Basic Software (AUTOSAR)

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

Configuration REQUIREMeNTS

The Can component is provided with a template file for configuration of the module. This template file should be copied into the project for inclusion in the build after adapting the template for the needs of the project. Additionally, the leading underscore should be removed from this file. This file can be found in the “tools/template/” folder of this component. For details on how to adapt, third party documentation found in this component can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	Notes

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger

Runnable	Scheduling Requirements	Trigger

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

2.2 - Can Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Can

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Can_Vector_CANbedded_03.15.00_02.18.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#9536

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

02/03/17

Lead Peer Reviewer:

Rijvi

Approved by Reviewer(s):

Yes

Other Reviewer(s):

2.3 - TechnicalReference_CANDriver

TechnicalReference

2.4 - TechnicalReference_CANDriver_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126
Page 127
Page 128
Page 129
Page 130
Page 131
Page 132
Page 133
Page 134
Page 135
Page 136
Page 137
Page 138
Page 139
Page 140
Page 141
Page 142
Page 143
Page 144
Page 145
Page 146
Page 147
Page 148
Page 149

2.5 - TechnicalReference_CANDrivers

Vector CAN Driver
Technical Reference

Reference Implementation 1.5

Version 3.01.01

Authors: H. Honert, K. Emmert
Version:
3.01.01
Status:
released (in preparation/completed/inspected/released)

©2010, Vector Informatik GmbH
Version: 3.01.01
1 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

1  Document Information
1.1  History
Author
Date
Version
Remarks
Hoffmann
July, 30th 1997  1.00
Initial draft
Baudermann, Ebner
Aug, 9th 1999
2.00
Reorganization of the document
Hardware related
documentation removed
Ebner
Nov, 2nd 1999  2.01
Spelling corrections
Baudermann
Nov, 6th 1999
2.02
Restrictions with reentrance
capability for the following CAN
Driver functions: CanInit,
CanReset..., CanSleep,
CanWakeUp and CAN
interrupts
Honert
Dec, 14th 1999  2.03
DLC check added
Ebner
Feb, 8th 2000
2.04
Configuration by tool support
(CANgen) added
Baudermann, Rein, Honert,  May, 23th 2000  2.10
Generally reworked
Brändle
According to reference
implementation, version 1.1
Honert
Oct, 31th 2000  2.11
Description of indexed CAN
Driver added
Honert
Feb, 28th 2001  2.12
Extensions according to
reference implementation
version 1.2
Hardware related
documentation of HC12 and
C16x moved to a separate
document
Honert
Aug, 10th 2001  2.13
Description of API extended
  Single Receive Channel CAN
Driver
  CanCancelTransmit and
CanCancelMsgTransmit added
  Access to ErrorCounters added
Honert,
Aug, 20th 2001  2.14
Prototype of UserPrecopy

corrected
Spelling corrections
Emmert
Modifications for pdf conversion
Emmert
Okt, 9th 2001
2.15
Modifications of Figure 4 and 5.
Honert
Mai, 17th 2002  2.16
Function name corrected for
indexed driver
Extensions according to
©2010, Vector Informatik GmbH
Version: 3.01.01
2 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

reference implementation
version 1.3
Ebner, Honert, Emmert
Jun, 18th, 2003 2.20
Macro names corrected in
figure 7.
Extensions according to
reference implementation
version 1.4.
Additional explanation for offline
/ partial offline mode (ch. 5.2.6)
Emmert, Honert
Juli, 29th, 2003  2.21
New tables for API descriptions.
Corrections of some
Parameters and API
descriptions.
Stephan Hoffmann, Klaus
May 17nd,
2.22 Description
of
API
extended
Emmert, Heike Honert,
2004
  Direct Transmit Objects
Patrick Markl
Cancel in Hardware
Language corrections, New
Layout, Technical revisions
Klaus Emmert
2005-12-30
2.23
GENy added as Generation
Matthias Fleischmann
Tool
Added description for:
  Multiple ECU
  Common CAN
  Signal Access Macros
  Rx Queue
  Conditional Message Received
  Variable Datalen
Heike Honert
2006-08-01
2.30
Extensions according to
reference implementation 1.5.
Heike Honert
2007-01-09
3.00
prepare links to hw specific
Added description for:
  CAN RAM check
  Standard/HighEnd CAN Driver
Heike Honert
2007-01-29
3.01
some corrections
  improve Common CAN
  service functions for conditional
message reception added
  Description for Partial Offline
Mode for GENy modified
  ESCAN00032527: Update
description of
ApplCanAddCanInterruptDisabl
e/Restore call-back function
Heike Honert
2010-06-11
3.01.01
Reference to documentation of
VstdLib changed
Table 1-1   History of the Document
©2010, Vector Informatik GmbH
Version: 3.01.01
3 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

1.2
Reference Documents
Index and Document Name
[1] TechnicalReference_<hardware>.pdf
Table 1-2 Reference Documents

Please note
We have configured the programs in accordance with your specifications in the
questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
©2010, Vector Informatik GmbH
Version: 3.01.01
4 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

2 About this Document
This document describes the concept, features, API and the configuration of the Vector
CAN Driver.
The CAN Driver interface to the CAN Controller is designed to use the hardware specific
capabilities in an efficient way. The interface to the higher communication layers is mostly
identical for different CAN Controllers, so that the Interaction Layer, Network Management,
Transport Protocol and especially the user software are independent of the particular CAN
Controller used. Please note that in this document the term Application is not used strictly
for the user software but also for all the higher communication layers as listed above.
Therefore, Application refers to any of the software modules using the CAN Driver.
Two different types of CAN Driver are supported. These are the Standard CAN Driver and
the High End CAN Driver. The High End CAN Driver is an extended Standard CAN Driver.
The description of the Standard CAN Driver is also valid for the High End CAN Driver. The
additional features of the High End CAN Driver are described in own chapters.
The API of the functions is described in a separate chapter at the end of this document.
Referred functions are always shown in the Single receive channel mode.
Hardware related special features and implementation specifics are described in a
separate document which is named TechnicalReference_CAN_<hardware>.pdf.

©2010, Vector Informatik GmbH
Version: 3.01.01
13 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

2.1 Documents this one refers to…
 User Manual CAN Driver
 Hardware-specific documentation for the CAN Driver

User Manual
Technical
Technical
Reference
Reference
General
Hardware
You are here
#hw_<xxx>

Figure 2-1 Manuals and References for the CAN Driver

2.2 Naming Conventions
Some of the function names are mandatory, because they are used in the CAN Driver.
Other names are placeholders, and the Application can redefine or has to select them
according to its requirements:
Can...
It is mandatory to use all names beginning with Can... as they appear. Can...
stands for CAN Driver.
ApplCan...
The functions, starting with Appl... are so called callback functions. They are
provided by the Application and called by the CAN Driver. They are used to
notify the application about events such as state transitions.
User...
All names starting with User... are placeholders and will be selected by using
the Generation Tool according to the requirements of the Application. User...
stands for user-specific functions.
©2010, Vector Informatik GmbH
Version: 3.01.01
14 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

3  Reference Implementations
The reference implementation is a general specification for all Vector CAN Drivers. The
software versions for specific CAN Drivers differs, because there are different source
codes for different CAN Controllers. Therefore another overall version number exists,
representing the reference implementation. The CAN Drivers are implemented according
to this reference implementation with an identical feature set and Application interface as
well as a harmonized implementation.

3.1  Version 1.0
3.1.1  What's new?
  Identifier ranges defined by acceptance code and mask to receive a complete set of
several CAN identifiers. This is much more efficient for special requirements with fixed
identifier ranges and can be configured by the Application. Useful settings for
Application are selected automatically by the Generation Tool.
  Some parameters are provided by preprocessor defines in the CAN Driver configuration
file instead of global variables. This results in more efficient code.
  Notification of a CAN receive message overrun condition is done by the callback
function ApplCanOverrun(). This is configurable.
  The internal copy mechanism of the CAN Driver is configurable separately for receive
and transmit direction. It will be enabled automatically if an Application data buffer is
selected by the Generation Tool.
3.1.2  What's changed?
  General interrupt disable during critical service functions is replaced by a reentrant
solution.
  General assertion categories for the following severe errors in the CAN Driver:
  - User interface (e.g. invalid handles)
  - Generated data (caused by the Generation Tool)
  - Hardware problems (unexpected conditions of the CAN Controller)
  - Internal errors (e.g. inconsistent transmit queue entries)
  The different categories can be configured separately and the name of the callback
function has changed from ApplFatalError(..) to ApplCanFatalError(..).
  Callback function CanMsgReceive() has changed in ApplCanMsgReceived().
  Plausibility check for configuration switches of the CAN Driver is optional and will be
done in a separate header file called CAN_CHK.H.
  CanRxActualDLC will be provided as a preprocessor macro.
©2010, Vector Informatik GmbH
Version: 3.01.01
15 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  If the transmit queue is used for CAN Controllers with several hardware transmit
objects, only one of these register sets will be used for normal transmission (in
combination with the transmit queue). The others are reserved for Full CAN Transmit
Objects with fixed CAN identifier and DLC.
  The names of the following global variables have been changed:
  CanEcuNumber to canEcuNumber
  CanRxHandle to canRxHandle

3.2  Version 1.1
3.2.1  What's new?
3.2.1.1
Mandatory (for all CAN Drivers)
  Configurable callback function if software acceptance filtering doesn't match.
  Configurable callback functions to monitor the correct transmit behavior.
  Dynamic transmit objects for variable CAN identifier and DLC
  Security level for the data consistency during the internal copy routines for receive and
transmit data.
  Configurable callback functions to control hardware dependent loop break conditions
(e.g. during the transition to reset, standby or sleep mode).
  For micros with nested interrupt levels the global disabling of interrupts by
CanGlobalInterruptDisable/Restore() is replaced by a configurable interrupt lock level.
3.2.1.2
Optional (for some specific CAN Drivers)
  Support of extended CAN identifiers in different modes (extended only or mixed with
standard identifiers)
  Non-interrupt (polling) mode for asynchronous transmission, reception, error and wake-
up notification.
  Dynamic transmit objects (for flexible transmit buffer, pretransmit as well as confirmation
function).
  Full CAN Transmit Objects with fixed CAN identifier and DLC.
  Dynamic hardware acceptance filtering for the reception of different messages.
3.2.2  What's changed?
  Service functions for flexible CAN identifier and DLC CanTransmitVarDLC/ID(..) must
not be used for new developments. It will be replaced by dynamic transmit objects.
  Special macros for the direct access to CAN message information (identifier, DLC, ...) in
the receive function (Dir...) will be removed. The standard macros can be used instead.
©2010, Vector Informatik GmbH
Version: 3.01.01
16 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  Configurable DLC check for the length of the according receive buffer to avoid the
overwriting of the next receive buffer: The complete data will not be copied and the
Application will not be notified if an inconsistency is detected.
  The return code data type of the CanGetStatus() service function has changed because
of additional information in the software state of the CAN Driver and the hardware state
of the CAN Controller.
3.3  Version 1.2
3.3.1  What’s new?
  Hash search algorithm
  Low level transmit functionality to support e.g. gateways
  Service functions to stop and restart the CAN Controller.
  partial offline to switch dedicated transmit messages off.
  New return code of CanTransmit() in case of partial offline.
  Macros which return 8 bit of a received extended ID for use in precopy functions.
  Access to error counter of the CAN controller
  Service function to cancel transmit requests and confirmations
3.3.2  What’s changed?
  Generic Precopy function is now mandatory
  CanSleep() and CanWakeUp() has now a return value.
  CanGetStatus() is always available. Activation of extended status enables the additional
information in the hardware state of the CAN Controller.
  Passive mode can only be activated for all transmit requests and not for dedicated
messages.
  The name of some macros to access the ID in a precopy function has changed
  In the indexed CAN Driver, CanGetDynTxObj() has the channel as additional parameter.
  Macro CanRxActualIdHi renamed to CanRxActualIdRawHi
  Macro CanRxActualIdLo renamed to CanRxActualIdRawLo
3.4  Version 1.3
3.4.1  What’s new?
  New service functions to disable and restore CAN interrupts
3.4.2  What’s changed?
  Function CanInterruptDisable renamed to CanGlobalInterruptDisable
©2010, Vector Informatik GmbH
Version: 3.01.01
17 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  Function CanInterruptRestore renamed to CanGlobalInterruptRestore
  Support of systems with mixed Identifier expanded
  Macro CanRxActualId returns the Identifier always in the logical presentation
3.5  Version 1.4
3.5.1  What’s new?
3.5.1.1
Mandatory (for all CAN Drivers)
3.5.1.1.1 Common features
  New functions CanCopyFromCan and CanCopyToCan. Hardware/Compiler dependent
functions to optimize copying of data (provide for higher layers such as TP, Diag).
more… API…
  The CAN driver can be configured to run without any disabling of interrupts.
The application has to take care of reentrancy! To set the Can Driver to this mode, the
security level has to be set to the lowest value. more…
  The CAN Driver is more fault tolerant against unexpected CAN interrupts like Rx
interrupt of a transmit object. Interrupt in polling mode or interrupts of unused objects
are handled by the driver.
  Callback function ApplCanPreWakeUp which is called immediately after the activation of
the wakeup interrupt. more... API…
  The CAN Driver doesn’t use library function of the compiler library (except for intrinsic
functions)
  The Can Driver code is MISRA compliant.
3.5.1.1.2 Transmission features
A confirmation function common to all transmit messages is supported. This function is
called after any successful transmission (except Direct Transmit Objects but includes
canceled transmit objects that had been sent although). more… API…
3.5.1.2
Optional (for some specific CAN Drivers)
3.5.1.2.1 Transmission features
  CanDirectTransmit( txHandle ) to support direct transmit objects.
This transmission is completely independent of other transmit messages and can
be sent e.g. out of a NMI (non-maskable interrupt service routine. (see also what’s
changed).
3.5.1.2.2 Reception features
  For Full CAN controllers polling of Basic CAN is supported (all functionality of the CAN
driver can be used in polling mode). more…
  A callback function is called, if the DLC check fails (this means if the DLC of the
received message is shorter than configured for this message). more… API…
©2010, Vector Informatik GmbH
Version: 3.01.01
18 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  Support variable data length (for specific OEMs).

3.5.2  What’s changed?
  The names of the different kinds of transmission objects changed. To make the
differences clear in the following table all kinds of transmission objects are listed even if
nothing changed. more…
Old names (before RI 1.4)
New names (RI 1.4 and later)
Transmit Objects
Normal Transmit Object
Direct Transmit Objects
Full CAN Transmit Object
Dynamic Transmit Objects
Dynamic Transmit Objects
--- Direct
Transmit
Objects
Low Level Message Transmit
Low Level Message Transmit

3.5.2.1
Transmission features
  The interface of the TxObserve Callback functions has changed (parameter of the
functions  ApplCanTxObjStart() and ApplCanTxObjConfirmed() and ApplCanInit(). An
additional parameter is used. This additional parameter is the handle of the hardware
object (a unique number over all hardware transmit objects which starts with 0).
more… API…
  The functions CanCancelTransmit() and CanCancelMsgTransmit can now delete a
message in the hardware transmit buffer as well as in the queue. more… API…
  To get the tx handle of a pending transmit message, a new Service function is defined:
CanTxGetActHandle(CanObjectHandle logTxHwObject) more… API…
  If a CAN controller doesn’t support arbitration by ID, Direct Transmit Objects and Full
CAN Transmit Objects have a higher priority than the Normal Transmit Object. The Low
Level Message transmission has the lowest priority. more…
  It is not possible/necessary any longer to specify the number of the CAN transmit buffer
for Full CAN Transmit Objects. This will be done by the Generation Tool automatically.
  The functions CanPartOffline and CanPartOnline are designed to be reentrant. API…
3.6  Version 1.5
3.6.1  What’s new?
  data size optimized Tx Queue.
  In systems with mixed IDs (standard and extended), each range can be configured to
standard or extended ID individually.
  Each hardware objects can be configured individually to polling or interrupt mode.
more... API...
  Multiple Basic CAN objects can be defined to optimize the hardware filters. more...
©2010, Vector Informatik GmbH
Version: 3.01.01
19 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  Rx Queue supports now queuing of messages out of a range.
  Notification about mode change of the CAN driver between offline and online mode.
  New macros to fill structure of Low Level Message Transmit
  distinguish between Standard CAN Driver and High End CAN Driver instead of optional
features
3.6.2  What’s changed?
  Source Address of Range Specific Precopy Messages removed – deviation to HIS CAN
Driver Specification. (EcuNumber isn’t any longer a member of tCanRxInfoStruct)
  Return code of Range Precopy Functions has effect on further reception handling.
  Direct Transmit Objects are not supported any more
  API Categories Single Receive Buffer (SRD) and Multiple Receive Buffer (MRB) are not
supported any more.
  Global Interrupt Control has been moved to VStdLib (CanGlobalInterruptDisable(),.
CanGlobalInterruptRestore(),  Interrupt Control by Application, Interrupt Lock Level).
...more information see Application Note AN-ISC-2-1050_VstdLibIntegration.pdf.
  Channel parameter for Hardware Loop Check Callbacks – deviation to HIS CAN Driver
Specification API...
  The following macros are not available any more: MK_EXTID_LO, MK_EXTID_HI,
MK_STDID_LO, MK_STDID_HI, CanRxActualIdRaw, CanRxActualIdRawHi,
CanRxActualIdRawLo
  The polling Tasks are allowed to be called in Sleep mode, too.
  Improvement of usage of assertions
  Same OSEK OS interrupt category for all CAN interrupts.
  Variable data length replaced by copying data with received DLC and DLC check
against minimum length.
  Description of dynamic pretransmit function, dynamic confirmation function and dynamic
acceptance filtering removed.

©2010, Vector Informatik GmbH
Version: 3.01.01
20 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

4  Overview
For error prevention, maintainability and expandability of Application programs, it is
essential to have a uniform interface between Application and CAN Driver, mostly
independent of the CAN Controller used. The CAN Driver itself must be adapted to the
CAN Controller for reasons of efficiency. This yields the following requirements for a
universally applicable CAN Driver:
  Independent of Application
  Driver code optimized for the CAN Controller used
  Uniform interface to the Application for different CAN Controllers
  Efficient usage of hardware resources, especially RAM and run time
  Support of special services like Interaction Layer, Network Management, Transport
Protocol

Figure 4-1  Relationship of the individual Software Components. They are customized by the Generation Tool
The generic CAN Driver code is independent of the Application. Only the callback
functions have to be given by the Application. The Application specific description data are
stored in dedicated data structures. The structure of the description data is fixed; however,
the contents of the structures are defined according to the ECU specific behavior by the
Generation Tool. This is done partly automatically based on information in the CAN
database and partly manually by user specific settings in the Generation Tool. The data
structures are specific for the CAN Controller, they are linked to the CAN Driver code
(ROM-capable).
The data to be transmitted or received are exchanged by default via global data buffers.
These data buffers are CAN message based. They are also created by the Generation
©2010, Vector Informatik GmbH
Version: 3.01.01
21 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Tool. Additionally, the Generation Tool creates signal-based access macros and/or
functions. This means the Application does not have to know the location and the structure
of the global data buffers. The names of the access macros/functions are formed from the
signal names in the CAN database. The detailed structure and features of the access
macros/functions are described in the documentation of the Generation Tool.
The Generation Tool will not be discussed in this CAN Driver documentation, since it is
irrelevant for the CAN Driver functionality. But the generated data structures are highly
optimized for an efficient usage of each CAN Controller. Therefore the usage of the
Generation Tool is a must to customize the CAN Driver code to the special needs of the
Application.
4.1 Short Summary of the Functional Scope
In this section the main tasks of the CAN Driver are summarized very briefly:
1. Initialize the CAN Controller
2. Transmit a single CAN message
3. Receive a single CAN messages
4. Handle Bus-Off
5. Support sleep mode
6. Support special services

4.1.1 Initialization
There are several CAN Driver service functions for initialization purposes available.
CanInitPowerOn(..) for the complete initialization of software and hardware after power-on,
CanResetBusOffStart(..) and CanResetBusOffEnd(..) for the re-initialization of the CAN
Controller after BusOff. For any other re-initialization the application can call CanInit(..).
Various initialization data structures can be predefined by the Generation Tool and
referenced in the Application by means of a specific initialization handle.
4.1.2 Transmission
One of the main services provided by the CAN Driver is to set up a transmit request in the
CAN Controller by the service function CanTransmit(..). The reference to the CAN
message specific description data is done by a transmit handle used in the Application.
This information like CAN identifier and DLC is set up by the Generation Tool based on the
CAN Database and additional user specific settings. If the CAN Controller is busy because
all hardware transmit objects are currently reserved, the transmit request can be stored
temporarily in a transmit queue. The number of hardware transmit objects depends on the
CAN Controller or CAN Driver configuration. For details please refer to the CAN Controller
specific documentation TechnicalReference_CAN_<hardware>.pdf [#hw_comObj]. If the
CAN Controller is ready, data can be copied by different mechanism to the hardware
transmit registers. The return code of the transmit function informs whether the transmit
request was accepted by the CAN Driver or not. If it was rejected by an error and no
transmit queue is used, the Application is responsible for the repetition of the transmit
©2010, Vector Informatik GmbH
Version: 3.01.01
22 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

request until the message is in the CAN Controller. A successful transmission is signaled
by a confirmation. Special features like offline or passive mode are available to control the
transmit path of the CAN Driver by the Network Management or Diagnostics.
4.1.3  Reception
If a message on the CAN bus was accepted by the hardware and software acceptance
filtering, data can be read by different mechanism and this asynchronous event is notified
to the application by an indication. Additionally a special callback function
ApplCanMsgReceived() allows the user to access receive data directly in the scope of a
receive interrupt before the software acceptance filtering. The algorithm for the software
acceptance filtering is configurable because in some Applications a lot of irrelevant CAN
identifiers are passing the hardware acceptance filter and an efficient software filtering is
very important.
4.1.4  Bus-Off
The CAN Driver notifies a detected BusOff state to the Application by calling a special
callback function ApplCanBusOff(). Further processing like re-initialization of the CAN
Controller and additional customer-specific requirements like disabling transmissions for a
certain time have to be done by the Application.
4.1.5  Sleep Mode
Some CAN Controller are supporting a so called sleep mode with reduced power
consumption. The CAN Driver provides the service functions CanSleep() and
CanWakeUp() to enter and leave this special mode on request of the Application.
If the CAN Controller is also wakeable by the CAN bus, the callback function
ApplCanWakeUp() is called if this condition is detected. In some cases this leads to the
situation that the CAN controller is initialized (CanWakeUp) before the application will be
notified.
In case of changing the PLL (SLEEP = slow speed / ACTIVE = normal speed) the
application must be informed immediately. Otherwise the “long” interrupt execution causes
a watchdog reset. Therefore the callback function ApplCanPreWakeUp is called just after
the activation of the wakeup interrupt. The configuration is done via the Generation Tool or
user configuration file.

4.1.6  Special Features
There is additional support for special features like
  Status of CAN Driver and CAN Controller
  Interrupt control
  Assertions
  Hardware loop check
  Support of OSEK compliant operating systems
  Multiple-channel CAN Driver
  Polling mode
©2010, Vector Informatik GmbH
Version: 3.01.01
23 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  Handling of Extended Identifiers
  Stop mode
4.2  Data Structures for CAN Driver Customization
The description data created by the Generation Tool are split into initialization structures
for the CAN Controller as well as transmission and reception structures for CAN
messages. They are located in the ROM memory of the microprocessor. The receive and
transmit buffers are mapped in RAM data and will be referenced by the description data.
The description data also contains references (pointers) to user-specific functions of the
Application. The CAN Driver accesses all the structures in the description data. The CAN
Driver is independent of the Application but the generated description data depends on the
particular Application.

©2010, Vector Informatik GmbH
Version: 3.01.01
24 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 4-2  Description data, CAN Driver and Application with their interfaces.
4.2.1  ROM Data
4.2.1.1
Initialization Structures
The CAN Controller is initialized with the description data stored in the initialization
structures. They consist of the register values for the CAN Controller. They are highly
dependent on the particular used CAN Controller.
©2010, Vector Informatik GmbH
Version: 3.01.01
25 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

4.2.1.2
Transmit Structures
The structures listed below are used by the CAN Driver internally.
ID
Identifier of the messages to be transmitted. The format is CAN
Controller dependent for efficiency reasons.
DLC
Number of data bytes to be transmitted (Data Length Code).
The format is CAN Controller dependent for efficiency reasons.
DataPtr
Pointer to the CAN message based global transmit buffer.
UserPreTransmitPtr
Pointer to the user specific pretransmit function (must be a
NULL pointer if not used).
UserConfirmationPtr
Pointer to the user specific confirmation function (must be a
NULL pointer if not used).
ConfirmationOffset/Mask  Byte offset and bit mask for the CAN Driver access to the
corresponding confirmation flag.

4.2.1.3
Receive Structures
The structures listed below are used by the CAN Driver internally.
ID
Identifier of the messages to be received. The format is CAN
Controller dependent for efficiency reasons.
DataLen
Number of data bytes to be copied. The value may be different
from the DLC of the message received. The driver then only
copies the number of bytes stored in this structure. The other
bytes are ignored.
DataPtr
Pointer to the CAN message based global receive buffer.
UserPrecopyPtr
Pointer to the user specific precopy function (must be a NULL
pointer if not used).
UserIndicationPtr
Pointer to the user specific indication function (must be a NULL
pointer if not used).
IndicationOffset/Mask
Byte offset and bit mask for the CAN Driver access to the
corresponding indication flag.

4.2.2  RAM Data
The RAM data consist of transmit and receive buffers for the CAN messages.
In the data buffers, the first byte transmitted or received is located at the least significant
address of the data array (Note: Bit 7 is transmitted first).
For some microprocessors there are memory areas which can be accessed more
efficiently (e.g. internal RAM or bit addressable segments). The data buffers can be
mapped by the Generation Tool.

©2010, Vector Informatik GmbH
Version: 3.01.01
26 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5  Detailed Description of the Functional Scope (Standard)
5.1
Initialization
5.1.1  Power-On Initialization of the CAN Driver
The following service function must be called once after power-on to initialize the CAN
Driver:
void CanInitPowerOn( void );

This call initializes the CAN Controller for each channel and all CAN Driver variables (local
and global), i.e. the CAN Driver is set to online and active state.
This service function has to be called for a proper initialization before any other CAN
Driver function and before the global interrupts are enabled.
5.1.2  Re-Initialization of the CAN Controller
The CAN Controller is completely re-initialized by the service function call:
void CanInit( CanInitHandle initObject );

The parameter initObject means a handle for a specific initialization structure.
It is a must to bring the CAN Driver into offline state before this service function is called.
By this service function only the CAN Controller and the corresponding internal variables
will be initialized. Software states like online/offline or active/passive remain unchanged.
Changes of individual registers of the CAN Controller are only possible by means of a
complete re-initialization, i.e. an entire initialization structure must be provided for each
register change (e.g. bit timing, acceptance filtering, .. ).
5.2
Transmission
5.2.1  Detailed Functional Description
This section shows the transmission of a CAN message using different methods. For the
general processing first a flow chart is used. The gray decision symbols branch to features
that can be removed from the CAN Driver using the configuration options (see Figure 5-1).
In a second step sequence charts are used to show how the different objects of the CAN
Driver, description data and Application program work together.

©2010, Vector Informatik GmbH
Version: 3.01.01
27 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

STARTING POINT
Application
Leave Transmit Interrupt
CanTransmit
Yes
CanTransmitQueuedObj
No
Queue Empty
Yes
CAN offline
Use not
No
Use
Transmit Queue
Configured
Part offline
check
Not configured
Yes
CAN offline
Confirmation Function
Not configured
Yes
Part offline
No
Configured
Confirmation Function
Defined
No
Confirmation Flag
Use Queue
Use
Not configured
Configured
Confirmation Flag
Use not
Defined
Transmit Buffer Full
Yes
No
Confirm Transmission
Use not
Configured
Pretransmit Function
defined
Use
Confirmation of
Transmission
Pretransmit Function
Not configured
Yes
Confirm TxObserve
kCanCopyData
Use not
Use
No
Use TxObserve
Copy Data
Switches in the Generation Tool for
optional features of the CAN Driver
Enter Transmit Interrupt
Decisions in the code, if the feature is selected.
Initiate Transmit
Optional or mandatory functions of the CAN Driver
No
end
Interrupt Enabled
Mandatory path through the CAN Driver
Queue
Use
Use TxObserve
Yes
Optional path through the CAN Driver
TxObserve Started
Use not
Direction of work flow
ACKNOWLEDGE
(sent message received)
CAN Message
Transmit

Figure 5-1 Transmission of a CAN message
©2010, Vector Informatik GmbH
Version: 3.01.01
28 / 149
based on template version 2.1

The main service function to initiate a transmit request is
vuint8 CanTransmit( CanTransmitHandle txObject );

The function parameter is a transmit message handle. It represents an index in the
generated transmit description data. The return code contains the following information:
kCanTxOk
Successful transmit request. The message is sent out by the
CAN Controller without any further action required. For CAN
Drivers with transmit queue, this return code is also used if the
transmit request has been accepted in the queue, even if it was
already in queue.
kCanTxFailed
CAN transmit request failed. In this case the calling application
has to repeat the transmit request later.

kCanTxPartOffline
Error code because CAN Driver’s transmit path is in partial
offline mode for this transmit object.

The left path (see Figure 5-1) time flows from top to bottom. This path shows the program
flow calling the service function CanTransmit(..). First the CAN Driver checks whether the
transmit path is switched to offline state. If so the function returns with an error code. Then
the Driver checks (if configured) the partial offline mode. If the specified message is offline,
the function will return an error code.
In the next step the CAN Driver checks the availability of a hardware transmit object. If no
object is available the transmit request is stored in the transmit queue (if configured to be
used) and the CAN Driver returns to the Application with the return code kCanTxOk. If no
transmit queue is used the CAN Driver returns with an error code kCanTxFailed.
If a transmit object is available the CAN identifier and the data length code will be set in
accordance to the description data. Now, if a pretransmit function is configured, this
pretransmit function will be called. Within this user specific function the Application may
copy the data to be transmitted directly to the CAN Controller hardware registers. If the
data is completely copied, the pretransmit function returns kCanNoCopyData to the CAN
Driver.

The data has to be copied by the CAN Driver itself, if there is no pretransmit function
defined or this function returns kCanCopyData. In this case the CAN Driver copies the data
from the global data buffer associated with the message to the CAN Controller hardware
registers.
Then the transmission of the CAN message is started in the CAN Controller and the
function returns the code kCanTxOk to the Application.
Dependent on the configuration, the TxObserve function is now started.
In the right path of the figure below, the time flows from bottom to top. This path shows the
program flow in the interrupt service routine after a successfully transmission of the
message to the CAN bus. In the transmit interrupt routine, the confirmation actions are
performed. If configured, first the TxObservation is confirmed, then (if configured) a
©2010, Vector Informatik GmbH
Version: 3.01.01
29 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

confirmation function for all messages is called. Afterwards the confirmation flag is set and
then the message-specific confirmation function is called.
If the CAN Driver is configured to use a transmit queue, after processing the confirmation
actions the CAN Driver checks if the transmit queue is empty. If so the transmit interrupt
routine is finished. If there are entries in the queue the highest priority CAN message is
removed from the queue and the transmission of this message is requested. This is also
done on interrupt level.
In the middle of the picture we see the transmit queue which is used if all hardware
transmit objects are busy, when CanTransmit(..) is called.
The next sections describe the transmission of a CAN message using sequence charts.
The vertical lines within these diagrams represent program objects like interrupt routines,
functions (thick lines) or data objects (thin lines). The horizontal lines represent program
flow or data access within the program. Flow control and program instances are described
using thick lines, data access is described using thin lines. Time flows from the top of a
chart downwards so that sequence „1“ is performed before sequence „2“. The description
of the sequence charts is given in the tables following the charts.

The first sequence chart in Figure 5-2 shows the behavior if a hardware transmit object is
available, a global data buffer is associated to the message and the copy mechanism of
the CAN Driver is used.

CAN Data
TX Interrupt
Can-
Driver
Global Data
Conf.
CAN
Conf. Flag
Pretransmit
Application
Buffer
Routine
Transmit
Parameters Buffer
Function
1
2
3
4
5
6
7
8
9
10

Figure 5-2 Transmission with an available transmit object; Using global data buffer
No
Description
1
The Application writes the data to the global data buffer
2
The Application calls CanTransmit(..) service function
3
Function uses description data (CAN identifier, DLC, etc...)
4
Global data buffer is read and copied; the transmit process is started
5
CanTransmit(..) service function is finished, the return code is kCanTxOk
6
The message is successfully sent to the CAN bus. Transmit interrupt routine is
started
7
Transmit confirmation flag is set (cleared by the Application)
©2010, Vector Informatik GmbH
Version: 3.01.01
30 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8
Confirmation function is called
9
Confirmation functions returns to transmit interrupt routine
10
Transmit interrupt routine is left

The next sequence chart in shows the behavior if a hardware transmit object is available
and a pretransmit function is used to copy the data to be sent.

CAN Data
TX Interrupt Can-
Driver
Global Data
Conf.
CAN
Conf. Flag
Pretransmit
Application
Buffer
Routine
Transmit
Parameters Buffer
Function
1
2
3
4
5
6
7
8
9
10
11

Figure 5-3 Transmission with an available hardware transmit object; Using a pretransmit function to copy data

No
Description
1
CanTransmit(..) service function is called by the Application
2
Function reads the description data (CAN identifier, DLC, etc.)
3
Call of the pretransmit function
4
Pretransmit function writes data to the CAN Controller
5
Pretransmit function returns to CanTransmit(..)
6
Start transmission; CanTransmit(..) service function is finished and the return code
is kCanTxOk
7
The message is successfully sent to the CAN bus. Transmit interrupt routine is
started
8
Transmit confirmation flag is set (cleared by the Application)
9
Confirmation function is called
10
Confirmation function returns to transmit interrupt routine
11
Transmit interrupt routine is left
©2010, Vector Informatik GmbH
Version: 3.01.01
31 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

The next sequence chart in shows the behavior, if no hardware transmit object is available.
This sequence chart is valid only if the CAN Driver is configured to use a transmit queue.
The data is copied by the CAN Driver itself.

TX Interrupt
Can-
Driver
Global Data
Conf.
CAN
CAN Data
Conf. Flag
Application
Buffer
Routine
Transmit
Parameters
Buffer
Pretransmit Function
1
2
3
4
5
6
7
8
9
10

Figure 5-4  Transmit procedure if no hardware transmit object available
No  Description
1
The Application writes the data to the global data buffer
2
The Application calls CanTransmit() service function. No hardware transmit objects
available. Request is stored in the transmit queue.
3
Function returns kCanTxOk
4
Transmit interrupt: A (previous) CAN message was successfully sent, transmit object
is available again
5
Confirmation flag of the previous CAN message is set (cleared by the Application)
6
Confirmation function of the previous CAN message is called
7
Confirmation function return
8
The transmit queue is checked for requests. The pending transmit request is found.
The description data are evaluated (CAN identifier, DLC, etc...)
9
Global data buffer is read and copied; the transmit process is started
10  Transmit interrupt routine is left

5.2.2  Transmit Queue
The normal Tx object can be configured to use a transmit queue or not. The Transmit
Queue is not available for Full CAN Objects and the Low Level Transmit Object. If no
transmit queue is used, the Application is responsible to restart a transmit request if it
wasn’t accepted by the CAN Driver. In case of using a transmit queue, a transmit request
is always accepted (if the driver is online). But the transmit queue holds only the transmit
©2010, Vector Informatik GmbH
Version: 3.01.01
32 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

request of a CAN message. It doesn’t store the data to be sent. Please note the same
message can be queued only once. The CAN Driver sets a transmit request in the transmit
queue, if no hardware transmit object is available after CanTransmit(..) is called. On a
transmit interrupt, i. e. when a message has been sent successfully, the CAN Driver
checks whether transmit requests are stored in the queue. If so, one requests is removed
from the queue and the transmit request is executed. The search algorithm in the queue is
priority based, there is no FIFO strategy. This means the CAN identifier with the lowest
number is removed first from the queue.
If the CAN Driver is configured to use a transmit queue, the internal data copy mechanism
will be initiated and/or the pretransmit function will be called in the scope of a transmit
interrupt after the completion of a previous transmit request. Therefore the user has to
guarantee the data consistency, because an Application write access to the global data
buffer may be interrupted by such a transmit interrupt. If within this interrupt the associated
message is requested to be transmitted on the CAN bus, inconsistent data may be sent.
The Application must ensure data consistency by one of the following mechanisms:
  Disable Interrupts while writing data to the global data buffer
  Use the message based confirmation flag to manage the data access handling. On
startup the access right is on Application side. Calling CanTransmit(..) this access right
is given to the CAN Driver. As soon as the confirmation flag is set by the CAN Driver,
the access right is given back to the Application.
  In polling mode the service function CanTxTask() must be used to transmit queued
messages. The transmission of a CAN message is only started if the CanTxTask() is
called. In polling mode every message is queued in the transmit queue. To ensure that
every message was send the CanTxTask() may be called cyclic.
5.2.3  Data Copy Mechanisms
There are two different methods for the Application to pass the data to be transmitted to
the CAN Driver. The CAN Driver selects the method for each message depending on the
CAN Driver description data. If no pretransmit function is defined, the usage of a global
data buffer is a prerequisite and the CAN Drivers internal data copy mechanism is always
used. If a pretransmit function is defined, the data to be transmitted may be stored
anywhere in the Applications memory and the user defined copy mechanism in the
pretransmit function is used.
5.2.3.1
Internal
With the internal data copy mechanism, the Application writes the data to be transmitted to
a global data buffer associated with the transmit message. The global data buffer is
defined by the Generation Tool. The access to the global data buffer is done by means of
access macros and/or functions which are also defined by the Generation Tool. After
passing the data to the global data buffer, the Application initiates the transmit request by
calling CanTransmit(..) and the data is copied internally to the CAN Controller hardware
registers.
Important
Data consistency of CAN messages has to be guaranteed by the Application if
  CanTransmit(..) is called on a higher interrupt or task level, or the transmit queue is
used.
©2010, Vector Informatik GmbH
Version: 3.01.01
33 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.2.3.2
User defined (“Pretransmit Function”)
Using the pretransmit function to pass the data to be transmitted to the CAN bus, the
Application first initiates the transmit request by calling CanTransmit(..). Just before the
message is put in the CAN chip, the CAN Driver calls a user defined pretransmit function.
For each transmit message a separate pretransmit function may be defined. Within this
user specific function the user can write the data directly to the hardware registers of the
CAN Controller, but other tasks can also be performed. The return code of the pretransmit
function indicates to the CAN Driver whether the data are to be copied by the CAN Driver
internally from the global data buffer to the CAN Controller hardware registers or not (if it is
already done within the pretransmit function).

Important
Be careful if a pretransmit function is used. Interrupts are not disabled during the call of
  this user specific function by the CAN Driver, therefore the restrictions for security level 0
are valid. If the interrupts are not disabled before and restored after the copy process by
the Application, data consistency of a CAN messages cannot be guaranteed if the
transmit queue is used.
5.2.4  Notification
After the successful transmission of a message on the CAN bus (i.e. at least one other
CAN bus node received the CAN message correctly with an acknowledge), the Application
can be notified by different confirmation mechanisms:
5.2.4.1
Data Interface (Confirmation Flag)
If a confirmation flag is used, this message related flag is set by the CAN Driver, if the
associated CAN message was sent on the CAN bus. This is done in the scope of the
transmit interrupt. The flag must be cleared by the Application.

Important
Interrupts have to be disabled while the confirmation flags are being cleared, because of
  the read-modify-write conflict if this operation is interrupted by a CAN transmit interrupt
routine. This can result in the loss of events.
5.2.4.2
Functional Interface (Confirmation Function for each message)
In parallel or instead of the data interface a functional interface can be configured, i.e. user
specific function is called if the associated CAN message was sent on the CAN bus. This
is also done in the scope of the transmit interrupt and therefore special care of the run time
of this function has to be taken.
5.2.4.3
Functional Interface (Common Confirmation Function for all messages)
A common confirmation function informs the application via ApplCanTxConfirmation about
a successful transmission of a message. Any message is confirmed via this callback
function.

Info
A canceled transmission will provoke a notification if the message was send on the bus.
  If the message had been deleted out of the hardware, the application will not be notified.
More…

©2010, Vector Informatik GmbH
Version: 3.01.01
34 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.2.5 Offline Mode
The CAN Driver's transmit path can be switched to the offline state, i.e. disabled. In this
state no CAN messages are sent to the CAN bus. On each transmit request the CAN
Driver checks the internal flag which indicates whether the transmission is currently
disabled and the transmit service function returns an error code. This flag is set and reset
by the following CAN Driver service functions
void CanOnline( void );
void CanOffline( void );

These CAN Driver service functions are called by the Network Management or by the
Application (only if there is no Network Management available on a specific CAN channel).

The Application can be notified about the mode change (e.g. if the Network Management
calls CanOnline() or CanOffline()). This is done with the following callback functions:

void ApplCanOnline( void );
void ApplCanOffline( void );

5.2.6 Partial Offline Mode
The partial Offline Mode enables the application to prevent the transmission of groups of
CAN messages. CanTransmit() returns a special code, if the requested message cannot
be sent because of the active partial offline mode. The partial offline mode is implemented
by the following functions:
void CanPartOnline ( vuint8 sendGroup );
void CanPartOffline( vuint8 sendGroup );
vuint8 CanGetPartMode( void );

The partial offline mode can handle up to eight different groups of messages. The function
parameter sendGroup decides about this group. CanPartOffline() switches all messages of
one ore more send groups to the offline state. Earlier calls of CanPartOffline() are not
affected. CanPartOnline() switches one or more send groups back to online state.
Each message might be assigned to one or more send groups. The names of the send
groups are configurable. Each send group can be switched to offline or online by using the
generated define:
C_SEND_GRP_<name>
C_SEND_GRP_ALL can be used to switch all groups together to offline or online.

Example
The following table shows, which message is assigned to which send group (CANgen
 concept. For GENy concept, go to the next chapter.).

send group name
7 6 5 4 3 User2 User1 User0
©2010, Vector Informatik GmbH
Version: 3.01.01
35 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

MESSAGE1
  x  x
x

MESSAGE2
    x

x
MESSAGE3
  x  x

Example
for a possible program flow:
  CanPartOffline(C_SEND_GRP_User0); MESSAGE2 is stopped to be send
CanPartOffline(C_SEND_GRP_User1); MESSAGE1 is stopped to be send
              MESSAGE2 is still stopped to be send
status = CanGetPartMode();   status is equal to ( C_SEND_GRP_User0
|                          C_SEND_GRP_User1)
CanPartOnline(C_SEND_GRP_User0); MESSAGE1 is still stopped to be sent
              MESSAGE2 can be sent again
CanPartOffline(C_SEND_GRP_User0 | C_SEND_GRP_3);
MESSAGE1 is stopped to be sent
MESSAGE2 is stopped to be sent
MESSAGE3 is stopped to be sent
CanPartOnline(C_SEND_GRP_ALL);
All send groups are online again. All
messages can be sent now.
Info
If the offline mode and partial offline mode are used in parallel the offline
  mode has ‘higher priority’. This means if the offline mode is set the function
CanTransmit always returns ‘kCanTxFailed’ independent of the current
partial offline state.

5.2.6.1   Partial Offline Mode with GENy
In GENy there are
  8 Offline Modes (SendGroups)
  Default name is UserX, but can be changed as shown in the illustration below. There
Offline mode 4 is changed to MyGroup4.
  5 Message Classes for
  Default (0)
  Appl
  Nm
  Tp
  Diag
  Il

©2010, Vector Informatik GmbH
Version: 3.01.01
36 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

All messages are assigned automatically to a message class using their attribute
information from the DBC file.

Figure 5-5 Partial Offline Mode settings in GENy

Info
You find this information in the configuration view of the CAN Driver.

With the checked checkbox for OfflineMode4 (Message Class 1 (APPL) all application
messages are assigned to the Offline Mode 4.
If you select an application message, you will find the following:
©2010, Vector Informatik GmbH
Version: 3.01.01
37 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 5-6 One Single Application Message Selected
At the Message Class entry you see this is an application message and below you see
your MyGroup4 and a checked checkbox. I.e. this message is assigned to MyGroup4.

Figure 5-7 User Defined assignment to Offline Modes
For any message you can decide whether to assign the message to another Offline Mode
or to additionally assign the message to another Offline Mode. In the example above, the
messate DummyTransmit (application message) is not assigned to MyGroup4 anymore.
Now this message is assigned to USER2.

©2010, Vector Informatik GmbH
Version: 3.01.01
38 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 5-8  Overview Messages and Offline Modes

Info
If you cannot find any information concerning Offline Modes you should use the
  Customize Grid functionality. Activate the view below via: View|Customize Grid and
then select Offline Modes.

To get an overall view of which message is assigned to which group, or to do the
necessary assignments having a good overview, select all TxMessages in the tree view
and activate the Offline Modes via Customize Grid (described at the top of this chapter).
5.2.7  Passive State
The CAN Driver's transmit path can be switched to the passive state. In passive state no
transmit request is passed to the CAN bus, i.e. no CAN message is sent. However, there
is only the CAN bus activity affected but not the Application interface because there is no
error code returned and the notification is done in the normal way, i.e. the Application
software runs in normal operating mode. This is the main difference to the offline mode.
The passive state may be used to localize errors in a CAN bus and is realized by the
following CAN Driver service functions
void CanSetActive ( void );
void CanSetPassive( void );
©2010, Vector Informatik GmbH
Version: 3.01.01
39 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

The passive state of the CAN Driver is usually used during the development phase of the
CAN bus. If an Application might disturb the other nodes, it can be switched to passive
state temporarily and simulated by an appropriated tool. This is usually done by a
Diagnostics.

Info
To use the Passive State efficiently there must be a special support by the network
  designer. An external tool must be able to take over the tasks of the ECU simultaneously
when the ECU is switched to passive state.

The passive state of the CAN Driver must not be mixed up with the passive state of
OSEK Network Management. If the OSEK Network Management is put into passive
state (service functions SilentNM / TalkNM) only Network Management messages are
affected. The passive state of the CAN Driver prevents any CAN messages (including
Network Management messages) from being sent on the CAN bus.

Also note the following hints for the usage of the passive state:
  If the passive function is enabled the corresponding code in CanSetPassive() and
CanSetActive() is activated, otherwise only dummy macros will be provided. This results
in less CAN Driver code and an easy way to switch off this service function without
changing the Application software.
  The Application calls the service function CanSetPassive() to prevent transmission. In
case of a transmit queue it is cleared, i.e. confirmation activities may be lost during the
transition from active to passive state. Beginning with the next CanTransmit() the
messages are not sent on the CAN bus until CanSetActive() is called.
In case of a transmit queue, the service function CanSetPassive() has to be called in
the confirmation function of the last message to be sent on the CAN bus. If there is no
such request, CanSetPassive() can be called at any time.
In passive mode, the result seems to be successful, i.e. the code kCanTxOk is returned
from CanTransmit(), and all configured flags (cleared by the Application) are set and the
functions are called (Common Confirmation Function, Confirmation Flag and/or
Confirmation Function). Tx Observation is not used in passive state.
  To restart transmission, the service function CanSetActive() has to be called. Starting
with the next call of CanTransmit(), the messages are transmitted again on the CAN
bus.
Important
If the CAN Driver is switched from active to passive state, the transmit queue will be
  cleared and therefore some confirmations may be lost.

5.2.8  Tx Observe
This functionality is used to check the transmit path of the CAN Driver by the following
way: After a successful transmit request in the CAN Controller a specific function is called:
void ApplCanTxObjStart( logTxHwObject );
©2010, Vector Informatik GmbH
Version: 3.01.01
40 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

If the message was sent on the CAN network successfully another callback function is
called in the scope of the transmit interrupt:
void ApplCanTxObjConfirmed( logTxHwObject );

This functionality can be used to observe any transmission. As the CAN Driver is not time
triggered, the call back functions offer the application a way to start a timer with
ApplCanTxObjStart and stop this timer with ApplCanTxObjConfirmed. In case of exceeding
a predefined time for transmission, the message can be deleted or any other reaction can
be done.
In case of a well working system, these callback functions are normally called in a
symmetric way within the maximum specified delay time which is allowed in the existing
run time environment after a transmit request until the CAN message is sent to the CAN
bus successfully. In case of a transmit error a time-out supervision can be implemented by
these callback functions and error recovery can be done. If more than one hardware
transmit object is used, these callback functions can be called in a nested way and so an
additional counter is necessary. That counter has to be reset after each re-initialization of
the CAN Controller. This can be done in the following callback function:
void ApplCanInit( logTxHwObjectFirstUsed,
logTxHwObjectFirstUnused);
5.2.9 Cancellation of a Transmission
There are several ways to cancel a requested transmission.
5.2.9.1
Cancel a Transmission via CanInit
CanInit initializes the CAN controller hardware and can therefore be used to cancel any
current transmission. (see Re-Initialization of the CAN Controller). Some controllers do not
stop their transmission immediately, so it is possible that the Cancellation via CanInit()
could lead to an errorframe on the bus.
5.2.9.2
Cancel a Transmission via CanCancelTransmit or CanCancelMsgTransmit
Both functions work the same way, except that CanCancelTransmit cancels a transmission
initiated via CanTransmit and CanCancelMsgTransmit cancels a transmission initiated via
CanMsgTransmit.
The call of the confirmation function or the setting of the confirmation flag are suppressed,
if this message is already in the transmit buffer of the CAN Controller. If the transmit queue
is enabled, a pending transmit request in the queue is canceled.
These functions also delete messages in the hardware transmit buffer if configured. But
this feature is strongly dependent of the hardware. Some CAN Driver / CAN Controller
require the call of CanRxTask() / CanTxTask() to be able to continue.
Using the cancel functions out of the Tx observe functionality (see above) the handle for
the functions must be obtained via the function CanTxGetActHandle(CanObjectHandle
logTxHwObject). The return code decides whether it was a CanTransmit or a
CanMsgTransmit which causes a CanCancelTransmit or a CanCancelMsgTransmit.

©2010, Vector Informatik GmbH
Version: 3.01.01
41 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

CanTransmitHandle Hdl;
Hdl = CanTxGetActHandle(logTxHwObject);

if(Hdl == kCanBufferMsgTransmit)
{
CanCancelMsgTransmit(Hdl);
}
else if(Hdl < kCanBufferMsgTransmit)
{
CanCancelTransmit(Hdl);
}
else if(Hdl > kCanBufferMsgTransmit)
{
/* The Tx request was confirmed or cancelled, or no Tx request is pending. */
}

5.2.9.3
Notification about Cancellation of a message
The application can be notified each time the transmit request or the pending confirmation
is cancel. That means either the message based confirmation (flag or function) or the
cancel notification will be executed after successful call of CanTransmit() or
CanMsgTransmit().
To enable the notification the flag “CAN Cancel Notification” in the Generation Tool must
be selected. If this flag is set a Callback function informs the Application about that a
message was cancelled. ApplCanCancelNotification() will be called if the transmit request
was initiated via CanTransmit(), ApplCanMsgCancelNotification() will be called if the
request was set up via CanMsgTransmit().
©2010, Vector Informatik GmbH
Version: 3.01.01
42 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.2.10  Overview of Transmit Objects
The table shows the naming for different RI versions. Some of the features of the column
are hardware dependent.
Names before RI 1.4
Names RI 1.4
Names RI 1.5 and later
Transmit Object
Normal Transmit Object
Normal Transmit Object
Direct Transmit Objects
Full CAN Transmit Object
Full CAN Transmit Object
--- Direct
Transmit
Objects
---
Dynamic Transmit Objects
Dynamic Transmit Objects
Dynamic Transmit Objects
Low Level Message Transmit  Low Level Message Transmit
Low Level Message Transmit

5.2.11  Normal Transmit Object
A Normal Transmit Object is the hardware transmit object supported by all CAN Drivers. All
transmit messages that are not assigned to a Full CAN Transmit Object will be transmitted
via this Normal Transmit Object. The transmit queue works only on this object and the
Dynamic Transmit Objects can only be transmitted via this object, too.
5.2.12  Full CAN Transmit Objects
Each Full CAN Transmit Object has its own Hardware Transmit Object. This means a Full
CAN Transmit Object holds exactly one CAN message with a specific CAN identifier and
DLC. These CAN messages are statically assigned by the Generation Tool. Changes of
this reference during run time are not possible. There are two reasons for Full CAN
Transmit Object:
1.  The associated CAN message object is never occupied by another transmit request
2.  There is no need to copy the CAN identifier and the DLC. The message data can also
be stored directly in the CAN Controller and the transmit request can be initiated
directly.
Info
Full CAN objects are sent via CanTransmit() function.

5.2.13  Dynamic Transmit Objects
The CAN Driver supports the transmission of CAN messages with dynamic parameters.
These messages must not be specified in the CAN database. This feature can be used in
gateways, for example.
These dynamic objects can consist of mixed dynamic and static parts. CAN identifier, DLC
and data pointer can be selected separately as dynamic or static. The selection is common
for all dynamic objects. Pretransmit functions and confirmation functions are always static.
The CAN identifier priority for dynamic objects is lost if a transmit queue is used. Dynamic
objects have a higher internal priority than static objects, independent of their current CAN
identifier.
©2010, Vector Informatik GmbH
Version: 3.01.01
43 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Before the Application can use a dynamic object, the Application needs to reserve one.
This can be done by the following service function:
CanTransmitHandle CanGetDynTxObj( CanTransmitHandle txHandle);

The next step is to set all dynamic parameters of this object. This will be done by calling
the service functions:
void CanDynTxObjSetId ( ... );
void CanDynTxObjSetExtId ( ... );
void CanDynTxObjSetDlc ( ... );
void CanDynTxObjSetDataPtr ( ... );

After this, the dynamic object can be transmitted by calling CanTransmit(..) with the handle
of the dynamic object. The Application is allowed to use a dynamic object several times. If
the Application doesn’t need the dynamic objects any more, it can be released by the
service function
vuint8 CanReleaseDynTxObj( CanTransmitHandle txHandle );
There are two macros to allow a call of CanReleaseDynTxObj() in a confirmation function.
Both macros are only allowed to be called in the context of the user confirmation function
of this Dynamic Object.
CanConfirmStart(txHand This macro enables release of dynamic objects in a confirmation
le)
function.
txHandle has to be equal to the parameter of the confirmation
function.
CanConfirmEnd()
This macro restores security mechanism for release of dynamic
Objects.

Example:
void Confirm_ResDynTxObj ( CanTransmitHandle txHandle )
{
…
CanConfirmStart(txHandle);
if (CanReleaseDynTxObj( txHandle )== kCanDynNotReleased)
{ //error handling }
CanConfirmEnd();
…
}

If a dynamic object is used several times, the Application has to take care to use the
confirmation flag / function.
The maximum number of Dynamic Transmit Objects must be defined statically in the
Generation Tool.
Messages of dynamic transmit objects can not be sent via Full CAN Transmit Objects.

©2010, Vector Informatik GmbH
Version: 3.01.01
44 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.2.14  Priority of Transmit Objects

Message ID
Priority
Low 0
Full CAN Transmit Objects
High n
Normal Transmit Object
Low Level Transmit Object
(High End)

Figure 5-9  Priority of Transmit Objects


Full CAN Objects have the highest priority and they are sorted according to their ID. This is
automatically done by the Generation Tool.
There is only one Normal Transmit Object with a lower priority than the Full CAN Objects.
Dynamic Transmit Objects are transmitted via the Normal Transmit Object.
The Low Level Message Transmit Object has the lowest priority.
This priority is only valid, if the hardware is not able to arbitrate according the IDs.

©2010, Vector Informatik GmbH
Version: 3.01.01
45 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.3
Reception
5.3.1 Detailed Functional Description
CAN Message
Receive
No Action
Message not accepted
Hardware
Acceptance Filter
Message accepted
Interrupt Request
No
Interrupt Enabled
is stored
Yes
Enter
Receive Interrupt
Use
Use Receive Function
Receive Function
Use not
No
kCanCopyData
Yes
Use
Range
Filter
No
Match?
Yes
Range/Component
PreCopy Function
kCanNoCopyData
Use
UseMessage
Message not matched
Software
Message Not Matched
NotMatched
Acceptance Filter
Message accepted
Use not
Use
Check DLC
Use not
Use
Failed
DLC Failed
UseDlcFailed
DLC Check
Ok
Use not
Use
Use Generic Precopy
Generic
Use not
PreCopy Function
No
kCanCopyData
Yes
Defined
Precopy defined
Not defined
Precopy Function
No
kCanCopyData
Switches in the Generation Tool for
optional features of the CAN Driver
Yes
Decisions in the code, if the feature is selected.
Optional or mandatory functions of the CAN Driver
Copy Data
Mandatory path through the CAN Driver
Defined
Indication Flag
Optional path through the CAN Driver
defined
Direction of work flow
Indication Flag
Not defined
Defined
Indication Function
defined
Indication Function
Not defined
Leave
Receive Interrupt

end

Figure 5-10 Reception of a CAN messages
©2010, Vector Informatik GmbH
Version: 3.01.01
46 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

CAN messages are received asynchronously and without any explicit service function call.
Normally, the CAN Driver is informed by the CAN Controller via interrupt of the reception of
a CAN message. That means the received CAN identifier has passed the hardware
acceptance filtering of the CAN Controller and the entire message is stored in a receive
register. In case of a Basic CAN object, the message has to be retrieved and processed as
fast as possible. If a feature is only in Basic CAN or Full CAN available if is mentioned in
the text.
The gray decision symbols branch to features that can be removed from the CAN Driver
using the configuration options of the Generation Tool. Disabled features cannot be used
for any messages. The code for these features is completely removed. If a feature is
enabled, it can be determined for each message whether it is used or not.
The receive callback function ApplCanMsgReceived(..) is called on every reception of a
CAN message after the hardware acceptance filter is passed. Within this function the
Application may preprocess the received message in any way (ECU specific dynamic
filtering mechanisms, gateway functionality, etc...). If the function returns kCanCopyData,
the CAN Driver continues the processing. If the function returns kCanNoCopyData, the
CAN Driver terminates the message reception.
During the software acceptance filtering (only available for Basic CAN) the CAN Driver first
checks for range specific identifiers. For the range specific identifiers special precopy
functions may be defined. Afterwards the single CAN identifier based filtering is performed.
The CAN Drivers support different mechanisms like linear search, hash search or an index
search. In any case the filtering capabilities of the CAN Controller are used. The
corresponding receive object has to be determined by comparing the generated CAN
identifier in the data description tables with the received CAN identifier in the Basic CAN
object.
If the result of the software acceptance filtering is negative (only done for a Basic CAN
object), the callback function ApplCanMsgNotMatched() is called. Then the receive
interrupt is terminated immediately after the CAN Controller hardware is serviced.
After a CAN identifier match, the DLC will be checked. In case of a failed DLC check there
can be a configured callback function to notify the application.
In case of a successful DLC check the generic precopy function is called (if configured).
Generic precopy means that a common function named ApplCanGenericPrecopy() is
called for all identifiers. If this function returns kCanNoCopyData the CAN Driver
terminates further processing. If this function returns kCanCopyData, the CAN Driver
continues to work on the message received.
After the generic precopy if configured a precopy function separate for each message
according to the entry in the description data is called. Within this user specific function
any processing of the message received may occur (complete processing of a message or
special storage methods like ring buffers, FIFOs, ...). If the precopy function returns
kCanNoCopyData the CAN Driver terminates further processing. If the precopy function
returns kCanCopyData, the CAN Driver continues to work on the message received.
In the next step the data is copied to the global data buffer. The CAN Driver copies only
the number of bytes from the CAN receive buffer that is stored in the array CanRxDataLen.
©2010, Vector Informatik GmbH
Version: 3.01.01
47 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Then the indication actions defined for this message are performed. This means the
indication flag is set and/or the indication function is called. The Application has to reset
the indication flag before or after data processing.
In the following sections the processing steps are described using sequence charts. The
vertical directed lines within these diagrams represent program objects like interrupt
routines, functions or data objects. The horizontal lines represent program flow or data
access within the program. Within the sequence charts below flow control and program
instances are described using thick lines, data access is described using thin lines. Time
flows from the top of a chart downwards so that sequence „1“ is performed before
sequence „2“. The description of the sequence charts is given in the tables following the
charts.

CAN Data
RX Interrupt Driver
Global Data Indication
ApplCan-
CAN
Precopy
Indication
Application
Buffer
Routine
Parameters
Buffer
Flag
MsgReceived
1
2
3
4
5
6
7
8

Figure 5-11 Reception of a CAN message: The data is completely processed in the precopy function
No Description
1
A CAN message has passed the hardware acceptance filtering, the receive interrupt
routine is triggered
2
If configured, the ApplCanMsgReceived() callback function is called
3
The ApplCanMsgReceived() callback function returns kCanCopyData
4
Software acceptance filtering and identification of the received CAN message
5
If configured, the precopy function is called. The Application is able to take control over
the receive process immediately after the software acceptance filtering and direct access
to the CAN Controller receive register is possible.
6
Within the precopy function the data in the CAN Controller hardware registers are read
and completely processed.
7
The precopy function returns kCanNoCopyData. No further processing (copying of data,
indication actions) occurs in the CAN Driver
8
After servicing the CAN Controller hardware (the receive registers of the CAN Controller
are released), the receive interrupt routine is left.

Info
1. If the ApplCanMsgReceived() callback function returns kCanNoCopyData, the
received message is ignored. This means no further software filtering, no precopy, no
©2010, Vector Informatik GmbH
Version: 3.01.01
48 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

copying of data and no indication actions are performed.

2. If the precopy function returns kCanNoCopyData, no copying of data and no
indication actions are performed.

RX
CAN Data
Driver
Indication
ApplCanMsg
Interrupt
Global Data
CAN
Buffer
Parameters
Flag
Precopy
Indication
Receive
Application
Routine
Buffer
1
2
3
4
5
6
7
8
9
10
11

Figure 5-12 Reception of a CAN message: The CAN Driver internal copying mechanism is used

No  Description
1
A CAN message has passed the hardware acceptance filtering, the receive interrupt
routine is triggered
2
If configured, the ApplCanMsgReceived(..) callback function is called
3
The ApplCanMsgReceived(..) callback function returns kCanCopyData
4
Software acceptance filtering and identification of the received CAN message
5
If configured, the precopy function is called. The Application is able to take control
over the receive process immediately after the software acceptance filtering and the
direct access to the CAN Controller receive register is possible.
6
The precopy function returns kCanCopyData. The CAN Driver continues its normal
processing.
7
The received data are copied from the CAN Controller receive register to the global
data buffer associated to the CAN message
8
If configured, the indication flag is set (must be reset by the Application)
9
If configured, the indication function is called; any user actions can be performed
within this user specific function
10  Indication function returns to the receive interrupt routine
11  Receive interrupt routine is left

©2010, Vector Informatik GmbH
Version: 3.01.01
49 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.3.2  Receive Function
Before the software filtering is done, the Application optionally may use the
ApplCanMsgReceived() callback function called by the CAN Driver. Within this function the
Application can define whether to process the message received or not.
5.3.3  Range-Specific Precopy Functions
The CAN Driver's receive path can be configured to filter special identifier ranges and
associated precopy functions will be called directly. Up to four ranges are supported by the
CAN Driver. The ranges must be defined by a start address (e.g. 0x400) and a mask (e.g.
0x1F, i.e. if a bit is set it means don’t care) and leads to a specific range (in our example it
is from 0x400 to 0x 41F). The ranges are typically predefined by the Generation Tool for
special functions. If these are not used they are available for the application:

Range 0  Network
If the usage of a Network Management is configured
Management
Application
Application specific. May be used by the Application
Range 1  Diagnostics
If extended addressing mode of the Transport Protocol is configured
Application
Application specific. May be used by the Application
Range 2  Special usage
Car manufacturer specific
Application
Application specific. May be used by the Application
Range 3  Application
Application specific. May be used by the Application

Special capabilities of some CAN Controllers with several hardware acceptance filters may
also be used for the range specific filtering.
5.3.4  Identifier Search Algorithms
The following software filtering mechanisms are supported: All mechanisms but linear are
optional in the different hardware implementations.
Linear Search:
The identifier of the incoming message is compared to all CAN
identifiers in a table (if found, the search stops). The average search
time is proportional to the number of receive messages.
Hash Search:
An optimized search algorithm with a small known number of search
steps. The Generation tool calculates an optimized search table and
some parameters used at run time. The number of search steps can
be defined by the user. The less search steps the bigger the resulting
hash tables.
Table Search:
This is a kind of hash mechanism. The last three bits of a CAN
identifier are used as a selector for the search table. There are 8
different tables for each of the hardware acceptance filters in the
CAN Controller. Within the table a linear search is implemented.
Index Search:
A table with 2048 entries (one entry for each identifier) is used for
software filtering. Index Search is used for Standard ID only.

©2010, Vector Informatik GmbH
Version: 3.01.01
50 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.3.5  DLC check
The Data Length Code of a received message will be compared to the length of the
Application receive buffer of this message. If the DLC is smaller than the Application
receive buffer, data will not be copied. The length of the received message buffer is the
maximum length which is necessary to treat all signals for this ECU. To inform the
application the callback function ApplCanMsgDlcFailed will be called. The reception
process will be terminated afterwards.
Depending on the OEM the length of the received data bytes can be different at run time. It
is also possible to compare the length of the received message with a minimum length
which can be smaller than the Application receive buffer.
The behavior can be configured via generation tool and the database attribute
GenMsgMinAcceptLength.
5.3.6  Data Copy Mechanism
There are two different methods for the Application to access the data received from the
CAN bus.
5.3.6.1
Internal
Using the internal data copy mechanism, the CAN Driver copies the contents of the CAN
controller receive registers to a global data buffer associated to the receive message. The
Application can access the signal values in the message specific data buffer using access
macros or functions. The access macros are generated by the Generation Tool using
information in the CAN database. The signal access macros always return unsigned
values.
The Application itself is responsible for the data consistency of signals in a CAN message
which cannot be handled in atomic operations because the receive buffer may be
overwritten asynchronously by a CAN receive interrupt. Different mechanisms can be used
to guarantee data consistency:

1.  Disabling of the CAN receive interrupt.
2.  Read the receive signal. Compare the signal value with the signal in the hardware
buffer. Repeat the read operation if the values differ.
3.  Usage of the message based indication flag:
3.1  Clear the message indication flag
3.2  Read the data (one or more signals of a message)
3.3  Check the message indication flag: If set then return to 3.1

Depending on the OEM the length of the received data bytes can be different at run time.
Instead of copying all needed bytes (equal to the length of the global data buffer
associated to the receive message) the CAN Driver can be configured to copy the number
of received bytes. In case the number of received bytes exceed the length of the data
buffer, the CAN Driver takes care to copy at maximum the length of the data buffer.
©2010, Vector Informatik GmbH
Version: 3.01.01
51 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Info
The signal access macros are not affected. The application has to make sure, that it
does not access data via access macros that is not copied now because of a change of
the data length.

5.3.6.2
User-defined Precopy Functions
The user can define specific precopy functions for each receive object in the Generation
Tool. If defined, the CAN Driver calls this user-specific function immediately after the
software filtering. Within this precopy function the Application can access the data directly
in the CAN Controller receive registers. The precopy function indicates this to the CAN
Driver by the appropriate return code kCanNoCopyData and the further processing will be
terminated immediately. On the other side the CAN Driver can be forced to continue with
normal processing of the message after the precopy function by using the return code
kCanCopyData.
The parameter of the precopy function is a pointer to a structure. This structure includes
the handle of the received message and a pointer to the received data.
A separate user-specific function may be defined for each receive message. But it is also
possible to use the same function for different messages.
If no such function is defined, a NULL pointer is written to the corresponding description
data by the Generation Tool.
The user has to note that these user-specific functions are called in the receive interrupt.
Only short receive actions should be done to avoid negative influence on the Application
task by a long interrupt disable time.
The precopy mechanism can be used to handle only a small number of receive signals in
an efficient way, if there is a CAN receive message with 8 bytes but the receiving ECU for
example only needs the 6th bit of the 7th byte. The standard copy routine starts always at
the beginning of the receive data buffer and copies all data up to the last byte with
significant signals for the dedicated node (the 7th byte in the example above). This results
in some overhead in RAM and run time, particularly if these signals are mapped in the rear
part of the message. The precopy function can therefore be used to implement a user
specific copy routine and has to return the return code kCanNoCopyData.
Another example for a precopy function is a compare mechanism between the CAN
Controller receive register and the global Application buffer. If both are matching, data
have not to be copied and the indication is not necessary, i.e. kCanNoCopyData is
returned. Otherwise the return code kCanCopyData leads to the standard copy
mechanism of the CAN Driver and notification to the Application using indications.
The precopy function can also be used to implement receive queues (FIFO, FILO or ring
buffer).
5.3.7 Notification
After the reception of a message from the CAN bus and the successful hardware and
software acceptance filtering, the Application can be notified by different indication
mechanisms:
©2010, Vector Informatik GmbH
Version: 3.01.01
52 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.3.7.1
Data Interface (Indication Flag)
If an indication flag is used, this message related flag is set by the CAN Driver, if the
associated CAN message was received. This is done in the scope of the receive interrupt.
The flag must be cleared by the Application.

Caution
Interrupts have to be disabled during reset of the indication flags because of the read-
  modify-write conflict if this operation is interrupted by a CAN receive interrupt routine.
This can result in the loss of events.

5.3.7.2
Functional Interface (Indication Function)
In parallel or instead of the data interface a functional interface can be configured, i.e. a
user-specific function is called if the associated CAN message was received. This is also
done in the scope of the receive interrupt and therefore special care on the run time of this
user-specific function has to be taken. A special notification mechanism for the Application
can be implemented in such an indication function.
5.3.8  Not-Matched Function
If a CAN message has passed the hardware acceptance filtering but is rejected by the
software acceptance filtering (in case of a Basic CAN receive object) a special callback
function will be called (if configured):
void ApplCanMsgNotMatched( ... );

5.3.9  Overrun Handling
An Overrun appears if a CAN message is lost in the Basic CAN receive object, because
the other was not treated yet entirely. There are two possibilities how a message could be
lost. In some cases the old message was overwritten with a new message. In other cases
a new message couldn’t be received.
If enabled, the Application has to provide an overrun callback function:
void ApplCanOverrun( void );

The overrun handling itself is done by the CAN Driver.
5.3.10  Full CAN Overrun Handling
A Full CAN Overrun appears if a CAN message is lost in the Full CAN receive object,
because the other was not treated yet entirely. There are two possibilities how a message
could be lost. In some cases the old message was overwritten with a new message. In
other cases a new message couldn’t be received.
If enabled, the Application has to provide an overrun callback function for Full CAN
objects:
void ApplCanFullCanOverrun( void );

The overrun handling itself is done by the CAN Driver
©2010, Vector Informatik GmbH
Version: 3.01.01
53 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.3.11  Conditional Message Received
The Conditional Message Received function ApplCanMsgCondReceived() will be
conditional called for each reception of a CAN message. The condition can be set / reset
and read by application via CanResetMsgReceivedCondition(),
CanSetMsgReceivedCondition(), and CanGetMsgReceivedCondition(). The condition is
automatically set by CanInitPowerOn() and CanSleep().

5.4
Bus-Off Handling
There are several functions provided by the CAN Driver to handle a BusOff state of the
CAN Controller after severe transmit errors. For some CAN Controllers a re-initialization
must be done to satisfy the hardware requirements others are changing automatically to
the 'Error Active' state after 128 x 11 recessive bits on the CAN bus as it is specified in the
CAN protocol. Nevertheless it is recommended by most of the customer specific CAN bus
specifications to re-initialize the CAN Controller in every case, because the transmit error
might be caused by a faulty bit in the CAN Controller registers, e.g. bus timing registers, in
case of EMC influences. The following service functions have to be used by the
Application to handle a BusOff error:
void CanResetBusOffStart( CanInitHandle initObject );
void CanResetBusOffEnd( CanInitHandle initObject );

Typically an extension (compared to the CAN protocol specific requirements) of the error
recovery time for the CAN bus is implemented. This is done by switching the CAN Driver's
transmit path to off using the service function CanOffline(). Because of recursive calls of
some CAN Driver service functions, CanResetBusOffStart(..) and CanResetBusOffEnd(..)
are only allowed to be called in the offline mode of the CAN Driver, i.e. CanOffline() has to
be called before.
Typically the Network Management handles BusOff errors. In such case there are no
additional activities necessary by the Application. If no Network Management is used, the
Application has to provide a callback function
void ApplCanBusOff( void );

This callback function is called by the CAN Driver in case of BusOff. The error handling as
described above has to be done in this function. CanOnline has to be called outside of this
function on task level.

Important
For CAN controller which has autorecovery after BusOff detection we don’t recommend
  to use the status polling. If using status polling with autorecovery it could happen, that
the application doesn’t detect a BusOff because a transmit request was detected first
and the application wasn’t informed about the BusOff.
©2010, Vector Informatik GmbH
Version: 3.01.01
54 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.5
Sleep Mode
Some CAN Controllers support a special power-down mode with reduced power
consumption which is typically called sleep mode. This mode will be entered by the
following service:
vuint8 CanSleep( void );
Important
Before entering the sleep mode, some hardware specific preconditions have to be
  ensured, e.g. the CAN Controller transmit registers have to be empty. It has to be
guaranteed, that the following service functions are called before CanSleep():
void CanOffline( void );
void CanResetBusSleep( CanInitHandle initObject );.

The return to normal mode will be initiated by an explicit request of the Application:
vuint8 CanWakeUp( void );

Sleep mode is not supported by all CAN Controllers. If not, both related service functions
are provided to guarantee a unified service function interface for all CAN Drivers and to
make the Application mostly hardware independent. However, the functions itself have no
effect on the CAN Controller.
A subset of CAN Controllers, which are supporting a sleep mode in principle, are able to
be awakened by any CAN bus activity, i.e. a dominant level on the CAN bus. This wake-up
by CAN is an asynchronous event, normally detected by a special wake-up interrupt. The
Application will be notified by the following callback function:
void ApplCanWakeUp( void );

This callback function has to be provided by the Application. CanWakeUp() doesn't have to
be called in this case, because the CAN Controller returns to normal mode automatically
or initiated by the CAN Driver before this function call. Other communication related issues
like the activation of the bus transceiver hardware used or the return to the online mode
(see CanOnline()) have to be done in this callback function or as a consequence of this
event.
If a CAN Controller doesn't support a wake-up by the CAN bus, other hardware
substitutions like an external interrupt based on the CAN Controller's Rx line have to be
implemented.
The application should check the return value of CanSleep() and CanWakeUp()  in
every case to get the status of the CAN Controller. If CanSleep() returns kCanFailed
the CAN controller hasn’t entered into sleep mode. If CanWakeUp() returns kCanFailed
the CAN controller has not woken up. The application has to decide how to react on this
behavior.
If sleep mode is not entered, no CAN wake-up interrupt will be generated on detection of
any message on the CAN bus. The callback function ApplCanWakeUp() will not be called
and as a consequence the bus transceiver will not be initialized. This may lead to a
deadlock. Therefore it is necessary to call CanSleep() successfully to build a wake-up
capable system.
©2010, Vector Informatik GmbH
Version: 3.01.01
55 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

There is a limitation in the access to the API in Sleep mode.

The implementation of this functionality is very hardware dependent. See also CAN
controller specific documentation TechnicalReference_CAN_<hardware>.pdf [#hw_sleep].
5.6
Special Features
5.6.1 Status
Some internal software states of the CAN Driver and hardware states of the CAN
Controller can be read by the return code of the following service function:
vuint8 CanGetStatus( void );

In detail this is the following information:
 CAN Controller is in sleep mode (CanSleep() was called)
 CAN Controller is in stop mode ( CanStop() was called )
 CAN Driver transmit path is in offline mode(CanOffline() was called)
 current error states of the CAN Controller (Error-Active, Warning, Error-Passive or Bus-
Off)
Not all of the CAN protocol specific bus states are supported by each CAN Driver. Please
refer to the CAN Controller related section of the CAN Driver documentation for details
TechnicalReference_CAN_<hardware>.pdf [#hw_status].
There are special macros to provide an easier access on the single information in the
return code. These macros are true (not equal to 0) if the specific condition is valid and
false (equal to 0) if not. The parameter of this macros is the status, i.e. the return code of
CanGetStatus():
vuint8 CanHwIsOk ( vuint8 status );
vuint8 CanHwIsWarning( vuint8 status );
vuint8 CanHwIsPassive( vuint8 status );
vuint8 CanHwIsBusOff ( vuint8 status );
vuint8 CanHwIsSleep ( vuint8 status );
vuint8 CanHwIsWakeUp ( vuint8 status );
vuint8 CanHwIsStop ( vuint8 status );
vuint8 CanHwIsStart ( vuint8 status );
vuint8 CanHwIsOffline( vuint8 status );
vuint8 CanHwIsOnline ( vuint8 status );

If the hardware status information isn’t used by the Application this part of the functionality
can be disabled.
©2010, Vector Informatik GmbH
Version: 3.01.01
56 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.6.2 Stop Mode
The function CanStop() switches the CAN controller hardware to a state in which the CAN
controller doesn’t influence the communication of other nodes on the bus. For example no
hardware acknowledge is given, messages can’t be transmitted or received. In this state
the Can controller can’t be activated by activities on the CAN bus.
The function CanStart() reactivates the CAN controller hardware again.
The implementation of this functionality is very hardware dependent. See also CAN
controller specific documentation TechnicalReference_CAN_<hardware>.pdf [#hw_stop].
5.6.3 Remote Frames
The CAN Driver ignores remote frames and doesn’t answer on a remote request.
5.6.4 Interrupt Control
The interrupt control of the CAN Driver is done by the service functions
void CanGlobalInterruptDisable( void );
void CanGlobalInterruptRestore( void );

These functions have been moved to VstdLib. Only macros for compatibility reasons are
still provided in the CAN Driver:
#define CanGlobalInterruptDisable VStdSuspendAllInterrupts
#define CanGlobalInterruptRestore VStdResumeAllInterrupts

...more information see in the technical reference of the VStdLib.
(TechnicalReference_VstdLib.pdf).
5.6.4.1
Security Level
The security levels can be used to guarantee the data consistency of a complete CAN
message during the copy process (this is a must, because the CAN Driver does not know
anything about the signal structure of the message) and the access to the notification flags
(indication and confirmation). During these operations the interrupt lock time is as short as
possible. Depending on the program scope with access to CAN message signals,
indication or confirmation flags in the Application the following actions in the CAN Driver
have to be realized without any interruption:
 Copy process for receive messages (in the scope of the receive interrupt)
 Copy process for transmit messages (in the scope of CanTransmit(..) or in a pretransmit
function)
 Set of indication and confirmation flags (in the scope of the receive and transmit
interrupt)
 Some internal mechanisms for data consistency.
Therefore different security levels are supported:

©2010, Vector Informatik GmbH
Version: 3.01.01
57 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Level
CAN Driver
Restrictions for the Application
prevention
  None
No consistency mechanisms at all. The CAN
00
driver has to be configured to polling mode.
CAN interrupts are not allowed. All CAN driver
tasks, all calls to service functions, all data and
flag access must be performed from the same
level.
10
No Flag and Copy  No usage of CAN transmit and receive signals
Security
in the interrupt context. Usage of the TxQueue
is allowed in Tx polling mode only.
No reset of notification flags in the interrupt
context
If a fully-preemptive operating system is used,
the access to the transmit data and
transmission of the data has to be done on the
same priority level. (data consistency).
20 Interrupts
are
a) Interrupt-Mode:
disabled during the
No usage of CAN receive signals and no
copy process of
reset of notification flags in the interrupt
transmit messages
context
b) Polling-Mode
Access to CAN receive signals, indication
and confirmation flags is only allowed at the
same level or at lower level than CanTask().
30
Interrupts are
No restrictions for the Application, neither on
(default)  disabled during the  the usage of CAN receive or transmit signals
copy process of
nor on the reset of notifications flags, can i.e.
transmit and
both be done at any time.
receive messages
and during the
access to the
notification flags
Figure 1: Security levels
Important
Be careful if a pretransmit function is used. Interrupts are not disabled during the call of
  this user specific function by the CAN Driver, therefore the restrictions for security level
10 are valid. If the interrupts are not disabled before and restored after the copy process
by the Application, data consistency of a CAN messages cannot be guaranteed if the
transmit queue is used..

5.6.4.2
Control of CAN interrupts
The interrupt control of the CAN Interrupts is done by the service functions
void CanCanInterruptDisable( void );
©2010, Vector Informatik GmbH
Version: 3.01.01
58 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

void CanCanInterruptRestore( void );

These service functions control the CAN Interrupts. CanCanInterruptDisable disables the
CAN interrupts and CanCanInterruptRestore restores the state of the CAN interrupts
before the call of CanCanInterruptDisable. This mechanism is accompanied with a counter
to recognize the number of calls. A “disable” increments the counter and a “restore”
decrements the counter to allow nested calls of these functions.
These functions could only be called as pair. That means that on a
CanCanInterruptDisable must follow a CanCanInterruptRestore. Otherwise the selected
interrupt(s) are always disabled.
Additionally refer to the hardware description for the specific platform
TechnicalReference_CAN_<hardware>.pdf [#hw_int] especially concerning the handling of
the wake-up interrupt. It depends on the hardware whether the wake-up interrupt is
included or not.
There are two call back functions for the application. After the CanCanInterruptDisable the
function ApplCanAddCanInterruptDisable is called and after the CanCanInterruptRestore
the function ApplCanAddCanInterruptRestore is called.
Use these two functions to handle the wake-up interrupt if the hardware treats this interrupt
separately or if the Driver runs in Polling Mode disable the polling tasks.
To activate the call back functions refer to the API description of the functions.
5.6.5 Assertions
To detect some incorrect internal conditions of the CAN Driver during development,
integration and software test, there are different categories of so called assertions
configurable:

 User interface (for example input parameters, reentrance if not allowed)
 Fatal hardware errors
 Generated data
 Internal software errors (for example inconsistent internal states)
Each type of assertion can be configured independently.
These assertions will help in different development phases to deal with unexpected
problems which cannot be handled by the CAN Driver internally. In such case the following
callback function will be called by the CAN Driver:
void ApplCanFatalError( vuint8 errorNumber );

This callback function has to be provided by the Application. The function parameter
errorNumber gives more detailed information about the kind of error which is occurred.
Generally, the error number has to be checked to solve the underlying problem.
Important
This callback function must not return to the CAN Driver afterwards.

©2010, Vector Informatik GmbH
Version: 3.01.01
59 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

The recommended usage of the different assertion categories is explained in the following
table:

User Interface
Development of Application software
Fatal hardware errors
Development of Application software
New CAN Controller used
Generated Data
New version of the Generation Tool used
Test of software changes in the Generation Tool or CAN Driver
(Vector internal)
Internal software errors
Test of software changes in the CAN Driver (Vector internal)

These checks could be very run-time intensive and should only be activated for the
development phase of the CAN Driver
The call back function ApplCanFatalError() is called with the following error codes:
In case of a user assertion:
kErrorTxDlcTooLarge
CanTransmitVarDlc() or CanDynTxObjSetDlc() called
with DLC > 8.
kErrorTxHdlTooLarge service
function called with transmit handle too large
kErrorIntRestoreTooOften
CanCanInterruptRestore() called too often
kErrorIntDisableTooOften
CanCanInterruptDisable() called too often
kErrorChannelHdlTooLarge service
function called with channel handle too large
kErrorInitObjectHdlTooLarge
CanInit() called with parameter “initObject” too large
kErrorTxHwHdlTooLarge
CanTxGetActHandle() called with logical hardware
handle too large
kErrorHwObjNotInPolling
CanTxObjTask(), CanRxFullCANObjTask() or
CanRxBasicCANObjTask() called for hardware object
which is configured to interrupt mode.
kErrorHwHdlTooSmall
CanTxObjTask(), CanRxFullCANObjTask() or
CanRxBasicCANObjTask() called for hardware object
handle too small
kErrorHwHdlTooLarge
CanTxObjTask(), CanRxFullCANObjTask() or
CanRxBasicCANObjTask() called for hardware object
handle too large
kErrorAccessedInvalidDynObj
CanGetDynTxObj(),CanReleaseDynTxObj()  or
CanDynTxObjSet...() is called with wrong transmit
handle (transmit handle too large)
kErrorAccessedStatObjAsDyn
CanGetDynTxObj(),CanReleaseDynTxObj()  or
CanDynTxObjSet...() is called with wrong transmit
handle (transmit handle belongs to a static object)
kErrorDynObjReleased
UserConfirmation() or UserPreTransmit() is called for a
dynamic object which is already released.
kErrorPollingTaskRecursion
CAN Driver Polling tasks (Can...Task()) are called
©2010, Vector Informatik GmbH
Version: 3.01.01
60 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

recursive or interrupt each other.
kErrorDisabledChannel
Service function called for disabled channel on systems
with multiple configurations.
kErrorDisabledTxMessage
CanCancelTransmit() or CanTransmit() called with
txHandle that is not active in the current configuration.
(Physical multiple ECU)
kErrorDisabledCanInt
CanSleep() or CanWakeUp() is called with disabled
CAN Interrupts (via CanCanInterruptDisable()).
kErrorCanSleep
CanStop(), CanCanInterruptDisable() or
CanCanInterruptRestore() called during Sleep mode, or
offline mode is not active during sleep mode.
kErrorCanOnline
CanSleep() or CanStop() is called without offline mode.
kErrorCanStop
CanSleep() is called during Stop mode or offline mode
is not active during Stop mode.
kErrorWrongMask
CanSetTxIdExtHi() is called with illegal mask (mask
higher than 0x1F).
kErrorWrongId
CanDynTxObjSetId() or CanDynTxObjSetExtid() is
called with illegal ID (standard ID higher than 0x7ff or
extended ID higher than 0x1FFFFFFF).
In case of a generation assertion:
kErrorTxROMDLCTooLarge
Error in generated table of transmit DLCs
In case of a hardware assertion:
kErrorTxBufferBusy
HW transmit object is busy, but this is not expected
In case of a internal assertion:
kErrorTxHandleWrong
saved transmit handle has an unexpected value
kErrorInternalTxHdlTooLarge
internal function called with parameter tx handle too
large
kErrorRxHandleWrong
The variable rx handle has an illegal value.
kErrorTxObjHandleWrong
The handle of the hardware transmit object has an
illegal value.
kErrorReleasedUnusedDynObj
CanReleaseDynTxObj() is called for an object which is
already released.
kErrorTxQueueToManyHandle
The data type of the Tx Queue cannot handle all tx
messages.
kErrorInternalChannelHdlTooLarge Static function called with channel handle too large or
calculated channel handle too large.
kErrorInternalDisabledChannel
Static function called for disabled channel on systems
with multiple configurations.
kErrorInternalDisabledTxMessage Confirmation called with txHandle that is not active in
the current configuration. (Physical multiple ECU)

See the CAN Controller specific part of the CAN Driver documentation
TechnicalReference_CAN_<hardware>.pdf [#hw_assert] to get the list of additional
hardware specific error numbers for each CAN Driver.
©2010, Vector Informatik GmbH
Version: 3.01.01
61 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.6.6 Hardware Loop Check
There are two kinds of handling loops in the CAN Driver internally. The first one uses a
counter or other mathematics algorithms to abort the loop. The second one uses hardware
information from the CAN Controller to abort the loop.
Some of these state transitions have to be done by two steps:
1. Request
2. Acknowledge
In the first step the request for a specific action (e.g. re-initialization of the CAN Controller)
is set but generally it cannot be entered immediately because of the prerequisite that the
CAN bus has to be in idle state, i.e. waiting for a recessive CAN bus level. In normal
operation the described behavior is non-critical. However, an exception is a malfunction of
the hardware. If the hardware is damaged or disturbed for a longer time, this loop may be
too long or even endless and is finally stopped by a watchdog reset. Because of this
restrictive error recovery the complete software functionality is affected, nothing can be
done to prevent the repetition and additionally it is not possible to store any error specific
diagnostic information, i.e. the problem cannot be checked later.
To avoid those kinds of endless loops, the user can configure a special loop control. This
has to be handled by the Application. It cannot be done by the CAN Driver itself because it
is hardware dependent.
Therefore the Application is informed once by the following callback function if such a
critical loop is entered:
void ApplCanTimerStart( vuint8 timerIdentification );

This callback function starts a timer realized by the Application. The recommended timer
handling is counting downwards to zero because of faster code on most microprocessors.
The parameter identifies the timer, i.e. the kind of loop. It is necessary to identify the loop
type because the corresponding start value has to be set. Beside of this, different (not the
same) loops can be started re-entrant and so the Application has to provide one timer for
each kind of loop. The list of necessary timers is pre-defined by the CAN Driver and
depends on the CAN Controller. Please refer to CAN Controller specific documentation for
a detailed list TechnicalReference_CAN_<hardware>.pdf [#hw_loop].
During the loop wait state a second callback function is called repeatedly to control the
break condition for the loop by the Application:
vuint8 ApplCanTimerLoop( vuint8 timerIdentification );

This callback function returns the status of the corresponding timer to the CAN Driver. The
return code must be TRUE (not equal to 0) if the timer is still running and FALSE (equal to
0) if the timer has expired. In this case the CAN Driver loop will be left immediately. The
Application must be aware of a serious problem in the hardware and the following actions
have to be done:
 Store diagnostics information
 Switch off transmit (CanOffline()) and receive path of the CAN Driver
©2010, Vector Informatik GmbH
Version: 3.01.01
62 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  Re-initialization of the CAN Driver (CanInit()). This may lead to the next loop control
failure, therefore it has to be limited and in case of a permanent severe hardware
problem a special limp home state has to be foreseen.
If the loop is terminated, a third callback function is provided to stop the previously started
loop control timer:
void ApplCanTimerEnd( vuint8 timerIdentification );

Important
Be aware of the priorities of the timer interrupt routine and the CAN interrupt routine. If
  the priority of the timer interrupt is below the CAN Interrupt priority the timer value for the
loop check may not be changed anymore while a CAN interrupt routine is running.

5.6.7  Support of OSEK-Compliant Operating Systems
If an OSEK operating system is used (ISR category 2), the hard-coded interrupt routines
for receiving, transmitting, error and wake-up are replaced by the ISR macro. In this case
an OSEK-specific header has to be included in can_inc.h to provide this macro.
5.6.8  Multiple-Channel CAN Driver
There are two different kinds of multiple-channel CAN Drivers: Sometimes two CAN
Controllers are used by one ECU on the same CAN bus, to increase the number of receive
and transmit objects. Logically, they can be conceived as a single CAN Controller. This
behavior is described in the chapter Common CAN.   more...
Usually, two (or more) CAN Controllers are used to serve different CAN networks, for
example in gateways.

5.6.8.1
Indexed CAN Driver
Indexed CAN Drivers work on more than one CAN bus without doubling of code. Function
names are equal to single channel (standard) CAN Driver. Function parameter are different
in many cases.
Switches in can_cfg.h are without a suffix but with effect to all CAN channels.

5.6.9  Standard Polling Mode
In polling mode no interrupts are used. Instead of interrupts the Application has to call
cyclic service functions in the CAN Driver, to work on transmit and receive messages as
well as other asynchronous events. This cyclic service function is
void CanTask ( void );

and calls all needed service functions for transmission, reception, error and wake-up which
can also be polled separately by the following service functions:
void CanRxBasicCANTask ( void );
void CanRxFullCANTask   ( void );
void CanTxTask ( void );
©2010, Vector Informatik GmbH
Version: 3.01.01
63 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

void CanErrorTask   ( void );
void CanWakeUpTask ( void );

The transmission and the reception of CAN messages can be served by interrupt or by
polling separately. Several configurations for polling are available:
  Full CAN Receive objects (for Full CAN Controllers only)
  Basic CAN Receive Objects
  Transmit objects
  Errors
  Wake-Up

5.6.9.1
Application Hints
Concerning the transmit polling the handling depends on the configuration of transmit
queue and the confirmation notification:
  No transmit queue but confirmation flags and/or confirmation functions are configured:
The CanTxTask() has to be called cyclically as fast as the confirmation notification is
needed or before CanTransmit() is called to release the CAN Controller hardware
transmit register.
  Transmit queue is configured: CanTransmit() puts only a transmit request into the
transmit queue. CanTxTask() transmits the messages on the CAN bus and does the
confirmation as well. Therefore CanTxTask() has to be called as fast as confirmation is
needed and the messages should be transmitted.
5.6.10  Handling of different identifier types
Every Vector CAN Driver supports per default only the standard mode using 11 bits for a
CAN identifier. In addition to this standard mode, some Vector CAN Drivers also support
the feature of extended mode using 29 bits for a CAN identifier.
Depending on the selected mode (standard or extended CAN identifiers) the Generation
Tool switches to the correct initialization structures used for the corresponding mode. The
type and number of supported search algorithms depends on the mode. Four different
CAN Driver configurations are possible:

  Standard mode (only 11 bit CAN identifier)
  Extended mode for the normal receive path of single CAN messages (only 29 bit CAN
identifier)
  Mixed mode (11 bit and 29 bit CAN identifier mixed on one CAN bus)
  For indexed drivers a bus dependent mode (11 bit CAN identifier on one and 29 bit CAN
identifier on the other CAN bus).
©2010, Vector Informatik GmbH
Version: 3.01.01
64 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

5.6.11  Copying Mechanisms
CanCopyToCan or CanCopyFromCan are hardware/compiler dependent functions that are
provided to optimize copying of data from/to the CAN hardware buffer.
Info
CanCopyFromCan should only be used within a precopy function. CanCopyToCan
  should only be used within a pretransmit function.

5.6.12  Common CAN
Common CAN is a special feature which is available only on request and on systems with
2 or more CAN controllers. The idea of this feature is to map different HW channels into
one application channel.
When Common CAN is activated additional receive FullCAN messages can be configured
on a channel. This is realized by using a second CAN controller for the same channel. The
first CAN controller (CAN A) supports Tx, Rx Full CAN and Rx Basic CAN. The second
CAN controller (CAN B) supports Rx Full CAN. Both CAN controllers have to be connected
to the same CAN bus. The API is always ‘Multiple Receive Channel’.

To enable the Common CAN feature activate the corresponding checkbox in the channel
settings.

First select the messages handled in Full CAN objects. Then select the “Hardware
Channel” to be used to receive the full CAN message.

Please note that the messages received on CAN B of the Common CAN must be filtered
out with the Basic CAN mask.

5.6.13  Multiple ECU
The feature Multiple ECU is usually used for nodes that exist more than once in a car with
only a few differences. At power up the application decides which node should be realized,
e.g. left passenger door, or right driver door.
To reduce the memory consumption messages that are sent exclusively from one node
can be overlapped with the exclusively sent messages from the other nodes. The result of
this overlapping is that all these messages share a common memory location for the
transmit data.

5.6.14  Signal Access Macros
Signal access macros are function like macros, to access signals within a message. They
can be used by the application for an easy access to signals. The generation of signal
value access macros can be enabled or disabled. If enabled, the Generation Tool
generates access macros using the signal names from the communication data base with
respect to prefixes or post-fixes defined in the Names tab.

©2010, Vector Informatik GmbH
Version: 3.01.01
65 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 5-13 Name of signal access macros
For each signal an access macro is formed from the signal name in the CAN database, a
signal variable prefix (access via signal structures or byte/word commands), a signal
prefix, a signal postfix, and a signal variable postfix. Prefixes and postfixes can be
configured by the user in the generator program. To assure better readability, it is
advisable not to use all four prefixes and postfixes simultaneously.
The access macros for the CAN receive buffer get an extended prefix CAN_. Within
Precopy and Pretransmit routines these macros serve to access the CAN controller's CAN
receive and transmit buffer on a signal basis.

5.6.15 CAN RAM Check
The CAN driver supports a check of the CAN controller’s mailboxes. The CAN controller
RAM check is called internally every time the function CanInit() is called. The CAN driver
verifies that no used mailboxes is corrupt. A mailbox is considered corrupt if a predefined
pattern is written to the appropriate mailbox registers and the read operation does not
return the expected pattern. If a corrupt mailbox is found the function
ApplCanCorruptMailbox() is called. This function tells the application which mailbox is
corrupt.
After the check of all mailboxes the CAN driver calls the callback function
ApplCanMemCheckFailed() if at least one corrupt mailbox was found. The application
must decide if the CAN driver disables communication or not by means of the callback
function’s return value. If the application has decided to disable the communication there is
no possibility to enable the communication again until the next call to CanInitPowerOn().
The CAN RAM check functionality itself can be activated via Generation Tool. This include
the callback ApplCanMemCheckFailed(). The callback ApplCanCorruptMailbox() can only
be activated via a user configuration file.
©2010, Vector Informatik GmbH
Version: 3.01.01
66 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

6  Detailed Description of the Functional Scope (High End extension)
6.1  Transmission
6.1.1  Low-Level Message Transmit
Using a multiple channel CAN Driver the routing of complete CAN messages from one
CAN Bus to another one is supported by the function
vuint8 CanMsgTransmit(...);
This function has a parameter with a pointer to a CAN Message Buffer. So it is possible to
route the whole buffer from one CAN chip to the other one. To prevent a conflict with the
functional messages, this function uses an own send buffer (If an additional buffer is
available in the CAN Controller).
A special confirmation function and an initialization callback function are called.
void ApplCanMsgTransmitConf(...); within confirmation interrupt
void ApplCanMsgTransmitInit(...); within CanInit
These functions can be used by the application to implement a data queue mechanism.
There is no internal transmit queue for this transmit object available.

CanMsgTransmit() can also be used for dynamic transmission. Therefore the CAN driver
supports macros to write standard ID or extended ID, DLC and data to the structure:

CanMsgTransmitSetStdId (...)
CanMsgTransmitSetExtId (...)
CanMsgTransmitSetDlc (...)
CanMsgTransmitSetData (...)

6.2  Reception
6.2.1  Multiple Basic CAN
To improve efficiency of the hardware filtering and reduce the interrupt load produced by
reception of unwanted messages, the number of Hardware Basic CAN objects can be
changed in the Generation Tool. Each Hardware Basic CAN object has it’s own filter.
Increasing the number of Basic CAN objects will reduce the number of available Full CAN
objects (Rx and Tx).
This feature is only available for Full CAN controllers.
6.2.2  Rx Queue
The Rx Queue is a data queue which stores receive messages if the application does not
want to process them within the interrupt context. In some applications it may happen that
the run time in the receive interrupt becomes too long. This leads to long interrupt
latencies and possible loss of messages. The Rx Queue may help in these cases. If the
Rx Queue is configured the received messages are copied into this queue in the interrupt
©2010, Vector Informatik GmbH
Version: 3.01.01
67 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

context. The handling of the queued messages is done on task level. Messages which are
received by means of a RangePrecopy can also be copied into the queue or handled in
the interrupt context.
In order to handle the queued messages the application has to call cyclically a CAN Driver
function which checks for queued messages and processes them.
If Precopy and Indication functions are used for application messages, be aware that they
are not called in interrupt context any more.
By using the Rx Queue the runtime in the Rx interrupt is decreased. The average runtime
of the application is increased because of the overhead for handling the queue.
Please note
In case a range is configured to be handled via the Rx Queue, the return code of the
RangePrecopy for this range is ignored.
6.2.2.1 Handling in Receive Interrupt
During the receive interrupt the CAN Driver calls the callback function
ApplCanPreRxQueue() after the range or search algorithm match in order to let the
application decide whether the received message is processed within the interrupt or has
to be entered into the Rx queue. The function ApplCanPreRxQueue() is only called if
configured. Otherwise all received messages are handled by the Rx queue. If the Rx
Queue is full the CAN Driver notifies the application by calling the callback function
ApplCanRxQueueOverrun() (if configured) and discards the received message. After the
message was copied into the Rx queue the Rx interrupt is terminated.
©2010, Vector Informatik GmbH
Version: 3.01.01
68 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Receive message
(hardware filtering)
Hardware Level
Enter
Rx Interrupt Level Start
Receive Interrupt
ApplCanMsgReceived
(CanRxInfoStructPtr)
SW Range
entered
yes
no
Queue
yes
configured
no
Normal receive-interrupt
Range Precopy
ApplCanPreRxQueue
with SW message search
Indexed,
Function
(CanRxInfoStructPtr)
Hash,
Linear
ApplCanPreRxQueue
(CanRxInfoStructPtr)
Return
kCanCopyData
Return
yes
yes
kCanCopyData
no
Write FIFO
Write FIFO
Handle
Handle
normal receive-interrupt
no
Id
Id
with Message Precopy,
DLC
DLC
data copy mechanism,
Data
Data
Indication Function / Flags
yes
Exit
Rx Interrupt Level End

Figure 6-1 Handling of the Rx queue within the receive routine.
6.2.2.2 Handling on Task Level
In order to process the messages pending in the Rx queue the application has to call the
function CanHandleRxMsg(). This function processes all messages in the queue. The
processing of the messages is done in the same way like in the Rx interrupt. That means
©2010, Vector Informatik GmbH
Version: 3.01.01
69 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

for each message the Generic Precopy and the UserPrecopy are called. After that the
message data are copied into the RAM buffer and than the Indication Flag is set and the
UserIndication function is called. The last step is to delete the processed message from
the Rx queue.
CanHandleRxMsg()
Task Level Start
Read FIFO
Handle
Id
DLC
Data
SW Range
no
entered
yes
normal receive-interrupt
Range Precopy
with Message Precopy,
Function
data copy mechanism
Clear FIFO
Clear FIFO
Handle
Handle
Id
Id
DLC
DLC
Data
Data
Indication Function / Flags
Exit
Task Level End

Figure 6-2 Handling of the Rx queue on task level.
6.2.2.3 Resetting the Rx Queue
The CAN Driver provides the function CanDeleteRxQueue() to delete all messages
pending in the Rx Queue
©2010, Vector Informatik GmbH
Version: 3.01.01
70 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

6.3  Special Features
6.3.1  Individual Polling
Each mailbox (BasicCAN Rx, FullCAN Rx, FullCAN Tx, low level Tx and normal Tx) can be
selected to be polled or treat in interrupt context. This also provides the possibility to use
interrupt mode on one channel and polling mode on the other.
The polling tasks of the standard polling mode are still available. The CAN Driver provides
additional service functions to poll each mailbox individual.
void CanRxBasicCANObjTask ( ... );
void CanRxFullCANObjTask   ( ... );
void CanTxObjTask   ( ... );
These functions have the number of the mailbox and the hardware channel as parameter.
For both parameters, symbolic names are generated.
CanTask(),  CanErrorTask() and CanWakeUpTask() are available in this polling
mode, too.
©2010, Vector Informatik GmbH
Version: 3.01.01
71 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

7 Feature List (Standard and High End)
This general feature list describes the overall feature set of Vector CAN Drivers. Not all of
these features are mandatory for all CAN Drivers. Please refer to the CAN Controller
dependent CAN Driver manual for details TechnicalReference_CAN_<hardware>.pdf
[#hw_feature].

CAN Driver Functionality

Standard
HighEnd
Functions
Initialization

Power-On Initialization


CanInitPowerOn
Re-Initialization


CanInit

Transmission

Transmit Request


CanTransmit
Transmit Request Queue



Internal data copy mechanism



Pretransmit functions


UserPreTransmit
Common confirmation function


ApplCanTxConfirmation
Confirmation flag



Confirmation function


UserConfirmation
Offline Mode


CanOnline, CanOffline
Partial Offline Mode
CanOnline, CanPartOffline,


CanGetPartMode
Passive-Mode
CanSetActive,


CanSetPassive
Tx Observe mode
ApplCanInit,


ApplCanTxObjStart,
ApplCanTxObjConfirmed
Dynamic TxObjects
ID


CanDynTxSet(Ext)Id

DLC


CanDynTxSetDlc

Data-Ptr


CanDynTxSetDataPtr
Full CAN Tx Objects

Cancellation in Hardware
CanCancelTransmit,

CanCancelMsgTransmit
Low Level Message Transmit


CanMsgTransmit

Reception

Receive function


ApplCanMsgReceived
Search algorithms
Linear



Table

Index



Hash



©2010, Vector Informatik GmbH
Version: 3.01.01
72 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Range specific precopy functions
ApplCanRangeXxxPrecopy
4
4
Xxx .. 0,1,2,3
DLC check


ApplCanMsgDlcFailed
Internal data copy mechanism



Generic precopy function


ApplCanGenericPrecopy
Precopy function


UserPrecopy
Indication flag



Indication function


UserIndication
Message not matched function


ApplCanMsgNotMatched
Overrun Notification


ApplCanOverrun
Full-CAN overrun notification

ApplCanFullCanOverrun
Multiple Basic CAN



Rx Queue
CanHandleRxMsg,


CanDeleteRxQueue

Bus off

Notification function


ApplCanBusOff
Nested Recovery functions
CanResetBusOffStart,


CanResetBusOffEnd

Sleep Mode

Mode Change

CanSleep, CanWakeUp
Preparation


CanResetBusSleep
Notification function

ApplCanWakeUp

Special Feature

Status


CanGetStatus
Security Level



Assertions


ApplCanFatalError
Hardware loop check
ApplCanTimerStart


ApplCanTimerLoop
ApplCanTimerEnd
Stop Mode

CanStart, CanStop
Support of OSEK operating system



Standard Polling Mode
Tx


CanTxTask

Rx(Full CAN objects)

CanRxFullCANTask

Rx(Basic CAN objects)


CanRxBasicCANTask

Error


CanErrorTask

Wakeup

CanWakeUpTask
Individual Polling
CanTxObjTask,


CanRxFullCANObjTask,
CanRxBasicCANObjTask
Multi-channel



Support extended ID addressing mode



Support mixed ID addressing mode



Support access to error counters
CanRxActualErrorCounter


CanTxActualErrorCounter
©2010, Vector Informatik GmbH
Version: 3.01.01
73 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Copy functions
CanCopyFromCan,


CanCopyToCan
CAN RAM check


ApplCanMemCheckFailed
Figure 2: Feature List
   feature is supported in general (exceptions might be possible if a CAN controller is not able to support a
feature.

feature is not implemented for each hardware because different CAN controller doesn’t support this
feature.

©2010, Vector Informatik GmbH
Version: 3.01.01
74 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8  Description of the API (Standard)
The complete Standard CAN Driver API is described in this section.
8.1
API Categories
Depending on the number of supported channels, i.e. the number of connected CAN
networks to one ECU, the API of the CAN Driver is realized as "Single Channel" or
"Multiple Channel" with additional channel specific information.
8.1.1  Single Receive Channel (SRC)
A “Single Receive Channel” CAN Driver supports one CAN channel.
8.1.2  Multiple Receive Channel (MRC)
A "Single Receive Channel" CAN Driver is typically extended for multiple channels by
adding an index to the function parameter list (e.g. CanOnline() becomes to
CanOnline(channel)) or by using the handle as a channel indicator (e.g.
CanTransmit(txHandle)).
©2010, Vector Informatik GmbH
Version: 3.01.01
75 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.2
Data Types
The following general data types are defined by the CAN Driver:

vbittype
canbittype
Single bit information
vuint8
canuint8
unsigned 8 bit (byte) value
vuint16
canuint16
unsigned 16 bit (word) value
vuint32
canuint32
unsigned 32 bit (dword) value
vsint8
cansint8
signed 8 bit (byte) value
vsint16
cansint16
signed 16 bit (word) value
vsint32
cansint32
signed 32 bit (dword) value

There are special data types to reference specific generated data structures:
CanInitHandle Initialization
parameters
CanReceiveHandle Receive
parameters
CanTransmitHandle Transmit
parameters
CanChannelHandle
Channel parameters ( only available in indexed CAN Drivers )

Some data types are referencing the CAN Controller registers
CanChipDataPtr
Receive and transmit data register of the CAN Controller
CanChipMsgPtr
Complete receive and transmit message objects including CAN
identifier and DLC
Some data types are only available in Single Receive Channel and Multiple Receive
Channel CAN Drivers
typedef volatile struct
Structure with transmit information.
{

CanChipDataPtr     pChipData;
pChipData is the pointer to the transmit data bytes
CanTransmitHandle Handle;
in the CAN controller.
} CanTxInfoStruct;
Handle of the transmit message.

typedef volatile struct
Structure with receive information:
{
Channel from which the precopy is called.
CanChannelHandle   Channel;
pChipMsgObj is the pointer to the CAN Controller
CanChipMsgPtr     pChipMsgObj;
Receive Register. If there are several receive
objects with different memory addresses available,
CanChipDataPtr     pChipData;
pChipMsgObj contains the pointer to the dedicated
CanReceiveHandle   Handle;
receive object to get some information like CAN
} tCanRxInfoStruct;
identifier or DLC of the received message directly
out of the CAN Controller registers.

pChipData is the pointer to the received data bytes.
©2010, Vector Informatik GmbH
Version: 3.01.01
76 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Handle of the received message.
CanRxInfoStructPtr
Pointer to structure with receive information.

8.3
Constants
This information is stored in ROM.
8.3.1  Version Number
kCanMainVersion and kCanSubVersion contains the BCD coded version of the CAN
Driver:

kCanMainVersion
Main version of the CAN Driver (BCD coded in a vuint8 constant
variable)
kCanSubVersion
Sub version of the CAN Driver (BCD coded in a vuint8 constant
variable)
kCanBugFixVersion Release version of the CAN Driver (BCD coded in a vuint8
constant variable)

Example
A version number 2.31.00 is coded as 0x02 in kCanMainVersion, 0x31 in
  kCanSubVersion and 0x00 in kCanBugFixVersion.

8.4
Macros
8.4.1  Conversion between Logical and Hardware Representation of CAN
Parameter DLC
These macros are used to convert the CAN protocol specific parameter DLC between the
logical presentation (DLC: 0..8) and the CAN Controller dependent, internal register layout
of different CAN Controllers.
They are normally used by the Generation Tool for the initialization of the node specific
control structures but they are available also for the Application, if necessary.
The MK_... macros are converting from the logical to the CAN Controller dependent
representation:
MK_TX_DLC(dlc)
Conversion of transmit DLC, if associated CAN message has
standard identifier

The following macro is only allowed to be used if extended CAN identifiers are used:
MK_TX_DLC_EXT(dlc)  Conversion of transmit DLC if associated CAN message has an
extended identifier

The XT_... macro is converting from the CAN Controller dependent to the logical
presentation:
©2010, Vector Informatik GmbH
Version: 3.01.01
77 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

XT_TX_DLC(dlc)
Conversion of transmit DLC independent of identifier type

8.4.2  Direct Access to the CAN Controller Registers
These macros are defined by the CAN Driver to provide the access on CAN protocol
specific parameters like CAN identifier and DLC currently available in the CAN Controller.
To assign these information to a previously received message they are only valid in the
callback function ApplCanMsgReceived() or in user specific precopy functions. Only in this
scope there is a clear reference on receive messages possible and data in the CAN
Controller receive registers are still locked. They are referencing either on the CAN
Controller register or on the software shadow buffer of the CAN Driver, if used. The
parameter rxStruct is only available for Single Receive Channel and Multiple Receive
Channel Drivers and is the pointer to the receive information structure.
CanRxActualId(rxStruct)
Read identifier in logical presentation (0h..7FFh for
standard identifier or 0h..1FFFFFFFh for extended
identifier).
In case of mixed identifier, the macro
CanRxActualIdType can be used to decide whether
the CAN identifier is in standard or extended
format.
CanRxActualIdType(rxStruct) Read the format type of the CAN identifier
kCanIdTypeStd  standard
format
kCanIdTypeExt  extended
format
CanRxActualDLC(rxStruct)
Read DLC in logical presentation (0..8)
CanRxActualData(rxStruct,i) Read Data in logical presentation. i is the position
of the byte (0..7).
CanRxActualErrorCounter(
Read current status of the receive error counter. In
channel)
use of microcontrollers without an readable error
counter, this macro returns always 0.
CanTxActualErrorCounter(
Read current status of the transmit error counter. In
channel)
use of microcontrollers without an readable error
counter, this macro returns always 0.

The following macros are only available if extended CAN identifiers are used:
CanRxActualIdExtHi(
Read the bit 24 to 29 of the extended identifier in
rxStruct)
logical presentation
CanRxActualIdExtMidHi(
Read the bit 16 to 23 of the extended identifier in
rxStruct)
logical presentation
CanRxActualIdExtMidLo(
Read the bit 8 to 15 of the extended identifier in
rxStruct)
logical presentation
CanRxActualIdExtLo(
Read the bit 0 to 7 of the extended identifier in
rxStruct)
logical presentation

To write CAN protocol specific parameters like CAN identifier and DLC the to the CAN
controller there are some macros available. The parameter txStruct is only available for
©2010, Vector Informatik GmbH
Version: 3.01.01
78 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Single Receive Channel and Multiple Receive Channel Drivers and is the pointer to the
transmit information structure.
CanTxWriteActId(txStruct,
Write the parameter id in standard format and in
id)
logical presentation to the hardware.
CanTxWriteActDLC(rxStruct,  Write the DLC in logical presentation (0..8)
dlc)

The following macro is only available if extended CAN identifiers are used:
CanTxWriteActExtId(
Write the parameter id in extended format and in
txStruct,id)
logical presentation to the hardware.

8.4.3  Interpretation of the CAN Status
The following macros are used to decode the return code of CanGetStatus() (TRUE
means not equal to zero):
CanHwIsOk(state)
This macro returns TRUE, if the status of the CAN
Controller is Error-Active.
CanHwIsWarning(state) This macro returns TRUE, if the status of the CAN
Controller is Warning (at least one error counter is equal or
higher than 96).
CanHwIsPassive(state) This macro returns TRUE, if the status of the CAN
Controller is Error-Passive.
CanHwIsBusOff(state)  This macro returns TRUE, if the status of the CAN
Controller is Bus-Off. This information is only temporary. The
time when this status changes from TRUE to FALSE
depends on the CAN controller. This could be after the CAN
controller has resynchronized on the bus regardless of the
Busoff recovery by the Application. This could also be after
CanResetBusoffStart() is called or after
CanResetBusoffEnd() is called.
Hint: Busoff detection has to be performed with
ApplCanBusoff().
CanHwIsWakeup(state)  This macro returns TRUE, if the CAN Controller is not in
sleep mode.
CanHwIsSleep(state)
This macro returns TRUE, if the CAN Controller is in sleep
mode.
CanHwIsStart(state)
This macro returns TRUE, if the CAN Controller is not in
stop mode.
CanHwIsStop(state)
This macro returns TRUE, if the CAN Controller is in stop
mode.
CanIsOnline(state)
This macro returns TRUE, if the CAN Driver is online.
CanIsOffline(state)
This macro returns TRUE, if the CAN Driver is offline.

©2010, Vector Informatik GmbH
Version: 3.01.01
79 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Not all CAN Controllers support all of the hardware dependent states. Please refer to the
CAN Controller specific documentation TechnicalReference_CAN_<hardware>.pdf
[#hw_status] for details.
8.4.4 Access to low level transmit structure
These macros are defined by the CAN driver to fill the set the data to be transmitted with
CanMsgTransmit():
CanMsgTransmitSetStdId( Write the parameter id in standard format and in logical
tCanMsgTransmitStruct
presentation to the structure txData.
*txData, vuint16 id)
CanMsgTransmitSetExtId( Write the parameter id in extended format and in logical
tCanMsgTransmitStruct
presentation to the structure txData.
*txData, vuint32 id)
CanMsgTransmitSetDlc(
Write the DLC in logical presentation (0..8)
tCanMsgTransmitStruct
*txData, vuint8 dlc)
CanMsgTransmitSetData(
Write the data bytes to be transmitted to the structure
tCanMsgTransmitStruct
txData. nrDataBytes specifies the number of bytes to be
*txData, vuint8
copied (e.g. same as the DLC, max. 8). txDataBytes
nrDataByte, vuint8
points to the current location where the data has to be
*txDataBytes)
copied from.

8.5
Functions
This chapter contains a description of the CAN Driver functions (services, callbacks and
user specifics) and the appropriate parameters and return codes. The function declarations
are given in C syntax as explained below:
vuint8 CanTransmit( CanTransmitHandle txObject );
 vuint8 is the type of the return code
 CanTransmit is the name of the function
 CanTransmitHandle is the type of the function parameter
 txObject is the function parameter.
©2010, Vector Informatik GmbH
Version: 3.01.01
80 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.1  Service Functions
8.5.1.1  CanInitPowerOn
CanInitPowerOn
Prototype
Single Receive Channel
void CanInitPowerOn ( void )
Multiple Receive Channel
Parameter
-
-
Return code
-
-
Functional Description
The service function CanInitPowerOn() initializes the CAN Controller and the CAN Drivers internal
variables. The CAN Driver is always set to online mode and active operating state.
Particularities and Limitations
  This service function has to be called before any other CAN Driver function. The interrupts have to
be disabled during this service function is called.
  For indexed CAN Drivers every channel is initialized with kCanInitObj0.

8.5.1.2
CanInit
CanInit
Prototype
Single Receive Channel
void CanInit ( CanInitHandle initObject )
Multiple Receive Channel
void CanInit ( CanChannelHandle channel, CanInitHandle
initObject )
Parameter
initObject
Handle of an initialization structure. The generated macros should be
used:
kCanInitObjX  (with X = 1 ... Number of generated initialization structures)
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
Initialization of the CAN Controller hardware. It is used to cancel pending transmit requests in the CAN
Controller transmit register and to change the baud rate or the hardware acceptance filters.
Online/Offline mode and Active/Passive state will not be changed.
Particularities and Limitations
©2010, Vector Informatik GmbH
Version: 3.01.01
81 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  During the call of CanInit(..), the CAN Driver has to be in offline mode.
  CanInit(..) is not reentrant and therefore must not be called recursively.
  CanInit(..) must not be interrupted by CanReset...(..), CanSleep(..), CanWakeUp(..)
or by any CAN interrupt service routine and vice versa.
  CanInit(..) must not interrupt the confirmation interrupt and must not be called in the
confirmation or indication function.

8.5.1.3  CanTransmit
CanTransmit
Prototype
Single Receive Channel
vuint8 CanTransmit ( CanTransmitHandle txObject )
Multiple Receive Channel
Parameter
txObject
Handle of the transmit object
Return code
kCanTxOk
The transmit request was accepted by the CAN Driver
kCanTxFailed
Error code because one of the following conditions:
  Transmit request could not be passed to the CAN Controller because
the transmit registers are busy (only if there is no transmit queue
used)
  CAN Driver's transmit path is in offline mode
  Special hardware conditions of the CAN Controller (e.g. the sleep
mode was entered; failed synchronization on the CAN bus)
kCanTxPartOffline
Error code because the transmit path of the CAN driver is in partial
offline mode for this transmit object.
Functional Description
The service function CanTransmit(..) checks if a transmit register in the CAN Controller is
available. If so, the transmit process is initiated in the CAN Controller and kCanTxOk is returned. If not
and if there is no transmit queue configured, the function call returns with the error code
kCanTxFailed or kCanTxPartOffline. For a CAN Driver with a configured transmit queue; the
transmit request is marked in the queue and kCanTxOk is returned. Only the transmit request is saved
but not the associated data. As soon as one of the CAN Controller transmit registers becomes
available (successful transmission of the previous transmit request), the next transmit request with the
highest priority (lowest CAN identifier) in the transmit queue will be serviced.
By the parameter txObject all information for transmission (CAN identifier, DLC, location and length
of data, etc...) can be taken from the CAN Driver description data. They will be copied to the CAN
Controller and the transmit process is started. The message will be actually transmitted on the CAN
bus after a successful arbitration of the CAN protocol.
After a successful transmission a CAN message (at least one other CAN bus node gives an
acknowledge) the confirmation notification (a flag will be set or a user specific function will be called)
are executed in the scope of the CAN transmit interrupt routine.
Particularities and Limitations
©2010, Vector Informatik GmbH
Version: 3.01.01
82 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

 CanTransmit(..) supports the Network Management which can enable or disable the CAN
Driver's transmit path by means of the CAN Driver service functions CanOnline() and
CanOffline(). No distinction is made between Network Management and Application messages.
In the offline mode, the transmit request is rejected with an error code.
 For CAN Controllers with priority controlled transmit queue (hardware or software) the sequence of
transmission may deviate from the call sequence of CanTransmit(..) because the transmit
queues are handled according to priorities (lowest CAN identifier first) and not according to the
chronological order of the entries in the queue (FIFO).
 The generated handles should be used to reference the transmit objects. The names consist of the
message symbol, a prefix and a postfix. Fixed rules are used to build these names. For more
details please refer to the user manual of the Generation Tool

8.5.1.4
CanTask
CanTask
Prototype
Single Receive Channel
void CanTask ( void )
Multiple Receive Channel
Parameter
-
-
Return code
-
-
Functional Description
The service function CanTask() does polling of error events, receive objects, transmit objects and
wake-up events in the CAN Controller according to the configured polling mode. In multiple channel
drivers the CanTask() handles all channels.
Particularities and Limitations
 CanTask() must not run on higher priority than other CAN functions.
 CanTask() is available, if any polling mode is configured for the CAN Driver
 CanTask() is also available for some CAN Controllers if cancellation in hardware is configured.
See more about that in the CAN Controller specific documentation
TechnicalReference_CAN_<hardware>.pdf [#hw_cancel] .

8.5.1.5 CanTxTask
CanTxTask
Prototype
Single Receive Channel
void CanTxTask ( void )
Multiple Receive Channel
void CanTxTask ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
©2010, Vector Informatik GmbH
Version: 3.01.01
83 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Functional Description
The service function CanTxTask() does polling of transmit objects in the CAN Controller.
Confirmation functions will be called and confirmation flags will be set. If the transmit queue is
configured, this service function additionally transmits the queued messages.
Particularities and Limitations
 CanTxTask() is available, if the general polling mode or the transmit polling mode is configured.
 CanTxTask() is also available for some CAN Controllers if cancellation in hardware is configured.
See more about that in the CAN Controller specific documentation
TechnicalReference_CAN_<hardware>.pdf [#hw_cancel] .

8.5.1.6
CanRxFullCANTask
CanRxFullCanTask
Prototype
Single Receive Channel
void CanRxFullCANTask ( void )
Multiple Receive Channel
void CanRxFullCANTask ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanRxFullCanTask() does polling of Full CAN receive objects (if available)
according to the configured polling mode.
Particularities and Limitations
 CanRxFullCanTask() must not run on higher priority than other CAN functions.
 CanRxFullCanTask() is available if the Full CAN receive polling mode is configured.

8.5.1.7
CanRxBasicCANTask
CanRxBasicCANTask
Prototype
Single Receive Channel
void CanRxBasicCANTask ( void )
Multiple Receive Channel
void CanRxBasicCANTask ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanRxBasicCANTask() does polling of Basic CAN receive objects according to
the configured polling mode.
©2010, Vector Informatik GmbH
Version: 3.01.01
84 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Particularities and Limitations
 CanRxBasicCANTask() must not run on higher priority than other CAN functions.
 CanRxBasicCANTask() is available if the Basic CAN receive polling mode is configured.

8.5.1.8
CanErrorTask
CanErrorTask
Prototype
Single Receive Channel
void CanErrorTask ( void )

Multiple Receive Channel
void CanErrorTask ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanErrorTask() does polling of error events in the CAN Controller. In case of a
BusOff, the callback function ApplCanBusOff() is called by this service function.
Particularities and Limitations
 CanErrorTask() is available if the error polling is enabled.

8.5.1.9
CanWakeUpTask
CanWakeUpTask
Prototype
Single Receive Channel
void CanWakeUpTask ( void )
Multiple Receive Channel
void CanWakeUpTask ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanWakeUpTask() does polling of the wake-up events in the CAN Controller
according to the enabled polling mode. In case of a wake-up event on the CAN bus, the callback
function ApplCanWakeUp() will be called by this service function.
Particularities and Limitations
 CanWakeUpTask() is available if the wakeup polling is enabled.
 A wake-up by the CAN bus is not supported by all CAN Controllers. Please refer to the CAN
controller specific documentation TechnicalReference_CAN_<hardware>.pdf [#hw_sleep].
©2010, Vector Informatik GmbH
Version: 3.01.01
85 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.1.10 CanOnline
CanOnline
Prototype
Single Receive Channel
void CanOnline ( void )
Multiple Receive Channel
void CanOnline ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanOnline() enables the CAN Driver's transmit path for all subsequent transmit
requests of CanTransmit(..). This is prerequisite to transmit any CAN message.
The current status of the transmit path can be queried by CanGetStatus().
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
If a Network Management is used, the service function CanOnline() may only be used by the
Network Management.
It is only allowed to call CanOnline() on Task level. No other CAN Driver service function is allowed
to be interrupted by CanOnline().

8.5.1.11 CanOffline
CanOffline
Prototype
Single Receive Channel
void CanOffline ( void )
Multiple Receive Channel
void CanOffline ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanOffline() disables the CAN Driver's transmit path for all subsequent
transmit requests of CanTransmit(..).
While the transmit path is blocked, transmit requests by CanTransmit(..) are rejected with an
error. This can be determined by evaluating the return code.
The current status of the transmit path can be queried by CanGetStatus().
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
©2010, Vector Informatik GmbH
Version: 3.01.01
86 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

If the CAN Driver is configured to use a transmit queue, all queue entries will be cleared, i.e. transmit
requests will be lost.
If a Network Management is used, the service functions CanOffline() may only be used by the
Network Management.

8.5.1.12  CanPartOnline
CanPartOnline
Prototype
Single Receive Channel
void CanPartOnline ( vuint8 sendGroup )
Multiple Receive Channel
void CanPartOnline ( CanChannelHandle channel, vuint8
sendGroup )
Parameter
sendGroup
Send group or groups to be switched to online.
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanPartOnline() enables the CAN Driver's transmit path for the selected send
groups.
The current status of the partial offline mode can be queried by CanGetPartMode().
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations

8.5.1.13  CanPartOffline
CanPartOffline
Prototype
Single Receive Channel
void CanPartOffline ( vuint8 sendGroup )
Multiple Receive Channel
void CanPartOffline ( CanChannelHandle channel, vuint8
sendGroup )
Parameter
sendGroup
Send group or groups to be switched to offline.
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
©2010, Vector Informatik GmbH
Version: 3.01.01
87 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

The service function CanPartOffline() disables the CAN Driver's transmit path for the selected
send groups.
While the transmit path is blocked for a selected group, transmit requests of a message assigned to
this group by CanTransmit(..) are rejected with kCanPartOffline. This can be determined by
evaluating the return code.
The current status of the partial offline mode can be queried by CanGetPartMode().
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
  A queued message will be still send after the function CanPartOffline() was called.

8.5.1.14  CanGetPartMode
CanGetPartMode
Prototype
Single Receive Channel
vuint8 CanGetPartMode ( void )
Multiple Receive Channel
vuint8 CanGetPartMode ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
vuint8
Send groups which are in partial offline mode.
  C_SEND_GRP_NONE (if the partial mode is inactive)
  C_SEND_GRP_ALL (if the partial mode is active for all groups.)
NOTE: predefined macros can be used to check for all or none
send groups.
For indexed CAN Driver, this functionality is related to the specified CAN
channel.
See also 5.2.6 Partial Offline Mode page 35
Functional Description
Reads the current partial offline status of the CAN Driver.
Particularities and Limitations

8.5.1.15  CanGetStatus
CanGetStatus
Prototype
Single Receive Channel
vuint8 CanGetStatus ( void )
Multiple Receive Channel
vuint8 CanGetStatus ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
©2010, Vector Informatik GmbH
Version: 3.01.01
88 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Return code
vuint8
Software status of the CAN Driver. The following information is coded in
the return code:
  CAN Driver is offline (CanOffline() was called)
If extended status is enabled, this function also returns the hardware
status of the CAN Controller. The following additional information are
coded in the return code:
  Warning level, Error-Active/-Passive state and Bus-Off of the CAN
Controller
  CAN Controller is in sleep mode (CanSleep() was called)
  CAN Controller is in stop mode (CanStop() was called)
There are special macros to get this information in the return code.
These macros are TRUE (not equal to 0) if the specific condition is valid
and FALSE (equal to 0) if not. The parameter of these macros is the
status, i.e. the return code of CanGetStatus():
  CanHwIsWarning(..), CanHwIsPassive(..),
CanHwIsBusOff(..),
  CanHwIsOk(..)
  CanHwIs Sleep(..), CanHwIsWakeup(..)
  CanHwIsStop(..), CanHwIsStart(..)
  CanIsOffline(..), CanIsOnline(..)
For indexed CAN Driver, this functionality is related to the specified CAN
channel.
Functional Description
Reads the current status of the CAN Driver and the CAN Controller.
Particularities and Limitations

8.5.1.16  CanSleep
CanSleep
Prototype
Single Receive Channel
vuint8 CanSleep (void )
Multiple Receive Channel
vuint8 CanSleep ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
Result of the sleep request:
kCanFailed
Sleep mode not entered
kCanOk
Sleep mode entered
kCanNotSupported
The function CanSleep is not supported by this driver
Functional Description
The service function CanSleep() puts the CAN Controller into sleep mode. This reduces the power
©2010, Vector Informatik GmbH
Version: 3.01.01
89 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

consumption of the CAN Controller and enables the wake up behavior if the CAN Controller supports
this functionality. For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
 This functionality is not supported for all CAN Controllers. In such case the function is provided by
the CAN Driver but without any effect on the CAN Controller. This is done to enable the Application
to realize an orthogonal software structure.
 If it is supported by the CAN Controller, on a wake-up by the CAN bus, the callback function
ApplCanWakeUp() is called.
 If a message is currently transmitted or received during the call of this service function, a direct
wake-up interrupt occurs or the CAN Driver remains in this function until the sleep mode is entered.
This behavior of the CAN Controller has to be considered in implementing the Application or the
Network Management. (This behavior is hardware dependent and described more detailed in the
CAN controller specific documentation TechnicalReference_CAN_<hardware>.pdf [#hw_sleep])
 If the sleep mode is not entered, no CAN wake-up interrupt occurs on the detection of any
message on the CAN bus. The callback function ApplCanWakeUp() will not be called and in
consequence the bus transceiver will not be initialized. This leads to CAN bus errors. Therefore it is
necessary to call a set of functions to realize a wake-up capable system. The order of the function
calls is very important. more…
 During the call of CanSleep() the CAN Driver has to be offline.
 CanSleep() must not be interrupted by CanInit(), CanReset...(), CanWakeUp() or any
CAN interrupt routine and vice versa.
 CanSleep(..) is not reentrant and therefore must not be called recursively.
 It isn’t allowed to call CanSleep() out of any callback function.
 CAN Interrupts should be disabled during the call of CanSleep(). To disable the Can Interrupts
the function CanCanInterruptDisable() should not be used. If this function is used no CAN
wake-up interrupt occurs on the detection of any message on the CAN bus. The callback function
ApplCanWakeUp() will not be called.
 In Sleep mode the service functions CanGetStatus(), CanWakeUp(), CanTransmit(),
CanTask() and all Can...Task() are allowed to be called.

8.5.1.17 CanWakeUp
CanWakeUp
Prototype
Single Receive Channel
vuint8 CanWakeUp ( void )
Multiple Receive Channel
vuint8 CanWakeUp ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
Result of the wakeup request
kCanFailed
wakeup was not successful
kCanOk
Sleep mode left
kCanNotSupported
The function CanWakeUp is not supported by this driver.
Functional Description
©2010, Vector Informatik GmbH
Version: 3.01.01
90 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

The service function CanWakeUp() enters the normal operating mode of the CAN Controller.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
  This functionality is not supported for all CAN Controllers. In such case the function is provided by
the CAN Driver but without any effect on the CAN Controller. This is done to enable the Application
to realize an orthogonal software structure.
  During the call of CanWakeUp() the CAN Driver has to be offline.
  No wake-up interrupt is generated by the call of CanWakeUp().
  CanWakeUp() must not be interrupted by CanInit(), CanReset...(), CanSleep() or any
CAN interrupt routine and vice versa.
  CanWakeUp(..) is not reentrant and therefore must not be called recursively.

8.5.1.18  CanStart
CanStart
Prototype
Single Receive Channel
vuint8 CanStart ( void )
Multiple Receive Channel
vuint8 CanStart ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
Result of the stop request
kCanFailed
Restart of the CAN controller was not successful.
kCanOk
Stop mode left
kCanNotSupported
The function CanStart() is not supported by this driver.
Functional Description
The service function CanStart() enters the normal operating mode of the CAN Controller.
CanStart() may not be called in sleep mode.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
  This functionality is not supported for all CAN Controllers. In such case the function is provided by
the CAN Driver but without any effect on the CAN Controller. This is done to enable the Application
to realize an orthogonal software structure.
  During the call of CanStart() the CAN Driver has to be offline.
  CanStart() must not be interrupted by CanInit(), CanReset...(), CanWakeUp() or any
CAN interrupt routine and vice versa.
  CanStart(..) is not reentrant and therefore must not be called recursively.

©2010, Vector Informatik GmbH
Version: 3.01.01
91 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.1.19  CanStop
CanStop
Prototype
Single Receive Channel
vuint8 CanStop ( void )
Multiple Receive Channel
vuint8 CanStop ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
Result of the stop request:
kCanFailed
Stop mode not entered
kCanOk
Stop mode entered
kCanNotSupported
The function CanStop is not supported by this driver.
Functional Description
The service function CanStop() puts the CAN Controller into stop or hold mode. This does not
reduces the power consumption of the CAN Controller. The stop mode can only be left by calling
CanStart(). CanStop() must not be called in sleep mode.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
  This functionality is not supported for all CAN Controllers. In such case the function is provided by
the CAN Driver but without any effect on the CAN Controller. This is done to enable the Application
to realize an orthogonal software structure.
  During the call of CanStop() the CAN Driver has to be offline.
  CanStop() must not be interrupted by CanInit(), CanReset...(), CanWakeUp() or any
CAN interrupt routine and vice versa.
  CanStop(..) is not reentrant and therefore must not be called recursively.

8.5.1.20  CanGlobalInterruptDisable
CanGlobalInterruptDisable
Prototype
Single Receive Channel
void CanGlobalInterruptDisable ( void )
Multiple Receive Channel
Parameter
-
-
Return code
-
-
Functional Description
The service function CanGlobalInterruptDisable() disables interrupts, either by changing the
global interrupt control flag of the microprocessor or the interrupt level of the interrupt controller. In the
later case, the interrupt level is configurable. All levels where the CAN API (CAN interrupt, Flags,
service functions) is used have to be disabled.
©2010, Vector Informatik GmbH
Version: 3.01.01
92 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Particularities and Limitations
  This function has been moved to VstdLib. For more information refer to Application note-ISC-2-
1050_VstdLibIntegration.pdf

8.5.1.21  CanGlobalInterruptRestore
CanGlobalInterruptRestore
Prototype
Single Receive Channel
void CanGlobalInterruptRestore ( void )
Multiple Receive Channel
Parameter
-
-
Return code
-
-
Functional Description
The service function CanGlobalInterruptRestore() restores the initial interrupt state which was
saved temporarily by CanGlobalInterruptDisable(). If CanGlobalInterruptDisable() is
called in a nested way, the initial interrupt state is not restored until
CanGlobalInterruptRestore() has been called as many times.
Particularities and Limitations
  This function has been moved to VstdLib. For more information refer to Application note AN-ISC-2-
1050_VstdLibIntegration.pdf

8.5.1.22  CanCanInterruptDisable
CanCanInterruptDisable
Prototype
Single Receive Channel
void CanCanInterruptDisable ( void )
Multiple Receive Channel
void CanCanInterruptDisable ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanCanInterruptDisable() disables all CAN interrupts of one CAN channel,
either by changing the CAN interrupt control flags of the interrupt controller or of the CAN controller. In
case of separately implemented wake-up interrupt routines they have to be disabled by the
application. Therefore the callback function ApplCanAddCanInterruptDisable() can be
activated.
Particularities and Limitations
©2010, Vector Informatik GmbH
Version: 3.01.01
93 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

 The CAN Drivers differ in the implementation of this service function. Please refer to the CAN
Controller specification documentation TechnicalReference_CAN_<hardware>.pdf [#hw_int] for
details.
 This service function is not allowed to be called during Sleep-Mode.

8.5.1.23 CanCanInterruptRestore
CanCanInterruptRestore
Prototype
Single Receive Channel
void CanCanInterruptRestore ( void )
Multiple Receive Channel
void CanCanInterruptRestore ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanCanInterruptRestore() restores the initial interrupt state which was
saved temporarily by CanCanInterruptDisable(). If CanCanInterruptDisable() is called in
a nested way, the initial interrupt state is not restored until CanCanInterruptRestore() has been
called as many times. In case of separately implemented wake-up interrupt routines they have to be
restored by the application. Therefore the callback function ApplCanAddCanInterruptRestore()
can be activated.
Particularities and Limitations
 The CAN Drivers differ in the implementation of this service function. Please refer to the CAN
Controller specification documentation TechnicalReference_CAN_<hardware>.pdf [#hw_int] for
details.
 This service function is not allowed to be called during Sleep-Mode.

8.5.1.24 CanSetPassive
CanSetPassive
Prototype
Single Receive Channel
void CanSetPassive ( void )
Multiple Receive Channel
void CanSetPassive ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanSetPassive(..) switches the CAN Driver to the passive state.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
©2010, Vector Informatik GmbH
Version: 3.01.01
94 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Particularities and Limitations
  If the CAN Driver is configured to use a transmit queue, all queue entries will be cleared, i.e.
transmit requests and subsequent confirmations will be lost.
  The passive state of the CAN Driver will have an effect only if it is enabled by the CAN Driver
configuration. Nevertheless this service function is available at any time

8.5.1.25  CanSetActive
CanSetActive
Prototype
Single Receive Channel
void CanSetActive ( void )
Multiple Receive Channel
void CanSetActive ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanSetActive() switches the CAN Driver back to the active state.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
  The passive state of the CAN Driver will have an effect only if it is enabled by the CAN Driver
configuration. Nevertheless this service function is available at any time.

8.5.1.26  CanResetBusOffStart
CanResetBusOffStart
Prototype
Single Receive Channel
void CanResetBusOffStart ( CanInitHandle initObject )
Multiple Receive Channel
void CanResetBusOffStart ( CanChannelHandle channel,
CanInitHandle initObject )
Parameter
initObject
Handle of an initialization structure. The generated macros should be
used:
kCanInitObjX (with X = 1 ... Number of generated initialization structures)
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
©2010, Vector Informatik GmbH
Version: 3.01.01
95 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

This service function starts error recovery of the CAN Controller directly after BusOff. Usually a re-
initialization of the CAN Controller is done. The correct handling of a BusOff depends on the used
CAN Controller. Please refer to the CAN Controller specification documentation
TechnicalReference_CAN_<hardware>.pdf [#hw_busoff] for details.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
 During the call of CanResetBusOffStart(..), the CAN Driver has to be in offline mode.
 CanResetBusOffStart(..) is not reentrant and therefore must not be called recursively.
 CanResetBusOffStart() must not be interrupted by CanInit(), CanResetBusOffEnd(),
CanResetBusSleep(), CanSleep(), CanWakeUp() or by any CAN interrupt service routine
and vice versa.
 This service function can be realized as a preprocessor macro.

8.5.1.27 CanResetBusOffEnd
CanResetBusOffEnd
Prototype
Single Receive Channel
void CanResetBusOffEnd ( CanInitHandle initObject )
Multiple Receive Channel
void CanResetBusOffEnd ( CanChannelHandle channel,
 CanInitHandle initObject )
Parameter
initObject
Handle of an initialization structure. The generated macros should be
used:
kCanInitObjX (with X = 1 ... Number of generated initialization structures)
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
Completes the error recovery after BusOff. For most of the CAN Drivers this service function has no
effect.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
 During the call of CanResetBusOffEnd(..), the CAN Driver has to be in offline mode.
 CanResetBusOffEnd(..) is not reentrant and therefore must not be called recursively.
 CanResetBusOffEnd() must not be interrupted by CanInit(), CanResetBusOffStart(),
CanResetBusSleep(), CanSleep(), CanWakeUp() or by any CAN interrupt service routine
and vice versa.
 This service function can be realized as a preprocessor macro.

8.5.1.28 CanResetBusSleep
CanResetBusSleep
Prototype
©2010, Vector Informatik GmbH
Version: 3.01.01
96 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Single Receive Channel
void CanResetBusSleep ( CanInitHandle initObject )
Multiple Receive Channel
void CanResetBusSleep ( CanChannelHandle channel,
  CanInitHandle initObject )
Parameter
initObject
Handle of an initialization structure. The generated macros should be
used:
kCanInitObjX  (with X = 1 ... Number of generated initialization structures)
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX  (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
This service function aborts pending transmit requests in the CAN Controller before the sleep mode of
the CAN Controller is entered. This can be done by different ways, depending on CAN Controller
specific features:
  Complete re-initialization of the CAN Controller (using the service function CanInit() )
  Cancel of the transmit requests
Please refer to the CAN Controller specific documentation for details.
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations
  During the call of CanResetBusSleep(..), the CAN Driver has to be in offline mode.
  CanResetBusSleep(..) is not reentrant and therefore must not be called recursively.
  CanResetBusSleep() must not be interrupted by CanInit(), CanResetBusOffStart(),
CanResetBusOffEnd(), CanSleep(), CanWakeUp() or by any CAN interrupt service routine
and vice versa.
  This service function can be realized as a preprocessor macro.

8.5.1.29  CanGetDynTxObj
CanGetDynTxObj
Prototype
Single Receive Channel
CanTransmitHandle CanGetDynTxObj ( CanTransmitHandle
Multiple Receive Channel
txObject )
Parameter
txObject
Handle of the dynamic transmit object.
Return code
CanTransmitHandle
Handle of the dynamic transmit object or kCanNoTxDynObjAvailable
if no dynamic transmit object is available or the specific dynamic object
is already used.
Functional Description
©2010, Vector Informatik GmbH
Version: 3.01.01
97 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Reserves a dynamic transmit object.
To use dynamic transmit objects an Application must reserve a dynamic transmit object from the CAN
Driver.
Before transmission, the Application must set all configured dynamic parameters of the dynamic
transmit object.
The Application can use a dynamic transmit object for one or many transmissions, but finally it must
release the dynamic transmit object by calling CanReleaseDynTxObj(..).
Particularities and Limitations
This service function is only available, if dynamic transmit objects are configured.
The generated handles should be used to reference the transmit objects. The names consist of the
message symbol, a prefix and a postfix. Fixed rules are used to build these names. For more
details please refer to the online help of the Generation Tool.

©2010, Vector Informatik GmbH
Version: 3.01.01
98 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.1.30  CanReleaseDynTxObj
CanReleaseDynTxObj
Prototype
Single Receive Channel
vuint8 CanReleaseDynTxObj ( CanTransmitHandle txObject )
Multiple Receive Channel
Parameter
txObject
Handle of the dynamic transmit object which was returned by
CanGetDynTxObj(..)
Return code
kCanDynReleased
Dynamic object is released
kCanDynNotReleased
Dynamic transmit object couldn’t be released because the object is still
in the transmit queue or in the transmit register of the CAN Controller.
CanReleaseDynTxObj(..) has to be called later again.
Functional Description
Release a dynamic transmit object, which was reserved before by calling CanGetDynTxObj(..).
The dynamic transmit object is referenced by txObject.
After a transmission of one or more messages is finished, the Application has to release the reserved
resource, because the number of dynamic transmit objects is limited and the Application should not
keep reserved dynamic transmit objects for a longer time.
Particularities and Limitations
  This service function is only available, if dynamic transmit objects are configured.
  The parameter txObject was reserved before by a call to CanGetDynTxObj(..).

8.5.1.31  CanDynTxObjSetId
CanDynTxObjSetId
Prototype
Single Receive Channel
void CanDynTxObjSetId ( CanTransmitHandle txObject, vuint16
Multiple Receive Channel
id )
Parameter
txObject
Handle of the dynamic transmit object which was returned by
CanGetDynTxObj(..).
id
CAN identifier in standard format
Return code
-
-
Functional Description
Sets the CAN identifier in standard format of a dynamic transmit object. The dynamic transmit object is
referenced by txObject.
Particularities and Limitations
  This service function is only available, if dynamic transmit objects are configured.
  The parameter txObject was reserved before by a call to CanGetDynTxObj(..).

©2010, Vector Informatik GmbH
Version: 3.01.01
99 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.1.32  CanDynTxObjSetExtId
CanDynObjSetExtId
Prototype
Single Receive Channel
void CanDynTxObjSetExtId ( CanTransmitHandle txObject,
Multiple Receive Channel
vuint16 idExtHi,
vuint16 idExtLo)
Parameter
txObject
Handle of the dynamic transmit object which was returned by
CanGetDynTxObj(..)
idExtHi
Upper 16 bit of the CAN identifier in extended format
idExtLo
Lower 16 bit of the CAN identifier in extended format
Return code
-
-
Functional Description
Sets the CAN identifier in extended format of a dynamic transmit object. The dynamic transmit object
is referenced by txObject
Particularities and Limitations
  This service function is only available, if dynamic transmit objects are configured.
  The parameter txObject was reserved before by a call to CanGetDynTxObj(..).

8.5.1.33  CanDynTxObjSetDlc
CanDynTxObjSetDlc
Prototype
Single Receive Channel
void CanDynTxObjSetDlc ( CanTransmitHandle txObject,
Multiple Receive Channel
  vuint8 dlc )
Parameter
txObject
Handle of the dynamic transmit object which was returned by
CanGetDynTxObj(..)
dlc
Data Length Code of the dynamic transmit object
Return code
-
-
Functional Description
Sets the Data Length Code of a dynamic transmit object. The dynamic transmit object is referenced by
txObject.
Particularities and Limitations
  This service function is only available, if dynamic transmit objects are configured.
  The parameter txObject was reserved before by a call to CanGetDynTxObj(..).

©2010, Vector Informatik GmbH
Version: 3.01.01
100 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.1.34  CanDynTxObjSetDataPtr
CanDynTxObjSetDataPtr
Prototype
Single Receive Channel
void CanDynTxObjSetDataPtr ( CanTransmitHandle txObject,
Multiple Receive Channel
  vuint8 *pData )
Parameter
txObject
Handle of the dynamic transmit object which was returned by
CanGetDynTxObj(..)
*pData
Data reference of the application specific data buffer referenced by the
dynamic transmit object
Return code
-
-
Functional Description
Sets the data pointer of a dynamic transmit object. The dynamic transmit object is referenced by
txObject.
Particularities and Limitations
  This service function is only available, if dynamic transmit objects are configured.
  The parameter txObject was reserved before by a call to CanGetDynTxObj(..).

8.5.1.35  CanCancelTransmit
CanCancelTransmit
Prototype
Single Receive Channel
void CanCancelTransmit ( CanTransmitHandle txObject )
Multiple Receive Channel
Parameter
txObject
Handle of the transmit object
Return code
-
-
Functional Description
The call of the confirmation function resp. setting of the confirmation flag associated with txObject are
suppressed, if this message is already in the transmit buffer of the CAN controller.
If the transmit queue is enabled, a pending transmit request in the queue is canceled.
Particularities and Limitations
The function call of CanCancelTransmit() must not interrupt the transmit ISR, CanTransmit() or
the CanTxTask().
Though a transmission is canceled it will be sent if the request has been already in the hardware
object. Only if activated and highly dependent on hardware and vehicle manufacturer the transmit
request can be deleted in the hardware transmit object, too.

8.5.1.36  CanCopyFromCan
CanCopyFromCan
©2010, Vector Informatik GmbH
Version: 3.01.01
101 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Prototype
Single Receive Channel
void CanCopyFromCan (void *dst, CanChipDataPtr src, vuint8
Multiple Receive Channel
len)
Parameter
dst
Pointer to the destination in default memory. This pointer is available in
the Precopy Function.
src
Pointer to the source CAN buffer or temporary buffer
len
number of bytes which have to be copied
Return code
-
-
Functional Description
This function copies data from the CAN data buffer to the RAM.
Particularities and Limitations
This function can only be used within precopy functions.

8.5.1.37  CanCopyToCan
CanCopyToCan
Prototype
Single Receive Channel
void CanCopyToCan ( CanChipDataPtr dst, void *src, vuint8
Multiple Receive Channel
len)
Parameter
dst
Pointer to the destination CAN buffer or temporary buffer. This pointer is
available in the Pretransmit Function.
src
Pointer to the source in default memory.
len
number of bytes which have to be copied
Return code
-
-
Functional Description
This function copies data from the RAM into the CAN data buffer.
Particularities and Limitations
This function can only be used within pretransmit functions.

8.5.1.38  CanTxGetActHandle
CanTxGetActHandle
Prototype
Single Receive Channel
CanTransmitHandle CanTxGetActHandle (CanObjectHandle
Multiple Receive Channel
logTxHwObject)
Parameter
©2010, Vector Informatik GmbH
Version: 3.01.01
102 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

logTxHwObject
Handle of the CAN hardware transmit object. For indexed drivers this is
a unique number over all CAN channels.
Return code
txObject
Handle of the transmit object which is currently in the hardware transmit
object. In case of enabled LowLevelMessageTransmit, this could also be
a handle of such a message
kCanBufferMsgTransmit: CanCancelMsgTransmit
kCanTxHandleNotUsed: Handle is not valid
Functional Description
This service functions returns the handle of the transmit message, which has been transmitted in a
certain CAN hardware transmit object. The return value can be used as a parameter for
CanCancelTransmit(). If the return value is kCanBufferMsgTransmit,
CanCancelMsgTransmit() has to be called in stead of CanCancelTransmit().
CanCancelTransmit() ignores invalid handle and kCanBufferMsgTransmit.
Particularities and Limitations
This function is only allowed to be called in or after ApplCanTxObjStart() and before
ApplCanTxObjConfirmed() of a certain CAN buffer.

8.5.1.39  CanResetMsgReceivedCondition
CanResetMsgReceivedCondition
Prototype
Single Receive Channel
void CanResetMsgReceivedCondition ( void )
Multiple Receive Channel
void CanResetMsgReceivedCondition ( CanChannelHandle
channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX   (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanResetMsgReceivedConditional() disables the calling of
ApplCanMsgCondReceived().
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations

8.5.1.40  CanSetMsgReceivedCondition
CanSetMsgReceivedCondition
Prototype
Single Receive Channel
void CanSetMsgReceivedCondition ( void )
Multiple Receive Channel
void CanSetMsgReceivedCondition ( CanChannelHandle channel
)
Parameter
©2010, Vector Informatik GmbH
Version: 3.01.01
103 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX   (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanSetMsgReceivedConditional() enables the calling of
ApplCanMsgCondReceived().
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations

8.5.1.41  CanGetMsgReceivedCondition
CanGetMsgReceivedCondition
Prototype
Single Receive Channel
void CanGetMsgReceivedCondition ( void )
Multiple Receive Channel
void CanGetMsgReceivedCondition ( CanChannelHandle channel
)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX   (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The service function CanGetMsgReceivedConditional()returns the status of the condition for
calling ApplCanMsgCondReceived().
For indexed CAN Driver, this functionality is related to the specified CAN channel.
Particularities and Limitations

©2010, Vector Informatik GmbH
Version: 3.01.01
104 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.2  User Specific Functions
The user specific functions listed in this section are called by the CAN Driver and provided
by the Application when certain events occur. The user can define user specific functions
specifically for each message. The names in this section are only placeholders. The name
could be set in the generation tool. The type of the particular user specific message must
agree with the function types listed here.
8.5.2.1
UserPrecopy
UserPrecopy
Prototype
Single Receive Channel
vuint8 UserPrecopy ( CanRxInfoStructPtr rxStruct )
Multiple Receive Channel
Parameter
rxStruct
Pointer to the receive structure
Return code
kCanCopyData
Received data will be copied using the CAN Driver 's internal copy
mechanism
kCanNoCopyData
CAN Driver doesn’t copy data and doesn’t perform indication
Functional Description
User specific function of the CAN Driver, which is called in the receive interrupt of a CAN message
before copying the data from the CAN Controller receive register to the application specific global data
buffer.
Depending on the function's return code, the CAN Driver will either terminate the processing of the
received message (kCanNoCopyData) or resume normal processing (kCanCopyData).
Particularities and Limitations
  For each CAN message a separate precopy function may be defined.

8.5.2.2
UserIndication
UserIndication
Prototype
Single Receive Channel
void UserIndication( CanReceiveHandle rxObject)
Multiple Receive Channel
Parameter
rxObject
Handle of the received message
Return code
-
-
Functional Description
User specific function which is called in the receive interrupt of a CAN message after data has been
copied and the CAN Controller receive register have been released.
Particularities and Limitations
  For each CAN message a separate indication function may be defined.
©2010, Vector Informatik GmbH
Version: 3.01.01
105 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.2.3
UserPreTransmit
UserPreTransmit
Prototype
Single Receive Channel
vuint8 UserPreTransmit( CanTxInfoStruct txStruct )
Multiple Receive Channel
Parameter
txStruct
Transmit structure
Return code
kCanCopyData
After the return of this user specific function, the CAN Driver copies the
data to be transmitted from the application specific global data buffer
associated to the corresponding message to the CAN Controller transmit
register
kCanNoCopyData
The CAN Driver does not copy data but starts the transmit request in the
CAN Controller immediately
Functional Description
User specific function which is called before the message is copied from the application specific data
buffer to the transmit register of the CAN Controller. This is done in the scope of the Tx interrupt or the
CanTxTask() via CanTransmit(..). The usage of the internal copy mechanism of the CAN Driver
is controlled by the return code.
A possible usage is the acquiring and copying of existing data which are spread in the Application.
Particularities and Limitations
For each CAN message a separate pretransmit function may be defined.

8.5.2.4
UserConfirmation
UserConfirmation
Prototype
Single Receive Channel
void UserConfirmation( CanTransmitHandle txObject )
Multiple Receive Channel
Parameter
txObject
Handle of the transmit object
Return code
-
-
Functional Description
User specific function which is called in the scope of the CAN transmit interrupt routine or the
CanTxTask() after the message has been sent on the CAN bus successfully
Particularities and Limitations
For each CAN message a separate confirmation function may be defined.

©2010, Vector Informatik GmbH
Version: 3.01.01
106 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.3  Callback Functions
Callback functions are called by the CAN Driver on certain events and have to be provided
by the Application. In contrast to the user specific functions in the section before the
callback functions are not message related but only event related. Their name can also be
reconfigured.
8.5.3.1  ApplCanBusOff
ApplCanBusOff
Prototype
Single Receive Channel
void ApplCanBusOff ( void )
Multiple Receive Channel
void ApplCanBusOff ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
This callback function is called if the CAN Controller enters BusOff state. The function is called in the
error interrupt, CanTask() or CanErrorTask().
Particularities and Limitations
If no Network Management is used which provides a BusOff error handling, the Application has to do
the subsequent error handling (usually the re-initialization of the CAN Controller) by the CAN Driver
service function CanResetBusOffStart() and CanResetBusOffEnd() itself.

8.5.3.2
ApplCanWakeUp
ApplCanWakeUp
Prototype
Single Receive Channel
void ApplCanWakeUp ( void )
Multiple Receive Channel
void ApplCanWakeUp ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX  (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
This callback function is called if a wake-up condition on the CAN bus is detected during sleep mode
of the CAN Controller. The function is called in the wakeup interrupt, in the CanTask() or in the
CanWakeupTask().
Particularities and Limitations
©2010, Vector Informatik GmbH
Version: 3.01.01
107 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

  If the CAN Controller was put into sleep mode by calling the service function CanSleep(), and
afterwards there is a dominant level at the receive input of the CAN Controller, CAN Controller
generates a wake-up interrupt. The CAN Driver calls the callback function ApplCanWakeUp() to
handle further wake-up call activities, e.g. starting the Network Management.
  The Application must assure that the CAN transmit path is restored to its normal operating state,
typically by the activation of the bus transceiver.
  This wake-up functionality is not supported by all CAN Controllers. If there is no power-down mode
of the CAN Controller or if the microprocessor cannot detect an external wake-up condition by the
CAN bus, this callback function will never be called.

8.5.3.3
ApplCanOverrun
ApplCanOverrun
Prototype
Single Receive Channel
void ApplCanOverrun ( void )
Multiple Receive Channel
void ApplCanOverrun ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX  (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
This callback function is called if an overrun in a Basic CAN receive object was detected. It indicates a
possible loss of receive data. The function is called in the error interrupt, in the receive interrupt, in the
CanTask(), in the CanRxTask(), or in the CanErrorTask().
Particularities and Limitations
The overrun is completely handled by the CAN Driver. This callback function only notifies the
Application about such a condition.

8.5.3.4
ApplCanFullCanOverrun
ApplCanFullCanOverrun
Prototype
Single Receive Channel
void ApplCanFullCanOverrun ( void )
Multiple Receive Channel
void ApplCanFullCanOverrun ( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX  (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
This callback function is called if an overrun of a Full CAN receive object was detected. It indicates a
possible loss of receive data. The function is called in the error interrupt, in the receive interrupt, in the
CanTask(), in the CanRxTask() or in the CanErrorTask().
©2010, Vector Informatik GmbH
Version: 3.01.01
108 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Particularities and Limitations
  The overrun is completely handled by the CAN Driver. This callback function only notifies the
Application about an overrun.

8.5.3.5
ApplCanMsgReceived
ApplCanMsgReceived
Prototype
Single Receive Channel
vuint8 ApplCanMsgReceived( CanRxInfoStructPtr rxStruct )
Multiple Receive Channel
Parameter
rxStruct
Pointer to receive information structure
Return code
kCanCopyData
Receive processing will be continued
kCanNoCopyData
Receive processing will be terminated
Functional Description
This callback function is called on every reception of a CAN message when the hardware acceptance
filter is passed. The function is called in the receive interrupt, in the CanTask() or in the
CanRxTask().
Particularities and Limitations
  The callback function may be used for gateway functionality or any other purpose.
  There are preprocessor macros available to read the CAN identifier, the Data Length Code and the
data in the CAN Controller receive register.

8.5.3.6
ApplCanRangePrecopy
ApplCanRangePrecopy
Prototype
Single Receive Channel
vuint8 ApplCanRangePrecopy( CanRxInfoStructPtr rxStruct)
Multiple Receive Channel
Parameter
rxStruct
Pointer to the receive structure
Return code
kCanCopyData
The CAN receive interrupt routine is continued with verifying a match to
the next range and ID search.
kCanNoCopyData
The CAN receive interrupt routine is terminated immediately after the
CAN Controller is serviced
Functional Description
©2010, Vector Informatik GmbH
Version: 3.01.01
109 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

This precopy function is not called on a specific message CAN identifier but on a complete CAN
identifier range. The function is called in the receive interrupt, in the CanTask(), in the
CanRxTask() or in CanHandleRxMsg(). The return code is not taken into account, if the range is
handled via the RX Queue. In this case, the handling of the received message will be terminated after
calling the range specific precopy function.
The name of this function is only a placeholder. The name could be set in the generation tool.
Up to four ranges with individual precopy functions can be specified per CAN channel.
Particularities and Limitations
  Ranges are normally used for Network Management or Transport Protocol services only
  In case a range configured to be handled via the Rx Queue, the return code of this function is
ignored.

8.5.3.7
ApplCanAddCanInterruptDisable
ApplCanAddCanInterruptDisable
Prototype
Single Receive Channel
void ApplCanAddCanInterruptDisable ( CanChannelHandle
Multiple Receive Channel
channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
In case of Single Receive Channel channel is always 0.
Return code
-
-
Functional Description
Disabling of additional CAN interrupts (like separately implemented Wake-Up interrupts and Polling
Tasks) can be added to the standard mechanism of the CAN by this callback function. The function is
called on interrupt and task level.
Particularities and Limitations
  ApplCanAddCanInterruptDisable() is only called if configured

8.5.3.8
ApplCanAddCanInterruptRestore
ApplCanAddCanInterruptRestore
Prototype
Single Receive Channel
void ApplCanAddCanInterruptRestore ( CanChannelHandle
Multiple Receive Channel
channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
In case of Single Receive Channel channel is always 0.
Return code
-
-
Functional Description
©2010, Vector Informatik GmbH
Version: 3.01.01
110 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Complementary callback function for ApplCanAddCanInterruptDisable().The function is called
on interrupt and task level.
Particularities and Limitations
 ApplCanAddCanInterruptRestore() is only called if configured.

8.5.3.9
ApplCanFatalError
ApplCanFatalError
Prototype
Single Receive Channel
void ApplCanFatalError ( vuint8 errorNumber )
Multiple Receive Channel
void ApplCanFatalError ( CanChannelHandle channel, vuint8
errorNumber )
Parameter
errorNumber
Error identification: There is a predefined list with supported assertion
checks for each CAN Driver. All the function parameters starting with
kError.... Please refer to chapter Assertions and the CAN Controller
Specific documentation TechnicalReference_CAN_<hardware>.pdf
[#hw_assert] for details.
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
If assertions are configured, the callback function ApplCanFatalError(..) is called in case of
invalid user conditions (Application interface, reentrance), inconsistent generated data, hardware
errors or internal errors (queue). An error number is passed by the parameter. The function is called on
interrupt and task level.
Particularities and Limitations
 This callback function does not have to return to the CAN Driver.

8.5.3.10 ApplCanMsgNotMatched
ApplCanMsgNotMatched
Prototype
Single Receive Channel
void ApplCanMsgNotMatched ( CanRxInfoStructPtr rxStruct )
Multiple Receive Channel
Parameter
rxStruct
Pointer to the receive structure
Return code
-
-
Functional Description
This callback function is called if a CAN message passes the hardware acceptance filter, but not the
software filter (inclusive the identifier specific predefined ranges). The function is called in the receive
interrupt, in the CanTask() or in the CanRxTask().
©2010, Vector Informatik GmbH
Version: 3.01.01
111 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Particularities and Limitations

8.5.3.11 ApplCanInit
ApplCanInit
Prototype
Single Receive Channel
void ApplCanInit( CanObjectHandle logTxHwObjectFirstUsed,
 CanObjectHandle logTxHwObjectFirstUnused)
Multiple Receive Channel
void ApplCanInit( CanChannelObject channel,
 CanObjectHandle logTxHwObjectFirstUsed,
 CanObjectHandle logTxHwObjectFirstUnused)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
logTxHwObjectFirstUsed
Handle of the first CAN hardware transmit object of the current channel.
logTxHwObjectFirstUnused Handle of the first unused CAN hardware transmit object of the current
channel.
example:
for ( i = logTxHwObjectFirstUsed; i <
logTxHwObjectFirstUnused; i++)
{
/* loop over all used hardware transmit buffer of
the current
channel */
}
Return code
-
-
Functional Description
This callback function is called in CanInit() for general purposes. In CanInit() transmit requests in
the CAN Controller are canceled. This means the corresponding confirmation notification will never
occur. User defined actions started in ApplCanTxObjStart() have to be stopped in
ApplCanInit().The function is called on interrupt and task level.
Particularities and Limitations
This callback is active only if ‘Tx observe’ functionality is activated.

©2010, Vector Informatik GmbH
Version: 3.01.01
112 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.3.12 ApplCanTxObjStart
ApplCanTxObjStart
Prototype
Single Receive Channel
void ApplCanTxObjStart( CanObjectHandle logTxHwObject)
Multiple Receive Channel
void ApplCanTxObjStart( CanChannelHandle channel,
CanObjectHandle logTxHwObject)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
logTxHwObject
Handle of the CAN buffer transmit object. For indexed drivers this is a
unique number over all CAN channels.
Return code
-
-
Functional Description
This callback function is called every time, a transmit request is initiated in the CAN Controller. This is
done in the service CanTransmit(..).The function is called in the transmit interrupt, in the
CanTask() or in the CanTxTask(), if the transmit queue is enabled.
Particularities and Limitations
This callback is active only if ‘Tx observe’ functionality is activated.

8.5.3.13 ApplCanTxObjConfirmed
ApplCanTxObjConfirmed
Prototype
Single Receive Channel
void ApplCanTxObjConfirmed( CanObjectHandle logTxHwObject)
Multiple Receive Channel
void ApplCanTxObjConfirmed (CanChannelHandle channel,
CanObjectHandle logTxHwObject)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
logTxHwObject
Handle of the CAN buffer transmit object. For indexed drivers this is a
unique number over all CAN channels.
Return code
-
-
Functional Description
This callback function is called every time, a successful transmission is confirmed by the CAN
Controller in the scope of a transmit interrupt, in the CanTask() or in the CanTxTask().
Particularities and Limitations
This callback is active only if ‘Tx observe’ functionality is activated.

©2010, Vector Informatik GmbH
Version: 3.01.01
113 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.3.14  ApplCanTimerStart
ApplCanTimerStart
Prototype
Single Receive Channel
void ApplCanTimerStart(vuint8 timerIdentification)
Multiple Receive Channel
void ApplCanTimerStart(CanChannelObject channel, vuint8
timerIdentification)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
timerIdentification
Identifier for the hardware dependent loop timer
Return code
-
-
Functional Description
This callback function is called before a CAN Controller dependent loop is started.
Particularities and Limitations

8.5.3.15  ApplCanTimerLoop
ApplCanTimerLoop
Prototype
Single Receive Channel
vuint8 ApplCanTimerLoop(vuint8 timerIdentification)
Multiple Receive Channel
vuint8 ApplCanTimerLoop(CanChannelObject channel, vuint8
timerIdentification)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
timerIdentification
Identifier for the hardware dependent loop timer
Return code
FALSE (equal to 0)
Exit loop, even if hardware is not correct
TRUE (not equal to 0)
Continue with waiting for hardware condition
Functional Description
This callback function is called once in every loop cycle, i.e. multiple times for a specific condition.
Particularities and Limitations

©2010, Vector Informatik GmbH
Version: 3.01.01
114 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.3.16  ApplCanTimerEnd
ApplCanTimerEnd
Prototype
Single Receive Channel
void ApplCanTimerEnd(vuint8 timerIdentification)
Multiple Receive Channel
void ApplCanTimerEnd(CanChannelObject channel, vuint8
timerIdentification)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
timerIdentification
Identifier for the hardware dependent loop timer
Return code
-
-
Functional Description
This callback function is called after a hardware dependent loop is finished, due to return value also of
ApplCanTimerLoop or hardware condition met.
Particularities and Limitations

8.5.3.17  ApplCanGenericPrecopy
ApplCanGenericPrecopy
Prototype
Single Receive Channel
vuint8 ApplCanGenericPrecopy(CanRxInfoStructPtr rxStruct)
Multiple Receive Channel
Parameter
rxStruct
Pointer to the receive structure
Return code
kCanCopyData
The UserPrecopy function will be called and the Received data will be
copied using the CAN Driver’s internal copy mechanism.
kCanNoCopyData
CAN Driver doesn’t copy data and doesn’t perform indication
Functional Description
This precopy function is common to all receive messages. It will be called immediately after the DLC-
check. The call of the UserPrecopy functions or copy of data are influenced by
ApplCanGenericPrecopy(). The function is called in the receive interrupt, in the CanTask() or in
the CanRxTask().
Particularities and Limitations

8.5.3.18  ApplCanPreWakeup
ApplCanPreWakeup
Prototype
©2010, Vector Informatik GmbH
Version: 3.01.01
115 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Single Receive Channel
void ApplCanPreWakeUp( void )
Multiple Receive Channel
void ApplCanPreWakeUp(CanChannelHandle channel)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
Is called just after the activation of the wakeup interrupt.
Particularities and Limitations

8.5.3.19 ApplCanTxConfirmation
ApplCanTxConfirmation
Prototype
Single Receive Channel
void ApplCanTxConfirmation( CanTxInfoStructPtr txStruct)
Multiple Receive Channel
Parameter
txStruct
Pointer to transmit structure

typedef struct
{
CanChannelHandle Channel;
CanTransmitHandle Handle;
} tCanTxConfInfoStruct;

typedef tCanTxConfInfoStruct
*CanTxInfoStructPtr;
Handle:
- 0 ... (kCanNumberOfTxMessages-1): the handle of the Tx message.
- kCanBufferMsgTransmit, in case the message was sent via
CanCancelMsgTransmit().
- ((CanTransmitHandle)0xFFFFFFFEU)
in case the message was cancel by CanCanTransmit() or
CanCancelMsgTransmit() but sent on the bus
Return code
-
-
Functional Description
This confirmation function is common to all transmit messages. It will be called after the successful
transmission. The function is called in the transmit interrupt, in the CanTask() or in the
CanTxTask().
Particularities and Limitations

©2010, Vector Informatik GmbH
Version: 3.01.01
116 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.3.20 ApplCanMsgDlcFailed
ApplCanMsgDlcFailed
Prototype
Single Receive Channel
void ApplCanMsgDlcFailed( CanRxInfoStructPtr rxStruct )
Multiple Receive Channel
Parameter
rxStruct
Pointer to the receive structure
Return code
-
-
Functional Description
This callback function is called, if the DLC check fails. To activate this callback function the switch
C_ENABLE_DLC_FAILED_FCT has to be set in a user configuration file. The function is called in the
receive interrupt, in the CanTask() or in the CanRxTask().
Particularities and Limitations
It depends on the OEM if ApplCanMsgDlcFailed() is available.

8.5.3.21 ApplCanCancelNotification
ApplCanCancelNotification
Prototype
Single Receive Channel
void ApplCanCancelNotification(CanTransmitHandle txHandle)
Multiple Receive Channel
Parameter
txHandle
Handle of cancelled transmit object
Return code
-
-
Functional Description
This function will be called if a transmit message is deleted (CanCancelTransmit, CanOffline or
CanInit). This function could be called in Interrupt or Task context.
Particularities and Limitations
ApplCanCancelNotification() is only called if configured.

©2010, Vector Informatik GmbH
Version: 3.01.01
117 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

8.5.3.22  ApplCanOnline
ApplCanOnline
Prototype
Single Receive Channel
void ApplCanOnline(CanChannelHandle channel)
Multiple Receive Channel
Parameter
channel
CAN Channel on which the CAN driver was switched to online mode.
Return code
-
-
Functional Description
This callback function indicates that the CAN driver is switched to online mode. This function is called
by the CAN Driver if the mode change is initiated via CanOnline().
Particularities and Limitations
Call context: This function is called within CanOnline(). This service function is only allowed to be
called on task level.

8.5.3.23  ApplCanOffline
ApplCanOffline
Prototype
Single Receive Channel
void ApplCanOffline(CanChannelHandle channel)
Multiple Receive Channel
Parameter
channel
CAN Channel on which the CAN driver was switched to offline mode.
Return code
-
-
Functional Description
This callback function indicates that the CAN driver is switched to offline mode. This function is called
by the CAN Driver if the mode change is initiated via CanOffline().
Particularities and Limitations
Call context: This function is called within CanOffline(). This service function is allowed to be
called on task level or on interrupt level.

8.5.3.24  ApplCanMsgCondReceived
ApplCanMsgCondReceived
Prototype
Single Receive Channel
void ApplCanMsgCondReceived (CanRxInfoStructPtr rxStruct)
Multiple Receive Channel
Parameter
rxStruct
Pointer to the receive information structure
©2010, Vector Informatik GmbH
Version: 3.01.01
118 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Return code
-
-
Functional Description
This callback function is conditionally called on every reception of a CAN message when the hardware
acceptance filter is passed.
There are preprocessor macros available to read the CAN identifier, the Data Length Code and the
data in the CAN Controller receive register.
Particularities and Limitations
Call context: The function is called in the receive interrupt, in the CanTask() or in the
CanRxTask().

8.5.3.25  ApplCanMemCheckFailed
ApplCanMemCheckFailed
Prototype
Single Receive Channel
vuint8 ApplCanMemCheckFailed ( void )
Multiple Receive Channel
vuint8 ApplCanMemCheckFailed ( CanChannelHandle channel )
Parameter
Channel
Handle of the CAN channel on which the check failed. The generated
macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
kCanEnableCommunication  Allow communication.
kCanDisableCommunication Disable communication, no reception and no transmission is performed.
Functional Description
This callback function is called if the CAN driver has found at least one corrupt memory bit within the
CAN mailboxes. The application can decide if the CAN driver allows further communication by means
of the return value.
Particularities and Limitations
Call context: This function is called on task level or within the busoff interrupt.

8.5.3.26  ApplCanCorruptMailbox
ApplCanCorruptMailbox
Prototype
Single Receive Channel
void ApplCanCorruptMailbox ( CanObjectHandle hwObjHandle )
Multiple Receive Channel
void ApplCanCorruptMailbox ( CanChannelHandle channel,
CanObjectHandle hwObjHandle )
Parameter
hwObjHandle
The index of the corrupt mailbox.
channel
Handle of the CAN channel on which the corrupt mailbox is located. The
generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
©2010, Vector Informatik GmbH
Version: 3.01.01
119 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Return code
-
-
Functional Description
This callback function is called if the CAN driver has found a corrupt mailbox.
Particularities and Limitations
Call context: This function is called on task level or within the busoff interrupt.

©2010, Vector Informatik GmbH
Version: 3.01.01
120 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

9 Description of the API (High End extension)
9.1 Functions
9.1.1 Service Functions
9.1.1.1 CanTxObjTask
CanTxObjTask
Prototype
Single Receive Channel
void CanTxObjTask ( CanObjectHandle txObjHandle )
Multiple Receive Channel
void CanTxObjTask ( CanChannelHandle canHwChannel,
CanObjectHandle txObjHandle )
Parameter
canHwChannel
Handle of a CAN Hardware channel. The generated macros should be
used:
Normal Tx Object:
C_TX_NORMAL_<channel>_HW_CHANNEL (with <channel> = 0 ... Number
of logical channel)
Full CAN Tx Object:
<message name>_HW_CHANNEL (with <message name> = Name of the
Message with pre and postfixes generated in “can_par.h”t)
Low Level Tx Object:
C_TX_LL_<channel>_HW_CHANNEL (with <channel> = 0 ... Number of logical
channel)
txObjHandle
Handle of a Tx mailbox. The generated macros should be used:
Normal Tx Object:
C_TX_NORMAL_<channel>_HW_OBJ (with <channel> = 0 ... Number of
logical channel)
Full CAN Tx Object:
<message name>_HW_OBJ (with <message name> = Name of the Message with
pre and postfixes generated in “can_par.h”)
Low Level Tx Object:
C_TX_LL_<channel>_HW_OBJ (with <channel> = 0 ... Number of logical
channel)
Return code
-
-
Functional Description
The service function CanTxObjTask() does polling of specified transmit hardware objects in the
CAN controller. Confirmation functions will be called and confirmation flags will be set. If the transmit
queue is configured, this service function additionally transmits the queued messages.
Particularities and Limitations
 CanTxObjTask() is available, if the individual polling mode and at least one mailbox is configured
for polling.

©2010, Vector Informatik GmbH
Version: 3.01.01
121 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

9.1.1.2 CanRxFullCANObjTask
CanRxFullCANObjTask
Prototype
Single Receive Channel
void CanRxFullCANObjTask (CanObjectHandle rxObjHandle )
Multiple Receive Channel
void CanRxFullCANObjTask ( CanChannelHandle canHwChannel,
CanObjectHandle rxObjHandle )
Parameter
canHwChannel
Handle of a CAN Hardware channel. The generated macros should be
used:
<message name>_HW_ CHANNEL (with <message name> = Name of the
Message with pre and postfixes generated in “can_par.h”)
rxObjHandle
Handle of an Rx mailbox. The generated macros should be used:
<message name>_HW_OBJ (with <message name> = Name of the Message
with pre and postfixes generated in “can_par.h”t)
Return code
-
-
Functional Description
The service function CanRxFullCANObjTask() does polling of specified Full CAN receive objects
according to the configured objects in polling mode.
Particularities and Limitations
 CanRxFullCANObjTask() must not run on higher priority than other CAN functions.
 CanRxFullCANObjTask() is available, if the individual polling mode and at least one mailbox is
configured for polling.

9.1.1.3
CanRxBasicCANObjTask
CanRxBasicCANObjTask
Prototype
Single Receive Channel
void CanRxBasicCANObjTask ( void )
Multiple Receive Channel
void CanRxBasicCANObjTask (CanChannelHandle canHwChannel,
CanObjectHandle rxObjHandle )
Parameter
canHwChannel
Handle of a CAN Hardware channel. The generated macros should be
used:
C_BASIC<number_of_the_BasicCAN>_<channel>HW_CHANNEL
(with <number_of_the_BasicCAN>= the logical number of the Basic CAN on this
channel
<channel> = 0 ... Number of logical channel)
txObjHandle
Handle of a Rx mailbox. The generated macros should be used:
C_BASIC<number_of_the_BasicCAN>_<channel>_HW_OBJ
(with
<number_of_the_BasicCAN>= the logical number of the Basic CAN on this channel
<channel> = 0 ... Number of logical channel)
Return code
-
-
Functional Description
©2010, Vector Informatik GmbH
Version: 3.01.01
122 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

The service function CanRxBasicCANObjTask() does polling of specified Basic CAN receive
objects according to the configured objects in polling mode.
Particularities and Limitations
  CanRxBasicCANObjTask() must not run on higher priority than other CAN functions.
  CanRxBasicCANObjTask() is available, if the individual polling mode and at least one mailbox is
configured for polling.

9.1.1.4
CanMsgTransmit
CanMsgTransmit
Prototype
Single Receive Channel
vuint8 CanMsgTransmit ( tCanMsgTransmitStruct *txData )
Multiple Receive Channel
vuint8 CanMsgTransmit ( CanChannelHandle channel,
tCanMsgObject *txData )
Parameter
*txData
Pointer to the structure with ID, DLC and data to send
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
kCanTxOk
if the message-buffer is free and the data could be copied to the CAN-
data-buffer or if passive mode (CanSetPassive()) is active.
kCanTxFailed
if offline mode is active, the CAN buffer is not free.
Functional Description
This function is called by the application. The function sends the message which is defined in the
txData (Id, DLC, Data) to the CAN-Bus which is defined in the channel.
Particularities and Limitations
  the contents of txData may not be changed while CanMsgTransmit() is running

9.1.1.5
CanCancelMsgTransmit
CanCancelMsgTransmit
Prototype
Single Receive Channel
void CanCancelMsgTransmit( void )
Multiple Receive Channel
void CanCancelMsgTransmit( CanChannelHandle channel )
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX  (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
The call of ApplCanMsgTransmitConf() is suppressed, if a message is already in the transmit
buffer of the CAN controller associated with CanMsgTransmit(). Dependent on the configuration
this function cancels a message in the CAN hardware.
©2010, Vector Informatik GmbH
Version: 3.01.01
123 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Particularities and Limitations
The function call of CanCancelTransmit() must not interrupt the transmit ISR,
CanMsgTransmit() or the CanTxTask().
Though a transmission is canceled it will be sent if the request has been already in the hardware
object. Only if activated and highly dependent on hardware and vehicle manufacturer the transmit
request which is initiated with CanMsgTransmit() can be deleted in the hardware transmit object,
too. The function CanCancelMsgTranmit() is only available if the confirmation
ApplCanMsgTransmitConf() is configured.

9.1.1.6
CanHandleRxMsg
CanHandleRxMsg
Prototype
Single Receive Channel
void CanHandleRxMsg ( void )
Multiple Receive Channel
Parameter
-
-
Return code
-
-
Functional Description
The service function CanHandleRxMsg() handles the received messages which are stored in the Rx
Queue. The standard mechanism (GenericPrecopy, UserPrecopy, copy of data, Indication Flag and
UserIndication) is started for each stored message.
Particularities and Limitations
This function is only allowed to be called on task level.

9.1.1.7
CanDeleteRxQueue
CanDeleteRxQueue
Prototype
Single Receive Channel
void CanDeleteRxQueue ( void )
Multiple Receive Channel
Parameter
-
-
Return code
-
-
Functional Description
The service function CanDeleteRxQueue() clears all pending messages in the Rx Queue.
Particularities and Limitations
This function is only allowed to be called on task level.

©2010, Vector Informatik GmbH
Version: 3.01.01
124 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

9.1.2 Callback Functions
9.1.2.1
ApplCanMsgTransmitConf
ApplCanMsgTransmitConf
Prototype
Single Receive Channel
void ApplCanMsgTransmitConf( void )
Multiple Receive Channel
void ApplCanMsgTransmitConf(CanChannelHandle channel)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
This function will be called from the CAN Driver after sending the message. It is called directly in the
transmit Interrupt (Confirmation) from the CAN-Controller. On task level it is called in the CanTask()
or in the CanTxTask(). With this callback function it is possible to implement a queue-functionality.
Particularities and Limitations
ApplCanMsgTransmitConf() is only called if configured.

9.1.2.2
ApplCanMsgTransmitInit
ApplCanMsgTransmitInit
Prototype
Single Receive Channel
void ApplCanMsgTransmitInit( void )
Multiple Receive Channel
void ApplCanMsgTransmitInit(CanChannelHandle channel)
Parameter
channel
Handle of a CAN channel. The generated macros should be used:
kCanIndexX (with X = 0 ... Number of generated channel index)
Return code
-
-
Functional Description
This function will be called from the CAN Driver after a possible cancel of a transmit request in
CanInit().
Particularities and Limitations
ApplCanMsgTransmitInit() is only called if ApplCanMsgTransmitConf() is configured.

9.1.2.3
ApplCanMsgCancelNotification
ApplCanMsgCancelNotification
Prototype
Single Receive Channel
void ApplCanMsgCancelNotification( void )
©2010, Vector Informatik GmbH
Version: 3.01.01
125 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Multiple Receive Channel
void ApplCanMsgCancelNotification( CanChannelHandle channel
)
Parameter
Channel
CAN Channel on which the Tx Object was cancelled.
Return code
-
-
Functional Description
This function will be called if a transmit message is deleted (CanCancelMsgTransmit). It applies only
to Tx messages that have been transmitted via CanMsgTransmit. This function could be called in
Interrupt or Task context.
Particularities and Limitations
ApplCanMsgCancelNotification() is only called if configured.

9.1.2.4
ApplCanPreRxQueue
ApplCanPreRxQueue
Prototype
Single Receive Channel
vuint8 ApplCanPreRxQueue( CanRxInfoStructPtr rxStruct )
Multiple Receive Channel
Parameter
rxStruct
Pointer to receive information structure
Return code
kCanCopyData
The data of the received message will be stored in the Rx Queue.
kCanNoCopyData
The data of the received message are not stored in the Rx Queue. The
reception is handled within the receive interrupt.
Functional Description
This precopy function is called if a message is received which is a valid message in the receive
structures or has to be handled via a range (in case the use of the Rx Queue is configured for this
range ). The application can decide whether to handle the message via the Rx Queue or the standard
CAN Driver mechanism within the receive interrupt.
Particularities and Limitations
Call context: This function is called within the receive interrupt.

9.1.2.5
ApplCanRxQueueOverrun
ApplCanRxQueueOverrun
Prototype
Single Receive Channel
void ApplCanRxQueueOverrun( void )
Multiple Receive Channel
Parameter
-
-
Return code
-
-
©2010, Vector Informatik GmbH
Version: 3.01.01
126 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Functional Description
This callback function indicates an overrun of the Rx Queue. This function is called by the CAN Driver,
in case a new message has to be stored in the Rx Queue, but the Queue if full. This new message will
be lost.
Particularities and Limitations
Call context: This function is called within the receive interrupt.

©2010, Vector Informatik GmbH
Version: 3.01.01
127 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

10 Configuration (Standard and High End)
This chapter describes the common options for configuring (customizing) the CAN Driver.
CAN Controller dependent configuration is described in the CAN Controller specific
documentation TechnicalReference_CAN_<hardware>.pdf [#hw_conf]. The configuration
can be done by the Generation Tool automatically.
10.1 Network Database – Attribute Definition
Caution
Attribute names in CANgen are case sensitive and not evaluated, if the name case is
 incorrect.

Name
GenMsgMinAcceptLength
Description
The DLC check can be configured to verify the received DLC against the value
given by this attribute (Against minimum acceptance length). The value can be
smaller than the Application receive buffer of this message.
Value “-1” means the DLC of the received message will be compared to the
length of the Application receive buffer of this message.
Type Of Object
Message
Value Type
Integer
Default
-1
Minimum
-1
Maximum
8

10.2 Automatic Configuration by GENy
Using the Generation Tool GENy the configuration can be done by the tool. The
configuration options common to all CAN Drivers is described here. The CAN Controller
dependent options are described in the CAN Controller specific user manual. The following
dialog describes the CAN Driver common options. The configuration data is stored by the
tool in the file can_cfg.h for GENy.

©2010, Vector Informatik GmbH
Version: 3.01.01
128 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 10-1 Configuration of the common CAN Driver options with GENy

Feature
Explanation
Common Driver Parameters
Online/Offline Callback
If CanOnline() or CanOffline() is called the Application is notified that
Functions
a certain CAN driver state was entered.
DLC check
The DLC check can be configured to “disabled”, comparison of received
DLC “against data length” or “against minimum acceptance length”.
“against data length” means the number of bytes necessary for the ECU
and is equal to the length of the application data buffer.
The minimum acceptance length can be configured message specific via
database or on the Rx message view.
If DLC check is used, received Data messages with smaller DLC than
expected for this ID are ignored.
Data Copy Mechanism
The Data Copy Mechanism can be configured to “copy number of
needed bytes” or “copy all received bytes”.
“copy number of needed bytes” means the CAN driver copies always the
number of bytes which is equal to the length of the application data
buffer.
“copy all received bytes” means if the number of received bytes is less
than the size of the application data buffer only the received bytes are
copied. Otherwise the number of bytes which is equal to the length of the
application data buffer will be copied.
RAM check
The CAN driver supports a RAM check of the CAN controller mailboxes.
Sleep / Wakeup
If this field is checked, the CAN controller can be switched to sleep
mode.
©2010, Vector Informatik GmbH
Version: 3.01.01
129 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation
Cancel in Hardware
CanCancelTransmit() and CanCancelMsgTransmit() will delete a
pending request in the CAN controller hardware.
FullCAN Overrun
If checked an overrun in the receive FullCAN objects will be signaled to
Notification
the Application.
Receive Function
The receive function ApplCanMsgReceived() is called by the CAN
Driver on every reception of a CAN message after the hardware
acceptance filter is passed. Within this callback function the Application
may preprocess the received message in any way (ECU specific
dynamic filtering mechanisms, preprocessing of the messages, gateway
functionality...).
If the callback function ApplCanMsgReceived() returns kCanCopyData,
the CAN Driver continues to work on the message received.
If the callback function returns kCanNoCopyData, the CAN finishes
working on the message received.
The callback function has to be defined by the application.
Active / Passive State
If this field is checked, the CAN Driver's transmit path can be switched to
the "Passive" state. In this state no CAN messages are sent to the CAN
bus. The transmit request always returns with ”OK”.
This ”passive” state functionality may be used to localize errors in a CAN
bus: If there are errors in a CAN bus, and the errors disappear when a
particular node is switched to passive state, the scapegoat is found. The
Application must be switched to the passive state and back to active
state by an external tester.
If active/passive state is enabled, the CAN Driver is in active state after
initialization.
If this field is not selected, the corresponding service functions are
available but without any effect on the CAN Driver status.
Extended Status
This is the global checkbox for using hardware status information in the
CAN Driver service CanGetStatus() or not.
Transmit Queue
If this field is checked the CAN Driver is configured to use a transmit
queue.
If no transmit queue is used, the Application is responsible to restart a
transmit request if it wasn’t accepted by the CAN Driver. In the case of
using a transmit queue, a transmit request is almost accepted. But the
queue does only store the transmit request of a message. It doesn’t
store the data to be sent in any case. The CAN Driver inserts a transmit
request to the queue, if no hardware object is available when
CanTransmit() is called. On a transmit interrupt, this means a former
requested message is transmitted, the CAN Driver checks whether
transmit requests are stored in the queue. If so, these requests are
removed from the queue and the transmit request is executed. The
search algorithm in the queue is priority based, there is no FIFO
strategy. This means the identifier with the lowest number is removed
first from the queue.
Tx observation
This is the global switch for using the Tx observe functionality of the
CAN Driver or not.
©2010, Vector Informatik GmbH
Version: 3.01.01
130 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation
Message-Not-Matched
This is the global switch for using the MsgNotMatched function of the
Function
CAN Driver or not.
Overrun Notification
If this field is checked the CAN Driver is configured to notify the
Application in case of an overrun.
The Application has to provide an Overrun callback function:
void ApplCanOverrun(void)  /* Overrun in the CAN Controller */
The overrun handling itself is done by the CAN Driver.
Hardware Loop Check
This is the global switch for using the hardware loop check of the CAN
Driver or not.
Partial Offline Mode
If the checkbox “Use PartOffline Functionality” is checked, the partial
offline mode is available.
Generic Pre-copy
This checkbox enables the use of the generic precopy function –
ApplCanGenericPrecopy(). This precopy function is common to all
receive messages. it will be called as soon as the receive handle is
determined.
CAN Copy from & to CAN  This checkbox enables the use of copy functions CopyFromCan() and
CopyToCan().
CAN cancel Notification
The application will be notified via ApplCanCancelNotification() if a
message is canceled and therefore confirmation will occur. This is valid
for messages which have been requested via CanTransmit().
CAN Interrupt Control
There are two call back functions for the application. Within
Callbacks
CanCanInterruptDisable() the function
ApplCanAddCanInterruptDisable() is called and within
CanCanInterruptRestore() the function
ApplCanAddCanInterruptRestore() is called.
These two functions have to be used to handle the wake-up interrupt if
the hardware treats this interrupt separately or if the Driver runs in
Polling Mode the polling tasks have to be disabled.
Common Confirmation
If this field is checked the common confirmation function of the CAN
Function
Driver is enabled.
Offline Modes
Name of Mode X
with X = 0..7.
If the partial Offline Mode is enabled the name of each send group can
be configured here. more...
Default Mapping
Message Class 0
All messages with don’t belong to an other class are assigned to this
class.
OfflineModeX
with X = 0..7.
The message class 0 can be assigned to certain Offline Modes (send
goups) by selecting the check box.
Message Class 1 (Appl)
All application messages are assigned to this message class.
OfflineModeX
with X = 0..7.
The message class 1 can be assigned to certain Offline Modes (send
goups) by selecting the check box.
©2010, Vector Informatik GmbH
Version: 3.01.01
131 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation
Message Class 2 (NM)
All network mangement messages are assigned to this message class.
OfflineModeX
with X = 0..7.
The message class 2 can be assigned to certain Offline Modes (send
goups) by selecting the check box.
Message Class 3 (TP)
All transport layer messages are assigned to this message class.
OfflineModeX
with X = 0..7.
The message class 3 can be assigned to certain Offline Modes (send
goups) by selecting the check box.
Message Class 4 (Diag)
All diagnostic messages are assigned to this message class.
OfflineModeX
with X = 0..7.
The message class 4 can be assigned to certain Offline Modes (send
goups) by selecting the check box.
Message Class 5 (IL)
All interaction layer messages are assigned to this message class.
OfflineModeX
with X = 0..7.
The message class 5 can be assigned to certain Offline Modes (send
goups) by selecting the check box.
OSEK OS
Use OsekOS Interrupt Cat In case of using OSEK-OS the interrupt category of the CAN Driver
2
interrupts have to be defined. Normally category 1 is used. Instead of
this category 2 can be selected.
OSEK OS
If this field is checked the CAN Driver is configured to support OSEK-
OS. The kind of OSEK-OS depends on the specific microprocessor.
Polling
Polling type
The polling type can be switched between “None”, “Type specific” and
“individual”.
Individual: If enabled, each BasicCAN, Normal Tx, Low level Tx and
FullCAN can be selected to be polled individual
Rx Basic CAN Polling
Normally the CAN driver works interrupt driven. To use the reception via
Basic CAN objects in polling mode, check this field. This field is available
in “Type specific polling mode”.
Rx Full CAN Polling
Normally the CAN driver works interrupt driven. To use the reception via
Full CAN objects in polling mode, check this field. This field is available
in “Type specific polling mode”.
Tx Polling
Normally the CAN driver works interrupt driven. To use the transmission
in polling mode, check this field. This field is available in “Type specific
polling mode”.
Wakeup Polling
Normally the CAN driver works interrupt driven. To use the wake up
detection in polling mode, check this field.
CAN Status Polling
Normally the CAN driver works interrupt driven. To use the Status and
Error detection in polling mode, check this field.
Low Level Transmission
©2010, Vector Informatik GmbH
Version: 3.01.01
132 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation
Cancel Notification
The application will be notified if a message is canceled and therefore
Function
confirmation will occur. This is valid if the transmission has been
requested via CanMsgTransmit().
Enable Low Level
If the checkbox “Use Low Level Message Transmit” is checked, the
Transmission
function CanMsgTransmit() can be used.
Confirmation Function
This checkbox is only available, if “use Low Level Message Transmit” is
active. The confirmation and init callback functions of low level transmit
functionality can be activated by this checkbox.
API
Symbolic Names for
If the database allows the assignment of value tables to individual
Signal Values
signals, this feature is selectable. If this functionality is enabled, symbolic
names for values are generated for all signals that have an associated
value table
Indexed Component
This switch determines whether the component should configure the
indexed or non-indexed version of the driver component.
General Settings
Security level
This is the define value to configure the security level. Valid values are 0,
10, 20 or 30. more...
User Config File
The CAN Driver configuration file (can_cfg.h) is generated. If the user
wants to overwrite this automatically generated configuration file, the
user is able to define the name of a user defined configuration file which
is included at the end of the generated file can_cfg.h. This means entries
in the user defined configuration file overwrite the entries in can_cfg.h.
Debug Suport
Assertions
There are different groups of assertions supported by the CAN Driver.
They can be selected depending of the development phase:
None: No debug functionality active.
User: User API is debugged. The CAN Driver service function
parameters are checked.
Hardware: The CAN Controller interface is checked. Depends on CAN
Controller.
Gen: The configuration data are checked.
Internal: CAN Driver internal checking.
Dynamic Tx Objects
ID
If the checkbox “ID” is checked, the IDs of the dynamic transmit objects
can be changed by the service function CanDynTxObjSetId() and/or by
the service function CanDynTxObjSetExtId(). The last mentioned
service function is only available if extended ID addressing is checked in
the Generation Tool.
DLC
If the checkbox “DLC” is checked, the DLC of the dynamic transmit
objects can be changed by the service function CanDynTxObjSetDlc.
Data Pointer
If the checkbox “Data Pointer” is checked, the data pointers of the
dynamic transmit objects can be changed by the service function
CanDynTxObjSetDataPtr().
©2010, Vector Informatik GmbH
Version: 3.01.01
133 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation
Confirmation
If the checkbox “Confirmation” is checked, the confirmation function of
the dynamic transmit objects can be changed by the service function
CanDynTxObjSetConfirmationFct(). The occurrence of this switch is
CAN Controller dependent.
Pre-transmit
If the checkbox “Pre-transmit” is checked, the pretransmit function of the
dynamic transmit objects can be changed by the service function
CanDynTxObjSetPreTransmitFct().The occurrence of this switch is
CAN Controller dependent.
ID Search Algorithm
Search Algorithm
For a Basic CAN Controller or the Basic CAN object of a Full CAN
Controller the hardware acceptance filtering provided by the CAN
Controller is not sufficient. Therefore a software acceptance filtering has
to be supported by comparing the incoming message identifier with the
complete list of all relevant message identifier. Here could the way how
to search in the table of the receive messages be defined. The optimum
algorithm depends on the number of the received messages to search in
and their identifier structure. The supported search algorithms are
dependent of the CAN Driver and the hardware. Refer to the CAN
controller specific documenation
TechnicalReference_CAN_<hardware>.pdf [#hw_feature] for more
information.
 linear
 hash search
 index search
 table search
Additional Memory [Byes] This shows the byte consumption when hash search is selected. It is
just for information.
Maximum Search Steps
This is only activated when hash search is selected. Enter here the
amount of maximum search steps that are necessary to find the received
message ID in the list of to be received messages. The little this value
the greater the additional memory bytes and the faster the receive ISR.
Rx Queue
Overrun Notification
The Application is informed, if the Rx Queue is full and a new message
should be copied into the Queue. The new message will be lost.
Enable Rx Queue
If the checkbox “Enable Rx Queue” is checked, the RX Queue is
enabled. Else the Rx Queue is disabled.
Pre Rx Queue Function
If the checkbox “Pre Rx Queue Function” is checked, a Callback function
is enabled where the application could decide what should happen with
the CAN Message which was received. The two possibilities are to store
the message in the queue, or to process the message in the interrupt.
Number of queued Rx
Specifies the depth of the queue ("Number of queued Rx messages").
Messages

©2010, Vector Informatik GmbH
Version: 3.01.01
134 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 10-2 Channel Specific Configuration for GENy

Features
Explanation
Configuration Options
General Settings
Bus System Type
Each channel is configured for a specific type of bus
system. The bus system is always CAN for CAN Driver.
Manufacturer
Manufacturer with is specified in the database file for this
channel.
Common Driver Parameters
Multiple Basic CAN
Enable Multiple Basic
If checked, the number of Basic CAN objects can be
CAN
selected. The deselecting of this checkbox resets the
number of Basic CAN objects to the default.
Number Of BasicCAN
Enter number of needed Basic CAN objects. Each Basic
Objects
CAN object may consist of 2 hardware mailboxes. This
depends on the CAN controller.
Ranges / Range Precopy Functions
Range
Ranges are normally used for Network Management,
Transport Protocol and so on. There are in maximum 4
ranges configurable.
Mask
Acceptance mask of this identifier range.
Code
Acceptance code of this identifier range.
Precopy function
Specific precopy function for this range.
Extended IDs
The range can be specified to receive extended IDs. If not
selected, this range will receive standard IDs.
©2010, Vector Informatik GmbH
Version: 3.01.01
135 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Use Own Filter
If there are enough Basic CAN filters available, one Basic
CAN filter can be used exclusive for this range.
Use Rx Queue
All messages which are received by this range can be
configured to be handled via the Rx Queue. This is only
possible, if the feature Rx Queue is activated.
Dynamic Tx objects
Number of dynamic Tx
Maximum number of dynamic send objects which are
objects
available at run time.

Figure 10-3 Configuration of individual polling with GENy

Features
Explanation
Configuration Options
Enable Polling
If checked, the associated mailbox will be handled in
polling mode. This is only selectable, if the polling mode is
configured to individual polling.

©2010, Vector Informatik GmbH
Version: 3.01.01
136 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 10-4 Configuration of a Tx message with GENy
Features
Explanation
Configuration Options
Message / Frame Properties
Generate
If unchecked, the generation of this message will be
suppressed.
Common Driver Parameters
Signal Access Macros
Signal access macros can be used by the application for
an easy access to signals specified within a message.
Offline Modes
<Part offline group>/<Mode X name>
Usage
Standard: configuration via default mapping
User Defined: the user can set or reset the “Real Value”
Real Value
It set, the message belongs to this group and the
transmission of this message will be disabled if this group
is switched offline.
Flags
Confirmation Flag
After successful transmission of a message the driver sets
the confirmation flag of the message.
Functions
Confirmation Function
After successful transmission of a message the driver call
the user defined confirmation function of the message. The
name of this function has to be specified in this field.
Pretransmit Function
The used defined pretransmit function can be called before
the transmission of a message is started. The name of this
function has to be specified in this field.
©2010, Vector Informatik GmbH
Version: 3.01.01
137 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Full CAN Tx
Tx FullCAN
A Tx message can be assigned to a Full CAN objects.

Figure 10-5 Configuration of an Rx message with GENy
Features
Explanation
Configuration Options
Message / Frame Properties
Generate
If unchecked, the generation of this message will be
suppressed.
Common Driver Parameters
Minimum Data Length

Signal Access Macros
Signal access macros can be used by the application for
an easy access to signals specified within a message.
Flags
Indication Flag
After successful reception of a message the driver sets the
indication flag of the message
Functions
Indication Function
The name of the used defined indication function can be
specified in this field.
Precopy Function
The name of the used defined precopy function can be
specified in this field.
Full CAN
Full CAN
An Rx message can be assigned to a Full CAN objects.
Lock Full CAN
If set, the assignment of a Rx message to a Full CAN
©2010, Vector Informatik GmbH
Version: 3.01.01
138 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

object cannot be changes by the filter optimization.
Hardware Channel
In case a receive message is configured to be ‘FullCAN’
and Common CAN is activated then the user can configure
this message to be received on the first (Channel A) or the
second (Channel B) CAN controller on this channel.

10.3 Automatic Configuration by CANgen
Using the Generation Tool CANgen the configuration can be done by the tool. The
configuration options common to all CAN Drivers is described here. The CAN Controller
dependent options are described in the CAN Controller specific user manual. The following
dialog describes the CAN Driver common options. The configuration data is stored by the
tool in the file can_cfg.h for CANgen.

Figure 10-6 CAN Driver configuration tab

©2010, Vector Informatik GmbH
Version: 3.01.01
139 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation

Path of the CAN config file The CAN Driver configuration file (can_cfg.h) is generated. If the user
wants to overwrite this automatically generated configuration file, the
user is able to define the name of a user defined configuration file which
is included at the end of the generated file can_cfg.h. This means entries
in the user defined configuration file overwrite the entries in can_cfg.h.
Use Receive Function
The receive function ApplCanMsgReceived() is called by the CAN
(ApplCanMsgReceived)
Driver on every reception of a CAN message after the hardware
acceptance filter is passed. Within this callback function the Application
may preprocess the received message in any way (ECU specific
dynamic filtering mechanisms, preprocessing of the messages, gateway
functionality...).
If the callback function ApplCanMsgReceived() returns kCanCopyData,
the CAN Driver continues to work on the message received.
If the callback function returns kCanNoCopyData, the CAN finishes
working on the message received.
Support Active/Passive
If this field is checked, the CAN Driver's transmit path can be switched to
State
the "Passive" state. In this state no CAN messages are sent to the CAN
bus. The transmit request always returns with ”OK”.
This ”passive” state functionality may be used to localize errors in a CAN
bus: If there are errors in a CAN bus, and the errors disappear when a
particular node is switched to passive state, the scapegoat is found. The
Application must be switched to the passive state and back to active
state by an external tester.
If active/passive state is enabled, the CAN Driver is in active state after
initialization.
Use Transmit Queue
If this field is checked the CAN Driver is configured to use a transmit
queue.
If no transmit queue is used, the Application is responsible to restart a
transmit request if it wasn’t accepted by the CAN Driver. In the case of
using a transmit queue, a transmit request is almost accepted. But the
queue does only store the transmit request of a message. It doesn’t
store the data to be sent in any case. The CAN Driver inserts a transmit
request to the queue, if no hardware object is available when
CanTransmit() is called. On a transmit interrupt, this means a former
requested message is transmitted, the CAN Driver checks whether
transmit requests are stored in the queue. If so, these requests are
removed from the queue and the transmit request is executed. The
search algorithm in the queue is priority based, there is no FIFO
strategy. This means the identifier with the lowest number is removed
first from the queue.
Support for OSEK OS
If this field is checked the CAN Driver is configured to support OSEK-
OS. The kind of OSEK-OS depends on the specific microprocessor.
Use OsekOS Interrupt Cat In case of using OSEK-OS the interrupt category of the CAN Driver
2
interrupts have to be defined. Normally category 1 is used. Instead of
this category 2 can be selected.
©2010, Vector Informatik GmbH
Version: 3.01.01
140 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation
Support Overrun
If this field is checked the CAN Driver is configured to notify the
Notification
Application in case of an overrun.
The Application has to provide an Overrun callback function:
void ApplCanOverrun(void)  /* Overrun in the CAN Controller */
The overrun handling itself is done by the CAN Driver:
Security Level
This is the define value to configure the security level. Valid values are
0,10, 20 or 30.
Extended Status
This is the global checkbox for using hardware status information in the
CAN Driver service CanGetStatus() or not.
Debug level
There are different Debug Levels supported by the CAN Driver:
None: No debug functionality active.
User: User API is debugged. The CAN Driver service function
parameters are checked.
Hardware: The CAN Controller interface is checked. Depends on CAN
Controller.
Gen: The configuration data are checked.
Internal: CAN Driver internal checking (consistency of transmit queue).
Extended IDs
This checkbox is available only if extended CAN identifiers are selected
in the channel configuration dialog. It has to be enabled if extended CAN
identifiers have to be received by the range specific acceptance filtering
and the appropriate precopy function has to be called. In such case no
standard identifiers can be received by any acceptance range.
Use Range X
This is the global switch to select identifier range specific precopy
functions. These ranges are normally used for Network Management,
Transport Protocol and so on. There are in maximum 4 ranges
configurable, where ‘X’ is the number of the specified range. If a range is
enabled, the following additional settings has to be done:
Range X mask
Acceptance code of the identifier range X.
Range X ID
Acceptance mask of the identifier range X.
Range X precopy function  Specific precopy function for range X.
Tx observe
This is the global switch for using the tx observe functionality of the CAN
Driver or not.
Use MsgNotMatched
This is the global switch for using the MsgNotMatched function of the
function
CAN Driver or not.
Hardware Loop Check
This is the global switch for using the hardware loop check of the CAN
Driver or not.
Number of dynamic tx
Maximum number of dynamic send objects which are available at run
objects
time.
Dynamic TxId
If the checkbox “DynamicTxId” is checked, the IDs of the dynamic
transmit objects can be changed by the service function
CanDynTxObjSetId() and/or by the service function
CanDynTxObjSetExtId(). The last mentioned service function is only
available if extended ID addressing is checked in the Generation Tool.
©2010, Vector Informatik GmbH
Version: 3.01.01
141 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Feature
Explanation
Dynamic TxDLC
If the checkbox “DynamicTxDLC” is checked, the DLCs of the dynamic
transmit objects can be changed by the service function
CanDynTxObjSetDlc().
Dynamic TxDataPtr
If the checkbox “DynamicTxDataPtr” is checked, the data pointers of the
dynamic transmit objects can be changed by the service function
CanDynTxObjSetDataPtr(). The occurrence of this switch is CAN
Controller dependent.
Dynamic TxConfirmation
If the checkbox “DynamicTxConfirmation” is checked, the confirmation
function of the dynamic transmit objects can be changed by the service
function CanDynTxObjSetConfirmationFct(). The occurrence of this
switch is CAN Controller dependent.
Dynamic TxPreTransmit
If the checkbox “DynamicTxPretransmit” is checked, the pretransmit
function of the dynamic transmit objects can be changed by the service
function CanDynTxObjSetPreTransmitFct().The occurrence of this
switch is CAN Controller dependent.
Use Low Level Message
If the checkbox “Use Low Level Message Transmit” is checked, the
Transmit
function CanMsgTransmit() can be used.
Use Low Level Message
This checkbox is only available, if “use Low Level Message Transmit” is
Transmit Confirmation
active. The confirmation and init callback functions of low level transmit
functionality can be activated by this checkbox.
Use PartOffline
If the checkbox “Use PartOffline Functionality” is checked, the partial
Functionality
offline mode is available.
Use Generic Precopy
This checkbox enables the use of the generic precopy function –
ApplCanGenericPrecopy(). This precopy function is common to all
receive messages. It will be called as soon as the receive handle is
determined.

The next figure shows the Configuration of the partial offline mode. Every transmit
message can be assigned to up to eight partial offline groups.
©2010, Vector Informatik GmbH
Version: 3.01.01
142 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

Figure 10-7 Configuration of Partial Offline Mode

Feature
Explanation
Edit part offline mode
this button can be used to change the names of the eight partial offline
names
groups

The following features cannot be configured by the Application. They are set automatically
depending on the used OEM:
  DLC check
  Data Copy Mechanism
  Cancel in Hardware

©2010, Vector Informatik GmbH
Version: 3.01.01
143 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

10.4  Manual configuration via user configuration file
This chapter describes additional configuration options for special features which can only
be configured via user configuration file.
In the following table you will find a list of configuration switches, used to control the
functional units of the CAN Driver:

Switch
Value / Range
Use of ...
C_xxx_APPLCANPREWAKEUP_FCT  ENABLE, DISABLE
Activate call of ApplCanPreWakeUp() if
an WakeUp Interrupt occurs.
C_xxx_NOTIFY_CORRUPT_MAILBOX ENABLE,
DISABLE  Activate call of ApplCanCorruptMailbox()
in case the CAN RAM Check fails for a
certain mailbox.

If the Generation Tool CANgen is used, some additional configurations can only be due via
user configuration file:

Switch
Value / Range
Use of ...
C_xxx_ONLINE_OFFLINE_CALLBACK ENABLE, DISABLE
Activate call of ApplCanOnline() and
_FCT
ApplCanOffline() if the associated CAN
driver state was entered.
C_xxx_INTCTRL_ADD_CAN_FCT ENABLE,
DISABLE
Activate call of
ApplCanAddCanInterruptDisable()
and
ApplCanAddCanInterruptRestore().
These two functions have to be used to
handle the wake-up interrupt if the
hardware treats this interrupt separately
or if the Driver runs in Polling Mode the
polling tasks have to be disabled.

©2010, Vector Informatik GmbH
Version: 3.01.01
144 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

11 Glossary
Abbreviations and
Expressions
Explanation
Acceptance filtering
Mechanism which decides whether each received protocol frame is
to be taken into account by the local Node or ignored.
API Application
Program
Interface.
Application Interface
An application interface is the prescribed method of a SW
component for using the available functionality.
Arbitration
Mechanism which guarantees that a simultaneous access made by
multiple stations results in a contention where one frame will
survive uncorrupted.
ASAP Arbeitskreis
zur
Standardisierung von Applikationssystemen.
Standardization of Application and Calibration system task force
BCD
Binary Coded Decimal
Buffer
A buffer in a memory area normally in the RAM. It is an area, the
application reserved for data storage
Bus
Defines what we call internal as channel or connection.
BusOff
A node is in the state bus off when it is switched off from the bus
due to a request of fault confinement entity. In the bus off state, a
node can neither send nor receive any frames. A node can start the
recovery from bus off state only upon a user request.A node is in
the state BusOff when it is switched off from the bus. In the state
BusOff a node can neither send nor receive any protocol frames.
Callback function
This is a function provided by an application. E.g. the CAN Driver
calls a callback function to allow the application to control some
action, to make decisions at runtime and to influence the work of
the Driver.
CAN
Controller Area Network protocol originally defined for use as a
communication network for control applications in vehicles.
CAN Controller
A hardware unit integrated into a micro controller (or as a separate
unit) handling the CAN protocol.
CAN Driver
The CAN driver encapsulates a specific CAN controller handling. It
consists of algorithms for HW initialization, CAN message
transmission and reception. The application interface supports both
event and polling notification and WR/RD access to the message
buffers.
Channel
A channel defines the assignment (1:1) between a physical
communication interface and a physical layer on which different
modules are connected to (either CAN or LIN). 1 channel consists
of 1..X network(s).
Configuration
The communication configuration adapts the communication stack
to the specific component requirements by means of the
Generation Tool.
Confirmation
A service primitive defined in the ISO/OSI Reference model (ISO
©2010, Vector Informatik GmbH
Version: 3.01.01
145 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

7498). With the service primitive 'confirmation' a service provider
informs a service user about the result of a preceding service
request of the service user. Notification by the CAN Driver on
asynchronous successful transmission of a CAN message.
Data consistency
Data consistency means that the content of a given application
message correlates unambiguously to the operation performed
onto the message by the application. This means that no
unforeseen sequence of operations may alter the content of a
message hence rendering a message inconsistent with respect to
its allowed and expected value.
DBC
CAN database format of the Vector company which is used by
Vector tools
DLC
Data Length CodeNumber of data bytes of a CAN message
ECU
Electronic Control Unit
Error
Error is a local problem which could be solved locally. If not, the
error will be given as an exception to the application. An error is not
the specification conform misbehavior of a system (e.g. a not
responded diagnostic request after three requests without
response is no error). Discrepancy between a computed, observed
or measured value or condition and the true, specified or
theoretically correct value or condition (IEC 61508-4).
FIFO
First In First Out
FILO
First In Last Out
Gateway
A gateway is designed to enable communication between different
bus systems, e.g. from CAN to LIN.
Generation Tool
See CANgen, DBKOMGen and GENy. The generation tool
configures the communication stack based on database attributes
(vehicle manufacturer), project settings (module supplier) and
license information (Vector).
HIS Hersteller-Initiative
Software
HW Hardware
ID
Identifier (e.g. Identifier of a CAN message)
Indication
A service primitive defined in the ISO/OSI Reference Model (ISO
7498). With the service primitive 'indication' a service provider
informs a service user about the occurrence of either an internal
event or a service request issued by another service user.
Notification of application in case of events in the Vector software
components, e.g. an asynchronous reception of a CAN message.
Interrupt
Processor-specific event which can interrupt the execution of a
current program section.
Interrupt level
Processing level provided for time-critical activities. To keep the
interrupt latency brief, only absolutely indispensable actions should
be effected in the Interrupt Service Routine, which ensures
reception of the interrupt and trigger its (post) processing within a
task. Other processing levels are: Operating System Level and
Task Level.
ISO
International Standardization Organization
©2010, Vector Informatik GmbH
Version: 3.01.01
146 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

ISR
Interrupt Service Routine
LIN
Local Interconnect Network
Manufacturer Vehicle
manufacturer
Message
A message is responsible for the logical transmission and reception
of information depending on the restrictions of the physical layer.
The definition of the message contents is part of the database
given by the vehicle manufacturer.
MISRA
Motor Industry Software Reliability Association
MRC
Multiple Receive Channel
Network
A network defines the assignment (1:N) between a logical
communication grouping and a physical layer on which different
modules are connected to (either CAN or LIN). 1 network consists
of 1 channel, Y networks consists of 1..Z channel(s). We say
network if we talk about more than 1 bus.
NM Network
Management
Node
A network topological entity. Nodes are connected by data links
forming the network. Each node is separately addressable on the
network.
OEM
Original Equipment Manufacturer
Offline
State of the data link layer. In the Offline state, no application
communication is possible. Only the network management is
allowed to communicate.
Online
(Normal) state of the data link layer. Application and Network
Management communication are possible.
OS Operating
System
OSEK
Name of the overall project: Abbreviation of the German term
"Offene Systeme und deren Schnittstellen fÃ¼r die Elektronik im
Kraftfahrzeug" - Open Systems and the Corresponding Interfaces
for Automotive Electronics.
Overrun
Overwriting data in a memory with limited capacity, e.g. Queued
message object
Platform
The sum of micro controller derivative, communication controller
implementation and compiler is called platform.
RAM Random
Access
Memory
Register
A register is a memory area in the controller, e.g. in the CAN
Controller. Distinguish Register from Buffer
RI Reference
Implementation
ROM Read-Only
Memory
Signal
A signal is responsible for the logical transmission and reception of
information depending on the restrictions of the physical layer. The
definition of the signal contents is part of the database given by the
vehicle manufacturer. Signals describe the significance of the
individual data segments within a message. Typically bits, bytes or
words are used for data segments but individual bit combinations
are also possible. In the CAN data base, each data segment is
assigned a symbolic name, a value range, a conversion formula
©2010, Vector Informatik GmbH
Version: 3.01.01
147 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

and a physical unit, as well as a list of receiving nodes.
SRC
Single Receive Channel
Status
A status describes the properties (parameters) of an entity. A state
is interpreted as an information, e.g. an error, by the entity which
uses a status, and is frequently determined by the history.
Task Level
Processing level where the actual application software, is
executed. Tasks are executed according to the priority assigned to
them, and to the selected scheduling policy. Other processing
levels are: Interrupt level and Operating System Level.
Transceiver
A transceiver adapts the physical layer to the communication
interface.
Vehicle Manufacturer
We use this instead of OEM
Watchdog
A monitoring entity.

©2010, Vector Informatik GmbH
Version: 3.01.01
148 / 149
based on template version 2.1

TechnicalReference Vector CAN Driver

12 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector-informatik.com
©2010, Vector Informatik GmbH
Version: 3.01.01
149 / 149
based on template version 2.1

Document Outline

2.6 - TechnicalReference_Rh850_Rscan

Vector CAN Driver

2.7 - TechnicalReference_Rh850_Rscan_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50

2.8 - TechnicalReference_Rh850_Rscans

Vector CAN Driver
Technical Reference

Renesas
RH850
RSCAN

Version 1.08.00

Authors
Torsten Kercher
Status
Released

Vector CAN Driver Technical Reference RH850 RSCAN

Document Information
History

Author
Date
Version  Remarks
Torsten Kercher  2013-05-27  1.00.00  Initial release (support F1L with GreenHills compiler)
Torsten Kercher  2013-07-18  1.01.00  Support R1L derivatives
Correct description of nested interrupt behavior
Torsten Kercher  2013-08-26  1.02.00  Support HighEnd features
Support WindRiver Diab compiler
Torsten Kercher  2013-10-16  1.03.00  Support R1M derivatives
Update referenced version of the R1x manual
Support external wakeup functionality
Update chapters 5, 6, 7.2.2
Torsten Kercher  2014-04-04  1.04.00  Support extended CAN RAM check
Support RSCAN RAM test
Support D1L, D1M, P1M derivatives
Update referenced version of the F1L manual
Torsten Kercher  2014-04-29  1.04.01  Update description of nested interrupt behavior
Torsten Kercher  2014-05-15  1.05.00  Support IAR compiler
Support F1H derivatives
Update expected loop durations in chapter 5
Torsten Kercher  2014-07-23  1.06.00  Support Renesas compiler
Support C1H, C1M, E1L, E1M derivatives
Update chapters 5, 9.4, 10.3
Update ref. versions of the F1L and F1H manuals
Torsten Kercher  2014-11-24  1.07.00  Support configuration of the used ‘CAN Interface’
Support F1M derivatives
Update chapters 5, 6, 7.2.9, 9.4, 10.3
Update ref. versions of the P1x and R1x manuals
Torsten Kercher  2015-08-19  1.08.00  Support F1K derivatives
Table 1-1   History of the document

Please note
We  have  configured  the  programs  in  accordance  with  your  specifications  in  the
  questionnaire.  Whereas  the  programs  do  support  other  configurations  than  the  one
specified  in  your  questionnaire,  Vector’s  release  of  the  programs  delivered  to  your
company  is  expressly  restricted  to  the  configuration  you  have  specified  in  the
questionnaire.

2015, Vector Informatik GmbH
Version: 1.08.00
2 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

1  Introduction
The concept of the CAN driver and the standardized interface between the CAN driver and
the  application  is  described  in  the  document  TechnicalReference_CANDriver.pdf.  The
CAN driver interface to the hardware is designed in a way that capabilities of the special
CAN chips can be utilized optimally. The interface to the application was made identical for
the  different  CAN  chips,  so  that  the  "higher"  layers  such  as  network  management,
transport protocols and especially the application would essentially be independent of the
particular CAN chip used.

This  document  describes  the  hardware  dependent  special  features  and  implementation
specifics of the Renesas RSCAN on the RH850 platform.
2015, Vector Informatik GmbH
Version: 1.08.00
5 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

2  Important References
The  following  table  summarizes  information  about  the  CAN  Driver.  It  gives  you  detailed
information  about  the  versions,  derivatives  and  compilers. As  very  important  information
the  documentations  of  the  hardware  manufacturers  are  listed. The  CAN  Driver  is  based
upon these documents in the given version.

Driver
Supported
Supported
Hardware Manufacturer Documents
Version
Version

  Compilers
Derivatives
3.15.xx,  GreenHills,
C1H
R01UH0414EJ0041, RH850/C1x,
Rev.0.41
RI 1.5
WindRiver Diab,  C1M
User’s Manual: Hardware
Feb 2014
Renesas,
D1L
R01UH0451EJ0041, RH850/D1L/D1M
Rev.0.41
IAR
D1M
Group, User’s Manual: Hardware
Jan 2014
E1L
R01UH0468JJ0040, RH850/E1L,
Rev.0.40
User’s Manual: Hardware
Dec 2013
E1M
R01UH0466JJ0040, RH850/E1M-S,
Rev.0.40
User’s Manual: Hardware
Dec 2013
F1H 1
R01UH0445EJ0011, RH850/F1H Group,  Rev.0.11
User’s Manual: Hardware
Apr 2014
F1K 1
R01UH0562EJ0050, RH850/F1K Group   Rev.0.50
User’s Manual: Hardware
Mar 2015
F1L
R01UH0390EJ0110, RH850/F1L Group,   Rev.1.10
User’s Manual: Hardware
Jun 2014
F1M
R01UH0518EJ0010, RH850/F1M Group,   Rev.0.10
User’s Manual: Hardware
Nov 2014
P1M
R01UH0436EJ0060, RH850/P1x Group,   Rev.0.60
User’s Manual: Hardware
Jul 2014
R1L
R01UH0411EJ0110, RH850/R1x Group,   Rev.1.10
R1M
User’s Manual: Hardware
Aug 2014

R01US0058EJ0020, RH850 Family,
Rev.0.20
User’s Manual: Software
Feb 2013
Table 2-1   Supported Hardware Overview

Driver Version: This is the current version of the CAN Driver. RI shows the version of the Reference
Implementation and therefore the functional scope of the CAN Driver.
Supported Compilers: List of compilers the CAN Driver is working with.
Supported Derivatives: List of derivatives the CAN Driver can be used on.
Hardware Manufacturer Documents: List of the documentation the CAN Driver is based on.
Version: Version of the documentation the CAN Driver is based on.


1 Only the first RSCAN unit (RSCAN0) is supported (physical channels CAN0-CAN5).
2015, Vector Informatik GmbH
Version: 1.08.00
6 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

3  Usage of Controller Features
3.1
[#hw_comObj] - Communication Objects
The generation tool supports a flexible allocation of message buffers:

Figure 3-1  Hardware Object Layout

Note
Figure  3-1  depicts  the  maximum  capacities  of  one  RSCAN  unit  -  the  actual  layout
  depends  on  the  used  derivative.  Refer  to  the  hardware  manual  to  get  the  number  of
supported physical channels to determine which Tx buffers are available. The amount
of  supported  Rx  buffers  (nRXMBmax)  equals  the  number  of  supported  physical
channels of the used RSCAN unit * 16.

2015, Vector Informatik GmbH
Version: 1.08.00
7 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Obj
Hw object  Log object  No. of
Comment
number
type
type
objects
These objects are used to receive
specific CAN messages. The user
defines statically (Generation Tool) that
a CAN message should be received in a
FullCAN message object. The

Generation Tool distributes the
0
messages to the FullCAN objects. Up to
0

Receive
Receive
-
nRxMBmax receive FullCAN objects can
-
buffer
FullCAN
nRXMBmax be configured per channel, but the sum
(nRXFC

-1)

over all receive FullCAN objects on all
= nRXFC
channels must not exceed nRxMBmax.
The receive buffers for the FullCAN
objects of all channels (sorted
ascending by the physical channel
index) are allocated continuously
starting from index 0.
These objects are not used. It depends
on the configuration of receive FullCAN
nRXFC
0
Receive

objects and nRxMBmax how many
-
Unused
buffer

-
receive buffers are not used. These
127

128
objects will not be configured, so they
don’t consume shared hardware buffers.
All other CAN messages (Application,
Diagnostics, Network Management) are
received via the BasicCAN objects.
Each object consists of one receive
FIFO buffer with a configurable amount
of acceptance filters and an individually
configurable FIFO depth (number of
allocated shared buffers). In general
0
there is one BasicCAN object per
128

-
channel, but by using the Multiple
-
Receive
Receive
8
BasicCAN feature the amount of used
(128 +

FIFO buffer  BasicCAN
BasicCAN objects can be configured.
nRXBC

-1)
= nRXBC
Up to 8 receive BasicCAN objects can
be configured per channel, but the sum
over all receive BasicCAN objects on all
channels must not exceed 8. The
receive FIFO buffers for the BasicCAN
objects of all channels (sorted
ascending by the physical channel
index) are allocated continuously
starting from index 128.
These objects are not used. It depends
on the configuration of receive
128 + nRXBC
0
Receive

BasicCAN objects how many receive
-
Unused
FIFO buffer

-
FIFO buffers are not used. These
135

8
objects will not be configured, so they
don’t consume shared hardware buffers.
2015, Vector Informatik GmbH
Version: 1.08.00
8 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Obj
Hw object  Log object  No. of
Comment
number
type
type
objects
The usage of Transmit / Receive FIFO
136
Transmit /
buffers is not supported by this driver.
-
Receive
Unused
24
These objects are always unused and
159
FIFO buffer
will not be configured, so they don’t
consume shared hardware buffers.
This object is used by CanTransmit()
to send several messages on the logical
Transmit
Transmit
1
160 + (n*16)

channel that is mapped to physical

buffer
Normal
per channel  channel n. If the transmit message
object is busy, the transmit request is
stored in a software queue.
This object is used by
0 or 1
Transmit
CanMsgTransmit() to send its
Low Level  per channel
161 + (n*16)

buffer
messages on the logical channel that is

Transmit

= nTXLL
mapped to physical channel n if the Low

Level transmit functionality is used.
These objects are used by
CanTransmit() to send a certain
message on the logical channel that is

161 + (n*16)
0
mapped to physical channel n. The user

+ nTXLL
defines statically (Generation Tool)
-
-
Transmit
Transmit
15
which CAN messages are located in

161 + (n*16) +  buffer
FullCAN
such Tx FullCAN objects. The
nTXLL +
per channel  Generation Tool distributes the
nTXFC(n)

-1
messages to the objects. Up to 15
= nTXFC(n)   transmit FullCAN objects can be
assigned per channel (up to 14 if the
Low Level transmit functionality is used).
161 + (n*16) +
These objects are not used. It depends
nTXLL +
0
on the configuration of transmit objects
nTXFC(n)
Transmit
how many transmit buffer objects are
Unused
-

-
buffer
15
not used. Additionally all transmit buffers
161 + (n*16)
per channel  of not supported or unused physical
+14
channels n are unused.
Table 3-1   Hardware Object Layout

nRxMBmax  Amount of RX buffers that is supported by the used derivative (see note above)
nRxFC
Number of used Rx FullCAN objects over all channels
nRxBC
Number of used Rx BasicCAN objects over all channels
n
Index of the physical channel
nTXLL
Number of Low Level transmit objects per channel (0 or 1)
nTXFC(n)
Number of used Tx FullCAN objects on the channel that is mapped to the physical channel n

2015, Vector Informatik GmbH
Version: 1.08.00
9 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Caution
The number of available transmit buffer objects per physical channel is constant. The
  receive buffers and FIFOs are shared over all channels and the availability per channel
is  restricted  as  explained  in  table  3-1.  Furthermore  the  internal  buffers  for  all  receive
objects  are  allocated  out  of  a common  buffer  pool  with  size  of  (number  of  supported
physical  channels  of  the  used  RSCAN  unit  *  64).  This  has  to  be  considered  when
configuring the number of the Rx FullCAN objects and the number and individual FIFO
depths of the Rx BasicCAN objects (refer to section 11.1.3 for further information and
details on how to configure the hardware objects).

3.2
Acceptance Filters
The hardware acceptance filters of the receive BasicCAN objects must allow reception of
all  messages  that  are  not  received  in  FullCAN  message  objects  and  additionally  all
messages  that  fit  in  a  configured  range  (e.g.  for  Network  Management,  Transport
Protocol).  The  generation  tool  offers  assistance  for  configuration.  The  number  of  used
filters  is  also  configurable  to  allow  efficient  hardware  filtering  to  minimize  unnecessary
CPU load.

Caution
The hardware supports a pool of acceptance filters with size of (number of supported
  physical channels of the used RSCAN unit * 64) that are used for Rx BasicCAN as well
as Rx FullCAN objects. This has to be considered when configuring the number of Rx
FullCAN objects and the number of filters per Rx BasicCAN object. See section 11.1.3
for further information and details on the configuration.

2015, Vector Informatik GmbH
Version: 1.08.00
10 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

4   [#hw_sleep] - SleepMode and WakeUp
The  driver  supports  sleep  and  wakeup  functionality.  With  the  function  CanSleep()  the
CAN controller enters sleep mode and leaves it with the function CanWakeUp() (internal
wakeup)  or  upon  a  falling  edge  respectively  dominant  level  on  the  Rx  pin  (external
wakeup).
Specify the Sleep/Wakeup option in the generation tool in order to use the Sleep/Wakeup
functionality.  If  this  option  is  not  enabled,  the  service  functions  CanSleep()  and
CanWakeUp() are empty and return kCanNotSupported.
4.1
Sleep
The  function  CanSleep()  changes  the  channel  from  communication  mode  via  reset
mode to stop mode. If the function is called during CAN communication, the reception or
transmission  is  terminated  before  it  is  completed  (the  same  applies  to  a  call  of
CanResetBusSleep()).
The return value kCanOk is always expected as these mode transitions do not depend on
external influences (e.g. the CAN bus level). However, if the function returns kCanFailed
(e.g. caused by a hardware loop cancellation, see chapter 5 for details) call CanSleep()
again or re-initialize the channel.
4.2
Internal Wakeup
The  function  CanWakeUp()  changes  the  channel  from  stop  mode  via  reset  mode  to
communication mode.
The return value kCanOk is always expected as these mode transitions do not depend on
external influences (e.g. the CAN bus level). However, if the function returns kCanFailed
(e.g. caused by a hardware loop cancellation, see chapter 5 for details) call CanWakeup()
again or re-initialize the channel.
4.3
External Wakeup
The external wakeup functionality is realized by external interrupts but fully handled by the
CAN driver in default configurations. The RSCAN itself does not provide any possibility of
detecting bus activity if  it is in  stop mode. Instead  the port configuration of  many  RH850
derivatives allows combining the CANn Rx pin with an external interrupt INTPm to be able
to  detect  a  CAN  event  even  if  the  driver  is  in  sleep  mode.  See  the  hardware
documentation of the actual derivative for details (Port x – Alternative Functions) and refer
to chapter 10 for implementation hints.
When the driver is in  sleep mode and a  CAN event is detected on the Rx pin a wakeup
interrupt is generated. It is also possible to detect this event by polling the interrupt request
flag without enabling the interrupt source. The ISR or the task function calls the application
function  ApplCanPreWakeUp()  (if  configured),  changes  the  channel  mode  via  reset
mode to communication mode and then calls ApplCanWakeUp().
2015, Vector Informatik GmbH
Version: 1.08.00
11 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Caution
If the Sleep/Wakeup functionality is enabled via the configuration tool both the internal
  and external wakeup are available  by default  and the CAN driver expects that the Rx
pin  of  each  used  CAN  channel  is  linked  with  an  external  interrupt  in  context  of  the
RH850  port  configuration  as  depicted  in  the  corresponding  hardware  manual.
Additionally  the  driver  expects  that  each  external  interrupt  source  is  assigned  to  the
lowest  possible  interrupt  channel  if  the  sources  are  multiplexed  (check  the  “INTC1
interrupt select register” if applicable).
If  this  configuration  is  not  possible  for  the  actual  derivative  (refer  to  the  hardware
documentation) or any respective external interrupt cannot be used exclusively by the
driver (write accesses to the corresponding interrupt control register, e.g. if any external
MCU  wakeup  handling  using  this  source  is  implemented),  the  external  wakeup
functionality must not be used.
In this case the Sleep/Wakeup functionality has to be disabled via the generation tool
or the external wakeup handling has to be deactivated by adding following to the user
configuration file:
#define C_ENABLE_EXTERNAL_WAKEUP_SUPPRESSION
Then  the  driver  does  not  access  the  external  interrupt  sources  and  only  the  internal
wakeup is possible (the driver does not wake up on bus activity).

Caution
The driver performs write accesses within the interrupt controller address space of the
  MCU if the external wakeup functionality is used. If wakeup processing is configured to
interrupt  the  corresponding  source  is  enabled  at  successful  sleep  transitions  and
disabled  during  wakeup  transitions.  Additionally  the  corresponding  interrupt  request
flag is cleared right before the interrupt is enabled; hence a wakeup event can only be
detected  after  the  sleep  transition  has  been  successfully  completed.  Refer  to  section
10.3 if an exclusive write access to the interrupt control registers is not possible. Please
note that the interrupt request flag also has to be cleared for polling configurations.

2015, Vector Informatik GmbH
Version: 1.08.00
12 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

5   [#hw_loop] - Hardware Loop Check
In  context  of  the  feature  Hardware  Loop  Check  (see  TechnicalReference_CANDriver,
chapter Hardware Loop Check) this CAN Driver provides the following timer identifications.
Refer to the hardware manual for a description of the RSCAN clock sources and additional
information  on  other  hardware  specifics  like  the  mode  transitions.  Please  note  that  the
expected loop durations  vary between individual derivatives. The given values depict the
worst case and may be lower for the actually used derivative.

Caution
Always significantly increase the given durations for the loop callout implementation to
  compensate additional software delays.

kCanLoopRamInit
This loop may be called within the function CanInitPowerOn() and is processed until
the  CAN  RAM  initialization  after  a  MCU  reset  has  finished.  This  is  necessary  as  this
initialization has to be completed before the  RSCAN  can be configured. As this loop is
not called in channel context the channel parameter has to be ignored.
The maximum  expected  duration  to  wait for  the  CAN  RAM  initialization  starts  from  the
time  of  the  MCU  reset  and  is  device  specific.  Refer  to  the  corresponding  hardware
manual (e.g.  section RSCAN Setting Procedure  –  Initial Settings) to get  the number of
required cycles of the pclk. If this loop is canceled try to call CanInitPowerOn() again
or reset the MCU.

kCanLoopInit
This  loop may  be  called  within  the function  CanInitPowerOn(). As  it  is  not  called  in
channel  context  the  channel  parameter  has  to  be  ignored.  The  loop  may  be  called
multiple times within this function and the possible occurrences are as follows:
  To protect the transition via global reset mode to global stop mode.
  To protect the transition to global reset mode.
  To protect transitions and settings in context of the global test mode (only active if the
RSCAN RAM test is enabled)
  To protect the transition to channel reset mode for each active channel.
  To protect the transition to global operation mode.

The duration for each mode transition in this context is expected to be two CAN bit times
at  highest  (of  the  lowest  communication  speed  of  the  channels  in  use).  If  any  loop
occurrence is canceled try to call CanInitPowerOn() again or reset the MCU.

2015, Vector Informatik GmbH
Version: 1.08.00
13 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

kCanLoopBusOffRecovery
This channel dependent loop may be called in CanInit() if the RSCAN is currently in
BusOff  state  and  is  processed  until  11  consecutive  recessive  bits  have  been  detected
128 times on the bus to ensure compliance to the BusOff recovery specification (see also
chapter 6).
The  maximum  expected  duration  is  1408  CAN  bit  times  on  a  recessive  bus,  128
message  times  including  inter-frame  space  on  a  communicative  bus  or  any  time  if
disturbances are present. There is no issue and nothing to do if the loop is canceled, but
the specified BusOff recovery time may not be met.

kCanLoopEnterResetMode
This  channel  dependent  loop  may  be  called  multiple  times  in  CanInit()  and  is
processed  as  long  as  the  CAN  cell  does  not  enter  channel  reset  mode,  respectively
channel operation mode.
The  maximum  expected  duration  of  each  loop  is  three  CAN  bit  times.  If  the  loop  is
canceled try to call CanInit() again. If the loop still doesn’t finish within the expected
time call CanInitPowerOn().

kCanLoopEnterOperationMode
This channel dependent loop is called in CanStart() and is processed as long as the
CAN cell does not enter channel operation mode.
The  maximum  expected  duration  of  the  loop  is  three  CAN  bit  times.  If  the  loop  is
canceled  try  to  call  CanStart()  again  or  invoke  CanInit().  If  the  loop  still  doesn’t
finish within the expected time call CanInitPowerOn().

kCanLoopEnterSleepMode
This  channel  dependent  loop  may  be  called  multiple  times  in  CanSleep()  and  is
processed  as  long  as  the  CAN  cell  does  not  enter  channel  reset  mode,  respectively
channel stop mode.
The maximum expected duration of the loop is two CAN bit times. If the loop is canceled
try to call CanSleep() again or invoke CanInit(). If the loop still doesn’t finish within
the expected time call CanInitPowerOn().

kCanLoopEnterWakeupMode
This  channel  dependent  loop  may  be  called  multiple  times  in  CanWakeUp()  and  is
processed  as  long  as  the  CAN  cell  does  not  enter  channel  reset  mode,  respectively
channel operation mode.
The  maximum  expected  duration  of  the  loop  is  three  CAN  bit  times.  If  the  loop  is
canceled try to call CanWakeUp() again or invoke CanInit(). If the loop still doesn’t
finish within the expected time call CanInitPowerOn().

2015, Vector Informatik GmbH
Version: 1.08.00
14 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

kCanLoopRxFcProcess
This  channel  depended  loop  may  be  called  in  CanFullCanMsgReceived()  and  is
processed  as  long  as  new  messages  are  received  by  the  current  receive  buffer  while
copying a previously received message to a temporary software buffer. This ensures that
always consistent and most recent data is indicated to the higher layers.
It is expected that the loop is called only one time. Please note that if the loop iterates at
all,  previously  received  messages  of  the  current  receive  buffer  are  discarded  without
further notification as data consistency cannot be ensured. There is no issue and nothing
to do if the loop is canceled, but the latest message is also discarded and the function
CanFullCanMsgReceived() returns without indicating any message at all.

2015, Vector Informatik GmbH
Version: 1.08.00
15 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

6  [#hw_busoff] - Bus off
In  case  of  a  BusOff  event  the  controller  automatically  changes  to  stop  mode  on  the
respective  channel.  There  is  no  automatic  recovery  as  specified  by  ISO11898-1;  the
application  has  to  restart  communication  following  the  description  in  the  Technical
Reference CAN driver, i.e. by calling CanResetBusOffStart/-End() which leads to a
call of CanInit().

Caution
Please note that if CanResetBusOffEnd() is called before 11 consecutive recessive
  bits have been detected 128 times on the bus, the function CanInit() waits until this
condition  is  met.  Reason  is  that  the  current  recovery  status  is  lost  during  re-
initialization.  It  may  not  be  acceptable  for  the  program  to  wait  until  the  hardware  has
recovered  as  this  delay  is  implemented  synchronously.  In  this  case  use  the  feature
“Hardware  Loop  Check”  to  control  the  behavior.  See  kCanLoopBusOffRecovery  in
chapter 5 for details.

2015, Vector Informatik GmbH
Version: 1.08.00
16 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

7  CAN Driver Features
7.1
[#hw_feature] - Feature List

Standard
HighEnd
Initialization
Power-On Initialization


Re-Initialization


Transmission
Transmit Request


Transmit Request Queue


Internal data copy mechanism


Pretransmit functions


Common confirmation function


Confirmation flag


Confirmation function


Offline Mode


Partial Offline Mode


Passive-Mode


Tx Observe mode


Dynamic TxObjects
ID



DLC



Data-Ptr


Full CAN Tx Objects


Cancellation in Hardware


Low Level Message Transmit
-

Reception
Receive function


Search algorithms
Linear



Table
-
-

Index



Hash


Range specific precopy functions
4
4
(min. 2, typ.4)
DLC check


Internal data copy mechanism


Generic precopy function


Precopy function


Indication flag


Indication function


Message not matched function


2015, Vector Informatik GmbH
Version: 1.08.00
17 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Overrun Notification


Full CAN overrun notification
-
-
Multiple Basic CAN
-

Rx Queue 2
-

Bus off
Notification function


Nested Recovery functions


Sleep Mode
Mode Change


Preparation


Notification function


Special Features
Status


Security Level


Assertions


Hardware loop check


Stop Mode


Support of OSEK operating


system
Polling Mode
Tx



Rx (FullCAN) 3



Rx (BasicCAN)



Error



Wakeup


Individual Polling 4
-

Multi channel


Support extended ID addressing


mode
Support mixed ID addressing


mode
Support access to error counters


Copy functions


CAN RAM check 5


Extended CAN RAM check 6


Table 7-1   CAN Driver Functionality


2 Consider that the Rx BasicCAN hardware FIFOs in combination with Rx BasicCAN polling might be a more
efficient alternative to the Rx Queue in many configurations.
3 Due to hardware limitations (no interrupt request can be generated for receive buffers) Rx FullCAN polling
is mandatory if Rx FullCAN objects are configured.
4 Due to hardware limitations (see note 3) all Rx FullCAN objects have to be polled.
5 Due to hardware limitations (no write access to Rx objects) only supported for Tx objects.
6 This feature is project specific and only available if explicitly ordered.
2015, Vector Informatik GmbH
Version: 1.08.00
18 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

7.2
Description of Hardware-related Features
7.2.1
[#hw_status] - Status
If a status is not supported, the related macro always returns false.
Status
Support
CanHwIsOk(state)

CanHwIsWarning(state)

CanHwIsPassive(state)

CanHwIsBusOff(state)

CanHwIsWakeup(state)

CanHwIsSleep(state)

CanHwIsStart(state)

CanHwIsStop(state)

CanIsOnline(state)

CanIsOffline(state)

Table 7-2   CAN Status
7.2.2
[#hw_stop] - Stop Mode
The service function CanStop() calls CanInit() and leaves the channel in reset mode,
where it is disconnected from the bus. If the function is called during CAN communication,
the reception or transmission is terminated before it is completed. This mode can be left by
calling CanStart(). Both transitions do not depend on external influences (e.g. the CAN
bus level), so the return value kCanOk is always expected. However, if the functions return
kCanFailed (e.g. caused by a hardware loop cancellation, see chapter 5 for details) call
CanStop() respectively CanStart() again or re-initialize the channel.

7.2.3
[#hw_int] - Control of CAN Interrupts
CAN interrupt locking is performed by modifying the interrupt request mask bits (MK) in the
control registers of the appropriate sources directly within the interrupt controller address
space of the MCU. Therefore the driver needs exclusive write access to all CAN related EI
level  interrupt  control  registers  (ICn).  If  the  Sleep/Wakeup  functionality  is  enabled  this
includes the ICn of external interrupt sources (see chapter 4).
Since  Rx  FIFO  interrupt  and  overrun  (global  error)  cannot  be  enabled  and  disabled  for
every  object  individually  they  are  disabled  globally  when  the  interrupts  of  at  least  one
controller are disabled and enabled globally if  the interrupts of no controller are disabled
anymore.
All CAN related ICn are initialized and then modified by the driver during runtime (interrupt
disable  and  restore).  The  priority  level  for  the  initialization  can  be  selected  via  the
configuration  tool  (all  CAN  interrupts  must  have  the  same  priority),  see  section  11.1.3.
Refer to chapter 10 for further information on CAN interrupts.
2015, Vector Informatik GmbH
Version: 1.08.00
19 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Caution
In standard configuration the driver needs exclusive write access to all CAN related EI
  level  interrupt  control  registers.  Refer  to  chapter  10  for  further  information  and
especially section 10.3 if an exclusive write access is not possible.

7.2.4
[#hw_cancel] - Cancel in Hardware

Yes  No
Has the CanTxTask() to be called by the application to handle the canceled
transmit request in the hardware?



Cancelling transmission of messages via CanCancelTransmit() or
CanCancelMsgTransmit():

Yes  No
ApplCanTxConfirmation() is only called for transmitted messages, successfully
canceled messages are not notified. That means the CAN driver is able to detect


whether a message is transmitted even if the application has tried to cancel.

7.2.5
Remote Frames
Remote Frames will not have any influence on  the communication because they  are not
received due to hardware filtering.

7.2.6
CAN RAM Check
The  CAN  driver  supports  a  check  of  the  CAN  mailboxes  which  is  performed  internally
every  time  the  function  CanInit()  is  called.  The  CAN  driver  verifies  that  no  used
mailboxes are corrupt. A mailbox is considered corrupt if predefined patterns are written to
the appropriate mailbox registers and read operations do not return the expected patterns.
If  a  corrupt  mailbox  is  found  the  function  ApplCanCorruptMailbox()  is  optionally
called to inform the application which mailbox is affected.
After  the  check  of  all  mailboxes  on  the  given  channel  the  CAN  driver  calls  the  function
ApplCanMemCheckFailed() if at least one corrupt mailbox was found. The application
can control whether the CAN driver disables communication on the current channel or not
by  means  of  the  return  value  of  the  call-back  function.  If  the  application  has  decided  to
disable the communication there is no possibility to enable the communication again until
the next call of CanInitPowerOn().

Caution
Due to hardware limitations (no write access for receive objects) the CAN RAM check
  is only supported for transmit mailboxes. Consider the behavioural differences of CAN
RAM check when it is used in combination with the extended CAN RAM check feature.

2015, Vector Informatik GmbH
Version: 1.08.00
20 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

The additional call-back function ApplCanCorruptMailbox() can only be activated via
the user configuration file - the settings are listed below. In case no user config file is used
(i.e. the mentioned switch is not defined) the feature is disabled.
Switch
Value
Description
C_ENABLE_NOTIFY_CORRUPT_MAILBOX

Activate call of ApplCanCorruptMailbox()
in case the CAN RAM check fails for a certain
mailbox.

7.2.7
Extended CAN RAM Check
The  extended RAM check provides an additional check of the CAN cell control  registers
RAM with extended API and modified standard CAN RAM check and driver behaviour.
The RSCAN control registers are differentiated between registers that have to be written in
global  reset  mode  (afterwards  referred  to  as  “global  registers”)  or  can  also  be  written  in
channel reset mode (afterwards referred to as “channel registers”). Since the transition to
global reset mode affects all channels, the global register RAM is checked only once within
CanInitPowerOn(). If the global register RAM is considered corrupt a call-back function
(see below) is issued to allow the application to control whether the driver initialization is
proceeded or not.
The  channel  register  and  mailbox  RAM  check  is  performed  within  the  function
CanInit(). The registers RAM check disables the complete channel communication if at
least  one  of  the  checked  registers  is  considered  corrupt. The  mailbox  RAM  check  (only
available for Tx objects) disables corrupt mailboxes so that no transmission is possible on
them.  In  both  cases  the  appropriate  call-backs  (see  below)  are  called  to  inform  the
application  about  the  failures.  Channels  and  mailboxes  can  be  re-enabled  by  the
application  using  the  extended API.  If  any  of  the  control  registers  check  or  the  mailbox
registers  check  fails  the  overall  RAM  check  call-back  ApplCanMemCheckFailed()  is
invoked.
More detailed information is given below; section 9.3 describes the API functions:
  If any of the global registers (e.g. global configuration registers, registers relating to the
configuration of receive objects and receive rules) are considered corrupt the function
ApplCanGlobalMemCheckFailed()  is  invoked  within  CanInitPowerOn().  If  this
function  returns  kCanEnableCommunication  the  initialization  is  continued  ignoring
the results of the check. If it returns kCanDisableCommunication the RSCAN is put
back  into  global  stop  mode  and  CanInitPowerOn()  returns  without  initializing  the
RSCAN.  The  check  of  the  channel  registers  RAM  is  also  not  performed  and
CanInitPowerOn() has to be called again to be able to use the CAN functionality in
this case (other CAN API functions must not be called until CanInitPowerOn() was
executed completely). The check is performed with every call of this function.
  If  any  of  the  channel  control  registers  are  considered  corrupt  the  function
ApplCanCorruptRegisters()  is  called  and  the  communication  on  the  given
channel is disabled. The CAN cell stays in stop mode whatever the general call-back
function ApplCanMemCheckFailed()  returns  and the  channel  is disconnected from
the Tx port pin.
2015, Vector Informatik GmbH
Version: 1.08.00
21 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

  If  a  corrupt  mailbox  is  found  it  is  disabled  by  the  driver  and  the  call-back  function
ApplCanCorruptMailbox()  is  invoked  (if  this  is  enabled  by  the  definition  of
C_ENABLE_NOTIFY_CORRUPT_MAILBOX).  In  this  case  (but  only  if  no  corrupt  CAN
control registers were found on the given channel) the application can decide whether
the  communication  on  the  channel  should  be  disabled  using  the  return  value  of  the
function ApplCanMemCheckFailed(), but the mailbox stays disabled anyway.
  If the communication on a channel was disabled previously it can be re-enabled using
the function CanEnableChannelCommunication().
  Mailboxes that were disabled by mailbox RAM check can be re-enabled by the function
CanEnableMailboxCommunication() (but  only if the communication on the given
channel is enabled).
  No  mailbox  or  register  RAM  check  is  performed  and  no  RAM  check  call-backs  are
invoked  if  CanInit()  is  called  by  CanResetBusOffEnd().  However,  all  previously
disabled channels or mailboxes stay disabled.

Caution
The  only  way  to re-enable  channel  or  mailbox  communication  is  to  use  the  functions
  CanEnableChannelCommunication(),  CanEnableMailboxCommunication()
or CanInitPowerOn().

The extended CAN RAM check feature needs the standard CAN RAM check functionality
to  be  activated.  The  following  settings  have  to  be  done  in  the  user  configuration  file.  In
case  no  user  config  file  is  used  (i.e.  the  mentioned  switch  is  not  defined)  the  feature  is
disabled. Please note that this is a project specific feature that might not be available and
C_ENABLE_CAN_RAM_CHECK_EXTENDED has no effect in this case.
Switch
Value  Description
C_ENABLE_CAN_RAM_CHECK_EXTENDED

Activate the extended CAN RAM check feature.

7.2.8
RSCAN ECC Configuration
In context of the RSCAN RAM error detection and correction (ECC) the driver provides the
additional  call-back  function  ApplCanEccConfiguration()  (see  section  9.2)  that  is
invoked by CanInitPowerOn() after the CAN RAM initialization is complete and before
the RSCAN is configured while the cell is in global stop mode. This gives the application
the possibility to configure the ECC behavior for  the RSCAN. The driver offers no further
support for this feature - any ECC configuration and handling has to be performed by the
application.
The following settings have to be done in the user configuration file. In case no user config
file is used (i.e. the mentioned switch is not defined) the feature is disabled.
Switch
Value  Description
C_ENABLE_ECC_CALLOUT

Activate call of ApplCanEccConfiguration().

2015, Vector Informatik GmbH
Version: 1.08.00
22 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

7.2.9
RSCAN RAM Test
The RSCAN provides a global test mode that enables the driver to perform a check of the
internal  RSCAN  RAM  that  is  not  accessible  during  normal  operation.  This  check  is
performed once  within  CanInitPowerOn().  Similar  to the  (extended)  CAN  RAM  check
the internal RAM is considered corrupt if predefined patterns are written to the appropriate
RAM  addresses  and  read  operations  do  not  return  the  expected  patterns.  If  any  corrupt
bits  are  found  the  call-back  function  ApplCanGlobalMemCheckFailed()  is  invoked
(see section 9.3). If this function returns kCanEnableCommunication the initialization is
continued  ignoring  the  results  of  the  check.  If  it  returns  kCanDisableCommunication
the RSCAN is put back into global stop mode and CanInitPowerOn() returns without
initializing the RSCAN. CanInitPowerOn() has to be called again to be able to use the
CAN  functionality  in  this  case  (other  CAN  API  functions  must  not  be  called  until
CanInitPowerOn()  was  executed  completely).  The  RAM  test  is  performed  with  every
call of this function.
If this test is used in combination with the (extended) CAN RAM check the coverage of the
latter one is reduced in order to save runtime.
  The receive rule registers are omitted by  the global register check within the function
CanInitPowerOn().
  The mailbox check is omitted if CanInit() is called out of CanInitPowerOn().

The following settings have to be done in the user configuration file. In case no user config
file is used (i.e. the first switch is not defined) the feature is disabled. The second switch is
only evaluated if C_ENABLE_CAN_HW_RAM_CHECK is defined.
Switch
Value
Description
C_ENABLE_CAN_HW_RAM_CHECK

Activate the RSCAN RAM test feature.
C_ENABLE_CAN_HW_RAM_CHECK_SIZE
32 .. 65504  The given number of bytes is checked by the
(bytes)
RAM test (always starting from the beginning
of the CAN RAM). The value must be a
multiple of 32 bytes and has to be valid for the
used derivative (refer to the corresponding
hardware manual).

Caution
Depending  on  the  size  of  RAM  to  be  checked,  used  compiler  options,  clock  settings
  and others this check might take up to several milliseconds. Suggestion is to verify the
runtime of CanInitPowerOn()in the actual project if this feature is enabled.

2015, Vector Informatik GmbH
Version: 1.08.00
23 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

8   [#hw_assert] – Assertions
The driver implements no specific assertions with additional error codes.
2015, Vector Informatik GmbH
Version: 1.08.00
24 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

9  API
9.1
Category
Single Receive Channels (SRC)

A “Single Receive Channel” CAN Driver supports one CAN
channel.)
Multiple Receive Channel (MRC)

A "Multiple Receive Channel" CAN Driver is typically
extended for multiple channels by adding an index to the
function parameter list (e.g. CanOnline() becomes
CanOnline(channel)) or by using the handle as a
channel indicator (e.g. CanTransmit(txHandle)).
Table 9-1   API Category

9.2
RSCAN ECC Configuration
In  context  of  the  RSCAN  ECC  feature  the  application  has  to  provide  following  call-back
function (see section 7.2.8 further information).

ApplCanEccConfiguration
Prototype
Single Receive Channel
void ApplCanEccConfiguration (void)
Multiple Receive Channel
void ApplCanEccConfiguration (void)
Parameter
-
-
Return code
-
-
Functional Description
This function is called by CanInitPowerOn() to allow the configuration of the RSCAN ECC functionality.
Particularities and Limitations
Only required if C_ENABLE_ECC_CALLOUT is defined.

2015, Vector Informatik GmbH
Version: 1.08.00
25 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

9.3
(Extended) CAN RAM Check

In context of the CAN RAM check feature the application has to provide following call-back
functions (see sections 7.2.6 and 7.2.7 for further information).

ApplCanMemCheckFailed
Prototype
Single Receive Channel
vuint8 ApplCanMemCheckFailed (void)
Multiple Receive Channel
vuint8 ApplCanMemCheckFailed (CanChannelHandle channel)
Parameter
This parameter specifies the CAN channel on which the memory check is
CanChannelHandle channel
performed.
Return code
vuint8
kCanEnableCommunication – Allow communication (see note in
“Particularities and Limitations”).
kCanDisableCommunication – Disable communication, no reception and
no transmission is performed.
Functional Description
This call-back function is invoked within CanInit() if the CAN driver has found at least one corrupt bit
within the CAN mailboxes RAM or (if extended CAN RAM check is enabled) at least one corrupt bit within
the channel control registers RAM. The application can decide whether the CAN driver allows further
communication by means of the return value.
Particularities and Limitations
Call context: If the feature Extended CAN RAM check is deactivated this function is called on task level or
within the BusOff interrupt; else only on task level.
Configuration: Required if the following setting is active:
C_ENABLE_CAN_RAM_CHECK
Important note: If the optional feature “Extended CAN RAM check” is activated
(C_ENABLE_CAN_RAM_CHECK_EXTENDED is defined) and the registers RAM check failed (call-back
function ApplCanCorruptRegisters() was called for the given channel), the communication on the
channel will be disabled, the CAN cell stays in stop mode and the return value of this function is ignored –
the communication will NOT be allowed even if the return value is kCanEnableCommunication.

2015, Vector Informatik GmbH
Version: 1.08.00
26 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

ApplCanCorruptMailbox
Prototype
Single Receive Channel
void ApplCanCorruptMailbox (CanObjectHandle hwObjHandle)
Multiple Receive Channel
void ApplCanCorruptMailbox (CanChannelHandle channel,
CanObjectHandle hwObjHandle)

      CanObjectHandle hwObjHandle )
Parameter
This parameter specifies the CAN channel on which the memory check is
CanChannelHandle channel
performed.
This parameter specifies the index of the corrupt mailbox.
CanObjectHandle

hwObjHandle
Return code
-
-
Functional Description
This function is called within CanInit() if the CAN driver has found a corrupt mailbox.
Particularities and Limitations
Call context: If the feature “Extended CAN RAM check” is deactivated this function is called on task level or
within the BusOff interrupt; else only on task level.
Configuration: Required if the following settings are active:
C_ENABLE_CAN_RAM_CHECK
C_ENABLE_NOTIFY_CORRUPT_MAILBOX

In case the feature extended CAN RAM check is enabled the following additional call-back
functions have to be provided by the application.

ApplCanCorruptRegisters
Prototype
Single Receive Channel
void ApplCanCorruptRegisters (void)
Multiple Receive Channel
void ApplCanCorruptRegisters (CanChannelHandle channel)
Parameter
This parameter specifies the CAN channel on which the memory check is
CanChannelHandle channel
performed.
Return code
-
-
Functional Description
This function is called if the CAN driver has found corrupt channel control registers.
Particularities and Limitations
Call context: This function is called out of task level within CanInit() on the given channel if the RAM
check is not suppressed. The RAM check is suppressed if CanInit() is called in scope of the functions
CanResetBusOffEnd()or (dependent on parameter) CanEnableChannelCommunication().
Configuration: Required if the following settings are active:
C_ENABLE_CAN_RAM_CHECK
C_ENABLE_CAN_RAM_CHECK_EXTENDED

2015, Vector Informatik GmbH
Version: 1.08.00
27 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

ApplCanGlobalMemCheckFailed
Prototype
Single Receive Channel
vuint8 ApplCanGlobalMemCheckFailed (void)
Multiple Receive Channel
vuint8 ApplCanGlobalMemCheckFailed (void)
Parameter
-
-
Return code
vuint8
kCanEnableCommunication – Continue initialization of the RSCAN.
kCanDisableCommunication – Stop initialization of the RSCAN.
Functional Description
This call-back function is invoked if the CAN driver has found at least one corrupt bit within the global control
registers RAM in context of the extended CAN RAM check or if any corrupt bit was found in context of the
RSCAN RAM test (see section 7.2.9). The application can decide whether the CAN driver proceeds with the
RSCAN initialization by means of the return value.
Particularities and Limitations
Call context: This function is called out of task level within CanInitPowerOn().
Configuration: Required if the following settings are active:
C_ENABLE_CAN_RAM_CHECK
C_ENABLE_CAN_RAM_CHECK_EXTENDED
or
C_ENABLE_CAN_HW_RAM_CHECK
Important note: Be aware of undefined runtime behavior if kCanEnableCommunication is returned as
the driver tries to initialize and communicate despite corrupt RAM was found. The application has to verify
the system in this case.

2015, Vector Informatik GmbH
Version: 1.08.00
28 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

The following service functions are provided by the driver in context of the extended CAN
RAM check feature.

CanEnableChannelCommunication
Prototype
Single Receive Channel
void CanEnableChannelCommunication (vuint8 suppressRamCheck)
void CanEnableChannelCommunication (CanChannelHandle channel,
Multiple Receive Channel
vuint8 suppressRamCheck)
Parameter
This parameter specifies the CAN channel that shall be re
CanChannelHandle channel
-enabled.
vuint8 suppressRamCheck
kCanTrue – RAM check will be suppressed while re-enabling the
communication on the channel.
kCanFalse – RAM check will be performed while re-enabling the
communication on the channel
Return code
-
-
Functional Description
The function re-enables the channel communication if it was disabled previously. It calls CanInit()
internally but all eventually disabled mailboxes stay disabled. If the RAM check is not suppressed it can fail
again and the appropriate call-back function is invoked in this case.
Particularities and Limitations
Restriction: Same restrictions as for a call of CanInit() apply.
Call context: This function is called by the application.
Configuration: Available if the following settings are active:
C_ENABLE_CAN_RAM_CHECK
C_ENABLE_CAN_RAM_CHECK_EXTENDED

2015, Vector Informatik GmbH
Version: 1.08.00
29 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

CanEnableMailboxCommunication
Prototype
Single Receive Channel
vuint8 CanEnableMailboxCommunication (CanObjectHandle

hwObjHandle)
Multiple Receive Channel
vuint8 CanEnableMailboxCommunication (CanChannelHandle channel,

CanObjectHandle hwObjHandle)
Parameter
This parameter specifies the CAN channel for which the mailbox shall be
CanChannelHandle channel
re-enabled.
The index of the mailbox to be re
CanObjectHandle
-enabled.
hwObjHandle
Return code
vuint8
kCanOk - Mailbox communication was re-enabled.
kCanFailed - Enabling of mailbox communication failed: hwObjHandle is
not a valid Tx mailbox, the mailbox was not disabled previously or the
communication on the channel is still disabled.
Functional Description
The function re-enables the mailbox communication that was disabled previously by the extended CAN
RAM check. Note that the mailbox RAM check is not performed in scope of this function call - the
application must guarantee that the mailbox is not corrupt.
Particularities and Limitations
Call context: This function is called by the application.
Configuration: Available if the following settings are active:
C_ENABLE_CAN_RAM_CHECK
C_ENABLE_CAN_RAM_CHECK_EXTENDED

2015, Vector Informatik GmbH
Version: 1.08.00
30 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

9.4
External CAN Interrupt Handling
These  call-back  functions  are  invoked  if  the  driver  does  not  perform  the  CAN  interrupt
handling. See section 10.3 for details.

ApplCanWriteIcr8
Prototype
Single Receive Channel
void ApplCanWriteIcr8 (vuint32 address, vuint8 value)
Multiple Receive Channel
void ApplCanWriteIcr8 (vuint32 address, vuint8 value)
Parameter
This parameter specifies the memory address the function has to write to.
vuint32 address
It is always part of the interrupt controller address space.
vuint8 value
This parameter specifies the value the function has to write.
Return code
-
-
Functional Description
This call-back is invoked by several driver functions and has to write one byte with the given value to the
given address.
Particularities and Limitations
Only required if C_ENABLE_INTC_ACCESS_BY_APPL is defined.
Always perform a byte access. The function has to be synchronous.

ApplCanReadIcr8
Prototype
Single Receive Channel
vuint8 ApplCanReadIcr8 (vuint32 address)
Multiple Receive Channel
vuint8 ApplCanReadIcr8 (vuint32 address)
Parameter
This parameter specifies the memory address the function has to read
vuint32 address
from. It is always part of the interrupt controller address space.
Return code
vuint8
The value that was read from the given address.
Functional Description
This call-back is invoked by several driver functions and has to read and return one byte from the given
address.
Particularities and Limitations
Only required if C_ENABLE_INTC_ACCESS_BY_APPL is defined.
Always perform a byte access. The function has to be synchronous.

2015, Vector Informatik GmbH
Version: 1.08.00
31 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

OsCanCanInterruptDisable
Prototype
Single Receive Channel
void OsCanCanInterruptDisable (void)
Multiple Receive Channel
void OsCanCanInterruptDisable (CanChannelHandle channel)
Parameter
This parameter specifies the logical CAN channel for which the interrupts
CanChannelHandle channel
shall be disabled.
Return code
-
-
Functional Description
This function is called by CanCanInterruptDisable() and has to disable the CAN interrupts on the
given channel.
Particularities and Limitations
Only required if C_ENABLE_OSEK_CAN_INTCTRL is defined.

OsCanCanInterruptRestore
Prototype
Single Receive Channel
void OsCanCanInterruptRestore (void)
Multiple Receive Channel
void OsCanCanInterruptRestore (CanChannelHandle channel)
Parameter
This parameter specifies the logical CAN channel for which the interrupts
CanChannelHandle channel
shall be restored.
Return code
-
-
Functional Description
This function is called by CanCanInterruptRestore() and has to restore the CAN interrupts on the
given channel.
Particularities and Limitations
Only required if C_ENABLE_OSEK_CAN_INTCTRL is defined.

2015, Vector Informatik GmbH
Version: 1.08.00
32 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

ApplCanWakeupInterruptDisable
Prototype
Single Receive Channel
void ApplCanWakeupInterruptDisable (vuint8 channel)
Multiple Receive Channel
void ApplCanWakeupInterruptDisable (vuint8 channel)
Parameter
This parameter specifies the logical CAN channel for which the wakeup
vuint8 channel
interrupt shall be disabled.
Return code
-
-
Functional Description
This function is called by CanWakeup() and CanInit() and has to disable the wakeup interrupt on
the given channel.
Particularities and Limitations
Only required if C_ENABLE_OSEK_CAN_INTCTRL and C_ENABLE_SLEEP_WAKEUP are defined and the
external wakeup is used.

ApplCanWakeupInterruptEnable
Prototype
Single Receive Channel
void ApplCanWakeupInterruptEnable (vuint8 channel)
Multiple Receive Channel
void ApplCanWakeupInterruptEnable (vuint8 channel)
Parameter
This parameter specifies the logical CAN channel for which the wakeup
vuint8 channel
interrupt shall be enabled.
Return code
-
-
Functional Description
This function is called by CanSleep() and has to enable the wakeup interrupt on the given channel.
Particularities and Limitations
Only required if C_ENABLE_OSEK_CAN_INTCTRL and C_ENABLE_SLEEP_WAKEUP are defined and the
external wakeup is used.

2015, Vector Informatik GmbH
Version: 1.08.00
33 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

ApplCanWakeupOccurred
Prototype
Single Receive Channel
vuint8 ApplCanWakeupOccurred (vuint8 channel)
Multiple Receive Channel
vuint8 ApplCanWakeupOccurred (vuint8 channel)
Parameter
This parameter specifies the logical CAN channel to check for a wakeup
vuint8 channel
occurrence.
Return code
CAN_NOT_OK: If no wakeup occurred on this channel
vuint8
CAN_OK: If a wakeup occurred on this channel
Functional Description
This function is called by CanWakeupTask() and has to check for a wakeup event on the given
channel.
Particularities and Limitations
Only required if C_ENABLE_OSEK_CAN_INTCTRL, C_ENABLE_SLEEP_WAKEUP and
C_ENABLE_WAKEUP_POLLING are defined and the external wakeup is used.

2015, Vector Informatik GmbH
Version: 1.08.00
34 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

10  Implementations Hints
10.1  Important Notes
1.  The  following  condition  will  lead  to  an  endless  recursion  in  the  CAN  Driver:
Recursive  call  of  'CanTransmit'  within  a  confirmation  routine,  if  the  CAN  Driver  has
been set into the passive state by CanSetPassive. Recommendations are:
>  NO CALL OF CanTransmit WITHIN CONFIRMATION-ROUTINES
>  PLEASE USE CanSetPassive ONLY ACCORDING TO THE DESCRIPTION

2.  Only  the  transmit  line  of  the  CAN  Driver  is  blocked  by  the  functions  CanOffline().
However, messages in the transmit buffer of the CAN-Chip, are still sent. For a reliable
prevention  of  this  fact,  call  function  CanInit()  after  calling  CanOffline().  The
order of the two function calls is urgently required, due to the fact, that CanInit() is
only allowed in offline mode.
3.  If the VStdLib interrupt-lock-level is used, the chosen priority level must be higher than
the  highest  level  of  any  functionality  of  the  CAN  Driver  (signal  access,  etc).  Keep  in
mind that smaller values represent higher priorities.
4.  Resetting  indication  flags  and  confirmation  flags  is  done  by  Read-Modify-Write.  The
application  is  responsible  for  consistency.  CanGlobalInterruptDisable()  and
CanGlobalInterruptRestore()  must  be  called  to  avoid  interruption  by  the  CAN.
Otherwise confirmations or indications can be lost.
5.  Port and general clock settings are not handled by the driver. This has to be performed
by  the  upper  layers  before  the  call  of  CanInitPowerOn().  Please  check  the
appropriate hardware manual of the used derivative for details regarding the hardware
specific  configuration  aspects.  The  CAN  clock  (fCAN)  for  baudrate  generation  can  be
selected via the configuration tool; refer to section 11.1.2.
6.  If  external  wakeup  support  is  used  the  port  configuration  (performed  by  the  upper
layers) has to be extended. Besides setting the correct port functions for CAN it has to
be  ensured  that  this  function  is  combined  with  the  respective  external  interrupt.
Additionally the edge/level detection has to be configured correctly to generate interrupt
requests  upon  detection  of  CAN  events  (e.g.  on  low  level  or  falling  edges)  on  the
corresponding  pins  (see  the  hardware  manual  for  details;  refer  to  the  filter  control
register for instance). If the external wakeup is used the control registers of the external
interrupts are also fully handled by the CAN driver in default configuration.
7.  When using GreenHills, IAR or Renesas compiler the ID bit of the PSW is cleared by
software when any category 1 interrupt service routine of the CAN driver is entered to
allow  nesting  of  interrupts.  For  other  compilers  the  default  platform  behavior  is  not
modified (the ID bit stays set) and the acknowledgement of further interrupt requests is
blocked when any driver ISR is processed. This default driver behavior for category 1
interrupts  can  be  changed  by  definition  of  C_DISABLE_NESTED_INTERRUPTS
respectively C_ENABLE_NESTED_INTERRUPTS via the user configuration file. Keep in
mind that enabling the feature is redundant if the compiler inserts code to allow nesting
of interrupts in general and always verify that the compiler generates correct code if the
feature is enabled.
2015, Vector Informatik GmbH
Version: 1.08.00
35 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

10.2  Interrupt Configuration
With  exception  of  the  CAN  related  EI  level  interrupt  control  registers  (ICn,  see  section
7.2.3) all further interrupt configuration within the interrupt controller address space of the
MCU has to be performed by the application before the call of CanInitPoweron().
The  default  implementation  configures  table  reference  as  the  way  to  determine  the
interrupt  vector  (TB  bit  in  ICn  registers  is  set).  The  application  has  to  take  care  about
referencing the CAN interrupt service routines in the interrupt vector table - the prototypes
are  exported in  the driver header file.  Please check the appropriate hardware  manual of
the used derivative for details regarding the hardware specific configuration aspects. Table
10-1 shows the provided  ISRs and the accordant interrupt  sources (n is the index of the
physical  channel).  Please  note  that  it  is  configuration  dependent  whether  a  particular
interrupt service routine is available (see remarks in table).

CAN interrupt
CAN interrupt
Provided service  Remarks
request name
request cause
routine
CAN RX FIFO
Used for BasicCAN reception if ‘Rx
INTRCANGRECC  interrupt
CanIsrRxFifo
BasicCan Polling’ is not enabled or

‘Individual Polling’ is configured.
CAN global error
INTRCANGERR
Used for Rx BasicCAN overrun if ‘Error

interrupt
CanIsrGlobalStatus

Polling’ is not enabled.
Used for transmission on physical
INTRCANnTRX
CANn TX interrupt
CanIsrTx_n
channel n if ‘Tx Polling’ is not enabled
or ‘Individual Polling’ is configured.
CANn TX/RX  FIFO
INTRCANnREC
RX complete interrupt -
This interrupt is not used.

Used for BusOff detection on physical
INTRCANnERR
CANn error interrupt
CanIsrStatus_n
channel n if ‘Error Polling’ is not
enabled.
Used for wakeup detection on physical
External interrupt
channel n if the Sleep/Wakeup
INTPm

(see chapter 4)
CanIsrWakeup_n
functionality is enabled, the external

wakeup is used and ‘Wakeup Polling’ is
not enabled.
Table 10-1   Interrupt Service Routines
If the INTC shall implement direct jumps to an address determined by the interrupt priority
level  (instead  of  table  reference)  the  switch  C_ENABLE_DIRECT_INTERRUPT_BRANCH
has to be defined via the user configuration file. (This setting affects the TB bit in the ICn
registers.) In this case the application has to implement a common service routine for all
CAN interrupts and jump to it from the corresponding address (refer to  hardware manual
for configuration aspects).
See below an implementation example for GreenHills compiler and a full interrupt system
with disabled Sleep/Wakeup functionality that uses physical channels 1 and 4; also refer to
the information in table 10-1 about the presence of the individual CAN interrupt functions.
Each driver routine must not be called if the CAN interrupts for the corresponding channel
(respectively  any  CAN  channel  for  the  global  handlers)  are  currently  disabled.  This  is
especially relevant if more than one channel is used or other interrupt sources also call the
common service routine. In general it is recommended to check the status of the MK bit in
2015, Vector Informatik GmbH
Version: 1.08.00
36 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

the  ICn  register  of  each  CAN  interrupt  source  before  invoking  the  corresponding  driver
routine as these bits directly indicate the status of the CAN interrupt lock mechanism. Any
driver routine may only be called if the corresponding interrupt source is enabled (MK bit
== 0). These actions may differ if the application handles the CAN interrupt disable/restore
mechanism (see section 10.3 below), but the requirements above must always be met.  If
the feature “Multiple Configurations” is used only functions corresponding to channels that
are used in the active identity should be called.

#pragma ghs interrupt
void CommonIsr_Prio_x ( void )
{
  /* handling for other interrupts that are assigned to
this priority and not handled by table reference */

  /* CAN interrupts */
  if (MK bit of INTRCANGRECC == 0) CanIsrRxFifo();
  if (MK bit of INTRCANGERR == 0) CanIsrGlobalStatus();
  if (MK bit of INTRCAN1ERR == 0) CanIsrStatus_1();
  if (MK bit of INTRCAN1TRX == 0) CanIsrTx_1();
  if (MK bit of INTRCAN4ERR == 0) CanIsrStatus_4();
  if (MK bit of INTRCAN4TRX == 0) CanIsrTx_4();

  /* handling for other interrupts that are assigned to
this priority and not handled by table reference */
}

Since  the  common  service  routine  is  already  qualified  as  an  ISR  to  the  compiler,  the
individual CAN interrupt routines have to be configured as void-void functions if this variant
is used. Therefore the switch C_ENABLE_ISRVOID additionally has to be defined via the
user configuration file (if category 1 CAN interrupts are used).

Caution
The  driver  performs  no  measures  to  ensure  the  correct  functionality  of  the  CAN
  interrupt disable/restore mechanism if it is bypassed by the common interrupt handler
when  C_ENABLE_DIRECT_INTERRUPT_BRANCH  is  defined.  Therefore  the  usage  of
this switch in not recommended in general and should only be defined if table reference
is not possible at all.

10.2.1  Configuration of Interrupt Vectors with IAR compiler
Instead  of a  manual  initialization  of  the  interrupt  vector  table  it  is  possible  to  let  the  IAR
compiler  set  up  the  table  by  using  the  #pragma  vector=xx  directive  (only  for  category  1
interrupts). This feature  can  be  enabled  via  the  user  configuration  file  by  defining  the  EI
level  interrupt  number  for  each  used  CAN  interrupt.  The  names  of  these  defines  are
derived from the corresponding ISR names.
See below an example for a full interrupt system with external wakeup support that uses
physical channels 2 and 5. Refer to the information in table 10-1 about the presence of the
individual CAN interrupt functions.

2015, Vector Informatik GmbH
Version: 1.08.00
37 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

#define C_CANISRRXFIFO_VECTOR         15
#define C_CANISRGLOBALSTATUS_VECTOR  14
#define C_CANISRTX_VECTOR_2           211
#define C_CANISRSTATUS_VECTOR_2       209
#define C_CANISRWAKEUP_VECTOR_2       31
#define C_CANISRTX_VECTOR_5           281
#define C_CANISRSTATUS_VECTOR_5       279
#define C_CANISRWAKEUP_VECTOR_5       36

Caution
This is an example and the necessary defines depend on the actual configuration. The
  interrupt numbers depend on the selected derivative; refer to the hardware manual to
get the respective values.

10.3  External CAN Interrupt Handling
There are several solutions if accesses to the EI level interrupt control registers (ICn) are
not possible or allowed for the driver (reasons may be restricted operating modes, memory
protection, bus guard functionalities or similar).
10.3.1  Hardware Access by Call-Back Functions
If the switch C_ENABLE_INTC_ACCESS_BY_APPL is defined via the user configuration file
the  driver  implementation  is  still  used  to  initialize  and  modify  all  ICn  as  described  in  the
previous sections, but all actual read and write accesses to the interrupt control registers
have to be performed by call-back functions.
The functions ApplCanWriteIcr8() and ApplCanReadIcr8() (see section 9.4 for the
API  definitions)  are  always  invoked  when  accessing  registers  of  the  interrupt  controller
(other  peripherals  are  not  accessed  by  the  driver).  These  functions  have  to  be
implemented by the application and perform the hardware access including any unlocking
mechanisms,  checks  for  the  given  addresses  or  similar.  It  is  expected  by  the  driver  that
every access is synchronous and always successfully performed.

Caution
An exclusive write access to the ICn as stated in the previous sections still has to be
  guaranteed.  If  any  access  is  not  successfully  performed  when  these  functions  are
called,  the  driver  has  to  be  re-initialized  by  calling  CanInitPowerOn()  as  correct
behavior cannot be ensured.

10.3.2  Interrupt Control by Application
If  an  exclusive  write  access  to the  CAN  related  ICn  is  not  possible  or  the  internal driver
mechanisms
that  are
described
above
are
not  applicable,
the
switch
C_ENABLE_OSEK_CAN_INTCTRL  can  be  defined  via  the  user  configuration  file.  In  this
case the application has to ensure proper initialization, disabling and restoring of the CAN
interrupt sources as the driver provides no support for these tasks at all. The registers of
the interrupt controller are never accessed by the driver.
2015, Vector Informatik GmbH
Version: 1.08.00
38 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

If  this  switch  is  defined  the  application  additionally  has  to  perform  the  initialization  of  all
necessary ICn before the call of CanInitPowerOn(). All used sources (see remarks in
table  10-1)  have  to  be  enabled  after  initialization  whereas  unused  sources  have  to  be
disabled.
In  context  of  the  CAN  interrupt  disable/restore  mechanism  the  driver  implements
application  call-back  functions  that  are  used  whenever  CanCanInterruptDisable()
or  CanCanInterruptRestore()  are  invoked  by  the  program  (see  section  9.4  for  the
API definitions). Suggestion is that the function OsCanCanInterruptDisable() saves
the value of the MK bit of the ICn of all used CAN interrupt sources that are linked to the
given  logical  channel  and  then  sets  these  MK  bits  to  1  in  order  to  disable  the  sources.
OsCanCanInterruptRestore()  should  restore  the  value  of  the  previously  saved  MK
bits for the given logical channel. Keep in mind that the right physical channel has to be
chosen based on the given logical channel (to get the right ICn) and that the receive FIFO
and global status interrupt are used by all channels, hence they should be disabled as long
as any channel’s interrupts are disabled.
If the Sleep/Wakeup functionality is enabled and the external wakeup is used please note
that the external wakeup interrupts always have to be disabled after initialization as these
sources are only enabled on demand. Also additional application call-back functions (see
section 9.4 for the API definitions) are invoked by the driver. This is relevant for interrupt
and polling systems as the external interrupt request flag has to be cleared independently
of the interrupt configuration.
ApplCanWakeupInterruptEnable()  is  always  invoked  in  context  of  CanSleep().
This function first has to clear the external interrupt request flag in the  corresponding ICn
and  then  –  only  if  wakeup  detection  is  performed  by  interrupts  –  enable  the  external
interrupt.  Keep  in  mind  that  depending  on  the  current  status  of  the  CAN  interrupt
disable/restore mechanism this has to be performed either by clearing the corresponding
mask bit in the respective hardware register or in the mask status that was saved by the
function  OsCanCanInterruptDisable().  ApplCanWakeupInterruptDisable()  is
only  invoked  if  wakeup  detection  is  performed  by  interrupts  in  context  of  CanWakeup(),
respectively  the  external  wakeup  handling,  and  in  CanInit().  This  function  has  to
disable the interrupt, depending on the current status of the CAN interrupt disable/restore
mechanism either by setting the corresponding mask bit in the hardware register or in the
saved  mask  status.  ApplCanWakeupOccurred()  is  called  in  context  of  the  function
CanWakeupTask() to check for the occurrence of a wakeup event (i.e. the presence of
the interrupt request flag) if the detection is performed by polling.
The implementation may differ but all CAN interrupts for the corresponding channel have
to  be  disabled  after  the  first  call  (keep  in  mind  that  nested  calls  can  occur)  of
OsCanCanInterruptDisable()  and  stay  disabled  until  the  last  nested  call  of
OsCanCanInterruptRestore()  that  has  to  restore  the  previous  interrupt  state.
ApplCanWakeupInterruptEnable()  and  ApplCanInterruptDisable()  have  to
enable and disable the wakeup interrupt for one channel but must not violate the general
CAN interrupt disable/restore mechanism. It is also important to clear the wakeup interrupt
request  flag  within  ApplCanWakeupInterruptEnable().  The  application  additionally
has to handle possible concurrent accesses to the ICn and ensure that those accesses do
not violate the conditions above.

2015, Vector Informatik GmbH
Version: 1.08.00
39 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Caution
The  definition  of  C_ENABLE_INTC_ACCESS_BY_APPL  is  recommended  if  interrupt
  control registers cannot be accessed by the driver. If C_ENABLE_OSEK_CAN_INTCTRL
is defined the driver performs no measures to ensure consistency of the interrupt lock
mechanism. Additionally the application has to ensure correct concurrent accesses to
the  ICn  and  has  to  handle  nested  calls  of  OsCanCanInterruptDisable()  and
OsCanCanInterruptRestore().  Therefore  the  usage  of  this  switch  is  not
recommended in general and should only be defined if the internal driver mechanisms
or the definition of C_ENABLE_INTC_ACCESS_BY_APPL are not possible at all.

2015, Vector Informatik GmbH
Version: 1.08.00
40 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

11  Configuration
11.1  Configuration by GENy
The  driver  is  configured  with  the  help  of  the  configuration  tool  GENy.  This  section
describes  the  configuration  of  the  driver  specific  aspects.  The  configuration  options
common to all CAN drivers are described in TechnicalReference_CANDriver.pdf.

Note
To get further information please refer to the online help of the generation tool.

11.1.1  Platform Settings

Figure 11-1  GENy Platform Settings
Attribute
Supported
Description
Values
Preconfiguration

Select the pre-configuration file to use.
Micro
Hw_Rh850Cpu
Select the target platform.
Derivative
See Table 2-1
Select the specific derivative group.
Compiler
See Table 2-1
Select the used compiler.
Table 11-1   GENy Platform Settings

2015, Vector Informatik GmbH
Version: 1.08.00
41 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

11.1.2  Component Settings

Figure 11-2  GENy Component Settings
Attribute
Supported
Description
Values
CAN Interface
RSCAN,
Select the CAN interface that is incorporated by the used
RSCAN_FD
derivative - see the HW manual for information. This selection
is independent of the actual CAN-FD usage as the driver has
to handle general hardware differences for both variants.
Maximum number of
1 - 8
Enter the maximum number of physical CAN channels that
CAN channels
are supported by the used RSCAN unit of the actual
derivative. This value is independent from the number of
channels in the configuration but used to determine the
available hardware resources. Only if this value is correct the
tool can ensure valid configurations for the actual derivative.
Depending on the selected derivative not all values may be
available.
CAN external clock
true,
Enable this attribute to use the external clock input
source
false
(clk_xincan) as CAN clock (fCAN). If the attribute is disabled
clkc is used - this is the default selection. (This setting directly
affects the DCS bit in the global configuration register.)
Table 11-2   GENy Component Settings

2015, Vector Informatik GmbH
Version: 1.08.00
42 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

11.1.3  Channel-specific Settings

Figure 11-3  GENy Channel Specific Settings

Caution
The  sum  of  the  shared  buffers  used  to  allocate  the  receive  objects  over  all  channels
  must  not  exceed  (“Maximum  number  of  CAN  channels”    *  64)7.  This  includes  the  Rx
FullCAN  objects  (1  buffer  per  actually  assigned  object;  not  the  value  of  “Rx  FullCAN
object  allocation)  and  the  depth  of  all  Rx  BasicCAN  objects  (individually  configurable
amount of buffers, selected by the attribute “Rx Fifo depth”) on all channels.
The  sum  of  used  acceptance  filters  over  all  channels  must  not  exceed  (“Maximum
number of CAN channels” * 64)7. Each actually assigned Rx FullCAN object uses one
filter  and  each  Rx  BasicCAN  object  uses the  number  of filters  that  is  selected  by the
attribute “Filters per BasicCAN” on the corresponding channel.
The generation tool checks these and other restrictions (e.g. allowed selection for the
attribute “Physical controller”) to ensure valid configurations. Therefore it is mandatory
to enter a valid value for the attribute “Maximum number of CAN channels”7. Refer to
chapter 3 for additional information.


7 Refer to section 11.1.2 for the description of the attribute “Maximum number of CAN channels“.
2015, Vector Informatik GmbH
Version: 1.08.00
43 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

Attribute
Supported
Description
Values
BCFG
register value
The value for the Channel Configuration Register.
Acceptance Filter
-
Opens the acceptance filter dialog, see section 11.1.3.1. If
Configuration
several init structures are created this is only possible for the
first structure.
Bustiming
-
Opens the bustiming dialog to determine the value for BCFG,
Configuration
see section 11.1.3.2.
Physical controller
CAN 0 – CAN 7
Select the physical channel you want to assign to this logical
channel. The value is enumerated the same way as referenced
in the hardware manual. Depending on the selected derivative
and configuration of the attribute “Maximum number of CAN
channels” (see section 11.1.2) not all values may be available.
CAN interrupt priority  0 – 15
Select the interrupt priority level of this CAN channel’s interrupts
that are configured if the driver has interrupt control. Depending
on the selected derivative not all levels may be available. See
section 7.2.3 and chapter 10 for further information.
Rx FullCAN object
0 – nRXMBmax
You can configure as many receive FullCAN messages on this
allocation
channel as specified here. This value is used to limit the
selection for manual or automatic configuration - only the
actually arranged FullCAN objects will be configured in
hardware. The value of nRXMBmax equals “Maximum number
of CAN channels” * 16.
Filters per BasicCAN  1 – 128
Select how many acceptance filters will be assigned to each Rx
BasicCAN object on this channel; see section 11.1.3.1 for
details. Depending on the selected derivative not all values may
be available.
Rx Fifo process count  2 – 255
Select the maximum number of pending receive messages that
are processed for each Rx BasicCAN object within one polling
cycle respectively one interrupt occurrence. By adjusting this
value it can be ensured that high FIFO loads will be evenly
processed by the driver. Remaining messages are processed
within the next polling cycle respectively the interrupt of the next
received message on this channel. Select greater values if
overruns occur.
Rx Fifo depth
4, 8, 16, 32,
Individually configure the depth (amount of assigned shared
48, 64, 128
buffers) of every Rx FIFO, that is used as Rx BasicCAN object
on this channel.
Table 11-3   GENy Channel Specific Settings

Note
As  the  RSCAN  has  restrictions  regarding  the  receive  buffers  (e.g.  no  interrupt
  processing,  no  overrun  detection)  also  consider  configurations  without  Rx  FullCAN
objects. The large FIFO sizes and amount of filters that are possible for the BasicCAN
objects  give  similar  advantages  as  the  usage  of  FullCAN  objects.  For  many
configurations  this  can  be  an  alternative  that  above  all  is  more  effective  regarding
runtime and memory usage.

2015, Vector Informatik GmbH
Version: 1.08.00
44 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

11.1.3.1  Acceptance Filter Configuration

Figure 11-4  GENy Acceptance Filter Configuration
Attribute
Supported
Description
Values
Acceptance Filter
representation of
The configured BasicCAN filters are shown. Each ID-bit is
type, mask and
represented by “0/1/X”, meaning must match “0”, “1” or don’t
code
care “X”. The number of filters can be adjusted by the attribute
“Filters per BasicCAN” on the channel view.
Type
standard,
Select if the filter shall apply to standard or extended ID types.
extended
(Based on the database and configuration only one type may
be available.)
Mask / Code
register values
The register values for this filter that will be configured in
hardware.
Open filters
-
Open the filters completely to receive all messages.
Optimize
-
Configure the filters automatically to just receive IDs in the
database if possible. A large number of filters allow better
optimizations, but don’t configure more filters than the
optimization algorithm uses for message distribution.
“Use FullCAN” tries to put as many messages as possible in
FullCAN objects. Select the maximum number of available
objects by adjusting the attribute “Rx FullCAN object
allocation” on the channel view. This is useful when only a few
number of BasicCAN filters are configured for example.
Table 11-4   GENy Acceptance Filter Configuration
2015, Vector Informatik GmbH
Version: 1.08.00
45 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

11.1.3.1.1  Additional information if the feature “Multiple BasicCAN objects” is used
The dialog shows all BasicCAN acceptance filters for the respective channel. The amount
of filters equals the product of configured BasicCAN objects and the number of filters per
BasicCAN.  An  example  configuration  with  3  BasicCAN  objects  and  2  filters  per  object
results in 6 filters as shown in figure 11-5. The first 2 filters (in accordance with the attribute
“Filters per BasicCAN”) are assigned to the first BasicCAN object, the next 2 to the second
BasicCAN object and so on.

Figure 11-5  GENy Acceptance Filter Assignment
Please note that  a received message is stored in  the first  mailbox with a matching filter.
After  an  identifier  was  compared  against  the  FullCAN  filters,  it  is  compared  against  the
BasicCAN filters in the order that is depicted in the dialog. This has to be considered when
the  feature  “Multiple  BasicCAN  objects”  is  used.  If  filter  number  1  in  the  example  from
figure 11-5 was open (all bits “don’t care”), all non FullCAN standard identifiers would be
received by BasicCAN0 and BasicCAN2 would never receive any message.

Note
In  some  “Multiple  BasicCAN”  configurations  it  may  be  useful  to  assign  certain
  BasicCAN  messages  to  specific  hardware  objects  as  the  FIFO  depths  or  “Individual
Polling” settings can be adapted to the actual communication aspects for example. As
the  optimization  algorithms  don’t  consider  this  use  case  the  filters  have  to  be  edited
manually in this case.
Alternatively it is possible to configure and lock only several significant filters and then
use the optimization functionality. But after doing so always check the result because
manually configured filters may not always receive the pre-assigned identifiers as the
message could match an automatically assigned filter that is compared first. Focus on
filters with smaller numbers or add some “dummy filters” for earlier objects to achieve
better results.

2015, Vector Informatik GmbH
Version: 1.08.00
46 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

11.1.3.2  Bustiming Configuration

Figure 11-6  GENy Bustiming Configuration
Attribute
Supported
Description
Values
Clock
CAN clock
Set the clock frequency that is provided to the CAN cell for
baudrate generation (fCAN). Consider the setting of the
attribute “CAN external clock source” (see section 11.1.2).
Baudrate
baudrate
Set the baudrate to be used for this channel.
CAN BTR register
register value
Enter the value for the Channel Configuration Register (see
attribute BCFG in section 11.1.3).
Calculate
-
Calculate possible Channel Configuration Register settings
out of the entered baudrate or vice versa.
CAN_BTR, Sample,
-
Select specific channel configuration register values to adapt
BTL cycles, SJW
the sample point and sync phase to comply with your bus
physics.
Table 11-5   GENy Bustiming Configuration
2015, Vector Informatik GmbH
Version: 1.08.00
47 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

11.2  Manual Configuration
This section describes additional configuration options for special features that can only be
configured via the user configuration file.
  Define  C_DISABLE_NESTED_INTERRUPTS  or  C_ENABLE_NESTED_INTERRUPTS  to
control the nesting of the CAN interrupts. See section 10.1 for further information.
  Define  C_ENABLE_DIRECT_INTERRUPT_BRANCH  (and  if  needed  additionally
C_ENABLE_ISRVOID)  to  deactivate  table  reference  as  the  method  to  handle  CAN
interrupts. See section 10.2 for further information.
  Define  C_ENABLE_INTC_ACCESS_BY_APPL  or  C_ENABLE_OSEK_CAN_INTCTRL  to
prohibit  read  and  write  accesses  within  the  interrupt  controller  address  space.  See
section 10.3 for further information.
  Define C_ENABLE_EXTERNAL_WAKEUP_SUPPRESSION to disable the external wakeup
functionality. See chapter 4 for further information.
  See sections 7.2.6 to 7.2.9 for options that control different RAM test features.
  See  section  10.2.1  for  information  on  how  to  set  up  the  interrupt  vector  table  when
using IAR compiler.
2015, Vector Informatik GmbH
Version: 1.08.00
48 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

12  Known Issues / Limitations
1.  Due  to  hardware  limitations  the  feature  CAN  RAM  check  is  not  supported  for  receive
mailboxes (no write access is possible for these objects).
2.  Due to hardware limitations receive FullCANs cannot be processed in interrupt context
and no overruns can be detected for these objects.
3.  With  default  configuration  the  driver  needs  exclusive  write  access  to  all  EI  level
interrupt control registers (ICn) that are related to a CAN interrupt source (see section
7.2.3 and chapter 10 for further information.).
4.  Refer  to  chapter  4  for  restrictions  when  using  the  Sleep/Wakeup  functionality.
Additionally the global stop mode of the RSCAN is not supported.
5.  When using multiple initialization structures no multiple acceptance filter configurations
are  supported  by  the  driver.  The  filter  settings  are  always  derived  from  the  first
structure. Use several structures only to arrange multiple baudrate configurations.
6.  When using the feature Multiple ECU Configurations it is not supported to use a logical
channel in more than one identity. The only exception is the first logical channel which
can be present in any identity if it is also mapped to the physical channel CAN0. This
limitation  does  not  apply  to  the  usage  of  physical  channels:  Every  available  physical
channel can be used in any identity and the same physical channel can be used in as
many identities as needed (if it is referenced by different logical channels).
7.  For  derivatives  that  incorporate  multiple  RSCAN  units  only  the  first  one  (RSCAN0)  is
supported by the driver.

For  latest  information  about  issues  or  limitations  of  the  actually  used  derivative  please
contact the hardware manufacturer.

2015, Vector Informatik GmbH
Version: 1.08.00
49 /50
based on template version 3.2

Vector CAN Driver Technical Reference RH850 RSCAN

13  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 1.08.00
50 /50
based on template version 3.2

Document Outline

2.9 - UserManual_CanDriver

User Manual

2.10 - UserManual_CanDriver_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56

2.11 - UserManual_CanDrivers

Vector CAN Driver
User Manual
(Your First Steps)

Version 2.4

Vector Informatik GmbH, Ingersheimer Str. 24, 70499 Stuttgart
Tel. 0711/80670-0, Fax 0711/80670-399, Email can@vector-informatik.de
Internet http:\\www.vector-informatik.de

User Manual Vector CAN Driver

2 / 56

Higher layer components
CAN Driver
CAN Controller
Transceiver
CAN
Message Transmission - Reception

Authors: Klaus Emmert
Version:
2.4
Status:
released (in preparation/completed/inspected/released)

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

3 / 56
History
Author
Date
Version
Remarks
Klaus Emmert
2001-05-11
0.1
First version of the User Manual
Klaus Emmert
2001-08-11
0.4
Technical and linguistic revision
Klaus Emmert
2001-09.21
0.6
Revision (pretransmit)
Klaus Emmert
2001-10-10
0.6a
Error in description of a mes-
sage, how to enter the manufac-
turer type to the example data
base.
Klaus Emmert
2001-12-14
1.0
Linguistic revision
Klaus Emmert
2002-09-25
1.4
Linguistic corrections and little
adaptations
Klaus Emmert
2003-07-16
1.5
Warning added for example code
usage
Klaus Emmert
2004-10-26
1.6
New Layout, example dbc file
deleted and description modified,
description for CANgen and the
new Generation Tool GENy, new
Symbols
Klaus Emmert
2006-05-30
1.7
Updated dialog for bus timing
register setup
Klaus Emmert
2006-09-08
1.8
Page number of Index, headline
numbering
Klaus Emmert
2007-02-20
1.9
Issues in Word Hyperlinks
Klaus Emmert
2007-07-26
2.0
Issues in steps introduction,
some typos.
Klaus Emmert
2007-09-06
2.1
Typos and reference in TOC
Klaus Emmert
2007-10-29
2.2
Baudrate setting description
Klaus Emmert
2008-09-04
2.3
Include file for CAN Driver and
GENy
Klaus Emmert
2009-08-26
2.4
Fix: v_inc.h must not be changed
manually.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

4 / 56
Motivation For This Work
The CAN Driver is the only component among the CANbedded Software Compo-
nents that is directly connected with the CAN Controller hardware. It is the founda-
tion for all other CANbedded Software Components.
The first target for you is to get the CAN Driver running, to see receive and transmit
messages on the bus.

WARNING
All application code in any of the Vector User Manuals is for training pur-
poses only. They are slightly tested and designed to understand the basic
idea of using a certain component or a set of components.

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

8 /  56
1  Welcome to the CAN Driver User Manual
1.1
Beginners with the CAN Driver start here ?
You need some information about this document?
  Æ see Chapter 2
Getting started                                                   Æ see Chapter 3
9 Steps for the CAN Driver                                      Æ see Chapter 6

1.2
For Advanced Users
Start reading here.                                              Æ see Chapter 5


1.3
Special topics
Strategies for receiving a CAN message                       Æ see Chapter 6.9.1
Strategies for sending a CAN message                        Æ see Chapter 6.9.2
An exercise                                                      Æ see Chapter 7.1

1.4
Documents this one refers to…
TechnicalReference_CANDriver.pdf
TechnicalReference_CAN_xxx.pdf

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

9 / 56
2 About This Document
This document gives you an understanding of the CAN Driver. You will receive
general information, a step-by-step tutorial on how to include and use the function-
alities of the CAN Driver.
For more detailed information about the CAN Driver and its API refer to the Technical
Reference (TechnicalReference_CANDriver.pdf) and the hardware specific refer-
ences TechnicalReference_CAN_xxx.pdf (e.g. TechnicalReference_CAN_HC12.pdf).
2.1
How This Documentation Is Set-Up
Chapter
Content
Chapter 1
The welcome page is to navigate in the document. The main parts of the document
can be accessed from here via hyperlinks.
Chapter 2
It contains some formal information about this document, an explanation of legends
and symbols.
Chapter 3
An introduction to the files, the tools and information necessary to understand the
descriptions in the following chapters.
Chapter 4
Here you find some more insight in the CAN Driver about receiving and transmitting
messages, the CAN controllers and the data structure.
Chapter 5
A step-by-step guide to establish CAN communication on an ECU for the first time.
Follow the 9 steps to get the answer to most of your questions and problems..
Chapter 6
Here you find a problem to solve to check your understanding of the CAN Driver and
its functions.
Chapter 7
In this last chapter there is a list of experiences with the CAN Driver.

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

10 / 56
2.2
Legend and Explanation of Symbols
You find these symbols at the right side of the document. They indicate special ar-
eas in the text. Here is a list of their meaning.
These areas
to the right of
Symbol
Meaning
the text
contain brief
items of
The building bricks mark examples.
information
that will

facilitate your
search for
Comm
ents
You will find key words and information in short sentences in the margin. This will
and
specific
explanati-
greatly simplify your search for topics.
topics.
The footprints will lead you through the steps until you can use the described Vector
CAN Driver.

There is something you should take care about.

Useful and additional information is displayed in areas with this symbol.

This file you are allowed to edit on demand.

This file you must not edit at all.

This indicates an area dealing with frequently asked questions (FAQ).

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

11 / 56
3 ECUs and Vector CANbedded Components – An Overall View
3.1
Network Data Base File (DBC)
Normally the different ECUs in a modern vehicle are developed by different suppli-
ers (SUPPLIER X). All ECUs within the same bus system ( n or o) use the same
data base (dbc file) to guarantee that the ECUs will work together later on in the
vehicle.
SUPPLIER 1
SUPPLIER 6
SUPPLIER 2
SUPPLIER 5
Network Database
n All_ECUs_highspeed.dbc
n Powertrain
o All_ECUs_midspeed.dbc
o BodyCAN
SUPPLIER 4
SUPPLIER 3

Figure 3-1 A Modern Vehicle With Body CAN And PowerTrain Bus
The dbc file is designed by the vehicle manufacturer and distributed to all suppliers
There is the same
dbc file per bus
that develop an ECU. Thus every supplier uses the SAME dbc file for one vehicle
system (high
speed, low
platform and one bus system (powertrain, body CAN etc.) to guarantee a common
speed, etc) for all
basis for development.
suppliers to
guarantee a
common basis for
The dbc file contains e.g. information about every node in the network, the mes-
development.
sages/signals each node has to send or to receive. The distribution of the signals
among the messages is stored in the DBC file, too.
For example: every ECU has to know that a 1 in bit 7 in the 4th byte of the message
0x305 means “Ignition Key” on/off.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

12 / 56
4 CANbedded Software Components
The vector CANbedded environment consists of a number of adaptive source code
components that cover the basic communication and diagnostics requirements in
automotive applications.

Figure 4-1 CANbedded Software Components
CAN Driver
The CAN Driver handles the hardware specific CAN chip characters and provides a standardized
application interface.
Interaction Layer
The Interaction Layer (IL for short) is responsible for the transmission of messages according to
specified rules, monitoring receive messages, timeout monitoring, etc. It provides a signal oriented
application interface for the application.
Transport Protocol
The CAN protocol is restricted to 8 data bytes per message. But in some cases (e.g. diagnostics)
you need to exchange much more than 8 data bytes. The segmentation of the data, the monitoring
of the messages and the timeouts is done by the Transport Protocol (TP for short).
Diagnostics
Diagnostics Layer according to ISO14229 / ISO14230 (Keyword Protocol 2000).
Network Management
The Network Management (NM for short) is the component to control the bus, to synchronize the
transition to bus sleep, error recovery after bus-off, etc.
Communication Control Layer (CCL)
The CCL provides an integration environment for the CANbedded Software Components, an ab-
straction for different vehicle manufacturers, microcontrollers, CAN Controllers and compil-
ers/linkers. It also provides a global debug mechanism.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

13 / 56
Universal Measurement and Calibration Protocol (XCP)
This is the Software Component for measurement and calibration on several bus systems. To men-
tion some feature: read and write access to various memory locations or flash programming.
Generation Tool
This is a PC tool for configuring the above listed components. The Generation Tool is driven by a
network database file, DBC file for short.

The CANbedded Software Components are configurable and can be adapted to
your specific needs via the Generation Tool.

4.1
Generation Tool
The Generation Tool displays the complete set of ECUs in the network. In general
you pick out the one you develop the software for. In special cases when you de-
velop ECUs that are almost identical (e.g. door ECUs) you select more than one
(so-called multiple ECUs).
For  your ECU there are special requirements concerning the hardware and the
functionality. I.e. the driver must be suitable for your hardware and the standard
components must be adaptable for your project-specific needs. The means to do
this is the Generation Tool.
The Generation Tool is a PC-Tool. It reads in the Network Data Base file (DBC)
and offers you to select the node you are going to develop and has therefore all
information about your ECU, the receive and transmit messages, the signals etc.
The Generation Tool generates files that contain this information (DBC, hardware
and specific settings) and so complete the components core files and have to be
Include the
generated
included in the compile and link process.
files in your
system as
shown.
You must not
Your Hardware Platform-
change the
and Compiler information
Application
generated
files by hand
Project specific  component settings
Specific Data
– the  next
generation
process will

delete these
changes.
Right now there are two Generation Tools available, CANgen and the new Genera-
tion Tool called GENy. Which tool you have to use depends on you delivery and the
project.

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

14 / 56
4.2
The Vector CAN Driver
A driver is a program to control a piece of hardware. In this case the Vector CAN
Driver controls the CAN Controller and its registers.
4.2.1 Tasks of The Vector CAN Driver
The CAN Driver basically handles the reception and transmission of information via
the CAN Bus and recognizes bus failure (bus off). The CAN Driver provides a
standard application interface for the application.
Your application only has to use a set of predefined functions to control the CAN
Driver and will be notified via interrupt about incoming information (messages). To
control the incoming and outgoing data and to be notified of important events you
have to add some service- and call-back-functions to your application (see 6.5).
For more detailed information about the CAN Driver please refer to the Vector CAN
Driver Technical Reference (TechnicalReference_CANDriver.pdf and TechnicalRe-
ferfence_CAN_<hardwareplatform>.pdf, e.g. TechnicalReference_CAN_HC12.pdf).

4.2.2 Vector CAN Driver Files
The Vector CAN Driver consists of 3 sets of files, component files, generated files
and configurable files
4.2.2.1
Component Files
Independent of the used Generation Tool
can_drv.c - can_def.h - v_def.h
You must not change these files at all.

4.2.2.2
Generated Files
Independent of the used Generation Tool
can_cfg.h - v_cfg.h
Only for CANgen
YourECU.c - YourECU.h
Only for GENy
can_par.c - can_par.h - drv_par.c - drv_par.h - v_par.h - v_par.c - v_inc.h

Do not change these files. You will lose the changes after the next generation proc-
ess.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

15 / 56

4.2.2.3
Configurable files
Independent of the used Generation Tool
can_inc.h
INC stands for include. Here you can add includes you need.. You have to include
can_inc.h in every application C file where you need CAN functionality, followed by
the include of YourECU.h.
The Generation Tool CANgen generates the signal and message access macros
as well as the indication or confirmation flags to the file YourECU.h. GENy gener-
ates this to the file can_par.h.

4.2.3  Include The CAN Driver Into Your Application
Use the illustration in Figure  4-2 to include the files for the CAN Driver into your
application correctly. Please keep to the including order to avoid errors while com-
piling or linking.

Figure  4-2  Order For Including Files

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

16 / 56
5  Vector CAN Driver– A More Detailed View
You access the
signals   relevant
for your ECU with
the macros
5.1
Information Package on the CAN Bus
generated by the
Generation Tool.

As mentioned before, the information is exchanged between ECUs via the CAN
The generated
bus. The maximum amount of data which can be exchanged is 8 data bytes and
file sig_test.c
they are transmitted via a so-called message.
contains a list of
all access macros
to the signals.
A message contains the ID (the “name” or number of the message), the DLC (data
length code, i.e., the number of data bytes) and the data bytes .
A message on the CAN Bus can contain from 0 to 8 data bytes.
Every message is divided up into signals. A signal consists of 1 up to 64 bits. A
signal cannot exceed the message boundary.
We do not consider signals here which are greater than 64 bits, as this involves the
Transport Protocol.

Message
ID DLC
DL
0x01 0x12
Signal
(1 Bit to 8 Bytes) 0x01 0x12
e.g. Temperature,
(hi, low
(hi, lo )
A signal can
l ca  exceed
exce
byte boundaries
rie

Figure  5-1  Message and Signal
Signals are assigned to messages by the vehicle manufacturer database engineer.
This assignment is stored in the database (dbc file).
Normally you must not change the database (dbc file).

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

17 / 56
5.2
Storing Information Packages
The more you understand about data handling in the CAN Driver the better you are
able to design your application. You have to know where the data is stored at a
specific point in time to be able to access this data correctly.
Notification for
Application
RAM buffer
Temp
Ignition
Copy to RAM buffer depending on ID.
Door_S
or_ tate
Keep data consistent!
CAN Driver
Rx register
ID DLC
Transceiver
CAN messages
CAN messages

Figure 5-2 Rx Register, Data Structure and Notification

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

18 / 56
Updated by Application
RAM buffer
Temp
Ignit
Igni ion
Door_
Door State
CanTransmit (TxHandle)
CAN Driver
Copy data to Tx register.
Tx register
Keep data consistent!
ID DLC
Transceiver
CAN messages
CAN messages

Figure  5-3  Tx Register, Data Structure and CanTransmit
There are 3 elements involved in storing information packages:
5.2.1  The Registers of the CAN Controller
Your CAN Controller has a receive register (Rx Register) and a transmit register
(Tx Register).
Later on you will
Data is always received in the Rx Register of the controller. The data is written to
see, that this
special access to
the Tx Register immediately before a transmission.
the hardware is
possible only in
the functions
You can access these two registers via the signal access macros containing the
ApplCanMsgRe-
_CAN_ in the name (see YourECU.h if you use CANgen and can_par.h if you use
ceived and in the
Precopy Func-
GENy).
tions for reception
and in the Pre-
transmit Function
for transmission.
The signal access to the Tx Register is dependent on the hardware, not all drivers
support this feature.
5.2.2  The Data Structure Generated by the Generation Tool for Storing Mes-
sage Data.
The Generation Tool defines variables to allocate memory for the data of the re-
ceive messages and the transmit messages (The data allocation is optional and
can be switched off). In the receive procedure, the data will be copied from the Rx
Register to the message-specific memory area (RAM). In the transmit procedure,
you have to enter the current values in the variables and the driver will copy the
data to the Tx Register as shown in Figure  5-2 and Figure  5-3.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

19 / 56
The decision, whether to copy the data to or from the registers (receive and transmit)
with your own function or whether you let the driver do the copying action is up to
you and is decided by the return value of specific functions (precopy function, pre-
transmit function, see  6.9).
The Generation Tool optimizes the memory consumption. The highest byte con-
taining relevant signals determines the amount of bytes to be reserved for this
message. In the picture below, the red areas and lines in the bytes show where
relevant signal information is stored within the message.

4 bytes
The Generation
Tool minimizes
8 bytes
the amount of

memory reserved
for a message.
Figure  5-4  Memory optimization by the Generation Tool

In the first message the 3rd byte contains the last signal (counting started with 0).
Byte 4, 5, 6 and 7 have no relevant information for your ECU. In this case the Gen-
eration Tool only reserves 4 (0-3) bytes for this message.
The second message has information in the 7th byte, so the number of byte to be
reserved is 8 (0-7).
5.2.3  Memory the Application Reserved for Signals.
Sometimes you only need one byte or even only one bit signal out of a message.
To save RAM memory do not use a generated data structure. Use the precopy
function (see  6.9.1.5) to copy the byte or the bit of the received message to the
byte or the bit field you reserved in your application to hold this specific information.

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

20 / 56
6  CAN Driver in 9 Steps
STEP 1 :   UNPACK THE DELIVERY
Follow the install shield, unpack the delivery and install the generation tool.

STEP 2:   GENERATION TOOL AND DBC FILE
Configure the CAN Driver using the generation tool and an appropriate data base file
(DBC)..

STEP 3:  GENERATE FILES
The generation tool generates all necessary files for the CAN Driver.

STEP 4:   ADD FILES TO YOUR APPLICATION PROJECT
To use the CAN Driver you have to add the CAN Driver files to your application project.

STEP 5:   ADAPTATIONS FOR YOUR APPLICATION
Also adapt your application files to be able to use the functionality of the CAN Driver.

STEP 6:   COMPILE AND LINK
Compile and Link your application project including the CAN Driver.

STEP 7:   RECEPTION OF A CAN MESSAGE
Test the receiving path of the CAN Driver by sending a message to your ECU.

STEP 8:   TRANSMISSION OF A CAN MESSAGE
Transmit your first CAN message using the CAN Driver service functions.

STEP 9:   FURTHER ACTIONS AND SETTINGS
Topics above the very easy beginning.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

21 / 56
6.1
STEP 1 Unpack the Delivery
The delivery of CANbedded Software Components normally comprises a Genera-
tion Tool and the source code of the software components.
The Generation
Tool generates
You only have to start the
files for your
application. It is
…_Setup.exe
the connection
between your
hardware and
and to follow the install shield wizard.
settings, the
requirements of
your vehicle
manufacturer and
We recommend creating a shortcut to the Generation Tool.
the other ECUs,
your ECU has to
communicate

with.

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

22 / 56
6.2
STEP 2 Generation Tool and dbc File
Use new Generation Tool GENy, look there >>
6.2.1  Using CANgen as Generation Tool
When you start the Generation Tool you will see a window like Figure   6-1. This
starting window is the main window of the Generation Tool.

Figure  6-1  Add a dbc file
A click on the green plus (+) will open a new window to add your database (dbc
file).
When you use
the browse-button
you will get an
absolute path to
the dbc file.
It is suggested
that you use
relative paths in
order to be able
to move your
project more
easily from one
directory to
another.
This warning
occurs only if you

open the dbc.file
Figure
for the first time
6-2  Warning – do not bother
because of the
extension file has
Browse for your dbc file and select it. When you do this for the first time, the Warn-
still not been
created. The
ing above will occur. Ignore it, and just confirm with OK..
extension file will
contain your
Select your node; choose your target system and compiler.
settings you do in
the following.
Since we are using a CAN Driver with just one channel, the channel index has to be
left empty. When you have two or more channels, they will be distinguished via this
index.

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

23 / 56
The Name field is
set to the name of
the dbc file. You
can change the
name . It is only
used in the list of
your channels in
figure 2-5.

Figure 6-3 Channel properties
Confirm with OK and you will see your setting as text in the field of the starting win-
dow of the Generation Tool. When we save the configuration for the first time, we
have to use the menu command File/Save as.

Figure 6-4 Save Setting For The First Time
Take a look at the directory where you stored the settings of the Generation Tool.
There is your dbc file and new files (see note) only used by the Tool.
The following files belong to the Generation Tool:

<databasename>.dbc
(exampleDRV.dbc)
<databasename>.ext
(exampleDRV.ext)
<databasename_nodename>.msg
(exampleDRV_YourECU.msg)
<databasename_nodename>.sig (exampleDRV_YourECU.sig)
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

24 / 56
(<databasename_nodename>.fms (exampleDRV_YourECU.fms))
fms only when using a full CAN controller.
yourECU.ccf
this is the project file for the Generation
Tool.

Now you can open your settings in the normal way (not via the dbc file) by opening
the file YourECU.ccf.
When your vehicle manufacturer changes the dbc file, just copy all files important for
the Generation Tool into a new directory, delete the old dbc file and copy the new dbc
file in this new directory. Rename the old ext file with the name of the new dbc file.
This preserves your application-specific settings.
The checkbox
Generate only bit
and byte signal
This does not work when the target system has changed!!!
macros is only
used for very
special applica-
tions. If you have

any doubt, do not
choose this.
Now we shall make additional settings for the component CAN Driver. Use this but-
ton[
] to open the Generation Options and to enter the following dialog.

Figure 6-5 Overview of Signals and Directories
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

25 / 56
In the overview tab page (Figure  6-5) you see all receive and send messages for
your node.
Just choose the path where the header and the C file are to be generated and the
path for the configuration file can_cfg.h.
Select the tab CAN Driver.
In the following dialog you can make settings that are the same for all CAN drivers
regardless of the hardware platform. For the first attempt we do not select anything.
Here you see the
variety of setting
you can make to
configure a CAN
Driver. Take a
look at it but do
not enter anything
for this first
attempt.

Refer to the
document
CANdrv.doc to
get further infor-
mation about
these settings.

Figure  6-6  CAN Driver Dialog (for HC12)
The next tab, CAN driver (advanced) is very special for the specific vehicle manufac-
turer and the hardware platform. Please refer to the description of your CAN Driver
Technical Reference for the advanced settings (TechnicalRefer-
ence_CAN_hardwareplatform.pdf).
Finally we have to set the Init registers. Please select this tab (Figure  6-7).
Some of the following information might be hardware dependent but the fundamental
mechanisms are the same.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

26 / 56
Every two col-
umns belong to
one so-called init
structure consist-
ing of baud rate,
acceptance
filters…

Figure 6-7 Init Registers For The CAN Controller (for HC12)
This is a very important dialog. Please pay special attention to these settings.
Here is where you can make the settings for the hardware acceptance filters and
the bus timing of your CAN Controller.
First we look at the Acceptance filters, second at the Bustiming registers.
In order to minimize the number of messages that should not be received by your
ECU, you can set a hardware filter by means of the acceptance register (1) (see
Figure 6-8).
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

27 / 56
The reception of any message normally causes an interrupt. To minimize the inter-
rupt load you set the filters, so only relevant message will pass and cause an inter-
rupt.

Figure 6-8 Acceptance Filters For The CAN Controller (for HC12)
For the first attempt it is your choice whether to open all filter via the Open filters or
you use the Optimize filters button. Confirm with OK.
The setting of the filters is described in detail in the help document for the Generation
Tool. (just use the HELP button).
Next we will look at the bus timing. To do this, while still on the Init registers tab
page, click on the Bustiming registers button.
Incorrect Bus Timing settings are common mistakes that cause errors while transmis-
sion and reception. Please pay special attention to all settings in this dialog.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

28 / 56

Figure 6-9 Bus Timing Register Settings

Caution
Before SOP it is duty of the OEM / Tier1 supplier to recalculate and validate these
automatically calculated values for the bus timing registers.

First you have to enter the clock signal frequency. This is the base for further calcu-
lating the timing registers. Make sure to select the correct frequency.
The Bus Timing Registers of any CAN controller contain information about the bus
rate, the synchronization jump width (SJW) and the BTL cycles. There are two
ways to make these setting:
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

29 / 56
1.  Do you know the baud rate ?
Enter the baud rate and click on Calculate bustiming registers. You will get a
list of possible register setting. Choose your setting by a click in the list.
Between 60 and 80% is a good value for the Sample Rate and the SJW for your se-
lection. All vehicle manufacturers have strict guidelines for these settings.
2.  You can also simply enter values for the two bus timing registers (CBT0 and
CBT1) and let the software calculate the baud rate.
Return to the Init registers dialog via OK and see the changed values.
With a further OK you return to the main window of the Generation Tool.

Make sure that the checkboxes Use TP, Use diagnosis, Use Can Calibration
Protocol, Use MCNet … are NOT selected (as we are working with the CAN
Driver only for this example).
The variety of these buttons is dependent on the manufacturer. Deactivate any com-
ponent but the CAN Driver.

Figure  6-10 TP Options
The figure is only an example. The screenshot may look very different in your case.
But you see the checkbox which must not be selected.

Read the following chapter if you use GENy.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

30 / 56
6.2.2  Using GENy, the new Generation Tool
The following first steps with the Generation Tool are described in details in the online
help of the Generation Tool GENy, too.
Start the Generation Tool and setup a new configuration. Via File/New you open
the Setup Dialog Window. Select License, Compiler, Micro and Derivative (if avail-
able) and confirm via [OK]. Then open the Channel Setup Window via the green
plus and the selection of the underlying bus system (CAN or LIN).

Figure  6-11 Setup Dialog Window and Channel Setup Window to Create a New Configuration
The channel name is Channel X per default (X is starting with 1). Use the browse
functionality to enter the location of the data base (dbc file).
Select your node out of the field Database Nodes and confirm the settings with
[OK].
Now save the configuration via File/Save or File/Save as.
First at all you should switch on/off the components you need, in this case we only
use the CAN Driver.
Use the component selection at the bottom of the main window of the Generation
Tool and select the suitable Driver (in this example application we use the
CPUHC12 and the Driver HC12).

Figure  6-12 Component Selection

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

31 / 56
Now you should set the path where the Generation Tool generated the files to. To
do this, open the Generation Directories Window via Configuration/Generation
Paths. Enter the root path and select additionally individual paths for the compo-
nents, if the Generation Tool should generated the files to different folders. This is
also described very detailed in the GENy online help.
For the HC12 there are some hardware-specific settings that you have to make,
the register block address and the register block offset. It depends on you hard-
ware whether you have to do such kind of settings or not. Refer to the Technical-
Reference_CAN_YourHardware.pdf for more information.

Figure 6-13 The Register Block Address is a General Setting for the CPU

Figure 6-14 Register Block Offset, Acceptance Filters and Bus Timing are Channel-Specific Settings for the CPU
What is missing now is the settings for the acceptance filters and the bus timing.
Acceptance filter configuration and bus timing configuration are very important set-
tings. Please pay special attention to them.
As you see in the navigation tree above you can open the configuration windows
for these two settings via the channels of the hardware (e.g. CPUHC12).
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

32 / 56
First we take a look at the Acceptance filters, second at the Bustiming registers.
In order to minimize the number of messages that should not be received by your
ECU, you can set a hardware filter by means of the acceptance register.

Figure 6-15 Acceptance Filter Settings Window of GENy
The reception of any message normally causes an interrupt. To minimize the inter-
rupt load you set the filters, so only relevant message will pass and cause an inter-
rupt.
For the first attempt it is your choice whether to open all filter via the Open filters
or you use the Optimize filters button. Confirm with [OK].
The window for the bus timing registers is the same as for the CANgen Generation
Tool. Refer to the lines above for this explanation.
To make the settings for the component CAN Driver itself use the lists below Driv-
erHC12 and DriverHC12/Channels/Channel 1. But for the this first attempt leave
these driver settings on their default values.

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

33 / 56
6.3
STEP 3 Generate Files
6.3.1  Using CANgen Generation Tool
Click on the button
and start the generation process.

Remember to
start the genera-
tion process after
any change in the
dialog windows of
the Generation
Tool.

Figure  6-16 Generation Process

The double arrow is only available if you have a multi-channel CAN Driver distin-
guished via the Channel index.
Now we have generated for the first time. Check the directory and see the new
files. There should be at least the files YourECU.c and YourECU.h, and in the path
for the configuration file there should be can_cfg.h and v_cfg.h.
If you do not find the generated files check your path in the Overview dialog.

6.3.2  Using GENy
Click on the button
and start the generation process.

Figure  6-17 Information About the Generated Files and the Generation Process
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

34 / 56
The Generation Tool provides you with information about the Generated Files and
Generation information. In this example shown above the acceptance filters are
not set correctly, Message_2 will not pass the filter. Open or optimize the filters.
If a message will not pass the acceptance filters, the Generation Tool will not create
signal access macros for the hardware (_CAN_ see in chapter 5.2.1). Make sure that
the generation process runs without error messages.
Now we have generated for the first time. Check the directory and see the new
files: can_par.c, can_par.h, drv_par.c, drv_par.h, can_cfg.h, v_par.c, v_par.h,
v_cfg.h, v_inc.h.
If you do not find the files check the paths in the Generation Paths… dialog.

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

35 / 56
6.4
STEP 4 Add Files to your Application
In this step you have to add all files of the CANbedded Software Components (In
this example these files are only the ones for the CAN Driver) and the generated
ones to your project (or makefile).
Rename the file _can_inc.h to can_inc.h (remove the underscore prefix) and open
it with an appropriate editor. As you do not use any other component but the CAN
Driver you should delete the #include of the Network Management (nm_cfg.h) at
the end of this file.
If you want to use functions of the CAN Driver or you want to access signals or mes-
sages, you only have to include the can_inc.h and then the YourECU.h for CANgen
and v_inc.h for using GENy.
Now add the driver files to your source list for your compiler or your makefile.
If you want to apply changes you have made in the Generation Tool, you must start
the generation process again. Remember compiling afterwards.
!!! We are still not able to compile and link. !!!
The starting point for this example is a very simple application consisting of only
one file (here applmain) and an interrupt vector table (vectors.c). It should give you
an idea of how to handle the service- and callback functions of the CAN Driver.
In the following chapters we complete this example step by step.
This example was created for using CANgen. For the usage of GENy you just have
to include the v_inc.h.

Example for HC12:
|-------------------------------------------------------------------
| A U T H O R I D E N T I T Y
|-------------------------------------------------------------------
| Initials Name Company
| -------- --------------------- ---------------------------
| em Emmert Klaus Vector Informatik GmbH
|-------------------------------------------------------------------

/*Includes ********************************************************/
#include "can_inc.h"
#include "yourecu.h"

void main (void )
{
}

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

36 / 56
6.5
STEP 5 Adaptations for your Application
To be able to compile and link, you have to adapt a few things in your application.

Example for the HC12:

/* Includes*********************************************************/
#include "can_inc.h"  /*using CANgen*/
#include "yourecu.h"  /*using CANgen*/
#include "can_par.h"  /*is also included for GENy via include of v_inc.h*/

/*Function prototypes **********************************************/
void enableInterrupts( void );
void hardwareInit( void );

/*Main Function **********************************************/
void main(void)
{
/* make sure that the interrupts are disabled to initialize the
modules.*/

DO  NOT USE any CAN API function before calling CanInitPowerOn.
It is forbidden to use CanInterruptDisable here

hardwareInit();

It is forbidden to

use any CAN
functionality
  CanInitPowerOn(kCanInitObj1);
before CanInit-

PowerOn !!!
enableInterrupts();

for(;;)
{
;
}
}

void ApplCanBusOff( void )
{
; /*Callback function for notification of BusOff*/
}

void ApplCanWakeUp( void )
{

; /*Callback function at the transition from SleepMode to sleep
indication recommended*/
}

void hardwareInit( void )
{
/*
Do your hardware specific initializations here.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

37 / 56
Remember your TRANSCEIVER
*/
;
}

@interrupt void irq_dummy0(void)
{
  for( ;; ); /*all other interrupts except the CAN Interrupts are routed
to this function.*/
}

Now the description of the above code:
First, we have to include the can_inc.h and then the generated header, here
yourecu.h.
The following define is to enable the interrupts and is hardware dependent.
In the main() function you have to do initializations first.
In the hardwareInit you can turn on timers or PWM or something else.
When you use a
As you see, the transceiver connects directly to the CAN Bus, so:
high speed
transceiver, you
!!!  PLEASE THINK OF SWITCHING YOUR TRANSCEIVER ON !!!
have to take care
THE CAN DRIVER DOES NOT HANDLE THE TRANSCEIVER
of your terminat-
ing resistor of
120Ω
Normally this is only necessary when using a low-speed-transceiver. Refer to your
hardware guide.
CAN Driver
CAN Controller
can_rx
can_tx
(standby
enable)
Transceiver
CAN_H
CAN_L
GND

Figure  6-18 The Transceiver
To start the CAN Controller and the CAN Driver, you have to call the function:
CanInitPowerOn( kCanInitObj1 )
Make sure that
the interrupts are
disabled when
calling the func-
Make sure that you use functions of the CAN Driver API after CanInitPowerOn.
tion CanInitPow-
erOn. Normally
the interrupts are
disabled by
default at startup.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

38 / 56
The parameter passed in determines the init structure you made the settings for via
the Generation Tool. You will find the macro kCanInitObj1 in the generated
yourecu.h (can_par.h for GENy) normally at the end of the file. (On some hard-
ware platforms, this parameter is not necessary (e.g. V850). Refer to your hard-
ware specific documentation for this information.
Now you can enable interrupts.
The main-function is an endless-loop. Perhaps you can turn on some LEDs, to see
the application running.
You also have to provide the CAN Driver with two application functions, applCan-
BusOff and applCanWakeUp. For the first start, you can leave these functions
empty to avoid linker errors.
Think of adding

this or a similar
file to your sys-
Since the CAN Driver uses interrupts for notifying the application when a CAN
tem, i.e. your
makefile or  your
message has been received, you have to map the interrupts on the corresponding
project.
interrupt service routines. Refer to your compiler manual how to do this in your
case.
For the HC12 CAN Drivers this is done in the file vectors.c. Let’s have a look at this
file.
Interrupts and interrupt tables are highly dependent on the hardware. Just use this
example as a guide.

Example for HC12:

const functptr vectab[] = { // @0xFFC4 start address of table
  CanTxInterrupt, // $FFC4 CAN transmit
CanRxInterrupt, // $FFC6 CAN receive
CanErrorInterrupt, // $FFC8 CAN error
irq_dummy0, // reserved
irq_dummy0, //
irq_dummy0, //
  CanWakeUpInterrupt, // $FFD0 CAN wake-up
irq_dummy0, //ATD
irq_dummy0, //SCI 2
irq_dummy0, //SPI
irq_dummy0, //SPI
irq_dummy0, //Pulse acc input
irq_dummy0, //Pulse acc overf
irq_dummy0, //Timer overf
irq_dummy0, //Timer channel 7
irq_dummy0, //Timer channel 6
irq_dummy0, //Timer channel 5
irq_dummy0, //Timer channel 4
irq_dummy0, //Timer channel 3
irq_dummy0, //Timer channel 2
irq_dummy0, //Timer channel 1
irq_dummy0, //Timer channel 0
irq_dummy0, //Real time
irq_dummy0, //IRQ
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

39 / 56
irq_dummy0, //XIRQ
irq_dummy0, //SWI
irq_dummy0, //illegal
irq_dummy0, //cop fail
irq_dummy0, //clock fail
_stext //RESET
};

As you see in the example, we only use CAN-specific interrupts and the reset vec-
tor. All other interrupts result in a dummy interrupt.
You also have to provide the function irq_dummy0( ) in your application. Refer to your
hardware description to figure out the solution for your situation.

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

40 / 56
6.6
STEP 6 Compile, Link and Download
Now start your compiler by calling the makefile or just clicking the start button. What
you do is depends on your development tool chain.

Back to 9 Steps overview

6.7
STEP 7 Receiving A Message

Congratulations !!

You have now arrived at Step 7, i.e. you can compile and link. You are very close
to your first CAN communication.
In every project you normally have to spend a lot of the time starting up the hardware
and the development environment.

Make sure that:
You have the correct clock frequency (important for baud rate).
You have entered this clock in the dialog box of the Generation Tool.
The memory mapping is correct.
The physical CAN connection is there and has no damage.
You have a terminating resistor (120Ω) if you use high-speed CAN (powertrain).
Your transceiver is initialized properly
After the download of your Application, set a breakpoint in your debugger on the
main (void) function and start. Did it stop at main?
If so, Congratulations again.
Remove the breakpoint and restart. Now your application is running in the endless
loop. Please check this!
CANoe is very
convenient for
testing a CAN
communication.
As soon as you
see the message
Id or the Name in
the  Trace win-
dow after sending

a message, you
know that your
Figure  6-19 Simple Test Environment
hardware settings
are correct.
Now send a CAN message on the bus. It is best to use an ID your ECU normally
has to receive.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

41 / 56
A very easy way to send a message is by using the CANoe (or CANalyzer), a PC-tool
from Vector Informatik. Use the generator block and send the message.
Send the message and observe the Trace window.
Do you see the name of the message or the ID?
Great, your ECU has acknowledged the CAN message, i.e. all hardware settings
are correct.
If you see Error frames, check the list above. The main mistakes are hardware set-
tings (transceiver), the baud rate (clock of CAN Controller), wiring problems and
ground offsets.
Now we are ready to modify our application. Please check in the Generation Tool
on the tab Receive messages, if the Indication flag for the message is switched on.

Figure  6-20 Check button for indication flag
There are many
If not, switch it on, start a new generation process, compile and link the system again
more ways to
react  when a
and download it to the target.
CAN message  is
received. Refer to
Step 9 in this
Now we use the so-called Indication flag to poll the reception of the CAN message.
manual.
When an interrupt is triggered by the reception of a CAN message, the indication
flag will be set (if chosen in the Generation Tool).
When you use another dbc file, your message will have a different name. You will find
the correct macro for your indication flag in the file yourecu.h (can_par.h). Just search
for indication.
Example for the HC12:
void main(void)
{
hardwareInit();

CanInitPowerOn(kCanInitObj1);

enableInterrupts();

for(;;)
{
  /* First Test modification*/
if( Message_2_ind_b )
{
Message_2_ind_b = 0; Breakpoint here
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

42 / 56
}
}
}

The names are generated out of the name of the signal and the pre- and postfixes
from the “names” tab. Refer to the file YourECU.h (can_par.h) for the correct writing of
messages, indication flags etc.
Compile, link and download the application and set a breakpoint (as shown). Now
send the CAN message via the Generator Block.

It stopped at the breakpoint?

If so, you received the message, used the correct macro for the flag and got noti-
fied of the reception.

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

43 / 56
6.8
STEP 8 Sending a Message
The next step is the transmission of a CAN message. This is done by calling the
function
CanTransmit( handle );
The  handle specifies the message you want to send. Open the file yourecu.h
(can_par.h for GENy) and search for “handle” in the section on send/transmit
objects. Chose the appropriate macro for the send message and use it as shown.

Example:
void main(void)
{
hardwareInit();

CanInitPowerOn(kCanInitObj1);

enableInterrupts();

for(;;)
handle
{
/* First Test modification*/
if( Message_2_ind_b )
{
  /*Second Test modification*/

if( CanTransmit( CanTxMessage_1 ) == kCanTxOk )
{

    Message_2_ind_b = 0;
  }
}
}
}

Refer to the file YourECU.h (can_par.h for GENy) for the message handles.

Meaning of the return value of CanTransmit
The function CanTransmit has a return value, kCanTxOk or kCanTxFailed.  The
meaning of this value is not as simple as it looks like.
Without Software Transmit Queue
kCanTxOk means that the data has been copied from the RAM to the Tx Register
and the transmit request is set in the CAN Controller hardware. The physical trans-
mission of the message depends on when the message wins the CAN bus arbitra-
tion.
kCanTxFailed means the hardware register is busy or CAN Driver is offline.
With Software Transmit Queue
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

44 / 56
kCanTxOk could mean the same as above. But it also could mean that the transmit
request is set in the software queue of the CAN Driver and will be processed as soon
as possible. Read more about the software queue in the chapter 6.9.2.3.
kCanTxFailed means the CAN Driver is offline.

Full CAN Tx Object
There is no Tx queue functionality for Full CAN Tx Objects.

This modified application sends back a CAN message. You should see the re-
sponse message in your Trace window. Refer to the TechnicalRefer-
ence_CANDriver.pdf to get information about the return value.
Do you see the response message in the Trace window?

CONGRATULATIONS!
The basic CAN communication is running.

Of course this is a very simple application and far away from the complexity of your
application, but as the saying goes:
The longest way starts with the first step(s).

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

45 / 56
6.9
STEP 9 Further Actions
The next step is to build up your application around the communication. To do this
in a simple manner, read the following tips and recommendations. You will then be
given an exercise that poses a problem which you will try to solve. After finding the
correct answer, you will understand the order in which the functions of the CAN
Driver are called.
6.9.1  Strategies for Receiving a CAN Message
The  Figure   6-21 shows the calling order of the functions when receiving a mes-
sage.
Indication Flag/Function
Hardware Copy of data to
locked
software buffer
conditional
Precopy Function
exit
Search Algorithm
exit
if not found
Ranges
exit
if matched
ApplCanMsgReceived
conditional
exit
Hardware Filter
CAN-BUS

Figure  6-21 Calling Order Of Functions When A CAN Message Is Received
6.9.1.1
Hardware Filter (HW Filter)
As you have learned before, you can adjust the hardware filter in the Generation
Tool. Every message that passes the hardware filter triggers an interrupt – if not
using polling mode.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

46 / 56
To reduce your interrupt load, optimize the filters (Generation Tool).
6.9.1.2
ApplCanMsgReceived
In the Generation Tool you can choose to have this function called with any recep-
tion of a CAN message that passes the hardware filter.
Here you can filter the messages that pass the hardware filter but contain no rele-
If you select the
function
vant information. At this point, the data is in the receive register (Rx register). Use
ApplCanMsgRe-
the hardware access macros to figure out ID, DLC and DATA of the received mes-
ceived, the
prototype will be
sage.
generated. You
only have to enter
the function.
6.9.1.3
Ranges
Ranges are a software filter mechanism. Since the message is filtered by its ID
and assigned to the categories Network Management, Diagnostics, Application,
etc., you can route more messages on the same Range precopy function.
6.9.1.4
Search Algorithm
To figure out whether a message is meant for your ECU and which message ID it
is the CAN Driver has to compare the ID with an ID-list. This comparison can be
done in different ways. The criterion is the speed for browsing the list. The Genera-
tion Tool offers different search algorithms to choose. Please refer to the CAN
Driver Technical Manual for the differences.
6.9.1.5
Precopy
In the Generation Tool (receive objects/functions) you can enter a name for a mes-
sage-specific precopy function. This function is called by the CAN Driver before
copying the message data from the receive register to the RAM data structure (if
The _CAN_
selected).
macros will be
generated only
when you have
The Precopy function e.g. can be used to check to see if the data has
chosen a precopy
function or the
changed. Use the _CAN_ access macros to read the data out of the receive regis-
object is a full can
object.
ter and compare it with the RAM buffer (look in yourECU.h for CANgen and in
can_par.h for GENy for these access macros).
This macro will be only generated if the message is a full can object or you have se-
lected a precopy-function for this message (see later).
As you are in interrupt context, data consistency is not in danger (refer to the tech-
nical reference for you hardware). Keep your actions short in any Precopy func-
tion.
The return value of the Precopy function determines what happens next.
kCanCopyData: The driver is to do the copying from receive register to RAM
buffer.
kCanNoCopyData: You did the copy of relevant data and the driver does not need
to call its copying routine.

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

47 / 56
6.9.1.6
Indication Flag / Indication Function
The application is notified by the indication flags and/or the indication functions
The driver indicates the reception of a message to the application.
Indication Function
This function runs in interrupt context and is message-specific. Keep your action
very short in this function.
You can enter a name for a message-specific Indication function in the
Generation Tool (in the same way as you did it for the Precopy function).
Indication Flag
This flag is message-specific. It is set by the CAN Driver and can be polled by the
application. It tells the application a new message has been received.
!!! This flag must be reset by the application. !!!
You can use this flag to ensure you are working on the newest contents of a mes-
sage.
If the flag is set, it means that a new message has been received. Clear the flag and
access the received data. If the flag is cleared after your access, you can be sure that
you have current data. If the flag is set, new data has been received in the meantime,
so repeat this once again.

Remember for Data consistency
All flags are set by the driver in an interrupt context. If your µC does not perform an
atomic (i.e. uninterruptible) write access to bit data it is necessary to protect the
write access via an interrupt lock to prevent unexpected change or loss of flag
states. It is recommended to perform this (CAN-) interrupt lock via the API func-
tions CanInterruptDisable / CanInterruptRestore.
Please refer to your controller and/or compiler manual for information about atomic
write access to bit data in your system. In case of doubts, it is recommended to
lock the interrupt during the access.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

48 / 56
6.9.2 Strategies for Sending a CAN Message
The transmission of a CAN message is divided into two parts: the preparations until
the transmission of a message and the transmit interrupt handling, which informs
you about the successful sending of a message.
First we look at the preparations before sending.
Update RAM buffer
CAN Transmit
yes
Buffer free?
Entry in Queue
exit
Pretransmit
Copy of data to
hardware buffer
Send Message
CAN-BUS

Figure 6-22 States Before Transmitting A CAN Message
6.9.2.1
Update RAM buffer
The methods of transmission highly depend on your application. You may have to
send in a fixed cycle, or you may have to send when a specific event occurs.
Both cases require current data. If you use the RAM buffer, you just have to keep
the data in it up-to-date.
When you use your own buffer you should enter the values directly into the trans-
mit register just before sending the message. Otherwise the data could be overwrit-
ten by another transmit message.
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

49 / 56
6.9.2.2
CanTransmit
The CanTransmit function initiates the transmission of a specific message. The
You can only be
handle (in the file yourECU.h for CANgen and in can_par.h for GENy) specifies
sure that the
message has
which message is sent.
been sent when
you get the
confirmation
CanTransmit has 2 possible return values, but none of them guarantee that the
interrupt (confir-
mation function or
message has been sent yet. They just say that either the message will be sent as
confirmation flag)
soon as possible (with or without a queue) or the transmission request has been
rejected (see  6.8);

6.9.2.3
The Queue
There are two possible causes for a return value of kCanTxOk: either the message
has directly entered the transmit buffer or the message has entered the queue (if
chosen in the Generation Tool).
An entry in the queue means, the REQUEST to send this message is stored, not
the data. So leave the data untouched until you are sure the message has been
sent, i.e. until the Confirmation flag is set or the Confirmation function
is called.
6.9.2.4
Pretransmit Function
When you do not have a RAM buffer for your message, you must copy the data to
the transmit register of the CAN Controller in the Pretransmit function. With
the call of the function you get a pointer directly to the transmit registers. In this
case you have to know the distribution of the signals to the bytes, because you do
not get signal access macros.
The time between the call of CanTransmit and the confirmation interrupt is not pre-
dictable. To update your data short before the transmission, use the Pretransmit func-
tion too. If this function is called, you can be sure that this message is the next mes-
sage to be sent.
When the message is sent and at least one ECU receives this message, the ac-
knowledge will trigger the so-called transmit interrupt. This interrupt calls the
transmit interrupt service routine, which in turn might call the confirmation function
or set the confirmation flag.
6.9.2.5
Confirmation Function and Confirmation Flag
The Confirmation function is called in interrupt context, so keep the run time
See the parallels
as short as possible by not doing much in the code. Now you can be sure, your
between the
indication func-
message has been sent successfully.
tion/flag  and the
confirmation
The Confirmation flag has the same meaning, but you have to poll this flag in
function/flag
your application (similar to the way it is done with the Indication flag). You
get the macro out of the generated file yourECU.h (can_par.h).
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

50 / 56
Leave Interrupt
CanTransmitQueuedObject
Queue Empty?
Confirmation Flag/Function
CAN-BUS
ACKNOWLEDGE
Figure 6-23 Confirmation Interrupt After Transmission Of CAN Message
After the confirmation the queue (if chosen) will be worked on.

Back to 9 Steps overview

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

51 / 56
7  Further Information
7.1
An Exercise For Practice
The program below is a small application (for the HC12) using the basic service- and
call-back functions of the CAN driver. Try to follow the program and answer the
questions connected with.

The application receives a CAN message containing a byte signal b_Signal_2_c.
After processing the incoming message, the application sends another message
containing only one byte signal, called b_Signal_1_c.
Can you calculate the value that will be sent back with b_Signal_1_c depending
on the value of the variable a  and the value of the received signal
b_Signal_2_c?
See the solution at the end of this document

Example for the HC12:
/* Includes
*******************************************************************/
#include "can_inc.h"    /*for CANgen*/
#include "yourecu.h"    /*for CANgen*/

#include "can_par.h"    /*only include for GENy*/

/* Variable definition
*******************************************************************/
unsigned char a;

/* Function prototypes
********************************************************/
void main_function(void);
void enableInterrupts( void );
void hardwareInit( void );

/* The Main Function
**********************************************************/

void main(void)
{
hardwareInit();

CanInitPowerOn(kCanInitObj1);

  a = 5;
  b_Signal_2_c = 0;

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

52 / 56
enableInterrupts();

for(;;)
{

if( Message_2_ind_b )
    {
      b_Signal_1_c = b_Signal_2_c + a;
      if( CanTransmit( CanTxMessage_1 ) == kCanTxOk )
      {
/*Disable Interrupt*/
Message_2_ind_b = 0;
/*Enable Interrupt*/
      }

    }
if( Message_1_conf_b )
    {
a=1;
/*Disable Interrupt*/
Message_1_conf_b = 0;
/*Enable Interrupt*/
    }

  }
}

/* Other Functions
**********************************************************/

void enableInterrupts( void )
{
/*Enable interrupts*/
}
void ApplCanBusOff( void ) /*later uesd for bus off treatment*/
{
;
}
void ApplCanWakeUp( void ) /*later used for wakeup functionality*/
{
;
}
/* new function added in the Generation Tool and application */
canuint8 ApplCanMsgReceived( void )
{
a=a+2;

  return( kCanCopyData );
}
canuint8 M1_PretransmitFunction(CanChipDataPtr dat)
{
  b_Signal_1_c = b_Signal_1_c +1;
  return( kCanCopyData );
}
void M1_ConfirmationFunction(CanTransmitHandle tmtObject)
{
a=a+23;
}
canuint8 M2_Precopy(CanReceiveHandle rcvObject)
{
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

53 / 56
rcvObject = rcvObject;  /*to  avoid  compiler  warning.  You  only

use this handle if you have one

precopy function for two or more

messages*/
a=2;
  if( b_CAN_Signal_2_c == b_Signal_2_c )
{

return(
kCanNoCopyData
);
/*same value as before, no need to

copy data, leave interrupt*/
}
else
{
a = b_CAN_Signal_2_c;
return( kCanCopyData );
}
}

void M2_IndicationFunction(CanReceiveHandle rcvObject)
{
  rcvObject = rcvObject; /*to
avoid
compiler
warning.
You
only
       use this handle if you have
one
precopy
function
for
two
or
more
messages*/
a=a+1;
}
/****************************************************/
void hardwareInit( void )
{
/*
  Do your hardware specific initializations here.
  Don’t forget to initialize your TRANSCEIVER, if necessary*/
;
}
@interrupt void irq_dummy0(void)
{
  for( ;; );
}

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

54 / 56
7.2
The Solution To The Exercise
7.2.1  After the first reception and transmission of a new value:
a = 1
b_Signal_1_c = b_Signal_2_c*2+2

7.2.2  After the reception of the same value as before:
a = 2
no return message

Did you get it?

7.2.3  The solution, step by step
At the beginning,
a=5 and b_Signal_2_c = 0
The Main loop is waiting on an Indication Flag for Message 2 and a Confirmation
Flag for Message 1.
The first function that is called after the reception of Message 2 is ApplCan-
MsgReceived. There the 2 is added to a and returned with kCanCopyData, so
the reception process continues.
At this point a=7 and b_Signal_2_c = b_Signal_2_c
The next function executed is M2_Precopy. The variable a is set to 2 and the re-
ceived signal b_CAN_Signal_2_c (the data in the Rx register, i.e. in the CAN Con-
troller) is compared with the signal b_Signal_2_c.
If there is no change, the return value kCanNoCopyData stops the receive process
the receive interrupt is exited.
Now a=2 and no response message will be sent.
If there is a difference, a is set to b_CAN_Signal_2_c and the return value keeps
the receive interrupt going on.
At this point a= b_CAN_Signal_2_c and b_Signal_2_c= b_Signal_2_c
Now the Indication function M2_IndicatinoFunction is called, where a
is increased by 1.
Now a= b_Signal_2_c+1 and b_Signal_2_c= b_Signal_2_c
©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

55 / 56
Since the Indication flag is set, now the main loop put b_Signal_1_c =
b_Signal_2_c+a, i.e. b_Signal_1_c= 2* b_Signal_2_c+1.
Now the message is requested to be sent (CanTransmit). If the request is an-
swered with a kCanTxOk, the Indication flag is cleared to avoid sending the mes-
sage again and again. Otherwise the flags stay set until the request of sending this
message is successful.
At this point a = b_Signal_2_c+1 and b_Signal_2_c = b_Signal_2_c and
b_Signal_1_c = 2* b_Signal_2_c +1
Before the message is on its way, the function M1_PretransmitFunction is
called. This function increments the send signal by 1 and the return value lets the
driver copy the data from the RAM buffer to the Tx register.
At this point a = b_Signal_2_c+1 and b_Signal_2_c = b_Signal_2_c and
b_Signal_1_c = 2* b_Signal_2_c +2
Now the message is on its way via CAN. The first node to receive this message (in
this test case, CANoe) gives an acknowledge that triggers a transmit interrupt.
In the function M1_ConfirmationFunction 23 is added to a.
Now a = b_Signal_2_c+24 and b_Signal_2_c = b_Signal_2_c and b_Signal_1_c = 2*
b_Signal_2_c +2
Then the Confirmation flag is set and recognized by the main loop. There the
variable a is set to 1 and the Confirmation flag is reset to 0 to prevent setting
a over and over again.
So the result is:
a = 1
b_Signal_1_c = 2* b_Signal_2_c +2

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

User Manual Vector CAN Driver

56 / 56
8
Index
Acceptance filters ................................. 26, 32
Hardware..................................................... 45
applCanBusOff ........................................... 38
Including Order............................................ 15
ApplCanMsgReceived .................... 46, 52, 54
Indication flag .................................. 41, 49, 55
applCanWakeUp......................................... 38
Indication Flag............................................. 47
baud rate............................................... 29, 41
Indication Function...................................... 47
Bootloader .................................................. 10
Init registers........................................... 25, 29
Bustiming ........................................ 26, 27, 32
Interaction Layer ................................... 12, 13
Bustiming registers ............................... 26, 32
interrupt ....................................................... 47
CAN Driver. 12, 14, 15, 17, 22, 25, 33, 35, 45,
link.......................................35, 36, 40, 41, 42
46
makefile................................................. 35, 40
can_cfg.h .............................................. 25, 33
memory requirement................................... 19
can_inc.h .................................................... 35
message...................................................... 16
CANalyzer................................................... 41
Motivation...................................................... 4
CANdesc IN 8 STEPS ................................ 53
Network Management................................. 12
CANdesc tab............................................... 15
Open filters............................................ 27, 32
CanInitPowerOn ......................................... 37
Optimze filters ....................................... 27, 32
CanInterruptDisable.................................... 47
Precopy ...............................19, 46, 47, 52, 54
CanInterruptRestore ................................... 47
Pretransmit............................................ 19, 49
CANoe .................................................. 41, 55
Queue ......................................................... 49
Channel properties ..................................... 23
Ranges........................................................ 46
clock.......................................... 28, 39, 40, 41
receive register............................................ 18
compile ..................................... 35, 36, 40, 41
Registers ..................................................... 18
Confirmation ............................................... 49
Search Algorithm......................................... 46
Data consistency ........................................ 47
signals ......................................................... 16
dbc file ............................................ 11, 22, 41
Strategies .............................................. 45, 48
dbc-file ............................................ 22, 23, 24
transmit register .......................................... 18
Diagnostics ................................................. 12
Transport Protocol....................................... 12
example .......................................... 35, 38, 39
Universal Measurement and Calibration
Example........................ 35, 36, 38, 41, 43, 51
Protocol (XCP).................................. 12, 13
generation process ................... 14, 33, 35, 41
yourecu.h ................35, 36, 37, 38, 41, 43, 51

©2009, Vector Informatik GmbH

Version: 2.4

based of template version 1.7

Document Outline

3 - CRC Library

CRC Library

Component Documentation

3.1 - Crc Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Crc

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Crc_Vector_Ar4.0.3_05.02.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3164

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/06/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

3.2 - TechnicalReference_Crc

MICROSAR CRC

3.3 - TechnicalReference_Crc_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21

3.4 - TechnicalReference_Crcs

MICROSAR CRC
Technical Reference

Version 4.02.00

Authors
Michael Goß
Status
Released

Technical Reference MICROSAR CRC
Document Information
History
Author
Date
Version
Remarks
Tobias Schmid
2006-12-13
1.0
Initial Version
Tobias Schmid
2008-01-21
3.00.00
Update to ASR 2.1
Changed versioning to new notation
Claudia Mausz
2008-05-19
4.00.00
Update to ASR 3
Add Crc8 calculation
Michael Goß
2014-11-18
4.01.00
Update to ASR 4
Add Crc8H2F calculation
Michael Goß
2015-05-08
4.02.00
SafeBSW
Add Crc32P4 calculation
Reference Documents
No.
Source
Title
Version
[1]   AUTOSAR
AUTOSAR_SWS_CRCLibrary.pdf
V4.2.0
[2]   AUTOSAR
AUTOSAR_TR_BSWModuleList.pdf
V1.6.0
Scope of the Document
This  technical  reference  describes  the  general  use  of  the  CRC  library  basis  software.
There are no aspects which are controller specific.

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2015, Vector Informatik GmbH
Version: 4.02.00
2 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.
Component Version  New Features
4.00.00
Update to AUTOSAR Version 3
Add Crc8 calculation
4.01.00
Update to AUTOSAR Version 4
Add Crc8 calculation based on 0x2F polynomial
4.02.00
Crc32 E2E Profile 4 routine was added due to SafeBSW
Table 1-1   Component history

2015, Vector Informatik GmbH
Version: 4.02.00
6 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
2  Introduction
This  document  describes  the  functionality, API  and  configuration  of  the AUTOSAR  BSW
module CRC as specified in [1].

Supported AUTOSAR Release*:
4
Supported Configuration Variants:
pre-compile
Vendor ID:
CRC_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
CRC_MODULE_ID
201 decimal
(according to ref. [2])
* For the precise AUTOSAR Release 4.x please see the release specific documentation.

This component implements service functions in ANSI C for calculating CRC checksums.
The module allows pre-compile configuration of the calculation method, which is used to
compute  the  CRC  values.  The  five  possible  methods  are  table  based  or  runtime
calculation of CRC values.
There are five different CRC calculation services available:
>  Two different services for checksum calculation of 8bit CRC value from a buffer
>  Checksum calculation of 16bit CRC value from a buffer
>  Two different services for checksum calculation of 32bit CRC value from a buffer
2015, Vector Informatik GmbH
Version: 4.02.00
7 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
2.1
Architecture Overview
The following figure shows where the CRC is located in the AUTOSAR architecture.

Figure 2-1  AUTOSAR 4.x Architecture Overview
No  interface from other module  is required. The CRC component is a service  module. It
can be called from any module or application (e.g. NVRAM Manager).

2015, Vector Informatik GmbH
Version: 4.02.00
8 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
3  Functional Description
3.1
Features
The features listed in the following tables cover the complete functionality specified for the
CRC.
The AUTOSAR  standard  functionality  is  specified  in  [1],  the  corresponding  features  are
listed in the tables
>  Table 3-1   Supported AUTOSAR standard conform features
>  Table 3-2   Not supported AUTOSAR standard conform features
Vector Informatik provides further CRC functionality beyond the AUTOSAR standard. The
corresponding features are listed in the table
>  Table 3-3   Features provided beyond the AUTOSAR standard

The following features specified in [1] are supported:
Supported AUTOSAR Standard Conform Features
Crc8 calculation based on the SAE-J1850 CRC8 Standard
Crc8 calculation based on 0x2F polynomial
Crc16 calculation based on the CCITT CRC16 Standard
Crc32 calculation based on the IEEE-802.3 Ethernet Standard
For all CRC calculations following methods can be used:
>  Table based calculation: results in fast execution, but increases code size (ROM
table)
>  Runtime calculation: results in smaller code size, but slower execution time
All routines are re-entrant and can be used by multiple applications at the same time.
Table 3-1   Supported AUTOSAR standard conform features
3.1.1
Deviations
The following features specified in [1] are not supported:
Not Supported AUTOSAR Standard Conform Features
Hardware based CRC calculation
Debugging concept
Table 3-2   Not supported AUTOSAR standard conform features

2015, Vector Informatik GmbH
Version: 4.02.00
9 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
3.1.2
Additions/ Extensions
The following features are provided beyond the AUTOSAR standard:
Features Provided Beyond The AUTOSAR Standard
Crc32 calculation based on 0xF4ACFB13 polynomial (E2E Profile 4).
Calculation can be configured either runtime or table based as described in Table 3-1.
Table 3-3   Features provided beyond the AUTOSAR standard
3.2
Initialization
No initialization is necessary.
3.3
States
This component does not contain any state machine.
3.4
Main Functions
This component does not have a main function. It only contains the routines to calculate
the  checksums.  These  API  functions  are  called  from  other  modules,  e.g.  NVRAM
Manager.
3.5
Error Handling
3.5.1
Development Error Reporting
Module CRC does not provide any development error detection mechanism.

3.5.2
Production Code Error Reporting
Module CRC does not provide any production error detection mechanism.

3.5.3
Parameter Checking
Module CRC’s functions do not perform any parameter checks.

2015, Vector Informatik GmbH
Version: 4.02.00
10 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
4  Integration
This chapter gives necessary information for the integration of the MICROSAR  CRC into
an application environment of an ECU.
4.1
Scope of Delivery
The delivery of the CRC contains the files which are described in the chapters  4.1.1 and
4.1.2.
4.1.1
Static Files
File Name
Description
Crc.c
Implementation of the CRC routines
Crc.h
Header file of the CRC routines
Table 4-1   Static files

4.1.2
Dynamic Files
The dynamic files are generated by the configuration tool DaVinci Configurator.
File Name
Description
Crc_Cfg.h
Configuration of the CRC routines
Table 4-2   Generated files

4.2
Include Structure
cmp Component View
Crc_Cfg.h
Crc.h
«include»
«use»
«include»
application / other BSW module
Crc.c

Figure 4-1  Include structure
2015, Vector Informatik GmbH
Version: 4.02.00
11 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
5  API Description
5.1
Type Definitions
The types defined by the CRC are described in this chapter.
Type Name
C-Type
Description
Value Range
Crc_DataRefType
P2CONST  Pointer type for pointers
0-255 (uint8)
to data buffers, from
which the CRC value is to
be calculated.
Table 5-1   Type definitions
Std_VersionInfoType
Struct Element Name  C-Type  Description
Value Range
Std_VersionInfoType
Struct
Returns the version
uint16 vendorID
information
uint16 moduleID
uint8 sw_major_version
uint8 sw_minor_version
uint8 sw_patch_version
Table 5-2   Std_VersionInfoType
5.2
Interrupt Service Routines provided by CRC
The CRC component does not provide any interrupt service routines.
5.3
Services provided by CRC
5.3.1
Crc_CalculateCRC8
Prototype
uint8 Crc_CalculateCRC8 (Crc_DataRefType Crc_DataPtr, uint32 Crc_Length, uint8
Crc_StartValue8, boolean Crc_IsFirstCall )
Parameter
Crc_DataPtr
Pointer to start address of data block to be calculated
Crc_Length
Length of data to be calculated (in bytes)
Crc_StartValue8
Value the algorithm starts with
Crc_IsFirstCall
TRUE: First call in a sequence or individual CRC calculation; start from initial
value, ignore Crc_StartValue8.
FALSE: Subsequent call in a call sequence; Crc_StartValue8 is interpreted to
be the return value of the previous function call.
Return code
uint8
8 bit result of CRC calculation
2015, Vector Informatik GmbH
Version: 4.02.00
12 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
Functional Description
This service performs a CRC8 calculation synchronously on Crc_Length data bytes, pointed to by
Crc_DataPtr, with the starting value of Crc_StartValue8. The CRC8 routine is based on the SAE-J1850
CRC8 Standard:
SAE-J1850 CRC8 Standard
value
CRC result width
8 bits
Polynomial
1Dh
Initial value
FFh
Input data reflected
No
Result data reflected
No
XOR value
FFh
Check
4Bh
Magic check
C4h
Table 5-3   SAE-J1850 CRC8 Standard

Particularities and Limitations
>  If large data blocks have to be calculated (>32 bytes), the table based calculation method
should be configured in order to decrease the calculation time.
Expected Caller Context
>  There is no specific caller. CRC can be called from anywhere.
Table 5-4   Crc_CalculateCRC8

5.3.2
Crc_CalculateCRC8H2F
Prototype
uint8 Crc_CalculateCRC8H2F (Crc_DataRefType Crc_DataPtr, uint32 Crc_Length,
uint8 Crc_StartValue8H2F, boolean Crc_IsFirstCall )
Parameter
Crc_DataPtr
Pointer to start address of data block to be calculated
Crc_Length
Length of data to be calculated (in bytes)
Crc_StartValue8H2F
Value the algorithm starts with
Crc_IsFirstCall
TRUE: First call in a sequence or individual CRC calculation; start from initial
value, ignore Crc_StartValue8H2F.
FALSE: Subsequent call in a call sequence; Crc_StartValue8H2F is
interpreted to be the return value of the previous function call.
Return code
uint8
8 bit result of CRC calculation
2015, Vector Informatik GmbH
Version: 4.02.00
13 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
Functional Description
This service performs a CRC8 calculation synchronously on Crc_Length data bytes, pointed to by
Crc_DataPtr, with the starting value of Crc_StartValue8H2F. The CRC8 routine is based on the generator
polynomial 0x2F:
CRC8 routine based on 0x2F polynomial
value
CRC result width
8 bits
Polynomial
2Fh
Initial value
FFh
Input data reflected
No
Result data reflected
No
XOR value
FFh
Check
DFh
Magic check
42h
Table 5-5   CRC calculation based on 0x2F polynomial

Particularities and Limitations
>  If large data blocks have to be calculated (>32 bytes), the table based calculation method
should be configured in order to decrease the calculation time.
Expected Caller Context
>  There is no specific caller. CRC can be called from anywhere.
Table 5-6   Crc_CalculateCRC8H2F

5.3.3
Crc_CalculateCRC16
Prototype
uint16 Crc_CalculateCRC16 (Crc_DataRefType Crc_DataPtr, uint32 Crc_Length,
uint16 Crc_StartValue16, boolean Crc_IsFirstCall )
Parameter
Crc_DataPtr
Pointer to start address of data block to be calculated
Crc_Length
Length of data to be calculated (in bytes)
Crc_StartValue16
Value the algorithm starts with
Crc_IsFirstCall
TRUE: First call in a sequence or individual CRC calculation; start from initial
value, ignore Crc_StartValue16.
FALSE: Subsequent call in a call sequence; Crc_StartValue16 is interpreted to
be the return value of the previous function call.
Return code
uint16
16 bit result of CRC calculation
2015, Vector Informatik GmbH
Version: 4.02.00
14 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
Functional Description
This service performs a CRC16 calculation synchronously on Crc_Length data bytes, pointed to by
Crc_DataPtr, with the starting value of Crc_StartValue16. The CRC16 routine is based on the CCITT
CRC16 Standard:
CCITT CRC16  Standard
value
CRC result width
16 bits
Polynomial
1021h
Initial value
FFFFh
Input data reflected
No
Result data reflected
No
XOR value
0000h
Check
29B1h
Magic check
0000h
Table 5-7   CCITT CRC16 Standard

Particularities and Limitations
>  If large data blocks have to be calculated (>32 bytes), the table based calculation method
should be configured in order to decrease the calculation time.
Expected Caller Context
>  There is no specific caller. CRC can be called from anywhere.
Table 5-8   Crc_CalculateCRC16

5.3.4
Crc_CalculateCRC32
Prototype
uint32 Crc_CalculateCRC32 (Crc_DataRefType Crc_DataPtr, uint32 Crc_Length,
uint32 Crc_StartValue32, boolean Crc_IsFirstCall)
Parameter
Crc_DataPtr
Pointer to start address of data block to be calculated
Crc_Length
Length of data to be calculated (in bytes)
Crc_StartValue32
Value the algorithm starts with
Crc_IsFirstCall
TRUE: First call in a sequence or individual CRC calculation; start from initial
value, ignore Crc_StartValue32.
FALSE: Subsequent call in a call sequence; Crc_StartValue32 is interpreted to
be the return value of the previous function call.
Return code
uint32
32 bit result of CRC calculation
2015, Vector Informatik GmbH
Version: 4.02.00
15 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
Functional Description
This service performs a CRC32 calculation synchronously on Crc_Length data bytes, pointed to by
Crc_DataPtr, with the starting value of Crc_StartValue32. The CRC32 routine is based on the IEEE-802.3
CRC32 Ethernet Standard:
IEEE-802.3 CRC32 Ethernet Standard
value
CRC result width
32 bits
Polynomial
04C11DB7h
Initial value
FFFFFFFFh
Input data reflected
Yes
Result data reflected
Yes
XOR value
FFFFFFFFh
Check
CBF43926h
Magic check*
DEBB20E3h
Table 5-9   IEEE-802.3 CRC32 Ethernet Standard

*Important note
To match the magic check value, the CRC must be appended in little endian format,
  i.e. low significant byte first. This is due to the reflections of the input and the result.
Example of magic check: calculation of IEEE-802.3 CRC32 over data bytes 31h 32h
33h 34h 35h 36h 37h 38h 39h:
>  CRC generation: CRC over 31h 32h 33h 34h 35h 36h 37h 38h 39h,
initial value FFFFFFFFh:
>  CRC-result: CBh F4h 39h 26h (See check value)
>  CRC check: CRC over 31h 32h 33h 34h 35h 36h 37h 38h 39h 26h 39h
F4h CBh (CRC-result was appended to data bytes in little endian
format), initial value FFFFFFFFh:
>  CRC-result: 21h 44h DFh 1Ch
>  Magic check = CRC-result XORed with ‘XOR value’:
DEBB20E3h = 2144DF1Ch xor FFFFFFFFh

Particularities and Limitations
>  If large data blocks have to be calculated (>32 bytes), the table based calculation method
should be configured in order to decrease the calculation time.
Expected Caller Context
>  There is no specific caller. CRC can be called from anywhere.
Table 5-10   Crc_CalculateCRC32
2015, Vector Informatik GmbH
Version: 4.02.00
16 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
5.3.5
Crc_CalculateCRC32P4
Prototype
uint32 Crc_CalculateCRC32P4 (Crc_DataRefType Crc_DataPtr, uint32 Crc_Length,
uint32 Crc_StartValue32, boolean Crc_IsFirstCall)
Parameter
Crc_DataPtr
Pointer to start address of data block to be calculated
Crc_Length
Length of data to be calculated (in bytes)
Crc_StartValue32
Value the algorithm starts with
Crc_IsFirstCall
TRUE: First call in a sequence or individual CRC calculation; start from initial
value, ignore Crc_StartValue32.
FALSE: Subsequent call in a call sequence; Crc_StartValue32 is interpreted to
be the return value of the previous function call.
Return code
uint32
32 bit result of CRC calculation
Functional Description
This service performs a CRC32 calculation synchronously on Crc_Length data bytes, pointed to by
Crc_DataPtr, with the starting value of Crc_StartValue32. The CRC32 routine is based on the 0xF4ACFB13
polynomial (E2E Protection Profile 4):

CRC 32 routine based on 0xF4ACFB13
value
polyonmial
CRC result width
32 bits
Polynomial
F4ACFB13h
Initial value
FFFFFFFFh
Input data reflected
Yes
Result data reflected
Yes
XOR value
FFFFFFFFh
Check
1697D06Ah
Magic check
6FB32240h
Table 5-11   CRC32 calculation based on 0xF4ACFB13 polynomial (E2E Protection Profile 4)
Particularities and Limitations
>  If large data blocks have to be calculated (>32 bytes), the table based calculation method should be
configured in order to decrease the calculation time.
Call context
>  There is no specific caller. CRC can be called from anywhere.
Table 5-12   Crc_CalculateCRC32P4

2015, Vector Informatik GmbH
Version: 4.02.00
17 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC

5.3.6
Crc_GetVersionInfo
Prototype
void Crc_GetVersionInfo ( Std_VersionInfoType *Versioninfo )
Parameter
Versioninfo
Pointer to where to store the version information of this module
Return code
None
--
Functional Description
This service returns the version information of the module. The version information includes:
>  Module ID
>  Vendor ID
>  Vendor specific version numbers
This function is pre-compile time configurable On/Off by the configuration parameter
CrcVersionInfoApi.
Particularities and Limitations
>  None
Expected Caller Context
>  Application
Table 5-13   Crc_GetVersionInfo
5.4
Services used by CRC
The CRC component does not use services from other modules.
5.5
Callback Functions
Module CRC’s functions do not provide any callback functions.
5.6
Configurable Interfaces
5.6.1
Notifications
The CRC module does not provide notifications for upper layers. The CRC routines return
the checksum; this value will be evaluated by application or other modules.
5.6.2
Callout Functions
The CRC module does not provide callout functions.
5.6.3
Hook Functions
The CRC module does not provide hook functions.
2015, Vector Informatik GmbH
Version: 4.02.00
18 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
6  Configuration
6.1
Configuration Variants
The CRC supports the configuration variants
>  VARIANT-PRE-COMPILE
The configuration classes of the CRC parameters depend on the supported configuration
variants. For their definitions please see the Crc_bswmd.arxml file.
CRC can be configured using the following tool:
>  DaVinci Configurator 5 (AUTOSAR 4 packages only). Parameters are explained within
the tool.
2015, Vector Informatik GmbH
Version: 4.02.00
19 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
7  Glossary and Abbreviations
7.1
Glossary
Term
Description
CRC
Cyclic Redundancy Check
Table 7-1   Glossary

7.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
CCITT
Commité Consultatif Internationale Télégrafique et Téléfonique
DEM
Diagnostic Event Manager
DET
Development Error Tracer
E2E
End to End
ECU
Electronic Control Unit
HIS
Hersteller Initiative Software
IEEE
Institute of Electrical and Electronics Engineers
ISR
Interrupt Service Routine
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
NVRAM Manager
Non Volatile Random Access Memory Manager
ROM
Read Only Memory
RTE
Runtime Environment
SAE
Society of Automotive Engineers
SRS
Software Requirement Specification
SWC
Software Component
SWS
Software Specification
Table 7-2   Abbreviations

2015, Vector Informatik GmbH
Version: 4.02.00
20 / 21
based on template version 5.9.0

Technical Reference MICROSAR CRC
8  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 4.02.00
21 / 21
based on template version 5.9.0

Document Outline

4 - Default Error Tracer

Default Error Tracer

Component Documentation

4.1 - Det Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Det

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Det_Vector_Ar4.0.3_07.00.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3193

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

4.2 - TechnicalReference_Det

Technical Reference

4.3 - TechnicalReference_Det_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30

4.4 - TechnicalReference_Dets

MICROSAR DET
Technical Reference

Version 2.4.0

Authors
Hartmut Hörner
Version:
2.4.0
Status:
Released

Technical Reference MICROSAR DET

1  Document Information
1.1
History
Author
Date
Version
Remarks
Hartmut Hörner
2007-11-29
1.0
Initial version
Hartmut Hörner
2008-01-03
1.1
Update to AUTOSAR 3
Hartmut Hörner
2008-04-14
1.2
Naming changed to
AUTOSAR short name,
screen shots updated.
(ESCAN00025687)
Hartmut Hörner
2008-09-16
1.3
Added DET extension
mechanism based on callout
(4.7, 6.3.1).
Added chapter 5.3.
Hartmut Hörner
2010-01-13
2.0
Update to AUTOSAR 4
Hartmut Hörner
2012-04-20
2.1
Added usage hints related to
silent BSW concept in 5.4
(ESCAN00058419)
Hartmut Hörner
2013-04-09
2.2
Added Configurator 5 and
service port interface
(ESCAN00066511)
Hartmut Hörner
2013-09-13
2.3
Added DLT forwarding
support for Configurator 5
(ESCAN00068394,
ESCAN00069807)
Hartmut Hörner
2014-12-10
2.3.1
Added description of
BCD-coded return value of
Det_GetVersionInfo()
(ESCAN00079310)
Hartmut Hörner
2015-06-12
2.4.0
File name changed
(ESCAN00081049)
Added chapter 5.4.
Table 1-1   History of the Document
2015, Vector Informatik GmbH
Version: 2.4.0
2 / 30
based on template version 2.0

Technical Reference MICROSAR DET

1.2
Reference Documents
Index
Document
[1]
AUTOSAR_SWS_DET.pdf, Version 2.2.0
[2]
AUTOSAR_SWS_DET.pdf, Version 3.0.0

Table 1-2 Referenced documents

Please note
We have configured the programs in accordance with your specifications in the

questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2015, Vector Informatik GmbH
Version: 2.4.0
3 / 30
based on template version 2.0

Technical Reference MICROSAR DET

2  Component History
Component
New Features
Version
0.01.00
Creation
2.00.00
Update for AUTOSAR Release 2.0
3.00.00
Update for AUTOSAR Release 2.1
3.01.00
GetVersionInfo API added
3.02.00
Extended debug features added
4.00.00
Update for AUTOSAR Release 3
compiler abstraction and memmap added
4.01.00
DET entry callout
5.00.00
Update for AUTOSAR Release 4
6.00.00
Support of Configurator 5 (MSR3)
7.00.00
Support of Configurator 5 (MSR4)
8.00.00
DLT and service port interface
9.00.00
safeBSW
Table 2-1   Component History

2015, Vector Informatik GmbH
Version: 2.4.0
7 / 30
based on template version 2.0

Technical Reference MICROSAR DET

3  Introduction
This  document  describes  the  functionality, API  and  configuration  of  the AUTOSAR  BSW
module DET (Development Error Tracer) as specified in [1] and [2].

Supported AUTOSAR Release*:
3 and 4
Supported Configuration Variants:
pre-compile

Vendor ID:
DET_VENDOR_ID 30
Module ID:
DET_MODULE_ID 15

* For the precise AUTOSAR Release 3.x and 4.x please see the release specific documentation.

The DET is the central error handler in the AUTOSAR architecture during the development
phase. All other basic software modules can report development errors to the DET.


3.1
Architecture Overview
The following figure shows where the DET is located in the AUTOSAR architecture.

Figure 3-1  AUTOSAR architecture

2015, Vector Informatik GmbH
Version: 2.4.0
8 / 30
based on template version 2.0

Technical Reference MICROSAR DET

The following figure shows the interfaces to modules adjacent to DET. These interfaces
are described in chapter 6.
<any BSW module>
EcuM
Application
Dlt
COM
IPDU
Report
Init /
Callout
Forward
error
Start
error
DET

Figure 3-2 Interfaces to adjacent modules of the DET

2015, Vector Informatik GmbH
Version: 2.4.0
9 / 30
based on template version 2.0

Technical Reference MICROSAR DET

4  Functional Description
4.1
Features
The features listed in this chapter cover the complete functionality specified in [1] and [2].
The  "supported"  and  "not  supported"  features  are  presented  in  the  following  two  tables.
For further information of not supported features also see to chapter 8.

The following features described in [1] are supported:
Feature
Initialization and start services
Error reporting service
Table 4-1   Supported SWS features

The following features described in [1] and [2] are not supported in GENy:
Feature
Service port interface is only supported in Configurator 5
Forwarding of DET errors to the DLT module is only supported in Configurator 5
Table 4-2   Not supported AUTOSAR 3 and 4 SWS features
The following features described in [2] are not supported:
Feature
Configurable list of error hooks (use the DET entry callout instead)
Debugging support (AUTOSAR debugging concept)
Table 4-3   Not supported AUTOSAR 4 SWS features
4.2
Initialization
The DET is initialized and operational after the API Det_Init has been called. In [1] and
[2] an additional Det_Start service is specified to handle cases where it is necessary to
split the initialization in two phases. Since this is not applicable the Det_Start function is
empty.
In  the AUTOSAR  4  variant  the API  Det_InitMemory  may  have  to  be used  in  addition,
please refer to the API description 6.2.2 for details.
4.3
States
The DET has no internal state machine, it is operational after initialization.
In the AUTOSAR 4 variant the module uses its initialization state to perform a check if the
module has been initialized.
2015, Vector Informatik GmbH
Version: 2.4.0
10 / 30
based on template version 2.0

Technical Reference MICROSAR DET

4.4
Main Functions
The DET has no main function since it does not perform cyclic tasks.
4.5
Error Handling
Since the DET is the centralized error handler it does not  use error handling services  of
other BSW modules.
4.6
Debugging with the DET
The DET is called for each development error which is reported by other BSW modules.
Since  it  is  potentially  not  safe  to  continue  the  program  when  such  an  error  occurs,  the
default implementation of the DET is an endless loop.
A breakpoint should always be set in this loop. When the breakpoint is hit, the parameters
of the function Det_ReportError 6.2.4 can be inspected in the debugger. By means of
these parameters it is possible to find out which error occurred; it is however sometimes
more convenient to use a stack trace if the debugger provides this.

A breakpoint should always be set in the endless loop

If a simulated target based on the CANoe emulation environment is used the endless loop
is replaced by an error message in the CANoe write window.
4.6.1
Extended Debug Features
Sometimes  the  provision  of  the  endless  loop  is  not  sufficient  for  debugging,  therefore
some extended debug features are provided. These features are thought as a debugging
aid, thus they are accessible via the debugger and do not have special APIs.
To use these features the attribute “Enable Extended Debug Support” must be enabled (s.
7.1.2).
4.6.1.1
Filters
Sometimes  it  happens  that  a  BSW  module  reports  DET  errors  which  are  known  to  be
uncritical.  Such  errors  can  be  ignored  by  discarding  the  related  calls  to
Det_ReportError.
To  implement  this  functionality  the  DET  provides  a  set  of  filters  where  the  errors  to  be
discarded can be configured. It is possible to use the patterns 0xff or 0xffff as wild cards
(don’t care patterns).
2015, Vector Informatik GmbH
Version: 2.4.0
11 / 30
based on template version 2.0

Technical Reference MICROSAR DET

Configuration of filters
  configure the required number of filters in configuration tool with the attribute

“Number of Global Filters” (s. 7.1.2)
  enable filtering globally in the debugger by setting
detStatus.globalFilterActive to 1

  configure the required filters in the debugger by setting detGlobalFilter
elements

Filter examples
  a) ignore error 3 of API7 of module 20 in instance 0
  moduleId=20
  instanceId=0
  apiId=7
errorId=3
b) ignore all errors of module 20 in instance 0
  moduleId=20
  instanceId=0
  apiId=0xff
  errorId=0xff

4.6.1.2
Logging
The DET provides a log buffer for incoming error messages. Error messages which have
been filtered are not logged.
The contents of the log buffer can be viewed with the debugger.

Configuration of logging
  configure the required size of the log buffer in the configuration tool with the

attribute “Size of Log Buffer” (s. 7.1.2)
2015, Vector Informatik GmbH
Version: 2.4.0
12 / 30
based on template version 2.0

Technical Reference MICROSAR DET

  enable logging globally in the debugger by setting detStatus.logActive to 1

Logging example
  The variable detStatus.logIndex shows the index in the log buffer with the last logged
development error. Use the elements of detLogBuffer to view the logged errors.

By default all elements of the variable (s. above) detLogBuffer are initialized with zero.

By  setting  detStatus.breakOnLogOverrun  in  the  debugger  it  is  possible  to  enter  the
endless loop if the log buffer is full.
4.6.1.3
Break handler
For some errors it is possible to continue operation. Therefore it  is possible to unlock the
endless loop with the debugger to continue the program. Since the same error could occur
multiple times and to avoid ending up in the endless loop again it is possible to configure a
special filter set for the break handler. Such errors are logged (if logging is active) but do
not lead to a break.

2015, Vector Informatik GmbH
Version: 2.4.0
13 / 30
based on template version 2.0

Technical Reference MICROSAR DET

Configuration of break handler filters
  configure the required number of break handler filters in configuration tool

with the attribute “Number of Break Handler Filters” (s. 7.1.2)
  enable break handler filtering globally in the debugger by setting
detStatus.breakFilterActive to 1

  configure the required break handler filters in the debugger by setting
detBreakFilter elements

For some filter examples please refer to 4.6.1.1.
In  the  following  example  it  is  described  how  the  endless  loop  can  be  unlocked  in  the
debugger.
How to unlock the endless loop
Set detStatus.unlockBreak to 1 to leave endless loop:

2015, Vector Informatik GmbH
Version: 2.4.0
14 / 30
based on template version 2.0

Technical Reference MICROSAR DET

4.7
Extension of the DET
Sometimes  the built-in  debug features of the DET may not  be sufficient  or some special
handling of errors is required. Examples for such use cases include:
Logging of DET errors via debug interface
Transmission of DET errors on a serial bus system
Error  handling  which  requires  direct  access  to  the  hardware  (e.g.  disabling  of
specific interrupts)
Complex application specific error handling
To
support
such
extensions
the
DET
provides
a
DET
entry
callout
(Appl_DetEntryCallout) which is called first when the DET is entered. The callout has
to  be  provided  by  the application.  It  receives  all  parameters of  the  DET’s error  reporting
function. Depending on the return code the DET continues or abandons error handling. For
details  please  refer  to  API  description  in  chapter  6.3.1.  This  feature  is  enabled  by  a
configuration parameter as described in chapter 7.1.2.
2015, Vector Informatik GmbH
Version: 2.4.0
15 / 30
based on template version 2.0

Technical Reference MICROSAR DET

5  Integration
This chapter gives necessary information for the integration of  the  MICROSAR  DET  into
an application environment of an ECU.
5.1
Scope of Delivery
In the delivery of the MICROSAR DET the files listed in 5.1.1 and 5.1.2 are contained.
5.1.1
Static Files
File Name
Description
Det.c
This is the source file of the DET
Det.h
This is the header file of the DET
Table 5-1
Static files
5.1.2
Generated Files
The dynamic files are generated by the configuration tool.
File Name
Description
Det_cfg.h
This is configuration header file containing pre-compile parameters.
Table 5-2
Generated files
5.2
Include Structure
The DET includes the headers mentioned in the previous chapters 5.1.1 and 5.1.2.
In addition the file Std_Types.h is included.
To support the AUTOSAR memory mapping concept the header MemMap.h is included.
5.3
Handling of Recursions
If DET errors occur within the call context of the DET recursions could be caused. This can
happen in the following cases:
A  DET  error  occurs  in  one  of  the  interrupt  enabling  or  disabling  functions  which
are used by the DET on its own to protect critical sections of the DET.
In an Appl_DetEntryCallout or a subroutine of Appl_DetEntryCallout if
BSW API functions are used there.
These cases are handled by an internal locking mechanism in the DET so the application
needs not to take care of them. It should however be noted that in case of a recursion the
DET might skip a callout or its internal error logging.
If forwarding of errors to the DLT module is used (Configurator 5 only) the DLT module is
responsible for preventing potential recursions which could occur if a DET error is reported
by  the  DLT  module.  The  MICROSAR  implementation  of  the  DLT  module  considers  this
requirement.
2015, Vector Informatik GmbH
Version: 2.4.0
16 / 30
based on template version 2.0

Technical Reference MICROSAR DET

5.4
Critical Sections
The DET has code sections which need protection against preemption. Therefore the DET
uses  one  exclusive  area  which  typically  requires  an  interrupt  lock  up  to  the  highest
interrupt level where DET error reports can be produced:
DET_EXCLUSIVE_AREA_0
This exclusive area is short and only relevant if the logging feature is activated.
5.5
Usage Hints for Operation in Safety Related ECUs
The  silent  BSW  concept  assures  that  a  BSW  module  does  not  corrupt  memory  of  the
application  and  other  BSW  modules.  In  this  context  the  following  aspects  have  to  be
considered for the DET:
In  the  callout  function  Appl_DetEntryCallout  the  DET  passes  four
parameters to the application which could be used as indices by the application.
Please  note,  that  the  DET  does  not  perform  plausibility  checks  of  the  value
ranges  of  those  parameters  because  the  errors  reported  to  the  DET  are  not
known  by  the  DET  in  advance.  The  producer  and  consumer  (could  both  be
application  code)  has  to  perform  plausibility  checks  of  the  index  parameters  if
necessary.
If  the  extended  debug  feature  “logging”  is  used  depending  on  the  scheduling
concept of the ECU DET errors could be logged from different contexts and it has
therefore  to  be  secured  that  the  critical  section  DET_EXCLUSIVE_AREA_0
reaches  up  the  highest  processing  level  of  the  application  which  can  produce
DET errors.
The application has to pass a valid pointer to the API  Det_GetVersionInfo. A
NULL  pointer  check  of  the  passed  pointer  parameter  is  only  available  in  the
AUTOSAR 4 variant of the DET.
The  DET  is  intended  for  the  development  phase  of  an  ECU.  If  it  is  used  in
production  code  the  extended  debug  features  should  be  switched  off  because
they are only relevant if a debugger is attached.

2015, Vector Informatik GmbH
Version: 2.4.0
17 / 30
based on template version 2.0

Technical Reference MICROSAR DET

6  API Description
6.1
Interfaces Overview
The DET provides the four services
Det_Init for initialization,
Det_InitMemory for initialization (AUTOSAR 4 only),
Det_Start for additional initialization purposes,
Det_ReportError for reporting of development errors and
Det_GetVersionInfo for version information.
They are described in detail in the following sections.
6.2
Services Provided by MICROSAR DET
The MICROSAR DET API consists of services, which are realized by function calls.
6.2.1
Det_Init
Det_Init
Prototype
void Det_Init  ( void )
Parameter
-
-
Return code
-
-
Functional Description
Initializes the DET.
Particularities and Limitations
>  Should only be called once by the EcuM when the system is started
Expected Caller Context
>  Should be called from a safe context on task level
Table 6-1   Det_Init
2015, Vector Informatik GmbH
Version: 2.4.0
18 / 30
based on template version 2.0

Technical Reference MICROSAR DET

6.2.2
Det_InitMemory
Det_InitMemory
Prototype
void Det_InitMemory  ( void )
Parameter
-
-
Return code
-
-
Functional Description
Initializes the state variable for the un-init check of the DET. If this function is used it must be called before
Det_Init.
Particularities and Limitations
>  Should only be called once by the EcuM when the system is started
>  Only needed if the startup code does not support initialized RAM
>  Only applicable for the AUTOSAR 4 variant
Expected Caller Context
>  Should be called from a safe context on task level
Table 6-2   Det_InitMemory

6.2.3
Det_Start
Det_Start
Prototype
void Det_Start  ( void )
Parameter
-
-
Return code
-
-
Functional Description
Starts the DET. This service currently has no functionality, i.e. the API function is empty.
Particularities and Limitations
>  Call could be omitted
Expected Caller Context
>  No restriction
Table 6-3   Det_Start

2015, Vector Informatik GmbH
Version: 2.4.0
19 / 30
based on template version 2.0

Technical Reference MICROSAR DET

6.2.4
Det_ReportError
Det_ReportError
Prototype
AUTOSAR 3:
void Det_ReportError  ( uint16 ModuleId, uint8 InstanceId,
  uint8 ApiId, uint8 ErrorId )
AUTOSAR 4:
Std_ReturnType Det_ReportError  ( uint16 ModuleId, uint8 InstanceId,
  uint8 ApiId, uint8 ErrorId )

Parameter
ModuleId
Module ID of calling module
InstanceId
The identifier of the index based instance of a module, starting from 0, If the
module is a single instance module it shall pass 0 as the InstanceId.
ApiId
ID of API service in which error is detected
(defined in SWS of calling module)
ErrorId
ID of detected development error
(defined in SWS of calling module)
Return code
AUTOSAR 3:

-
-
AUTOSAR 4:

Std_ReturnType
Always E_OK
Functional Description
Used to report errors from other BSW modules to the DET. If extended debug features are disabled the
DET enters an endless loop in case of an embedded target or issues an error message in the CANoe write
window in case of a simulated target.
For details please refer to chapter 4.
Particularities and Limitations
>  If this function is called the DET may enter an endless loop, therefore it is strongly
recommended to put a breakpoint in the DET.
Expected Caller Context
>  No restriction
Table 6-4   Det_ReportError
2015, Vector Informatik GmbH
Version: 2.4.0
20 / 30
based on template version 2.0

Technical Reference MICROSAR DET

6.2.5
Det_GetVersionInfo
Det_GetVersionInfo
Prototype
void Det_GetVersionInfo  ( Std_VersionInfoType *versioninfo )
Parameter
versioninfo
Version information of the DET
Return code
-
-
Functional Description
This API returns version information, vendor ID and AUTOSAR module ID of the component.
The versions are BCD-coded.
Particularities and Limitations
>  This API is only available if enabled in configuration (s. 7.1.2).
>  As an alternative the #defines described in [1] chapter 10.2 could be used to read this
information.
Expected Caller Context
>  No restriction
Table 6-5   Det_GetVersionInfo
2015, Vector Informatik GmbH
Version: 2.4.0
21 / 30
based on template version 2.0

Technical Reference MICROSAR DET

6.3
Services used by MICROSAR DET
In the following table services provided by other components, which are used by the DET
are  listed.  For details about  prototype and functionality refer to the documentation of  the
providing component.
Component
API
DLT
Dlt_DetForwardErrorTrace
Only if configured in Configurator 5.
Table 6-6
Services used by the DET

To allow for extensions of the DET a callout to the application is used.
6.3.1
Appl_DetEntryCallout
Appl_DetEntryCallout
Prototype
uint8 Appl_DetEntryCallout  ( uint16 ModuleId, uint8 InstanceId,
  uint8 ApiId, uint8 ErrorId )
Parameter
ModuleId
Module ID of calling module
InstanceId
The identifier of the index based instance of a module, starting from 0, If the
module is a single instance module it shall pass 0 as the InstanceId.
ApiId
ID of API service in which error is detected
(defined in SWS of calling module)
ErrorId
ID of detected development error
(defined in SWS of calling module)
Return code
uint8
0 continue DET processing
1 abandon DET processing
Functional Description
This function is used to extend the DET. The parameters can be used for application specific error
handling. By means of the return code the application can control further processing of the DET.
For details please refer to chapter 4.7.
Particularities and Limitations
>  This API is only available if enabled in configuration (s. 7.1.2).
>  This function has to be provided by the application.
Expected Caller Context
>  No restriction
Table 6-7   Appl_DetEntryCallout
6.4
Callback Functions
The DET does not provide callback functions.
2015, Vector Informatik GmbH
Version: 2.4.0
22 / 30
based on template version 2.0

Technical Reference MICROSAR DET

6.5
Configurable Interfaces
The DET does not provide configurable interfaces.
2015, Vector Informatik GmbH
Version: 2.4.0
23 / 30
based on template version 2.0

Technical Reference MICROSAR DET

6.6
Service Ports
Service ports are only supported in conjunction with the Configurator 5.
6.6.1
Client Server Interface
A client server interface is related to a Provide Port at the server side and a Require Port
at client side.
6.6.1.1
Provide Ports on DET Side
At  the  Provide  Ports  of  the  DET  the  API  function  described  in  6.2.4  is  available  as
Runnable Entity. Runnable Entities are invoked via Operations. The mapping from a SWC
client  call  to  an  Operation  is  performed  by  the  RTE.  In this  mapping  the  RTE adds  Port
Defined Argument Values to the client call of the SWC, if configured.
The  following  sub-chapter  presents  the  Provide  Port  defined  for  the  DET  and  the
Operation defined for the Provide Port, the API function related to the Operation and the
Port Defined Argument Values to be added by the RTE.
6.6.1.1.1
DETService

Operation
API Function
Port Defined Argument Values
ReportError
Det_ReportError
uint16 ModuleId
( IN uint8 InstanceId,
IN uint8 ApiId,
IN uint8 ErrorId )
Table 6-8   DETService
A separate  DETService  Port is needed for each AUTOSAR SW-C which  wants  to report
errors  to  the  DET  module  which  corresponds  to  the  service  port  of  the  SW-C.  Each
DETService  Port  needs  a  ModuleId  as  port  defined  argument  value.  This  value  is  set
automatically  and  symbolic  name  value  defines  for  the  ModuleIds  are  generated.  The
required service ports and their ModuleIds are configured in Configurator 5.
2015, Vector Informatik GmbH
Version: 2.4.0
24 / 30
based on template version 2.0

Technical Reference MICROSAR DET

7  Configuration
In the MICROSAR DET the attributes can be configured with the following methods:
>  Configuration in GENy, for a detailed description see 7.1
>  Configuration in Configurator 5, for a detailed description refer to the online help
7.1
Configuration with GENy
The MICROSAR DET is configured with the help of the configuration tool GENy.
7.1.1
System Configuration
To use the DET it must be enabled in the system configuration in GENy.

Figure 7-1  Enabling the DET in the GENy system configuration
7.1.2
Component Configuration
In the following screenshot the component configuration of the DET is shown.

Figure 7-2  Component configuration of the DET

2015, Vector Informatik GmbH
Version: 2.4.0
25 / 30
based on template version 2.0

Technical Reference MICROSAR DET

Details  about  the  configuration  parameters  are  given  in  Table  7-1.  The  usage  of  these
parameters for the extended debug support is described in chapter 4.6.1.

Attribute Name
Configuration  Value
Values
Description
Variant
Type
The default value
is written in bold
Global settings
Enable Development  Pre-compile
boolean
On/off
Enable reporting of development
Error Tracer
errors.
Get Version Info
Pre-compile
boolean
On/off
Enable the function
Det_GetVersionInfo() to get the
major, minor and patch version
information.
Entry Callout
Pre-compile
boolean
On/off
Enable the function
Appl_DetEntryCallout to support
user specific extensions.
Extended Debug support
Enable Extended
Pre-compile
boolean
On/off
Enable extended debug support
Debug Support
features including filtering, logging
and flexible break handling.
Number of Global
Pre-compile
integer
0..255
Number of global filters which can
Filters
be used to discard irrelevant
errors.
Number of Break
Pre-compile
integer
0..255
Number of break handler filters
Handler Filters
which can be used to exit the DET
without entering the endless loop.
Size of Log Buffer
Pre-compile
integer
0..255
Size of the log buffer which can be
used to log errors reported to the
DET.
Table 7-1   DET configuration parameters

2015, Vector Informatik GmbH
Version: 2.4.0
26 / 30
based on template version 2.0

Technical Reference MICROSAR DET

8  AUTOSAR Standard Compliance
8.1
Deviations
8.1.1
Support of Service Port Interface
The current version supports the AUTOSAR service port interface only for the Configurator
5. If the DET should be used to log application errors and the tool GENy is used the SWCs
should call the DET directly.
8.1.2
Support of AUTOSAR Debugging Concept (AUTOSAR 4)
Forwarding of DET errors to the DLT module is only supported for the Configurator 5.
The AUTOSAR debugging concept is not supported.
8.1.3
Support of Configurable List of Error Hooks (AUTOSAR 4)
This feature is not supported; the extension mechanism (DET entry callout)  can be used
instead.

8.2
Additions/ Extensions
8.2.1
Extended Debug Features
Since  AUTOSAR  specifies  only  the  interface  and  not  the  functionality  of  the  DET  all
provided debugging features are AUTOSAR extensions.
8.2.2
DET Extension Mechanism
Since  AUTOSAR  does  not  specify  a  mechanism  how  the  DET  can  be  extended  by
application code a callout was added.
8.3
Limitations
None

2015, Vector Informatik GmbH
Version: 2.4.0
27 / 30
based on template version 2.0

Technical Reference MICROSAR DET

9  Abbreviations
Abbreviation
Description
API
Application Programming Interface
BSW
Basis SoftWare
DEM
Diagnostic Event Manager
DET
Development Error Tracer
DLT
Diagnostic Log and Trace
pPort
Provide Port
rPort
Require Port
RTE
RunTime Environment
SWC
SoftWare Component
Table 9-1   Abbreviations

2015, Vector Informatik GmbH
Version: 2.4.0
28 / 30
based on template version 2.0

Technical Reference MICROSAR DET

10 Glossary
Term
Description
Stack trace
A stack trace (also called stack backtrace or stack traceback) is a report
of the active stack frames instantiated by the execution of a program.
Although stack traces may be generated anywhere within a program, they
are mostly used to aid debugging by showing where exactly an error
occurs. The last few stack frames often indicate the origin of the bug.
Table 10-1 Glossary

2015, Vector Informatik GmbH
Version: 2.4.0
29 / 30
based on template version 2.0

Technical Reference MICROSAR DET

11 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector-informatik.com

2015, Vector Informatik GmbH
Version: 2.4.0
30 / 30
based on template version 2.0

5 - Diagnostic Event Manager

Diagnostic Event Manager

Component Documentation

5.1 - Dem Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Dem

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Dem_Vector_Ar4.1.2_09.01.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3165

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/06/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

5.2 - TechnicalReference_Dem

MICROSAR Diagnostic Event Manager (Dem)

5.3 - TechnicalReference_Dem_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126
Page 127
Page 128
Page 129
Page 130
Page 131
Page 132
Page 133
Page 134
Page 135
Page 136
Page 137
Page 138
Page 139
Page 140
Page 141
Page 142
Page 143
Page 144
Page 145
Page 146
Page 147
Page 148
Page 149
Page 150
Page 151
Page 152
Page 153
Page 154
Page 155
Page 156
Page 157
Page 158
Page 159
Page 160
Page 161
Page 162
Page 163
Page 164
Page 165
Page 166
Page 167
Page 168
Page 169
Page 170
Page 171
Page 172
Page 173
Page 174
Page 175

5.4 - TechnicalReference_Dems

MICROSAR Diagnostic Event Manager
(Dem)
Technical Reference

Version 4.3.0

Authors
Thomas Dedler, Alexander Ditte, Matthias Heil
Status
Released

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Document Information
History
Author
Date
Version  Remarks
A. Ditte
2012-05-04  1.0.0
>  Initial Version
A. Ditte
2012-10-09  1.0.1
>  Add chapter 6.2.4.18 and 6.6.1.2.11
>  Add GetEventEnableCondition to chapter 6.6.1.1.2
M. Heil
2012-11-02
1.1.0
>  Architecture Update
A. Ditte,
2013-02-15  1.2.0
>  Introduced Measurement and Calibration (chapter 5)
M. Heil
>  Extended chapters 3.3, 3.5, 3.15, 4.3 and 4.3.1
>  Added User Controlled WarningIndicatorRequest
(chapter 3.16.1)
>  Added chapters 6.2.4.22, 6.2.4.23, 6.6.1.1.9
M. Heil
2013-04-05  1.3.0
>  Support for feature ‘DTC suppression’
>  Added chapter 3.9, APIs 6.2.4.24, 6.2.4.25
>  Reworked table layout in chapters 4.3, 5.2
>  Reworked Measurement and Calibration (chapter 5)
>  Added measurable items (chapter 5.1)
M. Heil
2013-06-17  1.4.0
>  Added combined events
>  Reworked suppression
T. Dedler
2013-07-22  1.4.1
>  critical section description extended
T. Dedler,   2013-09-04  2.0.0
>  Service ID definition changed
M. Heil
>  Post-Build Loadable
A. Ditte
2013-11-05
2.1.0
>  Added OBD DTC and Root cause EventId to chapter
3.10.2
>  Added limitation for internal data elements in chapter
8.3
A. Ditte,
2014-01-14  3.0.0
>  Added J1939 (chapters 3.19, 6.2.7)
M. Heil
>  Adapted DCM interfaces (chapter 6.2.6) according
AUTOSAR 4.1.2
>  Added chapter 4.3.1
>  Fixed ESCAN00071673: NVM configuration is not
described
>  Fixed ESCAN00071511: Missing hint for supported
feature 'individual post-build loadable'
>  Fixed ESCAN00073677: Incorrect figure for DEM
initialization states
2015, Vector Informatik GmbH
Version: 4.3.0
2 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
M. Heil
2014-03-27  3.1.0
>  Describe deviation in handling operation cycles before
module initialization.
>  Add dependency to configuration to Dcm APIs.
>  Added warning about time-based de-bouncing and
maximum fault detection counter in current cycle
M. Heil
2014-05-08  3.2.0
>  Added Event Availability (chapters 3.9.1, 6.2.4.26)
>  Added freeze frame pre-storage (chapters 3.11, 6.2.4.4,
6.2.4.5)
>  Corrected description of Event and DTC suppression
(chapters 3.9, 6.2.4.4, 6.2.4.5)
>  Introduced chapter 3.3.3.4
>  Clarified usage of DTC groups (chapter 8.3)
M. Heil
2014-10-14  4.0.0
>  Moved Initialization Pointer (see Dem_PreInit(),
A. Ditte
Dem_Init())
>  Added API Dem_RequestNvSynchronization()
>  Added de-bounce values in NVRAM and API
Dem_NvM_InitDebounceData()
>  Added additional aging variant (chapter 3.5), added
Figure 3-3
>  Added missing configuration variants (chapter 2,
ESCAN00076237)
>  Added description for NVRAM write frequency (chapter
3.13.2, ESCAN00078587)
>  Added description for NVRAM recovery (chapter 3.13.3,
ESCAN00078582)
>  Added support of J1939 nodes
M. Heil
2015-02-27  4.1.0
>  Added APIs, chapters 6.2.4.3, 6.2.4.20
>  Support EnableCondition notification, 3.15.4
>  Added explanation of Dem task mapping, chapter 4.9
>  Added not of reduced queue depth for some events,
chapter 3.3.3.2
>  Updated critical sections, chapter 4.4
M. Heil
2015-04-20  4.1.1
>  Added deviation regarding notification signatures
(chapters 6.5.1, 8.1)
>  Reworked chapter 3.1 according ESCAN00082555
M. Heil
2015-06-17  4.2.0
>  Extended data callback support (chapters 3.10.3,
6.5.1.6)
>  Described FDC statistics for DTCs using internal de-
bouncing (chapter 3.10.2)
>  Described aging target 0 (chapter 3.5.1)
>  Described effect of asynchronous behavior of $85
(chapter 3.7)
>  Described different aging behavior (chapter 3.5.5)
2015, Vector Informatik GmbH
Version: 4.3.0
3 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
M. Heil
2015-09-14  4.3.0
>  More information about NVRam setup (chapter 4.5 ff)
>  Changes due to new option to persist event availability
(chapters 3.9.1, 6.2.4.26, 6.2.4.11)

2015, Vector Informatik GmbH
Version: 4.3.0
4 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Reference Documents
No.
Source
Title
Version
[1]   AUTOSAR
AUTOSAR_SWS_DiagnosticEventManager.pdf
V4.2.0,
V5.1.0
[2]   AUTOSAR
AUTOSAR_SWS_DevelopmentErrorTracer.pdf
V3.2.0
[3]   AUTOSAR
AUTOSAR_SWS_DiagnosticCommunicationManager.pdf
V4.2.0
[4]   AUTOSAR
AUTOSAR_SWS_NVRAMManager.pdf
V3.2.0
[5]   AUTOSAR
AUTOSAR_SWS_StandardTypes.pdf
V1.3.0
[6]   AUTOSAR
AUTOSAR_TR_BSWModuleList.pdf
V1.6.0
[7]   ISO
14229-1 Road vehicles – Unified diagnostic services (UDS)  -
– Part 1: Specification and requirements
[8]   Vector
TechnicalReference_PostBuildLoadable.pdf
See delivery
[9]   Vector
TechnicalReference_IdentityManager.pdf
See delivery

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2015, Vector Informatik GmbH
Version: 4.3.0
5 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.
Component Version  New Features
4.00.00
1st Release Version
4.03.00
Production Release
5.00.00
Post-Build support
6.00.00
J1939 support, API according ASR 4.1.2
7.00.00
Change of initialization to allow Postbuild-Selectable
8.00.00
Support API according ASR 4.2.1
9.00.00
Technical completion of WWH-OBD
Table 1-1   Component history
2015, Vector Informatik GmbH
Version: 4.3.0
16 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
2 Introduction
This document describes the functionality, API and configuration of the AUTOSAR BSW
module Diagnostic Event Manager “Dem” as specified in [1].

Supported
AUTOSAR 4
Release*:
Supported
Configuration pre-compile, post-build loadable, post-build selectable
Variants:
Vendor ID:
DEM_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
DEM_MODULE_ID
54 decimal
(according to ref. [6])
Version Information
DEM_AR_RELEASE_MAJOR_VERSION
version literal,
DEM_AR_RELEASE_MINOR_VERSION
decimal
DEM_AR_RELEASE_REVISION_VERSION
DEM_SW_MAJOR_VERSION
DEM_SW_MINOR_VERSION
DEM_SW_PATCH_VERSION
* For the precise AUTOSAR Release 4.x please see the release specific documentation.

The Dem is responsible for processing and storing diagnostic events (both externally
visible DTCs and internal events reported by other BSW modules) and associated
environmental data. In addition, the Dem provides the fault information data to the Dcm
and J1939Dcm (if applicable).
2.1
How to Read this Document
Here are some basic hints on how to navigate this document.
2.1.1
API Definitions
The application API of the Dem is usually never called directly. The functions declarations
here are given for documentation purposes. Parts of the function signatures are not
exposed to the actual caller, and represent an implementation detail.
Nonetheless, this documentation refers to the Dem API directly when describing the
different features, as the actual name of the API called by the application is defined by the
application itself. Instead of a sentence referring to this fact the underlying Dem function
name is mentioned directly.
E.g. If the documentation mentions the API Dem_SetOperationCycleState, a client
module would call a service function resembling Rte_Call_<APPLDEFINED>-
_SetOperationCycleState.
An application is strongly advised to never call the Dem API directly, but to use the service
interface instead.
2015, Vector Informatik GmbH
Version: 4.3.0
17 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
2.1.2
Configuration References
When this text references a configuration parameter or container, the references are given
in the format of a navigation path:
>  /ModuleDefinition/ContainerDefinition/Definition:
The absolute variant is used for references in a different module. These references
start with a slash and the module definition. E.g. /NvM/NvMBlockDescriptor
>  ContainerDefinition/Definition:
The relative variant is used for references to parameters of the Dem itself. For brevity
the module definition has been omitted.
In both variants the last definition can be either of type container, parameter or reference.
This  document  does  not  duplicate  the  parameter  descriptions  again,  so  when  in  doubt
please  refer  to  the  module’s  parameter  definition  file  (bsmwd-file)  for  a  definitive
declaration.
2.2
Architecture Overview
The following figure shows where the Dem is located in the AUTOSAR architecture.

Figure 2-1  AUTOSAR 4.1 Architecture Overview
2015, Vector Informatik GmbH
Version: 4.3.0
18 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
The next figure shows the interfaces to adjacent modules of the Dem. These interfaces are
described in chapter 5.2.3.
class Architecture
Rte
Det
Dem
Dlt
Dcm
FiM
SchM
Nv M
EcuM
BSW
J1939Dcm

Figure 2-2  Interfaces to adjacent modules of the Dem

Caution
Applications do not access the services of the BSW modules directly. They use
  the service ports provided by the BSW modules via the RTE. The service ports
provided by the Dem are listed in chapter 6.6 and are defined in [1].

2015, Vector Informatik GmbH
Version: 4.3.0
19 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
3  Functional Description
3.1
Features
The features listed in the following tables cover the complete functionality specified for the
Dem.
The AUTOSAR  standard  functionality  is  specified  in  [1],  the  corresponding  features  are
listed in the tables
>  Table 3-1   Supported AUTOSAR standard conform features
>  Table 3-2   Not supported AUTOSAR standard conform features
For further information of not supported features see also chapter 7.3.1.
Vector Informatik provides further Dem functionality beyond the AUTOSAR standard. The
corresponding features are listed in the table
>  Table 3-3   Features provided beyond the AUTOSAR standard

The following features specified in [1] are supported:
Supported AUTOSAR Standard Conform Features
Post-Build Loadable
MICROSAR Identity Manager using Post-Build Selectable
Module individual post-build loadable update
OBD II / WWH-OBD functionalities and APIs, only if licensed accordingly.
All non-optional features described in [1], except features described below
Table 3-1   Supported AUTOSAR standard conform features
The following features specified in [1] are not supported:
Not Supported AUTOSAR Standard Conform Features
Configuration – for details please refer to the Module Parameter Description (BSWDM)
Configuration of configured snapshot records deviates from [1]
Configuration of automatic start of an operation cycle is only possible for one cycle
Service Needs are neither provided nor evaluated
Multiplicity of some elements is restricted in comparison to [1]
De-bouncing
Monitors / SWC cannot reset or query the current de-bouncing state.
>  Dem_GetDebouncingOfEvent()
>  Dem_ResetEventDebounceStatus()
2015, Vector Informatik GmbH
Version: 4.3.0
20 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Not Supported AUTOSAR Standard Conform Features
OperationCycles
Aging Cycles
Aging cycles which are only used for aging and the corresponding API
Dem_SetAgingCycleState(). Use operation cycles instead.
Centralized Operation Cycles
APIs Dem_SetOperationCycleCntValue() and Dem_SetAgingCycleCounter() are not
available
API Dem_GetOperationCycleState() is not available
BSW errors always evaluate OperationCycles, even before full initialization.
DET reports for ‘started’ cycles during shutdown.
Volatile cycles are implicitly stopped during shutdown.
ClearDTC
Partial status clear when clear is prohibited is not supported.
Clearing of a DTC is either completely blocked, or the DTC is completely removed from memory.
Data collection / System integration
DemFreezeFrameCapture, DemExtendedDataCapture
Data collection in context of the calling diagnostic monitor is not supported. All external data is
collected on Dem Task level.
Sender/Receiver Ports, and related data conversion, are not supported.
Extended Data record collection triggers
Custom extended data records are triggered by TestFailed transitions only.
BSW integration
DLT
Diagnostic Log & Trace APIs Dem_DltGetMostRecentFreezeFrameRecordData() and
Dem_DltGetAllExtendedDataRecords() are not available
Debugging
No support for public access to internal variables is provided.
Dcm DTC change notification is called unconditionally. The relevant API is not available:
Dem_DcmControlDTCStatusChangedNotification()
API FiM_DemInit() is unsupported and never called by the Dem.
Multiple Configuration
DTC suppression by configuration (DemEventAvailability / DemEventSupressed) is not
supported
Miscellaneous
Mirror Memory
Mirror memory solutions are manufacturer specific and not supported.
Event Combination ‘Type 2’
The event related data is assigned to the sub-events, which will be merged to the combined
event. The data is not assigned to the combined event itself.
2015, Vector Informatik GmbH
Version: 4.3.0
21 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Not Supported AUTOSAR Standard Conform Features
Indicator-Event- specific set and reset (healing) condition
Indicators are enabled together with the event confirmation, i.e. when Bit 3 is set.
Healing is always done based on the event status byte.
Table 3-2   Not supported AUTOSAR standard conform features
The following features are provided beyond the AUTOSAR standard:
Features Provided Beyond The AUTOSAR Standard
Interface Dem_InitMemory()
This function can be used to initialize static RAM variables in case the start-up code is not used
to initialize RAM. Refer to chapter 6.2.3.3.
Interface Dem_PostRunRequested()
Allows the application to test if the Dem can be shut down safely. For details refer to chapter
6.2.4.21.
Selective non-volatile mirror invalidation on configuration change
Allows the controlled reset of the Dem non-volatile data, without invalidating the whole non-
volatile data or manual initialization algorithms. For details refer to chapter 4.5.2.1
Extended set of internal data elements
In addition to the set defined in [1], the Dem provides additional internal data elements. Refer to
chapter 3.10.1 for the complete list.
Extended support for ClientServer Data callbacks, see chapter 3.10.3
Variants on status bit handling in case of memory overflow, see chapter 3.3.3.3
Option to prevent aging of event entries to remove stored environment data (e.g. snapshot
records)
Multiple variants for aging behavior regarding healing, see chapter 3.5.5
Option to distribute runtime of ClearDTC operation across multiple tasks
Configurable copy routine, see chapter 4.3.1
Request for NV data synchronization, see Dem_RequestNvSynchronization()
Table 3-3   Features provided beyond the AUTOSAR standard

3.2
Initialization
Initialization of the Dem module is a two-step process.
First,  using  the  interface  Dem_PreInit()  the  Dem  is  brought  into  a  state  of  reduced
functionality.  This  shall  be  used  during  the  startup  phase  to  allow  processing  events
reported by BSW modules using Dem_ReportErrorStatus().
The pre-initialization phase already allows de-bouncing of status reports.
After the  Dem  has been pre-initialized  and after the  NVM  has finished  the  restoration of
the  NVRAM  mirror  data,  the  Dem  will  be  brought  to  full  function  using  the  interface
2015, Vector Informatik GmbH
Version: 4.3.0
22 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Dem_Init(), also during the startup phase. Additionally, the interface Dem_Init() can
be used to reinitialize the Dem after Dem_Shutdown() was called.

Caution
This Dem implementation is not consistent with Autosar regarding the initialization API.
 Both Dem_PreInit() and Dem_Init() take a configuration pointer. Please adapt your
initialization sequence accordingly.

Note
If a changed configuration set is flashed to an existing ECU, the NVRAM mirror
 variables of the Dem must be re-initialized before Dem_Init() is called. There
are several ways how this can be implemented. Please also refer to chapter 4.5
regarding the correct setup.
 Using the NvM which can be configured to invalidate data on configuration
change.
 Using the Dem which supports a similar feature as the NvM using the
configuration option ‘DemCompiledConfigId’. In this case Dem_Init() will
take care of the re-initialization.
 Before calling Dem_Init() it is safe to call the initialization functions
configured for usage by the NvM. Additionally, all primary and secondary
data can to be cleared by overwriting each RAM variable
Dem_Cfg_[Primary|Secondary]Entry_<N> with the contents of
Dem_MemoryEntryInit.

3.2.1
Initialization States
After the (re)start of the ECU the Dem is in state “UNINITIALIZED”. In this state the Dem is
not operable until the interface Dem_PreInit() was called.
Dem_PreInit() will change the state to “PREINITIALIZED”. Within this state only BSW
errors can be reported via Dem_ReportErrorStatus(). EnableConditions are not
considered in this phase.
During initialization via Dem_Init() the Dem switches to state “INITIALIZED” and is fully
operable afterwards. In this phase EnableConditions are initialized to their configured
default state and can take effect.
Now the function Dem_MainFunction() can be called until Dem_Shutdown() will
finalize all pending operations in the Dem, deactivate the event processing except for
BSW events and change the state to “SHUTDOWN”. Figure 3-1 provides an overview of
the described behavior.
2015, Vector Informatik GmbH
Version: 4.3.0
23 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Changes
Prior versions (Implementation version < 7.00.00) did consider the configured enable
 conditions during the pre-initialization phase.

stm InitStates
UNINITIALIZED
PREINITIALIZED
Compiler
notes
notes
startup

Dem is not initialized

Dem is pre-initialized
code
Dem_PreInit()

APIs if called will throw a

most APIs if called will throw a DET error
Dem_InitMemory()
DET

only calls to API Dem_ReportError() will

Dem internal variables have
not cause a DET error
Initial
random value
Dem_Init()
SHUTDOWN
INITIALIZED
notes
Dem_Init()
notes

Dem is stopped

Dem is initialized and full operational

most APIs if called will throw a DET error

All APIs can be accessed without a DET

only calls to API Dem_ReportError() will
error
Final
Dem_Shutdown()
not cause a DET error

Dem does access (and modify) the
NVRAM mirror
Dem_MainFunction()

Figure 3-1 Dem states
3.3
Diagnostic Event Processing
A diagnostic event defines the result of a monitor which can be located in a SWC or a
BSW module. These monitors can report an event as a qualified test result by calling
Dem_ReportErrorStatus() or Dem_SetEventStatus() with “Failed” or “Passed” or
as a pre-qualified test result by using the event de-bouncing with “PreFailed” or
“PrePassed”.
In order to use pre-qualified test results the reported event must be configured with a de-
bounce algorithm. Otherwise (using monitor internal de-bouncing) pre-qualified results will
cause a DET report and are ignored.
3.3.1
Event De-bouncing
The Dem implements the mechanisms described below:
3.3.1.1
Counter Based Algorithm
A monitor must trigger the Dem actively, usually multiple times, before an event will be
qualified as passed or failed. Each separate trigger will add (or subtract) a configured step
size value to a counter value, and the event will be qualified as ‘failed’ or ‘passed’ once this
de-bounce counter reaches the respective configured threshold value.
2015, Vector Informatik GmbH
Version: 4.3.0
24 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
The  configurable  thresholds  support  a  range  for  the  de-bounce  counter  of  -32768  …
32767.  For  external  reports  its  current  value  will  be  mapped  linearly  to  the  UDS  fault
detection counter which supports a range of -128 … 127.

Caution
Threshold values of 0 to detect a qualified failed or qualified passed result are allowed
  in some Autosar versions, but this implementation does not support such a setting.

If  enabled,  counter  based  de-bounced  events  can  de-bounce  across  multiple  power
cycles. Therefore the counter value is persisted into non-volatile memory during shutdown
of the ECU.

3.3.1.2
Time Based Algorithm
For events  using time based de-bouncing,  the application only needs to trigger the Dem
once in order to set a qualification direction. The event will be qualified after the configured
de-bounce time has elapsed. Multiple triggers for the same event and same qualification
direction have no effect.
Each event report results at most in reloading a software timer due to a direction change.
Once an event was reported, the timer is stopped by
>  A “clear DTC” command
>  The restart of the event’s associated “Operation cycle”
>  Deactivation of (one of) the event’s associated enable condition.
>  API Dem_ResetEventDebounceStatus().
Event  de-bouncing  via  time  based  algorithm  requires  comparatively  high  CPU  runtime
usage.  To  alleviate  this,  the  Dem  supports  both  a  high  resolution  timer  (a  Dem  main
function  call  equals  a  timer  tick)  and  a  low  resolution  timer  (150ms  equals  a  timer  tick).
Events  which  have  a  de-bounce time  greater  than  5  seconds  will  use  the  low  resolution
timer per default. Still, software timers are expensive and should be used sparingly.
2015, Vector Informatik GmbH
Version: 4.3.0
25 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Changes
Since implementation version 8.00.00, events using time based debouncing are
  processed on the Dem task function. This change affects monitors reporting a fully
qualified result instead of using a de-bounced report (e.g. DEM_EVENT_STATUS-
_FAILED instead of DEM_EVENT_STATUS_PREFAILED)
If your monitor reports fully qualified results, consider using monitor internal
debouncing instead of time-based debouncing to achieve synchronous behavior or the
Dem reporting functions.

Note
The timer ticks are processed on the Dem main task. If you report an event using time-
  based de-bouncing before the Dem is initialized, the timer will only start running when
the system has reached the point where cyclic tasks are served.

3.3.1.3
Monitor internal de-bouncing
If the application implements  the de-bouncing algorithm itself, a callback function can be
provided,  which  is  used  for  reporting  the  current  fault  detection  value  to  the  diagnostics
layer.
These  functions  should  not  implement  logic,  since  they  are  called  in  runtime  extensive
context.
If monitor internal de-bouncing is configured for an event, its monitor  cannot request de-
bouncing  by  the  Dem  (i.e.  trigger  operation  SetEventStatus  with  monitor  results
DEM_STATUS_PRE_FAILED or DEM_STATUS_PRE_PASSED). This would also result in
a DET report in case development error detection is enabled. The Dem module does not
have the necessary information to process these types of monitor results.

Workaround (before version 6.00.00)
If you do not want de-bouncing for an event at all, e.g. only report qualified passed and
  failed results, you should consider using counter based de-bouncing for these events.
For efficiency reasons, only choose monitor internal de-bouncing if you need to provide
the callback function.
With version 6.00.00 the callback function for internal de-bouncing is optional.

2015, Vector Informatik GmbH
Version: 4.3.0
26 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
In case environment data has to be stored due to reaching a de-bounce detection
 counter value that is still less than qualified failed (< UDS FDC 127), monitor internal
de-bouncing cannot be used. Please also see chapter 3.10.1

3.3.2
Event Reporting
Monitors may report test results either by PortInterface or, in case of a complex device
driver or basic software module, by direct C API.
The different APIs are important because callback contexts (i.e. the origin of the function
call) for all configured notification callbacks must be known to the RTE generator. The
current Autosar design is implemented such that CDD and BSW do not declare formally
where calls to ReportErrorStatus take place. Instead, the Dem has to queue all reports
from ReportErrorStatus and perform the action on its task level.

Caution
In systems with an Rte, never call Dem_SetEventStatus() directly from your code.
 Always use the Rte_Call_.mechanism. Alternatively configure the reported event as
EventKind ‘BSW’ and report its status using API Dem_ReportEventStatus().

One disadvantage of Dem_ReportEventStatus() is its missing return code. The caller
cannot tell if a test result has been discarded. Whenever possible, implement your
monitors as Software Components with access to Rte functionality.

Caution
Status reports do not maintain relative order. The Dem does not guarantee that multiple
 event reports are processed in the same order that they had been reported in.
Ordering is preserved for the first result, but there is no guarantee that multiple reports
preserve the order of report for each and every single test result during a single task.
This is mainly due to the additional resources required for no apparent benefit.
The behavior is best described as example:
If two monitors 1 and 2 report failed results F1 and F2, their order is preserved.
If monitors toggle within a single Dem task cycle, their respective ordering is no
preserved.
Example: Reporting order F1, F2, P2, P1 would be processed as F1, P1, F2, P2 instead,
which still preserves the order of the initial test result.

Due to the different nature of these APIs, it is an error to call ‘the other’ API from the one
configured for an event. The Dem will post a DET notification in that case, provided
development error detection is enabled.
3.3.3
Event Status
Every event supports a status byte whereas each bit represents different status
information. For detailed information please refer to [7].
2015, Vector Informatik GmbH
Version: 4.3.0
27 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
>  Bit 0 – TestFailed
The bit indicates the qualified result of the most recent test.
>  Bit 1 – TestFailedThisOperationCycle
The bit indicates if during the active operation cycle the event was qualified as failed.
>  Bit 2 – PendingDTC
This bit indicates if during a past or current operation cycle the event has been
qualified as failed, and has not tested ‘passed’ for a whole cycle since the failed result
was reported.
>  Bit 3 – ConfirmedDTC
The bit indicates that the event has been detected enough times that it was stored in
long term memory.
>  Bit 4 – TestNotCompletedSinceLastClear
This bit indicates if the event has been qualified (passed or failed) since the fault
memory has been cleared.
>  Bit 5 – TestFailedSinceLastClear
This bit indicates if the event has been qualified as failed since the fault memory has
been cleared.
>  Bit 6 – TestNotCompletedThisOperationCycle
This bit indicates if the event has been qualified (passed or failed) during the active
operation cycle.
>  Bit 7 – WarningIndicatorRequested
The bit indicates if a warning indicator for this event is active.
Due to consistency concerns in systems using preemptive tasks not all status transitions
on these bits can be performed independently from each other. Transitions that depend on
the  state  of  the  shared  event  memory  can  influence  each  other  and  are  processed  in  a
serialized form on the Dem task function
Chapter  3.3.3.1  and  3.3.3.2  describe  which  status  bit  transitions  are  modified
synchronously (in context of the caller) and which status bits are modified asynchronously
(in context of the Dem).
3.3.3.1
Synchronous Status Bit Transitions
The  status  bits  0,  1,  4,  and  6  are  synchronously  modified  in  the  context  of  the  caller  of
Dem_SetEventStatus().  After  this  function  has  returned,  the  status  bits  will  have  an
updated state.
The setting of bit 5 can be influenced by configuration. If it is not set to setting ‘stored only’
(see chapter 3.3.3.3) this bit is also set synchronously.
Please note that status notification callbacks will be processed in the caller context as well.
Reports by Dem_ReportErrorStatus() are queued and do not modify the status byte
synchronously. Please also see chapter 3.3.2.
2015, Vector Informatik GmbH
Version: 4.3.0
28 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Caution
Combined events and events using time-based de-bouncing are queued and do not
  modify their event status synchronously.

3.3.3.2
Asynchronous Status Bit Transitions
During the call of Dem_MainFunction() Status bits 2, 3 and 7 will be updated. This is
done asynchronously to remove time consuming operations from the callers’ context, and
to provide an easy serialization without falling back to interrupt locks.
If bit 5 is set to ‘stored only’ processing it is set asynchronously as well.
Therefore, the call to Dem_SetEventStatus()only costs as little as possible in terms of
runtime and stack usage.
Pending reports by Dem_ReportErrorStatus() are processed on task level for all bits,
please also see chapter 3.3.2.
Events  configured  to  age  immediately  on  the  first  qualified  passed  result  do  not  allow
queuing  a  qualified failed  result until  after  the  passed  result  was  processed on  the  Dem
task. In this case, E_NOT_OK is returned from Dem_ReportErrorStatus()
3.3.3.3
Event Storage modifying Status Bits
Several  UDS  status  bit  transitions  depend  on  successful  event  storage.  The  Dem  offers
multiple interpretations of these transitions when taking event displacement into account.
For status bits 2 – PendingDTC, 3 – ConfirmedDTC and 7 – WarningIndicatorRequested
there are two alternatives ‘Stored Only’ and ‘All DTC’ – see Figure 3-2.
For status bit 5 – TestFailedSinceLastClear the alternatives ‘Stored Only’ and ‘All DTC’ are
supported as well, along with a third option to select different reset conditions for this bit.
Please also see chapter 3.5.4.
The usual bit transitions are not affected by this option. It only selects the behavior in case
of event memory overflow and displacement.

Figure 3-2  Effect of Precondition ‘Event Storage’ and Displacement on Status Bits
2015, Vector Informatik GmbH
Version: 4.3.0
29 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Due to Autosar standardized naming of configuration options, the settings for these bits
are named differently for each bit, please refer to Table 3-4 Configuration of status bit
processing for details.
Status Bit
‘Stored Only’
‘All DTC’
Bit 2 – PendingDTC
DemPendingDtcProcessing =
DemPendingDtcProcessing =
(Vector Extension)
STORED_ONLY
ALL_DTC
Bit 3 – ConfirmedDTC
DemResetConfirmedBitOn-
DemResetConfirmedBitOnOverflow =
Overflow = TRUE
FALSE
Bit 5 – FailedSinceLastClear DemStatusBitHandlingTest-
DemStatusBitHandlingTestFailed-
FailedSinceLastClear =
SinceLastClear = NORMAL or AGING
AGING_AND_DISPLACEMENT
Bit 7 – WarningIndicatorReq DemWarningIndicatorRequested- DemWarningIndicatorRequested-
(Vector Extension)
Processing = STORED_ONLY
Processing = ALL_DTC
Note: WIR bit is not reset on
displacement due to additional
requirements
Table 3-4 Configuration of status bit processing
3.3.3.4
Lightweight Multiple Trips (FailureCycleCounterThreshold)
Enabling the feature for multiple trips (see DemGeneral/DemMultipleTripSupport) will
enable the full-fledged support, but at the cost of a non-volatile trip counter per event. The
common requirement of up to 2 trips (DemEventFailureCycleCounterThreshold <= 1) can
work without this added cost.
In case you want to reduce Dem NV-RAM consumption, you can disable the full support
for multiple trips, and still have support for up to 2 trips for event confirmation.

Caution
Although the UDS status byte normally allows distinguishing the first from the second
 trip, it is not sufficient information in all failure scenarios with ConfirmedDTC handled
‘STORED_ONLY’.
In case an event cannot enter the event memory (e.g. due to storage conditions or
overflow) at the time of the second trip, the Dem loses the information that the event
had already failed in the last operation cycle.
This means that failed event reports and re-occurrences of the DTC will not lead to
confirmation until the next operation cycle.
If this limitation is not acceptable for your ECU, you need to enable the full support for
multiple trips (DemMultipleTripSupport == true).

3.4
Event Displacement
In case all available memory slots are already used up by past events when a new event
needs to be entered, the Dem can displace a less important event. This is governed by the
following set of rules, in the order of mention:
> Dedicated Aging Counters are repurposed first
2015, Vector Informatik GmbH
Version: 4.3.0
30 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
>  Aged events are displaced before other events
>  Lower prioritized events will be displaced by higher prioritized events. This step
depends on the configuration of event priorities and is omitted if each event has the
same priority.
>  Passive events of equal priority (test failed bit is not set) can be displaced if no lower
prioritized event can be found. This step can be omitted by configuration.
>  An active event of equal priority can be displaced if it has not been tested in the active
operation cycle. This step can be omitted by configuration.
If multiple events match, the oldest one is displaced. Age in this context is defined by the
point in time the event data was last updated.
If no event matches, an option exists to displace the oldest event whatever its state.
3.5
Event Aging
The process of aging resets status bit 3 – ConfirmedDTC when a sufficient amount of time
has elapsed so that the cause for the error entry is assumedly not relevant anymore. This
is often used as a trigger to also  clear stored snapshot or extended data from the event
memory.
In addition to the aging process defined in [1] there are further options. The differences are
summarized in Table 3-5
In all cases the event ages only if it supports aging, and the aging process continues long
enough so the events aging counter reaches the defined threshold value.

Aging start condition
Aging continuation
Aging At Passed
An event that is tested passed
At the end of the events aging
(Autosar Default)
immediately starts to age.
cycle, if the event is not currently
active (tested failed).
Aging At Passed, Cont  An event that is tested passed
At the end of the events aging
Not Failed
immediately starts to age.
cycle, in case the event is tested in
its current operation cycle and is
currently not failed.
Cont End Of Cycle
At the end of the events
At the end of the events aging
operation cycle, in case the
cycle, if the event is not currently
event is tested and did not test
active (tested failed).
‘failed’ in that cycle.
Cont Tested Passed,
At the end of the events
At the end of the events aging
Cont Tested Passed
operation cycle, in case the
cycle, if the event is tested and not
Zero At Passed
event is tested and did not test
tested failed in its current operation
‘failed’ in that cycle.
cycle. I.e. untested cycles are not
considered.
Table 3-5   Aging algorithms
2015, Vector Informatik GmbH
Version: 4.3.0
31 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Figure 3-3  Behavior of the Aging Counter
3.5.1
Aging Target ‘0’
Events  aging  ‘immediately’  are  handled  in  a  special  way,  depending  on  the  configured
aging algorithm.
In  general,  they  age  immediately  when  the  aging  start  condition  is  reached.  For  details
refer to Table 3-6   Immediate aging.

Aging with target 0
Aging At Passed
If the DTC is tested passed when an event reports a passed result.
(Autosar Default)
Aging At Passed, Cont  At the end of the event’s operation cycle, if the DTC was not tested
Not Failed
failed this cycle.
Cont End Of Cycle
At the end of the event’s operation cycle, if PendingDTC is reset.
Cont Tested Passed
At the end of the event’s operation cycle, if PendingDTC is reset.
Cont Tested Passed
If the DTC is tested passed when an event reports a passed result,
Zero At Passed
and the DTC is not tested failed in that cycle.
Table 3-6   Immediate aging
3.5.2
Aging Counter Reallocation
To  implement  aging  of  events,  an  event  requires  an  aging  counter.  This  counter  is
contained within the event memory entry along with stored additional data. If the confirmed
bit is set  independently of event  storage (see chapter  3.3.3.3) events  do not  necessarily
have  the means  to  age,  even  if they meet  the precondition  (e.g.  test  completed and  not
tested failed for one operation cycle).
2015, Vector Informatik GmbH
Version: 4.3.0
32 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
In this case the Dem module tries to reallocate a free memory entry for the aging event.
This event entry is used solely for the purpose of aging the confirmed DTC bit.

Caution
In case ConfirmedDTC is set independently of event storage (Setting ‘ALL DTC’, see
  chapter 3.3.3.3) DTCs do not necessarily age with the configured number of aging
cycles. This is not a bug, but a result of an insufficient amount of available aging
counters.

3.5.3
Aging of Environmental Data
Stored  data  can  optionally  be  discarded  or  kept  intake  once  a  DTC  has  completed  the
aging process and resets its ConfirmedDTC bit.
If the data is kept intact, it is reported to the Dcm in the same way it is reported for active
events.

Caution
This setting has a negative side effect on reallocating aging counters (see chapter
  3.5.1), since the Dem prioritizes aged environmental data higher than the need for new
aging counters. There is no displacement of aged data due to a different, aging event.
Only a number of DTCs up to the available event memory entries can age, unless
events are cleared by other means, e.g. ClearDTC.

3.5.4
Aging of TestFailedSinceLastClear
The general status bit processing for bit 5 is described in chapter 3.3.3. There is however
an additional option to reset this bit when an event ages.
Currently the aging counter value required to reset Bit 5 is the same as for ConfirmedDTC,
so there is no way to age it at a later time.
Please  refer  to  the  configuration  parameter  DemGeneral/DemStatusBitHandlingTest-
FailedSinceLastClear for details.
3.5.5
Aging and Healing
Aging and healing normally happen in parallel. The Dem does not implement safe guards
to prevent aging  before  healing has occurred. This situation is rather unusual and would
indicate a mistake in the configuration, or how the cycles are reported to the Dem.
For some use-cases like OBD II, it is supported to only start with the aging process once a
configured  indicator  request  has  completed  healing.  In  order  to  achieve  consistent
behavior across all DTC, this can be activated also for events not supporting an indicator.
This  aspect  of  the  aging  behavior  can  be  selected  using  the  configuration  switch
DemGeneral/DemAgingAfterHealing.
2015, Vector Informatik GmbH
Version: 4.3.0
33 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
3.6
Operation Cycles
Each event is assigned to an operation cycle, e.g. ignition cycle. An operation cycle can be
started and stopped with the function Dem_SetOperationCycleState(). Reporting an
event to the Dem is possible only if its corresponding operation cycle is started – otherwise
the  report  will  be  discarded.  In  this  regard  the  operation  cycle  acts  as  additional  enable
condition which cannot be circumvented.
The operation cycle also is the basis for the status bits referring to ‘this operation cycle’ (Bit
1 and Bit 6), as well as the calculation of events that may or may not have occurred during
the whole cycle, e.g. to calculate the precondition for resetting Bit 2.
Since  operation  cycle  restarts  can  cause  a  lot  of  notification  function  calls,  the  actual
processing  is  done  asynchronously  on  the  Dem_MainFunction().  As  notification  for  the
finished processing, please use InitMonitorForX callbacks.

Caution
Due to the asynchronous processing, operation cycle changes will get lost if you shut
  down the Dem module before a pending change is processed.

3.6.1
Persistent Storage of Operation Cycle State
The  Dem  provides  the  possibility  to  restore  the  state  of  operation  cycles  through  power
down. This feature has its caveats though.
The  persisted  state  of  operation  cycles  is  not  known  in  pre-initialization  state,  since  the
NvM which controls the non-volatile data relies on a pre-initialized Dem!
Until  the  Dem  is  completely  initialized  all  operation  cycles  are  inactive,  independently  of
their stored state. The persisted state only becomes active during  Dem_Init(), but this
state modification is not counted as flank of the operation cycle state and will not modify
the DTC status bytes.

Caution
Even with persistent operation cycle storage enabled, during pre-initialization all cycles
  are in state ‘stopped’ since their real state is not known until full initialization. This will
cause discarded BSW error reports due to unfulfilled preconditions!

3.6.2
Automatic Operation Cycle Restart
Operation  cycles  automatically  count  as  enable  condition for  all  related  events,  meaning
that if a cycle is not started, monitor reports are not accepted. During ECU startup, there is
no valid way to start an operation cycle by API.
If  you  select  a  cycle  to  be  started  automatically,  it  will  be  treated  as  ‘started’  during  pre-
initialization, so event reports are possible.
2015, Vector Informatik GmbH
Version: 4.3.0
34 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Additionally,  all  calculations  resulting  from  an  operation  cycle  restart  are  done  in
Dem_Init()  –  But  be  aware  that  all  notification  functions  are  skipped,  since  the
initialization status of the RTE is not known at this point.
The  DTC  status  calculation  is  performed  in  Dem_Init()  ‘as  if’  the  cycle  had  started
before  Dem_PreInit().  E.g.  fault  detection  counters  of  related  DTCs  do  not  reset  to
zero.

Caution
Since the cycle is already started automatically you may not start it again from your
  application. This would be regarded as an additional, completed cycle and would cause
unwanted modifications of the event status, like premature aging of events.

Caution
Automatic restart of cycle skips all notifications – including event status change and
  monitor initialization callbacks. If you use this feature, your monitors need to initialize
their starting state in an initialization routine and cannot rely on an init-monitor
notification callback alone.

3.7
Enable Conditions and Control DTC Setting
Up  to  31  enable  conditions  can  be  assigned  to  an  event.  Only  if  all  assigned  enable
conditions are fulfilled the respective event reported via Dem_ReportErrorStatus() or
Dem_SetEventStatus() will lead to a change of the event status bits and a storage of
environmental data. Otherwise the event report will be discarded.
A  diagnostic  monitor  using  the  RTE  interfaces  to  report  events  can  evaluate  the  return
value of the SetEventStatus operation. In case event reports are discarded, this operation
will always return E_NOT_OK. It is not possible to tell the exact reason for the discarded
report.
Enable  condition  states  can  be  set  via  Dem_SetEnableCondition()  respectively  by
the corresponding port interface operation.

Changes
Since Implementation version 7.00.00, enable conditions do not take effect until after
  full initialization (Dem_Init())

When an event’s enable conditions are not fulfilled, the Dem provides the option to reset or
to freeze an ongoing de-bouncing process. Using this feature  defers enabling an enable
condition  to  the  Dem  main  function,  because  it  involves  checking  all  events  if  they  are
affected by the change.
As a side effect, it is possible to lose enable condition changes that toggle faster than the
cycle time of the Dem main function.
The same applies to ControlDTCSetting.
2015, Vector Informatik GmbH
Version: 4.3.0
35 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Changes
Since implementation version 8.00.00, enabling enable conditions and
  ControlDTCSetting are processed on the Dem main function. Activating an enable
condition will not have immediate effect. This change affects all configurations using
time-based de-bouncing, or the option to reset the de-bounce counters on enable
condition change.

Caution
EnableDTCSettings is processed on the main function, but the API was not changed to
  asynchronous by Autosar (RfC 69895). As a result, the Dcm will send the positive
response to service $85 before the DTCSettings have actually been enabled. This can
be observable as DTCs are not entered into the Dem until the Dem task function has
completed.

3.7.1
Effects on de-bouncing and FDC
While  enable  conditions  are  disabled,  de-bouncing  is  usually  stopped  as  well.  The  Dem
allows  configuring  whether  events  continue  de-bouncing  where  they  left  off,  or  whether
they start from the beginning – or even continue de-bouncing.
The point in time of the reset, being either when the enable conditions are disabled or re-
enabled, is also subject to configuration.
In  any  case,  it  is  not  possible for  events  to qualify  during  the  time  enable  conditions  (or
ControlDTCSetting) are disabled.
3.8
Storage Conditions
Up  to  32  storage  conditions  can  be  assigned  to  an  event.  If  the  assigned  storage
conditions  are  not  fulfilled,  the  respective  event  reported  via  Dem_SetEventStatus()
will change its status byte, but its environmental data and statistical data (e.g. most recent
failed event) is not stored or updated.
Also,  status bits  2,  3,  5  and  7  will  not  transition  while  storage  conditions are  not  fulfilled
(depending on configuration options, see chapter 3.3.3.3).
The storage condition state can be set via Dem_SetStorageCondition().
2015, Vector Informatik GmbH
Version: 4.3.0
36 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
Unfulfilled storage conditions prevent event storage, not postpone it. When storage is
  re-enabled, in most configurations the blocked entries will require either a passed
failed transition or a transition of TestFailedThisOperationCycle in order to create a
memory entry.

3.9
DTC Suppression
AUTOSAR  provides  two  mechanisms  to  disable,  hide or  otherwise  prevent  evaluation  of
test reports. They differ in the impact of the suppression operation.
This  implementation  allows  calling  the  event  based  suppression  API  before  full
initialization,  and  calls  by  BSW  or  CDD  (i.e.  it  does  not  require  Rte_Call).  Please  be
advised that this is an extension to [1].

Note
Suppression / Availability states are not stored in non-volatile RAM – suppression must
  be (re)activated in each power cycle.

3.9.1
Event Availability
The  API  Dem_SetEventAvailable()  can  disconnect  the  event  reporting  from  event
processing.  Use  this  mechanism  in  case  the  ECU  has  fault  paths  that  are  supported
conditionally, e.g. due to ECU variants.
Unavailable  events  do  not  track  a  status.  They  cannot  confirm,  cannot  enter  the  event
memory, and attached DTCs are not reported to the outside world, i.e. through Dcm API.
Event reports and the request to suppress the same event do collide. In order to correctly
implement  suppression,  unused  DTCs  should  be  suppressed  before  the  monitor  in
question starts to report test results for it.

Caution
The FiM module prior to Autosar 4.2.1 is not able to work with unavailable events. It
  can cause runtime errors and/or FID status miscalculations when the FiM module tries
to request the event status of an unavailable event, since that request will return an
unexpected error code.

DTCs and events already stored in the event memory cannot be made unavailable and the
corresponding API call will fail.
For  combined  events,  the  DTC  will  be  hidden  only  after  all  events  attached  to  the  DTC
have been set to disabled.
2015, Vector Informatik GmbH
Version: 4.3.0
37 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
A default setting for event availability can be defined. In this case, the API
  Dem_SetEventAvailable() may not be called before Dem initialization, as the active
configuration is not known
Also, the default setting cannot be used in conjunction with DemAvailabilityStorage

3.9.2
Suppress Event / Suppress DTC
The suppression APIs only ‘hide’ DTCs to the outside world.
Event processing and storage are processed normally – this means suppressed DTCs can
use up memory slots, and enable indicators.
DTCs  and  events  suppression  states  are  tracked  independently,  as  defined  in  [1].  This
means, you can only ‘unsuppress’ a DTC using the same API it was suppressed with.
For combined events, the DTC will be hidden only after all events attached to the DTC are
suppressed, or the DTC is suppressed directly using Dem_SetDTCSuppression().

Note
Different from the event based suppression, DTC suppression is not possible before
  full initialization. Dem_Init() is the API that selects the active configuration, so the
mapping between EventId and DTC is not known before then.

3.10  Environmental Data
The  Dem  supports  storage  of  data  with  each  DTC  in  form  of  snapshot  records  and
extended data records.
A  Snapshot  Record  is  DTC  specific  and  consists  of  one  or  more  DIDs  (Data  Identifiers)
which  in  turn  consist  of  one  more  data  elements.  Snapshot  Records  are  collected  and
stored at a configurable point in time during event confirmation, and often multiple times.
An Extended Data Record is defined globally and consists of one or more data elements. It
is typically used for statistic values like the occurrence counter or aging counter that are
not frozen at storage time.
The content of data elements can be provided by the application or by the Dem itself.
For application defined data the Dem will request the data using callback functions every
time a new value needs to be stored, and supply the stored values to the reading module
(e.g.  the  Dcm).  This  type  of  data  is  comparable  to  snapshot  records  in  that  no  current
value can be supplied to a reader.
To use internal data provided by the Dem, data elements must be mapped by configuration
to the requested statistical value. The Dem will then always supply the current value of the
respective statistic to reading modules.
Figure 3-4 provides an example of the described layout.
2015, Vector Informatik GmbH
Version: 4.3.0
38 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Snapshot Record Layout
DTC1 DID2 Data1
Data2
DID1
Data3
DTC2 DID3
Data2
Data4
DTCn DID3
Data2
Data4
DID4
Data5
Data6
Data7
Extended Data Record Layout
DTC1 Ext1 Aging Cnt
DTC2 Ext1 Aging Cnt
Ext10 Data8
Data9
DTCn Ext1 Aging Cnt
Ext2
Data10
Ext4
Data11

Figure 3-4 Environmental Data Layout
3.10.1 Storage Trigger
There are two algorithms how snapshot records are stored. One is the ‘calculated
snapshot number’ option, for which snapshots are currently stored with each transition of
the TestFailed bit of an event.
© 2009. Vector Informatik GmbH. All rights reserved. Any distribut
 ion or copying is subject to prior written approval by Vector.
Slide: 1
The ‘configured snapshot number’ option allows defining for each snapshot record in detail
when to store it, if its contents may be updated, and what its record number is going to be.
This second option also necessitates defining when to try and create an event memory
entry, for there are some interesting combinations:
A failing DTC will (ideally) create the following triggers, in order:
1. FDC threshold (< qualified failed) exceeded
2. FDC qualifies, Bit 0 is set
3. DTC Pending, Bit 2 is set
4. DTC Confirmed, Bit 3 is set
Although in reality these can easily all occur at the same time.
Snapshots are stored and updated with each trigger, so e.g. if the snapshot trigger is ‘test
failed’, each of these events will update a corresponding snapshot record – once an event
memory entry is created for the DTC.
The exact trigger that is used to create a memory entry is set with option
DemGeneral/DemEventStorageTrigger. This way you can realize ECUs that i.e. update
snapshot data with each Occurrence, but start only once the DTC reaches ConfirmedDTC.
2015, Vector Informatik GmbH
Version: 4.3.0
39 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
3.10.1.1  Storage Trigger ‘FDC Threshold’
If snapshot data has to be stored prior to event qualification, the event has to be set up to
use a Dem internal de-bouncing algorithm. Currently there is no API to notify the Dem that
a FDC threshold has been detected by a monitor internal de-bouncing algorithm.
Also, the actual threshold values need to be configured for the events as well.

Caution
If an event cannot be stored due to a full event memory, another attempt is made only
  when the FDC threshold is crossed again. If the event’s FDC rests above the threshold
value, no attempt to store data is made, even if another event was cleared in the
meantime, e.g. by ClearDTC.

3.10.2  Internal Data Elements
The Dem provides access to the following values  by means of an internal data element.
Internal  data  is  usually  not  frozen  in  the  primary  memory,  but  rather  the  current  value  is
reported.
Aging counter
Available  both  in  positive  direction,  counting  up  from  0  (event  is  not  aging)  up  to  the
configured threshold value; and in reverse counting down to 0.
Occurrence counter
Counts  the  number  of  passed-failed  transitions  since  an  event  has  been  stored.  This
counter is available in 8bit and 16bit variants.
Cycle counters
Different  statistics  concerning  the  number  of  operation  cycles:  The  number  of  cycles
completed  since  the  first  or  last  failed  result,  and  the  number  of  cycles  during  which  an
event has reported a failed result.
Overflow indication:
Indicates if the event’s memory destination has overflown.
Event priority:
Is set to the configured priority value of the event.
Significance:
Is set to the configured event significance value. Occurrence is 0, Fault is 1.
Root cause EventId
The  event  id  that  caused  the  storage/update  of  the environmental  data.  Can  be  used  in
context of the feature combined events to store the root cause event id.
2015, Vector Informatik GmbH
Version: 4.3.0
40 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
OBD DTC
The OBD DTC for the event id that caused the storage/update of the environmental data. If
no OBD DTC is configured the returned value will be 0.
Fault Detection Counter statistics
The current fault detection counter can always map. For internally de-bounced events, the
maximum value per operation cycle, and the maximum value since last clear are available
as well.

Caution
For time-based events, the maximum FDC in a cycle (or since last clear) are updated
  during the Dem task processing. This can result in a current FDC larger than the
displayed maximum FDC when the de-bouncing timer has just started.
This situation will correct itself after the timer has ticked once, but for low resolution
timing this can take up to the configured low resolution tick (which defaults to 150 ms).

3.10.3  External Data Elements
Data  is  collected  through  required  port  prototypes  and  needs  to  be  mapped  to  the  data
provider  during  Rte  configuration.  Please  note  that  each  data  element  has  its  own  port
interface and port prototype. It is not supported to collect a variety of DIDs or data signals
through a shared callback function by AUTOSAR design.
As a vendor specific extension, the MICROSAR Dem module supports data callbacks that
also pass the EventId to the application. This allows scenarios not possible with a standard
Dem:
  Application managed data storage: e.g. connecting the Dem to legacy applications that
already store (parts of) the environment data.
  Event specific data contents: e.g. storing root cause dependent data.
3.10.3.1  Nv-Ram storage
The usual AUTOSAR Dem will store all data collected from the application in NV-Ram.
For such data elements, data sampling is always processed on the Dem cyclic function.
Queries (e.g. through Dcm UDS diagnostic services) always return the frozen value.
As an extension to AUTOSAR, the Dem also allows  to configure data elements to return
‘live’ data. This is useful especially to support statistics data that is not already covered by
the Dem internal data elements.
When  data  elements  are  configured  not  to  be  stored  in  NV-Ram,  the  data  is  requested
every  time  a  query  is  processed.  Their  implementation  should  be  reentrant  and  fast  to
allow diagnostic responses to complete in time.
2015, Vector Informatik GmbH
Version: 4.3.0
41 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
There is no way to tell the Dem that data is ‘not currently available’ in this case. The
  Autosar standard requires to substitute a ‘0xFF’ pattern in case a data callback returns
‘NOT OK’
Optional data is not possible, especially since a single DID or extended record may
consist of up to 255 callbacks, and optional data right in the middle of a DID makes no
sense.

3.11  Freeze Frame Pre-Storage
The  environmental  data  associated  with  a  DTC  is  collected  when  the  DTC  storage  is
processed  on  the  Dem  task  function.  The  delay  between  the  event  report  and  the  data
collection can be a problem if fast changing data needs to be captured. In other use-cases
the DTC is supposed to store a snapshot of the system state some time before the event
qualification finishes.
Using  Dem_PrestoreFreezeFrame()  a  monitor  can  request  immediate  data  capture.  If
successful,  this  snapshot  is  used  as  the  data  source  if  the  DTC  is  stored  to  the  event
memory later on.
The Dem captures the following data, if relevant:
  A UDS snapshot record
  A OBD freeze frame
  J1939 freeze frame and expanded freeze frame

Caution
Extended data records are not captured.

The  Dem  can  only  pre-store  a  limited  number  of  events  (see  configuration  parameter
DemGeneral/DemMaxNumberPrestoredFF).  Once  the  allotted  space  is  exhausted
subsequent pre-storage requests will fail until one or more of them were freed. It is always
possible to refresh a pre-stored data set already allocated to an event.
Pre-Stored  data  is  not  preserved  through  Power-Cycles,  and  will  be  discarded
automatically  once  it  is  used  or  after  a  qualified  test  result  has  been  processed  for  the
respective  event.  Also  see  Dem_ClearPrestoredFreezeFrame()  for  a  way  to  explicitly
discard stale data.
3.12  Combined Events
It is possible to combine the results of multiple monitors to a single DTC. This feature is
referred to as ‘Combined Events’ in this document.
2015, Vector Informatik GmbH
Version: 4.3.0
42 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Monitors  report  events  as  usual,  events  are  de-bounced  individually,  and  for  each  event
the Dem keeps track of its individual status byte. Only when a DTC status is required there
is a visible difference.
3.12.1  Configuration
Currently  the  configuration  format  allows  too  much  freedom  in  configuration  due  to  the
multiple combination types. For Type 1 combination the following restrictions apply:
  All events mapped to the same DTC must have identical environmental data
(extended records, number and content of snapshots etc.
  All events mapped to the same DTC must use the same cycles (operation, failing,
healing and aging cycles)
  All events mapped to the same DTC must use the same destination, significance,
priority, the same setting for ‘aging allowed’ and the same significance.
The behavior with mixed settings is undefined and not supported by this implementation.
3.12.2  Event Reporting
Monitor results that need to be combined are not processed directly, but deferred to task
level. Other than that the application API is not changed.

Caution
Do not depend on status changes of either event status or DTC status to occur during
  the call to SetEventStatus and ReportErrorStatus. If monitors are combined to a shared
DTC, the status will not change until the next task cycle.

3.12.3  DTC Status
If  event  combination  is  used,  the  DTC  status  does  not  correspond  to  the  event  status
directly. Instead, the DTC status is derived from the status of multiple events.
As defined by Autosar (see [1]) this combined status is calculated according to Table 3-7.
Basically the DTC status is a simple OR combination of all events, with the resulting status
byte modified by an additional combination term. This is done such that a failed result will
also reset the ‘test not completed’ bits even if not all contributing monitors have completed
their test cycle.

Caution
A direct effect of event combination is a possible toggle of Bit 4 and Bit 6 during a
  single operation cycle. I.e. these bits can become set (test not completed  true) as
result of a completed test. This behavior is intended by Autosar and not an
implementation issue.
Applications need to take this into account when reacting on changes of ‘Test not
Completed This Operation Cycle / Since Last Clear’!

2015, Vector Informatik GmbH
Version: 4.3.0
43 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Combined DTC Status Bit

Bit 0 – TestFailed
OR (Event[i].Bit0)
Bit 1 – Test Failed This Operation Cycle
OR (Event[i].Bit1)
Bit 2 – PendingDTC
OR (Event[i].Bit2)
Bit 3 – ConfirmedDTC
OR (Event[i].Bit3)
Bit 4 – Test not Completed Since Last Clear
OR (Event[i].Bit4) AND NOT Bit5
Bit 5 – Test Failed Since Last Clear
OR (Event[i].Bit5)
Bit 6 – Test not Completed This Operation Cycle
OR (Event[i].Bit6) AND NOT Bit0
Bit 7 – Warning Indicator Requested
OR (Event[i].Bit7)
Table 3-7   DTC status combination
3.12.4  Environmental Data Update
Environment  data  and  statistics  are  calculated  based  on  the  DTC  status,  not  the  event
status of contributing events.
Example:  The  occurrence  counter,  if  configured,  is  not  incremented  with  each  failing
monitor.  Instead,  the occurrence  counter  is  incremented  each  time  Bit0  of the  combined
DTC transitions 0  1.
A failed monitor result might therefore not result in an update of event data (nor an event
data changed notification). This behavior is intentional.
3.12.5  Aging
A combined DTC starts to age once the conditions discussed in chapter 3.5 are fulfilled for
each event, e.g. once all monitors have reported a ‘passed’ result.
3.12.6  Clear DTC
If  a  request  to  clear  a  combined  DTC  is  received,  all  monitors  that  define  a  ‘clear  DTC
allowed’  callback  will  be  notified  by  the  Dem  and  have  a  chance  to  prevent  the  clear
operation. If a single monitor disallows the clear operation, the DTC will be left in the event
memory.

Caution
If an application responds positively to a call to a ‘clear event allowed’ callback, the
  DTC is not necessarily cleared as a result!
Another monitor can be combined to the same DTC and disallow the clear operation.
Do not use a clear allowed callback as indication that a DTC was cleared, instead use
the InitMonitorForEvent notification!

3.13  Non-Volatile Data Management
The Dem uses the standard AUTOSAR data management facilities provided by the NvM
module.
2015, Vector Informatik GmbH
Version: 4.3.0
44 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
3.13.1  NvM Interaction
If immediate data writes are enabled, the NvM needs to support API configuration class 2.
Otherwise the APIs provided by configuration class 1 are sufficient for Dem operation.
If  you  do  not  use  an  AUTOSAR  NvM  module,  you  have  to  provide  a  compatible
replacement in order to use features related to non-volatile data management. The NVM
module  needs  to  implement  at  least  the  functionality  described  in  chapter  4.5  NVM
Integration.
3.13.2  NVRAM Write Frequency
The Dem is designed to trigger as less NVRAM writes as possible. Thereto only the data
which  typically changes not  very often is stored during ECU runtime. The following table
will give you an overview of the NVRAM write frequency.
NvRam Item

ntry

ata

E
e D
ntry
y
c
E
r

Data
Data
da
n i
un
ary
Write Frequency
us

on
dm
tat
mir
ec
A
S
Debo
P
S
At shutdown - always
  1  

At shutdown - if content has changed



At clear DTC
        
Immediately - if immediate NVRAM storage is enabled

2  2
Table 3-8   NVRAM write frequency
3.13.3  Data Recovery
As the Dem uses multiple NVRAM blocks to persist its data (refer to 4.5), it might happen
that  correlating  data  becomes  inconsistent  due  to  a  power  loss  or  an  NVRAM  error.  To
avoid  restoring  to  an  undefined  state,  during  initialization  some  errors  are  detected  and
corrected, as follows.
>  Duplicate entries in a memory are resolved by removing the older entry.
>  Stored-Only/Aging status bits are reset if the respective event is not stored, or aged.
>  Depending on aging behavior the status bits TestFailed, PendingDTC,
TestFailedThisOperationCycle and WarningIndicatorRequested, are reset for currently
aging events.
>  Reset status bit TestFailedThisOperationCycle if both TestFailedThisOperationCycle
and TestNotCompletedThisOperationCycle are set.
>  Reset status bit TestNotCompletedSinceLastClear if both TestFailedSincleLastClear
and TestNotCompletedSinceLastClear are set.

1 Only in case of option DemOperationCycleStatusStorage is enabled
2 Only applicable if an event confirms or ages. Please note, an event that toggles from TEST FAILED to
TEST PASSED will also cause NvRam modification.
2015, Vector Informatik GmbH
Version: 4.3.0
45 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
>  De-bounce counters are reset if they exceed the configured threshold, or the
TestFailed bit does not match a reached threshold (only relevant if de-bounce counters
are stored in NVRAM).
>  Stored Events have their status bit corrected if:
>  Events are stored when they reach an fault detection counter limit and if
>  A consecutive failed cycle counter is supported, and has a value > 0, status bits
PendingDTC and TestFailedSincleLastClear are set. If that counter also exceeds
the failure cycle counter threshold, the ConfirmedDTC status bit is set.
>  An occurrence counter is supported and has a value > 0, then status bit
TestFailedSincleLastClear is set.
>  Events are stored with other triggers
>  The status bit TestFailedSincleLastClear is set.
>  If a consecutive failed cycle counter is supported, and has a value > 0, the status bit
PendingDTC is set. If that counter also exceeds the failure cycle counter threshold,
the status bit ConfirmedDTC is set.
>  If the event has a failure cycle counter threshold of 0, the status bit ConfirmedDTC
is set.
>  If events are stored with trigger ConfirmedDTC, status bit ConfirmedDTC is set.
>  If a combined event is stored, but the EventId in NVRAM is not the 'master' EventId for
that combination group, the entry is discarded. This happens due to an integration
error, so also a DET error (inconsistent state) will be set.
>  If the event has no warning indicator configured but the status bit
WarningIndicatorRequested is set, then the status bit WarningIndicatorRequested is
reset.
3.14  Diagnostic Interfaces
To  provide  the  data  maintained  by  the  Dem  to  an  external  tester  the  Dem  supports
interfaces to the Dcm which are described in chapter 6.2.6.
Please note, these API are intended for use by the Dcm module exclusively and may not
be  safe  to  use  otherwise.  In  case  a  replacement  for  the  Dcm  module  has  to  be
implemented, we politely refer to the Autosar Dcm specification  [3], and do not elaborate
on the details within the context of this document.
3.15  Notifications
The  Dem  supports  several  configurable  global  and  specific  event  or  DTC  related
notification  functions  which  will  be  described  in  the  following.  For  details  please  refer  to
chapter 6.5.1.
2015, Vector Informatik GmbH
Version: 4.3.0
46 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
Status notifications are separated for asynchronous and synchronous changes (also
  see chapter 3.3.3). A status report may therefore result in separate notifications.

Caution
Notifications are not necessarily ordered correctly. This means the event status
  received from a notification function is not reliable.
Do not use event notification in safety relevant contexts (see AUTOSAR RfC
48668)
To work around the issue, you can prevent monitors and the Dem task from pre-
empting each other (not recommended) or ignore the received status values and use
GetEventStatus to read the current one.

3.15.1  Event Status Changed
These  are  notifications  for  an  event  status  change  independent  of  the  DTC  status
availability  mask. With  the  given  old  and new  status  the  receiver  is  able  to  identify  what
has changed.
>  General notification:
This callback function is called from Dem for each event on status change.
>  Event specific notifications:
Each event may have one or more of these callback functions which are called only if
the respective event status has changed.
>  FIM notification:
This callback function is called for each event on status change. Dependent on the
given state the FIM is able to derive the new fault inhibition state.
3.15.2  DTC Status Changed
These are notifications for a DTC status change. The DTC status availability mask is taken
into account, so status bits which are not supported will not cause a notification. It is also
possible that a changed event status does not change the resulting status of a combined
DTC.
>  Event specific notifications:
Each event may have one or more of these callback functions which are called only if
the respective DTC status has changed.
>  Dcm notification:
This is callback function is called for each DTC status change. Dependent on the given
state the Dcm is able to decide if a ROE message shall be sent.
3.15.3  Event Data Changed
These notifications will be called from Dem if the data related to an event has changed.
>  General notification:
This is a single callback function which is called for each event on data change.
2015, Vector Informatik GmbH
Version: 4.3.0
47 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
>  Event specific notification:
Each event may have one callback function which is called on event data change.
3.15.4  Monitor Re-Initialization
These notifications are  called from  Dem,  to signal  to diagnostic monitors  that a new test
result is now requested. This can happen due to clearing the fault memory, the start of a
new  operation  cycle,  or  the  re-enabling  of  previously  disabled  DTC  settings  or  enable
conditions
The set of notification calls is fully customizable in the configuration.
>  Event specific notification:
Each event may have one callback function which is called for the reasons mentioned
above.
>  Function specific notifications:
Each event may have one or more of this callback functions which is called for the
reasons mentioned above.
For combined events, this callback is notified for each event if they are re-enabled by
enable conditions.
3.16  Indicators
An  event  can  be  configured  to  have  one  or  more  indicators  assigned.  An  indicator  is
reported  active  if  at  least  one  assigned  event  requests  it,  and  cleared  when  all  events
assigned  to  it  have  revoked  their  warning  indicator  request  (i.e.  by  healing  or  diagnostic
service ClearDtc).
The indicator status is set always with event confirmation (set condition of bit 3), and reset
after the configured number of operation cycles during which the event was tested, but not
tested failed.
An event’s warning indicator request status is reported in bit 7 of the UDS status byte.
3.16.1  User Controlled WarningIndicatorRequest
Use  cases  that  demand  setting  of  the  UDS  Bit  7  (WarningIndicatorRequest)  differently
from  the  normal  indicator  handling  can  be  met  using  the  operation  SetWIRStatus  (see
chapter 6.6.1.1.9).
Examples include resetting the WIR bit only with the next power cycle after the indicator
status has healed, or setting it with the first failed result instead of the ‘confirmedDTC’ bit.
This  interface  also  allows  controlling  Bit7  of  a  BSW  error.  There  is  only  a  SWC  API
available to control the WIR status bit of BSW errors, so a SWC module has to be used for
this task in all cases.
To calculate the visible status of Bit 7, the ‘normal’ monitor WIR request is logically OR’ed
to the user controlled state as depicted in Figure 3-5.
2015, Vector Informatik GmbH
Version: 4.3.0
48 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
UDS  DTC  status  change  notifications  are  called  only  if  the  combined  (User
  Controlled  +  Indicator)  status  changes.  In  case  more  detailed  information  is
needed a SWC can use the operation GetWIRStatus in combination with event
status notifications.

Figure 3-5  User Controlled WarningIndicatorRequest
3.17  Interface to the Runtime Environment
The  Dem  interacts  with  the  application  through  the  Rte  and  defined  port  interfaces  (see
chapter 6.6).
There are no statically defined callouts that need to be implemented by the application. All
notifications and callouts are set up during configuration.
This  is  why  the  Dem software  component  description  file  (Dem_swc.arxml)  is  generated
based on the configuration.
3.18  Error Handling
3.18.1  Development Error Reporting
By  default,  development  errors  are  reported  to  the  Det  using  the  service
Det_ReportError()  as  specified  in  [2],  if  development  error  reporting  is  enabled  (i.e.
pre-compile parameter Dem_DEV_ERROR_DETECT==STD_ON).
If  another  module  is  used  for  development  error  reporting,  the  function  prototype  for
reporting the error can be configured by the integrator, but must have the same signature
as the service Det_ReportError().
The reported Dem ID is 54.
The  reported  service  IDs  identify  the  services  which  are  described  in  6.2.  The  following
table presents the service IDs and the related services:
Service ID
Service
0x00
Dem_GetVersionInfo()
0x01
Dem_PreInit()
0x02
Dem_Init()
0x03
Dem_Shutdown()
2015, Vector Informatik GmbH
Version: 4.3.0
49 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Service ID
Service
0x04
Dem_SetEventStatus()
0x05
Dem_ResetEventStatus()
0x06
Dem_PrestoreFreezeFrame()
0x07
Dem_ClearPrestoredFreezeFrame()
0x08
Dem_SetOperationCycleState()
0x09
Dem_SetOperationCycleCntValue
0x0A
Dem_GetEventStatus()
0x0B
Dem_GetEventFailed()
0x0C
Dem_GetEventTested()
0x0D
Dem_GetDTCOfEvent()
0x0E
Dem_DcmGetSeverityOfDTC()
0x0F
Dem_ReportErrorStatus()
0x11
Dem_SetAgingCycleState
0x12
Dem_SetAgingCycleCounterValue
0x13
Dem_DcmSetDTCFilter()
0x15
Dem_DcmGetStatusOfDTC()
0x16
Dem_DcmGetDTCStatusAvailabilityMask()
0x17
Dem_DcmGetNumberOfFilteredDTC()
0x18
Dem_DcmGetNextFilteredDTC()
0x19
Dem_DcmGetDTCByOccurrenceTime()
0x1A
Dem_DcmDisableDTCRecordUpdate()
0x1B
Dem_DcmEnableDTCRecordUpdate()
0x1C
Dem_DcmGetOBDFreezeFrameData
0x1D
Dem_DcmGetFreezeFrameDataByDTC()
0x1F
Dem_DcmGetSizeOfFreezeFrameByDTC()
0x20
Dem_DcmGetExtendedDataRecordByDTC()
0x21
Dem_DcmGetSizeOfExtendedDataRecordByDTC()
0x22
Dem_DcmClearDTC()
0x23
Dem_ClearDTC()
0x24
Dem_DcmDisableDTCSetting()
0x25
Dem_DcmEnableDTCSetting()
0x29
Dem_GetIndicatorStatus()
0x2A
Dem_DcmCancelOperation()
0x30
Dem_GetEventExtendedDataRecord()
0x31
Dem_GetEventFreezeFrameData()
0x32
Dem_GetEventMemoryOverflow()
0x33
Dem_SetDTCSuppression()
0x34
Dem_DcmGetFunctionalUnitOfDTC()
2015, Vector Informatik GmbH
Version: 4.3.0
50 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Service ID
Service
0x36
Dem_SetEventSuppression()
0x37
Dem_SetEventAvailable()
0x38
Dem_SetStorageCondition()
0x39
Dem_SetEnableCondition()
0x3A
Dem_DcmGetNextFilteredRecord()
0x3B
Dem_DcmGetNextFilteredDTCAndFDC()
0x3C
Dem_DcmGetTranslationType()
0x3D
Dem_DcmGetNextFilteredDTCAndSeverity()
0x3E
Dem_GetFaultDetectionCounter()
0x3F
Dem_DcmSetFreezeFrameRecordFilter()
0x40
Dem_DltGetAllExtendedDataRecords
0x41
Dem_DltGetMostRecentFreezeFrameRecordData
0x51
Dem_SetEventDisabled
0x52
Dem_DcmReadDataOfOBDFreezeFrame
0x53
Dem_DcmGetDTCOfOBDFreezeFrame
0x55
Dem_MainFunction()
0x61
Dem_DcmReadDataOfPID01
0x63
Dem_DcmReadDataOfPID1C
0x64
Dem_DcmReadDataOfPID21
0x65
Dem_DcmReadDataOfPID30
0x66
Dem_DcmReadDataOfPID31
0x67
Dem_DcmReadDataOfPID41
0x68
Dem_DcmReadDataOfPID4D
0x69
Dem_DcmReadDataOfPID4E
0x6B
Dem_DcmGetInfoTypeValue08
0x6C
Dem_DcmGetInfoTypeValue0B
0x71
Dem_RepIUMPRDenLock
0x72
Dem_RepIUMPRDenRelease
0x73
Dem_RepIUMPRFaultDetect
0x79
Dem_SetPtoStatus
0x7A
Dem_SetWIRStatus()
0x90
Dem_J1939DcmSetDTCFilter()
0x91
Dem_J1939DcmGetNumberOfFilteredDTC ()
0x92
Dem_J1939DcmGetNextFilteredDTC()
0x93
Dem_J1939DcmFirstDTCwithLampStatus()
0x94
Dem_J1939DcmGetNextDTCwithLampStatus ()
0x95
Dem_J1939DcmClearDTC()
0x96
Dem_J1939DcmSetFreezeFrameFilter()
2015, Vector Informatik GmbH
Version: 4.3.0
51 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Service ID
Service
0x97
Dem_J1939DcmGetNextFreezeFrame()
0x98
Dem_J1939DcmGetNextSPNInFreezeFrame()
0x99
Dem_J1939DcmSetRatioFilter
0x9A
Dem_J1939DcmGetNextFilteredRatio
0x9B
Dem_J1939DcmReadDiagnosticReadiness1
0x9C
Dem_J1939DcmReadDiagnosticReadiness2
0x9D
Dem_J1939DcmReadDiagnosticReadiness3
0xAA
Dem_SetPfcCycle
0xAB
Dem_GetPfcCycle
0xAE
Dem_SetIUMPRDenCondition
Table 3-9   Service IDs
Table 3-10 presents the service IDs of APIs not defined by AUTOSAR, the related services
and corresponding errors:
Service ID
Service
0xD0
Dem_InitMemory()
0xD1
Dem_PostRunRequested()
0xD2
Dem_GetEventEnableCondition()
0xD3
Dem_GetWIRStatus()
0xD4
Dem_EnablePermanentStorage
0xD5
Dem_GetIUMPRGeneralData
0xD6
Dem_GetNextIUMPRRatioData (API was removed since version 8.00.00)
0xD7
Dem_GetNextIUMPRRatioDataAndDTC
0xD8
Dem_GetCurrentIUMPRRatioDataAndDTC
0xDB
Dem_RequestNvSynchronization()
0xF1
Dem_NvM_InitAdminData()
Dem_NvM_InitStatusData()
Dem_NvM_InitDebounceData()
0xF2
Dem_NvM_JobFinished()
0xFF
Internal function calls
Table 3-10   Additional Service IDs
The errors reported to Det are described in the following table:
Error Code
Description
0x10  DEM_E_PARAM_CONFIG
Service was called with a parameter value which is
not allowed in this configuration
0x11  DEM_E_PARAM_POINTER
Service was called with a NULL pointer argument
0x12  DEM_E_PARAM_DATA
Service was called with an invalid parameter value
2015, Vector Informatik GmbH
Version: 4.3.0
52 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Error Code
Description
0x13  DEM_E_PARAM_LENGTH
Service was called with an invalid length or size
parameter
0x20  DEM_E_UNINIT
Service was called before the Dem module has been
initialized
0x30  DEM_E_NODATAAVAILABLE
Data collection failed (application error)
0x40  DEM_E_WRONG_CONDITION
Service was called with unsatisfied precondition
0xF0  DEM_E_INCONSISTENT_STATE  Dem is in an inconsistent internal state
Table 3-11   Errors reported to Det
3.18.1.1  Parameter Checking
AUTOSAR requires that API functions check the validity of their parameters. These checks
are for development error reporting and are en-/disabled together with development error
reporting.

Caution
If the Dem is used in as Pre-Compile variant, Dem_PreInit() does not verify the
  initialization pointer. This pointer is unused anyways, so we deviate from [1] in order to
be more in line with most other Autosar modules.

3.18.1.2  Defensive Behavior
If required, all assertion checks can be left active, only disabling the notification to the Det
module.  This  behavior  can  be  controlled  by  configuration  option  DemGeneral/DemUse-
DefensiveBehavior.
3.18.2  Production Code Error Reporting
The Dem does not report any production code related errors.
Production  code  errors  in  general  are  errors  which  shall  be  saved  through  the  Dem  by
definition. Errors of Dem itself occurring during normal operation are not saved as DTC.
3.19  J1939

Note
Dependent on the licensed components of your delivery the feature J1939 may not be
  available in DEM.

In  general  the  SAE  J1939  communication  protocol  was  developed  for  heavy-duty
environments but is also applicable for communication networks in light- and medium-duty
on-road and off-road vehicles.
J1939 does not describe how the fault memory shall behave but how to report the faults
and their related data.
2015, Vector Informatik GmbH
Version: 4.3.0
53 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
With  the  interface  described  in  chapter  6.2.7  the  following  diagnostic  messages  can  be
supported:
Diagnostic Message
DM1 – Active Diagnostic Trouble Codes
DM2 – Previously Active Diagnostic Trouble Codes
DM3 – Diagnostic Data Clear/Reset Of Previously Active DTCs
DM4 – Freeze Frame Parameters
DM11 – Diagnostic Data Clear/Reset of Active DTCs
DM25 – Expanded Freeze Frame
DM31 – DTC To Lamp Association
DM35 – Immediate Fault Status
Table 3-12   Diagnostic messages where content is provided by Dem
3.19.1  J1939 Freeze Frame and J1939 Expanded Freeze Frame
With  J1939  enabled,  the  Dem  supports  two  globally  defined  J1939  specific  freezes  in
addition to the environmental data described in chapter 3.10. Each DTC can be configured
individually to support freeze frame and/or expanded freeze frame, or none.
The  J1939  (expanded)  freeze  frame  data  is  stored  when  the  DTC  becomes  active
(ConfirmedDTC  1) and is not updated if the DTC reoccurs.
These freeze frames are stored in addition to any configured ‘standard’ freeze frames but
they are not mapped into a UDS snapshot record.
3.19.2  Indicators
In addition to the ‘normal’ indicators (refer to 3.16) a J1939 related DTC may support up to
one of the J1939 specific indicators listed below.
>  Red Stop Lamp (RSL)
>  Amber Warning Lamp (AWL)
>  Protect Lamp (PL)
These indicators use different behavior settings, as required for J1939. These settings are
valid for the indicators mentioned above:
>  Continuous
>  Fast Flash
>  Slow Flash
Differently  from  the  ‘normal’  AUTOSAR  indicators,  Dem_GetIndicatorStatus()  returns  a
prioritized result if multiple events request the same indicator with different behavior. E.g.
the  PL  is  triggered  at  the  same  time  as  “Continuous”  and  “Fast  Flash”,  the  behavior  is
indicated as “Continuous”.
DTC  and  event  suppression  (refer  to  chapter  3.9.2)  with  DTC  format  set  to  J1939  the
configured  indicator  is  not  applied  to  the  ECU  indicator  state.  I.e.  the  API
Dem_GetIndicatorStatus()  will  return  the  same  result  whether  DTCs  are  suppressed  or
2015, Vector Informatik GmbH
Version: 4.3.0
54 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
not. To match this behavior, the network management node ID related indicator status also
reports the indicator state of suppressed DTCs.
3.19.3 Clear DTC
In contrast to the clear process defined by UDS which provides the DTC itself or the group
of DTCs that shall be cleared, the J1939 Clear DTC command provides the DTC status
that must match the available J1939 DTCs to be cleared.
DTCs with the following DTC status can be cleared:
DTC Status

TestFailed (Bit0) == 1
Active
AND
ConfirmedDTC (Bit3) == 1
TestFailed (Bit0) == 0
Previously Active
AND
ConfirmedDTC (Bit3) == 1
Table 3-13 J1939 DTC Status to be cleared

Caution
Events without a DTC number cannot be cleared using the J1939 API as they do not
 support the ConfirmedDTC status.

3.20 Clear DTC APIs
The clear DTC operations are implemented in full accordance with [1].
Please be aware that the <xxx>ClearDTC interfaces start an asynchronous clear process.
While one clear operation is in progress, other clear requests receive a
DEM_CLEAR_BUSY response (see chapters 6.2.4.27, 6.2.6.20 and 6.2.7.1 for details).

Caution
The Dem will reject new clear requests with DEM_CLEAR_BUSY until the final result of
 an ongoing clear DTC has been retrieved (Figure 3-6).

2015, Vector Informatik GmbH
Version: 4.3.0
55 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
sd Clear DTC
Client 1
Client 2
Dem
<xxx>ClearDTC()
Clear
start()
:DEM_CLEAR_PENDING
Operation
*<xxx>ClearDTC()
:DEM_CLEAR_PENDING
<xxx>ClearDTC()
:DEM_CLEAR_BUSY
finish()
<xxx>ClearDTC()
:DEM_CLEAR_BUSY
<xxx>ClearDTC()
:DEM_CLEAR_OK

Figure 3-6 Concurrent Clear Requests
2015, Vector Informatik GmbH
Version: 4.3.0
56 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4  Integration
This chapter gives necessary information for the integration of the MICROSAR  Dem into
an application environment of an ECU.
4.1
Scope of Delivery
The delivery of the Dem contains the files which are described in the chapters  4.1.1 and
4.1.2:
4.1.1
Static Files
File Name
Source
Object
Description
Code
Code
Delivery  Delivery
Dem.c
This is the source file of the Dem. It contains the


main functionality of the Dem.
Dem.h
This header file provides the Dem API functions for
BSW modules and the application. This file is


supposed to be included by client modules but not
by Dcm.
Dem_Dcm.h
This header file provides the Dem API functions for


the Dcm. This file is supposed to be included by
Dcm.
Dem_J1939Dcm.h
This header file provides the Dem API functions for


the J1939Dcm. This file is supposed to be included
by J1939Dcm.
Dem_Types.h
This header file contains all Dem data types. Do not


include this file directly, but include Dem.h instead.
Dem_Cbk.h
This header file contains callback functions intended
for the NvM module. Include this in the NvM


configuration for the declarations of the initialization
and notification functions.
Dem_Validation.h
This header file contains static configuration checks.


Inconsistent configuration settings will trigger #error
directives within this file.
Dem_Cdd_Types.h
This header file contains all types that are supposed
to be generated by the Rte.


In case no Rte is used, this file is included instead of
Rte_Dem_Type.h. Otherwise, this file is not used at
all.
Table 4-1   Static files
4.1.2
Dynamic Files
The dynamic files are generated by the configuration tool Cfg5.
File Name
Description
Dem_Cfg.h
This header file contains the configuration switches of the Dem.
2015, Vector Informatik GmbH
Version: 4.3.0
57 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
File Name
Description
Dem_Lcfg.c
This source file contains configuration values and tables of the Dem.
Dem_Lcfg.h
This header file provides access functions to the Dem for the configuration
values and tables.
Dem_PBcfg.c
This source file contains post-buildable configuration values/tables of the
Dem.
For easier handling, this file is created in pre-compile configurations as well. If
your build environment produces error messages due to this file not defining
any symbols, feel free to exclude it from the build.
Dem_PBcfg.h
This header file provides access functions to the Dem for the post-buildable
configuration values and tables.
Dem_swc.arxml  This AUTOSAR xml file is used for the configuration of the Rte. It contains the
information to get prototypes of callback functions offered by other
components.
Table 4-2   Generated files
2015, Vector Informatik GmbH
Version: 4.3.0
58 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4.2
Include Structure
class IncludeStructure
FiM.h
Det.h
SchM_Dem.h
EcuM_Error.h
MemMap.h
Dcm.h
J1939Dcm.h
Dlt.h
NvM.h
J1939Nm.h
_Appl.h
«include»
«include»
«include»
«include»
«include»
vstdlib.h
«include»
Dem.c
«include»
«include»
«include» «include»
«include»
Dem_Dcm.h
Dem_J1939Dcm.h
Dem_Cbk.h
Rte_Dem.h
«include»
«include» «include»
«include»
«include»
«include»
Dem_Validation.h
Dem.h
Dem_Types.h
Rte_Dem_Type.h
Dem_Cdd_Types.h
«include»
«include»
«include»
«include»
«include»
«include»
Dem_Lcfg.h
Dem_PBcfg.h
Dem_Cfg.h
Std_Types.h
«include»
«include»
Dem_PBcfg.c
Dem_Lcfg.c

Figure 4-1 Include structure
2015, Vector Informatik GmbH
Version: 4.3.0
59 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4.3
Compiler Abstraction and Memory Mapping
The objects (e.g. variables, functions, constants) are declared by compiler independent
definitions – the compiler abstraction definitions. Each compiler abstraction definition is
assigned to a memory section.
The following table contains the memory section names and the compiler abstraction
definitions of the Dem and illustrates their assignment among each other.
Compiler Abstraction
T
Definitions
S

N

T
RM
CO
P
G

DE
NS
L_
L_
P
CF
Memory Mapping
P
B

_CO
_CO
_CA
_A
_P
Sections
M
M
M
M
M
DE

DE

DE

DE

DE
DEM_START_SEC_CODE



DEM_STOP_SEC_CODE
DEM_START_SEC_CONST_<size>



DEM_STOP_SEC_CONST_<size>
DEM_START_SEC_CALIB_<size>



DEM_STOP_SEC_CALIB_<size>
DEM_START_SEC_PBCFG


DEM_STOP_SEC_PBCFG
DEM_START_SEC_PBCFG_ROOT


DEM_STOP_SEC_PBCFG_ROOT
Table 4-3 Compiler abstraction and memory mapping, constant sections

Compiler Abstraction

A

T
Definitions

A

IT

A

A
A

IN
T
T
A
T
A

IT
A
T
A
D
D_D
_DA
D
E

L_
R
R_IN
R_NO
M_
_D
T
P
A
Memory Mapping
A
A
P
H

_V
_V
_DCM
_NV
_DL
_A
_S
Sections
M
M
M
M
M
M
M
DE

DE

DE

DE

DE

DE

DE
DEM_START_SEC_VAR_NO_INIT_<size>




DEM_STOP_SEC_VAR_NO_INIT_<size>
DEM_START_SEC_VAR_INIT_<size>



DEM_STOP_SEC_VAR_INIT_<size>
2015, Vector Informatik GmbH
Version: 4.3.0
60 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
DEM_START_SEC_VAR_SAVED_ZONE0_<size>




DEM_STOP_SEC_VAR_SAVED_ZONE0_<size>
DCM diagnostic buffer (section depends on DCM




implementation)
Application or RTE buffer used in port communication



(section depends on configuration and port mapping)
Table 4-4 Compiler abstraction and memory mapping, variable sections
4.3.1
Copy Routines
By default, the Dem implementation uses the copy routines provided by the Vector
standard library (VStdLib). Its copy routines are aware of the Autosar Memory Mapping
feature, and will work independently from the chosen mapping.
If the Dem module is not integrated into a MICROSAR 4 environment, the VstdLib module
might not be available, or not be enabled to support Autosar Memory Mapping.
In this case, you can disable the use of VstdLib (Configuration option DemGeneral/
DemUseMemcopyMacros). The Dem provides a simple copy routine based on a for-loop,
which is used as default replacement for the VstdLib implementation.
If necessary, you can also replace this default implementation. To do so, simply provide a
specialized definition of the following macros, e.g. globally, or in a user-config file:
Dem_MemCpy_Macro(destination_ptr, source_ptr, length_in_byte)
Dem_MemSet_Macro(destination_ptr, value_byte, length_in_byte)
4.4
Critical Sections
The Dem uses the Critical Section implementation of the SchM.
4.4.1
Exclusive Area 0
DiagMonitor
Purpose:
Ensures data consistency between the Diagnostic Monitors and the Dem task.
Interfaces:
> SchM_Enter_Dem_DEM_EXCLUSIVE_AREA_0
> SchM_Exit_Dem_DEM_EXCLUSIVE_AREA_0

Runtime:
Short runtime; The runtime will increase if J1939 nodes are used.

Dependency:
> Dem_MainFunction()
> Dem_ReportErrorStatus()
> Dem_SetEventStatus()
> Dem_ResetEventStatus()
> Dem_ResetEventDebounceStatus()
2015, Vector Informatik GmbH
Version: 4.3.0
61 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
DiagMonitor
>  Dem_PrestoreFreezeFrame()
>  Dem_ClearPrestoredFreezeFrame()
>  Dem_GetIndicatorStatus()
>  Dem_SetWIRStatus()
>  Dem_SetEventAvailable()
>  Dem_SetDTCSuppression()
>  Dem_SetEventSuppression()
>  Dem_RepIUMPRFaultDetect()1
>  Dem_RepIUMPRDenLock()1
>  Dem_RepIUMPRDenRelease()1
>  Dem_SetIUMPRDenCondition()1

Recommendation:
This critical section is used from Dem_ReportErrorStatus() which has an unknown call context (it
may be called from any BSW and CDD, and even before the system is fully initialized).
Therefore this critical section cannot be mapped to OS resources.
Table 4-5   Exclusive Area 0

1 API may not be part of the delivery as its availability depends on the DEM license.
2015, Vector Informatik GmbH
Version: 4.3.0
62 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4.4.2
Exclusive Area 1
StateManager
Purpose:
Ensures data consistency in case of preempted execution between application state managers
and Dem task.
Interfaces:
>  SchM_Enter_Dem_DEM_EXCLUSIVE_AREA_1
>  SchM_Exit_Dem_DEM_EXCLUSIVE_AREA_1

Runtime:
short runtime, sparse usage

Dependency:
>  Dem_MainFunction()
>  Dem_SetOperationCycleState()
>  Dem_SetEnableCondition()
>  Dem_SetStorageCondition()
>  Dem_DcmDisableDTCSetting()
>  Dem_DcmEnableDTCSetting()
>  Dem_SetPfcCycle()1

Recommendation:
No recommendation.
Table 4-6   Exclusive Area 1
2015, Vector Informatik GmbH
Version: 4.3.0
63 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4.4.3
Exclusive Area 2
DcmApi
Purpose:
Protects global state data and values used to track Dcm related tasks from concurrent
modification.

Interfaces:
>  SchM_Enter_Dem_DEM_EXCLUSIVE_AREA_2
>  SchM_Exit_Dem_DEM_EXCLUSIVE_AREA_2

Runtime:
short runtime, sparse usage

Dependency:
>  Dem_MainFunction()
>  Dem_DcmClearDTC()
>  Dem_J1939DcmClearDTC()
>  Dem_DcmCancelOperation()
>  Dem_DcmReadDataOfPID01()1
>  Dem_DcmReadDataOfPID21()1
>  Dem_EnablePermanentStorage()1
Recommendation:
No recommendation.
Table 4-7   Exclusive Area 2
4.5
NVM Integration
In  general,  the  Dem  module  is  designed  to  work  with  an Autosar  NvM  to  provide  non-
volatile data storage.
It  is  expected  that  all  NV  blocks  used  by  the  Dem  are  configured  with  the  parameters
detailed in the following chapters:
>  RAM buffer
>  Initialization method: ROM element or initialization function
>  Single block job end notification
>  Enabled for both WriteAll and ReadAll
When using a non-Autosar NV manager, please also refer to the Autosar SWS of the NvM
module for more details on the expected behavior.

1 API may not be part of the delivery as its availability depends on the DEM license.
2015, Vector Informatik GmbH
Version: 4.3.0
64 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4.5.1
NVRAM Demand
All non-volatile data blocks used by the Dem must be configured to match the size of the
underlying  type.  Since  the  actual  size  depends  on  compiler  settings  and  platform
properties, this size cannot be calculated by the configuration tool.
To find the correct data structure sizes, you can use temporary code to perform a ‘sizeof’
operation on the data types involved, or check your linker map file if it contains this kind of
data.
The MICROSAR NvM implementation supports a feature to verify the correct configuration
of  block  sizes.  It  is  strongly  recommended  to  enable  this feature;  it  also  provides  a  very
easy way to find out the correct block sizes.
Table 4-8 lists the types used by the different data elements.
NvRam  Item  RAM buffer symbol
Type
Comment
Admin Data
Dem_Cfg_AdminData
Dem_Cfg_AdminDataType
-
Event Data
Dem_Cfg_StatusData
Dem_Cfg_StatusDataType
-
Debounce Data  Dem_Cfg_DebounceData
Dem_Cfg_DebounceDataType
Only if de-
bounce counter
storage is
enabled
Available Data  Dem_Cfg_EventAvailableData
Dem_Cfg_EventAvailableDataType  Only if
DemAvailabilitySt
orage is enabled
Primary
Dem_Cfg_PrimaryEntry_0
Dem_Cfg_PrimaryEntryType
-
Memory
…
Dem_Cfg_PrimaryEntry_N
Secondary
Dem_Cfg_SecondaryEntry_0
Dem_Cfg_PrimaryEntryType
Only if secondary
Memory
…
memory is
Dem_Cfg_SecondaryEntry_N
enabled

Table 4-8   NvRam blocks
2015, Vector Informatik GmbH
Version: 4.3.0
65 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4.5.2
NVRAM Initialization
The NVM provides a means to initialize RAM buffers, if the backing storage cannot restore
a preserved copy – e.g. because none has ever been stored yet.
For this, the Dem provides initialization functions and default ROM data. The Init functions
are declared in Dem_Cbk.h, the ROM constants are declared in
NvRam Item
Initialization
Admin Data
Call Dem_NvM_InitAdminData()
Event Data
Call Dem_NvM_InitStatusData()
Debounce Data
Call Dem_NvM_InitDebounceData()
Available Data
Call Dem_NvM_InitEventAvailableData()
Primary Memory
Copy initialization data from Dem_MemoryEntryInit
Secondary Memory
Copy initialization data from Dem_MemoryEntryInit
Table 4-9   NvRam initialization

Note
Dem_Cfg_PrimaryEntry_0… Dem_Cfg_PrimaryEntry_N depend on the number of
  primary entries stored in the ECU. (e.g. 0 … 19 in case of 20 primary entries). The
same applies to the secondary memory.

4.5.2.1
Controlled Re-initialization
Some  use-cases  require  the  total  reset  of  all  stored  data.  A  simple  way  for  that  is  to
change the Dem configuration id (DemGeneral/DemCompiledConfigId) in the configuration
tool.
This  is  especially  useful  during  development,  when  a  different  software  configuration  is
loaded while the NV contents still remain from an older software version. Please be aware
that changing the Dem configuration is likely to require resetting the NV data.
If  a  different  configuration  id  is  detected  during  Dem_Init(),  the  Dem  will  completely
reinitialize  all  data.  This  can  be  helpful  if  you  do  not  want  to  use  the  similar  feature
provided by NvM.
In post-build configurations, the configuration Id will change automatically to ensure the NV
data is cleared if configuration changes invalidate the stored NV data.

Caution
Re-initialization is no replacement for ClearDtc. It will not respect any requirements
  regarding the clear command.

4.5.2.2
Common Errors
Sadly  the  Dem  software  cannot  cope  with  all  possible  inconsistent  NV  data.  In  some
situations  the  NV  data  must  be  managed  in  parts  from  outside  the  Dem  to  ensure  data
consistency.
2015, Vector Informatik GmbH
Version: 4.3.0
66 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
  Initial initialization:
On the very first startup, the Dem will re-initialize the NV data. Unless this data is
actually persisted within the NV-Ram, the Dem will keep re-initializing all data on
startup.
You must allow the Dem to initialize its data, which requires at least one normal
shutdown.
Incomplete recovery:
After changing the Dem configuration, the contents currently stored in the NV memory
are internally inconsistent for the Dem module. This can happen when applying a new
Dem installation on an existing hardware, or when changing the Dem configuration
during development.
In most cases, the compiled config Id will suffice to re-initialize old content, but in some
cases the NvM will itself re-initialize some of the Dem blocks – but not all. In this case,
the compiled config Id does not work reliably.
4.5.3
Expected NVM Behavior
stm NVRAM Handling
Startup
Pre-Initialization
Run State
Shutdow n
[RAM destroyed]
[RAM intact]
Startup
DEM Pre-Initialization
Operate
Nv M Initialization
DEM
Dem Shutdow n
Nv M data retention
Initialization
notes
[!PostRunRequested]
notes
notes
notes
-> Dem_PreInit()
-> NvM_ReadAll()
notes
-> Dem_Shutdown()
-> NvM_WriteAll()
Abort
-> Dem_Init()
Shutdown
loop all Bocks used by Dem
loop all blocks used by Dem
Immediate NvRam write == ON             Immediate NvRam write == OFF
Block
Block
modified?
invalid?
[data has changed]
[data has changed]
[valid]
/NvM_WriteBlock
/NvM_SetRamBlockStatus
[Yes]
[Invalid]
[JobResult ==
NVM_REQ_OK]
Write data to
Initialize Block
NVRAM
w ait Nv M j ob notification
notes
Either option:
notes
call initialization function
-> Dem_NvM_JobFinished
copy ROM data
Ram-Block status:
[JobResult !=
unmodified
NVM_REQ_OK]
Ram-Block status:
/NvM_SetRamBlockStatus
modified
notes
NvM_SetRamBlockStatus

Figure 4-2  NvM behavior
The key assumptions about NVM behavior are depicted in Figure 4-2.
  The NVM initialization will start after Dem_PreInit() was called.
  Before Dem_Init() is called, all blocks used by Dem are either restored from non-
volatile memory, or re-initialized by calling the respective initialization function or
copying the initialization ROM data.
  If a block has been re-initialized, the NVM will not need a separate call to
NvM_SetRamBlockStatus() to retain the changed data later on.
  After Dem_Shutdown() is called, all blocks marked as modified by Dem or due to re-
initialization are retained in non-volatile memory.
2015, Vector Informatik GmbH
Version: 4.3.0
67 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
  Before Dem_Init() is called after a Dem_Shutdown(), all data has either been
restored again, or is still valid.
  After the Dem has requested an immediate write block, the NvM is expected to notify
the result by means of callback Dem_NvM_JobFinished().

Caution
The Dem cannot keep track of NV-Ram blocks that have not been retained in non-
  volatile memory if the shutdown process is aborted.
After Dem_Init() is called, the Dem assumes the NVM will not need a trigger to store
a block which has changed before Dem_Shutdown() was called.
Due to this, the Dem will also not instruct the NVM to immediately write changed
environment data from before Dem_Shutdown().

Caution
The Dem tries to detect completely uninitialized NV-Ram data by means of a ‘magic
  pattern’ in the AdminData block.
Still, the Dem is unable to detect only partially initialized data. So if your implementation
of the NVM module only initializes some of the Dem’s non-volatile data, the results are
undefined.

Caution
Even when some NV data is stored during runtime of the Dem module, it is not optional
  to store the remaining data as well.
The shutdown phase must always be finished before powering down the ECU. It is not
sufficient to simply drop the power supply.

Caution
If the NV data storage during runtime was not successful the Dem marks the NVRAM
  block as to be considered for shutdown NVRAM storage. Hence it is mandatory to
configure all Dem NVRAM blocks to be processed during NvM_WriteAll.

4.5.4
Flash Lifetime Considerations
If  you  need  to  safe  on  writes  to  the  NVRAM,  e.g.  because  your  backing  storage  is
implemented as Flash EEPROM emulation, be aware of your options available to reduce
Dem data writes.
NV  synchronization  takes  place at  least  at  shutdown,  but  due  to  configuration  or explicit
request  the  NV  data  can  be  synchronized  during  runtime  as  well.  In  that  case,  multiple
2015, Vector Informatik GmbH
Version: 4.3.0
68 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
writes to the backing storage can happen during a single power cycle, increasing wear on
the backing storage. Please refer to Table 3-8 for details regarding the write frequency.
4.6
Rte Integration
4.6.1
Runnable Entities
The Dem has been implemented in a way that allows all API to safely preempt each other.
So, all runnables can be called from fully preemptive tasks.
Runnable entity
Remarks
Dem_MainFunction
The Dem_MainFunction Runnable entity corresponds to
the Dem cyclic task function. As such, it has to be
mapped to a task.
Most notification and callout functions are called from this
Runnable
Dem_SetEventStatus
These runnables should not be mapped to a task for
Dem_ResetEventStatus
efficiency reasons.
Dem_GetEventStatus
Please note that these API are implemented reentrant for
Dem_GetEventFailed
different Pports, so clients do not need to synchronize
Dem_GetEventTested
these calls.
Dem_GetDTCOfEvent
Dem_GetEventEnableCondition
Dem_GetEventFreezeFrameData
Dem_GetEventExtendedDataRecord
Dem_GetFaultDetectionCounter
Dem_SetEventSuppression
Dem_PrestoreFreezeFrame
Dem_ClearPrestoredFreezeFrame
Dem_SetOperationCycleState
Dem_SetEnableCondition
Dem_SetStorageCondition
Dem_GetIndicatorStatus
Dem_GetEventMemoryOverflow
Dem_PostRunRequest
Dem_SetEventSuppression
Dem_SetDTCSuppression
Table 4-10   Dem runnable entities
4.6.2
Application Port Interface
Application software will communicate with the Dem through port interfaces only. The Dem
port  interfaces  all  use  port  defines  arguments  to  abstract  from  internal  object  handles.
Please refer to general Autosar documentation (not in scope of this document).
The  EventId  is  available  through  some  notification  port  operations,  though  a  typical
application  is  strongly  advised  not  to  rely  on  the handle  of  a  Dem  event for any  reason.
Instead, use port mapping to use a specific event and let the Rte handle the details.
2015, Vector Informatik GmbH
Version: 4.3.0
69 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
4.6.3
DcmIf
The  Dcm  uses  a  dedicated  port  interface  of  type  ‘DcmIf’  to  communicate  to  the  Rte  in
which contexts it calls Dem APIs. This is a necessary mechanism to identify e.g. OS tasks
on which Dem APIs are called.
The port prototype provided by Dem – simply called ‘Dcm’ – needs to be connected to the
equivalent port prototype required by Dcm. Please make sure to verify your configuration
accordingly.  Failing  to  do  so  might  result  in  missing  serialization  resulting  in  data
corruption.

Note
If the MICROSAR 4 Dem is used in a different environment than pure AUTOSAR4, it
  might not be possible to use Rte port mapping for the DcmIf port interface.
E.g. AUTOSAR before release 4 did not allow connecting service interfaces with other
service interfaces.
In those cases it usually is sufficient to map the Dcm task functions to the same task as
the Dem task function (Dem_MainFunction()).
Other measures may be possible, but are subject to the specific conditions of the run-
time setup. Since the details also depend on the implementation of notification function
(functions called by Dem which are implemented in application code), an exhaustive
suggestion is not possible in the scope of this document.

4.7
Post-Run requirements
Before  shutting  down  the  Dem  by  calling  Dem_Shutdown()  the  runtime  environment
needs to verify that the Dem is in a consistent state.
Normally,  this  can  be  achieved  within  Dem_Shutdown(),  but  in  some  cases  the  Dem
needs  to  wait  for  an  NVRAM  write  operation  to  complete  before  the  cleanup  operations
can be performed. This will only be possible if immediate writes are activated.
For  this  reason,  the  Dem  must  be  queried  via  the API  Dem_PostRunRequested()  to
make  sure  there  are  no  pending  write  operations  that  block  the  shutdown  process.
Otherwise  the  Dem  will  notify  this  state  to  the  Det  (if  Development  Error  Detection  is
enabled) and some event related data will be lost. E.g. a cleared event could be present
again after the ECU restarts.
The runtime environment should make sure that monitors do not report test results to the
Dem  after  the  result  of  Dem_PostRunRequested()  is  evaluated,  because  this  would
lengthen the time the Dem requires in PostRun.

2015, Vector Informatik GmbH
Version: 4.3.0
70 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
If you want to test for the post run condition, the Dem will enter this state only if the
  same data is modified again while the NVRAM write is pending. This second
invalidation of the data block can only be reported to NvM after the write completes.

4.8
Run-Time limitation
In order to reduce run time ‘spikes’, the Dem supports a simple limiter for clearing the fault
memory.  In  effect,  the  Dem  can  be  instructed  to  only  delete  a  limited  number  of  DTCs
during  a  single  task  cycle.  This  will  cause  the  operation  to  take  much  longer,  but  will
distribute the effort through multiple task cycles.

Caution
Combined DTCs must be cleared ‘en bloc’, so the Dem will clear combined events
  even when it exceeds the allowed limit. Thus, the sum of the largest combined event
and the limiter value can be cleared during a single task cycle.

A suggestion for the ‘correct’ setting of the clear limit, or even if the feature should be used
in  a  given  set-up  cannot  be  given  in  the  scope  of  this  document.  It  remains  in  the
responsibility of the integrator to identify run-time constraints that require its use.
4.9
Split main function
The Dem currently only provides a single task function. In case the features ‘time based
debouncing’ and ‘OBD’ are not enabled, the Dem main function does not drive a timer. In
that case, the configured cycle time is irrelevant for the function of the Dem module.
This allows mapping the Dem task function on a lower priority task, or a background task.
Since the Dcm APIs are also served from the Dem task function, this can affect the Dcm
response  times.  To  prevent  unwanted  NRC  78  (response  pending)  responses  from  the
Dcm  module,  make  sure  the  Dem  main  function  is  not  stalled  by  your  choice  of  task
mapping.
As  soon  as  the  Dem  configuration  requires  timer  handling  (e.g.  for  time  based  de-
bouncing), the Dem main function must be called with the configured cycle time.
2015, Vector Informatik GmbH
Version: 4.3.0
71 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
5  Measurement and Calibration
Measurement  and  calibration  is  a  powerful  workflow  during  ECU  development  phase
which  allows  to  monitor  (e.g.  via  XCP)  module  internal  variables  and  also  to  modify  the
configuration so the behavior will be changed. These changes in the module configuration
can be done without the need to build new software which is flashed into the ECU.
5.1
Measurable Data
Measurable objects are not intended to be modified as they may have direct influence to
DEM state machines and therefore might result in an undefined behavior. So their current
value shall be read out only.
Please not that not all elements might be available – disabled features usually also disable
some of the RAM tables.
The following tables describe the measurable objects:
5.1.1
Dem_Cfg_StatusData
Dem_Cfg_StatusData
Measureable Item
Base Type
Description
FirstFailedEvent
uint16
The event id which was first reported as failed (FDC 127).
FirstConfirmedEvent
uint16
The event id which has confirmed first.
MostRecentFailedEvent
uint8
The event id which was reported as failed (FDC 127)
most recently.
MostRecentConfmdEvent  uint16
The event id which has confirmed most recently.
TripCount[]
uint8
The number of trips for each event.
EventStatus[]
uint8
The current UDS status for each event. Please note that
the actual DTC status may differ from the event status.
Table 5-1   Measurement item Dem_Cfg_StatusData
5.1.2
Dem_Cfg_EventDebounceValue
Dem_Cfg_EventDebounceValue[]
Measureable Item
Base Type
Description
Dem_Cfg_EventDebounceValue[]
uint16
Current value of the de-bounce counter or
time, depending on selected algorithm.
Table 5-2   Measurement item Dem_Cfg_EventDebounceValue
2015, Vector Informatik GmbH
Version: 4.3.0
72 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
5.1.3
Dem_Cfg_EventMaxDebounceValues
Dem_Cfg_EventMaxDebounceValues[]
Measureable Item
Base Type
Description
Dem_Cfg_EventMaxDebounceValues[] uint16
Maximum value of the de-bounce counter or
time in current operation cycle, depending on
the selected algorithm.
Table 5-3 Measurement item Dem_Cfg_EventMaxDebounceValues[]
5.1.4
Dem_PrimaryEntry_<Number>
Dem_PrimaryEntry_<Number>
Measureable Item Base Type
Description
Timestamp
uint32
Entry/ update time of the primary entry slot. Used to provide
a chronology order between the primary entry slots.
AgingCounter
uint16
The current aging count of the event (refer to 3.10.1).
EventId
uint16
The event id which is stored in this primary entry slot.
MaxDebounceValue uint16
The maximum de-bounce value of the respective event since
last fault memory clear.
OccurrenceCounter uint8
refer to 3.10.1
SnapshotData[][]
uint8
refer to 3.9
ExtendedData[][]
uint8
refer to 3.9
ExtendedHeader
uint8
Bit coded information which extended data record is
currently stored.
SnapshotHeader
uint8
If DEM is configured for calculated snapshots: bit coded
information which snapshot record is currently stored.
If DEM is configured for configured snapshots: counter which
indicates the current number of stored snapshot records.
Table 5-4 Measurement item Dem_PrimaryEntry_<Number>
5.2
Post-Build Support
Please also refer to chapter 7.3 for configuration aspects of the post-build features.
5.2.1
Initialization
During the startup of the ECU, the Dem expects to receive a pointer to preliminary
configuration data in Dem_PreInit(). Typically the final ECU configuration is determined
after the NV subsystem is available, but the Dem still needs access to the de-bouncing
configuration of events reported prior to full initialization.
The final configuration data can optionally be passed to Dem_Init().
Both pointers are passed by the MICROSAR EcuM based on the post-build configuration.
If no MICROSAR EcuM is used, the procedure of how to find the proper initialization
pointers is out of scope of this document.
2015, Vector Informatik GmbH
Version: 4.3.0
73 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Caution
The final configuration may not introduce change to the de-bouncing configuration of
  events reported prior to full initialization.
The new configuration data cannot be applied in retrospect, so the state of these
events could become inconsistent, e.g. FDC > 127, and TestFailed == 0.

The  Dem  module  will  verify  the  configuration  data  before  accepting  it  to  initialize  the
module. If this verification fails, an EcuM error hook (see chapter  6.3.1) is called with an
error code according to Table 5-5.
Error Code
Reason
ECUM_BSWERROR_NULLPTR
Initialization with a null pointer.
ECUM_BSWERROR_MAGICNUMBER
Magic pattern check failed. This pattern is
appended at the end of the initialization root
structure. An error here is a strong indication of
random data, or a major incompatibility
between the code and the configuration data.
ECUM_BSWERROR_COMPATIBILITYVERSION  The configuration data was created by an
incompatible generator. This is also tested by
verification of a ‘magic’ pattern, so initialization
with random data can also cause this error
code.
Table 5-5   Error Codes possible during Post-Build initialization failure
If no MICROSAR EcuM is used, this error hooks and the error code constants have to be
provided by the environment.
1.  If the pointer equals NULL_PTR, initialization is rejected.
2.  If the initialization structure does not end with the correct magic number it is rejected.
3.  If the initialization structure was created by an incompatible generator version it is
rejected (starting magic number check)

Caution
The verification steps performed during initialization are neither intended nor sufficient
  to detect corrupted configuration data. They are intended only to detect initialization
with a random pointer, and to reject data created by an incompatible generator version.

2015, Vector Informatik GmbH
Version: 4.3.0
74 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
5.2.2
Post-Build Loadable
Vector also provides a tool based approach superior to calibration. While calibration only
modifies  existing  configuration  tables,  the  Post-Build  Loadable  approach  also  allows  to
validate the configuration change preventing misconfiguration, and to use compacted table
structures – with benefits to run-time and ROM usage.

Note
We do not support adding (or removing) of Events to /from an existing configuration
  during Post-Build. If you have ‘inactive’ monitors that are enabled by calibration or
other means, statically set up the Event for this monitor and use the API
Dem_SetEventAvailable() to control event availability.

5.2.3
Post-Build Selectable
The MICROSAR Identity Manager (refer to  [9]) is an implementation of  the AUTOSAR 4
post-build  selectable  concept.  It  allows  the  ECU  manufacturer  to  include  several  DEM
configurations  within  one  ECU.  With  post-build  selectable  and  the  Identity  Manager  the
ECU  variants  are  downloaded  within  the  ECUs  non-volatile  memory  (e.g.  flash)  at  ECU
build  time.  Post-build  selectable  does  not  allow  modification  of  DEM  aspects  after  ECU
build time.

Note
Please refer to the basic software module description (bswmd) file accompanying your
  delivery to find which parameters support post-build selectable.
This information is also displayed in the DaVinci Configurator 5 tool.

Note
We do not support adding (or removing) of Events to / from an existing configuration. If
  you have monitors that are enabled only in some configurations, set up the Event for
this monitor and use the configuration parameter DemEventAvailableInVariant, or API
Dem_SetEventAvailable() to control event availability.
It is not supported to disable all events in all variants using parameter
DemEventAvailableInVariant.

2015, Vector Informatik GmbH
Version: 4.3.0
75 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6 API Description
For an interfaces overview please see Figure 2-2.
6.1
Type Definitions
The types defined by the Dem are described in [1].
2015, Vector Informatik GmbH
Version: 4.3.0
76 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2
Services provided by Dem

Basic Knowledge
Call context means ‘who calls the API’. Typically these are rooted in an OS task
  function or interrupt service routine and contain the call stack up to the API in question.
Call contexts are important to analyze possible data corruption that can occur due to
simultaneous calls from different call contexts. This is not restricted to interruption due
to preemptive OS tasks – A call to an API function from within a notification or callback
function also is a different call context.
Typically not all possible call sequences can be implemented safe for data consistency
with reasonable effort, and valid call contexts might be restricted as a consequence.

6.2.1
Dem_GetVersionInfo()
Prototype
void Dem_GetVersionInfo ( Std_VersionInfoType* versioninfo )
Parameter
versioninfo
Pointer to where to store the version information of this module.
Return code
void
N/A
Functional Description
Returns the version information of this module.
The version information is decimal coded.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-1   Dem_GetVersionInfo()

2015, Vector Informatik GmbH
Version: 4.3.0
77 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

6.2.2
Dem_MainFunction()
Prototype
void Dem_MainFunction ( void )
Parameter
N/A
N/A
Return code
void
N/A
Functional Description
Processes all not event based Dem internal functions.
This function implements run-time heavy tasks. Make sure to allow it has a sufficient time slot for worst
case execution scenarios.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-2   Dem_MainFunction()
2015, Vector Informatik GmbH
Version: 4.3.0
78 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.3
Interface EcuM
6.2.3.1
Dem_PreInit()
Prototype
void Dem_PreInit ( const Dem_ConfigType* ConfigPtr )
Parameter
ConfigPtr
Pointer to preliminary configuration data
Return code
void
N/A
Functional Description
Initializes the internal states necessary to process events reported by BSW-modules.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  The ConfigPtr is used only in post-build variants.
>  If ConfigPtr is not needed, it is not checked to be non-NULL
Expected Caller Context
>  This function may not interrupt any other Dem function.
Table 6-3   Dem_PreInit()
2015, Vector Informatik GmbH
Version: 4.3.0
79 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.3.2
Dem_Init()
Prototype
void Dem_Init ( const Dem_ConfigType* ConfigPtr )
Parameter
ConfigPtr
Pointer to configuration data (Since version 7.00.00)
Return code
void
N/A
Functional Description
Initializes or re-initializes the Dem.
If NULL is passed, the configuration passed to Dem_PreInit() will be used instead.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  The ConfigPtr is used only in post-build variants.
>  The pointer is not checked to be non-NULL
Expected Caller Context
>  This function may not interrupt any other Dem function.
Table 6-4   Dem_Init()
6.2.3.3
Dem_InitMemory()
Prototype
void Dem_InitMemory ( void )
Parameter
N/A
N/A
Return code
void
N/A
Functional Description
- Extension to Autosar –
Use this function to initialize static RAM variables in case the start-up code is not used to initialize RAM.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function may not interrupt any other Dem function.
Table 6-5   Dem_InitMemory()
2015, Vector Informatik GmbH
Version: 4.3.0
80 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.3.4
Dem_Shutdown()
Prototype
void Dem_Shutdown ( void )
Parameter
N/A
N/A
Return code
void
N/A
Functional Description
Shutdown Dem functionality.
The function freezes the Dem data structures. As a result the Dem functionality is no longer available, but
the Dem non-volatile data can be stored in non-volatile memory.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Most pending asynchronous tasks will get lost when this function is called. The only
exceptions are pending event status changes. These remain queued according to [1].
Expected Caller Context
>  This function may not interrupt any other Dem function
Table 6-6   Dem_Shutdown()
2015, Vector Informatik GmbH
Version: 4.3.0
81 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4
Interface SWC and CDD
6.2.4.1
Dem_SetEventStatus()
Prototype
Std_ReturnType Dem_SetEventStatus ( Dem_EventIdType EventId, Dem_EventStatusType
EventStatus )
Parameter
EventId
Identification of an event by assigned EventId.
EventStatus
Monitor test result
DEM_EVENT_STATUS_PASSED: monitor reports a qualified passed test
result
DEM_EVENT_STATUS_FAILED: monitor reports a qualified failed test result
DEM_EVENT_STATUS_PREPASSED: monitor reports a passed test result
DEM_EVENT_STATUS_PREFAILED: monitor reports a failed test result
Return code
Std_ReturnType
E_OK: set of event status was successful
E_NOT_OK: set of event status failed or could not be accepted (e.g.: the
operation cycle configured for this event has not been started, an according
enable condition has been disabled)
Functional Description
API for SWCs to report a monitor result to the Dem.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is not reentrant with the other operations defined in DiagnosticMonitor (for the
same EventId) (see Table 6-86)
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-7   Dem_SetEventStatus()
2015, Vector Informatik GmbH
Version: 4.3.0
82 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.2
Dem_ResetEventStatus()
Prototype
Std_ReturnType Dem_ResetEventStatus ( Dem_EventIdType EventId )
Parameter
EventId
Identification of an event by assigned EventId.
Return code
Std_ReturnType
E_OK: reset of event status was successful
E_NOT_OK: reset of event status failed or is not allowed, because the event
is already tested in this operation cycle
Functional Description
Resets the event failed status of an event.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is not reentrant with the other operations defined in DiagnosticMonitor (for the
same EventId) (see Table 6-86)
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-8   Dem_ResetEventStatus()
2015, Vector Informatik GmbH
Version: 4.3.0
83 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.3
Dem_ResetEventDebounceStatus()
Prototype
Std_ReturnType Dem_ResetEventDebounceStatus() ( Dem_EventIdType EventId,
Dem_DebounceResetStatusType DebounceResetStatus )
Parameter
EventId
Identification of an event by assigned EventId.
DebounceResetStatus  Select the action to take
Return code
Std_ReturnType
E_OK: The request was processed successfully
E_NOT_OK: The request was rejected
Functional Description
SWC API to control the Dem internal event de-bouncing.
Depending on DebounceResetStatus and the EventId's configured debouncing algorithm, this API performs
the following:
>  Time Based Debouncing
>  DEM_DEBOUNCE_STATUS_FREEZE
If the de-bounce timer is active, it is paused without modifying its current value. Otherwise this has
no effect. The timer will continue if the monitor reports another PREFAILED or PREPASSED in the
same direction.
>  DEM_DEBOUNCE_STATUS_RESET
The de-bounce timer is stopped and its value is set to 0.
>  Counter Based Debouncing
>  DEM_DEBOUNCE_STATUS_FREEZE:
This has no effect.
>  DEM_DEDOUNCE_STATUS_RESET:
This will set the current value of the debounce counter back to 0.
>  Monitor Internal Debouncing
>  The API returns E_NOT_OK in either case.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is not reentrant with the other operations defined in DiagnosticMonitor (for the
same EventId) (see Table 6-86)
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-9   Dem_ResetEventDebounceStatus()
2015, Vector Informatik GmbH
Version: 4.3.0
84 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.4
Dem_PrestoreFreezeFrame()
Prototype
Std_ReturnType Dem_PrestoreFreezeFrame ( Dem_EventIdType EventId )
Parameter
EventId
Identification of an event by assigned EventId.
Return code
Std_ReturnType
E_OK: Freeze frame pre-storage was successful
E_NOT_OK: Freeze frame pre-storage failed
Functional Description
Captures the freeze frame data for a specific event.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is not reentrant with the other operations defined in DiagnosticMonitor (for the
same EventId) (see Table 6-86)
>  This function is synchronous.
>  The function can have significant run-time.
>  If the call to this function coincides with the event storage on the task function, the Dem might
capture a current data set instead of using the pre-stored data.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-10   Dem_PrestoreFreezeFrame()
2015, Vector Informatik GmbH
Version: 4.3.0
85 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.5
Dem_ClearPrestoredFreezeFrame()
Prototype
Std_ReturnType Dem_ClearPrestoredFreezeFrame ( Dem_EventIdType EventId )
Parameter
EventId
Identification of an event by assigned EventId.
Return code
Std_ReturnType
E_OK: Clear pre-stored freeze frame was successful
E_NOT_OK: Clear pre-stored freeze frame failed
Functional Description
Clears a pre-stored freeze frame of a specific event.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is not reentrant with the other operations defined in DiagnosticMonitor (for the
same EventId) (see Table 6-86)
>  This function is synchronous.
>  If the call to this function coincides with the event storage on the task function, the Dem might
use the pre-stored data set instead of discarding it.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-11   Dem_ClearPrestoredFreezeFrame()
2015, Vector Informatik GmbH
Version: 4.3.0
86 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.6
Dem_SetOperationCycleState()
Prototype
Std_ReturnType Dem_SetOperationCycleState ( uint8 OperationCycleId,
Dem_OperationCycleStateType CycleState )
Parameter
OperationCycleId
Identification of operation cycle, like power cycle or driving cycle.
CycleState
New operation cycle state: (re-)start or end
DEM_CYCLE_STATE_START: start a stopped cycle or restart an active cycle
DEM_CYCLE_STATE_END: stop an active cycle
Return code
Std_ReturnType
E_OK: set of operation cycle was successful
E_NOT_OK: set of operation cycle failed
Functional Description
This function reports a started or stopped operation cycle to the Dem.
The state change will set TestNotCompletedThisOperationCycle bits for all events using OperationCycleId
as operation cycle. Also all passive events using OperationCycleId as aging or healing cycle will increase
their respective counter and can heal or age.
It is allowed to call this run in pre-initialized mode to start the operation cycle of BSW events before full
initialization.
Since all these operations are computationally intensive, this function will not immediately complete but
postpone the work to the Dem task. Events that use OperationCycleId as operation cycle still use the last
known state until then.
Particularities and Limitations
>  This function is reentrant (for different OperationCycleId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-12   Dem_SetOperationCycleState()
2015, Vector Informatik GmbH
Version: 4.3.0
87 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.7
Dem_GetEventStatus()
Prototype
Std_ReturnType Dem_GetEventStatus ( Dem_EventIdType EventId,
Dem_EventStatusExtendedType* EventStatusExtended )
Parameter
EventId
Identification of an event by assigned EventId.
EventStatusExtended  UDS DTC status byte of the requested event.
If the return value of the function call is E_NOT_OK, this parameter does not
contain valid data.
Return code
Std_ReturnType
E_OK: get of event status was successful
E_NOT_OK: get of event status failed
Functional Description
Gets the current extended event status of an event.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-13   Dem_GetEventStatus()

2015, Vector Informatik GmbH
Version: 4.3.0
88 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.8
Dem_GetEventFailed()
Prototype
Std_ReturnType Dem_GetEventFailed ( Dem_EventIdType EventId, Boolean*
EventFailed )
Parameter
EventId
Identification of an event by assigned EventId.
EventFailed
TRUE – Last Failed
FALSE – not Last Failed
Return code
Std_ReturnType
E_OK: get of “EventFailed” was successful
E_NOT_OK: get of “EventFailed” was not successful
Functional Description
Gets the failed status of an event.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-14   Dem_GetEventFailed()
2015, Vector Informatik GmbH
Version: 4.3.0
89 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.9
Dem_GetEventTested()
Prototype
Std_ReturnType Dem_GetEventTested ( Dem_EventIdType EventId, Boolean*
EventTested )
Parameter
EventId
Identification of an event by assigned EventId.
EventTested
TRUE – event tested this cycle
FALSE – event not tested this cycle
Return code
Std_ReturnType
E_OK: get of event state “tested” successful
E_NOT_OK: get of event state “tested” failed
Functional Description
Gets the tested status of an event.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-15   Dem_GetEventTested()

2015, Vector Informatik GmbH
Version: 4.3.0
90 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.10  Dem_GetDTCOfEvent()
Prototype
Std_ReturnType Dem_GetDTCOfEvent ( Dem_EventIdType EventId, Dem_DTCFormatType
DTCFormat, uint32* DTCOfEvent )
Parameter
EventId
Identification of an event by assigned EventId.
DTCFormat
Defines the output-format of the requested DTC value.
DEM_DTC_FORMAT_UDS: output format shall be UDS
DEM_DTC_FORMAT_OBD: output format shall be OBD
DEM_DTC_FORMAT_J1939: output format shall be J1939
DTCOfEvent
Receives the DTC value in respective format returned by this function. If the
return value of the function is other than E_OK this parameter does not
contain valid data.
Return code
Std_ReturnType
E_OK: get of DTC was successful
E_NOT_OK: the call was not successful
E_NO_DTC_AVAILABLE: there is no DTC
Functional Description
Provides the DTC number for the given EventId.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-16   Dem_GetDTCOfEvent()
2015, Vector Informatik GmbH
Version: 4.3.0
91 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.11  Dem_GetEventAvailable()
Prototype
Std_ReturnType Dem_GetEventAvailable (Dem_EventIdType EventId, Boolean
*AvailableStatus)
Parameter
EventId
Identification of an event by assigned EventId.
AvailableStatus
Receives the current availability status:
TRUE: Event is ‘available’
FALSE: Event is ‘not available’
Return code
Std_ReturnType
E_OK: Request processed successfully
E_NOT_OK: Invalid parameters passed to the function (only if Det is enabled).
Functional Description
This API returns the current availability state of an event (also see Dem_SetEventAvailable())
It is valid to call this API for events that have been set to unavailable.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Conditional [DemAvailabilityStorage == false]: This API may be called before full initialization
(after Dem_PreInit).
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-17   Dem_GetEventAvailable()
2015, Vector Informatik GmbH
Version: 4.3.0
92 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.12  Dem_SetEnableCondition()
Prototype
Std_ReturnType Dem_SetEnableCondition ( uint8 EnableConditionID, Boolean
ConditionFulfilled )
Parameter
EnableConditionID
This parameter identifies the enable condition.
ConditionFulfilled
This parameter specifies whether the enable condition assigned to the
EnableConditionID is fulfilled (TRUE) or not fulfilled (FALSE).
Return code
Std_ReturnType
E_OK: the enable condition could be set successfully
E_NOT_OK: the setting of the enable condition failed
Functional Description
Sets an enable condition.
Each event may have assigned several enable conditions. Only if all enable conditions referenced by the
event are fulfilled the event will be processed in Dem_SetEventStatus(), Dem_ReportErrorStatus() and
during time based de-bouncing.
Depending on configuration, enabling an enable condition can be deferred to the Dem task. Enable
condition changes of the same enable condition can be lost if they change faster than the cycle time of the
Dem main function. See chapter 3.7 for further details.
Particularities and Limitations
>  This function is reentrant (for different EnableConditionID).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-18   Dem_SetEnableCondition()

2015, Vector Informatik GmbH
Version: 4.3.0
93 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.13  Dem_SetStorageCondition()
Prototype
Std_ReturnType Dem_SetStorageCondition ( uint8 StorageConditionID, Boolean
ConditionFulfilled )
Parameter
StorageConditionID
This parameter identifies the storage condition.
ConditionFulfilled
This parameter specifies whether the storage condition assigned to the
StorageConditionID is fulfilled or not fulfilled.
TRUE: storage condition fulfilled
FALSE: storage condition not fulfilled
Return code
Std_ReturnType
E_OK: the storage condition could be set successfully
E_NOT_OK: the setting of the storage condition failed
Functional Description
Sets a storage condition.
Each event may have assigned several storage conditions. Only if all storage conditions referenced by the
event are fulfilled the event may be stored in memory.
Particularities and Limitations
>  This function is reentrant (for different StorageConditionID).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-19   Dem_SetStorageCondition()

2015, Vector Informatik GmbH
Version: 4.3.0
94 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.14  Dem_GetFaultDetectionCounter()
Prototype
Std_ReturnType Dem_GetFaultDetectionCounter ( Dem_EventIdType EventId, sint8*
FaultDetectionCounter )
Parameter
EventId
Provide the EventId value the fault detection counter is requested for. If the
return value of the function is other than OK this parameter does not contain
valid data.
FaultDetectionCounter  This parameter receives the Fault Detection Counter information of the
requested EventId. If the return value of the function call is other than E_OK
this parameter does not contain valid data.
-128dec…127dec PASSED… FAILED according to ISO 14229-1
Return code
Std_ReturnType
E_OK: request was successful
E_NOT_OK: request failed
DEM_E_NO_FDC_AVAILABLE: if the event does not support de-bouncing
Functional Description
Gets the fault detection counter of an event.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-20   Dem_GetFaultDetectionCounter()

2015, Vector Informatik GmbH
Version: 4.3.0
95 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.15  Dem_GetIndicatorStatus()
Prototype
Std_ReturnType Dem_GetIndicatorStatus ( uint8 IndicatorId,
Dem_IndicatorStatusType* IndicatorStatus )
Parameter
IndicatorId
The respective indicator which shall be checked for its status.
IndicatorStatus
Status of the indicator, like off, on, or blinking.
DEM_INDICATOR_OFF: indicator off
DEM_INDICATOR_CONTINUOUS: continuous on
DEM_INDICATOR_BLINKING: blinking mode
DEM_INDICATOR_BLINK_CONT: continuous and blinking mode
DEM_INDICATOR_FAST_FLASH: fast flash mode
DEM_INDICATOR_SLOW_FLASH: slow flash mode
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed or is not supported
Functional Description
Gets the indicator status derived from the event status and the configured indicator states.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-21   Dem_GetIndicatorStatus()
2015, Vector Informatik GmbH
Version: 4.3.0
96 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.16  Dem_GetEventFreezeFrameData()
Prototype
Std_ReturnType Dem_GetEventFreezeFrameData ( Dem_EventIdType EventId, uint8
RecordNumber, Boolean ReportTotalRecord, uint16 DataId, uint8* DestBuffer )
Parameter
EventId
Identification of an event by assigned EventId.
RecordNumber
This parameter is a unique identifier for a freeze frame record as defined in
ISO15031-5 and ISO14229-1.
0xFF means that the most recent freeze frame record shall be returned.

ReportTotalRecord
TRUE: total freeze frame record (all PIDs/DIDs) data are requested
FALSE: a dedicated PID/DID is requested by the parameter DataId
DataId
This parameter specifies the PID (ISO15031-5) or DID (ISO14229-1) that shall
be copied to the destination buffer.
If ReportTotalRecord is TRUE, the value of DataId is ignored.
DestBuffer
The pointer to the buffer where the freeze frame data shall be written to.
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed
DEM_E_NODATAAVAILABLE: The data is not currently stored for the
requested event.
DEM_E_WRONG_RECORDNUMBER: The requested data was not copied
due to an undefined RecordNumber for the given event.
DEM_E_WRONG_DIDNUMBER: The requested data was not copied due to
an undefined data indentifier within the requested record (in case
ReportTotalRecord == FALSE)
Functional Description
Gets the data of a freeze frame/snapshot record for the given EventId.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-22   Dem_GetEventFreezeFrameData()

2015, Vector Informatik GmbH
Version: 4.3.0
97 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.17  Dem_GetEventExtendedDataRecord()
Prototype
Std_ReturnType Dem_GetEventExtendedDataRecord ( Dem_EventIdType EventId, uint8
RecordNumber, uint8* DestBuffer )
Parameter
EventId
Identification of an event by assigned EventId.
RecordNumber
Identification of requested Extended data record. The valid range is 0x01 …
0xFF whereas 0xFF means that all extended data records shall be returned.
DestBuffer
The pointer to the buffer where the extended data shall be written to.
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed
DEM_E_NODATAAVAILABLE: The data is not currently stored for the
requested event.
DEM_E_WRONG_RECORDNUMBER: The requested data was not copied
due to an undefined RecordNumber for the given event.
Functional Description
Gets the data of an extended data record by the given EventId.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-23   Dem_GetEventExtendedDataRecord()
2015, Vector Informatik GmbH
Version: 4.3.0
98 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.18  Dem_GetEventEnableCondition()
Prototype
void Dem_GetEventEnableCondition ( Dem_EventIdType EventId, Boolean*
ConditionFulfilled )
Parameter
EventId
This parameter identifies the enable condition.
ConditionFulfilled
This parameter specifies whether the enable conditions assigned to the
EventId is fulfilled (TRUE) or not fulfilled (FALSE).
Return code
void
N/A
Functional Description
- Extension to AUTOSAR –
Returns the enable condition state for the given event.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-24   Dem_GetEventEnableCondition()
2015, Vector Informatik GmbH
Version: 4.3.0
99 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.19  Dem_GetEventMemoryOverflow()
Prototype
Std_ReturnType Dem_GetEventMemoryOverflow ( Dem_DTCOriginType DTCOrigin,
Boolean* OverflowIndication )
Parameter
DTCOrigin
Selects the memory which shall be checked for overflow indication.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
OverflowIndication
This parameter returns TRUE if the according event memory was overflowed,
otherwise it returns FALSE.
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed or is not supported
Functional Description
Reports if a DTC was displaced or not stored in the given event memory because the event memory was
completely full at the time.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-25   Dem_GetEventMemoryOverflow()
2015, Vector Informatik GmbH
Version: 4.3.0
100 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.20  Dem_GetNumberOfEventMemoryEntries()
Prototype
Std_ReturnType Dem_GetNumberOfEventMemoryEntries ( Dem_DTCOriginType DTCOrigin,
uint8* NumberOfEventMemoryEntries )
Parameter
DTCOrigin
Identifier of the event memory concerned.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information
located in the primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information
located in the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information
located in the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located
in the mirror memory
NumberOfEventMemoryEntries  Pointer to receive the event count.
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed or is not supported
Functional Description
This function reports the number of event entries occupied by events. This does not necessarily correspond
to the DTC count read by Dcm due to event combination and other effects like post-building the OBD
relevance of a DTC stored in OBD permanent memory.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-26   Dem_GetNumberOfEventMemoryEntries()
2015, Vector Informatik GmbH
Version: 4.3.0
101 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.21  Dem_PostRunRequested()
Prototype
Std_ReturnType Dem_PostRunRequested (Boolean IsRequested )
Parameter
IsRequested
Set to TRUE: In case the Dem needs more time to finish NvRAM related
tasks. Shutdown is not possible without data loss.
Set to FALSE: Shutdown is possible. This value is only valid if all monitors are
disabled.
Return code
Std_ReturnType
E_OK: is always returned with disabled Det
E_NOT_OK: is returned with enabled Det when an error is detected
Functional Description
- Extension to Autosar –
Test if the Dem can be shut down safely (without possible data loss).
This function must be polled after leaving RUN mode (all application monitors have been stopped). Due to
pending NVM activity, data loss is possible if Dem_Shutdown is called while this function still returns TRUE.
As soon as the NVM finishes writing the current Dem data block, this function will return FALSE. The time
window for unsafe shutdown only depends on the write time of a data block (up to several seconds in
unfortunate circumstances!)
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-27   Dem_PostRunRequested()
2015, Vector Informatik GmbH
Version: 4.3.0
102 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.22  Dem_SetWIRStatus()
Prototype
Std_ReturnType Dem_SetWIRStatus (Dem_EventIdType EventId, Boolean WIRStatus )
Parameter
WIRStatus
Set to TRUE:  The WarningIndicatorRequest Bit of the DTC status for the
specified Event will be reported as “1”, independent to the current event
status.
Set to FALSE: The behavior of the WarningIndicatorRequest Bit in the DTC
status byte only depends on the event status.
Return code
Std_ReturnType
E_OK: is returned if the new WIR status have been applied successfully
E_NOT_OK: is returned if the new WIR status have not been applied (e.g.
because of disabled ControlDTCSetting). The application should repeat the
request
Functional Description
This API can be used to override the status of the WarningIndicatorRequest Bit in the DTC status to “1”.
Note that overriding the WIR status does neither affect the internal event status nor any indicators related
to the event. Only the DTC status reported by APIs like Dem_GetStatusOfDTC (et al.) or the DT Status
Changed callbacks are affected.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-28   Dem_SetWIRStatus ()
2015, Vector Informatik GmbH
Version: 4.3.0
103 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.23  Dem_GetWIRStatus()
Prototype
Std_ReturnType Dem_GetWIRStatus (Dem_EventIdType EventId, Boolean* WIRStatus )
Parameter
WIRStatus
Set to TRUE:  The WarningIndicatorRequest Bit is currently user-controlled
and have been set by the API Dem_SetWIRStatus.
Set to FALSE: The WarningIndicatorRequest Bit is currently not user-
controlled. The WIR-Bit in the DTC status byte only depends on the event
status.
Return code
Std_ReturnType
E_OK: is always returned with disabled Det
E_NOT_OK: is returned with enabled Det when an error is detected
Functional Description
- Extension to Autosar –
This API can be used get the current override the status of the WarningIndicatorRequest Bit in the DTC
status.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-29   Dem_GetWIRStatus ()
2015, Vector Informatik GmbH
Version: 4.3.0
104 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.24  Dem_SetDTCSuppression()
Prototype
Std_ReturnType Dem_SetDTCSuppression (uint32 DTC, Dem_DTCFormatType DTCFormat,
Boolean SuppressionStatus )
Parameter
DTC
The DTC Number to be suppressed.
DTCFormat
Defines the format of the given DTC to be suppressed
DEM_DTC_FORMAT_UDS: handle DTC in UDS format
DEM_DTC_FORMAT_J1939: handle DTC in J1939 format.
SuppressionStatus
TRUE: Suppress the DTC
FALSE: Report the DTC
Return code
Std_ReturnType
E_OK: Request processed successfully
E_NOT_OK: DTC not supported, DTC is already active (i.e. stored in event
memory), or invalid parameters passed to the function (only if Det is enabled).
Functional Description
This API suppresses the Event reporting the given DTCs such, that Dcm will not report the DTC. DTC
notification functions (e.g. to Dcm) are not called as well, preventing RoE responses.
Event reporting and notification (e.g. to FiM) are not affected and work as usual.
Particularities and Limitations
>  This function is reentrant for different DTCs.
>  This function is synchronous.
>  When the call to this function interrupts the entry process, this function can suppress an event
that is in the process of being entered into the event memory. In that case the function returns
E_OK but the DTC is still reported to the Dcm.
In order to make sure the suppression works correctly, either
>  clear DTCs after changing suppression
>  change suppression of DTCs before the monitors start reporting
>  prevent interruption of the Dem task by this function
>  DEM_DTC_FORMAT_OBD is not supported for this function.
Expected Caller Context
>  This function can be called from SWC modules, with limitations.
Table 6-30   Dem_SetDTCSuppression()
2015, Vector Informatik GmbH
Version: 4.3.0
105 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.25  Dem_SetEventSuppression()
Prototype
Std_ReturnType Dem_SetEventSuppression (Dem_EventIdType EventId, Boolean
SuppressionStatus )
Parameter
EventId
Identification of an event by assigned EventId.
SuppressionStatus
TRUE: Suppress the DTC attached to this event
FALSE: Report the DTC attached to this event
Return code
Std_ReturnType
E_OK: Request processed successfully
E_NOT_OK: Event is already active (i.e. stored in event memory), or invalid
parameters passed to the function (only if Det is enabled).
Functional Description
This API suppresses Events such, that Dcm will not report the DTC mapped to the event. DTC related
notification functions (e.g. to Dcm) are not called as well, preventing RoE responses.
Event reporting and notification (e.g. to FiM) are not affected and work as usual.
Particularities and Limitations
>  This function is reentrant for different EventId.
>  This function is synchronous.
>  When the call to this function interrupts the entry process, this function can suppress an event
that is in the process of being entered into the event memory. In that case the function returns
E_OK but the DTC is still reported to the Dcm.
In order to make sure the suppression works correctly, either
>  clear DTCs after changing suppression
>  change suppression of DTCs before the monitors start reporting
>  prevent interruption of the Dem task by this function
Expected Caller Context
>  This function can be called from any context, with limitations.
>  Although this function is mapped to a port interface, it is safe to use from BSW or CDD
context, as long as Exclusive Area 0 (see chapter 4.4.1) can be used.
Table 6-31   Dem_SetEventSuppression()
2015, Vector Informatik GmbH
Version: 4.3.0
106 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.26  Dem_SetEventAvailable()
Prototype
Std_ReturnType Dem_SetEventAvailable (Dem_EventIdType EventId, Boolean
AvailableStatus)
Parameter
EventId
Identification of an event by assigned EventId.
AvailableStatus
TRUE: Set the Event to ‘available’
FALSE: Set the Event to ‘not available’
Return code
Std_ReturnType
E_OK: Request processed successfully
E_NOT_OK: Event is already active (i.e. stored in event memory), or invalid
parameters passed to the function (only if Det is enabled).
Functional Description
Setting an event to unavailable prevents all APIs from using this EventId.
Event reporting and notification are not possible and the event will not be stored to the event memory.
Events having bit 0 (TestFailed) or bit 3 (ConfirmedDTC) set, stored events and events requesting an
indicator cannot be set unavailable.
Normally, the availability setting is volatile, and this API must be called in each power cycle of the ECU. In
case the option DemAvailabilityStorage is active, the last state is persisted in NVRAM. Since NVRAM is
restored between PreInit and Init, this API cannot be called before full initialization when using this option.
Particularities and Limitations
>  This function is reentrant for different EventId.
>  This function is synchronous.
>  Conditional [DemAvailabilityStorage == false]: This API may be called before full initialization
(after Dem_PreInit).
Expected Caller Context
>  This function can be called from any context, with limitations.
Table 6-32   Dem_SetEventAvailable()
2015, Vector Informatik GmbH
Version: 4.3.0
107 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.27 Dem_ClearDTC()
Prototype
Dem_ReturnClearDTCType Dem_ClearDTC ( uint32 DTC, Dem_DTCFormatType DTCFormat,
Dem_DTCOriginType DTCOrigin )
Parameter
DTC
Defines the DTC in respective format that shall be cleared from the event
memory. If the DTC fits to a DTC group number, all DTCs of the group shall be
cleared.
DTCFormat
Defines the input format of the provided DTC value.
DEM_DTC_FORMAT_UDS: clear UDS DTCs
DEM_DTC_FORMAT_OBD: clear OBD DTCs
DEM_DTC_FORMAT_J1939: clear J1939 DTCs
DTCOrigin
If the Dem supports more than one event memory, this parameter is used to
select the memory which shall be cleared.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
Return code
Dem_ReturnClearDTCTy DEM_CLEAR_OK: clearing is completed, the requested DTC(s) are reset
pe
DEM_CLEAR_WRONG_DTC: the requested DTC is not valid in the context of
DTCFormat and DTCOrigin
DEM_CLEAR_WRONG_DTCORIGIN: the requested DTC origin is not
available in the context of DTCFormat
DEM_CLEAR_FAILED: the clear operation could not be started
DEM_CLEAR_PENDING: the clear operation was started and is currently
processed to completion
DEM_CLEAR_BUSY: the clear operation is occupied from a different client
DEM_CLEAR_MEMORY_ERROR: (Since AR4.2.1) The clear operation has
completed in RAM, but synchronization to Nv-Ram has failed
Functional Description
Clears the stored event data from the event memory, resets the event status byte and de-bounce state.
There is a variety of configuration settings that further control the behavior of this function:
> see DemClearDTCBehavior to control what part of non-volatile write back must have completed before
this function returns DEM_CLEAR_OK
> Init monitor functions are called when an event is cleared, after clearing the event but before returning
OK to the tester
> If an event does not allow clearing (see CBClrEvt_<EventName>()), Init monitor callbacks are called
nonetheless.
2015, Vector Informatik GmbH
Version: 4.3.0
108 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Particularities and Limitations
>  This function is reentrant.
>  This function is asynchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-33   Dem_ClearDTC()
2015, Vector Informatik GmbH
Version: 4.3.0
109 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.4.28  Dem_RequestNvSynchronization()
Prototype
Std_ReturnType Dem_RequestNvSynchronization ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
E_OK: Request processed successfully
E_NOT_OK: Request not processed due to errors, e.g. not initialized
Functional Description
This function can be used to request synchronization with the NV memory.
Following the call to this API, the Dem module will write back all modified NV blocks to the backing storage.
Particularities and Limitations
>  The write process will take a long time (depending on the ECU load, NV subsystem and
configuration size, it can take multiple seconds)
>  Only modifications up to the call to this API are taken into account.
>  There is no indication when everything was written. The Dem still requires a proper shutdown
procedure even when this API is used.
>  If the Dem shuts down while synchronizing the NV content, pending changes are still written
during NvM_WriteAll so no data is lost.
Expected Caller Context
>  This function can be called from any context
>  Although this function is mapped to a port interface, it is safe for use from BSW or CDD
context.
Table 6-34   Dem_RequestNvSynchronization()
2015, Vector Informatik GmbH
Version: 4.3.0
110 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.5
Interface BSW
6.2.5.1
Dem_ReportErrorStatus()
Prototype
void Dem_ReportErrorStatus ( Dem_EventIdType EventId, Dem_EventStatusType
EventStatus )
Parameter
EventId
Identification of an event by assigned EventId.
EventStatus
Monitor test result
Return code
void
N/A
Functional Description
BSW API to report a monitor result.
Particularities and Limitations
>  This function is reentrant (for different EventId).
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-35   Dem_ReportErrorStatus()

2015, Vector Informatik GmbH
Version: 4.3.0
111 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6
Interface Dcm
6.2.6.1
Dem_DcmSetDTCFilter()
Prototype
Dem_ReturnSetFilterType Dem_DcmSetDTCFilter ( uint8 DTCStatusMask,
Dem_DTCKindType DTCKind, Dem_DTCFormatType DTCFormat, Dem_DTCOriginType
DTCOrigin, Dem_FilterWithSeverityType FilterWithSeverity, Dem_DTCSeverityType
DTCSeverityMask, Dem_FilterForFDCType FilterForFaultDetectionCounter )
Parameter
DTCStatusMask
Status byte mask for DTC status byte filtering
0x00: deactivate the status-byte filtering to report all supported DTCs
0x01… 0xFF: status byte mask according to ISO14229-1 to filter for DTCs
with at least one status bit set matching this status byte mask
DTCKind
Defines the functional group of DTCs to be reported.
DEM_DTC_KIND_ALL_DTCS: report all kind of DTCs
DEM_DTC_KIND_EMISSION_REL_DTCS: report OBD relevant DTCs
DTCFormat
Defines the output-format of the requested DTC values for the sub-sequent
API calls.
DEM_DTC_FORMAT_OBD: report DTC in OBD format
DEM_DTC_FORMAT_UDS: report DTC in UDS format
DEM_DTC_FORMAT_J1939: not allowed
DTCOrigin
If the Dem supports more than one event memory this parameter is used to
select the source memory the DTCs shall be read from.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
FilterWithSeverity
This flag defines whether severity information (ref. to parameter below) shall
be used for filtering. This is to allow for coexistence of DTCs with and without
severity information.
DTCSeverityMask
This parameter contains the DTCSeverityMask according to ISO14229-1.
DEM_FILTER_WITH_SEVERITY_YES: severity information shall be used
DEM_FILTER_WITH_SEVERITY_NO : severity information shall not be used
FilterForFaultDetect This flag defines whether the fault detection counter information shall be used
ionCounter
for filtering or not. If fault detection counter information is filter criteria, only
those DTCs with a fault detection counter value between 1 and 0x7E will be
reported.
DEM_FILTER_FOR_FDC_YES: fault detection counter shall be used
DEM_FILTER_FOR_FDC_NO: fault detection counter shall not be used

Note: If the event does not use Dem internal de-bouncing, the Dem will
request this information via GetFaultDetectionCounter.
2015, Vector Informatik GmbH
Version: 4.3.0
112 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Return code
Dem_ReturnSetFilterT Status of the operation to (re-)set a DTC filter.
ype
DEM_FILTER_ACCEPTED: filter was accepted
DEM_WRONG_FILTER: filter was not accepted
Functional Description
Initialize the DTC filter with the given criteria.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-36   Dem_DcmSetDTCFilter()

2015, Vector Informatik GmbH
Version: 4.3.0
113 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.2
Dem_DcmGetNumberOfFilteredDTC()
Prototype
Dem_ReturnGetNumberOfFilteredDTCType Dem_DcmGetNumberOfFilteredDTC ( uint16*
NumberOfFilteredDTC )
Parameter
NumberOfFilteredDTC  The number of DTCs matching the defined filter criteria.
Return code
Dem_ReturnGetNumberO DEM_NUMBER_OK: a valid number of DTC was calculated
fFilteredDTCType
DEM_NUMBER_FAILED: no valid number can be calculated
DEM_NUMBER_PENDING: not used
Functional Description
Returns the number of DTCs matching the filter criteria.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-37   Dem_DcmGetNumberOfFilteredDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
114 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.3
Dem_DcmGetNextFilteredDTC()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_DcmGetNextFilteredDTC ( uint32* DTC,
uint8* DTCStatus )
Parameter
DTC
Receives the DTC value in respective format of the filter returned by this
function. If the return value of the function is other than DEM_FILTERED_OK
this parameter does not contain valid data.
DTCStatus
This parameter receives the status information of the filtered DTC.
It follows the format as defined in ISO14229-1.
If the return value of the function call is other than DEM_FILTERED_OK this
parameter does not contain valid data.
Return code
Dem_ReturnGetNextFil DEM_NUMBER_OK: DTC number and status are valid
teredElementType
DEM_FILTERED_NO_MATCHING_ELEMENT: no DTC can be identified
(iteration end)
DEM_NUMBER_PENDING: not used
DEM_FILTERED_BUFFER_TOO_SMALL: not used
Functional Description
Gets the next filtered DTC and its status.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-38   Dem_DcmGetNextFilteredDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
115 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.4
Dem_DcmGetNextFilteredDTCAndFDC()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_DcmGetNextFilteredDTCAndFDC ( uint32*
DTC, sint8* DTCFaultDetectionCounter )
Parameter
DTC
Receives the DTC value in respective format of the filter returned by this
function. If the return value of the function is other than DEM_FILTERED_OK
this parameter does not contain valid data.
DTCFaultDetectionCou This parameter receives the Fault Detection Counter information of the
nter
requested DTC. If the return value of the function call is other than
DEM_FILTERED_OK this parameter does not contain valid data.
-128dec…127dec /PASSED…FAILED according to ISO 14229-1
Return code
Dem_ReturnGetNextFil DEM_NUMBER_OK: DTC number and FDC are valid
teredElementType
DEM_FILTERED_NO_MATCHING_ELEMENT: no DTC can be identified
(iteration end)
DEM_NUMBER_PENDING: not used
DEM_FILTERED_BUFFER_TOO_SMALL: not used
Functional Description
Gets the current DTC and its associated Fault Detection Counter (FDC) from the Dem.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-39   Dem_DcmGetNextFilteredDTCAndFDC()

2015, Vector Informatik GmbH
Version: 4.3.0
116 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.5
Dem_DcmGetNextFilteredDTCAndSeverity()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_GDcmetNextFilteredDTCAndSeverity (
uint32* DTC, uint8* DTCStatus, Dem_DTCSeverityType* DTCSeverity, uint8*
DTCFunctionalUnit )
Parameter
DTC
Receives the DTC value in respective format of the filter returned by this
function. If the return value of the function is other than DEM_FILTERED_OK
this parameter does not contain valid data.
DTCStatus
Receives the status value returned by the function. If the return value of the
function is other than DEM_FILTERED_OK this parameter does not contain
valid data.
DTCSeverity
Receives the severity value returned by the function. If the return value of the
function is other than DEM_FILTERED_OK this parameter does not contain
valid data.
DTCFunctionalUnit
Receives the functional unit value returned by the function. If the return value
of the function is other than DEM_FILTERED_OK this parameter does not
contain valid data.
Return code
Dem_ReturnGetNextFil DEM_FILTERED_OK: DTC number and all other out parameter are valid
teredDTCType
DEM_FILTERED_NO_MATCHING_ELEMENT: no DTC can be identified
(iteration end)
DEM_NUMBER_PENDING: not used
DEM_FILTERED_BUFFER_TOO_SMALL: not used
Functional Description
Gets the current DTC and its Severity from the Dem.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-40   Dem_DcmGetNextFilteredDTCAndSeverity()

2015, Vector Informatik GmbH
Version: 4.3.0
117 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.6
Dem_DcmSetFreezeFrameRecordFilter()
Prototype
Dem_ReturnSetFilterType Dem_DcmSetFreezeFrameRecordFilter ( Dem_DTCFormatType
DTCFormat, uint16* NumberOfFilteredRecords )
Parameter
DTCFormat
Defines the output-format of the requested DTC values for the sub-sequent
API calls.
DEM_DTC_FORMAT_OBD: report DTC in OBD format
DEM_DTC_FORMAT_UDS: report DTC in UDS format
DEM_DTC_FORMAT_J1939: not allowed
NumberOfFilteredReco Number of freeze frame records currently stored in the event memory.
rds
Return code
Dem_ReturnSetFilterT Status of the operation to (re-)set a freeze frame record filter.
ype
DEM_FILTER_ACCEPTED: filter was accepted
DEM_WRONG_FILTER: filter was not accepted
Functional Description
Initialize the DTC record filter with the given criteria.
Using this function all currently stored snapshot records are counted and the internal state machine is
initialized to read a copy of their data (see Dem_DcmGetNextFilteredRecord). The number of snapshot
records is not fixed. It can change after this function has returned, so Dem_DcmGetNextFilteredRecord can
actually return fewer records.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-41   Dem_DcmSetFreezeFrameRecordFilter()

2015, Vector Informatik GmbH
Version: 4.3.0
118 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.7
Dem_DcmGetNextFilteredRecord()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_DcmGetNextFilteredRecord ( uint32* DTC,
uint8* RecordNumber )
Parameter
DTC
Receives the DTC value in respective format of the filter returned by this
function. If the return value of the function is other than DEM_FILTERED_OK
this parameter does not contain valid data.
RecordNumber
Freeze frame record number of the reported DTC. If the return value of the
function is other than DEM_FILTERED_OK this parameter does not contain
valid data.
Return code
Dem_ReturnGetNextFil DEM_FILTERED_OK: returned DTC number and RecordNumber are valid
teredElementType
DEM_FILTERED_NO_MATCHING_ELEMENT: no further matching records
are available
DEM_FILTERED_PENDING: not used
DEM_FILTERED_BUFFER_TOO_SMALL: not used
Functional Description
Gets the next freeze frame/ snapshot record number and its associated DTC stored in the event memory.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-42   Dem_DcmGetNextFilteredRecord()

2015, Vector Informatik GmbH
Version: 4.3.0
119 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.8
Dem_DcmGetStatusOfDTC()
Prototype
Dem_ReturnGetStatusOfDTCType Dem_DcmGetStatusOfDTC ( uint32 DTC,
Dem_DTCOriginType DTCOrigin, uint8* DTCStatus )
Parameter
DTC
Diagnostic Trouble Code in UDS format.
DTCOrigin
If the Dem supports more than one event memory this parameter is used to
select the source memory the DTCs shall be read from.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
DTCStatus
This parameter receives the status information of the requested DTC. If the
return value of the function call is other than DEM_STATUS_OK this
parameter does not contain valid data.
Return code
Dem_ReturnGetStatusO DEM_STATUS_OK: the requested status information was stored in
fDTCType
DTCStatus
DEM_STATUS_WRONG_DTC: DTC does not exist in DTCOrigin
DEM_STATUS_WRONG_DTCORIGIN: DTC origin does not exist
DEM_STATUS_FAILED: a generic error occurred
DEM_STATUS_PENDING: not used
Functional Description
Gets the current UDS status of a DTC.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-43   Dem_DcmGetStatusOfDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
120 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.9
Dem_DcmGetDTCStatusAvailabilityMask()
Prototype
Std_ReturnType Dem_DcmGetDTCStatusAvailabilityMask ( uint8* DTCStatusMask )
Parameter
DTCStatusMask
The value DTCStatusMask indicates the supported DTC status bits from the
Dem. All supported information is indicated by setting the corresponding
status bit to 1.
Return code
Std_ReturnType
E_OK: get of DTC status mask was successful
E_NOT_OK: get of DTC status mask failed
Functional Description
Gets the DTC status availability mask.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-44   Dem_DcmGetDTCStatusAvailabilityMask()

2015, Vector Informatik GmbH
Version: 4.3.0
121 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.10  Dem_DcmGetDTCByOccurrenceTime()
Prototype
Dem_ReturnGetDTCByOccurrenceTimeType Dem_DcmGetDTCByOccurrenceTime (
DTCRequestType DTCRequest, uint32* DTC )
Parameter
DTCRequest
This parameter defines the request type of the DTC.
DEM_FIRST_DET_CONFIRMED_DTC: first detected confirmed DTC
requested
DEM_MOST_RECENT_FAILED_DTC: most recent failed DTC requested
DEM_MOST_REC_DET_CONFIRMED_DTC: most recently detected
confirmed DTC requested
DEM_FIRST_FAILED_DTC: first failed DTC requested
DTC
Receives the DTC value in UDS format returned by the function. If the return
value of the function is other than DEM_OCCURR_OK this parameter does
not contain valid data.
Return code
Dem_ReturnGetDTCByOc DEM_OCCURR_NOT_AVAILABLE: no DTC is available for the given
currenceTimeType
DTCRequest
DEM_OCCURR_OK: the function returns a valid DTC
Functional Description
Gets the DTC by occurrence time.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-45   Dem_DcmGetDTCByOccurrenceTime()

2015, Vector Informatik GmbH
Version: 4.3.0
122 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.11  Dem_DcmGetTranslationType()
Prototype
Dem_DTCTranslationFormatType Dem_DcmGetTranslationType ( void )
Parameter
N/A
N/A
Return code
Dem_DTCTranslationFo Returns the configured DTC translation format. A combination of different DTC
rmatType
formats is not possible.
DEM_DTC_TRANSLATION_ISO15031_6: DTC is formatted according
ISO15031-6
DEM_DTC_TRANSLATION_ISO14229_1: DTC is formatted according
ISO14229-1
DEM_DTC_TRANSLATION_SAEJ1939_73: DTC is formatted according
SAE1939-73
DEM_DTC_TRANSLATION_ISO11992_4: DTC is formatted according
ISO11992-4
Functional Description
Gets the supported DTC formats of the ECU.
The supported formats are configured via DemTypeOfDTCSupported.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-46   Dem_DcmGetTranslationType()

2015, Vector Informatik GmbH
Version: 4.3.0
123 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.12  Dem_DcmGetSeverityOfDTC()
Prototype
Dem_ReturnGetSeverityOfDTCType Dem_DcmGetSeverityOfDTC ( uint32 DTC,
Dem_DTCSeverityType* DTCSeverity )
Parameter
DTC
Diagnostic Trouble Code in UDS format.
DTCSeverity
This parameter contains the DTCSeverityMask according to ISO14229-1.
Return code
Dem_ReturnGetSeverit DEM_GET_SEVERITYOFDTC_OK: the requested severity information was
yOfDTCType
stored in DTCSeverity
DEM_GET_SEVERITYOFDTC_WRONG_DTC: DTC does not exist in origin
primary memory
DEM_GET_SEVERITYOFDTC_NOSEVERITY: severities do not exist
DEM_GET_SEVERITYOFDTC_PENDING: not used
Functional Description
Gets the severity of the requested DTC.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-47   Dem_DcmGetSeverityOfDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
124 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.13  Dem_DcmGetFunctionalUnitOfDTC()
Prototype
Dem_ReturnGetFunctionalUnitOfDTCType Dem_DcmGetFunctionalUnitOfDTC ( uint32 DTC,
uint8* DTCFunctionalUnit )
Parameter
DTC
Diagnostic Trouble Code in UDS format.
DTCFunctionalUnit
Functional unit value of this DTC
Return code
Dem_ReturnGetFunctio DEM_GET_FUNCTIONALUNITOFDTC_OK: the requested functional unit
nalUnitOfDTCType
information was stored in DTCFunctionalUnit
DEM_GET_FUNCTIONALUNITOFDTC_WRONG_DTC: DTC does not exist
in origin primary memory
Functional Description
Gets the functional unit of the requested DTC.
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-48   Dem_DcmGetFunctionalUnitOfDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
125 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.14  Dem_DcmDisableDTCRecordUpdate()
Prototype
Dem_ReturnDisableDTCRecordUpdateType Dem_DcmDisableDTCRecordUpdate ( uint32 DTC,
Dem_DTCOriginType DTCOrigin )
Parameter
DTC
Selects the DTC in UDS format, for which DTC record update shall be
disabled.
DTCOrigin
If the Dem supports more than one event memory, this parameter is used to
select the source memory for which DTC record update shall be disabled.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
Return code
Dem_ReturnDisableDTC DEM_DISABLE_DTCRECUP_OK: entry is locked, read APIs may be called
RecordUpdateType
now
DEM_DISABLE_DTCRECUP_WRONG_DTC: the given DTC number is not
valid in the requested origin
DEM_DISABLE_DTCRECUP_WRONG_DTCORIGIN: the given origin is not
supported
DEM_DISABLE_DTCRECUP_PENDING: the request processing is pending,
call again
Functional Description
Disables the event memory update of a specific DTC (only one at a time) so it can be read out by the Dcm.
Particularities and Limitations
>  This function is not reentrant.
>  This function is asynchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-49   Dem_DcmDisableDTCRecordUpdate()

2015, Vector Informatik GmbH
Version: 4.3.0
126 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.15  Dem_DcmEnableDTCRecordUpdate()
Prototype
Std_ReturnType Dem_DcmEnableDTCRecordUpdate ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed
Functional Description
Enables the event memory update of the DTC disabled by Dem_DcmDisableDTCRecordUpdate() before.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-50   Dem_DcmEnableDTCRecordUpdate()

2015, Vector Informatik GmbH
Version: 4.3.0
127 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.16  Dem_DcmGetFreezeFrameDataByDTC()
Prototype
Dem_ReturnGetFreezeFrameDataByDTCType Dem_DcmGetFreezeFrameDataByDTC ( uint32
DTC, Dem_DTCOriginType DTCOrigin, uint8 RecordNumber, uint8* DestBuffer,
uint16* BufSize )
Parameter
DTC
Diagnostic Trouble Code in UDS format.
DTCOrigin
This parameter is used to select the source memory the DTCs shall be read
from.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
RecordNumber
This parameter is a unique identifier for a freeze frame record as defined in
ISO15031-5 and ISO14229-1.
The value 0xFF is not allowed.
The value 0x00 indicates the OBD freeze frame.
DestBuffer
This parameter contains a byte pointer that points to the buffer, to which the
freeze frame data record shall be written to.
The format is: {RecordNumber, NumOfDIDs, DID[1], data[1], …, DID[N],
data[N]}
BufSize
When the function is called this parameter contains the maximum number of
data bytes that can be written to the buffer.
The function returns the actual number of written data bytes in this parameter.
Return code
Dem_ReturnGetFreezeF DEM_GET_FFDATABYDTC_OK: data was found and returned
rameDataByDTCType
DEM_GET_FFDATABYDTC_WRONG_DTC: the requested DTC is not
available for the requested Origin
DEM_GET_FFDATABYDTC_WRONG_DTCORIGIN: the requested Origin is
not available
DEM_GET_FFDATABYDTC_WRONG_RECORDNUMBER: the requested
record is not available
DEM_GET_FFDATABYDTC_WRONG_BUFFERSIZE: the destination buffer is
too small
DEM_GET_FFDATABYDTC_PENDING: not used
Functional Description
Gets freeze frame/ snapshot record data by DTC. The function stores the data in the provided DestBuffer.
2015, Vector Informatik GmbH
Version: 4.3.0
128 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-51   Dem_DcmGetFreezeFrameDataByDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
129 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.17  Dem_DcmGetSizeOfFreezeFrameByDTC()
Prototype
Dem_ReturnGetSizeOfDataByDTCType Dem_DcmGetSizeOfFreezeFrameByDTC ( uint32 DTC,
Dem_DTCOriginType DTCOrigin, uint8 RecordNumber, uint16* SizeOfFreezeFrame )
Parameter
DTC
Diagnostic Trouble Code in UDS format.
DTCOrigin
If the Dem supports more than one event memory, this parameter is used to
select the source memory the DTCs shall be read from.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
RecordNumber
This parameter is a unique identifier for a freeze frame record as defined in
ISO 15031-5 and ISO 14229-1.
The value 0xFF requests the overall size.
SizeOfFreezeFrame
Number of bytes in the requested freeze frame record.
Return code
Dem_ReturnGetSizeOfD DEM_GETSIZEBYDTC_OK: data was found and returned
ataByDTCType
DEM_GETSIZEBYDTC_WRONG_DTC: the requested DTC is not available
for the requested Origin
DEM_GETSIZEBYDTC_WRONG_DTCORIGIN: the requested Origin is not
available
DEM_GETSIZEBYDTC_WRONG_RECNUM: the requested record is not
available
DEM_GETSIZEBYDTC_PENDING: not used
Functional Description
Get the size of a formatted snapshot record stored for a DTC.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-52   Dem_DcmGetSizeOfFreezeFrameByDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
130 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.18  Dem_DcmGetExtendedDataRecordByDTC()
Prototype
Dem_ReturnGetExtendedDataRecordByDTCType Dem_DcmGetExtendedDataRecordByDTC (
uint32 DTC, Dem_DTCOriginType DTCOrigin, uint8 ExtendedDataNumber, uint8*
DestBuffer, uint16* BufSize )
Parameter
DTC
Diagnostic Trouble Code in UDS format
DTCOrigin
This parameter is used to select the source memory the DTCs shall be read
from.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
ExtendedDataNumber
Identification of requested extended data record. The valid range is 0x01 …
0xEF. The values 0xFE and 0xFF are not allowed.
DestBuffer
This parameter contains a byte pointer that points to the buffer to which the
Extended Data shall be written.
BufSize
When the function is called this parameter contains the maximum number of
data bytes that can be written to the buffer.
The function returns the actual number of written data bytes in this parameter.
Return code
Dem_ReturnGetExtende DEM_RECORD_OK: data was found and returned
dDataRecordByDTCType  DEM_RECORD_WRONG_DTC: the requested DTC is not available for the
requested Origin
DEM_RECORD_WRONG_DTCORIGIN: the requested Origin is not available
DEM_RECORD_WRONG_NUMBER: the requested record is not available
DEM_RECORD_WRONG_BUFFERSIZE: the destination buffer is too small
DEM_RECORD_PENDING: not used by this implementation
Functional Description
Gets extended data by the given extended record number and DTC number. The function stores the data in
the provided DestBuffer.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-53   Dem_DcmGetExtendedDataRecordByDTC()
2015, Vector Informatik GmbH
Version: 4.3.0
131 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.19  Dem_DcmGetSizeOfExtendedDataRecordByDTC()
Prototype
Dem_ReturnGetSizeOfDataByDTCType Dem_DcmGetSizeOfExtendedDataRecordByDTC (
uint32 DTC, Dem_DTCOriginType DTCOrigin, uint8 ExtendedDataNumber, uint16*
SizeOfExtendedDataRecord )
Parameter
DTC
Diagnostic Trouble Code in UDS format.
DTCOrigin
If the Dem supports more than one event memory, this parameter is used to
select the source memory the DTCs shall be read from.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
DEM_DTC_ORIGIN_MIRROR_MEMORY: event information located in the
mirror memory
ExtendedDataNumber
Number of requested extended data record. The valid range is 0x01 … 0xEF.
For OBD the values 0xFE and 0xFF are allowed to request the overall size of
all OBD records.
SizeOfExtendedDataRe Receives the size of the requested data record
cord
Return code
Dem_ReturnGetSizeOfD DEM_GETSIZEBYDTC_OK: data was found and returned
ataByDTCType
DEM_GETSIZEBYDTC_WRONG_DTC: the requested DTC is not available
for the requested Origin
DEM_GETSIZEBYDTC_WRONG_DTCORIGIN: the requested Origin is not
available
DEM_GETSIZEBYDTC_WRONG_RECNUM: the requested record is not
available
DEM_GETSIZEBYDTC_PENDING: not used
Functional Description
Get the size of a formatted extended data record stored for a DTC.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-54   Dem_DcmGetSizeOfExtendedDataRecordByDTC()

2015, Vector Informatik GmbH
Version: 4.3.0
132 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.20 Dem_DcmClearDTC()
Prototype
Dem_ReturnClearDTCType Dem_DcmClearDTC ( uint32 DTC, Dem_DTCFormatType
DTCFormat, Dem_DTCOriginType DTCOrigin )
Parameter
DTC
Defines the DTC in respective format that shall be cleared from the event
memory. If the DTC fits to a DTC group number, all DTCs of the group shall be
cleared.
DTCFormat
Defines the input format of the provided DTC value.
DEM_DTC_FORMAT_UDS: clear UDS DTCs
DEM_DTC_FORMAT_OBD: clear OBD DTCs
DEM_DTC_FORMAT_J1939: not allowed
DTCOrigin
If the Dem supports more than one event memory, this parameter is used to
select the memory which shall be cleared.
DEM_DTC_ORIGIN_PRIMARY_MEMORY: event information located in the
primary memory
DEM_DTC_ORIGIN_SECONDARY_MEMORY: event information located in
the secondary memory
DEM_DTC_ORIGIN_PERMANENT_MEMORY: event information located in
the permanent memory
Return code
Dem_ReturnClearDTCTy DEM_CLEAR_OK: clearing is completed, the requested DTC(s) are reset
pe
DEM_CLEAR_WRONG_DTC: the requested DTC is not valid in the context of
DTCFormat and DTCOrigin
DEM_CLEAR_WRONG_DTCORIGIN: the requested DTC origin is not
available in the context of DTCFormat
DEM_CLEAR_FAILED: the clear operation could not be started
DEM_CLEAR_PENDING: the clear operation was started and is currently
processed to completion
DEM_CLEAR_BUSY: the clear operation is occupied from a different client
DEM_CLEAR_MEMORY_ERROR: (Since AR4.2.1) The clear operation has
completed in RAM, but synchronization to Nv-Ram has failed
Functional Description
Clears the stored event data from the event memory, resets the event status byte and de-bounce state.
There is a variety of configuration settings that further control the behavior of this function:
> see DemClearDTCBehavior to control what part of non-volatile write back must have completed before
this function returns DEM_CLEAR_OK
> Init monitor functions are called when an event is cleared, after clearing the event but before returning
OK to the tester
> If an event does not allow clearing (see CBClrEvt_<EventName>()), Init monitor callbacks are called
nonetheless.
Particularities and Limitations
> This function is reentrant.
> This function is asynchronous.
> Only available if ‘DemSupportDcm’ is set to enabled.
2015, Vector Informatik GmbH
Version: 4.3.0
133 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Expected Caller Context
>  This function can be called from any context.
Table 6-55   Dem_DcmClearDTC()
6.2.6.21  Dem_DcmDisableDTCSetting()
Prototype
Dem_ReturnControlDTCSettingType Dem_DcmDisableDTCSetting ( Dem_DTCGroupType
DTCGroup, Dem_DTCKindType DTCKind )
Parameter
DTCGroup
Defines the group of DTC that shall be disabled to store in event memory.
DEM_DTC_GROUP_ALL_DTCS: select all DTCs
DEM_DTC_GROUP_BODY_DTCS: not supported
DEM_DTC_GROUP_EMISSION_REL_DTCS: not supported
DEM_DTC_GROUP_CHASSIS_DTCS: select group of chassis DTCs
DEM_DTC_GROUP_NETWORK_COM_DTCS: select group of network
communication DTCs,
DEM_DTC_GROUP_POWERTRAIN_DTCS: select group of powertrain DTCs
DTCKind
This parameter defines the requested DTC kind, either only OBD-relevant
DTCs or all DTCs
DEM_DTC_KIND_ALL_DTCS: select all DTCs
DEM_DTC_KIND_EMISSION_REL_DTCS: not supported
Return code
Dem_ReturnControlDTC DEM_CONTROL_DTC_SETTING_N_OK:  the input parameters are not valid
SettingType
DEM_CONTROL_DTC_SETTING_OK: the DTCs setting is switched off
Functional Description
Disables the setting (including update) of the status bits of a DTC group.
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-56   Dem_DcmDisableDTCSetting()

2015, Vector Informatik GmbH
Version: 4.3.0
134 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.22  Dem_DcmEnableDTCSetting()
Prototype
Dem_ReturnControlDTCSettingType Dem_DcmEnableDTCSetting ( Dem_DTCGroupType
DTCGroup, Dem_DTCKindType DTCKind )
Parameter
DTCGroup
Defines the group of DTC that shall be enabled to store in event memory.
DEM_DTC_GROUP_BODY_DTCS: select group of body DTCs
DEM_DTC_GROUP_EMISSION_REL_DTCS: select group of OBD relevant
DTCs
DEM_DTC_GROUP_ALL_DTCS: select all DTCs
DTCKind
This parameter defines the requested DTC kind, either only OBD-relevant
DTCs or all DTCs
DEM_DTC_KIND_ALL_DTCS: select all DTCs
DEM_DTC_KIND_EMISSION_REL_DTCS: select OBD relevant DTCs
Return code
Dem_ReturnControlDTC DEM_CONTROL_DTC_SETTING_N_OK:  the input parameters are not valid
SettingType
DEM_CONTROL_DTC_SETTING_OK: the DTCs setting is switched on
Functional Description
Enables the DTC setting for a DTC group. Currently only group ALL_DTCS is supported.
Depending on configuration, enabling ControlDTCSetting can be deferred to the Dem task. As a result,
changes to control DTC setting can be lost if they toggle change faster than the cycle time of the Dem main
function. See chapter 3.7 for further details.

Caution
This API is defined as synchronous, so the Dcm will send a positive response before the DTC
  setting is in fact re-enabled. An API change is discussed in Autosar to alleviate this problem.

Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-57   Dem_DcmEnableDTCSetting()

2015, Vector Informatik GmbH
Version: 4.3.0
135 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.6.23  Dem_DcmCancelOperation()
Prototype
void Dem_DcmCancelOperation ( void )
Parameter
N/A
N/A
Return code
void
N/A
Functional Description
Cancel pending operation started from Dcm.
Supported for:
>  Dem_DcmClearDTC()
Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportDcm’ is set to enabled.
Expected Caller Context
>  This function can be called from any context.
Table 6-58   Dem_DcmCancelOperation()
2015, Vector Informatik GmbH
Version: 4.3.0
136 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7
Interface J1939Dcm

Note
Dependent on the licensed components of your delivery the interfaces listed in this
  chapter may not be available in DEM.

6.2.7.1
Dem_J1939DcmClearDTC()
Prototype
Dem_ReturnClearDTCType Dem_J1939DcmClearDTC ( Dem_J1939DcmSetClearFilterType
DTCTypeFilter, uint8 NodeAddress )
Parameter
DTCTypeFilter
DEM_J1939DTC_CLEAR_ALL: Clears all Active DTCs
DEM_J1939DTC_CLEAR_PREVIOUSLY_ACTIVE: Clears all previously
active DTCs
NodeAddress
The network management node ID to be cleared.
Return code
Dem_ReturnClearDTCTy DEM_CLEAR_OK: DTC successfully cleared
pe
DEM_CLEAR_WRONG_DTC: DTC value not existing (in this format)
DEM_CLEAR_WRONG_DTCORIGIN: Wrong DTC origin
DEM_CLEAR_FAILED: DTC clearing failed
DEM_CLEAR_PENDING: The DTC clearing is performed asynchronously and
is still pending. The caller can retry later
DEM_CLEAR_BUSY: DTC not cleared, as another clearing process is in
progress. The caller can retry later.
Functional Description
Clears the J1939 DTCs only
Particularities and Limitations
>  This function is not reentrant.
>  This function is asynchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-59   Dem_J1939DcmClearDTC()
2015, Vector Informatik GmbH
Version: 4.3.0
137 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.2
Dem_J1939DcmFirstDTCwithLampStatus()
Prototype
void Dem_J1939DcmFirstDTCwithLampStatus ( uint8 NodeAddress )
Parameter
NodeAddress
The network management node ID to be filtered.
Return code
void
N/A
Functional Description
Initializes the filter mechanism to the first event in the primary memory

Particularities and Limitations
>  This function is reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-60   Dem_J1939DcmFirstDTCwithLampStatus()
2015, Vector Informatik GmbH
Version: 4.3.0
138 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.3
Dem_J1939DcmGetNextDTCwithLampStatus ()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_J1939DcmGetNextDTCwithLampStatus  (
J1939DcmLampStatusType LampStatus, uint32 J1939DTC, uint8 OccurrenceCounter )
Parameter
LampStatus
DTC specific lamp status
J1939DTC
J1939 DTC number
OccurrenceCounter
The DTC specific occurrence counter
Return code
Dem_ReturnGetNext-
DEM_FILTERED_OK: Returned next filtered element
FilteredElementType  DEM_FILTERED_NO_MATCHING_ELEMENT: No further element (matching
the filter criteria) found
DEM_FILTERED_BUFFER_TOO_SMALL: not used
Functional Description
Gets the next filtered J1939 DTC for DM31 including current LampStatus

Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-61   Dem_J1939DcmGetNextDTCwithLampStatus ()
2015, Vector Informatik GmbH
Version: 4.3.0
139 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.4
Dem_J1939DcmGetNextFilteredDTC()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_J1939DcmGetNextFilteredDTC (uint32
J1939DTC, uint8 OccurenceCounter )
Parameter
J1939DTC
the J1939 DTC number
OccurenceCounter
the occurrence counter of the DTC
Return code
Dem_ReturnGetNext-
DEM_FILTERED_OK: Returned next filtered element
FilteredElementType  DEM_FILTERED_NO_MATCHING_ELEMENT: No further element (matching
the filter criteria) found
DEM_FILTERED_PENDING: The requested value is calculated
asynchronously and currently not available. The caller can retry later.
DEM_FILTERED_BUFFER_TOO_SMALL: not used
Functional Description
Provides the next DTC that matches the filter criteria.

Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-62   Dem_J1939DcmGetNextFilteredDTC()
2015, Vector Informatik GmbH
Version: 4.3.0
140 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.5
Dem_J1939DcmGetNextFreezeFrame()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_J1939DcmGetNextFreezeFrame ( uint32
J1939DTC, uint8 OccurrenceCounter , uint8 DestBuffer, uint8 BufSize )
Parameter
J1939DTC
J1939 DTC number
OccurrenceCounter
DTC specific occurrence counter
DestBuffer
Pointer to the buffer where the Freeze Frame data shall be copied to.
BufSize
in: size of the available buffer
out: number of bytes copied into the buffer
Return code
Dem_ReturnGetNext-
DEM_FILTERED_OK: Returned next filtered element
FilteredElementType  DEM_FILTERED_NO_MATCHING_ELEMENT: No further element (matching
the filter criteria) found
DEM_FILTERED_PENDING: The requested value is calculated
asynchronously and currently not available. The caller can retry later.
DEM_FILTERED_BUFFER_TOO_SMALL: Buffer in the BufSize parameter is
not huge enough
Functional Description
Returns the next J1939DTC and Freeze Frame matching the filter criteria

Particularities and Limitations
>  This function is not reentrant.
>  This function is asynchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-63   Dem_J1939DcmGetNextFreezeFrame()
2015, Vector Informatik GmbH
Version: 4.3.0
141 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.6
Dem_J1939DcmGetNextSPNInFreezeFrame()
Prototype
Dem_ReturnGetNextFilteredElementType Dem_J1939DcmGetNextSPNInFreezeFrame (
uint32 SPNSupported, uint8 SPNDataLength )
Parameter
SPNSupported
This parameter contains the next SPN in the ExpandedFreezeFrame
SPNDataLength
This parameter contains the corresponding data length of the SPN
Return code
Dem_ReturnGetNext-
DEM_FILTERED_OK: Returned next filtered element
FilteredElementType  DEM_FILTERED_NO_MATCHING_ELEMENT: No further element (matching
the filter criteria) found
DEM_FILTERED_PENDING: The requested value is calculated
asynchronously and currently not available. The caller can retry later.
DEM_FILTERED_BUFFER_TOO_SMALL: Buffer in the BufSize parameter is
not huge enough
Functional Description
Retruns the SPNs that are stored in the J1939 FreezeFrame(s)
This interface returns always DEM_FILTERED_NO_MATCHING_ELEMENT as the data is directly provided
from J1939DCM

Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-64   Dem_J1939DcmGetNextSPNInFreezeFrame()
2015, Vector Informatik GmbH
Version: 4.3.0
142 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.7
Dem_J1939DcmGetNumberOfFilteredDTC ()
Prototype
Dem_ReturnGetNumberOfFilteredDTCType  Dem_J1939DcmGetNumberOfFilteredDTC  (
uint16 NumberOfFilteredDTC )
Parameter
NumberOfFilteredDTC  number of DTCs matching the filter criteria
Return code
Dem_ReturnGetNumber- DEM_NUMBER_OK: A valid number was calculated
OfFilteredDTCType
DEM_NUMBER_FAILED: No valid number can be calculated
DEM_NUMBER_PENDING: not used
Functional Description
Gets the number of currently filtered DTCs set by the function Dem_J1939DcmSetDTCFilter().
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-65   Dem_J1939DcmGetNumberOfFilteredDTC ()
2015, Vector Informatik GmbH
Version: 4.3.0
143 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.8
Dem_J1939DcmSetDTCFilter()
Prototype
Dem_ReturnSetFilterType Dem_J1939DcmSetDTCFilter (
Dem_J1939DcmDTCStatusFilterType DTCStatusFilter, Dem_DTCKindType DTCKind, uint8
NodeAddress, Dem_J1939DcmLampStatusType LampStatus )
Parameter
DTCStatusFilter
DEM_J1939DTC_ACTIVE: Confirmed == 1 and TestFailed == 1
DEM_J1939DTC_PREVIOUSLY_ACTIVE: Confirmed == 1 and
TestFailed == 0
DEM_J1939DTC_PENDING: Pending == 1
DEM_J1939DTC_PERMANENT: not supported
DTCKind
DEM_DTC_KIND_ALL_DTCS: All DTCs
DEM_DTC_KIND_EMISSION_REL_DTCS: not supported
NodeAddress
The network management node ID to be filtered.
LampStatus
The ECU Lamp Status
HighByte
bits 7,6: Malfunction Indicator Lamp Status
bits 5,4: Red Stop Lamp Status
bits 3,2: Amber Warning Lamp Status
bits 1,0: Protect Lamp Status
LowByte
bits 7,6: Flash Malfunction Indicator Lamp
bits 5,4: Flash Red Stop Lamp
bits 3,2: Flash Amber Warning Lamp
bits 1,0: Flash Protect Lamp
Return code
Dem_ReturnSetFilterType
DEM_FILTER_ACCEPTED: Filter was accepted
DEM_WRONG_FILTER: Wrong filter selected
Functional Description
Sets the filter criteria for the J1939 DTC filter mechanism and returns the ECU lamp status.

Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-66   Dem_J1939DcmSetDTCFilter()
2015, Vector Informatik GmbH
Version: 4.3.0
144 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.2.7.9
Dem_J1939DcmSetFreezeFrameFilter()
Prototype
Dem_ReturnSetFilterType Dem_J1939DcmSetFreezeFrameFilter (
Dem_J1939DcmSetFreezeFrameFilterType FreezeFrameKind, uint8 NodeAddress )
Parameter
FreezeFrameKind
DEM_J1939DCM_FREEZEFRAME: Set the filter for J1939 Freeze Frame
data
DEM_J1939DCM_EXPANDED_FREEZEFRAME: Set the filter for J1939
Expanded Freeze Frame data
DEM_J1939DCM_SPNS_IN_EXPANDED_FREEZEFRAME: Not supported,
DM24 message is handled by J1939Dcm
NodeAddress
The network management node ID to be filtered.
Return code
Dem_ReturnSetFilterType  DEM_FILTER_ACCEPTED: Filter was accepted
DEM_WRONG_FILTER: Wrong filter selected
Functional Description
Sets the filter criteria for the consecutive calls of functions
>  - Dem_J1939DcmGetNextFreezeFrame()
>  - Dem_J1939DcmGetNextSPNInFreezeFrame()

Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
>  Only available if ‘DemSupportJ1939Dcm’ is set to enabled.
Table 6-67   Dem_J1939DcmSetFreezeFrameFilter()
2015, Vector Informatik GmbH
Version: 4.3.0
145 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.3
Services used by Dem
In the following table services provided by other components, which are used by the Dem
are listed. For details about prototype and functionality refer to the documentation of the
providing component.
Component
API
Det
optional Dem_ReportErrorStatus
FiM
optional FiM_DemTriggerOnEventStatus
Dlt
optional Dlt_DemTriggerOnEventStatus
EcuM
optional EcuM_BswErrorHook
NvM
optional NvM_GetErrorStatus
optional NvM_SetRamBlockStatus
optional NvM_WriteBlock
Dcm
optional Dcm_DemTriggerOnDTCStatus
J1939Dcm
optional J1939Dcm_DemTriggerOnDTCStatus
SchM
optional SchM_Enter_Dem_<ExclusiveArea>
optional SchM_Exit_Dem_<ExclusiveArea>
Table 6-68 Services used by the Dem
6.3.1
EcuM_BswErrorHook()
Prototype
void EcuM_BswErrorHook ( uint16 BswModuleId, uint8 ErrorId )
Parameter
BswModuleId
Autosar ModuleId. The Dem will pass DEM_MODULE_ID.
ErrorId
Error code detailing the error cause, see Table 5-5
Return code
-
-
Functional Description
This function is called to report defunct configuration data passed to Dem_PreInit.
The Dem will leave Dem_PreInit after a call to this function, without initializing. Further calls to the Dem
module are not safe.
Particularities and Limitations
> This function is called in error cases, when initializing only a Post-Build configurations
> It is not safe if this function returns to the caller, especially if development error detection is disabled by
configuration.
Call context
> This function is called from Dem_PreInit()
Table 6-69 EcuM_BswErrorHook()
2015, Vector Informatik GmbH
Version: 4.3.0
146 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.4
Callback Functions
This chapter describes the callback functions that are implemented by the Dem and can
be invoked by other modules. The prototypes of the callback functions are provided in the
header file Dem_Cbk.h by the Dem.
2015, Vector Informatik GmbH
Version: 4.3.0
147 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.4.1
Dem_NvM_JobFinished()
Prototype
Std_ReturnType Dem_NvM_JobFinished ( uint8 ServiceId, NvM_RequestResultType
JobResult )
Parameter
ServiceId
The ServiceId indicates which one of the asynchronous services triggered via
the operations of Interface NVM Service (Read/Write) the notification belongs
to.
The value is currently not used by the Dem.
JobResult
Provides the result of the asynchronous job.
NVM_REQ_OK: last asynchronous request has been finished successfully
NVM_REQ_NOT_OK: last asynchronous request has been finished
unsuccessfully
NVM_REQ_PENDING: not used in this context
NVM_REQ_INTEGRITY_FAILED: not used in this context
NVM_REQ_BLOCK_SKIPPED: not used in this context
NVM_REQ_NV_INVALIDATED: not used in this context
Return code
Std_ReturnType
E_OK: is always returned

Functional Description
Is triggered from NVM to notify that the requested job which is processed asynchronous has been finished.
Particularities and Limitations
>  This function is reentrant.
>  This function is asynchronous.
>  Must be configured for every Dem related NVRAM block
Expected Caller Context
>  This function can be called from any context.
Table 6-70   Dem_NvM_JobFinished()
2015, Vector Informatik GmbH
Version: 4.3.0
148 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.4.2
Dem_NvM_InitAdminData()
Prototype
Std_ReturnType Dem_NvM_InitAdminData ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
E_OK: is always returned
Functional Description
Initialize NvBlock for administrative data.
This function is supposed to be called by the NVM in order to (re)initialize the data in case the non-volatile
memory has never been stored, or was corrupted (see NvMBlockDescriptor/NvMInitBlockCallback). It can
also be used to force a reinitialization of the Dem data triggered by the application (e.g. after a new
software version has been flashed to the ECU). In the latter case, make sure the function is not called in a
context with active Dem!
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-71   Dem_NvM_InitAdminData()
2015, Vector Informatik GmbH
Version: 4.3.0
149 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.4.3
Dem_NvM_InitStatusData()
Prototype
Std_ReturnType Dem_NvM_InitStatusData ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
E_OK: is always returned
Functional Description
Initialize NvBlock for event status data.
This function is supposed to be called by the NVM in order to (re)initialize the data in case the non-volatile
memory has never been stored, or was corrupted (see NvMBlockDescriptor/NvMInitBlockCallback).
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-72   Dem_NvM_InitStatusData()
2015, Vector Informatik GmbH
Version: 4.3.0
150 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.4.4
Dem_NvM_InitDebounceData()
Prototype
Std_ReturnType Dem_NvM_InitDebounceData ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
E_OK: is always returned
Functional Description
Initialize NvBlock for event de-bounce data.
This function is supposed to be called by the NVM in order to (re)initialize the data in case the non-volatile
memory has never been stored, or was corrupted (see NvMBlockDescriptor/NvMInitBlockCallback).
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-73   Dem_NvM_InitDebounceData()
2015, Vector Informatik GmbH
Version: 4.3.0
151 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.4.5
Dem_NvM_InitEventAvailableData()
Prototype
Std_ReturnType Dem_NvM_InitEventAvailableData ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
E_OK: is always returned
Functional Description
Initialize NvBlock for event availability data.
This function is supposed to be called by the NVM in order to (re)initialize the data in case the non-volatile
memory has never been stored, or was corrupted (see NvMBlockDescriptor/NvMInitBlockCallback).
Particularities and Limitations
>  This function is not reentrant.
>  This function is synchronous.
Expected Caller Context
>  This function can be called from any context.
Table 6-74   Dem_NvM_InitEventAvailableData()
2015, Vector Informatik GmbH
Version: 4.3.0
152 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5
Configurable Interfaces
6.5.1
Callouts
At its configurable interfaces the Dem defines callouts that can be mapped to callback
functions provided by other modules. The mapping is not statically defined by the Dem but
can be performed at configuration time. The function prototypes that can be used for the
configuration have to match the appropriate function prototype signatures, which are
described in the following sub-chapters.

6.5.1.1
CBClrEvt_<EventName>()
Prototype
Std_ReturnType CBClrEvt_<EventName> ( Boolean* Allowed )
Parameter
Allowed
True – clearance of event is allowed
False – clearance of event is not allowed
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed

Functional Description
Is triggered on DTC deletion to request the permission if the event may be cleared or not.
If the return value of the function call is other than E_OK the Dem clears the event for security reasons
without checking the Allowed value.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
Call Context
> This function is called from task context.
Table 6-75 CBClrEvt_<EventName>()
2015, Vector Informatik GmbH
Version: 4.3.0
153 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5.1.2
CBDataEvt_<EventName>()
Prototype
Std_ReturnType CBDataEvt_<EventName> ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
Return value unused
Functional Description
Is triggered on changes of the event related data in the event memory.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
> This function signature deviates from [1] to match the Rte_Call signature.
Call Context
> This function is called from task context.
Table 6-76 CBDataEvt_<EventName>()
2015, Vector Informatik GmbH
Version: 4.3.0
154 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5.1.3
CBFaultDetectCtr_<EventName>()
Prototype
Std_ReturnType CBFaultDetectCtr_<EventName> ( sint8* FaultDetectionCounter )
Parameter
FaultDetectionCounter This parameter receives the fault detection counter information (according
ISO 14229-1) of the requested EventId. If the return value of the function call
is other than E_OK this parameter does not contain valid data.

-128dec…127dec PASSED…FAILED according to [7]

Return code
Std_ReturnType
E_OK: request was successful
E_NOT_OK: request failed

Functional Description
Gets the current fault detection counter value for the requested monitor-internal de-bouncing event.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
Call Context
> This function is called from APIs with unrestricted call context.
Table 6-77 CBFaultDetectCtr_<EventName>()
2015, Vector Informatik GmbH
Version: 4.3.0
155 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5.1.4
CBInitEvt_<EventName>()
Prototype
Std_ReturnType CBInitEvt_<EventName> ( Dem_InitMonitorReasonType
InitMonitorReason )
Parameter
InitMonitorReason
Specific (re-)initialization reason evaluated from the monitor to identify the
initialization kind to be performed.
DEM_INIT_MONITOR_CLEAR: Monitor of the EventId is cleared and all
internal values and states are reset
DEM_INIT_MONITOR_RESTART: Monitor of the EventId is requested to
restart

Return code
Std_ReturnType
Return value is unused.
Functional Description
(Re-)initializes the diagnostic monitor of a specific event.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
Call Context
> This function is called from task context.
Table 6-78 CBInitEvt_<EventName>()
6.5.1.5
CBInitFct_<N>()
Prototype
Std_ReturnType CBInitFct_<N> ( void )
Parameter
N/A
N/A
Return code
Std_ReturnType
Return value unused
Functional Description
Resets the diagnostic monitor of a specific function.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
Call Context
> This function is called from task context.
Table 6-79 CBInitFct_<N>()
2015, Vector Informatik GmbH
Version: 4.3.0
156 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5.1.6
CBReadData_<SyncDataElement>()
Prototype
Standard API
Std_ReturnType CBReadData_<SyncDataElement> ( uint8*
Buffer )
API with Event Id
Std_ReturnType CBReadData_<SyncDataElement> (
Dem_EventIdType EventId, uint8* Buffer )
Parameter
Buffer
Buffer containing the value of the data element.
EventId
The EventId which has caused the trigger.
Return code
Std_ReturnType
E_OK: Operation was successful
E_NOT_OK: Operation failed
Functional Description
Requests the current value of the data element for freeze frame or extended data storage.
If the callback returns E_NOT_OK, the data is substituted by a pattern of 0xFF
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
Call Context
> This function is called from task context.
Table 6-80 CBReadData_<SyncDataElement>()
2015, Vector Informatik GmbH
Version: 4.3.0
157 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5.1.7
CBStatusDTC_<N>()
Prototype
Std_ReturnType CBStatusDTC_<N> ( uint32 DTC, uint8 DTCStatusOld, uint8
DTCStatusNew )
Parameter
DTC
Diagnostic Trouble Code in UDS format.
DTCStatusOld
DTC status ANDed with DTCStatusAvailabilityMask before change.
DTCStatusNew
DTC status ANDed with DTCStatusAvailabilityMask after change
Return code
Std_ReturnType
Return value unused
Functional Description
Is triggered on changes of the UDS DTC status byte. The trigger will not occur for changed status bits
which are disabled by the DTCStatusAvailabilityMask.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
Call Context
> This function is called from APIs with unrestricted call context.
Table 6-81 CBStatusDTC_<N>()
2015, Vector Informatik GmbH
Version: 4.3.0
158 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5.1.8
CBStatusJ1939DTC_<N>()
Prototype
Std_ReturnType CBStatusJ1939DTC_<N> ( uint32 DTC, uint8 DTCStatusOld, uint8
DTCStatusNew )
Parameter
DTC
Diagnostic Trouble Code in J1939 format.
DTCStatusOld
DTC status ANDed with DTCStatusAvailabilityMask before change.
DTCStatusNew
DTC status ANDed with DTCStatusAvailabilityMask after change
Return code
Std_ReturnType
Return value unused
Functional Description
Is triggered on changes of the J1939 DTC status byte. The trigger will not occur for changed status bits
which are disabled by the DTCStatusAvailabilityMask.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
Call Context
> This function is called from APIs with unrestricted call context.
Table 6-82 CBStatusJ1939DTC_<N>()
6.5.1.9
CBStatusEvt_<EventName>_<N>()
Prototype
Std_ReturnType CBStatusEvt_<EventName>_<N> ( Dem_EventStatusExtendedType
EventStatusOld, Dem_EventStatusExtendedType EventStatusNew )
Parameter
EventStatusOld
UDS status byte of event before change.
EventStatusNew
UDS status byte of event after change.
Return code
Std_ReturnType
Return value unused
Functional Description
Triggers on changes of the status byte for the related EventId.
Particularities and Limitations
> This function shall be reentrant.
> This function shall be synchronous.
> This function signature deviates from [1] to match the Rte_Call signature.
Call Context
> This function is called from APIs with unrestricted call context.
Table 6-83 CBStatusEvt_<EventName>_<N>()
2015, Vector Informatik GmbH
Version: 4.3.0
159 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.5.1.10  GeneralCBDataEvt()
Prototype
Std_ReturnType GeneralCBDataEvt ( Dem_EventIdType EventId )
Parameter
EventId
The EventId which has caused the trigger
Return code
Std_ReturnType
Return value unused
Functional Description
Is triggered on changes of the event related data in the event memory.
Particularities and Limitations
>  This function shall be reentrant.
>  This function shall be synchronous.
>  This function signature deviates from [1] to match the Rte_Call signature.
Call Context
>  This function is called from task context.
Table 6-84   GeneralCBDataEvt()
6.5.1.11  GeneralCBStatusEvt()
Prototype
Std_ReturnType GeneralCBStatusEvt ( Dem_EventIdType EventId,
Dem_EventStatusExtendedType EventStatusOld, Dem_EventStatusExtendedType
EventStatusNew )
Parameter
EventId
The EventId which has caused the trigger.
EventStatusOld
UDS status byte of event before change.
EventStatusNew
UDS status byte of event after change.
Return code
Std_ReturnType
Return value unused
Functional Description
Triggers on changes of the status byte for the related EventId.
Particularities and Limitations
>  This function shall be reentrant.
>  This function shall be synchronous.
>  This function signature deviates from [1] to match the Rte_Call signature.
Call Context
>  This function is called from APIs with unrestricted call context.
Table 6-85   GeneralCBStatusEvt()
2015, Vector Informatik GmbH
Version: 4.3.0
160 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.6
Service Ports
6.6.1
Client Server Interface
A client server interface is related to a Provide Port at the server side and a Require Port
at client side.
6.6.1.1
Provide Ports on Dem Side
At  the  Provide  Ports  of  the  Dem  the  API  functions  described  in  6.2  are  available  as
Runnable Entities. The Runnable Entities are invoked via Operations. The mapping from a
SWC client call to an Operation is performed by the RTE. In this mapping the RTE adds
Port Defined Argument Values to the client call of the SWC, if configured.
The  following  sub-chapters  present  the  Provide  Ports  defined  for  the  Dem  and  the
Operations defined for the Provide Ports, the API functions related to the Operations and
the Port Defined Argument Values to be added by the RTE.
6.6.1.1.1
DiagnosticMonitor
Port Defined Argument: Dem_EventIdType EventId
Operation
API Function
Arguments
SetEventStatus
Dem_SetEventStatus
IN Dem_EventStatusType
EventStatus,
ERR{E_NOT_OK}
ResetEventStatus
Dem_ResetEventStatus
ERR{E_NOT_OK}
PrestoreFreezeFrame
Dem_PrestoreFreezeFrame
ERR{E_NOT_OK}
ClearPrestoredFreezeFrame
Dem_ClearPrestoredFreezeFrame  ERR{E_NOT_OK}
Table 6-86   DiagnosticMonitor
6.6.1.1.2
DiagnosticInfo and GeneralDiagnosticInfo
DiagnosticInfo has Port Defined Argument: Dem_EventIdType EventId
Operation
API Function
Arguments
GetEventStatus
Dem_GetEventStatus
OUT Dem_EventStatusExtendedType
EventStatusExtended,
ERR{E_NOT_OK}
GetEventFailed
Dem_GetEventFailed
OUT boolean EventFailed,
ERR{E_NOT_OK}
GetEventTested
Dem_GetEventTested
OUT boolean EventTested,
ERR{E_NOT_OK}
GetDTCOfEvent
Dem_GetDTCOfEvent
IN Dem_DTCFormatType DTCFormat,
OUT uint32 DTCOfEvent,
ERR{E_NOT_OK,
DEM_E_NO_DTC_AVAILABLE}
GetFaultDetectionCounter
Dem_
OUT sint8 FaultDetectionCounter,
GetFaultDetectionCounter
ERR{E_NOT_OK,
DEM_E_NO_FDC_AVAILABLE}
2015, Vector Informatik GmbH
Version: 4.3.0
161 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Operation
API Function
Arguments
GetEventEnableCondition
Dem_
OUT boolean ConditionFullfilled
GetEventEnableCondition
ERR{E_NOT_OK}
GetEventFreezeFrameData
Dem_
IN uint8 RecordNumber,
GetEventFreezeFrameData
IN boolean ReportTotalRecord,
IN uint16 DataId,
OUT Dem_MaxDataValueType
DestBuffer,
ERR{DEM_E_NODATAAVAILABLE,
DEM_E_WRONG_RECORDNUMBER}
GetEventExtendedDataRecord
Dem_
IN uint8 RecordNumber,
GetEventExtendedDataRecor OUT Dem_MaxDataValueType
d
DestBuffer,
ERR{DEM_E_NODATAAVAILABLE,
DEM_E_WRONG_RECORDNUMBER}
Table 6-87   DiagnosticInfo and GeneralDiagnosticInfo
6.6.1.1.3
OperationCycle
Port Defined Argument: uint8 OperationCycleId
Operation
API Function
Arguments
SetOperationCycleState
Dem_SetOperationCycleState
IN Dem_OperationCycleStateType
CycleState,
ERR{E_NOT_OK}
Table 6-88   OperationCycle
6.6.1.1.4
AgingCycle
Not supported
6.6.1.1.5
ExternalAgingCycle
Not supported
6.6.1.1.6
EnableCondition
Port Defined Argument: uint8 EnableConditionId
Operation
API Function
Arguments
SetEnableCondition
Dem_SetEnableCondition
IN boolean ConditionFulfilled,
ERR{E_NOT_OK}
Table 6-89   EnableCondition
6.6.1.1.7
StorageCondition
Port Defined Argument: uint8 StorageConditionId
2015, Vector Informatik GmbH
Version: 4.3.0
162 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Operation
API Function
Arguments
SetStorageCondition
Dem_SetStorageCondition
IN boolean ConditionFulfilled,
ERR{E_NOT_OK}
Table 6-90   StorageCondition
6.6.1.1.8
IndicatorStatus
Port Defined Argument: uint8 IndicatorStatus
Operation
API Function
Arguments
GetIndicatorStatus
Dem_GetIndicatorStatus
OUT Dem_IndicatorStatusType
IndicatorStatus,
ERR{E_NOT_OK}
Table 6-91   IndicatorStatus
6.6.1.1.9
EventStatus
Port Defined Argument: Dem_EventIdType EventId
Operation
API Function
Arguments
SetWIRStatus
Dem_SetWIRStatus
IN boolean WIRStatus,
ERR{E_NOT_OK}
GetWIRStatus
Dem_GetWIRStatus
OUT boolean WIRStatus,
ERR{E_NOT_OK}
Table 6-92   EventStatus
6.6.1.1.10  EvMemOverflowIndication
Port Defined Argument: Dem_DTCOriginType DTCOrigin
Operation
API Function
Arguments
GetEventMemoryOverflow
Dem_
OUT boolean OverflowIndication,
GetEventMemoryOverflow
ERR{E_NOT_OK}
Table 6-93   EvMemOverflowIndication
6.6.1.1.11  DTCSuppression
Operation
API Function
Arguments
SetDTCSuppression
Dem_
IN uint32 DTC,
SetDTCSuppression
IN Dem_DTCFormatType
DTCFormat,
IN boolean SuppressionStatus
ERR{E_NOT_OK}
Table 6-94   DTCSuppression
2015, Vector Informatik GmbH
Version: 4.3.0
163 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.6.1.1.12  EventSuppression
Operation
API Function
Arguments
SetEventSuppression
Dem_
IN Dem_EventIdType EventId,
SetEventSuppression
IN boolean SuppressionStatus
ERR{E_NOT_OK}
Table 6-95   EventSuppression
6.6.1.1.13  DemServices
Operation
API Function
Arguments
GetDtcStatusAvailabilityMask
Dem_
OUT uint8 DTCStatusMask,
GetDtcStatusAvailabilityMask
ERR{E_NOT_OK}
GetPostRunRequested
Dem_
OUT boolean isRequested
GetPostRunRequested
ERR{E_NOT_OK}
SynchronizeNvData
Dem_
ERR{E_NOT_OK}
RequestNvSynchronization
Table 6-96   DemServices
6.6.1.1.14  DcmIf
The DcmIf PortInterface is a special case not intended to be used by application software.
Instead, this interface is a means to establish the call contexts for application notification
callbacks  that  are  the  result  of  function  calls  to  the  Dem  by  the  Dcm.  The  interface
description is omitted intentionally for this reason.
6.6.1.1.15  CddIf
Operation
API Function
Arguments
ClearDTC
Dem_
IN uint32 DTC,
ClearDTC
IN Dem_DTCFormatType DTCFormat
IN Dem_DTCOriginType DTCOrigin
ERR{DEM_CLEAR_WRONG_DTC,
DEM_CLEAR_WRONG_DTCORIGIN,
DEM_CLEAR_FAILED,
DEM_CLEAR_PENDING,
DEM_CLEAR_BUSY }

6.6.1.2
Require Ports on Dem Side
At its Require Ports the Dem calls Operations. These Operations have to be provided by
the  SWCs  by  means  of  Runnable  Entities.  These  Runnable  Entities  implement  the
callback functions expected by the Dem.
The following sub-chapters present the Require Ports defined for the Dem, the Operations
that are called from the Dem and the related Callouts, which are described in chapter 6.5.

2015, Vector Informatik GmbH
Version: 4.3.0
164 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)

Note
If following interfaces are used as port interfaces without RTE, the function prefix
 Rte_Call will be replaced by the prefix Appl_Dem.

6.6.1.2.1
CBInitEvt_<EventName>
Operation
Callout
InitMonitorForEvent
Rte_Call_ CBInitEvt_<EventName>_InitMonitorForEvent
Table 6-97 CBInitEvt_<EventName>
6.6.1.2.2
CBInitFct_<N>
Operation
Callout
InitMonitorForFunction
Rte_Call_ CBInitFct_<N> _InitMonitorForFunction
Table 6-98 CBInitFct_<N>
6.6.1.2.3
CBStatusEvt_<EventName>_<N>
Operation
Callout
EventStatusChanged
Rte_Call_ CBStatusEvt_<EventName>_<N> _EventStatusChanged
Table 6-99 CBStatusEvt_<EventName>_<N>
6.6.1.2.4
GeneralCBStatusEvt
Operation
Callout
EventStatusChanged
Rte_Call_ GeneralCBStatusEvt _EventStatusChanged
Table 6-100 GeneralCBStatusEvt
6.6.1.2.5
CBStatusDTC_<N>
Operation
Callout
DTCStatusChanged
Rte_Call_ CBStatusDTC_<N>_DTCStatusChanged
Table 6-101 CBStatusDTC_<N>
6.6.1.2.6
CBDataEvt_<EventName>
Operation
Callout
EventDataChanged
Rte_Call_ CBDataEvt_<EventName>_EventDataChanged
Table 6-102 CBDataEvt_<EventName>
2015, Vector Informatik GmbH
Version: 4.3.0
165 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
6.6.1.2.7
GeneralCBDataEvt
Operation
Callout
EventDataChanged
Rte_Call_ GeneralCBDataEvt _EventDataChanged
Table 6-103 GeneralCBDataEvt
6.6.1.2.8
CBClrEvt_<EventName>
Operation
Callout
ClearEventAllowed
Rte_Call_ CBClrEvt_<EventName>_ClearEventAllowed
Table 6-104 CBClrEvt_<EventName>
6.6.1.2.9
CBReadData_<SyncDataElement>
Operation
Callout
ReadData
Rte_Call_ CBReadData_<SyncDataElement> _ReadData
Table 6-105 CBReadData_<SyncDataElement>
6.6.1.2.10 CBFaultDetectCtr_<EventName>
Operation
Callout
GetFaultDetectionCounter
Rte_Call_ CBFaultDetectCtr_<EventName>
_GetFaultDetectionCounter
Table 6-106 CBFaultDetectCtr_<EventName>
6.6.1.2.11 CBCtrlDtcSetting
Operation
Callout
ControlDTCSettingChanged
Rte_Call_CBCControlDTCSetting_ControlDTCSettingChanged
Table 6-107 CBCtrlDtcSetting
6.7
Not Supported APIs
Operation
Dem_DcmGetOBDFreezeFrameData()
Dem_SetOperationCycleCntValue()
Dem_SetAgingCycleState()
Dem_SetAgingCycleCounterValue()
Dem_DltGetMostRecentFreezeFrameRecordData()
Dem_DltGetAllExtendedDataRecords()
Dem_SetEventDisabled()
2015, Vector Informatik GmbH
Version: 4.3.0
166 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Operation
Dem_RepIUMPRFaultDetect()
Dem_RepIUMPRDenLock()
Dem_RepIUMPRDenRelease()
Dem_DcmGetInfoTypeValue08()
Dem_DcmGetInfoTypeValue0B()
Dem_DcmReadDataOfPID01()
Dem_DcmReadDataOfPID1C()
Dem_DcmReadDataOfPID21()
Dem_DcmReadDataOfPID30()
Dem_DcmReadDataOfPID31()
Dem_DcmReadDataOfPID41()
Dem_DcmReadDataOfPID4D()
Dem_DcmReadDataOfPID4E()
Dem_DcmReadDataOfOBDFreezeFrame()
Dem_DcmGetDTCOfOBDFreezeFrame()
Dem_SetPtoStatus()
Table 6-108 Not Supported APIs
2015, Vector Informatik GmbH
Version: 4.3.0
167 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
7  Configuration
In the Dem the attributes can be configured with the following tools:
>  Configuration in GCE
>  Configuration in DaVinci Configurator
The configuration of post-build is described in [8] and [9].
7.1
Configuration Variants
The Dem supports the configuration variants
>  VARIANT-PRE-COMPILE
>  VARIANT-POST-BUILD-LOADABLE
>  VARIANT-POST-BUILD-SELECTABLE
The configuration classes of the Dem parameters depend on the supported configuration
variants. For their definitions please see the Dem_bswmd.arxml file.
7.2
Configurable Attributes
The description of each configurable option is described within the Dem_bswmd.arxml file.
You  can  use  the  online  help  of  DaVinci  Configurator  5  to  access  these  parameter
descriptions comfortably.
7.3
Configuration of Post-Build Loadable
This component uses a static RAM management which differs from the concept described
in the mentioned post-build documentation.
Since  all  RAM  buffers  scale  with  the  number  of  configured  events,  and  the  number  of
events  cannot  be  changed  during  post-build  time,  we  see  no  need  for  dynamic  RAM
management.
The NV-Ram required is however also not covered by dynamic RAM management. NvM
cannot  change  its  memory  allocation,  so  this  is  a  restriction  by  necessity.  In  post-build
configurations,  the  Dem  can  reserve  some  NV  memory  for  snapshot  data  storage  using
parameter /DemGeneral/DemPostbuild/DemMaxSizeFreezeFrame.
It is mainly used to verify that configuration changes do not increase the required NV Ram
beyond the available amount. You can however increase its value if you need flexibility to
add DIDs to existing snapshot records.

Caution
The reserved NV Ram size cannot be reduced during post-build. Be aware of the
  additional wear on the Flash memory if FEE is used to back the Dem NV data.

2015, Vector Informatik GmbH
Version: 4.3.0
168 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
7.3.1
Supported Variance
Since much of the configuration of Dem can result in API changes, some restrictions apply
regarding which features and configuration elements can be modified after linking.
E.g.,  there  is  no  sensible  way  to  introduce  (and  implement)  additional  application
callbacks. All code has to be already present in the ECU; service ports must be connected
via  RTE. Also, it’s not generally possible to add arbitrary data to the NV data structures,
whose block sizes are static as well.
Generally,  Post-Build  Loadable  for  the  Dem  module  supports  modifying  an  existing
configuration, but not changing it structurally. The exhaustive list of parameters that can be
modified using Post-Build Loadable is documented in the Dem parameter description file
(BSWMD file). This list is only intended as short outline.
>  DTC numbers
>  De-bouncing parameters
>  Step sizes and thresholds
>  Qualification time
>  DTC operation cycle
>  DID numbers
>  DIDs contained in snapshots
>  Restricted by the amount of reserved NV data

2015, Vector Informatik GmbH
Version: 4.3.0
169 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
8 AUTOSAR Standard Compliance
8.1
Deviations
Deviation
Comment
DemGetNextFilteredDTCAndFDC() If monitor internal de-bouncing is used the Dem
requests the application for the fault detection counter.
To implement the necessary call sequence definition,
the Dem provides this interface as part of PortInterface
DcmIf.
Dem_EnableDTCSetting()
This API can cause init monitor notifications if it ends a
DTC disabled state. To implement the necessary call
sequence definition, the Dem provides this interface as
part of PortInterface DcmIf.
Depending on the configuration, it requires a Dem task
for this API to take effect.
Dem_J1939DcmGetNextSPNIn
The interface is not supported and therefore will
FreezeFrame()
always return.
DEM_FILTERED_NO_MATCHING_ELEMENT. The
intended functionality is implemented in the Vector
J1939Dcm.
Operation cycle handling
Only the Operation Cycle using the ‘Autostart’ option is
considered active before initialization. This is different
from the Autosar standard, which defines to set all
cycles to active, and undo the effects for cycles not
started at initialization time.
TimeBased Debouncing
Qualified reports are handled asynchronously, for all
event status bits.
CBStatusEvt
and
CBtDataEvt The signature of these callbacks is expected to match
Notification signature
Rte_Call (see chapter 6.5.1 Callouts). Notifications
with return type ‘void’ are not possible.
Table 8-1 Deviations
8.2
Additions/ Extensions
Extension
Comment
Dem_InitMemory()
see 6.2.3.3
Dem_PostRunRequested()
see 6.2.4.21
Dem_GetEventEnableCondition()
see 6.2.4.18
Extension of
see 6.5.1.6
CBReadData_<SyncDataElement>()
Table 8-2 Extensions
2015, Vector Informatik GmbH
Version: 4.3.0
170 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
8.3
Limitations
Limitation
Comment
Enable Conditions
Maximum number of Enable Conditions is limited to 31 for efficiency
reasons.
Storage Conditions
Maximum number of Storage Conditions is limited to 32 for efficiency
reasons.
Operation Cycles
Maximum number of Operation Cycles is limited to 16 for efficiency
reasons.
Aging Threshold
Maximum possible aging cycles are limited to 255 (from 256) for
efficiency reasons.
ControlDTCSetting
The service is limited to DTC Group
DEM_DTC_GROUP_ALL_DTCS and DTC Kind
DEM_DTC_KIND_ALL_DTCS.
Non-Volatile storage
Configuration option DemStatusBitStorageTestFailed == false will
reset the Test Failed bit during initialization, but it will be stored in
NVRAM anyways.
DemGroupOfDTC
Configuration of DTC groups is limited to 4. These are intended to be
used to support the Powertrain, Body, Chassis and Network
groupings defined by ISO 15031-6.
Different definitions may not work as intended.
Extended Data Record
Interface Dem_GetEventExtendedDataRecord() will return
E_NOT_OK if requested record number is equal to 0xFE or 0xFF.
Snapshot Record/ Freeze  Interface Dem_GetEventFreezeFrameData() will return the most
Frame
recent record only if the records are configured as “calculated”.
Interface Dem_GetEventFreezeFrameData() will return
E_NOT_OK if the records are configured as “Configured” and the
requested record is 0xFF.
Internal Data Elements
The internal data elements which can be mapped into an extended
data or snapshot record will always have their current internal values
at the time the data is read out.
This will not apply to the following elements as they are static
configuration elements: Significance, Priority, OBD DTC, root cause
Event Id
J1939 DTC
If the DTC class has configured a J1939 DTC then an UDS DTC
must be also available.
J1939NmNodes
Maximum number of different nodes is limited to 255 (from 256) for
efficiency reasons.
J1939 Indicators
An event is only allowed to support one J1939 related indicators
(RSL, AWL, PL). The MIL indicator is not supported.
J1939 Freeze Frame and  Only one global defined J1939 Freeze Frame and one global J1939
Expanded Freeze Frame  Expanded Freeze Frame is supported.
De-bounce counter
This feature is limited to counter based de-bounced events only.
storage in NVRAM
BSW events which are reported before initialization of DEM
(Dem_Init()) must not use this feature.
DTC suppression
DEM_DTC_FORMAT_OBD is not supported for function
Dem_SetDTCSuppression()
2015, Vector Informatik GmbH
Version: 4.3.0
171 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
Table 8-3
Limitations
8.4
Not Supported Service Interfaces
The following table contains service interfaces which are not supported from Dem.
Port
Operation(s)
DiagnosticMonitor
SetEventDisable
AgingCycle
SetAgingCycleState
ExternalAgingCycle
SetAgingCycleCounterValue
PowerTakeOff
SetPtoStatus
DataServices<SyncDataElement>
ReadData  Sender/Receiver
Table 8-4 Service Interfaces which are not supported

2015, Vector Informatik GmbH
Version: 4.3.0
172 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
9  Glossary and Abbreviations
9.1
Glossary
Term
Description
Configurator 5
Configuration and code generation tool for MICROSAR components
Combined Event
The combination of multiple events into a combined status.
Warning Indicator
The warning indicator managed by the Dem only provides the information
that the related indicator (e.g. lamp in the dashboard) shall be requested,
the de-/activation must be handled by the application or a different ECU.
Each event that currently requests an indicator will have set the warning
indicator requested bit in the status byte.
Table 9-1   Glossary
9.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
AWL
Amber Warning Lamp
BSW
Basic Software
Cfg5
Configurator 5
CPU
Central Processing Unit
Dcm
Diagnostic Communication Manager
DCY
Driving Cycle
Dem
Diagnostic Event Manager
Det
Development Error Tracer
Dlt
Diagnostic Log and Trace
DTC
Diagnostic Trouble Code
EAD
Embedded Architecture Designer
ECU
Electronic Control Unit
EcuM
Ecu Manager
EEPROM
Electrically Erasable Programmable Read-Only Memory
FDC
Fault Detection Counter
FEE
Flash EEPROM Emulation
GCE
Generic Content Editor
HIS
Hersteller Initiative Software
ID
Identification
ISR
Interrupt Service Routine
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
2015, Vector Informatik GmbH
Version: 4.3.0
173 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
MIL
Malfunction Indicator Lamp
NVRAM
Non-volatile Random Access Memory
OBD
On Board Diagnostics
OCC
Occurrence Counter
PL
Protect Lamp
Pport
Provide Port
RAM
Random Access Memory
ROE
Response On Event
ROM
Read-Only Memory
Rport
Require Port
RSL
Red Stop Lamp
Rte
Runtime Environment
SAE
Society of Automotive Engineers
SchM
Schedule Manager
SRS
Software Requirement Specification
SWC
Software Component
SWS
Software Specification
UDS
Unified Diagnostic Services
WUC
Warmup Cycle
Table 9-2 Abbreviations
2015, Vector Informatik GmbH
Version: 4.3.0
174 / 175
based on template version 5.0.0

Technical Reference MICROSAR Diagnostic Event Manager (Dem)
10  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 4.3.0
175 / 175
based on template version 5.0.0

Document Outline

6 - DIO Driver

DIO Driver

Component Documentation

6.1 - AUTOSAR_DIO_Component_UserManual

AUTOSAR MCAL R4.0 User's Manual

6.2 - AUTOSAR_DIO_Component_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58

6.3 - AUTOSAR_DIO_Component_UserManuals

AUTOSAR MCAL R4.0.3
User‟s Manual
DIO Driver Component Ver.1.0.6
Embedded User‟s Manual
Target Device:
RH850/P1x
All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).
www.renesas.com
Rev 0.02 May 2015

2

Notice
1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to change
without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest product
information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different information to be
disclosed by Renesas Electronics such as that disclosed through our website.
2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third parties by
or arising from the use of Renesas Electronics products or technical information described in this document. No license, express, implied or
otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas Electronics or others.
3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.
4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of semiconductor
products and application examples.  You are fully responsible for the incorporation of these circuits, software, and information in the design of
your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by
          you or third parties arising from the use of these circuits, software, or information.
5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws and
regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products or the
technology described in this document for any purpose relating to military applications or use by the military, including but not limited to the
development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or incorporated into any
products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign laws or regulations.
6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does not warrant
that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by you resulting from errors
in or omissions from the information included herein.
7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and "Specific".  The
recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated below.  You must check
the quality grade of each Renesas Electronics product before using it in a particular application.  You may not use any Renesas Electronics
product for any application categorized as "Specific" without the prior written consent of Renesas Electronics.  Further, you may not use any
Renesas Electronics product for any application for which it is not intended without the prior written consent of Renesas Electronics.  Renesas
Electronics shall not be in any way liable for any damages or losses incurred by you or third parties arising from the use of any Renesas
Electronics product for an application categorized as "Specific" or for which the product is not intended where you have failed to obtain the
prior written consent of Renesas Electronics.  The quality grade of each Renesas Electronics product is "Standard" unless otherwise expressly
specified in a Renesas Electronics data sheets or data books, etc.
          "Standard":  Computers; office equipment; communications equipment; test and measurement equipment; audio and visual equipment; home
electronic appliances; machine tools; personal electronic equipment; and industrial robots.
         "High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime systems;
safety equipment; and medical equipment not specifically designed for life support.
          "Specific":  Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or systems for life
support (e.g. artificial life support devices or systems), surgical implantations, or healthcare intervention (e.g. excision, etc.), and any other
applications or purposes that pose a direct threat to human life.
8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics, especially with
respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation characteristics, installation and
other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages arising out of the use of Renesas
Electronics products beyond such specified ranges.
9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific
characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas Electronics
products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against the possibility of
physical injury, and injury or damage caused by fire in the event of the failure of a
           Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control and
malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation of
microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.
10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of each
Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations that regulate the
inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics assumes no liability for
damages or losses occurring as a result of your noncompliance with applicable laws and regulations.
11.
This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas
          Electronics.
12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this document or Renesas
Electronics products, or if you have any other inquiries.
          (Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned
subsidiaries.
          (Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.
3

4

Abbreviations and Acronyms

Abbreviation / Acronym Description
ADC
Analog Digital Converter
ANSI
American National Standards Institute
API
Application Programming Interface
AUTOSAR
AUTomotive Open System ARchitecture
CAN
Controller Area Network
DEM
Diagnostic Event Manager
DET/Det
Development Error Tracer
DIO
Digital Input Output
ECU
Electronic Control Unit
EEPROM
Electrical Erasable Programmable Read Only Memory
Id
Identifier
I/O
Input/Output
LIN
Local Interconnnect Network
MCAL
MicroController Abstraction Layer
MCU
MicroController Unit
PWM
Pulse Width Modulation
RAM
Random Access Memory
ROM
Read Only Memory
RTE
Run Time Environment
SCI
Serial Communication Interface
SPI
Serial Peripheral Interface
WDT
WatchDog Timer

Definitions

Term
Represented by
Port
Represents a whole configurable port on a microcontroller device.
Port Pin
Represents a single configurable input or output pin on a
microcontroller device.
Sl. No.
Serial Number
5

6

10

Introduction                                                                                                                            Chapter 1

Chapter 1  Introduction

The purpose of this document is to describe the information related to DIO
Driver Component for Renesas P1x microcontrollers.

This document shall be used as reference by the users of DIO Driver
Component. The system overview of complete AUTOSAR architecture is
shown in the below Figure:

Application Layer

AUTOSAR  RTE

System  Services

On board Device Abstraction

DI O Drive r

Microcontroller

Figure 1-1
System Overview Of AUTOSAR Architecture

The DIO Driver is part of the MCAL, the lowest layer of Basic Software in the
AUTOSAR environment.
11

Chapter 1 Introduction

The Figure in the following page depicts the DIO Driver as part of layered
AUTOSAR MCAL Layer:

Micro control ler Drivers
Memory Dri vers
Communication Drivers
I/O Drivers

i

n
te

W
rn
a
GP
M
a
F

t
n
n
PO
c
C
C
l
C
l
P
a
a
A
D
E
L
e
I
hd
C
W
T
U
ore
l
l
I
AN
x
D
I

E
N
O
R
U
R

o

M
F
M
C
la
P

a

T
g

a
R

y

s
s

h
h
OM

E
Po
Micro-
x
L
t
Unit
w
.
I

N
e
controller

r

Figure 1-2 System Overview Of The DIO Driver In AUTOSAR MCAL Layer

The DIO Driver Component provides the service for reading and writing to
Channels, ChannelGroups and Ports.

The DIO Driver Component comprises of two sections, that is, Embedded
Software and the Configuration Tool to achieve scalability and configurability.
The DIO Driver Component Code Generation Tool is a command line tool that
accepts ECU configuration description file(s) as input and generates source
and header file(s) Dio_PBcfg.c and Dio_Cfg.h respectively. The ECU
configuration description is an XML file that contains information about the
configuration for Port Pins.
12

Introduction                                                                                                                            Chapter 1

1.1.
Document Overview

The document has been segmented for easy reference. The table below
provides the user with an overview of the contents of each section:

Section
Contents
Section 1 (Introduction)
This section provides an introduction and overview of DIO Driver
Component.
Section 2 (Reference Documents)  This section lists the documents referred for developing this document.
Section 3 (Integration And Build
This section explains the folder structure, Makefile structure for DIO
Process)
Driver Component. This section also explains about the Makefile
descriptions, Integration of DIO Driver Component with other
components, building the DIO Driver Component along with a sample
application.
Section 4 (Forethoughts)
This  section  provides  brief  information  about  the  DIO  Driver
Component, the preconditions that should be known to the user before
it is used, data consistency details and deviation list.
Section 5 (Architecture Details)
This section describes the layered architectural details of the DIO Driver
Component.
Section 6 (Register Details)
This section describes the register details of DIO Driver Component.
Section 7 (Interaction Between
This section describes interaction of the DIO Driver Component with the
User And DIO Driver Component)  upper layers.
Section 8 (DIO Driver Component  This section provides information about the DIO Driver Component
Header And Source File
source files. This section also contains the brief note on the tool
Description)
generated output file.
Section 9 (Generation Tool Guide)  This section provides information on the DIO Driver Component
Generation Tool.
Section 10 (Application
This section explains all the APIs provided by the DIO Driver
Programming Interface)
Component.
Section 11 (Development And
This section lists the DET and DEM errors.
Production Errors)
Section 12 (Memory
This section provides the typical memory organization, which must be
Organization)
met for proper functioning of component.
Section 13 (P1M Specific
This section provides the P1M Specific Information.
Information)
Section 14 (Release Details)
This section provides release details with version name and base
version.
13

Chapter 1 Introduction

14

Reference Documents
Chapter 2

Chapter 2  Reference Documents

Sl. No.
Title
Version
1.
AUTOSAR_SWS_DIODriver.pdf
2.5.0
2.
r01uh0436ej0070_rh850p1x.pdf
0.70
3.
AUTOSAR_SWS_CompilerAbstraction.pdf
  3.2.0
4.
AUTOSAR_SWS_MemoryMapping.pdf
  1.4.0
5.
AUTOSAR_SWS_PlatformTypes.pdf
  2.5.0
6.
AUTOSAR_BSW_MakefileInterface.pdf
  0.3
7.
AUTOSAR BUGZILLA (http://www.autosar.org/bugzilla)
  -
Note: AUTOSAR BUGZILLA is a database, which contains concerns raised
against information present in AUTOSAR Specifications.

15

Chapter 2 Reference Documents

16

Integration And Build Process
Chapter 3

Chapter 3 Integration And Build Process

In this section the folder structure of the DIO Driver Component is explained.
Description of the makefiles along with samples is provided in this section.

Remark The details about the C Source and Header files that are generated by the
DIO Driver Generation Tool are mentioned in the DIO Driver Component
Generation Tool User's Manual.

3.1.
DIO Driver Component Makefile

The Makefile provided with the DIO Driver Component consists of the GNU
Make compatible script to build the DIO Driver Component in case of any
change in the configuration. This can be used in the upper level Makefile (of
the application) to link and build the final application executable.

3.1.1. Folder Structure

The files are organized in the following folders:

Remark Trailing slash „\‟ at the end indicates a folder

X1X\common_platform\modules\dio\src\Dio.c

 \Dio_Version.c

 \Dio_Ram.c

X1X\common_platform\modules\dio\include\Dio.h

\Dio_Debug.h

\Dio_PBTypes.h

\Dio_LTTypes.h

\Dio_Ram.h

\Dio_Version.h

X1X\P1x\modules\dio\sample_application\<SubVariant>\make\ghs
 \App_DIO_P1M_Sample.mak

X1X\P1x\modules\dio\sample_application\ <SubVariant>

 \obj\<Compiler>
17

Chapter 3 Integration And Build Process



X1X\P1x\modules\dio\generator
 \R403_DIO_P1x_BSWMDT.arxml
X1X\common_platform\modules\dio\generator\Dio_X1x.exe
X1X\P1x\common_family\generator\P1x_translation.h
 \Sample_Applications_P1x.trxml
X1X\P1x\modules\dio\user_manual
(User manuals will be available in this folder).

Note: 1. <AUTOSAR_version> should be 4.0.3
2. <SubVariant> can be P1M
3. <Device_name> can be 701304, 701305, 701310,
 701311, 701312, 701313, 701314, 701315, 701318,
 701319, 701320, 701321, 701322 and 701323.
4. <Compiler> can be ghs
18

Forethoughts                                                                                                                                             Chapter 4

Chapter 4  Forethoughts

4.1.
General

Following information will aid the user to use the DIO Driver Component
software efficiently.

•  The DIO Driver does not enable or disable the ECU or Microcontroller
power supply. The upper layer should handle this operation.

•  Start-up code is not implemented by the DIO Driver.

•  DIO Driver does not implement any callback notification functions.

•  DIO Driver does not implement any scheduled functions.

•  DIO Driver supports the Readback feature.

•  The DIO Driver Component is Postbuild time configurable for R4.0.3.

•  The file Interrupt_VectorTable.c provided is just a Demo and not all
interrupts will be mapped in this file. So the user has to update the
Interrupt_VectorTable.c as per his configuration.

4.2.
Preconditions

Following preconditions have to be adhered by the user, for proper
functioning of the DIO Driver Component:

•  The Dio_Cfg.h and Dio_PBcfg.c files generated by the DIO Driver
Component Code Generation Tool have to be linked along with DIO
Driver Component source files.

•  File Dio_PBcfg.c generated by DIO Driver Component
Generation Tool can be compiled and linked independently.

•  The application has to be rebuilt, if there is any change in the Dio_Cfg.h
and Dio_PBcfg.c file generated by the DIO Driver Component Generation
Tool.

•  Dio_Ram.c and Dio_Ram.h are used only for Autosar release 4.0.3.

•  The DIO Driver Component needs to be initialized before accepting any API
requests. Dio_Init should be called to initialize DIO Driver Component.

•  The authorization of the user for calling the software triggering of a
hardware reset is not checked in the DIO Driver. This will be the
responsibility of the upper layer.

•  The user should ensure that DIO Driver Component API requests
are invoked with correct input arguments.

•  Input parameters are validated only when the static configuration
parameter DioDevErrorDetect is enabled. Application should ensure that
the right parameters are passed while invoking the APIs when
DioDevErrorDetect is disabled.

•  A mismatch in the version numbers of header and the source files will
19

Chapter 4 Forethoughts

result in a compilation error. User should ensure that the correct versions
of the header and the source files are used.

• The DIO functions shall be called only after PORT Driver
initialization, otherwise DIO functions will exhibit undefined behavior.
• User/Integrator should ensure that same Ports/Pins are configured for
DIO Driver component.

4.3.
Data Consistency

To support the re-entrance services, the AUTOSAR DIO module will ensure
the data consistency while accessing its own RAM storage or hardware
registers. The DIO module will use SchM_Enter_Dio_<Exclusive Area> and
SchM_Exit_Dio_<Exclusive
Area>
functions.
The
SchM_Enter_Dio_<Exclusive Area> function is called before the data needs
to be protected and SchM_Exit_Dio_<Exclusive Area> function is called after
the data is accessed.
The following exclusive area along with scheduler services is used to provide
data integrity for shared resource:
• REGISTER_PROTECTION
The
functions
SchM_Enter_Dio_<Exclusive
Area>
and
SchM_Exit_Dio_<Exclusive Area> can be disabled by disabling the
configuration parameter “DioCriticalSectionProtection”.

4.4.
Deviation List

Table 4-1 Driver Deviation List Of
DIO module

Sl. No.
Description AUTOSAR
Bugzilla
1
The API DIO_GetVersionInfo is implemented as macro without DET
-
error DIO_E_PARAM_POINTER.
2
The API Dio_MaskedWritePort which is available in R3.2.2 is also
-
added to R4.0.3 release.
3.
In case of Multiple configuration sets used, configuring different short
-
name for the containers 'DioPort', 'DioChannel' and
'DioChannelGroup' across the configuration set shall result in
generation error.
4.
In case of Multiple configuration sets used, configuring different
-
number of 'DioPort' or 'DioChannel' or 'DioChannelGroup' containers
across the configuration set shall result in generation error.

20

Forethoughts                                                                                                                                             Chapter 4

4.5.
User mode and supervisor mode

The below table specifies the APIs which can run in user mode, supervisor
mode or both modes.

Table 4-2 User mode and Supervisor mode details

Sl.No.
List of API’S
User Mode
Supervisor Mode
Known limitation
in User mode
1.
Dio_Init
x
x
-
2.
Dio_ReadPort
x
x
-
3.
Dio_WritePort
x
x
-
4.
Dio_ReadChannel
x
x
-
5.
Dio_WriteChannel
x
x
-
6.
Dio_FlipChannel
x
x
-
7.
Dio_ReadChannelGroup
x
x
-
8.
Dio_WriteChannelGroup
x
x
-
9.
Dio_MaskedWritePort
x
x
-
10.
Dio_GetVersionInfo
x
x
-



21

Chapter 4 Forethoughts

22

Architecture Details
Chapter 5

Chapter 5
Architecture Details

The overview of the AUTOSAR DIO software architecture is given in the
following figure. The DIO Driver Component access the hardware features
directly. The upper layers call the functionalities provided by DIO Driver
Component:

I/O Hardware Abstraction Software

I/O Hardware Abstraction

DIO_WritePort
DIO_ReadPort

DIO_WriteChannelGroup
DIO_ReadChannelGroup

DIO_WriteChannel

DIO_ReadChannel

              Dio_MaskedWritePort



DIO_FlipChannel


DIO_Init

DIO Driver

On-  Chip Registers

On-  Chip Hardware

Figure 5-1
DIO Driver Architecture
23

Chapter 5                                                                                                       Architecture Details

DIO Driver Component:

The following figure shows the various functionalities as offered by the DIO
Driver.

Port

Read
Channel

Channel Group

Port

Write
Channel

Channel Group

Write And Read
Channel

Figure 5-2
DIO Driver Services

The DIO Driver Component is divided into the following sub modules based
on the functionality required:

•  Port Read and Port Write

•  Channel Read and Channel Write

•  ChannelGroup Read and ChannelGroup Write

DIO Read Port

The levels of all channels of a DIO Port will be read. A bit value '0' indicates
the individual channels of the Port to physical STD_LOW, a bit value '1'
indicates the individual channels of the port to physical STD_HIGH. The level
of all channels of Port are read simultaneously.

DIO Read Channel

The level of a single DIO Channel will be read as either STD_LOW or
STD_HIGH.

DIO Read ChannelGroup

The levels of all channels of a DIO Channel Group will be read. A bit value '0'
indicates  the  corresponding  pin  to  physical  STD_LOW,  a  bit  value  '1'
indicates the corresponding channel to physical STD_HIGH.
24

Architecture Details
Chapter 5

DIO Write Port

The levels of all channels of a Port will be set simultaneously without affecting
the functionality of the input channels. A bit value '0' sets the corresponding
channel to physical STD_LOW, a bit value '1' sets the corresponding channel
to physical STD_HIGH.

DIO Write Channel

The level of a single DIO Channel is set STD_HIGH or STD_LOW.

DIO Write ChannelGroup

All adjoining subset of DIO channels of a port are set simultaneously. A bit
value '0' sets the corresponding channel to physical STD_LOW, a bit value '1'
sets the corresponding channel to physical STD_HIGH.

DIO Initialization

All the global variables of the DIO modules will be initialized.

DIO Flip Channel

The level of a single DIO channel will be set with compliment of current level
that is, if current value is STD_HIGH then STD_LOW will be set and vice
versa and then the level of a single DIO Channel will be read.

DIO GetVersionInfo

The Dio_GetVersionInfo function shall return the version information of this
module.The version information includes module ID, Vendor ID and Vendor
specific version numbers.

DIO MaskedWrite Port

The Dio_MaskedWritePort function shall set the specified value for the
channels in the specified port if the corresponding bit in Mask is „1‟.

25

Chapter 5 Architecture Details

26

Registers Details
Chapter 6

Chapter 6 Registers Details

This section describes the register details of DIO Driver Component.

Table 6-1 Register Details

API Name
Registers
Config Parameter
Macro/Variable
Dio_Init
-
-
-
Dio_ReadPort
PPRn
-
LddPortLevel
JPPRn
-
LddPortLevel
APPRn
-
LddPortLevel
IPPRn
-
LddPortLevel
Dio_WritePort
PSRn
-
Level
JPSRn
-
Level
APSRn
-
Level
PMSRn
-
LddPortModeLevel
Dio_ReadChannel
PPRn
-
LddPortLevel
JPPRn
-
LddPortLevel
APPRn
-
LddPortLevel
IPPRn
-
LddPortLevel
Dio_WriteChannel
PSRn
-
LunPSRContent.ulLongWord
JPSRn
-
LunPSRContent.ulLongWord
APSRn
-
LunPSRContent.ulLongWord
PMSRn
-
LddPortModeLevel
Dio_FlipChannel
PNOTn
DioChannelBitPosition
-
JPNOTn
DioChannelBitPosition
-
APNOTn
DioChannelBitPosition
-
PPRn
-
LddPortLevel
JPPRn
-
LddPortLevel
APPRn
-
LddPortLevel
PMSRn
-
LddPortModeLevel
Dio_ReadChannelGroup
PPRn
-
LddPortLevel
JPPRn
-
LddPortLevel
APPRn
-
LddPortLevel
IPPRn
-
LddPortLevel
Dio_WriteChannelGroup
PSRn
-
LunPSRContent.ulLongWord
JPSRn
-
LunPSRContent.ulLongWord
APSRn
-
LunPSRContent.ulLongWord
PMSRn
-
LddPortModeLevel
Dio_GetVersionInfo
-
-
-
Dio_MaskedWritePort
PSRn
-
-
JPSRn
-
-
APSRn
-
-
27

Chapter 6 Register Details

PMSRn
-
LddPortModeLevel
28

Interaction Between The User And DIO Driver Component
Chapter 7

Chapter 7  Interaction Between The User And DIO

Driver Component

The details of the services supported by the DIO Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

7.1.   Services Provided By DIO Driver Component To The
User

The DIO Driver Component provides the following functionalities to the upper
layers or users:

•  To initialize the DIO module.

•  To read the physical level value from DIO Port.

•  To write specified value into given DIO Port.

•  To read physical level value from DIO Channel.

•  To write a specified value into the given DIO Channel.

•  To read physical level value from DIO ChannelGroup.

•  To write specified value into DIO ChannelGroup.

•  To read the DIO Driver Component version information.

•  To write specified value with a specified mask into given DIO Port.

•  To flip the level of a channel and return the level of the channel after flip.

29

Chapter 7 Interaction Between The User And DIO Driver Component

30

DIO Driver Component Header And Source File Description
Chapter 8

Chapter 8  DIO Driver Component Header And

Source File Description

This section explains the DIO Driver Component‟s source and header files.
These files have to be included in the project application while integrating with
other modules.

The C header file generated by DIO Driver Component Code Generation
Tool:

•  Dio_Cfg.h

The C source file generated by DIO Driver Component Code Generation
Tool:

•  Dio_PBcfg.c

The DIO Driver Component C header files:

•
Dio.h

•
Dio_Debug.h

•
Dio_PBTypes.h

•
Dio_LTTypes.h

•
Dio_Ram.h

•
Dio_Version.h

The DIO Driver Component C source files:

•  Dio.c

•  Dio_Ram.c

•  Dio_Version.c

Note : Dio_LTTypes.h is not applicable for AUTOSAR release 4.0.3.
The port specific C header files:

•  Compiler.h

•  Compiler_Cfg.h

•  MemMap.h

•  Platform_Types.h
31

Chapter 8 DIO Driver Component Header And Source File Description

The description of the DIO Driver Component files is provided in the table below:

Table 8-1 Description Of The DIO Driver Component Files

File
Details
Dio_Cfg.h
This file is generated by the DIO Driver Component Code Generation Tool for DIO
Driver Component pre-compile time parameters. This file contains macro definitions
for the configuration elements. The macros and the parameters generated will vary
with respect to the configuration in the input ARXML file.
Dio_PBcfg.c
This file contains post-build configuration data. The structures related to DIO
Initialization are provided in this file. Data structures will vary with respect to
parameters configured.
Dio.h
This file provides extern declarations for all the DIO Driver Component APIs. This file
provides service Ids of APIs, DET Error codes and Global Data Types for DIO Driver
component. This header file shall be included in other modules to use the features of
DIO Driver Component.
Dio_Debug.h
This file provides Provision of global variables for debugging purpose.
Dio_LTTypes.h
This file contains AUTOSAR DIO link time parameters.
Dio_PBTypes.h
This file contains the macros used internally by the DIO Driver Component code and
the structure declarations related to hardware unit registers, HARDWARE unit,
Channel configuration, Group configuration, Group RAM data and HARDWARE unit
RAM data.
Dio_Ram.h
This file contains the extern declarations for the global variables that are defined in
Dio_Ram.c file and the version information of the file.
Dio_Version.h
This file contains the macros of AUTOSAR version numbers of all modules that are
interfaced to DIO.
Dio.c
This file contains the implementation of all DIO Driver Component APIs.
Dio_Version.c
This file contains the code for checking version of all modules that are interfaced to
DIO.
Dio_Ram.c
This file contains the global variables used by DIO Driver Component.
Compiler.h
Provides compiler specific (non-ANSI) keywords. All mappings of keywords, which
are not standardized, and/or compiler specific are placed and organized in this
compiler specific header.
Compiler_Cfg.h
This file contains the memory and pointer classes.
MemMap.h
This file allows to map variables, constants and code of modules to individual
memory sections. Memory mapping can be modified as per ECU specific needs.
Platform_Types.h
This file provides provision for defining platform and compiler dependent types.
32

Generation Tool Guide
Chapter 9

Chapter 9 Generation Tool Guide

For more information on the Dio Driver Component Generation Tool, please
refer “Generation Tool User Manual” document.
33

Chapter 9 Generation Tool Guide

34

Application Programming Interface                                                                                    Chapter 10

Chapter 10  Application Programming Interface

This section explains the Data types and APIs provided by the DIO Driver
Component to the Upper layers.

10.1.  Imported Types

This section explains the Data types imported by the DIO Driver Component
and lists its dependency on other modules.

10.1.1. Standard Types

In this section all types included from the Std_Types.h are listed:
Std_VersionInfoType

10.1.2. Other Module Types

DIO Driver Component module does not depend on other modules. Hence no
types from other modules are imported.

10.2.  Type Defintions

This section explains the type definitions of DIO Driver Component according
to AUTOSAR Specification.

Refer “AUTOSAR_SWS_DIODriver.pdf” for more type definitions

10.2.1.  Dio_ChannelType

Name:
Dio_ChannelType
Type:
uint8
Range:
0 to 255
Description:
Type definition for Dio_ChannelType used by Dio_ReadChannel and Dio_WriteChannel
35

Chapter 10                                                                                    Application Programming Interface

10.2.2.  Dio_PortType

Name:
Dio_PortType
Type:
uint8
Range:
0 to 255
Description:
Type definition for Dio_PortType used by Dio_ReadPort and Dio_WritePort.

10.2.3.  Dio_PortLevelType

Name:
Dio_PortLevelType
Type:
uint16
Range:
0 to 65535
Description:
Type definition for Dio_PortLevelType used by Dio_ReadPort, Dio_WritePort,
Dio_ReadChannelGroup and Dio_WriteChannelGroup.

10.2.4. Dio_ConfigType

Name:
Dio_ConfigType
Type:
Structure
Range:
Implementation specific.

This structure contains all post-build configurable parameters of the DIO driver.
Description:
A pointer to this structure is passed to the DIO driver initialization function for
configuration.
36

Application Programming Interface                                                                                    Chapter 10

10.3.  Function Definitions

Table 10-1  DIO Driver Component’s API list.

Sl no
API’s of R4.0.3
1.
  Dio_Init
2.
Dio_ReadPort
3.
Dio_WritePort
4.
Dio_ReadChannel
5.
Dio_WriteChannel
6.
  Dio_FlipChannel
7.
Dio_ReadChannelGroup
8.
Dio_WriteChannelGroup
9.
Dio_MaskedWritePort
10.
Dio_GetVersionInfo
37

Chapter 10 Application Programming Interface

38

Development And Production Errors
Chapter 11

Chapter 11 Development And Production Errors

In this section the development errors that are reported by the DIO Driver
Component are tabulated. The development errors will be reported only when
the pre compiler option DIO_DEV_ERROR_DETECT is enabled in the
configuration. The DIO Driver Component does not support any production
errors.

11.1. DIO Driver Component Development Errors

The following contains the DET errors that are reported by DIO Driver
Component. These errors are reported to Development Error Tracer Module
when the DIO Driver Component APIs are invoked with wrong input
parameters or without initialization of the driver.

Table 11-1
DET Errors Of DIO Driver Component (1/2)

Sl. No.
1
Error Code
DIO_E_PARAM_INVALID_CHANNEL_ID
Related API(s)
Dio_ReadChannel , Dio_WriteChannel and Dio_FlipChannel
Source of Error
When the above mentioned APIs are invoked with invalid Channel ID
Sl. No.
2
Error Code
DIO_E_PARAM_CONFIG
Related API(s)
Dio_Init
Source of Error
When the above mentioned API is invoked with NULL parameter.
Sl. No.
3
Error Code
DIO_E_PARAM_INVALID_PORT_ID
Related API(s)
Dio_ReadPort, Dio_WritePort , Dio_WriteChannel, Dio_FlipChannel,
Dio_WriteChannelGroup and Dio_MaskedWritePort
Source of Error
When the above mentioned APIs are invoked with invalid Port ID
Sl. No.
4
Error Code
DIO_E_PARAM_INVALID_GROUP
Related API(s)
Dio_ReadChannelGroup and Dio_WriteChannelGroup
Source of Error
When the above mentioned APIs are invoked with invalid ChannelGroup ID
Sl. No.
5
Error Code
DIO_E_INVALID_DATABASE
Related API(s)
Dio_Init
Source of Error
When the above mentioned API is called without a database or invalid database
39

Chapter 11 Development And Production Errors

Sl. No.
6
Error Code
DIO_E_UNINIT
Related API(s)
Dio_ReadChannel, Dio_WriteChannel, Dio_ReadPort, Dio_WritePort,
Dio_ReadChannelGroup , Dio_WriteChannelGroup and
Dio_FlipChannel
Source of Error
When the above mentioned APIs are invoked without module initialization.

11.2. Dio Driver Component Production Errors

None.
40

Memory Organization
Chapter 12

Chapter 12  Memory Organization

Following picture depicts a typical memory organization, which must be met
for proper functioning of DIO Driver Component software.

ROM Section
DIO Driver Component Library /
RAM Section
Object Files

Global R AM  of uns pecif ic size required f or D IO

Driver  func tioning.
D IO D river code related  to AP Is are  plac ed in
Y1
t his  memory.
Segment  N ame:

NO IN IT _RA M_U N SPEC IF IED
X1
Segment  N ame :

DIO_PUBL IC _C OD E_ROM
Global 1- bit R AM  to be initialized by  start- up
code.
Segment  N ame:
Y2
RAM_1BIT

Tool Generated Files

The const section (f or D IO configuration
structure of type “Dio_C onfigType”) in the file
Dio_PBcf g. c is placed in this memory.
X2
Segment  N ame :
DIO_CFG_DBTOC _UNSPECIFIED

The const section (other than D IO
Configuration structure) in the file Dio_PBcf g.c
is placed in this memory.
X 3
Segment  N ame :

DIO_CFG_DATA_UNSPECIFIED

Figure 12-1  DIO Driver Component Memory Organization
41

Chapter 12                                                                                                           Memory Organization

DIO_PUBLIC_CODE_ROM (X1): API(s) of DIO Driver Component, which
can be located in code memory.

DIO_CFG_DBTOC_UNSPECIFIED (X2): This section consists of DIO Driver
Component database table of contents generated by the DIO Driver
Component Generation Tool. This can be located in code memory.

DIO_CFG_DATA_UNSPECIFIED (X3): This section consists of DIO
Driver Component constant configuration structures. This can be located in
code memory.

RAM Section (Y1, and Y2):

NOINIT_RAM_UNSPECIFIED (Y1): This section consists of the global RAM
pointer variables that are used internally by DIO Driver Component. This can
be located in data memory.

RAM_1BIT (Y2): This section consists of the global RAM variables of 1-bit
size that are initialized by start-up code and used internally by DIO Driver
Component and other software components. The specific sections of
respective software components will be merged into this RAM section
accordingly. This can be located in data memory.

Notes:

•  X1, Y1, and Y2 pertain to only DIO Driver Component and do not include
memory occupied by Dio_PBcfg.c files generated by DIO Driver
Component Generation Tool.

•  User must ensure that none of the memory areas overlap with each other.
Even „debug‟ information should not overlap.

42

P1M Specific Information
Chapter 13

Chapter 13  P1M Specific Information

P1M supports following devices:

•
R7F701304
•
R7F701305
•
R7F701310
•
R7F701311
•
R7F701312
•
R7F701313
•
R7F701314
•
R7F701315
•
R7F701318
•
R7F701319
•
R7F701320
•
R7F701321
•
R7F701322
•
R7F701323

13.1.  Interaction Between The User And DIO Driver

Component

13.1.1.  Translation Header File

The P1x_translation.h file supports following devices:
•
R7F701304
•
R7F701305
•
R7F701310
•
R7F701311
•
R7F701312
•
R7F701313
•
R7F701314
•
R7F701315
•
R7F701318
•
R7F701319
•
R7F701320
•
R7F701321
•
R7F701322
•
R7F701323

13.1.2.  Parameter Definition File
Parameter definition files support information for P1M
43

Chapter 13                                                                                                     P1M Specific Information

Table 13-1  PDF information for P1M
PDF Files
Devices Supported
R403_DIO_P1M_04_05_12_13_20_21. 701304, 701305, 701312, 701313, 701320,
arxml
701321
R403_DIO_P1M_10_11_14_15_18_19
701310, 701311, 701314, 701315, 701318,
_22_23.arxml
701319, 701322, 701323

13.2.  Sample Application

13.2.1 Sample Application Structure

The Sample Application is provided as reference to the user to understand the
method in which the DIO APIs can be invoked from the application.

Generic

AUTOSAR TYPES
COMPILER
rh850

TYPES

Devices

STUB
P1x

Det
DIO
Sample
Application


Figure 13-1 Overview Of DIO Driver Sample Application
44

P1M Specific Information
Chapter 13

The Sample Application of the P1M is available in the path
X1X/P1x/modules/dio/sample_application

The Sample Application consists of the following folder structure
X1X/P1x/modules/dio/definition/<Subvariant>/R403_DIO_P1M_04_05_12_13_
20_21.arxml
X1X/P1x/modules/dio/definition/<Subvariant>/R403_DIO_P1M_10_11_14_15_
18_19_22_23.arxml

X1X/P1x/modules/dio/sample_application/<Subvariant> /<AUTOSAR_version>
 /src/Dio_PBcfg.c
 /inc/Dio_Cfg.h
 /config/App_DIO_P1M_701304_Sample.one
 /config/App_DIO_P1M_701304_Sample.arxml
 /config/App_DIO_P1M_701304_Sample.html
 /config/App_DIO_P1M_701305_Sample.one
 /config/App_DIO_P1M_701305_Sample.arxml
 /config/App_DIO_P1M_701305_Sample.html
 /config/App_DIO_P1M_701310_Sample.one
 /config/App_DIO_P1M_701310_Sample.arxml
 /config/App_DIO_P1M_701310_Sample.html
 /config/App_DIO_P1M_701311_Sample.one
 /config/App_DIO_P1M_701311_Sample.arxml
 /config/App_DIO_P1M_701311_Sample.html
 /config/App_DIO_P1M_701312_Sample.one
 /config/App_DIO_P1M_701312_Sample.arxml
 /config/App_DIO_P1M_701312_Sample.html
 /config/App_DIO_P1M_701313_Sample.one
 /config/App_DIO_P1M_701313_Sample.arxml
 /config/App_DIO_P1M_701313_Sample.html
 /config/App_DIO_P1M_701314_Sample.one
 /config/App_DIO_P1M_701314_Sample.arxml
 /config/App_DIO_P1M_701314_Sample.html
 /config/App_DIO_P1M_701315_Sample.one
 /config/App_DIO_P1M_701315_Sample.arxml
 /config/App_DIO_P1M_701315_Sample.html
 /config/App_DIO_P1M_701318_Sample.one
 /config/App_DIO_P1M_701318_Sample.arxml
 /config/App_DIO_P1M_701318_Sample.html
 /config/App_DIO_P1M_701319_Sample.one
 /config/App_DIO_P1M_701319_Sample.arxml
 /config/App_DIO_P1M_701319_Sample.html
 /config/App_DIO_P1M_701320_Sample.one
 /config/App_DIO_P1M_701320_Sample.arxml
 /config/App_DIO_P1M_701320_Sample.html
 /config/App_DIO_P1M_701321_Sample.one
 /config/App_DIO_P1M_701321_Sample.arxml
 /config/App_DIO_P1M_701321_Sample.html
 /config/App_DIO_P1M_701322_Sample.one
 /config/App_DIO_P1M_701322_Sample.arxml
 /config/App_DIO_P1M_701322_Sample.html
 /config/App_DIO_P1M_701323_Sample.one
45

Chapter 13                                                                                                    P1M Specific Information

                                                                            /config/App_DIO_P1M_701323_Sample.arxml
                                       /config/App_DIO_P1M_701323_Sample.html



In the Sample Application all the DIO APIs are invoked in the following
sequence:
•  The API Dio_GetVersionInfo is invoked to get the version of the DIO
Driver module with a variable of Std_VersionInfoType, after the call of this
API the passed parameter will get updated with the DIO Driver version
details.
•  The API Dio_Init is invoked with a valid database address for the proper
initialization of the DIO Driver, all the DIO Driver control registers and
RAM variables will get initialized after this API is called.
•  The API Dio_WriteChannel is invoked to set the required level of a
particular channel. It sets the output level of the channel if that particular
channel is configured in output mode. If channel is configured for input
mode, Dio_WriteChannel has no effect.
•  The API Dio_ReadChannel reads the level of the required channel.
The level read for the channel is actual physical level of that channel if
the channel is configured in input mode and input buffer for that
channel is enabled.
•  The API Dio_WritePort is invoked to simultaneously set the required
levels to all channels of a port. It sets the output level of the channels
which are configured in output mode, for the channels which are
configured in input mode, Dio_WritePort has no effect.
•  The API Dio_ReadPort reads the level of all the channels of a required
port. The level read is actual physical level of the channels that are
configured in input mode and whose input buffer is also enabled.
•  The API Dio_WriteChannelGroup is invoked to simultaneously set the
required levels to group of channels of a port. It sets the output level of
the channels which are configured in output mode, for the channels
which are configured in input mode, Dio_WriteChannelGroup has no
effect.
•  The API Dio_ReadChannelGroup reads the level of group of channels of
a  required  port.  The  level  read  is  actual  physical  level  of  the  channels
that are configured in input mode and whose input buffer is also enabled.
•  The API Dio_MaskedWritePort provides service to set value of given port
with required mask.The Dio_MaskedWritePort funcion shall set the
specified value for the channel in specified port if the corresponding bit in
mask is „1‟.
•  The API Dio_WriteChannel is invoked to set the required level of a
particular channel. It sets the output level of the channel if that particular
channel is configured in output mode. If channel is configured for input
mode, Dio_WriteChannel has no effect.
•  The API Dio_FlipChannel reads the level of the channel and invert it, then
write the inverted level to the channel if the channel is configured as
output channel and the function shall have no influence on the physical
output if the channel is configured as input channel.

46

P1M Specific Information
Chapter 13

13.2.2 Building Sample Application

13.2.2.1
Configuration Example

This section contains the typical configuration which is used for measuring
RAM/ROM consumption, stack depth and throughput details.
Configuration Details:
Name of the configuration file: App_DIO_P1M_<Device_name>.html

13.2.2.2
Debugging the Sample Application

Remark GNU Make utility version 3.81 or above must be installed and available in the
path as defined by the environment user variable “GNUMAKE” to complete
the build process using the delivered sample files.

• Open a Command window and change the current working directory
to “make” directory present as mentioned in below path:
“X1X\P1x\common_family\make\<Compiler>”

Now execute batch file SampleApp.bat with following parameters:

SampleApp.bat dio 4.0.3 <Device_name>
<Device_name> can be 701304, 701305, 701310, 701311, 701312,
701313, 701314, 701315, 701318, 701319,
701320, 701321, 701322 and 701323.

After this, the tool output files will be generated with the configuration as
mentioned in App_DIO_P1M_<Device_name>_Sample.html file
available in the path:

• “X1X\P1x\modules\dio\sample_application\<SubVariant>\<AUTOSAR_versi
on> \config”

• After this, all the object files, map file and the executable file Sample.out
will be available in the output folder
(“X1X\P1x\modules\dio\sample_application\<SubVariant>\obj\<Compiler>”
in this case).

• The executable can be loaded into the debugger and the sample
application can be executed.

Remark Executable files with „*.out‟ extension can be downloaded into the target
hardware with the help of Green Hills debugger.

 If any configuration changes (only post-build) are made to the
ECU Configuration Description files
 “X1X\P1x\modules\dio\sample_application\< SubVariant >
 \<AUTOSAR_version>config \ App_DIO_P1M_701310_Sample.arxml”

The database alone can be generated by using the following commands.

make –f App_DIO_P1M_Sample.mak generate_dio_config
make –f App_DIO_P1M_Sample.mak App_Dio_P1M_Sample.s37

47

Chapter 13                                                                                                    P1M Specific Information

After this, a flashable Motorola S-Record file App_Dio_P1M_Sample.s37 is
available in the output folder.

13.3.  Memory And Throughput

13.3.1 ROM/RAM Usage

The details of memory usage for the typical configuration provided in Section

13.3.2.1 Configuration Example are provided in this section.

Table 13-2   ROM/RAM Details with DET

Sl. No.  ROM/RAM
Segment Name
Size in bytes
for 144 pin
device
1.
ROM
DIO_PUBLIC_CODE_ROM
1296

DIO_PRIVATE_CODE_ROM
0
CONST_ROM_UNSPECIFIED
0
DIO_CFG_DATA_UNSPECIFIED
40

DIO_CFG_DBTOC_UNSPECIFIED
16

2.
RAM
RAM_1BIT
1

NOINIT_RAM_UNSPECIFIED
-
8

DIO_CFG_RAM_UNSPECIFIED
-
0
-

The details of memory usage for the typical configuration, with DET enabled
and all other configurations as provided in 13.3.2.1 Configuration Example are
provided in this section.

  Table 13-3  ROM/RAM Details without DET

Sl. No.  ROM/RAM
Segment Name
Size in bytes
for 144 pin
device
1.
ROM
DIO_PUBLIC_CODE_ROM
690
DIO_PRIVATE_CODE_ROM
0
CONST_ROM_UNSPECIFIED
0
DIO_CFG_DATA_UNSPECIFIED
40

DIO_CFG_DBTOC_UNSPECIFIED
16

-
-
48
-

P1M Specific Information
Chapter 13

2.
RAM
RAM_1BIT
0

NOINIT_RAM_UNSPECIFIED
8

DIO_CFG_RAM_UNSPECIFIED
0

13.3.2.
Stack Depth

The worst-case stack depth for DIO Driver Component for the typical

Configuration provided in Section 13.3.2.1 is 24 bytes.

13.3.3.
Throughput Details

The throughput details of the APIs for the configuration mentioned in the
Section13.3.2.1 Configuration Example.
The clock frequency used to measure the throughput is 80 MHz for all APIs

Table 13-4 Throughput Details of the APIs

Sl. No.
API Name
Throughput in
Remarks
microseconds
1.
Dio_Init
0.212
-
2.
Dio_WriteChannel
0.912
-
3.
Dio_ReadChannel
0.337
-
4.
Dio_WritePort
0.787
-
5.
Dio_ReadPort
0.212
-
6.
Dio_WriteChannelGroup
0.937
-
7.
Dio_ReadChannelGroup
0.350
-
8.
Dio_MaskedWritePort
0.787
-
9.
Dio_FlipChannel
0.875
-
10.
Dio_GetVersionInfo
0.12
-

49

Chapter 13 P1M Specific Information

50

Release Details Chapter 14
Chapter 14 Release Details

Embedded DIO Driver Software

Version: 1.0.9

51

Chapter 14 ReleaseDetails

52

Revision History

Sl.No.
Description
Version
Date
1.
Initial Version
1.0.0
30-Sep-2013
2
Updated for 100 pins and 144 pins device for P1x E4.02
1.0.1
27-Jan-2014

3
Following change is made:
1.0.2
13-Mar-2014


In page no 40, Header is changed.

In section 13.3.2.1, configuration file mentioned changed.

In page no 54, Header is added.

4.
Following change is made:
1.0.3
25-Aug-2014

In section 13.4 RAM/ROM details and throughput details
are updated.

Section 13.1.2 is added.

Section 13.2 is updated for compile and Linker and
Assembler options.
5.
Following changes are made:
1.0.4
04-Sep-2014

Table 11-1 is updated.

Repeated DIO_CFG_DBTOC_UNSPECIFIED is removed
from RAM section from table 13-5 and from table 13-6.

DIO_E_PARAM_POINTER is removed from DET Error
codes.
6.
Following changes are made:
1.0.5
18-Nov-2014

User manual is updated as per Template.

Dio_MaskedWritePort information is provided in section 5
and section 7.

Throughput Details are updated in section 13.4.3
7.
Following changes are made:
1.0.6
27-May-2015

Chapter 2 reference documents section is updated.

Chapter 3 section 3.1.1 is updated for new devices.

Chapter 4 section 4.1 General is updated and a note is
added regarding interrupt vector (.c) file

Chapter 4 section 4.4 Deviation list is updated.

Chapter 13 Section for compiler, linker, assembler details is
removed.

Chapter 13
13.1.1 Translation header files section is updated as per
new devices.
13.1.2 PDF section is updated as per new devices.
13.2.1 Sample application structure is updated for new
devices
13.2.2 Building sample application section is updated
13.3 Memory and throughput details are updated for 144
pin devices.

53

AUTOSAR MCAL R4.0.3 User's Manual
DIO Driver Component Ver.1.0.6

Publication Date: Rev.0.02, May 27, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  de  tailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson  Road,  Newmarket,  Ontario  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics  Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics  Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf,  Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics  (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu  Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics  (Shanghai)  Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics  Hong  Kong  Limited
Unit  1601-1613,  16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok,  Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics  Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics  Singapore  Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  keppel  Bay  Tower,  Singapore  098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics  Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics  Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.

Colophon 1.0

AUTOSAR MCAL R4.0.3

User‟s Manual

Document Outline

6.4 - AUTOSAR_DIO_Tool_UserManual

AUTOSAR MCAL R4.0 User's Manual

6.5 - AUTOSAR_DIO_Tool_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32

6.6 - AUTOSAR_DIO_Tool_UserManuals

AUTOSAR MCAL R4.0.3
User‟s Manual
DIO Driver Component Ver.1.0.2
Generation Tool User‟s Manual
Target Device:
RH850/P1x
All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).
www.renesas.com
Rev.0.02 Apr 2015

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.

3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.

11.  This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.


(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
API
Application Programming Interface
AUTOSAR
AUTomotive Open System ARchitecture
BSWMDT
Basic Software Module Description Template
ECU
Electronic Control Unit
Id
Identifier
MCAL
Microcontroller Abstraction Layer
Dio/DIO
Digital Input Output
XML
eXtensible Mark-up Language

Definitions

Terminology
Description
BSWMDT File
This file is the template for the Basic Software Module Description.
Configuration XML File
This file contains the setting of command line options.
ECU Configuration Description
Input file to DIO Driver Generation Tool. It is generated by ECU
File
Configuration Editor.
Sl.No
Serial Number.
Translation XML File
This file contains the translation and device specific header file path.

5

6

List of Figures

Figure 3-1
Overview of DIO Driver Generation Tool ........................................................................... 13

List of Tables

Table 5-1
Output Files Description ..................................................................................................... 17

8

Introduction
Chapter 1

Chapter 1 Introduction

The DIO Driver component provides the service for initializing the whole DIO
structure of the microcontroller.

The DIO Driver module comprises of two sections as Embedded Software
and the Generation Tool to achieve scalability and configurability.

The document describes the features of the DIO Driver Generation Tool. DIO
Driver Generation Tool is a command line tool that extracts information from
ECU Configuration Description File and BSWMDT File and generates DIO
Driver C Source and C Header files.
Dio_Cfg.h and Dio_PBcfg.c.

This document contains information on the options, input and output files of
the DIO Driver Generation Tool. In addition, this manual covers a step-by-step
procedure for the usage of tool.

ECU Configuration Description File contains information about DIO
configuration.

1.1 Document Overview

This user manual is organized as given in the table below:

Section
Contents
Section 1 (Introduction)
Provides an introduction to the document and explains how information
is organized in this manual.
Section 2 (Reference)
Provides a list of documents referred while developing this document.
Section 3 (DIO Driver
Provides the DIO Driver Generation Tool Overview.
Generation Tool Overview)
Section 4 (Input Files)
Provides information about ECU Configuration Description File.
Section 5 (Output Files)
Explains the output files that are generated by the DIO Driver
Generation Tool.
Section 6 (Precautions)
Contains precautions to be taken during configuration of ECU
Configuration Description File.
Section 7 (User Configuration
Describes about user configuration validation done by the DIO Driver
Validation)
Generation Tool.
Section 8 (Messages)
Describes all the Error/Warning/Information messages of R4.0.3 which
helps the user to understand the probable reason for
the same.
Section 9 (Notes)
Provides notes to help the user to understand this document better.

9

Chapter 1 Introduction

10

Reference
Chapter 2

Chapter 2  Reference

2.1  Reference Documents

The following table lists the documents referred to develop this document:

Sl.No.  Title
Version
1.
Autosar R4.0
2.5.0
AUTOSAR_SWS_DIODriver.pdf

P1x Parameter Definition File
1.0.3
2.
R403_DIO_P1M_04_05_12_13_20_21.arxml
3.
P1x Parameter Definition File
1.0.4

R403_DIO_P1M_10_11_14_15_18_19_22_23.arxml

2.2  Trademark Notice

Microsoft and Windows are trademarks/registered trademarks of Microsoft
Corporation.

11

Chapter 2 Reference

12

DIO Driver Generation Tool Overview
Chapter 3

Chapter 3  DIO Driver Generation Tool Overview

DIO Driver Generation Tool overview is shown below.

ECU

Configuration

Description

File, BSWMDT
DIO Driver
Dio_Cfg.h,
File, Translation
Generation
Dio_PBcfg.c
XML File and
Tool
Configuration
XML File

Figure 3-1  Overview of DIO Driver Generation Tool

DIO Driver Generation Tool is a command line tool that extracts, analyzes the
configuration details provided in the input file and validates correctness of the
data and provides scalability and configurability for DIO Driver module. It
accepts ECU Configuration Description File(s), Translation XML File,
BSWMDT File and Configuration XML File as input and displays appropriate
context sensitive error messages for wrong input and exits. Tool creates the
Log file (Msn.log) that contains the list of Error/Warning/Information messages
in the output directory.

For the error free input file, the tool generates the following output files:
Dio_Cfg.h and Dio_PBcfg.c.

Dio_Cfg.h will be compiled and linked with DIO Driver Component.
Dio_PBcfg.c will be compiled and linked separately from the other C Source
files and placed in flash.

ECU Configuration Description File can be created or edited using ECU
Configuration Editor.

Remark
•
In case of errors the generation tool returns a 1, in case of no errors
the generation tool returns a 0.

•
DIO Driver Generation Tool uses “Common Published Information” from
DIO module specific BSWMDT File. DIO module specific BSWMDT File
should not be updated manually since it is “Static Configuration” file.

13

Chapter 3 DIO Driver Generation Tool Overview

14

Input Files
Chapter 4

Chapter 4 Input Files

DIO Driver Generation Tool accepts ECU Configuration Description File(s),
BSWMDT File, Translation XML File and Configuration XML File as input.
DIO Driver Generation Tool needs information about DIO Driver module.
Hence ECU Configuration Description File should contain configuration of
DIO Driver module. Generation Tool ignores any other AUTOSAR component
configured in the ECU Configuration Description File. ECU Configuration
Description File can be generated using configuration editor.

ECU Configuration Description File must comply with AUTOSAR standard
ECU Configuration Description File format.

Remark The detailed explanation about the parameters and containers are found in
Parameter Definition File mentioned in the Reference Documents section.

15

Chapter 4 Input Files

16

Output Files
Chapter 5

Chapter 5  Output Files

DIO Driver Generation Tool generates configuration details in C Header and
C Source files.

(DIO Driver Generation Tool will generate Dio_Cfg.h and
Dio_PBcfg.c files.).

The content of each output file is given in the table below:

Table 5-1  Output Files Description

Output File
Details
Dio_Cfg.h
This file contains the macro definitions for development error detects, version info API
and channel group. This file contains DIO Channel Configuration Handles, DIO Port
Configuration Handles and DIO Channel Group Configuration Handles.
Dio_PBcfg.c
This file contains Data Structures for DIO Port Group Configuration, DIO Port Channel
Configuration and DIO Port Channel Group Configuration. This file also contains
information on Number of ports and Channels configured.

Remark  Output files generated by DIO Driver Generation Tool should not be modified
or edited manually.

17

Chapter 5 Output Files

18

Precautions
Chapter 6

Chapter 6  Precautions

•  ECU Configuration Description File and BSWMDT File must comply with
AUTOSAR standard for R4.0.3 ECU Configuration Description File and
BSWMDT File respectively.

•  The input file must contain DIO Driver module.

•  Default Configuration XML File (Dio_X1x.cfgxml) must be present in same
location of Dio_X1x.exe.

•  If Translation XML File is not provided on the command line, Dio_X1x.trxml
which is present in same location of Dio_X1x.exe is considered as „default‟
Translation XML File.

•  If Configuration XML File is not provided on the command line,
Dio_X1x.cfgxml which is present in same location of Dio_X1x.exe is
considered as „default‟ Configuration XML File.

•  Translation XML File should contain the file extension „.trxml‟.

•  Configuration XML File should contain the file extension „.cfgxml‟.

•  All the function names and the string values configured should follow C
syntax for variables. It can only contain alphanumeric characters and “_”. It
should start with an alphabet.

•  If the output files generated by DIO Driver Generation Tool are modified
externally, then they may not produce the expected results or may lead to
error/warning/Information messages.

•  Short Name for a container should be unique within a name space.

•  An error free ECU Configuration Description File generated from
configuration editor has to be provided as input to the DIO Driver
Generation Tool. Otherwise Tool may not produce the expected results or
may lead to errors/warnings/information messages.

•  User has to make sure that the respective device specific configuration file
is used otherwise Tool may not produce the expected results or may lead
to errors/warnings/information messages.

•  The description file should always be generated using  AUTOSAR specified
configuration editor and it should not be edited manually.

Remark  Please refer the DIO Component User Manual for deviations from AUTOSAR
Specifications, if any.

19

Chapter 6 Precautions

20

User Configuration Validation
Chapter 7

Chapter 7 User Configuration Validation

This section provides help to analyze the error, warning and information
messages displayed during the execution of DIO Driver Generation Tool. It
ensures conformance of input file with syntax and semantics. It also performs
validation on the input file for correctness of the data.

For more details on list of Error/Warning/Information messages that are
displayed as a result of input file(s) validation, refer Chapter “8 Messages”.

The Generation Tool displays error or warning or information when the user
has configured incorrect inputs. The format of Error/Warning/Information
message is as shown below.

• ERR/WRN/INF<mid><xxx>: <Error/Warning/Information Message>.
where,
<mid>: 120 - DIO Driver Module id (120) for user configuration checks.

000 - for command line checks.

<xxx>: 001-999 - Message id.

• File Name: Name of the file in which the error has occurred

• Path: Absolute path of the container in which the parameter is present

„File Name‟ and „Path‟ need not be present for all Error/Warning/Information
messages.

21

Chapter 7 User Configuration Validation

22

Messages
Chapter 8

Chapter 8 Messages

The messages help to identify the syntax or semantic errors in the ECU
Configuration Description File. Hence it ensures validity and correctness of
the information available in the ECU Configuration Description File.

The following section gives the list of error, warning and information
messages displayed by the Generation Tool.

8.1 Error Messages

ERR120001: Number of fields is not same for the entity 'Structure Name'.

This error occurs, if the number of fields is not same in the structure that is to
be generated in the output file.

ERR120002: Field 'Field Name' is empty in the entity 'Structure Name'.

This error occurs, if the structure fields that are to be generated in the output
file are empty.

ERR120003: 'DIO Driver' Component is not present in the input file(s).

This error occurs, if DIO Driver Component is not present in the input ECU
Configuration Description File(s).

ERR120004: The parameter 'parameter name' in the container 'container
name' should be configured.

This error occurs, if any of the mandatory configuration parameter(s)
mentioned below is (are) not configured in ECU Configuration Description File.
The list of mandatory parameters with respect to container is listed below:

Parameter Name
Container Name
DioDevErrorDetect

DioMaskedWritePortApi

DioVersionInfoApi
DioGeneral
DioVersionCheckExternalModules
DioDeviceName
DioFlipChannelApi
DioCriticalSectionProtection

23

Chapter 8 Messages

Parameter Name
Container Name
DioPortName
DioPort
DioChannelBitPosition
DioChannel
DioPortMask

DioChannelGroup
DioPortOffset

ERR120005: The value <value for DioPortName> configured for the
parameter ‘DioPortName’ present in the container ‘DioPort’ should be
unique.

This error occurs, if the value for parameter DioPortName present in the
container DioPort is not unique.

ERR120006: The value for parameter ‘DioChannelBitPosition’ present in
the container ‘DioChannel’ of the DIO port group <value for
DioPortName parameter> is not in the range of <Start> and <End>.

This error occurs, if the value for parameter DioChannelBitPosition present in
the container DioChannel for respective DIO port group is not valid as
configured channel bit position must belongs to the respective DIO port
group. In above error message, <Start> and <End> will be replaced by „start
channel bit position‟ and „end channel bit position‟ respectively for selected
DIO port group.

Example: Suppose in PORTGROUP_2_BITS_0_TO_2, only 0 to 2 channels
are available. If user configures channels, which does not belongs to
PORTGROUP_2_BITS_0_TO_2 then it is invalid configuration. Here start is 0
and end is 2.

ERR120007: The value <value for DioChannelBitPosition> configured for
the parameter ‘DioChannelBitPosition’ present in the container
‘DioChannel’ of the DIO port group <value for DioPortName parameter>
should be unique.

This error occurs, if the value for parameter DioChannelBitPosition present in
the container DioChannel is not unique for respective DIO port group
configured for the parameter DioPortName.

ERR120008: The value for parameter ‘DioPortMask’ <value for the
DioPortMask> present in the container ‘DioChannelGroup’ of the DIO
port group <value for DioPortName parameter> is not valid.

This error occurs, if value for parameter DioPortMask present in the container
DioChannelGroup for respective DIO port group is not valid as the grouped
channels must belong to the respective DIO port group.

Example: Suppose in PORTGROUP_2_BITS_0_TO_2, only 0 to 2 channels
are available. In this case, user should not consider channel 3 and channel 4
in channel grouping, since channel 3 and channel 4 does not belong to
PORTGROUP_2_BITS_0_TO_2.

ERR120009: The value for parameter ‘DioPortMask’ <value for the
DioPortMask> present in the container ‘DioChannelGroup’ of the DIO
port group <value for DioPortName parameter> is not valid. While
masking, channels should be grouped in continuous order.
24

Messages
Chapter 8

This error occurs, if value for parameter DioPortMask present in the container
DioChannelGroup is not valid. The grouped channels should be continuous
order.

Example: Channel 1 and Channel 5 cannot be grouped in one DIO Channel
Group since they are not continuous channels.

ERR120010: The value for parameter ‘DioPortOffset’ <value for the
DioPortOffset> present in the container ‘DioChannelGroup’ of the DIO
port group <value for DioPortName parameter> is not valid. The value of
the parameter ‘DioPortOffset’ should be equal to the start position of the
DIO channel group.

This error occurs, if the value for parameter DioPortOffset present in the
container DioChannelGroup is not valid. The value of the parameter
DioPortOffset should be equal to the start position of the DIO channel group.

Example: Suppose DIO channel grouping started from Channel 2 then value
for parameter DioPortOffset should be 2.

ERR120011: The short name <short name for DioPort> configured for
the container ‘DioPort’ should be unique.

This error occurs, if short name of the container DioPort is not unique in ECU
Configuration Description File.

ERR120012: The short name <short name for DioChannel> configured
for the container ‘DioChannel’ should be unique.

This error occurs, if short name of the container DioChannel is not unique in
each DioPort container.

ERR120013: The short name <short name for DioChannelGroup>
configured for the container ‘DioChannelGroup’ should be unique.

This error occurs, if short name of the container DioChannelGroup is not
unique in each DioPort container.

ERR120014: The number of ‘DioPort’ container is not same
across multiple configuration sets.

This error occurs, if the number of DioPort container is not same across
multiple configuration sets.

ERR120015: The number of ‘DioChannel’ container is not same across
multiple configuration sets.

This error occurs, if the number of DioChannel container is not same across
multiple configuration sets.

ERR120016: The number of ‘DioChannelGroup’ container is not same
across multiple configuration sets.

This error occurs, if the number of DioChannelGroup container is not same
across multiple configuration sets.

25

Chapter 8                                                                                                                                Messages

.
ERR120017: The container short name of ‘DioPort’ container is not
same across multiple configuration sets.

This error occurs, if the container short name of DioPort container is not same
across multiple configuration sets.

ERR120018: The container short name of ‘DioChannel’ container is not
same across multiple configuration sets.

This error occurs, if the container short name of DioChannel container is not
same across multiple configuration sets.

ERR120019: The container short name of ‘DioChannelGroup’ container
is not same across multiple configuration sets.

This error occurs, if the container short name of DioChannelGroup container
is not same across multiple configuration sets.

8.2  Warning Messages

None.

8.3  Information Messages

None.

26

Notes
Chapter 9

Chapter 9 Notes

“Generation tool” and “Tool” terminologies are used interchangeably to refer
DIO driver generation Tool

27

Chapter 9
Notes

28

Revision History

Sl.No.  Description
Version
Date
1.
Initial Version
1.0.0
30-Sep-2013
2.
  Parameter „DioCriticalSectionProtection‟ is updated in Error
1.0.1
01-Sep-2014
message „ERR120004‟.
  Reference Documents section is updated for addition of Parameter
definition file reference in chapter 2.
  Precautions chapter is updated.

3.
  Section 2.1 Reference documents section is updated with the
1.0.2
27-Apr-2015
parameter definition file names.

29
29

AUTOSAR MCAL R4.0.3 User's Manual
DIO Driver Component Ver.1.0.2
Generation Tool User's Manual

Publication Date: Rev.0.02, April 27, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  de  tailed  information.
Renesas  Electronics America  Inc.
2880  Scott  Boulevard Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics Canada  Limited
1101  Nicholson Road,  New market, Ontario  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf, Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics (Shanghai)  Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics Hong  Kong  Limited
Unit  1601-1613,  16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok,  Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics  Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics Singapore Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  keppel  Bay  Tower,  Singapore  098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ahsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User‟s Manual

Document Outline

6.7 - Dio Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Dio

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Dio_Renesas_Ar4.0.3_01.00.09_1

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3166

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

7 - ECU Configuration

ECU Configuration

Component Documentation

EcuC Peer Review Checklists.html

7.1 - EcuC Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. EcuC

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. EcuC_Vector_Ar4.0.3_03.02.01_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3167

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/06/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

8 - ECU State Manager

ECU State Manager

Component Documentation

8.1 - EcuM Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. EcuM

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. EcuM_Vector_Ar4.0.3_05.00.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3168

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/06/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

8.2 - TechnicalReference_EcuM

MICROSAR EcuM

8.3 - TechnicalReference_EcuM_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126
Page 127
Page 128
Page 129
Page 130
Page 131
Page 132
Page 133
Page 134

8.4 - TechnicalReference_EcuMs

MICROSAR EcuM Flex
Technical Reference

SysService_Asr4EcuM
Version 5.00.00

Authors
Jochen Vorreiter
Status
Released

Technical Reference MICROSAR EcuM Flex
Document Information
History
Author
Date
Version
Remarks
Jochen Vorreiter
2012-06-06
1.00.00
>  Initial Setup
Jochen Vorreiter
2013-01-30
1.00.01
>  ESCAN00064669 Updated compiler
abstraction and memory mapping
Jochen Vorreiter
2013-05-03
1.01.00
>  Added support of post-build-loadable
>  Added support of asynchronous
transceiver handling in 3.9.2
>  Added API
EcuM_ClearValidatedWakeupEvent()
in 5.2.10
>  Extended description of
EcuM_StartupTwo() in 5.2.3
Jochen Vorreiter
2013-10-31
2.00.00
>  ESCAN00069010 Added support for
Alarm Clock in 3.14
>  ESCAN00071546 Added Multi Core
support in 3.15
>  New API
EcuM_GoToSelectedShutdownTarget
>  ESCAN00071553 Changed handling of
wakeup source states in 5.1
>  Changes in chapter 4.2 Critical Sections
>  ESCAN00071552 Removed
BswM_EcuM_CurentState notification
Jochen Vorreiter
2014-06-03
3.00.00
>  Added Support for EcuM fixed
>  ESCAN00073631 Fixed missing
description of EcuM_BswErrorHook()
Jochen Vorreiter
2014-11-04
4.00.00
>  Added Support for Post-Build
Selectable
>  Added chapter 3.15.1.2.1 Driver
initialization on the Slave Core.
>  Added chapter 3.15.5 Reconfiguration
of the BSW Core ID
>  Added MICROSAR specific CanSM
handling in 3.18.2.3.3
>  ESCAN00079382 Fixed missing
description of the StateRequest Port in
5.8.1.1
>  ESCAN00077124 Fixed description of
Critical Sections in 4.2
>  ESCAN00079407, ESCAN00068331
Fixed description in Type Definitions of
2015, Vector Informatik GmbH
Version: 5.00.00
2 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
EcuM_WakeupStateType in 5.1
Jochen Vorreiter
2014-11-25
4.00.01
>  Adapted description of
EcuM_DeterminePbConfiguration
Jochen Vorreiter
2015-01-26
4.01.00
>  Updated the Include structure and
added two files in 4.1.2
>  Updated access on PB and Variant data
in DriverInitLists in Ch. 5.7.2
Jochen Vorreiter
2015-07-14
5.00.00
>  Added new EcuM error ID for invalid
CoreID in Ch. 3.11.3
>  Added support for Mode Handling, see
Ch. 3.16, 5.3.13 and 5.5
>  Removed subchapters “Parameter
Checking” from Ch. 3.11
>  Added missing API ID in Table 3-8
  Service IDs
Reference Documents
No.
Source
Title
Version
[1]   AUTOSAR
AUTOSAR_SWS_ECUStateManager.pdf
V3.0.0
[2]   AUTOSAR
AUTOSAR_SWS_DevelopmentErrorTracer.pdf
V3.2.0
[3]   AUTOSAR
AUTOSAR_SWS_DiagnosticEventManager.pdf.pdf
V4.2.0
[4]   AUTOSAR
AUTOSAR_TR_BSWModuleList.pdf
V1.6.0
[5]   AUTOSAR
AUTOSAR_EXP_ModemanagementGuide.pdf
V1.0.0
[6]   VECTOR
TechnicalReference_PostBuildLoadable.pdf
see delivery
[7]   AUTOSAR
AUTOSAR_SWS_ECUStateManagerFixed.pdf
V1.4.0
[8]   VECTOR
TechnicalReference_IdentityManager.pdf
see delivery

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector’s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2015, Vector Informatik GmbH
Version: 5.00.00
3 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.
Component Version  New Features
1.00.00
Adaption to AUTOSAR Release 4
1.01.00
Added support of configuration variant Post-Build Loadable
Added support of asynchronous transceiver handling
2.00.00
Added support for handling of MuliCore ECUs
Added support of Alarm Clock to provide the absolute time and handling
of time triggered wake-ups.
3.00.00
Added support for EcuM with fixed state machine
4.00.00
Added support for Post-Build Selectable
5.00.00
Added support for Mode Handling in EcuM Flex
Table 1-1   Component history

2015, Vector Informatik GmbH
Version: 5.00.00
13 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
2  Introduction
This  document  describes  the  functionality, API  and  configuration  of  the AUTOSAR  BSW
module EcuM as specified in [1] and [7].

Supported AUTOSAR Release*:
4.0.3
Supported Configuration Variants:
Pre-Compile, Post-Build Loadable
Vendor ID:
ECUM_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
ECUM_MODULE_ID
10 decimal
(according to ref. [4])
* For the precise AUTOSAR Release 4.x please see the release specific documentation.

This document describes the functionality and API of the ECU State Manager (EcuM) as a
hardware independent module.
The main tasks of the EcuM are:
>  Initialization of BSW (Basis Software) modules that are needed to start the operating
system
>  Preparation of the microcontroller for a sleep phase and the following wake up
>  Performing an ordered shut down or reset of the ECU
>  Validation of occurred wake ups via the wake-up validation protocol
2015, Vector Informatik GmbH
Version: 5.00.00
14 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
2.1
Architecture Overview
The following figure shows where the EcuM is located in the AUTOSAR architecture.

Figure 2-1 AUTOSAR architecture
2015, Vector Informatik GmbH
Version: 5.00.00
15 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
The next figure shows the interfaces to adjacent  modules of the  EcuM. These interfaces
are described in chapter 5.2 Services Provided by EcuM and 5.5 Services Used by EcuM.
cmp Architecture_Ov erv iew
SW-C / RTE
SchM
AUTOSAR OS
Dem
EcuM
other BSW Modules
Det
Rte
Bsw M
ComM
Mcu
Gpt
Nv M

Figure 2-2  Interfaces to adjacent modules of the EcuM
2015, Vector Informatik GmbH
Version: 5.00.00
16 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3  Functional Description
3.1
Features
The features listed in the following tables cover the complete functionality specified for the
EcuM.
The AUTOSAR standard functionality is specified in [1] and [7], the corresponding features
are listed in the tables:
>  Table 3-1   Supported AUTOSAR EcuM common features
>  Table 3-2   Supported AUTOSAR EcuM flex features
>  Table 3-3   Supported AUTOSAR EcuM fixed features
For further information of not supported features see also chapter 0.
Vector Informatik provides further EcuM functionality beyond the AUTOSAR standard. The
corresponding features are listed in the table:
>  Table 3-4   Features provided beyond the AUTOSAR standard

The following features specified in [1] and [7] are supported:
Supported AUTOSAR Standard Conform Features
Configuration of different wake-up sources.
Configuration of EcuM users.
Configurable startup sequence of the BSW stack that is needed before starting the OS.
Possibility to add additional initialization code into the initialization lists.
Notification of the BswM if a wake-up event occurs on a wake-up source.
Notification of the ComM if a wake-up event occurs on communication channels.
Assignment of communication channels to wake-up sources.
Configuration of different sleep modes.
Selection of different shutdown targets.
Selection of different shutdown causes.
Generation of the SW-C description file needed for the generation of the RTE.
Service Port: EcuM_ShutdownTarget
Service Port: EcuM_BootTarget
Consistency hash checking according to AUTOSAR specification
Post-build configuration of the EcuM
Support of MultiCore ECUs
Run / Post_Run Request Protocol
Mode Port: EcuM_CurrentMode
Table 3-1   Supported AUTOSAR EcuM common features
2015, Vector Informatik GmbH
Version: 5.00.00
17 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
The following EcuM flex features specified in [1] are supported:
Supported AUTOSAR EcuM flex Features
Configuration of different reset modes.
Service Port: EcuM_AlarmClock
Defensive Behavior to check the valid call of EcuM_GoDown
Alarm clock to provide an absolute time and handling of time triggered wake-ups.
Table 3-2   Supported AUTOSAR EcuM flex features

The following EcuM fixed features specified in [7] are supported:
Supported AUTOSAR EcuM fixed Features
Full initialization of the Stack via configurable DriverInitLists
Fixed state machine to control the ECU states
Allow communication via ComM_CommunicationAllowed when entering the ECUM_STATE_RUN
Handle NvM_WriteAll() and NvM_CancelWriteAll()
Start and stop of the RTE
Table 3-3   Supported AUTOSAR EcuM fixed features
The following features are provided beyond the AUTOSAR standard:
Features Provided Beyond The AUTOSAR Standard
Adding of additional initialization code by the configuration tool
Wake-up Events are buffered until the BswM and the ComM are initialized
Support of asynchronous transceiver handling (Introduced API EcuM_StartCheckWakeup +
EcuM_EndCheckWakeup)
Providing an additional API EcuM_ClearValidatedWakeupEvent() to clear only validated, but not
pending wake-up events
Providing an additional API EcuM_GoToSelectedShutdownTarget() to decide EcuM internal if
EcuM_GoPoll(), EcuM_GoHalt() or EcuM_GoDown() has to be called, depending on the selected
shutdown target [EcuM flex only]
Configuration of the Core ID on which the BSW is initialized
Table 3-4   Features provided beyond the AUTOSAR standard
2015, Vector Informatik GmbH
Version: 5.00.00
18 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.2
States of EcuM flex
These states indicate the current internal EcuM Operation State.
Module State
Activities
Point in Time
ECUM_STATE_STARTUP
Initializes the drivers out of  Entered during EcuM_Init().
the EcuM_DriverInitZero
list.
ECUM_STATE_STARTUP_ONE
Initializes the drivers out of  Entered during EcuM_Init().
the EcuM_DriverInitOne
list.
Reset reason translation,
setting of the default
shutdown target and at the
end start the operating
system.
ECUM_STATE_STARTUP_TWO
Initializes the BswM and
Entered during
the SchM.
EcuM_StartupTwo().
Former buffered Wake-up
Events are notified to the
BswM.
ECUM_STATE_APP_RUN
After initializing the
Entered during
necessary BSW, the EcuM  EcuM_StartupTwo(),
is in the Run state.
EcuM_GoSleep(), EcuM_GoPoll()
or during the MainFunction.
ECUM_STATE_GO_SLEEP
Prepares the ECU for the
Entered during EcuM_GoSleep().
upcoming sleep phase.
ECUM_STATE_SLEEP
Handles the sleep.
Entered during EcuM_GoHalt() or
EcuM_GoPoll().
ECUM_STATE_GO_OFF_ONE
Prepares the ECU for the
Entered during EcuM_GoDown().
upcoming Off phase.
The SchM and the BswM
are deinitialized in this
phase and the
EcuM_OnGoOffOne()
Callout is invoked.
Finally the operating
system will be shut down.
ECUM_STATE_GO_OFF_TWO
The configured shutdown
Entered during
target is called by the
EcuM_Shutdown().
EcuM.
ECUM_STATE_WAKEUP_ONE
The hardware is

reinitialized after a former
sleep mode.
ECUM_STATE_WAKEUP_VALIDATION
Waits for the validation of
After a wake-up event has
an occurred wake up.
occurred that needs validation.
Table 3-5   States of the EcuM
2015, Vector Informatik GmbH
Version: 5.00.00
19 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.3
States of EcuM fixed
These states indicate the current internal EcuM Operation State which can be retrieved via
the API 5.4.1 EcuM_GetState.
All the states,  except ECUM_STATE_STARTUP and ECUM_STATE_ERROR are notified
to the BswM. In some state transitions an RTE mode switch will be performed.
Module State
Activities
RTE Mode
ECUM_STATE_STARTUP
Initializes the drivers via the
ECUM_RTE_STARTUP
DriverInitLists.
(initial mode)
Reset reason translation, setting
of the default shutdown target
and at the end start the
operating system.
Initializes the BswM, the SchM
and the RTE.
Former buffered Wake-up
Events are notified to the BswM.
ECUM_STATE_APP_RUN
EcuM stays in this state while
ECUM_RTE_RUN
there are active Run Requests,
the EcuM Self Run Request
timeout has not expired or
ComM Channels are in
communication.
ECUM_STATE_APP_POST_RUN
Post Run Requests keep the
ECUM_RTE_POST_RUN
EcuM in this state.
ECUM_STATE_PREP_SHUTDOWN
Shutdown the DEM and transit
ECUM_RTE_POST_RUN
directly to
ECUM_STATE_GO_SLEEP or
ECUM_STATE_GO_OFF_ONE
ECUM_STATE_GO_SLEEP
EcuM triggers the
ECUM_RTE_SLEEP
NvM_WriteAll() job.
EcuM remains in this state until
the NvM calls
EcuM_CB_NfyNvMJobEnd() or
the occurrence of a wake up
event cancels the sleep
process. In case of a wake up
event, NvM_CancelWriteAll() is
called.
ECUM_STATE_SLEEP
Handles the sleep and a wake
ECUM_RTE_SLEEP
up from sleep.
ECUM_STATE_GO_OFF_ONE
Stops the RTE and triggers
ECUM_RTE_SHUTDOWN
NvM_WriteAll().
EcuM remains in this state until
the NvM call
EcuM_CB_NfyNvMJobEnd().
ECUM_STATE_WAKEUP_VALIDATION
Waits for the validation of an
ECUM_RTE_SLEEP
occurred wake up.
ECUM_STATE_WAKEUP_REACTION
Wait for completion of a
ECUM_RTE_SLEEP
potential NvM_CancelWriteAll().
2015, Vector Informatik GmbH
Version: 5.00.00
20 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
Module State
Activities
RTE Mode
ECUM_STATE_WAKEUP_WAKESLEEP -
ECUM_RTE_WAKE_SLEEP
ECUM_STATE_ERROR
The EcuM_ErrorHook is called
-
in this state.
This state is only reached if the
ShutdownOS() or
EcuM_AL_SwitchOff returns to
the EcuM.
Table 3-6 States of the EcuM
2015, Vector Informatik GmbH
Version: 5.00.00
21 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.4
The State Diagram of the EcuM flex
The following figure shows the EcuM state diagram with all state transitions, the
corresponding conditions and actions:
stm EcuPhases
EcuM_Init
called
STARTUP
EntryPoint
ECUM_STATE_STARTUP_ONE (EcuM_Init)
notes
Perform the actions in the StartPreOS Sequence:
- Set Interrupts
- DriverInitZero (init Block0)
- Determine PbConfiguration (return a pointer to the config struct
that contain post-build config data from EcuM and all other BSWs)
- Check consistency of the configuration data
- DriverInitOne (init Block1)
- Get Mcu reset reason
- Select default shutdown target
- Start OS
SLEEP
EcuM_StartupTwo() is called by
[Shutdown Target == ECUM_STATE_RESET]
OS or by a task
/Action: EcuM_AL_Reset
EntryPoint
ECUM_STATE_STARTUP_TWO (EcuM_StartupTw o)
ECUM_STATE_GO_SLEEP
(EcuM_EnterSleep)
notes
A shutdown target must
Perform the actions in the StartPostOS Sequence:
be set by the BswM or
another SW-C before
notes
- Init BSW Scheduler
WakeUP Event
GoHalt or GoPoll is
EcuM prepares the Hardware for going to
- Init BSW Mode Manager
called.
sleep and setting the WakeUp sources.
- Notify the BswM about Wakeups during Startup
(from Features)
[call Mcu_Setmode(GoHalt)]
ECUM_STATE_SLEEP
Final
BSW Scheduler started
Poll
Halt
& BswM_Init called
UP
notes
notes
EcuM checks for pending wakeups
No more code is executed.
cyclically by calling
[No WakeUp
[No WakeUp
EcuM_CheckWakeup().
Before halting the MCU, EcuM must
occured]
occured]
Auxiliary EcuM_SleepActivity() must
invoke GenerateRamHash and call
be called for e.g. updating the alarm
CheckRamHash before leaving halt.
ECUM_STATE_RUN (EcuM_EnterSleep,
clock.
On Multicore: Only check the master
EcuM_MainFunction,
core.
EcuM_StartupTw o)
[GoHalt() or GoPoll() is invoked by
BswM]
notes
Tasks in the UP Phase:
[ValidatedWakeups = True]
- WakeUp Validation
/
[call EcuM_WakeupRestart]
ECUM_STATE_WAKEUP_ONE
(EcuM_WakeupRestart)
(from Features)
EcuM_GoOff
[ValidatedWakeups = False]
ECUM_STATE_WAKEUP_VALIDATION
(EcuM_EnterSleep)
[GoHalt() or GoPoll()]
If in ECUM_STATE_WAKEUP_VALIDATION
SHUTDOWN
no wakeup will be validated, the BswM can
set the EcuM back to sleep by calling GoHalt
() or GoPoll().
EntryPoint
Final
ECUM_STATE_GO_OFF_ONE (EcuM_GoDow n)
notes
Activities in the OffPreOS Phase:
(from Features)
If a wakeup event
- De-Init BSW Mode Manager
occurs the Shutdown
- De-Init BSW Scheduler
sequence shall be
- Check for pending wakeup events
completed and restart
- Set RESET as shutdown target, if wakeup events are pending
immediately thereafter.
- Shutdown OS
EcuM_Shutdown
ECUM_STATE_GO_OFF_TWO
Final
[Shutdown Target == ECUM_STATE_OFF]
/EcuM_AL_SwitchOff
Off

Figure 3-1 The state diagram of the EcuM flex
2015, Vector Informatik GmbH
Version: 5.00.00
22 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.5
The State Diagram of the EcuM with fixed state machine
The  following  figure  shows  the  EcuM  state  diagram  with  all  state  transitions  and  the
corresponding RTE modes:
stm EcuMFixedStateMachine_Ov erv iew
from Startup
Code
STARTUP
ECUM_STATE_ INIT
notes
Init Sequence I:
EcuM_AL_SetProgrammableInterrupts() [type:callout]
EcuM_AL_DriverInitZero [type:callout]
EcuM_DeterminePbConfiguration [type:callout]
EcuM_AL_DriverInitOne [type:callout] e.g. Dem_Init
Retrieve reset reason from MCU module and map it to an wakeup source
Start OS
Interrupts are
available now!
ECUM_STATE_STARTUP
notes
Init Sequence II:
Init BSW Scheduler (SchM_Init)
Init BswM (BswM_Init)
EcuM_AL_DriverInitTwo  [type:callout]
EcuM_OnRTEStartup  [type:callout]
Start Rte
EcuM_AL_DriverInitThree [type:callout]
Init finished and Rte has sent its feedback
[NO - "normal" startup]
[YES - wakeup by wakeup source with integrated power control]
Wakeup validation necessary
/EcuM_OnEnterRun [type: callout]
/RTE notification about SLEEP
to switch into RUN mode?
ComM_CommunicationAllowed(TRUE)
SLEEP Mode
RUN Mode
enter RUN mode
enter SLEEP mode
[wakeup event
pending]
[valid wakeup event && Rte has sent its
feedback && NvM_WriteAll is canceled]
/Dem_Init
ECUM_STATE_ APP_RUN
ECUM_STATE_ WAKEUP_REACTION
EcuM_OnEnterRun [type: callout]
ECUM_STATE_
BswM_EcuM_CurrentState
[wakeup event not pending]
WAKEUP_VALIDATION
(ECUM_STATE_APP_RUN)
/BswM_EcuM_CurrentState
notes
ComM_CommunicationAllowed(TRUE)
(ECUM_STATE_WAKEUP_REACTION)
Decrease the EcuM SelfRequest Timeout.
EcuM_OnWakeupReaction [type: callout]
EcuM remains in RUN state for minimum duration of SelfRequestTimeout.
Consider wakeup validation for communication channels.
[All RUN requests released && SelfRequestTimeout reached &&
[wakeup event occured]
Rte has sent its feedback && ComM channels are not in state
/BswM_EcuM_CurrentState(ECUM_STATE_WAKEUP_VALIDATION)
COMM_NO_COM_PENDING_REQUEST]
EcuM_OnWakeupReaction()
/Clear all Wakeup Events
BswM_EcuM_CurrentState/(ECUM_STATE_APP_POST_RUN)
EcuM_OnExitRun [type: callout]
leave RUN mode
ComM_CommunicationAllowed(FALSE)
POST_RUN Mode
ECUM_STATE_SLEEP
enter POST_RUN mode
[no pending or valid wakeup
[wakeup reaction is
occured]
SLEEP]
ECUM_STATE_APP_POST_RUN
WAKE_SLEEP Mode
enter WAKE_SLEEP mode
[wakeup event occured && Rte
ECUM_STATE_WAKE_SLEEP
has sent its feedback]
[NvM finished its write job && no valid wakeup
[(RUN state requested || EcuM has valid
/NvM_CancelWriteAll
existent && Rte has sent its feedback]
wakeup || ComM channel is pending) && Rte
[All POST_RUN requests released &&
EcuM_AL_DriverRestart [type:
/BswM_EcuM_CurrentState(ECUM_STATE_SLEEP)
has sent its feedback]
Rte has sent its feedback]
callout]
/EcuM_OnEnterRun [type:callout]
/EcuM_OnExitPostRun [type: callout]
EcuM_EnableCommunication(TRUE) [type:
callout]
[Rte has sent its feedback ]
ECUM_STATE_
switch back into
[wait for NvM AND
PREP_SHUTDOWN
RUN mode
asynchron wakeup
events]
/Rte notification about SLEEP
EcuM_OnGoSleep [Type: callout]
ECUM_STATE_ GO_SLEEP
Dem_Shutdown
NvM_WriteAll (when coming from PREP_SHUTDOWN)
leave POST_RUN mode
shutdown
target?
[shutdown target is SLEEP]
[shutdown target is not SLEEP]
enter SLEEP
SHUTDOWN Mode
mode
enter SHUTDOWN mode
/Rte notification about SHUTDOWN
EcuM_OnGoOffOne [Type: callout]
Dem_Shutdown
NvM_WriteAll
ECUM_STATE_ GO_OFF_ONE
notes
BswM notification about ECUM_STATE_ GO_OFF
Rte_Stop
SchM_DeInit
BswM_DeInit
ShutdownOS
[Execution of ShutdownOS() successful]
/EcuM_OnGoOffTwo [Type: callout]
Rte_Stop()
[NvM_WriteAll finished &&
SchM_DeInit()
Rte has sent its feedback]
BswM_DeInit()
ShutdownOS()
ECUM_STATE_
GO_OFF_TWO
leave
SHUTDOWN
Mode

Figure 3-2 State Diagram of the EcuM with fixed state machine
2015, Vector Informatik GmbH
Version: 5.00.00
23 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.6
Initialization
The initialization of the EcuM is split into two parts: one part is the initialization before the
OS is up and running and the second part must be executed when the OS is started.
3.6.1
EcuM_Init
The first part will be performed by the function EcuM_Init() (refer to chapter 5.2.2). This
function executes the DriverInitLists “EcuMDriverInitListZero” and “EcuMDriverInitListOne”
where the basic driver initialization should be performed. EcuM_Init() starts the AUTOSAR
OS by calling the function StartOS() (refer to chapter 5.2.3).

3.6.2
EcuM_StartupTwo
The second part of the initialization sequence will be executed by the EcuM API
EcuM_StartupTwo(). The integrator must ensure that this function is called once right after
the start of the OS.

3.6.2.1
EcuM_StartupTwo in case of EcuM flex
When EcuM_StartupTwo() is left, the EcuM flex is in Run state and passes the control of
the ECU to the BswM.

Caution
At the end of the EcuM_StartupTwo the EcuM is fully initialized. That does not mean
  that the whole stack is initialized, it means only that the EcuM has passed the control
over to the BswM. Further initialization is done by the BswM.

3.6.2.2
EcuM_StartupTwo in case of EcuM fixed
In  case  of  EcuM  fixed,  in  EcuM_StartupTwo()  the  DriverInitLists  “EcuMDriverInitListTwo”
and “EcuMDriverInitListThree” can be used to initialize the whole stack.

Caution
At the end of the EcuM_StartupTwo the EcuM fixed transits to
  ECUM_STATE_APP_RUN in case of a validated wake up, e.g. set by the MCU Reset
Reason (refer to chapter 3.9.5).
If this wake up was cleared (in EcuMDriverInitListTwo), the EcuM transits to
ECUM_STATE_WAKEUP_VALIDATION and performs a wake up validation if any wake
up source is pending.

3.6.3
Initialization Order
Depending on which modules are needed for starting the operating system the initialization
lists can look different.
2015, Vector Informatik GmbH
Version: 5.00.00
24 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
In the following an example initialization order is given. Init Block 0 corresponds to the
EcuM_AL_DriverInitZero() (refer to chapter 5.7.2.6) and Init Block 1 corresponds to
EcuM_AL_DriverInitOne() (refer to chapter 5.7.2.7).
Initialization Group
Init Block0
Det_Init()
Dem_PreInit(ConfigPointer)
Init Block1
Mcu_Init(ConfigPointer)
Gpt_Init(ConfigPointer)
Wdg_Init()
WdgM_Init()
Adc_Init(ConfigPointer)
Icu_Init(ConfigPointer)
Pwm_Init(ConfigPointer)
Table 3-7   Initialization Order
3.6.4
Additional Code in the Initialization Callouts
If the user needs more than the initialization routines offered by the AUTOSAR modules,
the configuration tool offers the facility to add own Code to the DriverInitLists. To use this
feature the user has to choose “Code” instead of a MSN, then the code can be added to a
special field.
The user code is added to the Init Block 0 or Init Block 1 as configured by the user.

Example
In this example the routine Mcu_InitClock() is added to the DriverInitListOne:

>  Open the Initialization dialogue
>  Go to the configuration of DriverInitListOne in the Pre-OS Init Sequence
>  Add an InitItem to the list and choose a name like “McuInitClock”
>  Choose “Code” in the field Type
>
In the field “Code” you can insert: “Mcu_InitClock();”
>  Reorder the position of the InitItem

2015, Vector Informatik GmbH
Version: 5.00.00
25 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.6.5
Inclusion of Additional Header Files
If the user needs additional headers for using in the EcuM_Callout_Stubs.c file, the EcuM
offers the possibility of adding them by the configuration tool.

Note
All header files of the modules that are initialized in the DriverInitLists must be
 included into the additional header files because they are not included
automatically.

3.6.6
Configuration Set Selection
The AUTOSAR compatible mechanism to select the configuration set which should be
used for module initialization considers the following aspects:
> Most of the AUTOSAR modules provide a configuration reference to the provided
configuration sets
> Some modules are initialized without a configuration pointer (Init-function signature
<MSN>_Init(void))
> Some modules have an Init-function signature with configuration pointer but make
no use of it, therefore, they need to be initialized with a NULL_PTR.

The user must decide which routines use a configuration pointer. For these routines the
configuration reference must be configured.
> Module uses a configuration pointer for its initialization:
- Select in the DriverInitList a MSN via the field Type (e.g. Dem)
- Select the corresponding Service (e.g. Dem_PreInit)
- Configure the corresponding Configuration Pointer for that MSN (e.g.
DemConfigSet)
- Result: The EcuM generates “Dem_PreInit(&DemConfigSet)”
> Module has a void Init-function signature
- Select in the DriverInitList a MSN via the field Type (e.g. Det)
- Select the corresponding Service (e.g. Det_Init)
- Do not configure the corresponding Configuration Pointer for this MSN
- Result: The EcuM generates: “Det_Init()”

2015, Vector Informatik GmbH
Version: 5.00.00
26 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex

Caution
If a module initialization routine requires a configuration set as parameter, the
  corresponding reference to the module must be configured.
This is also necessary if the initialization routine does not use the parameter. The
reference must be configured, otherwise the parameter list will be generated empty.

3.7
Initialization of a MultiCore ECU
The  initialization  of  a  MultiCore  Ecu  is  described  in  chapter  3.15.1  Initialization  of  a
MultiCore ECU.
3.8
Shutdown Targets
The  EcuM  provides  the  possibility  to  select  a  shutdown  target  that  is  used  for  the  next
shutdown,
initiated  by  calling
EcuM_GoDown()
(refer  to
chapter
5.3.5),
EcuM_GoPoll()(refer to chapter 5.3.4) or EcuM_GoHalt()(refer to chapter 5.3.3).
The following three different targets can be selected by a SWC or a BSW module:
>  ECUM_STATE_SLEEP
>  ECUM_STATE_RESET
>  ECUM_STATE_OFF

Note
The two targets ECUM_STATE_SLEEP and ECUM_STATE_RESET have an
  additional mode parameter, which is used to identify the configuration for the
Sleep mode or to identify the reason for an upcoming reset of the ECU.

3.8.1
Using the API EcuM_SelectShutdownTarget()
The API EcuM_SelectShutdownTarget()(refer to chapter 5.2.5) can only be used when the
EcuM is in the state ECUM_STATE_RUN. In the startup phase or during the sleep phase it
is not allowed to change the shutdown target.
3.8.2
Default Shutdown Target
A Default shutdown target must be set during the configuration. This is the first target that
is selected as shutdown target after a startup. During runtime the shutdown target can be
changed by another BSW or SWC via the API EcuM_SelectShutdownTarget().
3.8.3
Reset Modes
The reset modes can be used to identify the reason for an upcoming ECU reset. A set of
reset modes is defined by the AUTOSAR standard. Additional modes can be added by the
configuration.
2015, Vector Informatik GmbH
Version: 5.00.00
27 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
The reset mode is passed over to the Callout EcuM_AL_Reset(EcuM_ResetType) and the
user can implement different ways to reset the ECU, depending on the reason for this
reset.

The Vector extension ECUM_RESET_WAKEUP is used as the reset mode in the case of a
late wake-up event in the shutdown phase. If a wake-up occurs during the shutdown
procedure, the shutdown target is changed by the EcuM to ECUM_STATE_RESET and
the described mode is used.

Note
The following reset mode is defined by Vector as an extension to the standard
  AUTOSAR modes:
  ECUM_RESET_WAKEUP

Caution
Reset Modes are only available if EcuM flex is used.

3.8.4
Sleep Modes
A  sleep  mode  holds  the  information  about  the  configured  sleep  modes  and  the
corresponding relevant settings. The following items can be set for a sleep mode:
>  Reference to a configured MCU mode that is executed for that sleep mode.
>  Active Wake-up Sources during this sleep mode.
3.9
Wake-up Sources
The EcuM flex offers the possibility to configure wake-up sources for all modules that have
the functionality to wake up the ECU. The EcuM handles the Wake-up Validation Protocol
for these sources as described in 3.10.1 Wake-up Validation Protocol.
The Wake-up  Sources  have  several  configurable  attributes  as described in  the following
section.
3.9.1
Validation Timeout
For every source, except for the standard sources 0 – 4, a validation timeout timer can be
configured.  This  timer  specifies  the  time  (in  seconds)  until  the  wake-up  source  must  be
validated by calling EcuM_ValidateWakeupEvent().
If the wake-up event is not validated during that time the EcuM sets this event to “expired”
and reports it to the BswM.
2015, Vector Informatik GmbH
Version: 5.00.00
28 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex

Note
The following standard wake-up sources are pre-configured and do not need the wake-
  up validation protocol:
>  ECUM_WKSOURCE_POWER
>  ECUM_WKSOURCE_RESET
>  ECUM_WKSOURCE_INTERNAL_RESET
>  ECUM_WKSOURCE_INTERNAL_WDG
>  ECUM_WKSOURCE_EXTERNAL_WDG

3.9.2
Check-Wakeup Validation Timeout
For  every  source,  except  for  the  standard  sources  0  –  4,  a  check  wake-up  validation
timeout timer can be configured. This timer specifies the time (in seconds) until the wake-
up source must be set by calling EcuM_SetWakeupEvent().
This timer can be used for e.g. asynchronous transceiver drivers, which cannot check the
wake-up source in the context of EcuM_CheckWakeup.

3.9.3
ComM Channel Reference
If the configured Wake-up Source is a ComM Channel, the reference to the corresponding
channel can be configured by the parameter EcuMComMChannelRef.
If this reference is configured and a validated wake-up event occurred, the EcuM calls the
function ComM_EcuM_WakeupIndication() and reports it to the ComM.

Note
Only Wake-up Sources which represent a ComM Channel can lead to a wake up in the
  state ECUM_STATE_RUN. Other Wake-up Sources are ignored during this state.

3.9.4
Polling of Wake-up Sources
If a Wake-up Source needs to be polled to detect wake-up events this parameter must be
set. In that case, the sleep can be entered by calling EcuM_GoPoll() and the EcuM polls
all Wake-up Sources that are active during that Sleep mode and the polling parameter is
set.
3.9.5
MCU Reset Reason
The EcuM calls the routine Mcu_GetResetReason() to acquire the reason for the recent
reset. The EcuM iterates over all configured Wake-up Sources and checks if the
configured Reset Reason of one Wake-up Source matches to the return value of the MCU.
2015, Vector Informatik GmbH
Version: 5.00.00
29 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
If a reset reason is found, the EcuM maps this MCU reset reason to an EcuM Wake-up
Source and reports the event to the BswM. The regular wake-up validation is done by the
EcuM in case it is required by the source.

Note
If the reset reason translation is not successful and no reset reason can be determined,
  the EcuM reports to the BswM the default reset reason ECUM_WKSOURCE_RESET.

3.10  Main Functions
3.10.1  Wake-up Validation Protocol
The wake-up validation protocol provides a standardized way to recognize valid controller
wake ups after a sleep phase.
For  all  user  configured  wake-up  sources  the  parameter  “Validation  Timeout”  is
configurable.  If  the  parameter  is  set  to  a  value  which  is  not  0,  the  wake-up  validation
protocol is active for that source.
2015, Vector Informatik GmbH
Version: 5.00.00
30 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex

Example
In the following example the whole wake-up validation procedure can be seen. A wake-
up event occurs for the ComMChannel CanIf and needs validation. The validation is
processed and the wake-up event is notified to the BswM and to the ComM.
sd WakeupValidation
Module
Module
CanIf
Interrupt Source
«EmbeddedInterface»
«EmbeddedInterface»
Integration Code
ComM
BswM
EcuM
(EcuM_Callout_Stubs)
Interrupt()
EcuM_CheckWakeup(EcuM_WakeupSourceType)
CanIf_CheckWakeup(EcuM_WakeupSourceType)
EcuM_SetWakeupEvent(EcuM_WakeupSourceType)
BswM_EcuM_CurrentWakeup(EcuM_WakeupSourceType, EcuM_WakeupStatusType ECUM_WKSOURCE_PENDING)
EcuM_StartWakeupSources(EcuM_WakeupSourceType)
loop WHILE w akeup ev ent has not been v alidated
EcuM_CheckValidation(EcuM_WakeupSourceType)
CanIf_CheckValidation(EcuM_WakupSourceType)
opt w akeup ev ent is v alidated
EcuM_ValidateWakeupEvent(EcuM_WakeupSourceType)
BswM_EcuM_CurrentWakeup(EcuM_WakeupSourceType, EcuM_WakeupStatusType ECUM_WKSOURCE_VALIDATED)
ComM_EcuM_WakeUpIndication(NetworkHandleType)
EcuM_StopWakeupSources(EcuM_WakeupSourceType)

Figure 3-3 Example Wake-up Validation

2015, Vector Informatik GmbH
Version: 5.00.00
31 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.10.2  Wake-up Validation Protocol for asynchronous Can transceiver
For  all  user  configured  wake-up  sources  the  parameter  “Check  Validation  Timeout”  is
configurable. If the parameter is set to a value which is not 0, the check wake-up validation
protocol is active for that source.
For  these  sources  the  call  of  EcuM_SetWakeupEvent  must  not  occur  in  the  context  of
EcuM_CheckWakeup.

Example
In the following example parts of the wake-up validation procedure can be seen for an
  asynchronous Can transceiver.
sd WakeupValidation
Module
Module
CanIf
Icu
CanTrcv
Interrupt Source (CanTrcv
«EmbeddedInterface»
Integration Code
Hardware
BswM
EcuM
(EcuM_Callout_Stubs)
Interrupt()
EcuM_CheckWakeup(WAKEUP_SOURCE_CAN)
EcuM_StartCheckWakeup(WAKEUP_SOURCE_CAN)
WAKEUP_SOURCE_CAN, ECUM_WKSTATUS_CHECKWAKEUP(source, state)
start CheckWakeupTimer()
CanIf_CheckWakeup(WAKEUP_SOURCE_CAN)
CanTrcv_CB_WakeupByBus()
Program flow continues, if Ecu was in a sleep mode the wake-up procedure
is performed. If the Ecu was in Run mode, the Run mode continues as
before.
As soon as the transceiver gets a response via SPI about a valid wake-up
event, the CanTrcv calls EcuM_SetWakeupEvent in the positive case.
alt Wait for Wakeup Indication by Transceiv er
[positive Wakeup Indication]
EcuM_SetWakeupEvent(EcuM_WakeupSourceType)
BswM_EcuM_CurrentWakeup(WAKEUP_SOURCE_CAN,
ECUM_WKSTATUS_VALIDATED)
[negative Wakeup Indication]
EcuM_EndCheckWakeup(EcuM_WakeupSourceType)
BswM_EcuM_CurrentWakeup(WAKEUP_SOURCE_CAN, ECUM_WKSTATUS_EXPIRED)
[Timeout]
CheckWakeupTimerExpired()
BswM_EcuM_CurrentWakeup(WAKEUP_SOURCE_CAN, ECUM_WKSTATUS_EXPIRED)

Figure 3-4  Example Wake-up Validation for asynchronous Can Transceivers
2015, Vector Informatik GmbH
Version: 5.00.00
32 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.11  Error Handling
3.11.1  Development Error Reporting
Development  errors  are  reported  to  the  DET  using  the  service  Det_ReportError()  as
specified
in
[2],
if
development
error
reporting
is
enabled
(ECUM_DEV_ERROR_DETECT==STD_ON).
The reported EcuM ID is 10.
The  reported  service  IDs  identify  the  services  which  are  described  in  5.2.  The  following
table presents the service IDs and the related services:
Service ID
Service
0x00
EcuM_GetVersionInfo()
0x01
EcuM_Init()
0x02
EcuM_Shutdown()
0x03
EcuM_RequestRun()
0x04
EcuM_ReleaseRun()
0x05
EcuM_KillAllRUNRequests()
0x06
EcuM_SelectShutdownTarget()
0x07
EcuM_GetState()
0x08
EcuM_GetLastShutdownTarget()
0x09
EcuM_GetShutdownTarget()
0x0A
EcuM_RequestPOST_RUN()
0x0B
EcuM_ReleasePOST_RUN()
0x0C
EcuM_SetWakeupEvent()
0x0D
EcuM_GetPendingWakeupEvents()
0x12
EcuM_SelectBootTarget()
0x13
EcuM_GetBootTarget()
0x14
EcuM_ValidateWakeupEvent()
0x15
EcuM_GetValidatedWakeupEvents()
0x16
EcuM_ClearWakeupEvent()
0x18
EcuM_MainFunction()
0x19
EcuM_GetExpiredWakeupEvents()
0x1A
EcuM_StartupTwo()
0x1B
EcuM_SelectShutdownCause()
0x1C
EcuM_GetShutdownCause()
0x1D
EcuM_GetMostRecentShutdown()[not supported in this release]
0x1E
EcuM_GetNextRecentShutdown()[not supported in this release]
0x1F
EcuM_GoDown()
0x20
EcuM_GoHalt()
0x21
EcuM_GoPoll()
0x22
EcuM_SetRelWakeupAlarm()
2015, Vector Informatik GmbH
Version: 5.00.00
33 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
Service ID
Service
0x23
EcuM_SetAbsWakeupAlarm()
0x24
EcuM_AbortWakeupAlarm()
0x25
EcuM_GetCurrentTime()
0x26
EcuM_GetWakeupTime()
0x27
EcuM_SetClock()
0x28
EcuM_StartCheckWakeup()
0x29
EcuM_EndCheckWakeup()
0x30
EcuM_ClearValidatedWakeupEvent()
0x2A
EcuM_KillAllPostRUNRequests()
0x2B
EcuM_SetState()
0x65
EcuM_CB_NfyNvMJobEnd()
Table 3-8   Service IDs
The errors reported to DET are described in the following table:
Error Code
Description
0x10
ECUM_E_UNINIT
A service was called prior to initialization.
0x11
ECUM_E_SERVICE_DISABLE
Error code defined by AUTOSAR SWS (not used in this
D
implementation).
0x12
ECUM_E_NULL_POINTER
A null pointer was passed as an argument.
0x13
ECUM_E_INVALID_PAR
A parameter was invalid (not specified)
0x14
ECUM_E_MULTIPLE_RUN_RE EcuM_RequestRUN or EcuM_ RequestPOST_RUN was
QUESTS
called two times by the same user without release.
0x15
ECUM_E_MISMATCHED_RUN EcuM_ReleaseRUN or EcuM_ ReleasePOST_RUN was
_RELEASE
called by a user without a previous request.
0x16
ECUM_E_STATE_PAR_OUT_
API service EcuM_SelectShutdownTarget() called with
OF_RANGE
parameter not in expected range
0x17
ECUM_E_UNKNOWN_
Wake-up source ID is not known by ECU State Manager
WAKEUP_SOURCE
0x20
ECUM_E_MODULE_NOT_IN_
EcuM_StartupTwo() is called and the EcuM is not in state
STARTUP
EcuM_Startup_One which is entered in EcuM_Init().
0x21
ECUM_E_MODULE_NOT_IN_
EcuM_Shutdown() was invoked without calling
PREPSHUTDOWN
EcuM_GoDown().
0x22
ECUM_E_MODULE_NOT_IN_
This error will be reported if the callout EcuM_AL_SwitchOff()
RUN_STATE
does not switch off the ECU.
0x23
ECUM_E_NO_SLEEPMODE_C This error will be reported if EcuM_GoPoll() or
ONFIGURED
EcuM_GoHalt() is called and no SleepMode is configured.
0x24
ECUM_E_INVALID_STATERE
A state which was requested is invalid, perhaps because a
QUEST
former request is not finished yet.
Table 3-9   Errors reported to DET

2015, Vector Informatik GmbH
Version: 5.00.00
34 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.11.2  Production Code Error Reporting
By  default,  production  code  related  errors  are  reported  to  the  DEM  using  the  service
Dem_ReportErrorStatus() as specified in [3], if production error reporting is enabled
(In  the  case  that  a  reference  to  a  Dem  event  parameter  is  configured  in
EcuMDemEventParameterRefs).
If  another  module  is  used  for  production  code  error  reporting,  the  function  prototype  for
reporting the error can be configured by the integrator, but must have the same signature
as the service Dem_ReportErrorStatus().
The errors reported to DEM are described in the following table:
Error Code
Description
ECUM_E_RAM_CHECK_FAILED
The RAM check during wake-up failed.
ECUM_E_CONFIGURATION_DATA_INCONSISTENT
Post build configuration data is inconsistent.
ECUM_E_IMPROPER_CALLER
Defensive behavior checks have detected
improper use of the module.
ECUM_E_ALL_RUN_REQUESTS_KILLED
The API EcuM_KillAllRUNRequests() was
called.
Table 3-10   Errors reported to DEM

Caution
Only ECUM_E_IMPROPER_CALLER and ECUM_E_ALL_RUN_REQUESTS_KILLED
  are passed to the Dem directly out of the static code. In the other cases
EcuM_ErrorHook (see 3.11.3) is called and the integrator has to decide what happens
in the case of these errors.

3.11.3  EcuM_ErrorHook
The  EcuM  has  an  own  ErrorHook  which  offers  the  integrator  the  possibility  to  react  on
occurring errors during runtime.
Error Code
Description
ECUM_E_HOOK_RAM_CHECK_FAILED
If the Ram check has failed after a sleep
phase, the ErrorHook is called with this
parameter.
ECUM_E_HOOK_CONFIGURATION_DATA_INCONSISTENT  If the consistency check of pre-compile
and link-time parameters in variant post-
build has failed, the ErrorHook is called
with this parameter.
ECUM_E_HOOK_WRONG_ECUM_USAGE
If the call of ShutdownOS returns to the
EcuM.
ShutdownOS has to call
EcuM_Shutdown() to perform a
2015, Vector Informatik GmbH
Version: 5.00.00
35 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
Error Code
Description
shutdown.
ECUM_E_HOOK_INVALID_COREID
The OS returned an invalid CoreID via
the API GetCoreID().
Table 3-11   Description of EcuM internal Error Codes
The  integrator  has  to  implement  the  behavior  of  the  EcuM  in  this  situation.  The  EcuM
reports the error not by default to the Dem. If this is desired, the integrator has to call the
Dem.

3.12  Callout Execution Sequences
This chapter  describes the execution order of callouts and important functions. This may
be useful while integrating the software stack.

Caution
The execution sequences are not relevant for EcuM fixed.

3.12.1  Callouts from Startup to Run
STARTUP – RUN
Execution in EcuM_Init()
  EcuM_AL_SetProgrammableInterrupts()
  EcuM_AL_DriverInitZero()
  EcuM_AL_DriverInitOne()
  Mcu_GetResetReason()
  EcuM_SetWakeupEvent(ResetReason)
  StartOS(ECUM_DEFAULTAPPMODE)
Execution in EcuM_StartupTwo()
  SchM_Init()
  BswM_Init(NULL_PTR / CfgPtr_BswM)
  If Wake-up Events have occurred before BswM_Init:
  BswM_EcuM_CurrentWakeup(WakeupSource, ECUM_WKSTATUS_VALIDATED)
Table 3-12   Callouts from Startup to Run
2015, Vector Informatik GmbH
Version: 5.00.00
36 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.12.2  Callouts from Run to Sleep (Halt) and back to Run
Run – Sleep (Halt) – Run
Selection of the ShutdownTarget must be done before the transition to sleep e.g. by the BswM
  EcuM_SelectShutdownTarget(ECUM_STATE_SLEEP, resetSleepMode)
All validated wake-up events must be cleared, e.g. by the BswM
  EcuM_ClearValidatedWakeupEvent(ECUM_WKSOURCE_ALL_SOURCES)
GoHalt must be called e.g. by the BswM
  EcuM_GoHalt()
Execution in EcuM_GoHalt()
  BswM_EcuM_CurrentWakeup(wakeupSource, ECUM_WKSTATUS_NONE)
  EcuM_EnableWakeupSources(wakeupSource)
  GetResource(ECUM_OS_RESOURCE)
  DisableAllInterrupts()
  EcuM_GenerateRamHash()
  Mcu_SetMode(ECUM_SLEEPMODELIST[ECUM_CURRENTSLEEPMODE].mcuMode)
  EnableAllInterrupts()
  EcuM_CheckRamHash()
  If CheckRamHash has failed
  EcuM_ErrorHook(ECUM_E_HOOK_RAM_CHECK_FAILED)

DisableAllInterrupts()

Mcu_SetMode(ECUM_NORMALMCUMODEREF)

EnableAllInterrupts()

EcuM_DisableWakeupSources(EcuM_PendingWakeups |
EcuM_ValidatedWakeups))

BswM_EcuM_CurrentWakeup(EcuM_PendingWakeups |
EcuM_ValidatedWakeups),  ECUM_WKSTATUS_DISABLED)

EcuM_Al_DriverRestart()

ReleaseResource(ECUM_OS_RESOURCE)

Table 3-13   Callouts from Run to Sleep (Halt) and back to Run
2015, Vector Informatik GmbH
Version: 5.00.00
37 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.12.3  Callouts from Run to Reset
Run – Reset
Selection of the ShutdownTarget must be done before the transition to Off e.g. by the BswM
  EcuM_SelectShutdownTarget(ECUM_STATE_RESET, resetMode)
GoDown must be called e.g. by the BswM
  EcuM_GoDown()
Execution in EcuM_GoDown()
  EcuM_OnGoOffOne()
  BswM_Deinit()
  SchM_Deinit()
  ShutdownOS(E_OK)
Shutdown must be called from the ShutdownHook
  EcuM_Shutdown()
Execution in EcuM_Shutdown()
  EcuM_OnGoOffTwo()
  EcuM_AL_Reset( EcuM_CurrentShutdownMode )
Table 3-14   Callouts from Run to Reset
3.12.4  Callouts from Run to Off
Run – Reset
Selection of the ShutdownTarget must be done before the transition to Off e.g. by the BswM
  EcuM_SelectShutdownTarget(ECUM_STATE_Off, 0)
All validated wake-up events must be cleared, e.g. by the BswM
  EcuM_ClearValidatedWakeupEvent(ECUM_WKSOURCE_ALL_SOURCES)
GoDown must be called e.g. by the BswM
  EcuM_GoDown()
Execution in EcuM_GoDown()
  EcuM_OnGoOffOne()
  BswM_Deinit()
  SchM_Deinit()
>  If a wake-up event has occurred, the Shutdown Target will be changed to
ECUM_STATE_RESET and the reset mode will be ECUM_RESET_WAKEUP
  ShutdownOS(E_OK)
Shutdown must be called from the ShutdownHook
  EcuM_Shutdown()
Execution in EcuM_Shutdown()
  EcuM_OnGoOffTwo()
  EcuM_AL_SwitchOff()
Table 3-15   Callouts from Run to Off
2015, Vector Informatik GmbH
Version: 5.00.00
38 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.13 EcuM Flex Users and Defensive Behavior
The EcuM offers the facility to configure flex Users to identify the caller of the routine
EcuM_GoDown. The calling module has to use its Module ID as specified by AUTOSAR in
[4].

Note
To use this feature, the switch EcuMEnableDefBehaviour must be active.

2015, Vector Informatik GmbH
Version: 5.00.00
39 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.14  Alarm Clock
The EcuM flex offers the possibility to configure a clock which provides the absolute time
since the last  power-on reset  of  the ECU. This clock  can be used to  retrieve the current
system  time  via  the  API  EcuM_GetCurrentTime  and  to  wake  up  the  ECU  from  sleep
phases.

In sleep phases the ECU will be woken up by the Gpt every second, depending if the Gpt
supports this. If the wake up by the Gpt is the only wakeup event, the EcuM will increment
the system clock and falls back to sleep again. If a wake up alarm has expired, the EcuM
will call EcuM_SetWakeupEvent() to indicate a valid wake up of the ECU.

Note
To use this feature, the switch EcuMAlarmClockPresent must be active.

3.14.1  Configuring the Gpt to provide the Time base
To support the Alarm Clock, a Gpt channel must be configured in a way which leads to an
interrupt every second. For a correct behavior of the Alarm Clock, even in sleep phases,
the channel must be configured as followed:

Gpt Channel Parameter
Value
GptChannelMode
GPT_CH_MODE_CONTINUOUS
GptEnableWakeup
True
GptNotification
EcuM_AlarmCheckWakeup
GptWakeupSourceRef
Choose here the same Wakeup Source as configured for
EcuM parameter EcuMAlarmWakeupSource
Table 3-16   Gpt Channel Configuration

Caution
The implementation of the EcuM alarm clock requires that the Gpt provides a time base
  of exactly one second. If this is not supported by Gpt, the EcuM does not perform a
correction of the time base.

3.14.2  Configuring the EcuM for using the Alarm Clock
For  setting  a  wake  up  alarm  during  the  runtime  of  the ECU,  an  EcuMAlarmClock  with  a
reference to an EcuMFlexUserConfig must be configured.

2015, Vector Informatik GmbH
Version: 5.00.00
40 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
The  Gpt  channel  configured  in  3.14.1  must  be  referenced  by  the  EcuM  parameter
EcuMGptChannelRef.

3.14.3  Setting of the EcuM Clock
The API  EcuM_SetClock  is  offered  to  allow  configuring  an  EcuMFlexUser  to  modify  the
system  time  during  runtime.  This  user  must  be  set  as  reference  in  the  configuration
parameter EcuMSetClockAllowedUserRef.
Only if this reference is configured, the usage of the API EcuM_SetClock is allowed for this
user.
3.14.4  Setting of a Time Triggered Wake Up Alarm
Via the APIs EcuM_SetRelWakeupAlarm and EcuM_SetAbsWakeupAlarm the configured
EcuMFlexUsers  can  set  wake  up  alarms  during  the  runtime  of  the  ECU.  This  wake  up
alarm will be active during the next sleep phase.
The wake up alarm can be cancelled by the user during runtime of the ECU via the API
EcuM_AbortWakeupAlarm.

Note
One single EcuMFlexUser can only set one single wake up alarm.

Caution
All wake up alarms are cleared if the ECU wakes up from a sleep phase, even if the
  reason for this wake up was not time triggered. The wake up alarms must be rearmed
before the next sleep phase is entered.

2015, Vector Informatik GmbH
Version: 5.00.00
41 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.15  MultiCore Ecu
The  EcuM  offers  the  possibility  to  handle  multi  core  ECUs.  The  handling  of  the
initialization,  sleep  and  shutdown  differs  to  a  single  core  ECU  and  is  described  in  the
following.
3.15.1  Initialization of a MultiCore ECU
3.15.1.1  Initialization on the Master Core
After  power-on  of  the  ECU,  the  master  core  starts  running  and  EcuM_Init()  should  be
called in the startup code. At the end of EcuM_Init() the callout EcuM_StartOS() is called.
In the callout EcuM_StartOS() all other slave cores are started via the OS API StartCore().

Example
In the following example the startup sequence of the master core for a ECU with 4
  cores can be seen:
sd MasterCore Initialization
Module
Module
Startup Code
Module
Module
Module
Integration Code
EcuM
Os
SchM
BswM
(EcuM_Callout_Stubs)
InitTask
EcuM_Init()
PreOS
initialization
sequence of
EcuM()
EcuM_StartOS(AppModeType)
StartCore(CoreID1, &Status)
StartCore(CoreID2, &Status)
StartCore(CoreID3, &Status)
StartOS(appMode)
ActivateTask()
EcuM_StartupTwo()
SchM_Init()
BswM_Init(const BswM_ConfigType *)

Figure 3-5  Startup Sequence on a Master Core

Note
The callout EcuM_StartOS() is filled by the configuration tool per default. In some
  cases it might be necessary to adapt this callout.

2015, Vector Informatik GmbH
Version: 5.00.00
42 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.15.1.2  Initialization on the Slave Core
After  the  slave  core  has  been  started  by  the  master  core,  it  also  starts  running  with  the
startup code. EcuM_Init() is called from the startup code, but on the slave core only driver
initialization and a call to StartOS() is performed via the callout EcuM_StartOS().

Example
In the following example the startup sequence of a slave core for a ECU with 4 cores
  can be seen:
sd Slav eCore Initialization
Module
Module
Startup Code
Module
Module
Integration Code
EcuM
Os
SchM
(EcuM_Callout_Stubs)
InitTask
EcuM_Init()
EcuM_AL_DriverInitZero()
EcuM_AL_DriverInitOne()
EcuM_StartOS(AppModeType)
StartOS(appMode)
ActivateTask()
EcuM_StartupTwo()
SchM_Init()

Figure 3-6  Startup Sequence on a Slave Core

Caution
On the slave core a call to EcuM_StartupTwo() is only necessary if the initialization of
  the SchM should be done by the EcuM.
The BswM is currently not initialized on a slave core in this release!

3.15.1.2.1  Driver initialization on the Slave Core
The  callouts  EcuM_AL_DriverInitZero()  and  EcuM_AL_DriverInitOne()  are  also  called  on
slave cores, but the generated code is only executed on the master core.

2015, Vector Informatik GmbH
Version: 5.00.00
43 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
On which core the driver initialization is called, is determined via the OS API GetCoreID(),
as it can be seen in the code example below.
A slave core specific handling has to be implemented by the user.

Example
/*********************************************************************
 * EcuM_AL_DriverInitZero
*********************************************************************/
FUNC(void, ECUM_CODE) EcuM_AL_DriverInitZero(void)
{
 if(GetCoreID() == ECUM_CORE_ID_MASTER)
 {
 MasterCore_Init();
 }

/*********************************************************************
* DO NOT CHANGE THIS COMMENT! <USERBLOCK EcuM_AL_DriverInitZero>
DO NOT CHANGE THIS COMMENT!
*********************************************************************/
 /* Add implementation of EcuM_AL_DriverInitZero() */

 return;
/*********************************************************************
* DO NOT CHANGE THIS COMMENT! </USERBLOCK> DO NOT CHANGE THIS
COMMENT!
*********************************************************************/
}

3.15.2 Sleep handling of slave cores
The EcuM flex supports two different ways to set the ECU to sleep, with and without
synchronization of all cores. Which handling is used depends on the boolean parameter
EcuMSlaveCoreHandling
EcuMSlaveCoreHandling
Behavior
False
The Master Core does not care about slave cores during the
sleep mode. Depending on the used hardware, it might
happen that the Master Core has switched already to sleep
and the slave cores are still running.
True
The Master Core waits on the way to sleep (initiated via
EcuM_GoHalt() / EcuM_GoPoll() ) till all slave cores has
already switched to sleep. During wait for the slave cores,
the callout EcuM_WaitForSlaveCores is called cyclically till
all cores have switched their state to sleep. The callout can
be used to set the slaves to sleep.
Table 3-17 Sleep handling on Slave Cores
2015, Vector Informatik GmbH
Version: 5.00.00
44 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.15.3  Blocking of the BSW Scheduler during Sleep
If only one BSW scheduler is used on the master core, it is sufficient to configure only one
OsResource which is blocked during the sleep mode.
If  there  is  more  than  one  BSW  scheduler  running  on  several  cores,  it  is  necessary  to
configure an OsResource for every core. The configuration tool assigns automatically the
configured OsResource to the corresponding core.
3.15.4  Shutdown of the MultiCore ECU
It is necessary to call EcuM_GoDown() on all cores which have a running SchM to assure
a regular de-initialization of the SchM.
Finally after EcuM_GoDown() was called for all these slave cores, the API can be called
on the master core. This leads via the callout EcuM_ShutdownOS to a call of the OS API
ShutdownAllCores(). This API synchronizes all cores and stops the slaves.

Note
If the SchM is only running on the master core it is sufficient to call EcuM_GoDown() on
  the master core only.

3.15.5  Reconfiguration of the BSW Core ID
The EcuM supports the configuration of the BSW Core Id. Per default the master Core Id
is mapped to the OS define OS_CORE_ID_MASTER (Id 0).

If the BSW shall run on another Core, the Id has to be configured via the configuration tool.

2015, Vector Informatik GmbH
Version: 5.00.00
45 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.16  Mode Handling for EcuM Flex
3.16.1  Mode Handling
The  BswM  can  set  a  specific  EcuM  state  (via  EcuM_SetState)  which  is  mapped  to  the
corresponding mode and an Rte mode switch will be initiated by the EcuM. The mapping
of states to modes can be seen in Table 3-18.
After the mode switch is initiated, the EcuM polls the Rte in each MainFunction cycle if the
mode  switch  is  executed  successfully.  After  the  Rte  has  acknowledged  the  successful
mode switch execution, the EcuM will notify the BswM about the finished mode switch.
EcuM State
EcuM Mode
ECUM_STATE_STARTUP
RTE_MODE_EcuM_Mode_STARTUP
ECUM_STATE_SLEEP
RTE_MODE_EcuM_Mode_SHUTDOWN
or
RTE_MODE_EcuM_Mode_SLEEP
ECUM_STATE_APP_RUN
RTE_MODE_EcuM_Mode_RUN
ECUM_STATE_APP_POST_RUN
RTE_MODE_EcuM_Mode_POST_RUN
ECUM_STATE_SHUTDOWN
RTE_MODE_EcuM_Mode_SHUTDOWN
or
RTE_MODE_EcuM_Mode_SLEEP
Table 3-18   Mapping of States to Modes

Note
In case of a requested state ECUM_STATE_SHUTDOWN or ECUM_STATE_SLEEP,
  the corresponding mode depends on the currently configured shutdown target.

2015, Vector Informatik GmbH
Version: 5.00.00
46 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.16.2  Run Request Protocol
The run request protocol is a mechanism for applications or Software Components (SW-C)
to  request  RUN  state  explicitly  via  EcuM_RequestRUN.  The  EcuM  notifies  the  BswM
about  an active application request. If the application has nothing to do anymore  it  must
release the previous requested RUN state. If no other SW-C has requested RUN state the
ECU State Manger will notify the BswM that no application request is active anymore.
If SW-C needs special preparation for one of the shutdown states (SLEEP, OFF, RESET)
the  SW-C  must  request  POST  RUN  state.  This  is  the  same  mechanism  like  requesting
RUN state. So, the POST RUN state has to be released after the job of the application is
finished. It is very important for SW-C’s which needs POST RUN state activities to request
the POST RUN state before releasing the RUN request. Otherwise it is possible that the
application doesn't get the chance to execute its POST RUN activities, depending on the
BswM configuration.
To request RUN or POST RUN state each SW-C must be a configured user of the ECU
State  Manager.  Therefore  it  is  necessary  to  define  one  user  for  each  SW-C  to  place
requests.
2015, Vector Informatik GmbH
Version: 5.00.00
47 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.17 Generated Template Files
A generated template file in this document is a file which:
> is generated by the generation tool at every generation process
> the user can modify this template for his needs
> the changes made by the user will not be overwritten at the next generation process

In order not to overwrite the changes made by the user, the template file contains special
comments. The user must insert his code between the two comments which delimit the
user block. The comments have the following format:

/***************************************************************************************************************************************
* DO NOT CHANGE THIS COMMENT! <USERBLOCK FUNCTIONNAME> DO NOT CHANGE THIS COMMENT!
***************************************************************************************************************************************/

/****************************************************************************************************************************************
* DO NOT CHANGE THIS COMMENT! </USERBLOCK> DO NOT CHANGE THIS COMMENT!
****************************************************************************************************************************************/

Caution
Do not modify or delete these comments.

3.18 Wake-up Event Handling and Wake-up Validation
The handling of Wake-up Sources and Wake-up Validation has to be configured and
implemented specifically for every ECU. The following list provides a short overview which
callouts are affected:
 EcuM_EnableWakeupSources(), (refer to Ch. 5.7.2.17)
 EcuM_DisableWakeupSources(), (refer to Ch. 5.7.2.18)
 EcuM_CheckWakeup(), (refer to Ch. 5.7.2.21)
 EcuM_StartWakeupSources(), (refer to Ch. 5.7.2.19)
 EcuM_StopWakeupSources(), (refer to Ch. 5.7.2.20)

The integration task is to fill these callouts with code which fulfill the ECU specific
requirements. The following paragraphs illustrate two example use cases:
 Wake-up after a physical sleep mode
 Wake-up validation of communication channels (EcuM in Run state)

3.18.1 Wake-up after a Physical Sleep Mode
3.18.1.1 Use Case Description
A raising edge on an ICU channel shall bring the ECUM into RUN state. A wake-up source
“ECUM_WKSOURCE_ICU_CH0” is configured for that. The name of the configured ICU
channel is Icu_Channel0.
2015, Vector Informatik GmbH
Version: 5.00.00
48 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
No  wake-up  validation shall be performed on that  wake-up  event. This  wake-up event  is
the only active wake-up event for the desired sleep mode.
3.18.1.2  Execution Flow
>  EcuM is in ECUM_STATE_RUN
>  BswM calls EcuM_GoHalt()
  Callout EcuM_EnableWakeupSources() is executed.
  EcuM transits to sleep, Mcu_SetMode() is called
>  External event triggers ICU hardware to raise an interrupt
>  Callout EcuM_CheckWakeup() is executed by ISR
>  API function EcuM_SetWakeupEvent() is executed
> EcuM executes implicitly EcuM_ValidateWakeupEvent() because wake-up event is
instantly valid
>  EcuM transits from ECUM_STATE_SLEEP to ECUM_STATE_WAKEUP_ONE
>  EcuM transits from ECUM_STATE_WAKEUP_TWO to ECUM_STATE_ RUN
  Callout EcuM_DisableWakeupSources() is executed
3.18.1.3  Callout Implementation Examples
FUNC(void, ECUM_CODE) EcuM_EnableWakeupSources(EcuM_WakeupSourceType
wakeupSource)
{
  /* Check for each configured wake-up source the corresponding bit
   * is set. Here the bit for the ICU wake-up source must be set
  */
  if ((wakeupSource & ECUM_WKSOURCE_ICU_CH0) != 0)
  {
    Icu_EnableNotification(Icu_Channel0);
    Icu_EnableWakeup(Icu_Channel0);
    Icu_SetMode(ICU_MODE_SLEEP);
  }
  /* … */
}

FUNC(void, ECUM_CODE) EcuM_CheckWakeup(EcuM_WakeupSourceType wakeupSource)
{
  if ((wakeupSource & ECUM_WKSOURCE_ICU_CH0) != 0)
  {
    /* no validation necessary, so call EcuM_SetWakeupEvent() */

    EcuM_SetWakeupEvent(ECUM_WKSOURCE_ICU_CH0);
  }
  /* … */
}

FUNC(void, ECUM_CODE) EcuM_DisableWakeupSources(EcuM_WakeupSourceType
wakeupSource)
{
  if ((wakeupSource & ECUM_WKSOURCE_ICU_CH0) != 0)
  {
    Icu_DisableNotification(Icu_Channel0);
    Icu_DisableWakeup(Icu_Channel0);
    Icu_SetMode(ICU_MODE_NORMAL);
  }
}
2015, Vector Informatik GmbH
Version: 5.00.00
49 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex

3.18.2  Wake-up Validation of Communication Channels (ECUM in RUN State)
3.18.2.1  Use Case Description
A  wake-up  capable  CAN  hardware  is  assumed. A  message  on  a  CAN  channel  shall  be
recognized and set the CAN channel into normal operation mode (which will be triggered
by ComM). A wake-up source ECUM_WKSOURCE_CAN0 is configured for that. Wake-up
Validation shall be performed for that channel.
3.18.2.2  Execution Flow
>  ECUM is in RUN state, the CAN channel is in sleep state and is able to detect wake-up
events
>  Callout EcuM_CheckWakeup() is executed by ISR
>  API EcuM_SetWakeupEvent() is executed, EcuM starts wake-up validation timeout
>  EcuM_MainFunction() triggered by SCHM
  (a) ECUM detects a pending wake-up event and executes callout
EcuM_StartWakeupSources()
  (b) ECUM executes callout EcuM_CheckValidation()
  Note: step (b) may be executed several times, with each EcuM_MainFunction()
call until the wake-up event is validated or expired, but
EcuM_StartWakeupSources() is executed only once.
>  Case Validation successful:
  API EcuM_ValidateWakeupEvent() is executed, within this routine
ComM_WakeUpIndication() is called
  EcuM_MainFunction() triggered by SCHM
  ECUM stops validation timeout
>  Case Validation failed:
  ECUM executes callout EcuM_StopWakeupSources()
  The pending wake-up changes to an expired wake-up source
2015, Vector Informatik GmbH
Version: 5.00.00
50 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.18.2.3  Callout Implementation Examples
3.18.2.3.1  EcuM_CheckWakeup
FUNC(void, ECUM_CODE) EcuM_CheckWakeup(EcuM_WakeupSourceType wakeupSource)
{
if((wakeupSource & ECUM_WKSOURCE_CAN0) != 0)
{
CanIf_CheckWakeup(ECUM_WKSOURCE_CAN0);
}
}

3.18.2.3.2  EcuM_CheckValidation
FUNC(void, ECUM_CODE) EcuM_CheckValidation(EcuM_WakeupSourceType wakeupSource)
{
if ((wakeupSource & ECUM_WKSOURCE_CAN0) != 0)
{
/* Query the driver if the wake-up event was valid */
CanIf_CheckValidation(ECUM_WKSOURCE_CAN0);
}
}

3.18.2.3.3  EcuM_StartWakeupSources and EcuM_StopWakeupSources in the case
of a MICROSAR CanSM
If the used CanSM module is a MICROSAR module, the following implementation can be
used.

FUNC(void, ECUM_CODE) EcuM_StartWakeupSources(EcuM_WakeupSourceType
wakeupSource)
{
  if ((wakeupSource & ECUM_WKSOURCE_CAN0) != 0)
  { /* CanSM needs the corresponding Network Handle */
  if (CanSM_StartWakeupSources(0x00) == E_NOT_OK)
  {
  /* place ECU depended error handling here */
  }
  }
}

void EcuM_StopWakeupSources(EcuM_WakeupSourceType wakeupSource)
{
  if ((wakeupSource & ECUM_WKSOURCE_CAN0) != 0)
  { /* CanSM needs the corresponding Network Handle */
  if (CanSM_StopWakeupSources(0x00, wakeupSource) == E_NOT_OK)
  {
  /* place ECU depended error handling here */
  }
  }
}

2015, Vector Informatik GmbH
Version: 5.00.00
51 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
3.18.2.3.4  EcuM_StartWakeupSources and EcuM_StopWakeupSources in the case
of a non MICROSAR CanSM
If the used CanSM module is a non MICROSAR module, the following implementation can
be used.

FUNC(void, ECUM_CODE) EcuM_StartWakeupSources(EcuM_WakeupSourceType
wakeupSource)
{
  CanIf_ControllerModeType CanIfCtrlMode;
if ((wakeupSource & ECUM_WKSOURCE_CAN0) != 0)
{
/* determine in which is the current Can Controller state */
(void)CanIf_GetControllerMode(0, &CanIfCtrlMode);
/* in case the Can Controller is not CANIF_CS_STARTED */

if (CANIF_CS_STARTED != CanIfCtrlMode)
{
/* Set the controller and transceiver mode into normal operation mode*/
CanIf_SetTrcvMode(0, CANIF_TRCV_MODE_NORMAL);
CanIf_SetControllerMode(0, CANIF_CS_STOPPED);
CanIf_SetControllerMode(0, CANIF_CS_STARTED);
}
else
{
/* Stack already up and running */
}
}
}

FUNC(void, ECUM_CODE) EcuM_StopWakeupSources(EcuM_WakeupSourceType wakeupSource)
{
if ((wakeupSource & ECUM_WKSOURCE_CAN0) != 0)
{
/* Validation was not successful, set the CAN controller and
* Transceiver back to sleep mode. */
CanIf_SetControllerMode(0, CANIF_CS_STOPPED);
CanIf_SetControllerMode(0, CANIF_CS_SLEEP);
CanIf_SetTrcvMode(0, CANIF_TRCV_MODE_STANDBY);
}
}

2015, Vector Informatik GmbH
Version: 5.00.00
52 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
4  Integration
This chapter gives necessary information for the integration of the MICROSAR EcuM into
an application environment of an ECU.
4.1
Scope of Delivery
The delivery of the EcuM contains the files which are described in the chapters 4.1.1 and
4.1.2:
4.1.1
Static Files
File Name
Source
Object
Description
Code
Code
Delivery  Delivery
EcuM.c
This is the source file of the EcuM. It contains the


implementation of the EcuM interfaces.
EcuM.h
This is the header file of the EcuM. It declares the


interfaces of the MIRCROSAR module EcuM.
EcuM_Cbk.h
Contains the prototypes of the provided callbacks and


callout functions.
Table 4-1   Static files

Do not edit manually
The static files listed above must not be edited by the user!

4.1.2
Dynamic Files
The dynamic files are generated by the configuration tool.
File Name
Description
EcuM_Cfg.h
Contains the configuration of the EcuM.
EcuM_Cfg.c
Contains the generated configuration data of the EcuM
EcuM_PrivateCfg.h
Contains configuration data which is only relevant for the EcuM
implementation. This file must be only included by the EcuM
implementation files.
EcuM_Generated_Types.h  Contains all provided types of the EcuM.
EcuM_PBcfg.c
Contains the post-build configuration of the EcuM.
EcuM_Callout_Stubs.c
Template for the callout code which has to be filled by the integrator.
EcuM_Init_PBcfg.c
This file contains configuration pointers to post-build modules.
EcuM_Init_PBcfg.h
This file contains the definition of the global post-build struct.
EcuM_Init_Cfg.c
This file contains configuration pointers to variant modules.
EcuM_Init_Cfg.h
This file contains the definition of the variant modules struct.
2015, Vector Informatik GmbH
Version: 5.00.00
53 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
File Name
Description
EcuM_Error.h
This file provides an BSW Error function for post-build-loadable
Table 4-2   Generated files

4.2
Critical Sections
The EcuM calls the following function when entering a critical section:
> void  SchM_Enter_EcuM_ECUM_EXCLUSIVE_AREA_0(void)
>  When the critical section is left the following function is called by the EcuM:
> void SchM_Exit_EcuM_ECUM_EXCLUSIVE_AREA_0(void)
Critical Section Define
Interrupt Lock
ECUM_EXCLUSIVE_AREA_0
No interrupt by any wake-up interrupt is
allowed. These interrupts must be locked in
this exclusive area.
ECUM_EXCLUSIVE_AREA_1
If it cannot be assured that a 32bit variable
is written atomically, this exclusive area
must be configured as a spin lock to
protect access on global state variables.

Note
The configuration of this exclusive
  area is only necessary in the case
of a multi core ECU

ECUM_EXCLUSIVE_AREA_2
No task switch and no interrupt from the
Gpt is allowed in this exclusive area to
protect the global system time.

Note
The configuration of this exclusive
  area is only necessary if the
feature Alarm Clock is enabled

Table 4-3   Critical Sections

2015, Vector Informatik GmbH
Version: 5.00.00
54 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
4.3
Include Structure
class include Structure
Std_Types.h
EcuM_Generated_Types.h
NvM.h
EcuM_Cfg.h
«include»
«include»
«include
in case of
Rte_EcuM_Type.h
EcuM
«include»
fixed»
«include»
EcuM_Error.h
«include»
EcuM_Cbk.h
EcuM_PBcfg.c
«include»
ComM.h
«include»
«include»
EcuM_Cfg.c
EcuM_Init_PBcfg.c
EcuM.h
Rte_Main.h
«include»«include»
«include»
ComM_EcuMBswM.h
EcuM_Init_Cfg.h
«include»
EcuM_Init_PBcfg.h
«include»
«include»
«include»
«include»
«include»
SchM_EcuM.h
«include»
«include»
«include»
EcuM_Init_Cfg.c
EcuM_PrivateCfg.h
EcuM_Callout_Stubs.c
«include»
BswM.h
«include»
«include» «include» «include» «include» «include»
«include»
Dem.h
Mcu.h
Os.h
Det.h
EcuM.c
BswM_EcuM.h
«include»

Figure 4-1 Include structure
2015, Vector Informatik GmbH
Version: 5.00.00
55 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
4.4
Dependencies on other BSW Modules
4.4.1
BswM
The  EcuM  module  depends  on  the  BswM.  The  EcuM  performs  the  initialization  of  the
BswM during EcuM_StartupTwo().
The  states  of  all  wake-up  sources  are  reported  to  the  BswM  in  the  case  of  a  changing
wake-up source.
The usage of the BswM cannot be switched off.
4.4.1.1
BswM and EcuM fixed
The EcuM reports all state changes described in 3.6.2.1 to the BswM.
4.4.2
AUTOSAR OS
The EcuM module depends on the AUTOSAR OS. It starts and performs the shutdown of
the OS.
The EcuM needs a valid reference within the EcuC file to a configured OS application
mode. Additionally an OsResource must be configured to block other tasks during a sleep
mode.
The usage of the OS cannot be switched off.
4.4.3
MCU
The EcuM module depends on a MCU. The MCU mode settings are used to enter power
saving  modes  in  the  phases  ECUM_STATE_SLEEP  and  ECUM_STATE_OFF,  it  is  also
used  to restore the normal  MCU  mode. Every  sleep mode  must have configured a MCU
mode which will be entered in that sleep mode.
After a reset, the MCU is called to get the reason for the current reset.
The usage of the MCU cannot be switched off.
4.4.4
DEM
The EcuM depends on the DEM. The EcuM supports the pre-initialization of the DEM and
if the production errors for the EcuM are configured as active, the EcuM reports some
Errors to the DEM. Refer to chapter 3.11.2 for more information.
The usage of the DEM can be switched off.
4.4.5
DET
The EcuM depends on the DET. The EcuM performs the initialization and reports
development errors for diagnostic purposes. Refer to chapter 3.11.1 for more information.
The usage of the DET can be switched off.
4.4.6
ComM
This module depends on the ComM. The EcuM manages the validation of communication
channels.  In  the  case  of  a  validated  wake-up  event  from  a  communication  channel,  the
EcuM reports this event to the ComM.
4.4.6.1
ComM and EcuM fixed
In
the
transition
to
ECUM_STATE_APP_RUN,
the
EcuM
calls
ComM_CommunicationAllowed() for all configured communication channels.
In  ECUM_STATE_APP_RUN,  the  ComM  API  ComM_GetState()  is  called  for  every
communication channel in EcuM_MainFunction.
2015, Vector Informatik GmbH
Version: 5.00.00
56 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
If  ComM_GetState()  returns  COMM_NO_COM_NO_PENDING_REQUEST  for  all
channels, the EcuM can leave the ECUM_STATE_APP_RUN.
4.4.7
SchM
The  EcuM  module  depends  on  the  SchM.  The  EcuM  performs  the  initialization  of  the
SchM during EcuM_StartupTwo().
The usage of the SchM cannot be switched off.
4.4.8
Gpt
In  the  case  that  the Alarm  Clock  is  enabled,  the  EcuM  depends  on  the  Gpt.  The  EcuM
initialize the Gpt (has to be done in EcuM_AL_DriverInitOne) and starts the corresponding
timer during EcuM_StartupTwo(). On the way to sleep, the mode of the Gpt is switched to
sleep and the normal mode is recovered after a wake-up from sleep.
4.4.9
NvM
The  EcuM  handles  the  call  of  NvM_WriteAll()  and  NvM_CancelWriteAll().  Both  calls  are
protected with a configurable timeout to guarantee a shutdown of the ECU even in case of
a defect NvM.

Caution
Dependency to the NvM exists only in case of EcuM fixed.

2015, Vector Informatik GmbH
Version: 5.00.00
57 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5  API Description
5.1
Type Definitions
The types defined by the EcuM are described in this chapter.
Type Name
C-Type
Description
Value Range
EcuM_StateType
uint8
Encodes all states and  ECUM_SUBSTATE_MASK
sub states provided by  Get the current state by AND
the ECU State
gating the state with this mask. All
Manager.
states are delivered including
substates.
ECUM_STATE_STARTUP
STARTUP super state
ECUM_STATE_STARTUP_ONE
Initialization of drivers which don’t
need OS support.
ECUM_STATE_STARTUP_TWO
Initialization of drivers which need
OS support.
ECUM_STATE_WAKEUP
WAKE-UP super state
Not used in this EcuM flex
Implementation!
ECUM_STATE_WAKEUP_ONE
Reinitializing of drivers for normal
operation.
ECUM_STATE_WAKEUP_VALIDATIO
N
Waits for validation of a wake-up
event
ECUM_STATE_WAKEUP_REACTION
Computes the appropriate wake-up
reaction
Not used in this EcuM flex
Implementation!
ECUM_STATE_WAKEUP_TWO
Prepares the ECU for RUN state
Not used in this EcuM flex
Implementation!
ECUM_STATE_WAKEUP_WAKESLE
EP
A short system phase where the
ECU transit from a wake-up directly
to sleep again.
Not used in this EcuM flex
Implementation!
2015, Vector Informatik GmbH
Version: 5.00.00
58 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
Type Name
C-Type
Description
Value Range
ECUM_STATE_WAKEUP_TTII
Performs the TTII protocol
Not used in this EcuM flex
Implementation!
ECUM_STATE_RUN
Normal ECU operation super state
ECUM_STATE_APP_RUN
ECU is in normal operation state
Not used in this EcuM flex
Implementation!
ECUM_STATE_APP_POST_RUN
ECU performs POST RUN
activities
Not used in this EcuM flex
Implementation!
ECUM_STATE_SHUTDOWN
Shutdown super state
ECUM_STATE_PREP_SHUTDOWN
Prepares the ECU for the following
shutdown sequence.
Not used in this EcuM flex
Implementation!
ECUM_STATE_GO_SLEEP
Activation of the wake-up sources
ECUM_STATE_GO_OFF_ONE
Shutdown of system services
ECUM_STATE_GO_OFF_TWO
Performs a RESET or switches off
the ECU
ECUM_STATE_SLEEP
ECU is in sleep state (this
information cannot be retrieved)
ECUM_STATE_OFF
ECU is without power supply (this
information cannot be retrieved)
EcuM_WakeupSource uint32
Each bit in this type
ECUM_WKSOURCE_POWER
Type
identifies a wake-up
Identifies a power on reset (bit 0)
source.
ECUM_WKSOURCE_RESET
Identifies a hardware reset (bit 1)
ECUM_WKSOURCE_INTERNAL_RE
SET
Identifies resets which only reset
the core of the microcontroller but
not the peripherals. This source
also indicates unhandled
2015, Vector Informatik GmbH
Version: 5.00.00
59 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
Type Name
C-Type
Description
Value Range
exceptions (bit 2)
ECUM_WKSOURCE_INTERNAL_WD
G
Identifies a reset by internal
watchdog (bit 3)
ECUM_WKSOURCE_EXTERNAL_W
DG
Identifies a reset by external
watchdog (bit 4). (This is only
possible if the hardware supports
this feature)
ECUM_WKSOURCE_ALL_SOURCES
Identifies each wake-up source
ECUM_WKSOURCE_NONE
Value 0. This is a MICROSAR
ECUM extension and identifies an
invalid wake-up source.
ECUM_WKSOURCE_<NAME>
Can be extended by configuration
EcuM_UserType
uint8
ID of the Users which
0..255
are able to request
The Range depends on the
RUN state. Each user
number of configured users
must have a unique ID.
EcuM_WakeupStateTy uint8
The type describes
ECUM_WKSTATUS_NONE
pe
possible results of the
The wake-up source is Disabled
WAKE-UP
ECUM_WKSTATUS_PENDING
VALIDATION state.
The wake-up event was detected
but not yet validated
ECUM_WKSTATUS_VALIDATED
The wake-up event is valid
ECUM_WKSTATUS_EXPIRED
The wake-up event has not been
validated and has already expired.
ECUM_WKSTATUS_ENABLED
The wake-up source is enabled
(armed) and is ready for detecting
wake-up events.
ECUM_WKSTATUS_CHECKWAKEUP
Asynchronous wake-up event is
detected but SetWakeupEvent has
not been called yet.
EcuM_BootTargetType uint8
Defines the boot target ECUM_BOOT_TARGET_APP
which should be
Boot into application mode
chosen in the next start ECUM_BOOT_TARGET_BOOTLOAD
up.
ER
Boot into boot loader mode
2015, Vector Informatik GmbH
Version: 5.00.00
60 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
Type Name
C-Type
Description
Value Range
EcuM_ResetType
uint8
This type describes
ECUM_RESET_MCU
the reset
Microcontroller reset via
mechanisms
Mcu_PerformReset
supported by the
ECUM_RESET_WDG
ECU State Manager. Watchdog reset via

WdgM_PerformReset
It can be extended by ECUM_RESET_IO
configuration.
Reset by toggling an I/O line
ECUM_RESET_WAKEUP
Reset in the case of a wake-up
event during shutdown
ECUM_RESET_<NAME>
Can be extended by configuration.
EcuM_ShutdownCau uint8
This type describes
ECUM_CAUSE_UNKNOWN
seType
the cause for a
No cause was set.
shutdown
ECUM_CAUSE_ECU_STATE
by the ECU State
ECU state machine entered a
Manager.
state for shutdown

ECUM_CAUSE_WDGM
It can be extended by Watchdog Manager detected a
configuration.
failure
ECUM_CAUSE_DCM
Diagnostic Communication
Manager requests a
shutdown due to a service request
ECUM_CAUSE_<NAME>
Can be extended by configuration.
Table 5-1 Type definitions

2015, Vector Informatik GmbH
Version: 5.00.00
61 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2
Services Provided by EcuM
5.2.1
EcuM_MainFunction
Prototype
void EcuM_MainFunction (void)
Parameter
void
none
Return code
void
none
Functional Description
The service which implements all activities of the ECU state Manager while OS is up and running. In the
MainFunction the wake-up validation is handled. This service must be called on a periodic basis from an
adequate OS task.
  The service also carries out the wake-up validation protocol. The smallest validation timeout
typically should limit the period.
  As a rule of thumb, the period of this service should be in the order of half as long as the shortest
time constant mentioned in the topics above
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
  Called by SchM
Call Context
  Function could be called from task level
Table 5-2   EcuM_MainFunction
2015, Vector Informatik GmbH
Version: 5.00.00
62 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.2
EcuM_Init
Prototype
void EcuM_Init (void)
Parameter
void
none
Return code
void
none
Functional Description
The Init function is called to initiate the startup procedure that takes place before the OS is started.
Additionally in this API all EcuM variables that need initialization are initialized.

Caution
After EcuM_Init() the EcuM is not in the running state, to achieve this state
  EcuM_StartupTwo() has to be called.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
  called by start-up code
Call Context
  Function could be called from interrupt level or from task level
Table 5-3   EcuM_Init
2015, Vector Informatik GmbH
Version: 5.00.00
63 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.3
EcuM_StartupTwo
Prototype
void EcuM_StartupTwo (void)
Parameter
void
none
Return code
void
none
Functional Description
The function implements the startup phase where the OS is already running. EcuM_AL_DriverInitTwo() is
called within this function. This function should be scheduled by a task directly after StartOS() and only be
called once.

Caution
The integrator has to ensure that the EcuM_StartupTwo is not interrupted by any other
  function or task.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-4   EcuM_StartupTwo
2015, Vector Informatik GmbH
Version: 5.00.00
64 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.4
EcuM_Shutdown
Prototype
void EcuM_Shutdown (void)
Parameter
void
none
Return code
void
none
Functional Description
This function performs a reset or switches off the ECU (depending on which shutdown target is currently
chosen).

Note
This function shall be called inside the OS ShutdownHook() routine. The integrator is
  responsible to perform this task.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function should be called from the ShutdownHook of the Os.
Table 5-5   EcuM_Shutdown
2015, Vector Informatik GmbH
Version: 5.00.00
65 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.5
EcuM_SelectShutdownTarget
Prototype
Std_ReturnType EcuM_SelectShutdownTarget
(EcuM_StateType targetState,
uint8 resetSleepMode)
Parameter
targetState
One of these values:
  ECUM_STATE_OFF
  ECUM_STATE_SLEEP
  ECUM_STATE_RESET
resetSleepMode
Depending on the parameter targetState this represents a sleep mode or a
reset mode.
Return code
E_OK
success
E_NOT_OK
error
Functional Description
This service selects a shutdown target in which the shutdown sequence should change
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant. The EcuM must be in RUN state.
  The ECU State Manager does not define any mechanism to resolve issues arising from parallel
requests. It is rather assumed that there will be one application which is ECU specific and handles
these kinds of issues.
Call Context
  Function could be called from interrupt level or from task level
Table 5-6   EcuM_SelectShutdownTarget
2015, Vector Informatik GmbH
Version: 5.00.00
66 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.6
EcuM_GetShutdownTarget
Prototype
Std_ReturnType EcuM_GetShutdownTarget  (EcuM_StateType *target,

uint8 *resetSleepMode)
Parameter
target
One of these values:
  ECUM_STATE_OFF
  ECUM_STATE_SLEEP
  ECUM_STATE_RESET
resetSleepMode
Depending on the parameter target this represents a sleep mode or a reset
mode. If the target is ECUM_STATE_OFF this parameter is 0.
Return code
E_OK
success
E_NOT_OK
error
Functional Description
Returns the actual chosen shutdown target.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-7   EcuM_GetShutdownTarget
2015, Vector Informatik GmbH
Version: 5.00.00
67 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.7
EcuM_GetLastShutdownTarget
Prototype
Std_ReturnType EcuM_GetLastShutdownTarget
(EcuM_StateType *target,

uint8 *resetSleepMode)
Parameter
target
One of these values:
  ECUM_STATE_OFF
  ECUM_STATE_SLEEP
  ECUM_STATE_RESET
resetSleepMode
Depending on the parameter target this represents a sleep mode or a reset
mode. If the target is ECUM_STATE_OFF this parameter is 0.
Return code
E_OK
success
E_NOT_OK
error
Functional Description
This function returns not the current shutdown target but the shutdown target set before the last reset. This
function always shall return the same value until the next shutdown.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-8   EcuM_GetLastShutdownTarget
2015, Vector Informatik GmbH
Version: 5.00.00
68 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.8
EcuM_GetPendingWakeupEvents
Prototype
EcuM_WakeupSourceType EcuM_GetPendingWakeupEvents (void)
Parameter
void
none
Return code
EcuM_WakeupSourceTyp
Every bit set in the return value indicates a wake-up source where the
e
validation is in progress.
Functional Description
Returns wake-up events which have been set but not yet validated.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-9   EcuM_GetPendingWakeupEvents
5.2.9
EcuM_ClearWakeupEvent
Prototype
void EcuM_ClearWakeupEvent (EcuM_WakeupSourceType WakeupSource)
Parameter
WakeupSource
Wake-up event(s) which should be cleared
Return code
void
none
Functional Description
Clears the pending, validated and expired wake-up events which are passed by the parameter.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-10   EcuM_ClearWakeupEvent
2015, Vector Informatik GmbH
Version: 5.00.00
69 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.10  EcuM_ClearValidatedWakeupEvent
Prototype
void EcuM_ClearValidatedWakeupEvent (EcuM_WakeupSourceType WakeupSource)
Parameter
WakeupSource
Wake-up event(s) which should be cleared
Return code
void
none
Functional Description
Clears only the validated wake-up events which are passed by the parameter.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-11   EcuM_ClearValidatedWakeupEvent
2015, Vector Informatik GmbH
Version: 5.00.00
70 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.11  EcuM_GetValidatedWakeupEvents
Prototype
EcuM_WakeupSourceType EcuM_GetValidatedWakeupEvents (void)
Parameter
void
none
Return code
EcuM_WakeupSourceType  ID of the wake-up source which was responsible for the wake-up
Functional Description
This function returns wake-up event which causes the wake-up of the ECU from the previous sleep mode.

Caution
The validated Wake-up Events must be cleared before the EcuM is set to sleep. The
  EcuM does not clear those events by itself.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-12   EcuM_GetValidatedWakeupEvents
2015, Vector Informatik GmbH
Version: 5.00.00
71 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.12  EcuM_GetExpiredWakeupEvents
Prototype
EcuM_WakeupSourceType EcuM_GetExpiredWakeupEvents (void)
Parameter
void
none
Return code
EcuM_WakeupSourceType  ID's of wake-up sources which are expired in the validation process.
Functional Description
Returns all events that have been set and for which validation has failed. Events which do not need
validation must never be reported by this service.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-13   EcuM_GetExpiredWakeupEvents
5.2.13  EcuM_GetBootTarget
Prototype
Std_ReturnType EcuM_GetBootTarget (EcuM_BootTargetType *BootTarget)
Parameter
BootTarget
The current selected BootTarget
Return code
E_OK
success
E_NOT_OK
error
Functional Description
Returns the current selected boot target of the ECU.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-14   EcuM_GetBootTarget
2015, Vector Informatik GmbH
Version: 5.00.00
72 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.14  EcuM_SelectBootTarget
Prototype
Std_ReturnType EcuM_SelectBootTarget (EcuM_BootTargetType BootTarget)
Parameter
BootTarget
The selected BootTarget
Return code
E_OK
success
E_NOT_OK
error
Functional Description
Sets the boot target for the next boot.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-15   EcuM_SelectBootTarget
2015, Vector Informatik GmbH
Version: 5.00.00
73 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.15  EcuM_StartCheckWakeup
Prototype
void EcuM_StartCheckWakeup (EcuM_WakeupSourceType WakeupSource)
Parameter
WakeupSource
ID of the asynchronous wake-up source
Return code
void
none
Functional Description
This function starts the check wakeup timeout mechanism and marks that the wakeup source has an
unapproved CheckWakeup call if applicable on given wakeup source (check wakeup timeout > 0).

Caution
This service shall only be called by EcuM_CheckWakeup(). The call is generated
  automatically if at least one wake-up source has a configured check wakeup timeout.

Particularities and Limitations
  This service is synchronous.
  This service is reentrant for the same WakeupSource.
  This service is always available.
Call Context
  Expected to be called in interrupt context.
Table 5-16   EcuM_StartCheckWakeup
2015, Vector Informatik GmbH
Version: 5.00.00
74 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.16  EcuM_EndCheckWakeup
Prototype
void EcuM_EndCheckWakeup (EcuM_WakeupSourceType WakeupSource)
Parameter
WakeupSource
ID of the asynchronous wake-up source
Return code
void
none
Functional Description
This function stops the check wakeup timeout mechanism and removes the wakeup source from the list of
unapproved CheckWakeup calls.
Particularities and Limitations
  This service is synchronous.
  This service is reentrant for the same WakeupSource.
  This service is always available.
Call Context
  Expected to be called in interrupt context.
Table 5-17   EcuM_EndCheckWakeup
5.2.17  EcuM_GetVersionInfo
Prototype
void EcuM_GetVersionInfo (Std_VersionInfoType *versioninfo)
Parameter
versioninfo
pointer to store the version information
Return code
void
none
Functional Description
Returns the version information of the ECU State Manager.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
  The availability of this service depends on ECUM_VERSION_INFO_API.
Call Context
  Function could be called from task level
Table 5-18   EcuM_GetVersionInfo
2015, Vector Informatik GmbH
Version: 5.00.00
75 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.18  EcuM_RequestRUN
Prototype
Std_ReturnType EcuM_RequestRUN (EcuM_UserType user)
Parameter
user
User ID which requests the RUN state
Return code
E_OK
Request accepted
E_NOT_OK
Request not accepted
Functional Description
Places a RUN request for this user, Users represents normally an application. The tracking of the requests
are specific for each user.

Note
RUN request will be ignored after an API call to EcuM_KillAllRUNRequest().

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from application context.
Table 5-19   EcuM_RequestRUN
2015, Vector Informatik GmbH
Version: 5.00.00
76 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.19  EcuM_ReleaseRUN
Prototype
Std_ReturnType EcuM_ReleaseRUN (EcuM_UserType user)
Parameter
user
User ID which requests the RUN state
Return code
E_OK
Request accepted
E_NOT_OK
Request not accepted
Functional Description
Releases the RUN request previously done with a call to EcuM_RequestRUN().

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from application context.
Table 5-20   EcuM_ReleaseRUN
2015, Vector Informatik GmbH
Version: 5.00.00
77 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.20  EcuM_RequestPOST_RUN
Prototype
Std_ReturnType EcuM_RequestPOST_RUN (EcuM_UserType user)
Parameter
user
User ID which requests the RUN state
Return code
E_OK
Request accepted
E_NOT_OK
Request not accepted
Functional Description
Places a POST_RUN request for this user, Users represents normally an application. The tracking of the
requests are specific for each user.

Note
POST_RUN request will be ignored after an API call to
  EcuM_KillAllPostRUNRequest().

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from application context.
Table 5-21   EcuM_RequestPOST_RUN
2015, Vector Informatik GmbH
Version: 5.00.00
78 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.2.21  EcuM_ReleasePOST_RUN
Prototype
Std_ReturnType EcuM_ReleasePOST_RUN (EcuM_UserType user)
Parameter
user
User ID which requests the RUN state
Return code
E_OK
Request accepted
E_NOT_OK
Request not accepted
Functional Description
Releases the POST_RUN request previously done with a call to EcuM_RequestPOST_RUN().
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from application context.
Table 5-22   EcuM_ReleasePOST_RUN

2015, Vector Informatik GmbH
Version: 5.00.00
79 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3
Services Provided by EcuM flex
In the following the services are described which are only relevant for EcuM flex:
5.3.1
EcuM_SelectShutdownCause
Prototype
Std_ReturnType EcuM_SelectShutdownCause
(EcuM_ShutdownCauseType

shutdownCause)
Parameter
shutdownCause
current shutdown cause
Return code
E_OK
success
E_NOT_OK
error
Functional Description
Selects a new Shutdown cause for an intended shutdown.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-23   EcuM_SelectShutdownCause
2015, Vector Informatik GmbH
Version: 5.00.00
80 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.2
EcuM_GetShutdownCause
Prototype
Std_ReturnType EcuM_GetShutdownCause
(EcuM_ShutdownCauseType

*shutdownCause)
Parameter
shutdownCause
current shutdown cause
Return code
E_OK
success
E_NOT_OK
error
Functional Description
Get the currently set shutdown cause.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-24   EcuM_GetShutdownCause
5.3.3
EcuM_GoHalt
Prototype
Std_ReturnType EcuM_GoHalt (void)
Parameter
void
none
Return code
E_OK
success
E_NOT_OK
error
Functional Description
This API is called in some modes for saving power. In this mode no more code is executed after entering
that state.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
  The selected shutdown target must set to ECUM_STATE_SLEEP
Call Context
  Function could be called from interrupt level or from task level
Table 5-25   EcuM_GoHalt
2015, Vector Informatik GmbH
Version: 5.00.00
81 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.4
EcuM_GoPoll
Prototype
Std_ReturnType EcuM_GoPoll (void)
Parameter
void
none
Return code
E_OK
success
E_NOT_OK
error
Functional Description
This API is called in some modes for saving power. In this mode code is executed, so the EcuM poll for
wake-up events. Only those Wake-up Sources with configured parameter EcuMWakeupSourcePolling are
polled during that sleep mode. Other active sources can set wake-up events via interrupts.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
  The selected shutdown target must set to ECUM_STATE_SLEEP
Call Context
  Function could be called from interrupt level or from task level
Table 5-26   EcuM_GoPoll
2015, Vector Informatik GmbH
Version: 5.00.00
82 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.5
EcuM_GoDown
Prototype
Std_ReturnType EcuM_GoDown (uint16 caller)
Parameter
void
none
Return code
Std_ReturnType
none
Functional Description
This routine is called to initiate a shutdown or a reset. The routine checks if the caller is one of the allowed
callers (if defensive behavior is configured) and then the EcuM calls ShutdownOS() and thereafter the API
EcuM_Shutdown() is called by the shutdown hook.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
  The selected shutdown target must set to ECUM_STATE_OFF or ECUM_STATE_RESET
Call Context
  Function could be called from interrupt level or from task level
Table 5-27   EcuM_GoDown
2015, Vector Informatik GmbH
Version: 5.00.00
83 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.6
EcuM_GoToSelectedShutdownTarget
Prototype
Std_ReturnType EcuM_GoToSelectedShutdownTarget(void)
Parameter
void
none
Return code
E_OK

E_NOT_OK

Functional Description
This API can be called e.g. from the BswM without knowledge about the currently
configured shutdown target. The EcuM decides if EcuM_GoHalt(), EcuM_GoPoll() or
EcuM_GoDown() has to be called.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from interrupt level or from task level
Table 5-28   EcuM_GoToSelectedShutdownTarget

2015, Vector Informatik GmbH
Version: 5.00.00
84 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.7
EcuM_SetRelWakeupAlarm
Prototype
Std_ReturnType EcuM_SetRelWakeupAlarm (EcuM_UserType user, uint32 time)
Parameter
user
The user that wants to set up the wake up alarm
time
Relative time for the wake-up alarm in seconds
Return code
E_OK
Alarm was successfully started
E_NOT_OK
No Alarm was started because of an invalid user parameter
E_EARLIER_ACTIVE
An earlier alarm was already started
Functional Description
This API can be used to set a relative wake up alarm during runtime of the ECU. For further information
about this see chapter 3.14.

Caution
All wake up alarms are cleared if the ECU wakes up from a sleep phase, even if the
  reason for this wake up was not time triggered. The wake up alarms must be rearmed
before the next sleep phase is entered.

Note
Each user can only set one wake-up alarm.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from task level
Table 5-29   EcuM_SetRelWakeupAlarm
2015, Vector Informatik GmbH
Version: 5.00.00
85 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.8
EcuM_SetAbsWakeupAlarm
Prototype
Std_ReturnType EcuM_SetAbsWakeupAlarm (EcuM_UserType user, uint32 time)
Parameter
user
The user that wants to set up the wake-up alarm
time
Absolute time for the wake-up alarm in seconds
Return code
E_OK
Alarm was successfully started
E_NOT_OK
No Alarm was started because of an invalid user parameter
E_EARLIER_ACTIVE
An earlier alarm was already started
E_PAST
The time has already passed
Functional Description
This API can be used to set an absolute wake up alarm during runtime of the ECU. For further information
about this see chapter 3.14.

Caution
All wake up alarms are cleared if the ECU wakes up from a sleep phase, even if the
  reason for this wake up was not time triggered. The wake up alarms must be rearmed
before the next sleep phase is entered.

Note
Each user can only set one wake-up alarm.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from task level
Table 5-30   EcuM_SetAbsWakeupAlarm
2015, Vector Informatik GmbH
Version: 5.00.00
86 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.9
EcuM_AbortWakeupAlarm
Prototype
Std_ReturnType EcuM_AbortWakeupAlarm (EcuM_UserType user)
Parameter
user
The user that wants to abort the wake-up alarm
Return code
E_OK
Alarm was successfully aborted
E_NOT_OK
The parameter ‘user’ was not valid
E_NOT_ACTIVE
No alarm was active for this user
Functional Description
This API can be used to abort a wake-up alarm which was set via the APIs EcuM_SetRelWakeupAlarm or
EcuM_SetAbsWakeupAlarm.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from task level
Table 5-31   EcuM_AbortWakeupAlarm
2015, Vector Informatik GmbH
Version: 5.00.00
87 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.10  EcuM_GetWakeupTime
Prototype
Std_ReturnType EcuM_GetWakeupTime (uint32 *time)
Parameter
time
Absolute time of the next configured wake-up alarm in seconds
Return code
E_OK
Time was successfully returned
E_NOT_OK
A null pointer was passed as parameter ‘time’
Functional Description
Returns the time of the next active wake-up alarm which was set via the APIs EcuM_SetAbsWakeupAlarm
or EcuM_SetRelWakeupAlarm.

Note
If the returned value equals ‘0xFFFFFFFF’, no wake-up alarm is currently active

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from task level
Table 5-32   EcuM_GetWakeupTime

2015, Vector Informatik GmbH
Version: 5.00.00
88 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.11  EcuM_SetClock
Prototype
Std_ReturnType EcuM_SetClock (EcuM_UserType user, uint32 time)
Parameter
user
The user that wants to set up the clock
time
The absolute time value designated for the new time in seconds
Return code
E_OK
Time was successfully modified
E_NOT_ALLOWED
The user was not allowed to modify the time
Functional Description
This API can be used to modify the current time. Only special users are allowed to modify this time, e.g. for
test purposes.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from task level
Table 5-33   EcuM_SetClock
2015, Vector Informatik GmbH
Version: 5.00.00
89 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.12  EcuM_GetCurrentTime
Prototype
Std_ReturnType EcuM_GetCurrentTime (uint32 *time)
Parameter
time
Current system time in seconds
Return code
E_OK
Time was successfully returned
E_NOT_OK
A null pointer was passed as parameter ‘time’
Functional Description
This API can be used to get the current system time.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from task level
Table 5-34   EcuM_GetCurrentTime
2015, Vector Informatik GmbH
Version: 5.00.00
90 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.3.13  EcuM_SetState
Prototype
void EcuM_SetState(EcuM_StateType state);
Parameter
state
State indicated by BswM
Return code
void
none
Functional Description
Requests a specific state which will be mapped to the corresponding RTE mode. This mode will be used
to trigger a RTE mode switch.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from task level
Table 5-35   EcuM_SetState

2015, Vector Informatik GmbH
Version: 5.00.00
91 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.4
Services Provided by EcuM fixed
In the following the services are described which are only relevant for EcuM fixed:
5.4.1
EcuM_GetState
Prototype
Std_ReturnType EcuM_GetState (EcuM_StateType* state)
Parameter
state
Current EcuM State
Return code
E_OK
The parameter state was a not NULL_PTR
E_NOT_OK
The parameter state was a NULL_PTR
Functional Description
This API returns the current EcuM State. The possible EcuM States for the fixed EcuM can be seen in
chapter 3.3 States of EcuM fixed.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is reentrant.
Call Context
  Function could be called from task level
Table 5-36   EcuM_GetState
2015, Vector Informatik GmbH
Version: 5.00.00
92 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.4.2
EcuM_KillAllRUNRequests
Prototype
void EcuM_ KillAllRUNRequests (void)
Parameter
void
none
Return code
void
none
Functional Description
Deletes all RUN requests and ensures that no new RUN request is accepted. Additionally the EcuM self-
run request period will be aborted.

Note
The benefit of this function over an ECU reset is that the shutdown sequence is
  executed, which e.g. takes care of writing back NV memory contents.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from application context.
Table 5-37   EcuM_ KillAllRUNRequests
2015, Vector Informatik GmbH
Version: 5.00.00
93 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.4.3
EcuM_KillAllPostRUNRequests
Prototype
void EcuM_ KillAllPostRUNRequests (void)
Parameter
void
none
Return code
void
none
Functional Description
Deletes all POST_RUN requests and ensures that no new POST_RUN request is accepted.

Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from application context.
Table 5-38   EcuM_ KillAllPostRUNRequests
2015, Vector Informatik GmbH
Version: 5.00.00
94 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.5
Services Used by EcuM
In the following table services provided by other components, which are used by the EcuM
are listed. Also refer to chapter 2.1.
For details about prototype and functionality refer to the documentation of the providing
component.
Component API
EcuM
EcuM
flex
fixed
BswM
BswM_EcuM_CurrentWakeup()


BswM_Init()


BswM_Deinit()


BswM_EcuM_RequestedState()


BswM_EcuM_CurrentState()


ComM
ComM_EcuM_WakeUpIndication()


ComM_GetStatus()


ComM_GetState()


ComM_CommunicationAllowed()


ComM_DeInit()


Det
Det_ReportError()


Dem
Dem_ReportErrorStatus()


Dem_Init()


Dem_Shutdown()


Gpt
Gpt_EnableNotification()


Gpt_EnableWakeup()


Gpt_SetMode()


Gpt_StartTimer()


Mcu
Mcu_SetMode()


Mcu_GetResetReason()


NvM
NvM_WriteAll()


NvM_CancelWriteAll()


NvM_KillWriteAll()


OS
ShutdownOS()


StartOS()


GetResource()


ReleaseResource()


EnableAllInterrupts()


DisableAllInterrupts()


RTE
Rte_Start()


Rte_Stop()


Rte_Switch_currentMode_currentMode()


Rte_Feedback_currentMode_currentMode()


SchM
SchM_Init()


SchM_Deinit()


2015, Vector Informatik GmbH
Version: 5.00.00
95 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
Component  API
EcuM
EcuM
flex
fixed
SchM_Enter_EcuM_ECUM_EXCLUSIVE_AREA_0()


SchM_Exit_EcuM_ECUM_EXCLUSIVE_AREA_0()


SchM_Enter_EcuM_ECUM_EXCLUSIVE_AREA_1()


SchM_Exit_EcuM_ECUM_EXCLUSIVE_AREA_1()


SchM_Enter_EcuM_ECUM_EXCLUSIVE_AREA_2()


SchM_Exit_EcuM_ECUM_EXCLUSIVE_AREA_2()


Table 5-39   Services used by the EcuM
5.6
Callback Functions
This chapter describes the callback functions that are implemented by the EcuM and can
be invoked by other modules. The prototypes of the callback functions are provided in the
header file EcuM_Cbk.h by the EcuM.
5.6.1
EcuM_SetWakeupEvent
Prototype
void EcuM_SetWakeupEvent (EcuM_WakeupSourceType WakeupSource)
Parameter
WakeupSource
the source of the wake-up event.
Return code
void
none
Functional Description
Marks a wake-up event as pending if validation is required. If no validation is required then
EcuM_ValidateSetWakeupEvent will be called within this function.
Particularities and Limitations
  None
Call Context
  Function could be called from interrupt level or from task level
Table 5-40   EcuM_SetWakeupEvent
2015, Vector Informatik GmbH
Version: 5.00.00
96 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.6.2
EcuM_ValidateWakeupEvent
Prototype
void EcuM_ValidateWakeupEvent (EcuM_WakeupSourceType WakeupSource)
Parameter
WakeupSource
the wake-up source which should be validated
Return code
void
none
Functional Description
After wake-up, the ECU State Manager will stop the process during the WAKE-UP VALIDATION state to
wait for validation of the wake-up event. The validation is carried out with a call of this API service.
Particularities and Limitations
  Only ComM channels can validate Wake-up Events during ECUM_STATE_RUN.
Call Context
  Function could be called from interrupt level or from task level
Table 5-41   EcuM_ValidateWakeupEvent
2015, Vector Informatik GmbH
Version: 5.00.00
97 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.6.3
EcuM_AlarmCheckWakeup
Prototype
void EcuM_AlarmCheckWakeup(void)
Parameter
void
none
Return code
void
none
Functional Description
This API is used to update the system clock. The API is called by the EcuM callout EcuM_CheckWakeup or
directly by the GPT after one second has elapsed.
If during sleep the wake-up alarm which was set via the APIs EcuM_SetAbsWakeupAlarm or
EcuM_SetRelWakeupAlarm has expired, this API call will lead to a wake-up event.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from interrupt level
Table 5-42   EcuM_AlarmCheckWakeup

2015, Vector Informatik GmbH
Version: 5.00.00
98 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.6.4
Callback Functions by EcuM fixed
5.6.4.1
EcuM_CB_NfyNvMJobEnd
Prototype
void EcuM_CB_NfyNvMJobEnd (uint8 ServiceID, NvM_RequestResultType JobResult)
Parameter
ServiceID
Unique service ID of NVRAM manger service.
JobResult
[parameter is ignored by EcuM fixed]
Return code
void
none
Functional Description
Used to notify about the end of NVRAM jobs initiated by ECUM.
Particularities and Limitations
  Service ID: see table 'Service IDs'
  This function is synchronous.
  This function is non-reentrant.
Call Context
  Function could be called from interrupt level
Table 5-43   EcuM_AlarmCheckWakeup

5.7
Configurable Interfaces
5.7.1
Notifications
The EcuM does not provide notifications.
5.7.2
Callout Functions
At  its  configurable  interfaces  the EcuM  defines  callout  functions. The  declarations  of  the
callout functions are provided by the BSW module, i.e. the EcuM. It is the integrator's task
to  provide  the  corresponding  function  definitions.  The  definitions  of  the  callouts  can  be
adjusted to the system's needs. The  EcuM  callout function declarations are  described in
the following tables:
2015, Vector Informatik GmbH
Version: 5.00.00
99 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.1
EcuM_ErrorHook
Prototype
void EcuM_ErrorHook (Std_ReturnType reason)
Parameter
reason
The reason for the current call of the ErrorHook.
Return code
void
none
Functional Description
The ECU State Manager calls the Errorhook if the following error code occur:
  ECUM_E_HOOK_RAM_CHECK_FAILED
In that case it is not possible to continue processing. The integrator has to take the decision how the ECU
shall react in that situation.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called in application context.
Table 5-44   EcuM_ErrorHook
5.7.2.2
EcuM_OnGoOffOne
Prototype
void EcuM_OnGoOffOne (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of additional activities in GO OFF I state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called right after entering ECUM_STATE_GO_OFF_ONE.
Table 5-45   EcuM_OnGoOffOne
2015, Vector Informatik GmbH
Version: 5.00.00
100 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.3
EcuM_OnGoOffTwo
Prototype
void EcuM_OnGoOffTwo (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of additional activities in GO OFF II state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called right after entering ECUM_STATE_GO_OFF_TWO.
Table 5-46   EcuM_OnGoOffTwo
5.7.2.4
EcuM_AL_SwitchOff
Prototype
void EcuM_AL_SwitchOff (void)
Parameter
void
none
Return code
void
none
Functional Description
This callout shall take the code for shutting off the power supply of the ECU.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in EcuM_Shutdown(), task context
Table 5-47   EcuM_AL_SwitchOff
2015, Vector Informatik GmbH
Version: 5.00.00
101 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.5
EcuM_AL_Reset
Prototype
void EcuM_AL_Reset (EcuM_ResetType Reset)
Parameter
Reset
The parameter Reset describes the ResetType (refer to 5.1) that is currently
configured via EcuM_SelectShutdownTarget () (refer to 5.2.5).
Return code
void
none
Functional Description
This callout shall take the decision what kind of reset to be performed depending on the given Reset mode.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called in application context.
Table 5-48   EcuM_AL_Reset
5.7.2.6
EcuM_AL_DriverInitZero
Prototype
void EcuM_AL_DriverInitZero (void)
Parameter
void
none
Return code
void
none
Functional Description
This callout is invoked early in the PreOS Sequence during EcuM_Init().
Particularities and Limitations
  This function is filled by the configuration tool. It can be extended by the integrator by using the
Userblocks.
Call Context
  Invoked in EcuM_Init(), task context
Table 5-49   EcuM_AL_DriverInitZero
2015, Vector Informatik GmbH
Version: 5.00.00
102 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.7
EcuM_AL_DriverInitOne
Prototype
void EcuM_AL_DriverInitOne (void)
Parameter
void
none
Return code
void
none
Functional Description
This callout is invoked late in the PreOS Sequence during EcuM_Init().
Particularities and Limitations
  This function is filled by the configuration tool. It can be extended by the integrator by using the
Userblocks.

Note
PostBuild data can be accessed via the global pointer EcuM_GlobalPBConfig_Ptr,
  example: EcuM_GlobalPBConfig_Ptr->CfgPtr_Com_Init.

Note
Variant data can be accessed via the global pointer EcuM_GlobalPCConfig_Ptr,
  example: EcuM_GlobalPCConfig_Ptr->CfgPtr_ComM_Init.

Call Context
  Invoked in EcuM_Init(), task context
Table 5-50   EcuM_AL_DriverInitOne
2015, Vector Informatik GmbH
Version: 5.00.00
103 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.8
EcuM_AL_DriverRestart
Prototype
void EcuM_AL_DriverRestart (void)
Parameter
void
none
Return code
void
none
Functional Description
This callout shall provide driver initialization and other hardware related startup activities after a wake-up
event from SLEEP state. This callout should be a combination of EcuM_DriverInitZero and
EcuM_DriverInitOne.
Particularities and Limitations
  This function is filled by the configuration tool. It can be extended by the integrator by using the
Userblocks.

Note
PostBuild data can be accessed via the global pointer EcuM_GlobalPBConfig_Ptr,
  example: EcuM_GlobalPBConfig_Ptr->CfgPtr_Com_Init.

Note
Variant data can be accessed via the global pointer EcuM_GlobalPCConfig_Ptr,
  example: EcuM_GlobalPCConfig_Ptr->CfgPtr_ComM_Init.

Call Context
  Invoked directly after the wake-up phase
Table 5-51   EcuM_AL_DriverRestart
2015, Vector Informatik GmbH
Version: 5.00.00
104 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.9
EcuM_AL_SetProgrammableInterrupts
Prototype
void EcuM_AL_SetProgrammableInterrupts (void)
Parameter
void
none
Return code
void
none
Functional Description
On ECUs with programmable interrupt priorities, these priorities must be set before the OS is started.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in EcuM_Init(), task context
Table 5-52   EcuM_AL_SetProgrammableInterrupts
5.7.2.10  EcuM_McuSetMode
Prototype
void EcuM_McuSetMode (Mcu_ModeType McuMode)
Parameter
McuMode
Mode for the upcoming sleep mode
Return code
void
none
Functional Description
Switches the Mcu to a power saving mode during a sleep phase.
Particularities and Limitations
  This function is filled by the configuration tool. It can be adapted by the integrator.
Call Context
  Expected to be called by EcuM_GoHalt() or EcuM_GoPoll()
Table 5-53   EcuM_McuSetMode
2015, Vector Informatik GmbH
Version: 5.00.00
105 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.11  EcuM_WaitForSlaveCores
Prototype
void EcuM_WaitForSlaveCores (void)
Parameter
void
none
Return code
void
none
Functional Description
Is only called if EcuMSlaveCoreHandling is active. During the master core is waiting for the slave cores to
be ready for the upcoming sleep this callout is called cyclically.
In context of this callout the slave cores can be initiated to enter sleep.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called by EcuM_GoHalt() or EcuM_GoPoll()
Table 5-54   EcuM_WaitForSlaveCores

5.7.2.12  EcuM_StartOS
Prototype
void EcuM_StartOS (AppModeType appMode)
Parameter
appMode
Default OS application Mode
Return code
void
none
Functional Description
This callout is called at the end of EcuM_Init() to start the OS.

Note
In case of a MultiCore ECU all slave cores are started from the Master Core via the OS
  API StartCore() before the OS is started with a call to StartOS().

Particularities and Limitations
  This function is filled by the configuration tool. It can be adapted by the integrator.
Call Context
  Expected to be called by EcuM_Init()
Table 5-55   EcuM_StartOS
2015, Vector Informatik GmbH
Version: 5.00.00
106 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.13  EcuM_ShutdownOS
Prototype
void EcuM_ShutdownOS (Std_ReturnType ErrCode)
Parameter
ErrCode
E_OK
Return code
void
none
Functional Description
This callout is called at the end of EcuM_GoDown() to shut down the OS via
ShutdownOS(E_OK).

Note
In case of a MultiCore ECU this callout should lead to a call of
  ShutdownAllCores(E_OK), inside this OS API all cores are synchronized and stopped.

Particularities and Limitations
  This function is filled by the configuration tool. It can be adapted by the integrator.
Call Context
  Expected to be called by EcuM_GoDown()
Table 5-56   EcuM_ShutdownOS

2015, Vector Informatik GmbH
Version: 5.00.00
107 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.14  EcuM_GenerateRamHash
Prototype
void EcuM_GenerateRamHash (void)
Parameter
void
none
Return code
void
none
Functional Description
This callout is intended to provide a RAM integrity test. The goal of this test is to ensure that after a long
SLEEP duration, RAM contents are still consistent. The RAM check itself must be provided by the
integrator.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Invoked just before setting the ECU into a sleep mode where the ECU is halted
Table 5-57   EcuM_GenerateRamHash
5.7.2.15  EcuM_CheckRamHash
Prototype
uint8 EcuM_CheckRamHash (void)
Parameter
void
none
Return code
0
Integrity test failed
1…255
Integrity test passed
Functional Description
This callout is intended to provide a RAM integrity check previously done with EcuM_GenerateRamHash().
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
   Invoked in task context
   Directly called after the wake-up of the ECU.
Table 5-58   EcuM_CheckRamHash
2015, Vector Informatik GmbH
Version: 5.00.00
108 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.16  EcuM_SleepActivity
Prototype
void EcuM_SleepActivity (void)
Parameter
void
none
Return code
void
none
Functional Description
The ECU State Manager invokes this callout periodically during the Poll Sequence if the MCU is not halted.
The EcuM polls periodically all sources that need polling and are active during the configured Sleep mode.
After all sources are polled EcuM_SleepActivity is called once.

Caution
The EcuM_SleepActivity is called in a blocking loop at maximum frequency. If a
  lower period is preferred, the integrator has to implement this behavior.

Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called in task context.
Table 5-59   EcuM_SleepActivity
2015, Vector Informatik GmbH
Version: 5.00.00
109 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.17  EcuM_EnableWakeupSources
Prototype
void EcuM_EnableWakeupSources (EcuM_WakeupSourceType wakeupSource)
Parameter
wakeupSource
Every bit set in the parameter indicates a wake-up source which should be
enabled in the current sleep mode.
Return code
void
none
Functional Description
This callout will be invoked when the EcuM enters a sleep state. The EcuM calls this callout for every bit
that is set as an active source for the current Sleep mode.
The integrator has to take care to implement the necessary activities to enable the corresponding wake-up
sources.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Invoked just before setting the ECU into a sleep mode
Table 5-60   EcuM_EnableWakeupSources
5.7.2.18  EcuM_DisableWakeupSources
Prototype
void EcuM_DisableWakeupSources (EcuM_WakeupSourceType wakeupSource)
Parameter
wakeupSource
Every bit set in the parameter indicates a wake-up source which should be
enabled in the current sleep mode.
Return code
void
none
Functional Description
This callout will be invoked when the EcuM leaves a sleep state. The EcuM disables all wake-up sources
that have occurred during the recent sleep phase. The not occurred sources remain active till the EcuM
transits to ECUM_STATE_RUN after the successful validation of a wake-up source.
The integrator has to take care to implement the necessary activities to disable the corresponding wake-up
sources.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called just before RUN state is entered after a sleep     OR
  Called just before WAKEUP_VALIDATION state is entered
Table 5-61   EcuM_DisableWakeupSources
2015, Vector Informatik GmbH
Version: 5.00.00
110 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.19  EcuM_StartWakeupSources
Prototype
void EcuM_StartWakeupSources (EcuM_WakeupSourceType wakeupSource)
Parameter
wakeupSource
Every bit set in the parameter indicates a wake-up source which is enabled in
the current sleep mode.
Return code
void
none
Functional Description
The callout shall start the given wake-up source(s) so that they are ready to perform wake-up validation.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called in task context.
Table 5-62   EcuM_StartWakeupSources
5.7.2.20  EcuM_StopWakeupSources
Prototype
void EcuM_StopWakeupSources (EcuM_WakeupSourceType wakeupSource)
Parameter
wakeupSource
Every bit set in the parameter indicates a wake-up source which should be
stopped after unsuccessful wake-up validation.
Return code
void
none
Functional Description
This callout shall stop the given wake-up source(s) after unsuccessful wake-up validation.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called in task context.
Table 5-63   EcuM_StopWakeupSources
2015, Vector Informatik GmbH
Version: 5.00.00
111 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.21  EcuM_CheckWakeup
Prototype
void EcuM_CheckWakeup (EcuM_WakeupSourceType wakeupSource)
Parameter
wakeupSource
ID of the wake-up source to be checked
Return code
void
none
Functional Description
This callout shall be called by the ISR of a wake-up source to set up the PLL and check wake-up sources
that may be connected to the same interrupt.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called in interrupt context.
Table 5-64   EcuM_CheckWakeup
5.7.2.22  EcuM_CheckValidation
Prototype
void EcuM_CheckValidation (EcuM_WakeupSourceType wakeupSource)
Parameter
wakeupSource
Wake-up IDs of pending wake-up events.
Return code
void
none
Functional Description
This callout is called by the EcuM when wake-up validation of a wake-up event is necessary. The pending
wake-up event(s) are passed by the parameter in order to allow the necessary reaction depending on the
wake-up source.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called in WAKE-UP VALIDATION state
Table 5-65   EcuM_CheckValidation

2015, Vector Informatik GmbH
Version: 5.00.00
112 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.23  EcuM_DeterminePbConfiguration
Prototype
EcuM_ConfigRefType EcuM_DeterminePbConfiguration (void)
Parameter
void
none
Return code
EcuM_ConfigRefType
Pointer to the Post-Build structure
Functional Description
In the case of Post-Build Loadable or Selectable the EcuM gets the global configuration pointer via this
callout.

Note
In case of a MultiCore ECU this callout is only called on the core which starts up first.

Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Expected to be called in application context.
Table 5-66   EcuM_DeterminePbConfiguration
2015, Vector Informatik GmbH
Version: 5.00.00
113 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.2.24  EcuM_BswErrorHook
Prototype
void EcuM_BswErrorHook (uint16 BswModuleId, uint8 ErrorId)
Parameter
BswModuleId
The reporting BSW module
ErrorId
The Id of the reported error
Return code
void
none
Functional Description
This API can be called by Basic Software Modules to notify corrupted Postbuild configuration data.

Specified ErrorIds are:
  ECUM_BSWERROR_NULLPTR
  ECUM_BSWERROR_COMPATIBILITYVERSION
  ECUM_BSWERROR_MAGICNUMBER
Particularities and Limitations
  The handling of an occurred error has to be specified by the integrator.
Call Context
  Invoked in task context.
Table 5-67   EcuM_BswErrorHook
2015, Vector Informatik GmbH
Version: 5.00.00
114 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.3
Callout Functions by EcuM flex
5.7.3.1
EcuM_GptStartClock
Prototype
void EcuM_GptStartClock (Gpt_ChannelType GptChannel, Gpt_ModeType Mode,
Gpt_ValueType Value)
Parameter
GptChannel
The configured Gpt channel which serves as time base for alarm clock
Mode
The Gpt normal mode
Value
The value to start the Gpt timer for second based notification / wake up
Return code
Void
none
Functional Description
This callout prepares the Gpt for calling the callback EcuM_AlarmCheckWakeup every second to increment
the system time.

Note
This callout is only active if the EcuM alarm clock is enabled

Particularities and Limitations
  This function is filled by the configuration tool. It can be adapted by the integrator.
Call Context
  Expected to be called by EcuM_StartupTwo().
Table 5-68   EcuM_GptStartClock
2015, Vector Informatik GmbH
Version: 5.00.00
115 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.3.2
EcuM_GptSetSleep
Prototype
void EcuM_GptSetSleep (Gpt_ChannelType GptChannel, Gpt_ModeType Mode)
Parameter
GptChannel
The configured Gpt channel which serves as time base for alarm clock
Mode
The Gpt sleep mode
Return code
Void
none
Functional Description
This callout sets the Gpt to sleep mode and enables the wake up functionality of the Gpt.

Note
This callout is only active if the EcuM alarm clock is enabled

Particularities and Limitations
  This function is filled by the configuration tool. It can be adapted by the integrator.
Call Context
  Expected to be called by EcuM_GoHalt() or EcuM_GoPoll()
Table 5-69   EcuM_GptSetSleep
2015, Vector Informatik GmbH
Version: 5.00.00
116 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.3.3
EcuM_GptSetNormal
Prototype
void EcuM_GptSetNormal (Gpt_ChannelType GptChannel, Gpt_ModeType Mode)
Parameter
GptChannel
The configured Gpt channel which serves as time base for alarm clock
Value
The Gpt normal mode
Return code
Void
none
Functional Description
This callout sets the Gpt back to normal mode after the ECU has woken up from a sleep mode.

Note
This callout is only active if the EcuM alarm clock is enabled

Particularities and Limitations
  This function is filled by the configuration tool. It can be adapted by the integrator.
Call Context
  Expected to be called by EcuM_GoHalt() or EcuM_GoPoll()
Table 5-70   EcuM_GptSetNormal
2015, Vector Informatik GmbH
Version: 5.00.00
117 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.3.4
EcuM_AL_DriverInitBswM_<ID>
Prototype
void EcuM_AL_DriverInitBswM_<ID> (const EcuM_ConfigType *ConfigPtr)
Parameter
ConfigPtr
Pointer to global module configuration structure.
Return code
void
none
Functional Description
This callout can be invoked by the BswM to initialize the stack of the ECU.

Note
The ID and the count of this callout depends on the configuration. The integrator can
 configure multiple driver init lists of this type.

Particularities and Limitations
 This function is filled by the configuration tool. It can be extended by the integrator by using the
Userblocks.
Call Context
 Invoked in BswM_Init(), task context
Table 5-71 EcuM_AL_DriverInitBswM

2015, Vector Informatik GmbH
Version: 5.00.00
118 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.4
Callout Functions by EcuM fixed
5.7.4.1
EcuM_AL_DriverInitTwo
Prototype
void EcuM_AL_DriverInitTwo (void)
Parameter
void
none
Return code
void
none
Functional Description
This callout is invoked during EcuM_StartupTwo(), prior the Rte is started.
Particularities and Limitations
  This function is filled by the configuration tool. It can be extended by the integrator by using the
Userblocks.

Note
PostBuild data can be accessed via the global pointer EcuM_GlobalPBConfig_Ptr,
  example: EcuM_GlobalPBConfig_Ptr->CfgPtr_Com_Init.

Note
Variant data can be accessed via the global pointer EcuM_GlobalPCConfig_Ptr,
  example: EcuM_GlobalPCConfig_Ptr->CfgPtr_ComM_Init.

Call Context
  Invoked in EcuM_StartupTwo(), task context
Table 5-72   EcuM_AL_DriverInitTwo
2015, Vector Informatik GmbH
Version: 5.00.00
119 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.4.2
EcuM_AL_DriverInitThree
Prototype
void EcuM_AL_DriverInitThree (void)
Parameter
void
none
Return code
void
none
Functional Description
This callout is invoked during EcuM_StartupTwo(), after the Rte is started.
Particularities and Limitations
  This function is filled by the configuration tool. It can be extended by the integrator by using the
Userblocks.

Note
PostBuild data can be accessed via the global pointer EcuM_GlobalPBConfig_Ptr,
  example: EcuM_GlobalPBConfig_Ptr->CfgPtr_Com_Init.

Note
Variant data can be accessed via the global pointer EcuM_GlobalPCConfig_Ptr,
  example: EcuM_GlobalPCConfig_Ptr->CfgPtr_ComM_Init.

Call Context
  Invoked in EcuM_StartupTwo(), task context
Table 5-73   EcuM_AL_DriverInitThree

2015, Vector Informatik GmbH
Version: 5.00.00
120 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.4.3
EcuM_OnEnterRun
Prototype
void EcuM_OnEnterRun (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of activities before entering RUN state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called just before entering RUN state.
Table 5-74   EcuM_OnEnterRun
5.7.4.4
EcuM_OnExitRun
Prototype
void EcuM_OnExitRun (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of activities before leaving RUN state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called just before leaving RUN state.
Table 5-75   EcuM_OnExitRun
2015, Vector Informatik GmbH
Version: 5.00.00
121 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.4.5
EcuM_OnGoSleep
Prototype
void EcuM_OnGoSleep (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of additional activities while module is in GO SLEEP state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called after entering GO SLEEP state.
Table 5-76   EcuM_OnGoSleep
5.7.4.6
EcuM_OnPrepShutdown
Prototype
void EcuM_OnPrepShutdown (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of additional activities in PREP SHUTDOWN state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called just after entering PREP SHUTDOWN state.
Table 5-77   EcuM_OnPrepShutdown
2015, Vector Informatik GmbH
Version: 5.00.00
122 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.4.7
EcuM_OnExitPostRun
Prototype
void EcuM_OnExitPostRun (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of activities while leaving POST RUN state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called while leaving POST RUN state.
Table 5-78   EcuM_OnExitPostRun
5.7.4.8
EcuM_OnFailedNvmWriteAllJobReaction
Prototype
void EcuM_OnFailedNvmWriteAllJobReaction (void)
Parameter
void
none
Return code
void
none
Functional Description
The ECU State Manager will call this function in case that a Nvm_WriteAll() job was not finished in time.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
Table 5-79   EcuM_OnFailedNvmWriteAllJobReaction
2015, Vector Informatik GmbH
Version: 5.00.00
123 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.7.4.9
EcuM_OnWakeupReaction
Prototype
void EcuM_OnWakeupReaction (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of additional activities in WAKEUP_REACTION state.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called in ECUM_STATE_WAKEUP_REACTION state.
Table 5-80   EcuM_OnFailedNvmWriteAllJobReaction
5.7.4.10  EcuM_OnRTEStartup
Prototype
void EcuM_OnRTEStartup (void)
Parameter
void
none
Return code
void
none
Functional Description
Allows the execution of activities before starting the RTE.
Particularities and Limitations
  This function has to be filled with code by the integrator.
Call Context
  Invoked in task context
  Called before Rte_Start() is executed. Module state: STARTUP
Table 5-81   EcuM_OnRTEStartup

2015, Vector Informatik GmbH
Version: 5.00.00
124 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.8
Service Ports
5.8.1
Client Server Interface
A client server interface is related to a Provide Port at the server side and a Require Port
at client side.
5.8.1.1
Provide Ports on EcuM Side
At  the  Provide  Ports  of  the  EcuM  the  API  functions  described  in  5.2  are  available  as
Runnable Entities. The Runnable Entities are invoked via Operations. The mapping from a
SWC client call to an Operation is performed by the RTE. In this mapping the RTE adds
Port Defined Argument Values to the client call of the SWC, if configured.
The  following  sub-chapters  present  the  Provide  Ports  defined  for  the  EcuM  and  the
Operations defined for the Provide Ports, the API functions related to the Operations to be
added by the RTE.

5.8.1.1.1
ShutdownTarget Port
Operation
API Function
SelectShutdownTarget
EcuM_SelectShutdownTarget()
GetLastShutdownTarget
EcuM_GetLastShutdownTarget()
GetShutdownTarget
EcuM_GetShutdownTarget()
SelectShutdownCause
EcuM_SelectShutdownCause()
GetShutdownCause
EcuM_GetShutdownCause()
Table 5-82   Shutdown Target Port
5.8.1.1.2
BootTarget Port
Operation
API Function
SelectBootTarget
EcuM_SelectBootTarget()
GetBootTarget
EcuM_GetBootTarget()
Table 5-83   BootTarget Port
2015, Vector Informatik GmbH
Version: 5.00.00
125 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.8.1.1.3
AlarmClock Port
Operation
API Function
SelectRelWakeupAlarm
EcuM_SelectRelWakeupAlarm()
SelectAbsWakeupAlarm
EcuM_SelectAbsWakeupAlarm()
AbortWakeupAlarm
EcuM_AbortWakeupAlarm()
GetCurrentTime
EcuM_GetCurrentTime()
GetWakeupTime
EcuM_GetWakeupTime()
SetClock
EcuM_SetClock()
Table 5-84 AlarmClock Port

Caution
The AlarmClock Port is only available in case of EcuM flex.

5.8.1.1.4
StateRequest Port

Operation
API Function
Port Defined Argument Value
RequestRUN
EcuM_RequestRUN()
EcuM_UserType UserId
ReleaseRUN
EcuM_ReleaseRUN()
EcuM_UserType UserId
RequestPOST_RUN
EcuM_RequestPOST_RUN()
EcuM_UserType UserId
ReleasePOST_RUN
EcuM_ReleasePOST_RUN()
EcuM_UserType UserId
GetState
EcuM_GetStateWrapper()
EcuM_UserType UserId
Table 5-85 StateRequest Port

Info
The GetState operation above is mapped to an additional API function

EcuM_GetStateWrapper() which has to be introduced to be compliant with ASR3
Microsar EcuM. This API is not described in chapter 5.2 because the functionality is the
same as EcuM_GetState().

2015, Vector Informatik GmbH
Version: 5.00.00
126 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
5.8.1.2
Require Ports on EcuM Side
The EcuM calls operations at its Require Ports. These Operations have to be provided by
the SWCs by means of Runnable Entities. These Runnable Entities implement the
callback functions expected by the EcuM.
The following sub-chapters present the Require Port defined for the EcuM, the Operations
that are called from the EcuM and the related Notifications.
5.8.1.2.1
currentMode Port
Operation
RTE Interface
Mode Declaration Group
currentMode
Rte_Switch_currentMode_currentMode
STARTUP
RUN
POST_RUN
SLEEP
WAKE_SLEEP
SHUTDOWN
Table 5-86 currentMode Port

Caution
The Ports CurrentMode and StateRequest are only available in case of EcuM fixed.

2015, Vector Informatik GmbH
Version: 5.00.00
127 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
6  AUTOSAR Standard Compliance
6.1
Deviations
6.1.1
Deviation in the Naming of API Parameters
6.1.1.1
ResetSleepMode
The parameter “mode” has been changed to “resetSleepMode” for the following APIs:
>  EcuM_GetLastShutdownTarget()
>  EcuM_GetShutdownTarget()
>  EcuM_SelectShutdownTarget()
6.1.1.2
TargetState
The parameter “target” has been changed to “targetState” for the following API:
>  EcuM_SelectShutdownTarget()
6.1.1.3
ShutdownTarget
The parameter “shutdownTarget” has been changed to “target” for the following API:
>  EcuM_GetShutdownTarget()
>  EcuM_GetLastShutdownTarget()
6.1.1.4
Target (ShutdownTarget)
The parameter “target” has been changed to “shutdownCause” for the following API:
>  EcuM_SelectShutdownCause()
6.1.1.5
Target (BootTarget)
The parameter “target” has been changed to “BootTarget” for the following API:
>  EcuM_SelectBootTarget()
>  EcuM_GetBootTarget()
6.1.1.6
Sources
The parameter “sources” has been changed to “WakeupSource” for the following API:
>  EcuM_ClearWakeupEvent()
>  EcuM_SetWakeupEvent()
>  EcuM_ValidateWakeupEvent()
6.1.2
Starting of the Validation Timer
The validation timer is not started by calling EcuM_SetWakeupEvent(), instead it is started
with the next MainFunctionCycle.
6.1.3
Multiplicity of Parameters
6.1.3.1
EcuMResetReasonRef
The parameter has been changed to optional so that not every wake-up source must have
configured an Mcu reset reason.
2015, Vector Informatik GmbH
Version: 5.00.00
128 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
6.1.3.2
EcuMSleepMode
The parameter has been changed to optional to allow code optimization on ECUs without
the possibility to switch ECUM_STATE_OFF.
6.1.3.3
EcuMConfigConsistencyHash
The parameter has been changed to optional because it is only necessary in the case of
variant post build.
6.1.3.4
Removed parameter ConfigPtr from DriverInit Lists
Removed the parameter ConfigPtr from the prototypes of the following Callouts:
>  EcuM_AL_DriverInitOne()
>  EcuM_AL_DriverInitTwo()
>  EcuM_AL_DriverInitThree()

6.2
Additions/ Extensions
6.2.1
Additional Configuration Parameters
To fulfill the jobs of the EcuM some more parameters beyond the AUTOSAR specification
are needed. The description of these parameters can be found in the BSWMD file which is
part of the delivery.
The following containers are added:
>
EcuMDriverInitListBswM

The following parameters are added:
>
EcuMAdditionalInitCode
>
EcuMGoDownRequestID
>
EcuMAdditionalIncludes
>
EcuMUserConfigurationFile
>
EcuMCheckWakeupTimeout
>
EcuMDeferredBswMNotification
>
EcuMGptChannelRef
>
EcuMSlaveCoreHandling
>
EcuMGenModeSwitchPort
>
EcuMIncludeDem
>
EcuMModeSwitchRteAck
>
EcuMGenModeSwitchPort
>
EcuMNvmCancelWriteAllTimeout
>
EcuMEnableFixBehavior
>
EcuMBswCoreId
6.2.2
Buffering of Wake ups if the BswM is Not Initialized
In  early  phases  of  the  ECU,  wake-up  events  can  occur  and  should  not  be  missed.  The
EcuM  detects  these  Wake-up  Events and  if the  BswM is  not  initialized  the Event  will  be
buffered and reported to the BswM as soon as the BswM is initialized by the EcuM.
2015, Vector Informatik GmbH
Version: 5.00.00
129 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
6.2.3
Buffering of Wake ups if the ComM is Not Initialized
In  early  phases  of  the  ECU,  wake-up  events  can  occur  and  should  not  be  missed.  The
EcuM checks if the ComM is active by the routine ComM_GetStatus(), if the ComM is not
active  in  this  phase  the  Wake-up  Event  is  also  buffered.  In  the  EcuM_MainFunction  the
EcuM checks if the ComM is still uninitialized and the Wake-up Event is reported as soon
as possible to the ComM.
6.2.4
Additional API EcuM_ClearValidatedWakeupEvent
The  EcuM  implements  an  API  to  clear  only  the  validated  wakeup  events. A  call  of  the
regular  API  EcuM_ClearWakeupEvent  leads  to  a  clear  of  all  events,  pending  wakeup
events will be lost in this case.
It is necessary to clear the validated wakeup events to enter a sleep mode  or shutdown
the Ecu.
6.2.5
Support of Asynchronous Transceiver Handling
To  support  asynchronous  transceiver  handling  a  check-wakeup  validation  timeout  was
introduced  for  wake-up  sources  which  cannot  be  checked  in  the  context  of
EcuM_CheckWakeup.
6.2.6
Deferred notification of the BswM about wake-up events
To prevent that the notification via BswM_EcuM_CurrentWakeup() is executed in context
of an interrupt (via EcuM_SetWakeupEvent or EcuM_ValidateWakeupEvent), the
notification can be deferred to the next cycle of the EcuM_MainFunction. If the notification
is executed deferred or not can be configured via the parameter
EcuMDeferredBswMNotification.

6.2.7
Additional Callback EcuM_AlarmCheckWakeup
This  callback  is  called  by  the  Gpt  every  second  to  increment  the  EcuM  clock  which  is
provided by the alarm clock feature.
6.2.8
Additional API EcuM_GoToSelectedShutdownTarget
This  API  can  be  called  e.g.  from  the  BswM  without  knowledge  about  the  currently
configured  shutdown  target.  The  EcuM  decides  if  EcuM_GoHalt(),  EcuM_GoPoll()  or
EcuM_GoDown() has to be called.
6.2.9
Additional Callout EcuM_WaitForSlaveCores
This  callout  is  only  active  in  case  of  MultiCore  and  if  the  parameter
EcuMSlaveCoreHandling  is  set  true.  In  this  case,  the  EcuM  Master  Core  calls  cyclically
this callout. It can be used to initiate that the sleep is also entered on the slave core.
6.2.10  Support of EcuM fixed
The EcuM supports the EcuM with fixed state machine. The EcuM fixed can be configured
without EcuM flex or combined.
6.2.10.1  Shutdown Target ECUM_STATE_RESET
The shutdown target ECUM_STATE_RESET is available and the callout EcuM_AL_Reset
is  available, independent  of  EcuM_Flex configuration.  The  ResetMode  parameter  will  be
passed  to  EcuM_AL_Reset  but  EcuM  does not  check  if  the  parameter  is  valid,  because
this is a EcuM flex parameter.
2015, Vector Informatik GmbH
Version: 5.00.00
130 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
6.2.10.2  Synchronization of EcuM and RTE modes
Some transitions in the EcuM state machine lead to RTE mode switch notifications via the
API Rte_Switch_currentMode_currentMode().
If the acknowledge mechanism of the EcuM is configured active, EcuM remains in its state
until the RTE has acknowledged the current mode switch.
6.3
Limitations
6.3.1
Inter Module Checks
The EcuM does not check the AUTOSAR version of included external modules.
6.3.2
Recording of Shutdown Causes
The EcuM does not  support the facility to record recent shutdown causes. Therefore the
following two APIs are not supported:
>  EcuM_GetMostRecentShutdown()
>  EcuM_GetNextRecentShutdown()
6.3.3
Not Supported Configuration Parameters and Containers
Some of the specified configuration parameters are not supported. These parameters are
marked with the addition “Not used” in the corresponding parameter description. The
description is located within the module’s BSWMD file which is part of the delivery.
The following containers (including the parameters) are not supported in this release:
>
EcuMShutdownTarget
>
EcuMTTII
The following parameters are not supported in this release:
>
EcuMSleepModeSuspend
>
EcuMAlarmClockTimeOut
>
EcuMFlexEcucPartitionRef
>
EcuMResetLoopDetection
>
EcuMIncludeDem
>
EcuMIncludeDet
>
EcuMNvramReadallTimeout
>
EcuMIncludeNvM
>
EcuMTTIIEnabled
>
EcuMTTIIWakeupSourceRef

6.3.4
Wake-up Events after Reset Reason Translation are not Validated
During the initialization the EcuM get the reason for the current startup via the Mcu reset
reason translation. For this translated events the wake-up validation is not performed.
6.3.5
EcuM Fixed Limitations
  NvM_ReadAll() is not started by the EcuM. This can be done by the integrator e.g.
in DriverInitListTwo().
  EcuM_AL_Reset is available, independent of EcuM_Flex configuration. ResetMode
parameter will be passed to EcuM_AL_Reset, but EcuM checks not if the parameter
is valid.
2015, Vector Informatik GmbH
Version: 5.00.00
131 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
  TTII  is  not  supported.  As  a  consequence,  the  callout  EcuM_OnWakeupReaction
has no parameter and no return value.
  EcuM_WakeupReactionType is not supported.
  EcuM_GetStatusOfWakeupSource is not supported.
  The  following  APIs  are  not  available  if  EcuM  flex  and  EcuM  fixed  are  both
configured:
>  EcuM_GoHalt
>  EcuM_GoPoll
>  EcuM_GoDown
>  EcuM_GoToSelectedShutdownTarget
2015, Vector Informatik GmbH
Version: 5.00.00
132 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
7  Glossary and Abbreviations
7.1
Glossary
Term
Description
Configuration Tool
Tool for generation like DaVinci Configurator Pro
MSN
Module Short Name, the AUTOSAR short name of the module, e.g. Can,
CanIf, EcuM, etc.
Table 7-1   Glossary
7.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
BSWMD
Basic Software Module Description
BswM
Basis Software Mode Manager
CAN
Controller Area Network
ComM
Communication Manager
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECU
Electronic Control Unit
EcuC
ECU configuration description
HIS
Hersteller Initiative Software
Gpt
General Purpose Timer
ICU
Input Capture Unit
ISR
Interrupt Service Routine
MCU
Microcontroller Unit
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
MSN
Module Short Name
PLL
Phase Locked Loop
RTE
Runtime Environment
SchM
Scheduling Manager
SRS
Software Requirement Specification
SWC
Software Component
SWS
Software Specification
Table 7-2   Abbreviations
2015, Vector Informatik GmbH
Version: 5.00.00
133 / 134
based on template version 4.8.3

Technical Reference MICROSAR EcuM Flex
8  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 5.00.00
134 / 134
based on template version 4.8.3

Document Outline

9 - Flash Driver

Flash Driver

Component Documentation

9.1 - AUTOSAR_FLS_Component_UserManual

AUTOSAR MCAL R4.0 User's Manual

9.2 - AUTOSAR_FLS_Component_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70

9.3 - AUTOSAR_FLS_Component_UserManuals

AUTOSAR MCAL R4.0.3
User‟s Manual

FLS Driver Component Ver.1.0.5

Embedded User‟s Manual
Target Device:

RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.01 Apr 2015

2

Notice
1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to
change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest
product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different
information to be disclosed by Renesas Electronics such as that disclosed through our website.
2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third
parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,
express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas
Electronics or others.
3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.
4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of
semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and
information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by you or third
parties arising from the use of these circuits, software, or information.
5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws and
regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products or the
technology described in this document for any purpose relating to military applications or use by the military, including but not limited
to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or incorporated
into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign laws or
regulations.
6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does not
warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by you
resulting from errors in or omissions from the information included herein.
7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and "Specific".
The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated below.  You
must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may not use any
Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas Electronics.
Further, you may not use any Renesas Electronics product for any application for which it is not intended without the prior written
consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by you or third
parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which the product is
not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of each Renesas
Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data books, etc.
"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; auport and visual
equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.
"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime
systems; safety equipment; and medical equipment not specifically designed for life support.
"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or systems
for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare intervention (e.g.
excision, etc.), and any other applications or purposes that pose a direct threat to human life.
8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,
especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation
characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages
arising out of the use of Renesas Electronics products beyond such specified ranges.
9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific
characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas
Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against
the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a
Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control and
malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation of
microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.
10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of each
Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations that
regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics
assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.
11.
This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas
Electronics.
12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this
document or Renesas Electronics products, or if you have any other inquiries.

(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned
subsidiaries.
(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.
3

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
ANSI
American National Standards Institute
API
Application Programming Interface
AUTOSAR
AUTomotive Open System ARchitecture
BSW
Basic SoftWare
DEM
Diagnostic Event Manager
DET/Det
Development Error Tracer
ECU
Electronic Control Unit
EEPROM
Electrically Erasable Programmable Read Only Memory
FCL
Code Flash Library
FDL
Data Flash Library
FLS
FLaSh Driver
GNU
GNU‟s Not Unix
HW
HardWare
ID/Id
Identifier
MCAL
Microcontroller Abstraction Layer
NA
Not Applicable
RAM
Random Access Memory
ROM
Read Only Memory
RTE
Run Time Environment
SCHM/SchM
Scheduler Manager
SW
SoftWare

Definitions

Term
Represented by
Sl. No.
Serial Number

5

6

10

Introduction                                                                                                                            Chapter 1

Chapter 1
Introduction

The purpose of this document is to describe the information related to FLS
Driver Component for Renesas P1x microcontrollers.

This document shall be used as reference by the users of FLS Driver
Component. The system overview of complete AUTOSAR architecture is
shown in the below Figure:

Micro control ler Drivers
Memory Dri vers
Communication Drivers
I/O Drivers

In

In
te

W
t
r
e
n
a
r
GP
MC
a
F

tc
n
n
F
l
le
C

C
A
al

a
EEP
L
I
D
C
h
x
W
L
D
T
U
ore
I

do

l
AN
I
S
N
R

M

U
O
M
C

Fl

ay

g

a
R

a

s

sh
OM
h

E
P
Micro-
x
L
Unit
o
t
I
.
N
w

er
controller

Figure 1-1  System Overview of FLS Driver Component in AUTOSAR MCAL Layer

The  FLS  Driver  Component  is  part  of  BSW  which  is  accessible  by  RTE.
This  RTE  is  a  middle  ware  layer  providing  communication  services  for  the
application  software  and  thereby  it  is  possible  to  map  the  application
software components between different ECUs.

The  RTE  provides  the  encapsulation  of  Hardware  channels  and  basic
services  to the  Application  Software  Components.  So  it  is  possible  to  map
the Application Software-Components between different ECUs.

The  Basic  Software  Modules  are  located  below  the  RTE.  The  Basic
Software  itself  is  divided  into  the  subgroups:  System  Services,  Memory,
Communication  and  IO  Hardware-Abstraction.  The  Complex  Drivers  are
also located below the RTE. Among others, the Operating System (OS), the
Watchdog manager and the Diagnostic services are located  in the System
Services  subgroup.  The  Memory  subgroup  contains  modules  to  provide
access to the non-volatile memories, namely Flash and EEPROM. Here the
flash  operation  will  be  handled  by  flash  driver,  this  module  uses  a
underlying  FCL  and  FDL  SW  libraries  for  accessing  and  programming  of
flash.

On  board  Device  Abstraction  provides  an  interface  to  physical  values  for
AUTOSAR  software  components.  It  abstracts  the  physical  origin  of  signals
(their paths to the hardware FLSs) and normalizes the signals with respect
to  their  physical  appearance.  The  microcontroller  driver  provides  services
for  basic  microcontroller  initialization,  power  down  functionality,  reset  and
microcontroller specific functions required from the upper layers.
11

  Chapter 1                                                                                                                            Introduction

Application/RTE invoking

AUTOSTAR defined Flash operations

Flash Driver Software Components - FLS

Code Flash access layer / Data Flash

access Layer

Flash Hardware

Figure 1-2  System Overview Of AUTOSAR Architecture

The  FLS  application  software  components  are  located  at  the  top  and  can
gain access to the rest of the ECU and also to other ECUs only through the
RTE. This RTE is a middleware layer providing communication services for
the  application  software  and  thereby  it  is  possible  to  map  the  application
software components between different ECUs.

This FLS Software Module is located below the RTE. The FLS Component
APIs are directly invoked by the application or RTE. The FLS Component is
responsible  for  erase/write/read/compare  data  on  the  code  flash  and  data
flash memories.

The FLS component makes use of the FCL and FDL, which is an underlying
software library contains the FCL and FDL APIs to perform the activities like
accessing  and  programming  the  on-chip  code  flash  and  data  flash
hardware.  This  means  FCL  and  FDL  offers  all  functions  and  commands
necessary  to  reprogram  the  application  in  a  user  friendly  C  language
interface.

The  FLS  Component  layer  provides  the  wrapper  for  the  Code  Flash  and
Data  Flash  Library,  which  comprises  of  API  for  erase/write data  to  on-chip
code  flash  and  data  flash  memory  of  the  device.  The  FLS  Component
conforms  to  the  AUTOSAR  standard  and  is  implemented  mapping  to  the
AUTOSAR FLS Software Specification.

FCL and FDL acts as a programming interface between the Flash memory
HW and higher level user applications; in this case it is the AUTOSAR FLS
module. The FCL and FDL offers all required functions to handle code flash
and  data  flash  programming,  that  means  programming  the  flash  memory
without  programming  tools  and  during  program  execution.  FCL  and  FDL
offer  an  easy-  to-use  interface  to  the  internal  firmware  functionality.  By
calling  the  FCL  and  FDL  library  functions  from  user program,  the  contents
of the flash memory can easily be rewritten in the field.

12

Introduction
Chapter 1

The  functional  parameters  of  FLS  software  components  are  statically
configurable to fit as far as possible to the real needs of each ECU.

1.1
Document Overview

The document has been segmented for easy reference. The table below
provides user with an overview of the contents of each section:

Section
Contents
Section1 (Introduction)
This section provides an introduction and overview of FLS Driver
Component.
Section 2 (Reference Documents)  This section lists the documents referred for developing this document.
Section 3 (Integration And Build
This section explains the folder structure, Make file structure for FLS
Process)
Driver Component. This section also explains about the Make file
descriptions, Integration of FLS Driver Component with other
components, building the FLS Driver Component along with a sample
application.
Section 4 (Forethoughts)
This section provides brief information about the FLS Driver Component,
the preconditions that should be known to the user before it is used,
diagnostic channel, limit check feature, sample and hold feature,
conversion time and stabilization time, DMA and ISR operations, data
consistency details, deviation list and user mode and supervisor mode.
Section 5 (Architecture Details)
This section describes the layered architectural details of the FLS Driver
Component.
Section 6 (Registers Details)
This section describes the register details of FLS Driver Component.
Section 7 (Interaction between
This section describes interaction of the FLS Driver Component with the
The User And FLS Driver
upper layers.
Component)
Section 8 (FLS Driver Component  This section provides information about the FLS Driver Component
Header And Source File
source files is mentioned. This section also contains the brief note on the
Description)
tool generated output file.
Section 9 (Generation Tool Guide)  This section provides information on the FLS Driver Component Code
Generation Tool.
Section 10 (Application
This section explains all the APIs provided by the FLS Driver
Programming Interface)
Component.
Section 11 (Development And
This section lists the DET and DEM errors.
Production Errors)
Section 12 (Memory
This section provides the typical memory organization, which must be
Organization)
met for proper functioning of component.
Section 13 (P1M Specific
This section provides the P1M Specific Information.
Information)
Section 14 (Release Details)
This section provides release details with version name and base
version.

13

Chapter 1 Introduction

14

Reference Documents
Chapter 2

Chapter 2
Reference Documents

Sl. No.
Title
Version
1.
AUTOSAR_SWS_FlashDriver.pdf
3.2.0
2.
r01uh0436ej0070_rh850p1x.pdf
0.70
3.
AUTOSAR_SWS_CompilerAbstraction.pdf
  3.2.0
4.
AUTOSAR_SWS_MemoryMapping.pdf
  1.4.0
5.
AUTOSAR_SWS_PlatformTypes.pdf
  2.5.0
6.
AUTOSAR_BSW_MakefileInterface.pdf
  0.3
7.
AUTOSAR BUGZILLA (http://www.autosar.org/bugzilla)
  -
Note: AUTOSAR BUGZILLA is a database, which contains concerns raised
against information present in AUTOSAR Specifications.
8.
Code Flash Library for RH850 devices (FCL Library)
V2.00
9.
Data Flash Library for RH850 devices (FDL Library)
V2.00
15

Chapter 2 Reference Documents

16

Integration And Build Process
Chapter 3

Chapter 3
Integration and Build Process

In this section the folder structure of the FLS Driver Component is explained.
Description of the Make files along with samples is provided in this section.

Remark  The details about the C Source and Header files that are generated by the
FLS Driver Generation Tool are mentioned in the
“AUTOSAR_FLS_Tool_UserManual.pdf”.

3.1.
FLS Driver Component Make file

The Make file provided with the FLS Driver Component consists of the GNU
Make  compatible  script  to  build  the  FLS  Driver  Component  in  case  of  any
change in the configuration. This can be used in the upper level Make file (of
the application) to link and build the final application executable.

3.1.1. Folder Structure
The files are organized in the following folders:

Remark  Trailing slash „\‟ at the end indicates a folder

X1X\common_platform\modules\fls\src\Fls.c
\Fls_Internal.c
\Fls_Ram.c
\Fls_Version.c
\Fls_Irq.c

X1X\common_platform\modules\fls\include\Fls.h
\Fls_Debug.h
\Fls_Internal.h
\Fls_PBTypes.h
\Fls_Ram.h
\Fls_Types.h
\Fls_Version.h
\Fls_Irq.h

X1X\P1x\modules\fls\src\fdl_descriptor.c
\fcl_descriptor.c
\r_fcl_hw_access.c
\r_fcl_hw_access_asm.850
\r_fcl_user_if.c
\r_fdl_hw_access.c
\r_fdl_user_if.c
17

Chapter 3 Integration And Build Process

X1X\P1x\modules\fls\include
\fdl_cfg.h
\r_fcl.h
\r_fcl_env.h
\r_fcl_global.h
\r_fcl_types.h
\r_fdl.h
\r_fdl_env.h
\r_fdl_global.h
\r_fdl_mem_map.h
\r_fdl_types.h
\r_typedefs.h
X1X\P1x\modules\fls\sample_application\<SubVariant>\make\ghs
\App_FLS_<SubVariant>_Sample.mak

X1X\P1x\modules\fls\sample_application\<SubVariant>\obj\<compiler>
(Note: For example compiler can be ghs.)

X1X\common_platform\modules\fls\generator\Fls_X1x.exe
X1X\P1x\common_family\generator
\Global_Application_P1x.trxml
\Sample_Application_P1x.trxml
\P1x_translation.h

X1X\P1x\modules\fls\generator
\R403_FLS_P1x_BSWMDT.arxml
X1X\P1x\modules\fls\user_manual
(User manuals will be available in this folder)

Notes:
1. <Compiler> can be ghs.
2. <Device_name> can be 701304, 701305, 701310, 701311, 701312, 701313,
701314, 701315, 701318, 701319, 701320, 701321, 701322, 701323.

3. <SubVariant> can be P1M.

4. <AUTOSAR_version> can be 4.0.3.
18

Forethoughts
Chapter 4

Chapter 4
Forethoughts
4.1.
General
Following information will aid the user to use the FLS Driver Component
software efficiently:
•
The  start-up  code  is  ECU  specific.  FLS  Driver  Component  does  not
implement the start-up code.
•
Example  code  mentioned  in  this  document  shall  be  taken  only  as
a reference for implementation.
•
All  development  errors  will  be  reported  to  DET  by  using  the  API
Det_ReportError provided by DET.
•
All  production  errors  will  be  reported  to  DEM  by  using  the  API
Dem_ReportErrorStatus provided by DEM.
•
The  FLS  Driver  Component  is  developed  supports  only  on-chip  ROM
and  no  external  devices  are  considered.  Hence  the  parameters  related
to external devices are ignored by the Generation Tool.
•
The FLS Driver Component does not provide functionalities for setting of
protection flags, boot cluster size, swapping of boot block and flashing of
boot  block  and  they  are  out  of  scope  for  FLS  Driver  Component
implementations.
•
Program  execution  from  Flash  ROM  is  prohibited  during  flash
programming.
Therefore  all  FLS  Components  are  located  in  RAM.  The  FLS
components  will  be  copied  from  Flash  ROM  to  RAM  during  the  startup.
The FLS user has to assure that the application for programming control
is also located to
RAM area during ongoing flash programming operations.

•
The FLS Driver Component‟s job processing function (Fls_MainFunction)
is a polled function.
•
Fls_SetMode does not provide any functionality to the user. Since there
are  no  different  flash  memory  access  modes  available.  This  API  shall
only be a dummy function.
•
The  configurations  provided  for  fast  mode  operation  are  ignored  by  the
Generation Tool and only configurations for normal mode operations are
accepted as the underlying device and the FCL and FDL doesn‟t provide
any functionality.
•
The Fls_Erase() API computes the sectors that need to be erased based
on  the  provided  target  address  and  length.  When  DET  is  enabled  the
error  will  be  reFLSed  if  the  length  of  the  bytes  to  be  erased  is  not  in
multiples of flash sector size.
•
The  configuration  parameter  FlsMaxEraseNormalMode  which  specifies
the maximum data can be erased in one cycle of Fls_MainFunction() for
data flash. The value for the parameter FlsMaxEraseNormalMode should
be in multiples of data flash sector size.
•
Fls_CF_read_memory_u08()  and  R_FDL_FCUFct_ReadOperation()  will
read  the  data  from  the  flash  memory  depending  on  configuration  of
parameters  FlsMaxReadNormalMode  and  FlsMaxCFReadNormalMode
which  specifies  maximum  data  can  be  read  in  one  cycle  of
Fls_MainFunction().
•
Maximum value of FlsMaxReadNormalMode and
FlsMaxCFReadNormalMode parameters specifies the size of a
temporary buffer in RAM which is used when Fls_Read and
Fls_Compare are called. The resulting RAM consumption has to be
considered.
•
R_FCL_I_write_memory_u32()  and    R_FDL_I_write_memory_u32()
writes  the  data  from  target  buffer  to  flash  addresses  depending  on
configuration
of
parameters
FlsMaxWriteNormalMode
and
19

Chapter 4                                                                                                                          Forethoughts

FlsMaxCFWriteNormalMode  which  specifies  maximum  data  can  be
written in one cycle of Fls_MainFunction().
•
The length of the data that has to be programmed on to the flash should
be  in multiples of flash  page. The FLS  Driver Component does not pad
bytes if the length is not in multiples of flash page. It is the responsibility
of  the  application  to  pad  bytes  such  that  the  length  of  the  data  is  in
multiples of flash page.
•
The  normal  write  verification  using  the  direct  memory  read  access  is
performed when DET is enabled.
•
The processing of blank check operation will be applicable for Data flash
only since no supporting APIs are in Code Flash Library.
•
The component will support only the user mode of flash memory. Internal
mode is not in the scope of this implementation.
•
During  activated  flash  environment,  the  access  to  flash  is  not  possible.
Hence  the  user  should  ensure  that  all  the  application  and  supporting
components code that needs to be executed during flash operation need
to locate in RAM.
•
The  device  supports  servicing  of  interrupts  during  self-programming.
During  activated  flash  environment,  the  interrupt  vector  address  in  the
flash will not be available. The interrupt vectors can be relocated to RAM
during  flash  programming.  For  details  please  refer  Exception  Handling
Address Switching Function in the according device CPU user manual.
•
The  FLS  Driver  Component  will  only  invoke  the  call  back  notification
functions.  However,  the  implementation  of  the  call  back functions  is  the
responsibility of the upper layer.
•
The  configuration  parameter  „FlsFclRamAddress‟  minimum  range  is
0xFEDE0000  and  the  maximum  range  is  „0xFEDFF4C8‟  instead  of
„0xFEDFFFFF‟ (RAM end address) as per device specification. Since the
FCL  routines  are  copied  to  RAM  location  during  initialization.  The  RAM
size  required  for  FCL  routines  is  0xB38  bytes.  The  maximum  range  is
provided with consideration of RAM size required for FCL routines.
•
The
user
should
ensure
while
configuring
the
parameter
„FlsFclRamAddress‟ value that the RAM area should not be effected the
RAM area used for FLS driver RAM memory sections.
•
When  the  parameter  „FlsTimeoutMonitoring‟  is  configured  as  true  then
the  timeout  values  for  Erase,  Write,  Read  and  blank  check  are
generating
based
on
the
parameters
„FlsCFEraseTime‟,
„FlsCFWriteTime‟  and  „FlsCFReadTime‟  and  the  values  configured  for
„FlsMaxCFEraseNormalMode‟,
„FlsMaxCFWriteNormalMode‟
and
„FlsMaxCFReadNormalMode‟  for  code  flash.  Time  out  values  are
generating based on the parameters „FlsEraseTime‟, „FlsWriteTime‟ and
„FlsReadTime‟,  „FlsBlankCheckTime‟  and  the  values  configured  for
„FlsMaxEraseNormalMode‟,
„FlsMaxWriteNormalMode‟,
„FlsMaxReadNormalMode‟ for data flash.
•  FLS  driver  supports  three  flash  programming  modes:  Code  Flash  only
(CF), both Code Flash and Data Flash (CFDF) and Data Flash only (DF).
The  flash  programming  mode  can  be  configured  via  parameter
"FlsAccess". The first two programming modes (CF, CFDF) are relevant
for flash bootloader only. User application shall not program Code Flash
during  system  runtime.  From  safety  point  of  view  FLS  module  in
AUTOSAR BSW shall not include Code Flash programming functionality
and shall supFLS Data Flash access only.  Note: Flash bootloader is so
far out of scope of AUTOSAR. User is responsible to verify and use FLS
driver with proper configurations according to use-cases.
•
Fls_Cancel  Api  will  not  affect/cancel  the  Fls_Suspend  or  Fls_Resume
operations.
•
In  Fls_Suspend  the  timeout  value  for  R_FDL_Handler  will  be  300
microseconds at 200MHz.
20

Forethoughts
Chapter 4

•
Data Flash Memory Read Cycle Setting Register (EEPRDCYCL) is used to
specify the number of wait cycles to be inserted  when reading the data  in
the data flash. The initial value of the register is taken by default. If required
user application shall set this register as per P1M device user manual.
•
The  file  Interrupt_VectorTable.c  provided  is  just  a  Demo  and  not  all
interrupts  will  be  mapped  in  this  file.  So  the  user  has  to  update  the
Interrupt_VectorTable.c as per his configuration.
4.2.
Preconditions
Following preconditions have to be adhered by the user, for proper
functioning of the FLS Driver Component:
•  The  user  should  ensure  that  FLS  Driver  Component  API  requests  are
invoked  in  the  correct  and  expected  sequence  and  with  correct  input
arguments.
•  Validation of input parameters is done only when the static configuration
parameter  FLS_DEV_ERROR_DETECT  is  enabled.  Application  should
ensure that the right parameters are passed while invoking the APIs when
FLS_DEV_ERROR_DETECT is disabled.
•
A mismatch in the version numbers will result in compilation error.
Ensure that the correct versions of the header and the source files are
used.
•  The files Fls_Cfg.h, fcl_descriptor.h, fcl_cfg.h, Fls_Cbk.h, fdl_descriptor.h,
and Fls_PBcfg.c generated using FLS Generation Tool have to be linked
along with FLS Driver Component source files.
•  The FLS Driver Component needs to be initialized by calling Fls_Init()
before calling any other Fls functions.
•  Values for production code Event Ids should be assigned externally by the
configuration of the DEM.
•  The      Fls_MainFunction()  should  be  invoked  regularly  by  the  Basic
Scheduler. Though not specified by AUTOSAR, calling Fls_MainFunction
by  polling  mechanism  is  also  possible.  Ensure  that  the  FLS  Driver
Component  is  initialized  before  enabling  the  invocation  of  this  scheduled
function to avoid reporting of a DET error when enabled.
•  It  is  prohibited  to  call  user  code  in  ROM  or  FCL  functions,  which  need
ROM  execution  (i.e.  Fls_Init())  during  activated  flash  environment,  this
means  during  code  flash  programming  operations.  In  case  of  ROM
execution during code flash programming fatal error occurs.
•  A blank check pass does not confirm that it is possible to write to this word
(4 Bytes). Also partly written/erased words may have a blank check pass
but  write  is  not  allowed  under  this  condition.  A  blank  check  fail  does  not
confirm  a  stable  read  value.  Even  though  parts  of  a  word  are  at  least
partly  written,  random  read  data  are  still  possible,  so  are  ECC  error
indications for single error corrections and double error detection.
•  Due to the above shown limitations the information which can be given by
Fls_BlankCheck,  either  passing  or  failing,  is  limited.  It  cannot  be  used  to
determine  the  current  state  of  a  flash  cell  in  a  meaning  full  way  without
additional  information  obtained  by  other  means.  The  blank  check  should
only be used to confirm or check some flow status but should not be used
to determine  if  a  flash  cell  can  be  read  or  written.  FLS022, FLS055  from
AUTOSAR  Specification  of  Flash  Driver  are  not  fulfilled  here  because
blank check itself is not able to identify erasure state of flash cell which is
ready  for  write  operation.  Please  refer  to  application  note  document
"RV40F DataFlash Usage" for more details about blank check and usage
hints.
•  Fls_ReadImmediate  API  should  not  be  used  to  read  blank  cells.  User
application  shall  handle  the  errors  associated  with  blank  cell  read  using
Fls_ReadImmediate API.
21

Chapter 4                                                                                                                          Forethoughts

•
Calling FLS functions, especially Cancel/Suspend/Resume/MainFunction
Apis by a higher priority ISR must be prevented by upper layer to avoid
possible re-entrancy issue.
•
Interrupt mode supports Fls_Erase, Fls_Write APIs on Data Flash only.
•
The watchdog timer does not stop during the execution of the FCL.
•
It  is  not  possible  to  change  the  content  of  the  request  structure  during
command  operation.  If  request  data  is  changed  during  command
operation, the library will crash.
•
Before executing a write operation, please make sure the given address
range is erased.
•
If  a  cancel  request  is  accepted,  during  an  on-going  write  or  erase
operation  and  a  previous  operation  is  already  suspended,  then  both
operations will be cancelled.
•
Cancel  and  suspend/resume  operations  are  not  allowed  in  case  of  two
library instances as the effect is not evaluated.
•
Standby  is  allowed  but  both  instances  have  to  consider  that  wakeup  is
required before continuing.
•
Correct  frequency  configuration  is  essential  for  Flash  programming
quality  and  stability.  Wrong  configuration  could  lead  to  loss  of  data
retention  or  Flash  operation  fail.  If  the  CPU  frequency  is  a  fractional
value, round up the value to the nearest integer. The clock reference of
FLS  driver  is  taken  from  the  CPU  clock.Do  not  change  the  CPU
frequency  during  operation.  If  the  frequency  has  to  be  changed,
reinitialize the FLC with proper CPU frequency.
•
All  functions  are  not re-entrant.  So,  re-entrant  calls  of  any  FCL  function
must be avoided.
•
It is not possible to modify the Code Flash in parallel to a modification of
the Data Flash or vice versa due to shared hardware resources.
•
If a cancel request is accepted, during an on-going write, erase, or blank
check  operation  and  aprevious  operation  is  already  suspended,  then
both operations will be cancelled.
•  It is not always possible to nest suspend and/or stand-by.
E.g: Any operation ► suspend ► suspend – is not possible.
Any operation ► stand-by ► stand-by – is not possible.
Any operation ► stand-by ► suspend – is not possible.
Write or Erase ► suspend ► Erase operation – is not possible
Write operation ► suspend ► other Write operation – is not possible
Any  operation  ►  suspend  ►  other  operation  ►  suspend  –  is  not
possible

4.3.
Data Consistency
To support FLS the reentrancy and interrupt services, the FLS Software
component will ensure the data consistency while accessing their own
RAM storage or hardware registers. The FLS module will use below macro
for respective higher and lower version.

#if (FLS_AR_VERSION == FLS_AR_HIGHER_VERSION)

#define FLS_ENTER_CRITICAL_SECTION (Exclusive_Area)
SchM_Enter_Fls_##Exclusive_Area()

#define FLS_EXIT_CRITICAL_SECTION (Exclusive_Area)
SchM_Exit_Fls_##Exclusive_Area()

#elif (FLS_AR_VERSION == FLS_AR_LOWER_VERSION)

#define FLS_ENTER_CRITICAL_SECTION (Exclusive_Area)
SchM_Enter_Fls(Exclusive_Area)

22

Forethoughts
Chapter 4

#define FLS_EXIT_CRITICAL_SECTION (Exclusive_Area)
SchM_Exit_Fls(Exclusive_Area)
#endif

The following exclusive areas along with scheduler services are used to
provide data integrity for shared resources:
    FLS_DRIVERSTATE_DATA_PROTECTION

4.4.
Deviation List
Table 4-1  FLS Driver Component Deviation List

Sl. No.
Description
AUTOSAR
Bugzilla
1.
The  fast  mode  parameters  „FlsMaxReadFastMode‟  and
-
„FlsMaxWriteFastMode‟  of  the  container  „FlsConfigSet are
unused.
2.
The parameters „FlsAcLoadOnJobStart‟ and
-
„FlsUseInterrupts‟ of the container „FlsGeneral‟ is unused.
3.
The flash access routines are not placed into a separate
-
C-module like 'Fls_ac.c'.
4.
The flash access code is not loaded to RAM on job start.
-
5.
The parameters „FlsDefaultMode‟ and „FlsProtection‟,
-
FlsAcWrite‟ and „FlsAcErase‟ of the container „FlsConfigSet‟
are unused.
6.
The parameters „FlsAcLocationErase‟, „FlsAcLocationWrite‟,  -
„FlsAcSizeErase‟ and „FlsAcSizeWrite‟ of the container
„FlsPublishedInformation‟ are unused.
7.
The component will support only the on-chip flash memory.
-
External flash is not in the scope of this implementation.
8.
FLS_E_READ_FAILED_DED  error  code  will  be  reported  to  -
DEM  if  read  job  is  failed  when  double  bit  ECC  error  is
generated.
9.
The  API  Fls_GetVersionInfo  is  implemented  as  macro  -
without DET error FLS_E_PARAM_POINTER.

4.5.
User mode and supervisor mode
The below table specifies the APIs which can run in user mode, supervisor
mode or both modes

23

Chapter 4                                                                                                                          Forethoughts

   Table 4-2                 User mode and Supervisor mode details when Data Flash enabled
Sl. No  API Name
User Mode
Supervisor
Known limitation in User mode
Mode

The Fls_Init is failing in User

mode because the Library

initialization R_FDL_Init is failing

while executing the API's

R_FDL_IFct_ExeCodeInRAM

which is located in

Fls_Init
-
x
r_fdl_hw_access.c file. This
1
function will execute from the
RAM and is fails due to ICCTRL
have access permission in only
supervisor mode.
2
Fls_Read
x
x
-
.
3
Fls_SetMode

.
4
Fls_Write
x
x
-
.
5
Fls_Cancel
x
x
-
6
Fls_GetStatus
x
x
-
.
7
Fls_GetJobResult
x
x
-
8
Fls_Erase
x
x
-
.
9
Fls_Compare
x
x
-
.
10
x
x
-
Fls_GetVersionInfo
11
x
x
Fls_MainFunction
-
12
Fls_BlankCheck
x
x
-
13
x
x
Fls_ReadImmediate
-
12.
x
x
Fls_Suspend
-
13.
Fls_Resume
x
x
-

24

Forethoughts
Chapter 4

  Table 4-3                User mode and Supervisor mode details When Code Flash enabled
Sl. No  API Name
User Mode
Supervisor  Known limitation in User mode
Mode
1
-
x
The Fls_Init is failing in User mode
because the Library initialization
R_FCL_Init is failing while
executing the library functions in
RAM. This is because the function
“R_FCL_FCUFct_PrepareEnviron
ment" and internally calls the
function
"R_FCL_FCUFct_Clear_Cache"
Fls_Init
which clears the flash cache. The

"R_FCL_FCUFct_Clear_Cache"
function will execute STSR
instruction (store contents of
system register) for storing
contents of ICCTRL (instruction
cache control) to system register.
Since the ICCTRL have the access
permission in only supervisor mode
and is fails in user mode.
2
Fls_Read
x
x
-
.
3
Fls_SetMode

4
Fls_Write
x
x
-
.
5
Fls_Cancel
x
x
-
.
6
Fls_GetStatus
x
x
-
.
7
Fls_GetJobResult
x
x
-
.
.
8
Fls_Erase
x
x
-
.
9
Fls_Compare
x
x
-
.
10
Fls_GetVersionInfo
x
x
-
11
-
x
The Fls_MainFunction is failing in
User mode because it will process
all internal functions which will
execute the R_FCL_Handler and
_R_FCL_Execute functions in
RAM. This is because the function
"R_FCL_FCUFct_HandleMultiOper
ation" and internally calls the
function
Fls_MainFunction
"R_FCL_FCUFct_Clear_Cache"
which clears the flash cache. The
"R_FCL_FCUFct_Clear_Cache"
function will execute STSR
instruction (store contents of
system register) for storing
contents of ICCTRL (instruction
cache control) to system register.
Since the ICCTRL have the access
permission in only supervisor mode
and is fails in user mode.

25

Chapter 4 Forethoughts

26

Architecture Details
Chapter 5

Chapter 5
Architecture Details
The FLS Software architecture is shown in the following figure. The FLS user
shall directly use the APIs to configure and execute the FLS conversions:

Application/RTE invoking

AUTOSTAR defined Flash operations

Flash Driver Software Components - FLS

Code Flash access layer / Data Flash

access Layer

Flash Hardware

Figure 5-1 FLS Driver Component Architecture

The basic architecture of the FLS Driver Component is illustrated in the
following Figure:
27

Chapter 5 Architecture Details

Application layer

Fls_GetVersionInfo()
Fls_Read()
Fls_Co
Fls_GetJobResult()
Fls_Can
Fls_Write()
Fls_Erase()
mpare(
Fls_GetStatus()
cel()
)

Fls_SetMode()

Fls_MainFunction()
Fls_Init()

Return
Return
Fls_Ge
Fls_Ge
R_FCL_I
Return
Cancels
Fls_Ge
R_FCL_Execute
Fls_GenC
s
s
nCom
nCom
nit ()
s the
the
nCom
R_FCL_Handler
ommand
withou
version
mand
mand

status/r
current
mand
R_FDL_Execute
=
t any
inform
=
=

esult
ongoing
=
R_FDL_Handler
FLS_CO
functio
ation
FLS_C
FLS_C
job
FLS_C
MMAND

nality
OMM
OMM

OMM
_ERASE
AND_
AND_

AND_
READ

COMP

WRIT
ARE
R_FC

L_Cop
R_FDL_

ySecti
Init ()
Compare bytes
ons ()
in buffer with
flash memory

FLS Driver layer

FDL layer
FCL layer

Micro Controller

Figure 5-2 Component Overview Of FLS Driver Component

The internal architecture of FLS Driver Component is shown in the above
figure. The FLS Driver Component Software Component provides services for:

The FLS Driver Component is divided into the following sub modules based on
the functionality required:

•
Initialization
•
Erasing the flash memory
•
Writing to the flash memory
•
Reading the flash memory
•
Fast Read to the application memory without performing blank check
•
Validating contents of flash memory
•
Cancellation of Request
•
Reading result and status information
•
Module version information
•
Blank check of flash memory
•
Job Processing
•
Fls_Suspend suspends the ongoing job.
•
Fls_Resume performs the resume of previous suspended job.

28

Architecture Details
Chapter 5

Initialization

The initialization sub-module provides the service for initialization of the flash
driver and  initializes the  global  variables used  by  the FLS Component. FCL
initialization  API  (R_FCL_Init)  will  be  used  for  successful  initialization  of
internal  code  flash  programming  environment  and  internal  variables.  After
successful FCL initialization, R_FCL_Copysections function will be called for
copying the FCL routines to RAM. FDL initialization API (R_FDL_Init) will be
used  for  successful  initialization  of  internal  data  flash  programming
environment and internal variables.

The API related to this sub-module is Fls_Init().

Flash Memory Erasing Module

This  sub-module  provides  the  service  for  erasing  the  blocks  of  the  flash
memory.  The  request  will  be  processed  by  the  job  processing  function
Fls_MainFunction(). In this job processing function the FCL library functions
R_FCL_Execute  and  R_FCL_Handler  are  called  to  erase  the  requested
code  flash  memory  blocks.  The  FDL  library  functions  R_FDL_Execute  and
R_FDL_Handler are called to erase the requested data flash memory blocks.
In  single  cycle  of  Fls_MainFunction()  call,  R_FCL_Handler()  erase  the
number  of  code  flash  memory  blocks  of  flash  memory  depending  on
configuration
of
parameter
FlsMaxCFEraseNormalMode
and
R_FDL_Handler()  erase  the  number  of  data  flash  memory  blocks  of  flash
memory depending on configuration of parameter FlsMaxEraseNormalMode.
The job is processed till the requested numbers of blocks are erased in the
flash memory.
The API related to this sub-module is Fls_Erase().

Flash Memory Reading Module

This  sub-module  provides  the  service  for  reading  the  contents  of  the  flash
memory.  The  request  will  be  processed  by  the  job  processing  function
Fls_MainFunction  ().  In  this  job  processing  function  blank  check  for  the
specified  words  will  be  initiated  first.  If  the  cell  is  blank  then  the  application
buffer  will  be  filled  with  the  value  specified  by  the  parameter
„FlsErasedValue‟. If the cell is not blank then reading of the specified words
from  the  Flash  memory  will  be  initiated  by  calling  the  FCL  or  FDL  library
function. This function reads the specified number of words from consecutive
Flash addresses starting at the specified address and writes it into a buffer.
In  single  cycle  of  Fls_MainFunction()  call,  R_FDL_FCUFct_ReadOperation
will
read
the
data
from
the
data
flash
memory
and
Fls_CF_read_memory_u08  will  read  byte  data  from  code  flash  memory
depending  on  configuration  of  parameter  FlsMaxReadNormalMode  for  data
flash  and  FlsMaxCFReadNormalMode  foe  code  flash. The  job  is  processed
till the requested bytes of length are copied into the application buffer.
The API related to this sub-module is Fls_Read ().

Flash Memory Writing Module

This  sub-module  provides  the  service  for  writing  to  the  flash  memory.  The
request will be processed by the job processing function Fls_MainFunction().
In this  job  processing  function  the  writing  of  specified  number  of data bytes
from buffer to flash memory will be initiated by calling either the FCL or FDL
library  function.  These  functions  write  the  specified  number  of  words  from
buffer  to  consecutive  Flash  addresses  starting  at  the  specified  address.  In
single  cycle  of  Fls_MainFunction()  call,  either  R_FCL_Handler()  or
R_FDL_Handler()  writes  the  data  from  target  buffer  to  flash  addresses
depending  on  configuration  of  parameter  FlsMaxWriteNormalMode  for  data
29

Chapter 5                                                                                                                Architecture Details

flash  and  FlsMaxCFWriteNormalMode  for  code  flash.  The  job  is  processed
till the requested number of bytes is written to the flash memory.

The API related to this sub-module is Fls_Write().

Flash Memory Contents Validating Module

This sub-module provides the service for comparing the contents of the flash
memory with the application buffer. The request will be processed by the job
processing  function  Fls_MainFunction  ().  This  compare  operation  will  be
implemented  by  calling  either  FCL  or  FDL  library  function.  These  functions
initiate reading of defined words in flash and store it in the temporary buffer.
Then  actual  data  in  application  buffer  will  be  compared  with  data  in
temporary  buffer.  Here  data  will  be  compared  in  terms  of  bytes.  In  single
cycle
of
Fls_MainFunction()
call,
either
R_FCL_Handler()
or
R_FDL_Handler()  will  read  the  data  from  the  flash  memory  depending  on
configuration  of  parameter    FlsMaxReadNormalMode  for  data  flash  and
FlsMaxCFReadNormalMode  for  code  flash.  The  job  is  processed  till  the
requested  number  of  bytes  are  read  and  compared  with  the  application
buffer.
The API related to this sub-module is Fls_Compare().

Request Cancellation Module

This  sub-module  provides  the  service  for  cancelling  an  ongoing  memory
request.  After  aborting  the  current  ongoing  memory  operations  this  sub-
module  prepares  internal  variables  to  accept  the  next  Read/Write/Erase/
Compare  command.  The  cancel  request  will  be  synchronous  and  a  new  job
can be requested immediately after the return from this function.

The API related to this sub-module is Fls_Cancel().

Result Reading And Status Information Providing Module

This  sub-module  provides  the  services  for  getting  the  current  status  of  the
module  or  results  of  the  initiated  job  request  or  the  response  to  previously
issued command and return the current status of the current job execution. All
these services  will be done by evaluating either FCL  or FDL functions status
and error codes from FCL or FDL library.

The APIs related to this sub-module are Fls_GetStatus, Fls_GetJobResult.

Software Component Version Info Module

This  module  provides  API  for  reading  Module  Id,  Vendor  Id  and  vendor
specific version numbers.

The API related to this sub-module is Fls_GetVersionInfo().

Job Processing Module

The  command  requests  are  always  processed  by  the  main  function
(Fls_MainFunction)  that  is  invoked  cyclically  by  the  scheduler.  This  function
will  invoke  the  status  check  of  the  FCL  or  FDL  library  while  processing  the
flash  operations  requests.  This  API  derives  the  internal  driver  status.
Completion of the flash operation needs to be checked in order to continue the
reprogramming flow.

Fls_BlankCheck
This sub-module provides the service for performing blank check of the flash
memory words. The request will be processed by the job processing function
30

Architecture Details
Chapter 5

Fls_MainFunction().  This  function  is  invoked  to  perform  the  blank  check  of
the  single  word.  The  FDL  library  function  R_FDL_Handler  is  called  to
perform  the  requested  data  flash  memory  word  blank  check.  The  job  is
processed till the requested numbers of words are performed with the blank
check in the flash memory.
The  API  related  to  this  sub-module  is  Fls_BlankCheck().This  API  is
applicable for Data Flash only.

Fls_ReadImmediate

This  sub-module  provides  the  service  for  reading  the  contents  of  the  flash
memory.  The  request  will  be  processed  by  the  job  processing  function
Fls_MainFunction (). This function reads the specified number of words from
consecutive  Flash  addresses  starting  at  the  specified  address  and  writes  it
into  a buffer. In single cycle of Fls_MainFunction() call, R_FDL_Handler  will
read  the  data  from  the  data  flash  memory.  The  data  from  flash  memory
(source  address)  is  read  to  the  data  buffer  (Target  address)  of  application
without  performing  blank  check  before  read.  The  job  is  processed  till  the
requested bytes of length are copied into the application buffer.
The  API  related  to  this  sub-module  is  Fls_ReadImmediate  ().  This  API  is
applicable for Data Flash only.

Fls_Suspend

This sub-module provides the service of suspending the ongoing job.
Fls_Suspend is synchronous API. Fls_Suspend will block CPU (by calling FDL
handler) for certain of time to perform suspend operation
(R_FDL_SuspendRequest) and confirm the suspended status of the FDL
library.

Fls_Resume

This sub-module provides the service of resume of previous suspended job.
Fls_Resume is synchronous API. Fls_Resume acknowledges the resume
request by calling R_FDL_ResumeRequest command and it returns
immediately.

31

Chapter 5 Architecture Details

32

Registers Details
Chapter 6

Chapter 6
Registers Details
This section describes the register details of FLS Driver Component.

Table 6-1 Register Details
Register
Register
Macro/Variable
Access
Access
Config
Registers
8/16/32
R/W/RW
API Name
Parame
Used
bits
ter

FLMDCNT
32
RW
-
FLS_FLMDCNT
Fls_SetFLMD0
FLMDPCM
32
RW
-
FLS_FLMDPCMD
D

FHVE3
32
RW
-
FLS_FHVE3
Fls_SetFHVE
FHVE15
32
RW
-
FLS_FHVE15

31

Chapter 6 Registers Details

32

Interaction Between The User And FLS Driver Component
Chapter 7

Chapter 7 Interaction Between The User And FLS
Driver Component
The details of the services supported by the FLS Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

7.1.
Services Provided By FLS Driver Component To The
User

The FLS Driver Component provides the following functions to upper layers:

•
Programming of code flash
•
Writing contents to data flash memory
•
Erase flash memory sectors
•
Read flash contents to the application memory
•
Fast Read to the application memory without performing blank check
•
Validate flash contents comparing with the application memory
•
Cancel the ongoing erase, write, read or compare requests.
•
Read the result of the last job
•
Blank check of flash memory
•
Read the status of the FLS Driver Component.
•
Fls_Suspend suspends the ongoing job.
•
Fls_Resume performs the resume of previous suspended job.
33

Chapter 7 Interaction Between The User And FLS Driver Component

34

FLS Driver Component Header And Source File Description
Chapter 8

Chapter 8 FLS Driver Component Header And
Source File Description

This section explains the FLS Driver Component‟s C Source and C Header
files. These files have to be included in the project application while integrating
with other modules.

The C header file generated by FLS Software Generation Tool:
For only Code Flash access
•
Fls_Cbk.h
•
Fls_Cfg.h
•
fcl_descriptor.h
•
fcl_cfg.h

For only Data Flash access
•
Fls_Cbk.h
•
Fls_Cfg.h
•
fdl_descriptor.h

For both Code Flash and Data Flash access
•
Fls_Cbk.h
•
Fls_Cfg.h
•
fcl_descriptor.h
•
fcl_cfg.h
•
fdl_descriptor.h

The C source file generated by FLS Driver Generation Tool:

•
Fls_PBcfg.c

The FLS Driver Component C header files:
•
Fls.h
•
Fls_Debug.h
•
Fls_Internal.h
•
Fls_Types.h
•
Fls_PBTypes.h
•
Fls_Version.h
•
Fls_Ram.h
•
Fls_Irq.h

The FLS Driver Component source files:
•
Fls.c
•
Fls_Internal.c
•
Fls_Ram.c
•
Fls_Version.c
•
Fls_Irq.c

The FLS specific C header files:
•
Compiler.h
•
Compiler_Cfg.h
•
MemMap.h
•
Platform_Types.h

The FCL and FDL library header and source files:
•
r_fcl.h
•
r_fcl_env.h
•
r_fcl_global.h
35

Chapter 8                                            FLS Driver Component Header And Source File Description

•
r_fcl_types.h
•
r_fdl.h
•
r_fdl_env.h
•
r_fdl_global.h
•
r_fdl_types.h
•
r_fdl_mem_map.h
•
fdl_cfg.h
•
r_typedefs.h
•
r_fdl_user_if.c
•
r_fdl_hw_access.c
•
r_fcl_user_if.c
•
r_fcl_hw_access_asm.850
•
r_fcl_hw_access.c
•
fcl_descriptor.c
•
fdl_descriptor.c

The description of the FLS Driver Component files is provided in the table
below:

         Table 8-1                Description of the FLS Driver Component Files

File
Details
Fls_Cfg.h
This file is generated by the FLS Software Generation Tool for various
FLS Driver Component pre-compile time  parameters.   The macros and
the parameters generated will vary with respect to the configuration in the
input ECU Configuration description file. This file also contains the handles
for Fls Pin configuration set.
Fls_Cbk.h
This file contains declarations of notification functions to be used by the
application. The notification function name can be configured.
fcl_cfg.h
This  file  contains  the  device  specific  parameter  that  needs  to  be
configured  for different devices.
Fls_PBcfg.c
This file contains post-build configuration data. The structures
related to FLS Initialization are provided in this file. Data structures
will vary with respect to parameters configured.
Fls.h
This  file  provides  extern  declarations  for  all  the  FLS  Driver  Component
APIs.  This  file  provides  service  Ids  of  APIs,  DET  Error  codes  and  type
definitions for FLS Software initialization structure. This header file shall be
included in other modules to use the features of FLS Driver Component.
Fls_Debug.h
This file provides Provision of global variables for debugging purpose.
Fls_Internal.h
This file contains the prototypes for internal functions of Flash Wrapper
Component.
Fls_Types.h
This file contains the common macro definitions and the data types
required internally by the FLS software component.
Fls_Ram.h
This file contains the extern declarations for the global variables that are
defined in Fls_Ram.c file and the version information of the file.
Fls_Version.h
This file contains the macros of AUTOSAR version numbers of all modules
that are interfaced to FLS.
Fls_Irq.h
This file contains the external declaration for the interrupt functions used
by FLS Driver Module.
Fls.c
This file contains the implementation of all APIs.
Fls_Ram.c
This file contains the global variables used by FLS Driver Component.
Fls_Internal.c
This file contains the  Internal functions  implementations of flash wrapper
component.
36

FLS Driver Component Header And Source File Description
Chapter 8

File
Details
Fls_Version.c
This file contains the code for checking version of all modules that are
interfaced to FLS.
Fls_Irq.c
This file contains the implementation of all the interrupt functions used by
FLS Driver Module.
Compiler.h
Provides  compiler  specific  (non-ANSI)  keywords.  All  mappings  of
keywords, which are not standardized, and/or compiler specific are placed
and organized in this compiler specific header.
Compiler_Cfg.h
This file contains the memory and pointer classes.
MemMap.h
This  file  allows  to  map  variables,  constants  and  code  of  modules  to
individual memory sections. Memory mapping can be modified as per ECU
specific needs.
Platform_Types.h
This file provides provision for defining platform and compiler dependent
types.
fdl_descriptor.h
This file contains FDL run-time configuration descriptor variable related
defines.
fdl_cfg.h
This file contains FDL pre-compile definitions.
r_fcl.h
Header file containing FCL user interface function prototypes.
r_fcl_types.h
This File contains the FCL user interface type definitions.
r_fcl_global.h
This  file contains FCL  Flash programming global  type  defines, function
and variables.
r_fcl_env.h
This file contains FCL Flash programming hardware related definitions.
r_fdl.h
Header file containing FDL user interface function prototypes.
r_fdl_types.h
This File contains the FDL user interface type definitions.
r_fdl_global.h
This file contains  FDL  Flash  programming  global type  defines, function
and variables.
r_fdl_env.h
This file contains FDL Flash programming hardware related definitions.
r_typedefs.h
This file contains renesas standard type definitions.
fcl_descriptor.h
This file contains FCL run-time configuration descriptor variable related
defines.
r_fcl_user_if.c
This file contains the FCL user interface functions.
r_fcl_hw_access.c
This file contains the FCL hardware interface functions.
fcl_descriptor.c
This file contains the Descriptor variable definition.
r_fdl_user_if.c
This file contains the FDL user interface functions.
r_fdl_hw_access.c
This file contains the FDL hardware interface functions.
fdl_descriptor.c
This file contains the Descriptor variable definition.
r_fcl_hw_access_as
This file contains the FCL hardware interface functions.
m.850
Fls_PBTypes.h
This file contains the type definitions of post build parameters. It also
contains the macros used by the FLS Driver Component.
r_fdl_mem_map.h
This file contains FDL section mapping definitions.
rh850_Types.h
This file provides macros to perform supervisor mode (SV) write enabled
Register ICxxx and IMR register writing using OR/AND/Direct operation.
37

Chapter 8 FLS Driver Component Header And Source File Description

38

Generation Tool Guide
Chapter 9

Chapter 9
Generation Tool Guide
For information on the FLS Driver Code Generation Tool, please refer
“AUTOSAR_FLS_Tool_UserManual.pdf” document.
39

Chapter 9 Generation Tool Guide

40

Application Programming Interface
Chapter 10

Chapter 10  Application Programming Interface
This section explains the Data types and APIs provided by the FLS Driver
Component to the Upper layers.
10.1. Imported Types

This section explains the Data types imported by the FLS Driver Component
and lists its dependency on other modules.

10.1.1. Standard Types
In this section all types included from the Std_Types.h are listed:
• Std_VersionInfoType
10.1.2. Other Module Types
In this section all types included from the Dem.h are listed.
• Dem_EventIdType
• Dem_EventStatusType
• Memif_JobResultType
• Memif_StatusType

10.2. Type Definitions

This section explains the type definitions of FLS Driver Component according
to AUTOSAR Specification
Table 10-1  Fls_CommandType

Name:
Fls_CommandType
Type:
Enumeration

FLS_COMMAND_NONE
Used to Set the command to none.

FLS_COMMAND_ERASE
Command used for Erase.

FLS_COMMAND_WRITE
Command used for Write.
Range:
FLS_COMMAND_READ
Command used for Read.
FLS_COMMAND_COMPARE
Command used for Compare.
FLS_COMMAND_BLANKCHECK
Command used for Blank check.

FLS_COMMAND_READ_IMM
Command used for fast Read.
Description:  Enumeration for driver commands.

Table 10-2  Fls_FlashType

Name:
Fls_FlashType
Type:
Enumeration

FLS_DF_ACCESS
Indicate the operations to be performed
Range:
for data flash.
FLS_CF_ACCESS
Indicate the operations to be performed
for code flash.
Description:  Enumeration for flash access type.

41

Chapter 10                                                                                   Application Programming Interface

10.3. Function Definitions

            Table 10-3             Function Definitions

Sl. No
API’s
API’s specific

1.
Fls_Init
-
2.
Fls_Erase
-
3.
Fls_Write
-
4.
Fls_Cancel
-
5.
Fls_GetStatus
-
6.
Fls_GetJobResult
-
7.
Fls_Read
-
8.
Fls_Compare
-
9.
Fls_SetMode
-
10.
Fls_GetVersionInfo
-
11.
Fls_MainFunction
-
12.
FlsJobEndNotification
-
13.
FlsJobErrorNotification
-
14.
Fls_BlankCheck
-
15.
Fls_ReadImmediate
-
16.
Fls_Suspend
-
17.
Fls_Resume
-
42

Development And Production Errors
Chapter 11

Chapter 11  Development And Production Errors

In this section the development errors that are reported by the FLS Driver
Component are tabulated. The development errors will be reported only when
the pre compiler option FlsDevErrorDetect is enabled in the configuration.
The production code errors are not supported by FLS Driver Component.

11.1  FLS Driver Component Development Errors
The following table contains the DET errors that are reported by FLS Driver
Component. These errors are reported to Development Error Tracer Module
when the FLS Driver Component APIs are invoked with wrong input
parameters or without initialization of the driver.

Table 11-1  DET Errors of FLS Driver Component

Sl. No.
1
Error Code
FLS_E_UNINIT
Related API(s)
Fls_Erase, Fls_Write, Fls_Read, Fls_Compare, Fls_Cancel,
Fls_GetStatus, Fls_GetJobResult, Fls_MainFunction, Fls_Init,
Fls_ReadImmediate, Fls_BlankCheck, Fls_Suspend,
Fls_Resume
Source of Error
When the API service is invoked before initialization.
Sl. No.
2
Error Code
FLS_E_PARAM_ADDRESS
Related API(s)
Fls_Erase, Fls_Write, Fls_Read, Fls_Compare, Fls_ReadImmediate,
Fls_BlankCheck
Source of Error
When the API service is invoked with a wrong address.
Sl. No.
3
Error Code
FLS_E_PARAM_LENGTH
Related API(s)
Fls_Erase, Fls_Write, Fls_Read, Fls_Compare, Fls_ReadImmediate,
Fls_BlankCheck
Source of Error
When the API service is invoked with a wrong length.
Sl. No.
4
Error Code
FLS_E_PARAM_DATA
Related API(s)
Fls_Write, Fls_Read, Fls_Compare, Fls_ReadImmediate
Source of Error
When the API service is invoked with a NULL buffer address.
Sl. No.
5
Error Code
FLS_E_BUSY
Related API(s)
Fls_Init, Fls_Erase, Fls_Write, Fls_Read, Fls_Compare,
Fls_ReadImmediate, Fls_BlankCheck
Source of Error
When the API service is invoked when the driver is still busy.
Sl. No.
6
Error Code
FLS_E_VERIFY_ERASE_FAILED
Related API(s)
Fls_MainFunction
Source of Error
When the erase verification fails.
Sl. No.
7
43

Chapter 11 Development And Production Errors

Error Code
FLS_E_VERIFY_WRITE_FAILED
Related API(s)
Fls_MainFunction
Source of Error
When the write verification fails.
Sl. No.
8
Error Code
FLS_E_PARAM_CONFIG
Related API(s)
Fls_Init
Source of Error
API initialization service invoked with wrong parameter.
Sl. No.
9
Error Code
FLS_E_TIMEOUT
Related API(s)
Fls_MainFunction
Source of Error
API service invoked when time out supervision of a read, write, erase or
compare job failed
Sl. No.
10
Error Code
FLS_E_INVALID_DATABASE
Related API(s)
Fls_Init
Source of Error
API service Fls_Init called without/with a wrong database is reported
using following error code

11.2
FLS Driver Component Production Errors
The following table contains the DEM errors that are reported by FLS Driver
Component. These are the hardware errors reported during runtime.

Table 11-2 DEM Errors of FLS Driver Component
Sl. No.
1
Error Code
FLS_E_ERASE_FAILED
Related API(s)
Fls_CFProcessEraseCommand and Fls_DFProcessEraseCommand
Source of Error
When the Erase API service is invoked and the FCL or FDL returns the job
result as failed. Error will be reported by the job processing function.
Sl. No.
2
Error Code
FLS_E_WRITE_FAILED
Related API(s)
Fls_CFProcessWriteCommand and Fls_DFProcessWriteCommand
Source of Error
When the Write API service is invoked and the FCL or FDL returns the job
result as failed.
Error will be reported by the job processing function.
Sl. No.
3
Error Code
FLS_E_READ_FAILED
Related API(s)
Fls_CFProcessReadCommand and Fls_DFProcessReadCommand
Source of Error
When the Read API service is invoked and the FCL or FDL returns the job
result as failed.
Error will be reported by the job processing function.
Sl. No.
4
Error Code
FLS_E_COMPARE_FAILED
Related API(s)
Fls_CFProcessCompareCommand and Fls_DFProcessCompareCommand
44

Development And Production Errors
Chapter 11

Source of Error
When the Compare API service is invoked and the FCL or FDL returns the job
result as failed.
Error will be reported by the job processing function.
Sl. No.
5
Error Code
FLS_E_READ_FAILED_DED
Related API(s)
Fls_DFProcessReadCommand
Source of Error
When the Read API service is invoked and the FDL returns the job result
as failed when double bit ECC error is generated.
Error will be reported by the job processing function.
45

Chapter 11 Development And Production Errors

46

Memory Organization
Chapter 12

Chapter 12  Memory Organization
Following picture depicts a typical memory organization, which must be met for
proper functioning of FLS Driver Component software.

ROM Section
FLS Driver Component
RAM Section

Library/ Object Files

FLS Driver code related to
   Segment Name:

APIs are placed in this
X1
   NOINIT_RAM_UNSPECIFIED

Y1

memory. Segment Name:

FLS_PUBLIC_CODE_RAM

Segment Name:
X2
Segment Name:

FLS_PRIVATE_CODE_RAM
R_FDL_Data
Y2

Segment Name:
X3

FLS_SAMPLE_CODE_RAM
Segment Name:
Y3

R_FCL_DATA

Segment Name:

R_FCL_CODE_ROM
X4

Segment Name:

Segment Name:
FLS_PUBLIC_CODE_RAM
Y4

R_FCL_CODE_RAM
X5

Segment Name:

R_FCL_CODE_ROMRAM
Segment Name:
X6

FLS_PRIVATE_CODE_RAM
Y5

Segment Name:

R_FCL_CODE_RAM_EX_PROT
X7

Segment Name:

FLS_SAMPLE_CODE_RAM
Y6
Segment Name:

FLS_FAST_CODE_ROM
X8

Segment Name:
Segment Name:

X9
reserved_FCLCopy
Y7
RAM_UNSPECIFIED

Segment Name:

FLS_CFG_DBTOC_UNSPECIFIED
Segment Name:
X10

Y8

Segment N
ame:

R_FDL_Text
  X11
Segment Name:

RAM_1BIT
Y9

Segment Name:


X12

R_FDL_Const

     Segment Name:
FL S_BUFFER_CODE_RAM
Y10

Figure 12-1  FLS Driver Component Memory Organization
47

Chapter 12                                                                               Memory Organization

ROM Sections:

FLS_PUBLIC_CODE_RAM  (X1):  This  section  consists  of  FLS  Driver
Component  internal  functions  and  scheduler  function  that  can  be  located  in
code memory. This section is copied on to RAM by the GHS start-up routines.

FLS_PRIVATE_CODE_RAM  (X2):  This  section  consists  of  FLS  Driver
Component APIs and FCL functions that can be located in code memory. This
section is copied on to RAM by the GHS start-up routines.

FLS_SAMPLE_CODE_RAM  (X3):  This  section  needs  to  be  aligned  at  the
end of FLS code sections in RAM, for exception protection.

R_FCL_CODE_ROM (X4): This section needs to be aligned at the end of FCL
code sections in RAM, for exception protection. This section is copied to RAM
by FCL library internal mechanism.

R_FCL_CODE_RAM  (X5):    This  section  contains  the  code  executed  at  the
beginning  of  self-programming.  This  code  is  executed  at  the  original  location,
e.g. internal Flash. The library initialization is part of this section

R_FCL_CODE_ROMRAM  (X6):    This  section  contains  the  FCL  library.  This
section is copied to RAM by FCL library internal mechanism.

R_FCL_CODE_RAM_EX_PROT (X7):  This  section  contains  the  FCL  library.
This section is copied to RAM by FCL library internal mechanism or remains in
the ROM depending on FCL mode setting.

FLS_FAST_CODE_ROM (X8):  Interrupt  functions  of  FLS  Driver  Component
code that can be located in code memory.

R_FDL_Text (X11): This section consists of the FDL code. This can be located
in code memory.

R_FDL_Const (X12):  This section consists of the constants in ROM that  are
used by FDL software component. This can be located in code memory.

RAM Sections: Following are the Ram sections mapped.

NOINIT_RAM_UNSPECIFIED (Y1):  This section consists of the global RAM
variables that are used internally by FLS software component and other
software components. The specific sections of respective software
components will be merged into this RAM section accordingly.

R_FDL_Data (Y2): This section consists of the global RAM pointer variables
that  are used  by FDL  software  component.  This  can be located  in data
memory.

R_FCL_DATA (Y3): This section consists of the global RAM pointer variables
that  are  used  by  FCL  software  component.  This  can  be  located  in  data
memory

FLS_PUBLIC_CODE_RAM  (Y4):  This  section  consists  of  FLS  Driver
48

Memory Organization
Chapter 12

Component.  These  sections  are  copied  on  to  RAM  by  the  GHS  start-up
routines.

FLS_PRIVATE_CODE_RAM  (Y5):  This  section  consists  of  FLS  internal
software component. These sections are copied on to RAM by the GHS start-
up routines.

FLS_SAMPLE_CODE_RAM (Y6): This section needs to be aligned at the end
of the FLS code sections in RAM, for exception protection. These sections are
copied on to RAM by the GHS start-up routines

reserved_FCLCopy (Y7):  This  section is  required for  locating the  underlying
FCL  library  component. It  must  be  assured to  locate  this  section  at  the  RAM
start.  This  needs  to  be  in-line  with  FLS  configuration  parameter
“FclRamAddress”.

NOINIT_RAM_32BIT (Y8): This section consists of  the global RAM  variables
of  32-bit  size  that  are  used  internally  by  FLS  software  component and  other
software  components.  The  specific  sections  of  respective  software
components will be merged into this RAM section accordingly.

RAM_1BIT (Y9): This section consists of the global RAM variables of 1-bit size
that  are  initialized  by  start-up  code  and  used  internally  by  FLS  software
component  and  other  software  components.  The  specific  sections  of
respective  software  components  will  be  merged  into  this  RAM  section
accordingly.

FLS_BUFFER_CODE_RAM(Y10):  This  section  consists  of  the  global  RAM
variables  used  for  temporary  buffer  that  are  initialized  by  start-up  code  and
used  internally  by  FLS  Driver  Component  and  other  software  components.
The specific sections  of respective software components  will be merged  into
this RAM section accordingly.

RAM_UNSPECIFIED(X9):  This  section  consists  of  the  global  RAM  variables
that  are  generated  by  FLS  Driver  Component  Generation  Tool.  This  can  be
located in data memory.

FLS_CFG_DBTOC_UNSPECIFIED(X10): This section consists of FLS Driver
Component  database  table  of  contents  generated  by  the  FLS  Driver
Component Generation Tool. This can be located in code memory.

49

Chapter 12 Memory Organization

50

P1M Specific Information                                                                                                  Chapter 13

Chapter 13  P1M Specific Information

P1M supports following devices:

  R7F701304
  R7F701305
  R7F701310
  R7F701311
  R7F701312
  R7F701313
  R7F701314
  R7F701315
  R7F701318
  R7F701319
  R7F701320
  R7F701321
  R7F701322
  R7F701323

13.1.  Interaction between the User and FLS Driver
Component
The details of the services supported by the FLS Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

13.1.1. Translation header File
  The translation header file supports following devices:
  R7F701304
  R7F701305
  R7F701310
  R7F701311
  R7F701312
  R7F701313
  R7F701314
  R7F701315
  R7F701318
  R7F701319
  R7F701320
  R7F701321
  R7F701322
  R7F701323

13.1.2. Services Provided By FLS Driver Component to the User

The FLS Driver Component provides the following functions to upper layers:
•
Programming of code flash
•
Erase memory sectors
•
Read flash contents to the application memory
•
Fast read immediate to the application memory without blankcheck.
51

Chapter 13                                                                        P1M Specific Information

•
Validate flash contents comparing with the application memory
•
Cancel the ongoing erase, write, read or compare requests.
•
Read the result of the last job
•
Blank check of flash memory sector.
•
Read the status of the FLS Driver Component.
•
Suspend the erase, write and read operation.
•
Resume the erase, write and read operation.

13.1.3. Parameter Definition File
                           Table 13-1               PDF information for P1M
PDF files
Devices
supported
R403_FLS_P1M_04_05.arxml
701304, 701305
701310, 701311, 701312, 701313,
R403_FLS_P1M_10_to_15.arxml
701314, 701315
701318, 701319, 701320, 701321,
R403_FLS_P1M_18_to_23.arxml
701322, 701323

13.1.4. ISR Functions for FLS module
The table below provides the list of handler addresses corresponding to the hardware unit ISR(s)
in FLS Driver Component. The user should configure the ISR functions mentioned below:

          Table 13-2                Interrupt Functions For FLS Module

Interrupt Source
Name of the ISR Function
FLENDNM_ISR
FLS_FLENDNM_ISR

FLS_FLENDNM_CAT2_ISR

13.2. Sample Application
13.2.1 Sample Application Structure
The Sample Application is provided as reference to the user to understand the
method in which the FLS APIs can be invoked from the application. The
Sample Application is provided for three use-cases of only data flash or only
code flash or for both code flash and data flash supported. Depending on the
configured use-case, the Sample Application is built based on setting of the
flag 'FLS_ACCESS_FLAG' in „App_Fls_P1M_Sample.mak‟ file to either
„CODEFLASH_ACCESS‟ or „DATAFLASH_ACCESS‟ or „CFDF_ACCESS‟ by
the user during compile time in order to compile corresponding library source
files.

52

P1M Specific Information Chapter 13

Figure 13-1 Overview Of FLS Driver Sample Application

The Sample Application of the P1M is available in the path

X1X\P1x\modules\fls\sample_application

X1X\P1x\modules\fls\definition\<AUTOSAR_version>\<SubVariant>\
\R403_FLS_P1M_04_05.arxml
\R403_FLS_P1M_10_to_15.arxml
\R403_FLS_P1M_18_to_23.arxml

X1X\P1x\modules\fls\sample_application\<SubVariant>\
 <AUTOSAR_version>\
\src\Fls_PBcfg.c
\include\fdl_descriptor.h
\include\Fls_Cfg.h
\include\Fls_Cbk.h

 \config\App_FLS_P1M_701304_Sample.arxml
 \config\App_FLS_P1M_701304_Sample.html
 \config\App_FLS_P1M_701304_Sample.one

 \config\App_FLS_P1M_701305_Sample.arxml
 \config\App_FLS_P1M_701305_Sample.html
 \config\App_FLS_P1M_701305_Sample.one

 \config\App_FLS_P1M_701310_Sample.arxml
 \config\App_FLS_P1M_701310_Sample.html
 \config\App_FLS_P1M_701310_Sample.one

 \config\App_FLS_P1M_701311_Sample.arxml
 \config\App_FLS_P1M_701311_Sample.html
 \config\App_FLS_P1M_701311_Sample.one

 \config\App_FLS_P1M_701312_Sample.arxml
 \config\App_FLS_P1M_701312_Sample.html
 \config\App_FLS_P1M_701312_Sample.one

 \config\App_FLS_P1M_701313_Sample.arxml
 \config\App_FLS_P1M_701313_Sample.html
 \config\App_FLS_P1M_701313_Sample.one
53

Chapter 13                                                                        P1M Specific Information

                                            \config\App_FLS_P1M_701314_Sample.arxml
                                \config\App_FLS_P1M_701314_Sample.html
                                \config\App_FLS_P1M_701314_Sample.one

                                \config\App_FLS_P1M_701315_Sample.arxml
                                \config\App_FLS_P1M_701315_Sample.html
                                                        \config\App_FLS_P1M_701315_Sample.one

                                \config\App_FLS_P1M_701318_Sample.arxml
                                \config\App_FLS_P1M_701318_Sample.html
                                \config\App_FLS_P1M_701318_Sample.one

                                            \config\App_FLS_P1M_701319_Sample.arxml
                                \config\App_FLS_P1M_701319_Sample.html
                                \config\App_FLS_P1M_701319_Sample.one

                                \config\App_FLS_P1M_701320_Sample.arxml
                                \config\App_FLS_P1M_701320_Sample.html
                                                        \config\App_FLS_P1M_701320_Sample.one

                                \config\App_FLS_P1M_701321_Sample.arxml
                                    \config\App_FLS_P1M_701321_Sample.html
                                \config\App_FLS_P1M_701321_Sample.one

                                \config\App_FLS_P1M_701322_Sample.arxml
                                \config\App_FLS_P1M_701322_Sample.html
                                \config\App_FLS_P1M_701322_Sample.one

                                                    \config\App_FLS_P1M_701323_Sample.arxml
                                \config\App_FLS_P1M_701323_Sample.html
                                \config\App_FLS_P1M_701323_Sample.one

In the Sample Application all the FLS APIs are invoked in the following
sequence:

•  The API Fls_GetVersionInfo is invoked to get the version Information of FLS
component with  a  variable of  Std_VersionInfoType type, after the  call  of  this
API  the  passed  parameter will  get  updated  with  the  FLS  Driver  Component
version details.

•  The API Fls_Init is invoked with config pointer. This API performs the
initialization of the FLS Driver Component. This will in turn calls R_FCL_Init()
and R_FCL_Copysections() which will initialize FCL internal variables. This
API initializes all the elements (Global Variables) of Global structure.

•  The API Fls_Erase() is invoked to erase one or more complete Flash
Sectors.

•  The API Fls_Write() is invoked to write the one or more complete flash pages
to the flash device from the application data buffer

•  The API Fls_Read() is invoked to read the requested length of flash memory
and stores it in the application data buffer.

•  The API Fls_Compare() is invoked to compare the contents of an area of
flash memory with that of an application data buffer.

•  The API Fls_Cancel() is invoked to cancel an ongoing flash operations like
read, write, erase or compare job.

•  The API Fls_Getstatus() returns the FLS module state synchronously.

54

P1M Specific Information Chapter 13

• The API Fls_GetJobResult() returns the result of the last job synchronously.

• The API Fls_Setmode(), this API does not provide any functionality.

• The API Fls_Mainfunction() is invoked performs processing of the flash
Read, Erase, write or compare jobs. It‟s a scheduled function. The
Fls_Mainfunction() accepts only read, write, erase or compare job at a time.

• The API Fls_ReadImmediate() is invoked for reading of the flash memory.
The data from flash memory (source address) is read to the data buffer
(Target address) of application without performing blank check before read.

• The API Fls_BlankCheck() is invoked to read the byte data from code flash
memory.

Remark The API Fls_MainFunction needs to be called in a certain time interval
configured using the parameter "FlsCallCycle". Hence, the sample application
invokes the API „Fls_MainFunction‟ periodically in a loop with sufficient
software delay. Since neither the interrupt vector table nor the interrupt handler
routines, which are normally located in the flash memory, are accessible while
self-programming is active, the timer interrupt is not used for this purpose. In
order to do so, interrupt acknowledges have to be re-routed to non-flash
memory. This can be achieved by suitably modifying the start-up code to
access the system registers (SW_CFG/SW_BASE respectively EH_CFG/
EH_BASE) to reroute the interrupt vector of the timer interrupt to the RAM
area.

13.2.2 Building Sample Application
13.2.2.1.Configuration Example
This section contains the typical configuration which is used for measuring
RAM/ROM consumption, stack depth and throughput details.
Configuration Details:
App_FLS_<SubVariant>_<Device_Name>_Sample.arxml

13.2.2.2.Debugging the Sample Application
Remark GNU Make utility version 3.81 or above must be installed and available in the
path as defined by the environment user variable “GNUMAKE” to complete the
build process using the delivered sample files.

Open a Command window and change the current working directory to “make”
directory present as mentioned in below path:
“external/X1X/P1x/common_family/make/<compiler>”

Now execute batch file SampleApp.bat with following parameters:

SampleApp.bat fls <AUTOSAR_version> <Device_Name>

After this, the tool output files will be generated with the configuration as
mentioned is available in the path:
“X1X\P1x\modules\fls\sample_application\<SubVariant>\<AUTOSAR_version>
\config”

• After this, all the object files, map file and the executable file
App_FLS_P1M_Sample.out will be available in the output folder
(“X1X\P1x\modules\fls\sample_application\<SubVariant>\obj\<compiler>” in
this case).

• The executable can be loaded into the debugger and the sample application
55

Chapter 13 P1M Specific Information

can be executed.

Remark Executable files with „*.out‟ extension can be downloaded into the target
hardware with the help of Green Hills debugger.

If any configuration changes (only post-build) are made to the ECU
Configuration Description files

“X1X\P1x\modules\fls\sample_application\<SubVariant>\<AUTOSAR_version>\
config\ App_FLS_P1M_<Device_name>_Sample.arxml”

App_FLS_P1M_<Device_name>_Sample.arxml” the database alone can be
generated by using the following commands.
 make –f App_FLS_<SubVariant>_Sample.mak generate_fls_config
 make –f App_FLS_<SubVariant>_Sample.mak
 App_FLS_<SubVariant>_Sample.s37

•
After this, a flash able Motorola S-Record file App_FLS_
App_FLS_<SubVariant>_Sample.s37_Sample.s37 is available in the
output folder.

Note : 1. <compiler> for example can be “ghs”.
2. <Device_Name> indicates the device to be compiled, which can be 701304,
701305, 701310, 701311, 701312, 701313, 701314, 701315, 701318,
701319, 701320, 701321, 701322, 701323.
3. <SubVariant> can be P1M.
 4. <AUTOSAR_version> can be 4.0.3.

13.3. Memory and Throughput
13.3.1 ROM/RAM Usage

The details of memory usage for the typical configuration, with DET enabled as
provided in Section 13.3.2.1 Configuration Example are provided in this
section.

Table 13-3 ROM/RAM Details With DET
Sl. No. ROM/RAM
Segment Name
Size in bytes
for 701312
1.
ROM
ROM.FLS_PUBLIC_CODE_RAM
3040

ROM.FLS_PRIVATE_CODE_RAM
2312

ROM.FLS_APPL_CODE_RAM
1986

R_FCL_CODE_ROM
0

R_FCL_CODE_RAM
0

R_FCL_CODE_ROMRAM
0

R_FCL_CODE_RAM_EX_PROT
32

FLS_FAST_CODE_ROM
212
56

P1M Specific Information Chapter 13

2.

RAM
reserved_FCLCopy
9216

FLS_PUBLIC_CODE_RAM
3040

FLS_PRIVATE_CODE_RAM
2312

FLS_APPL_CODE_RAM
1986

R_FCL_DATA
0

R_FDL_Data
84

NOINIT_RAM_UNSPECIFIED
4

RAM_UNSPECIFIED
44

FLS_BUFFER_CODE_RAM
100

Table 13-4 ROM/RAM Details Without DET
Sl. No.
ROM/RAM
Segment Name
Size in bytes
for 701312
1.
ROM
ROM.FLS_PUBLIC_CODE_RAM
3040

ROM.FLS_PRIVATE_CODE_RAM
2312

ROM.FLS_APPL_CODE_RAM
2012

R_FCL_CODE_ROM
0

R_FCL_CODE_RAM
0

R_FCL_CODE_ROMRAM
0

R_FCL_CODE_RAM_EX_PROT
32

FLS_FAST_CODE_ROM
212
57

Chapter 13                                                                        P1M Specific Information

2.
RAM
reserved_FCLCopy
9216

FLS_PUBLIC_CODE_RAM
3040

FLS_PRIVATE_CODE_RAM
2312

FLS_APPL_CODE_RAM
2012

R_FCL_DATA
0

R_FDL_Data
84

NOINIT_RAM_UNSPECIFIED
4

RAM_UNSPECIFIED
44

FLS_BUFFER_CODE_RAM
100

Remark  The section “reserved_FCLCopy” might not be the actual RAM area, but only
the „reserved‟ area.

13.3.2 Stack Depth

The worst-case stack depth for FLS Driver Component is for the typical
configuration provided in Section 13.3.2.1 Configuration Example.

Table 13-5  Stack Depth Table

Sl. No
Device Name
Stack Depth (in Bytes)

1.
R7F701312
384

13.3.3 Throughput Details
The throughput details of the APIs for the configuration mentioned in the
Section 13.3.2.1Configuration Example are listed here. The clock frequency
used to measure the throughput is 80MHz for all APIs.

Table 13-6  Throughput Details Of The APIs

Sl. No.
API Name
Throughput in µ
Remarks
seconds for
701312
1.
Fls_Init
487.80
-
2.
Fls_Erase
  9.450
-
3.
Fls_Write
9.630
-
4.
Fls_Cancel
1.440
-
5.
Fls_GetStatus
0.630
-
6.
Fls_GetJobResult
0.630
-
7.
Fls_Read
2.520
-
8.
Fls_Compare
2.430
-
58

P1M Specific Information Chapter 13

Sl. No.
API Name
Throughput in µ
Remarks
seconds for
701312
9.
Fls_SetMode
NA
This API does not
provide any
functionality
10.
Fls_GetVersionInfo
0.540
-
11.
Fls_BlankCheck
5.940
-
12.
Fls_ReadImmediate
2.430
-
13.
Erase Operation
9.090
This is the time taken for
the complete erase
operation of 256 bytes
data length.
14.
Write Operation
9.990
This is the time taken
for the complete write
operation of 256 bytes
data length.
15.
Fls_BlankCheck operation
6.120
This is the time taken
for performing blank
check operation of
256 bytes data length.
16.
Fls_ReadImmediate
2.610
This is the time taken
for the complete fast
read operation of 256
bytes data length
without performing
blank check before
read.
17.
Read Operation
2.340
This is the time taken
for the complete read
operation of 256 bytes
data length.
18.
Compare Operation
2.520
This is the timetaken
for the complete
compare operation of
256 bytes data length.
59

Chapter 13 P1M Specific Information

Sl. No.
API Name
Throughput in µ
Remarks
seconds for
701312
19.
FLENDNM_ISR operation
8.550
This is the time taken
for the complete Erase
of 1 block data length.
9.360
This is the time taken
for the complete Write
of 1 word data length.
20
Fls_Suspend
38.430
-

21
Fls_Resume
6.587
-

60

Release Details
Chapter 14

Chapter 14 Release Details

FLS Driver Software

Version: 1.3.1

61

Chapter 14 Release Details

62

Revision History

Sl.No.  Description
Version
Date
1.
Initial Version
1.0.0
28-Oct-2013
2.
As per CR 066, below changes are made.
1.0.1
22-Jan-2014
1.  The Figure "Component Overview of FLS Driver Component “is
alignment corrected.
2.  FLS driver component version information is updated.
3.  In chapter 6 Register Details are updated.
4.  Chapter 2 is updated for referenced documents version.
5.  Section 4.1 is updated for removing information about
“FlsWriteInternalVerify”.
6.  Section 4.1 and 5 are updated to replace API name
„R_FCL_I_read_memory_u08‟ by „Fls_CF_read_memory_u08‟.
7.  Section 4.1, General is updated for adding information about time
out values of erase, read, write and blank check.
8.  Section 4.2 is updated for removing Fls_LengthType restriction on
size as precondition.
9.  Section 4.5 is updated for adding supervisor and user mode details
for added devices.
10.  Section 13.1.1 is updated for adding the device names.
11.  Section 13.2 is updated for assembler and linker details.
12.  Section 13.3 is updated for naming convention change of
parameter definition files.
13.  “FLS_E_PARAM_POINTER” is removed from Table11-1.
14.  Section13.4 is updated for RAM/ROM usage details.

3.
As per CR 107 Following changes are made:
1.0.2
02-Sep-2014
1.  Chapter 2: „Reference document‟ is updated.
2.  Chapter 4: „Forethoughts‟ is updated for Following:
•
Section 4.1 „General‟ is updated for description.
•
Section 4.2 „Preconditions is updated for description to
add Fls_BlankCheck and Fls_ReadImmediate API.
•
Section 4.3 „Data consistency‟ is updated for description
to add macro for version.
•
Section 4.4 „deviation List‟ is updated to add
Fls_GetVersionInfo API.
•
Section 4.4 „User mode and supervisor mode‟: Table 4-2
is updated for „Fls_Cancel API‟ and to add
„Fls_BlankCheck‟ and „Fls_ReadImmediate‟ API.
•
Section 4.4: Table 4.3 is updated to add „Fls_Suspend‟
and „Fls_Resume‟ API.
3.  Chapter 5: „Architecture Details‟ is updated to add „Fls_Suspend‟,
„Fls_Resume‟, „Fls_BlankCheck‟ and „Fls_ReadImmediate‟ API.
4.  Chapter 6: „Register Details‟ is updated for register access.
5.  Chapter 7 and Section 13.1.2 is updated to add „Fls_Suspend‟,
„Fls_Resume‟, „Fls_BlankCheck‟ and „Fls_ReadImmediate‟
services.
6.  Chapter 8 is updated to add „Fls_Irq.h‟ and „Fls_Irq.c‟
7.  Chapter 10 is updated for following:
•
Section 10.2 is updated to remove Fls_„VerifyType‟ type
definition.
•
Section 10.3 is updated to add „Fls_Suspend‟,
„Fls_Resume‟, „Fls_BlankCheck‟ and
„Fls_ReadImmediate‟ API.

63

Sl.No.  Description
Version
Date

8.  Chapter 12: „Memory Organization‟:Figure 12-1 and desrcription is

updated to add „FLS_FAST_CODE_ROM‟,
„RAM_UNSPECIFIED‟,„FLS_CFG_DBTOC_UNSPECIFIED‟ and
„FLS_BUFFER_CODE_RAM‟.
9.  Chapter 13 is updated for Following:
•
Chapter 13 is updated to remove R7F701300-
R7F701303, R7F701306- R7F701309 and to add
R7F701318- R7F701323 P1M supported devices.
•
Section 13.1.3 and section 13.1.4 are added for
parameter definition files and for ISR function
respectevely.
•
Section 13.2.1 is updated for compiler, Linker and
Assembler options.
•
Section 13.3 is updated for Sample Application path and
description to add „Fls_ReadImmediate‟ and
„Fls_BlankCheck‟ API.
•
Section 13.4: „Memory and throughput‟ is updated.
10.  Chapter 14: „Release Details‟ is updated for FLS Driver Version.
4
As per CR 31 Following changes are made:
1.0.3
14-Oct-2014
1.  Table 11-1 DET Errors of FLS Driver Component is updated.
2.  Section 13.3.1 Sample Application Structure is updated.
3.  Section 13.4.1 RAM/ROM details is updated.
4.  Chapter 14 Release Details is updated to correct Chapter
heading.
5.  Section 4.1 is updated to change the description from „F1L‟ to
„P1M‟.
5
As per CR 82 Following changes are made:
1.0.4
02-Dec-2014

1.  Section 4.5 is updated for user and supervisory mode.
2.  Section 13.2.1 is updated for removal –c option.
3.  Chapter 3 is updated for update in trxml file path of sample
application.
4.  Page 64 is updated for header correction.
5.  Section 13.1.2 is updated for suspend and resume services.
6.  Chapter 5 is updated for page number and header.
7.  Section 13.4.3 is updated for throughput.

6
The following changes are made:
1.0.5
24-Apr-2015

1.  Chapter 2: „Reference document‟ is updated
2.  As part of device support activity for R7F701304, R7F701305,
R7F701313, R7F701315, R7F701318 to R7F701323 updated
sections 3.1.1, 13.1.1, 13.1.2, 13.3.1.
3.  Updated version number and copyright year.
4.  Updated section 13.4 for memory and throughput.
5.  Removed  section Compiler,Linker and Assembler in Chapter13.
6.  Removed Test_Application_P1x.trxml path from Section 3.1.1.
7.  Section 4.1 is updated for adding note in Forethoughts.
8.  Chapter 12 is updated.
9.  Section 4.2. Preconditions is updated.
10.  Updated Tables 4-2 and 4-3 in Section 4.5.
11.  Chapter 14: „Release Details‟ is updated for FLS Driver Version

64

65

AUTOSAR MCAL R4.0.3 User's Manual
FLS Driver Component Ver.1.0.5
Embedded User’s Manual

Publication Date: Rev.0.01, April 24, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  de  tailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson  Road,  Newmarket,  Ontario  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics  Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics  Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf,  Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics  (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu  Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics  (Shanghai)  Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics  Hong  Kong  Limited
Unit  1601-1613,  16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok,  Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics  Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics  Singapore  Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  keppel  Bay  Tower,  Singapore  098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics  Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics  Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3
User‟s Manual

Document Outline

9.4 - AUTOSAR_FLS_Tool_UserManual

AUTOSAR MCAL R4.0 User's Manual

9.5 - AUTOSAR_FLS_Tool_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36

9.6 - AUTOSAR_FLS_Tool_UserManuals

AUTOSAR MCAL R4.0.3
User‟s Manual

FLS Driver Component Ver.1.0.3

Generation Tool User‟s Manual

Target Device:
RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.01 Apr 2015

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.
   3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.
   11.  This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.


(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
AUTOSAR
AUTomotive Open System ARchitecture
BSWMDT
Basic Software Module Description Template
DEM/Dem
Diagnostic Event Manager
ECU
Electronic Control Unit
FLS
FLash Driver
id
Identifier
MCAL
Microcontroller Abstraction Layer
MCU
MicroController Unit
XML
eXtensible Mark-up Language

Definitions

Terminology
Description
BSWMDT File
This file is the template for the Basic Software Module Description.
Configuration XML File
This file contains the setting of command line options.
ECU Configuration Description
Input file to FLS Driver Generation Tool. It is generated by ECU
File
Configuration Editor.
Sl.No
Serial Number.
Translation XML File
This file contains the translation and device specific header file path.

5

6

List of Figures

Figure 3-1
Overview of FLS Driver Generation Tool ....................................................................... 13

List of Tables

Table 5-1
Output Files Description .................................................................................................. 17

8

Introduction Chapter 1

Chapter 1
Introduction

The FLS Software component provides the service for initializing the whole
FLS structure of the microcontroller.

The FLS Software Component comprises of two sections as Embedded
Software and the Generation Tool to achieve scalability and configurability.

The document describes the features of the FLS Software Generation Tool.
FLS Software Generation Tool is a command line tool that extracts
information from ECU Configuration Description File and generates FLS
Software C Header files and Source Files (Fls_Cbk.h, Fls_Cfg.h, fcl_cfg.h,
fdl_descriptor.h, fcl_descriptor.h and Fls_PBcfg.c).

This document contains information on the options, input and output files of
the FLS Software Generation Tool. In addition, this manual covers a step-
by-step procedure for the usage of tool.

ECU Configuration Description File contains information about FLS
configuration.

1.1
Document Overview

This user manual is organized as given in the table below:

Section
Contents
Section 1 (Introduction)
Provides an introduction to the document and explains how information
is organized in this manual.
Section 2 (Reference)
Provides a list of documents referred while developing this document.
Section 3 (FLS Driver
Provides the component overview of FLS Driver.
Generation Tool Overview)
Section 4 (Input Files)
Provides information about ECU Configuration Description File.
Section 5 (Output Files)
Explains the output files that are generated by the FLS Driver
Generation Tool.
Section 6 (Precautions)
Contains precautions to be taken during configuration of ECU
Configuration Description File.
Section 7 (User Configuration
Describes about user configuration validation done by the FLS Driver
Validation)
Generation Tool.
Section 8 (Messages)
Describes all the Error/Warning/Information messages of R4.0.3 which
helps the user to understand the probable reason for
the same.
Section 9 (Notes)
Provides notes to help the user to understand this document better.

9

Chapter 1 Introduction

10

Reference
Chapter 2

Chapter 2
Reference

2.1
Reference Documents

The following table lists the documents referred to develop this document:

Sl.No. Title
Version
1.
Specification of Flash Driver for R4.0.3
3.2.0
AUTOSAR_SWS_FlashDriver.pdf

2.
P1x Parameter Definition File
1.1.1

R403_FLS_P1M_04_05.arxml
3.
P1x Parameter Definition File
1.1.1
R403_FLS_P1M_10_to_15.arxml
4.
P1x Parameter Definition File
1.0.1
R403_FLS_P1M_18_to_23.arxml

2.2
Trademark Notice

Microsoft and Windows are trademarks/registered trademarks of Microsoft
Corporation.

11

Chapter 2
Reference

12

FLS Driver Generation Tool Overview
Chapter 3

Chapter 3
FLS Driver Generation Tool Overview

FLS Driver Generation Tool overview is shown
below.

ECU

Configuration

Fls_Cbk.h,
Description
FLS Driver
Fls_Cfg.h,
File, BSWMDT
fcl_cfg.h,
File, Translation
Generation
fdl_descriptor.h,
XML File and
Tool
fcl_descriptor.h
Configuration
Fls_PBcfg.c
XML File

Figure 3-1 Overview of FLS Driver Generation Tool

FLS Driver Generation Tool is a command line tool that extracts, analyzes the
configuration details provided in the input file and validates correctness of the
data and provides scalability and configurability for FLS Driver module. It
accepts ECU Configuration Description File(s), BSWMDT File, Translation
XML File and Configuration XML File as input and displays appropriate
context sensitive error messages for wrong input and exits. Tool creates the
Log file Fls.log) that contains the list of Error/Warning/Information messages in
the output directory.

For the error free input file, the tool generates the following output files:

If FLS Driver is configured for Data Flash then generation tool will generate
Fls_Cfg.h, Fls_Cbk.h, Fls_PBcfg.c and fdl_descriptor.h files.

If FLS Driver is configured for Code Flash then generation tool will generate
Fls_Cfg.h, Fls_Cbk.h, Fls_PBcfg.c, fcl_Cfg.h and fcl_descriptor.h files.

Fls_Cfg.h, Fls_Cbk.h, fcl_cfg.h, fdl_descriptor.h, fcl_descriptor.h will be
compiled and linked with FLS Driver Component. Fls_PBcfg.c will be
compiled and linked separately from the other C Source files and placed in
flash.

ECU Configuration Description File can be created or edited using ECU
Configuration Editor.

13

Chapter 3                                                                                 FLS Driver Generation Tool Overview

Remark

•  In case of errors the generation tool returns a 1, in case of no errors the
generation tool returns a 0.

•  FLS Driver Generation Tool uses “Common Published Information” from
FLS module specific BSWMDT File. FLS module specific BSWMDT File
should not be updated manually since it is”Static Configuration” file.

14

Input Files
Chapter 4

Chapter 4 Input Files

FLS Driver Generation Tool accepts ECU Configuration Description
File(s), BSWMDT File, Translation XML File and Configuration XML File
as input. FLS Driver Generation Tool needs information about FLS Driver
module. Hence ECU Configuration Description File should contain
configuration of
FLS Driver module. Generation Tool ignores any other AUTOSAR
component configured in the ECU Configuration Description File. ECU
Configuration Description File can be generated using configuration editor.

ECU Configuration Description File must comply with AUTOSAR standard
ECU Configuration Description File format.

Remark The detailed explanation about the parameters and containers are found in
Parameter Definition File mentioned in the Reference Documents section.

15

Chapter 4 Input Files

16

Output Files
Chapter 5

Chapter 5  Output Files

FLS Driver Generation Tool generates configuration details in C Header and C
Source  files  (Fls_Cbk.h,  Fls_Cfg.h,  fcl_cfg.h,  fdl_descriptor.h,  fcl_descriptor.h,
Fls_PBcfg.c ).

The content of each output file is given in the table below:

Table 5-1  Output Files Description

Output File
Details
Fls_Cbk.h
This file contains call-back functions prototype declarations.
Fls_Cfg.h
This file contains pre-compile time parameters.
Fls_PBcfg.c
This file contains post-build time parameters.
fdl_descriptor.h
This file contains FDL run-time configuration descriptor variable related defines. This
file will be generated, if the FLS configured as Data Flash.
fcl_cfg.h
This file contains pre-compile time parameters related to FCL Library. This file will
be generated, if the FLS configured as Code Flash.
fcl_descriptor.h
This file pre-compile time parameters related to FCL descriptor. This file will be
generated, if the FLS configured as Code Flash.

Remark  Output files generated by FLS Driver Generation Tool should not be modified
or edited manually.

17

Chapter 5 Output Files

18

Precautions
Chapter 6

Chapter 6  Precautions

•
ECU Configuration Description File and BSWMDT File must comply with
AUTOSAR standard for R4.0.3 ECU Configuration Description File and
BSWMDT File respectively.

•
The input file must contain FLS Driver module.

•
Default Translation XML File (Fls_X1x.trxml) should be present in same
location of Fls_X1x.exe when the variant specific trxml file is not given as
input in command line.

•
Default Configuration XML File (Fls_X1x.cfgxml) must be present in same
location of Fls_X1x.exe.

•
If Translation XML File is not provided on the command line, Fls_X1x.trxml
which is present in same location of Fls_X1x.exe is considered as „default‟
Translation XML File.

•
If Configuration XML File is not provided on the command line,
Fls_X1x.cfgxml which is present in same location of Fls_X1x.exe is
considered as „default‟ Configuration XML File.

•
Translation XML File should contain the file extension „.trxml‟.

•
Configuration XML File should contain the file extension „.cfgxml‟.

•
All the function names and the string values configured should follow C
syntax for variables. It can only contain alphanumeric characters and “_”. It
should start with an alphabet.

•
If the output files generated by FLS Driver Generation Tool are modified
externally, then they may not produce the expected results or may lead to
error/warning/Information messages.

•
Short Name for a container should be unique within a name space.

•
An error free ECU Configuration Description File generated from
configuration editor has to be provided as input to the FLS Driver
Generation Tool. Otherwise Tool may not produce the expected results or
may lead to errors/warnings/information messages.

•
User has to make sure that the respective device specific configuration file
is used otherwise Tool may not produce the expected results or may lead
to errors/warnings/information messages.

•
The description file should always be generated using  AUTOSAR
specified configuration editor and it should not be edited manually.

Remark  Please refer the FLS Component User Manual for deviations from AUTOSAR
specifications, if any.

19

Chapter 6 Precautions

20

User Configuration Validation
Chapter 7

Chapter 7 User Configuration Validation

This section provides help to analyze the error, warning and information
messages displayed during the execution of FLS Driver Generation Tool. It
ensures conformance of input file with syntax and semantics. It also performs
validation on the input file for correctness of the data.

For more details on list of Error/Warning/Information messages that are
displayed as a result of input file(s) validation, refer Chapter 8 “Messages”.

The Generation Tool displays error or warning or information when the user
has configured incorrect inputs. The format of Error/Warning/Information
message is as shown below.

•
ERR/WRN/INF<mid><xxx>: <Error/Warning/Information Message>.
where,
<mid>: 092- FLS Driver Module id (092) for user configuration checks.

000 - for command line checks.

<xxx>: 001-999 - Message id.

•
File Name: Name of the file in which the error has occurred.

•
Path: Absolute path of the container in which the parameter is present.

„File Name‟ and „Path‟ need not be present for all Error/Warning/Information
messages.

21

Chapter 7 User Configuration Validation

22

      Messages
    Chapter 8

Chapter 8  Messages

The messages help to identify the syntax or semantic errors in the ECU
Configuration Description File. Hence it ensures validity and correctness of the
information available in the ECU Configuration Description File.

The following section gives the list of error, warning and information messages
displayed by the Generation Tool.

8.1  Error Messages

ERR092001: Number of fields is not same for the entity 'Structure Name'.

This error occurs, if the number of fields is not same in the structure that is to be
generated in the output file.

ERR092002: Field 'Field Name' is empty in the entity 'Structure Name'.

This error occurs, if the structure fields that are to be generated in the output
file are empty.

ERR092003: 'FLS Driver / MCU Driver' Component is not present in the
input file(s).

This error occurs, if FLS Driver or MCU Driver component is not present in the
input ECU Configuration Description File(s).

ERR092004: The parameter ‘parameter name’ in the container ‘container
name’ should be configured.

This error occurs, if any of the mandatory configuration parameter(s)
mentioned below is (are) not configured in ECU Configuration Description File.
The list of mandatory parameters with respect to container is listed below:

Parameter Name
Container Name
FlsCancelApi

FlsCompareApi

FlsDevErrorDetect

FlsGetJobResultApi
FlsGeneral

FlsGetStatusApi

FlsSetModeApi

FlsVersionInfoApi

FlsVersionCheckExternalModules

FlsCriticalSectionProtection

FlsDeviceName

FlsAccess

23

Chapter 8
Messages
Parameter Name
Container Name
FlsVirtualBoundaryAddress

FlsTimeoutMonitoring
FlsGeneral
FlsGeneral
FlsUseInterrupts

FlsEraseTime

FlsReadTime

FlsPublishedInformation
FlsWriteTime
FlsCancelTime
FlsErasedValue
FlsBlankCheckTime
FlsSuspendTime
FlsCallCycle

FlsMaxReadNormalMode
FlsConfigSet
FlsMaxWriteNormalMode
FlsMaxEraseNormalMode
FlsSectorIndex

FlsSectorOption

FlsNumberOfSectors
FlsSector
FlsPageSize
FlsSectorSize
FlsSectorStartaddress
FlsBlankCheck

FlsDFBaseAddress

FlsDFBlockSize

FlsDFTotalBlocks

FlsDFTotalSize
FlsDataFlash
FlsFdlCpuFrequency
FlsBlankCheckApi
FlsReadImmediateApi
FlsSuspendApi
FlsResumeApi
FlsCFTotalSize

FlsCFSmallBlockBaseAddress

FlsCFNormalBlockBaseAddress

FlsCFSmallBlockSize

FlsCFNormalBlockSize

FlsCFTotalSmallBlocks

FlsCFTotalNormalBlocks

FlsCodeFlash
FlsFclRamAddress
FlsCommandExecutionMode
FlsFclCpuFrequency
FlsCFEraseTime
FlsCFWriteTime
FlsCFCancelTime
FlsMaxCFReadNormalMode
FlsMaxCFWriteNormalMode
FlsMaxCFEraseNormalMode
FlsCFReadTime
24

Messages
 Chapter 8

Parameter Name
Container Name
FLS_E_READ_FAILED

FLS_E_WRITE_FAILED

FLS_E_READ_FAILED_DED
FlsDemEventParameterRefs
FLS_E_ERASE_FAILED

FLS_E_COMPARE_FAILED

Remark

 • The container FlsCodeFlash its parameters are mandatory only when the
 parameter FlsAccess is configured as FLS_CODEFLASH_ACCESS.

 • The container FlsDataFlash its parameters are mandatory only when the
 parameter FlsAccess is configured as FLS_DATAFLASH_ACCESS.

 ERR092007: The value configured for the parameter 'parameter name'
 should follow C syntax <[a-zA-Z][a-zA-Z0-9_]>.

This error occurs, if the value of configuration parameters mentioned in below
table does not adhere to C syntax as if the value contains characters other
than (a-z, A-Z, 0-9 or “_”). The parameter value should always start with an
alphabet.

Parameter Name
Container Name
FlsJobEndNotification
FlsConfigSet
FlsJobErrorNotification
FlsEccSedNotification
FlsDataFlash
FlsEccDedNotification

ERR092012: The reference path <reference value> provided for the
parameter 'parameter name’ within the container
'FlsDemEventParameterRefs' is incorrect.

This error occurs, if the reference path <reference value> provided for the
following parameters within the container 'FlsDemEventParameterRefs' is
incorrect.

Parameter Name
Container Name
FLS_E_COMPARE_FAILED

FLS_E_ERASE_FAILED
FlsDemEventParameterRefs
FLS_E_READ_FAILED
FLS_E_WRITE_FAILED
FLS_E_READ_FAILED_DED

ERR092014: The value configured for the parameter 'parameter name’ in
the container 'FlsSector' should be unique within an 'FlsConfigSet.

This error occurs, if the value configured for the following parameters in the
container FlsSector is not unique within an FlsConfigSet.

Parameter Name
Container Name

25

Chapter 8
 Messages
FlsSectorIndex
FlsSector
FlsSectorOption

ERR092015: The value configured for the parameter ‘parameter name’ in
the container ‘FlsSector' should be <actual value>, since the sector is
configured as <value of FlsSectorOption>.

This error occurs, if the value configured for the following parameters in the
container FlsSector is not as per below table.

FlsSectorOption
FlsNumberOfSector
FlsSectorSize
FLS_DF_SECTOR
512
64
FLS_CF_SMALL_BLK_SECTOR
8
8192

FLS_CF_NORMAL_BLK_SECTOR
14
32768

ERR092017: The value configured for the parameter ‘parameter name' in
the container 'container name' should be same for the FlsSectorIndex
<value of FlsSectorIndex> across the multiple configuration set of
'FlsConfigSet'.

This error occurs, if the value configured for the following parameters in the
respective container is not same for the FlsSectorIndex across the multiple
configuration set of FlsConfigSet.

Parameter Name
Container Name
FlsSectorOption

FlsSector
FlsSectorSize
FlsNumberOfSectors
FlsSectorStartaddress

ERR092018: The values configured for the parameters
'FlsEccSedNotification' and 'FlsEccDedNotification' in the container
'FlsDataFlash' and the values configured for the parameters
'FlsJobEndNotification' and 'FlsJobErrorNotification' in any of the
'FlsConfigSet' container should be unique.

This error occurs, if the values configured for the parameters
'FlsEccSedNotification' and 'FlsEccDedNotification' in the container
'FlsDataFlash' and the values configured for the parameters
'FlsJobEndNotification' and 'FlsJobErrorNotification' in any of the
'FlsConfigSet' container is not unique. For example, the following table shows
the conditions when the error message occurs.

Container : FlsDataFlash
Container : FlsConfigSet
FlsEccSedNotification FlsEccDedNotification FlsJobEndNotification FlsJobErrorNotification
EccSedNotification
EccSedNotification
EccSedNotification
EccSedNotification
26

Messages
 Chapter 8

EccSedNotification
EccSedNotification
-
-
-
-
EccSedNotification
EccSedNotification
-
EccSedNotification
-
EccSedNotification

ERR092019: The value configured for the parameter 'parameter name' in
the container ‘FlsDemEventParameterRefs' should be same across the
multiple configuration set of 'FlsConfigSet'.

This error occurs, if the value configured for the following parameters in the
container FlsDemEventParameterRefs is not same across the multiple
configuration set of FlsConfigSet.

Parameter Name
Container Name
FLS_E_COMPARE_FAILED

FLS_E_ERASE_FAILED

FLS_E_READ_FAILED
FlsDemEventParameterRefs

FLS_E_WRITE_FAILED

ERR092020: The value configured for the parameter ‘FlsSectorIndex' in
the container ‘FlsSector' should be same across the multiple
configuration set of 'FlsConfigSet'.

This error occurs, if the value configured for the parameter FlsSectorIndex in
the container FlsSector is not same across the multiple configuration set of
FlsConfigSet.

ERR092021: The sub-container ‘FlsDataFlash' and its parameters should be
configured in ‘FlsGeneral' container, since the parameter 'FlsAccess' in
'FlsGeneral' container is configured as <FLS_DATAFLASH_ACCESS>.

This error occurs, if the sub-container FlsDataFlash and its parameters is not
configured in FlsGeneral container and the parameter FlsAccess in FlsGeneral
container is configured as FLS_DATAFLASH_ACCESS.

ERR092022: The sub-container ‘FlsCodeFlash' and its parameters should
be configured in ‘FlsGeneral' container, since the parameter 'FlsAccess' in
'FlsGeneral' container is configured as <FLS_CODEFLASH_ACCESS>.

This error occurs, if the sub-container FlsCodeFlash and its parameters is not
configured in FlsGeneral container and the parameter FlsAccess in FlsGeneral
container is configured as FLS_CODEFLASH_ACCESS.

ERR092023: The reference path of MCU <configured value of
FlsFdlCpuFrequency> provided for the parameter ‘FlsFdlCpuFrequency’ in
the container 'FlsDataFlash' is incorrect.

This error occurs, if the reference path of MCU provided for the parameter
FlsFdlCpuFrequency in the container FlsDataFlash is incorrect.

ERR092024: The 'FlsSector' container should be configured with
parameter ‘FlsSectorOption' as 'FLS_DF_SECTOR', since the parameter
'FlsAccess' in 'FlsGeneral' container is configured as

27

Chapter 8
 Messages
<FLS_DATAFLASH_ACCESS>.

This error occurs, if the FlsSector container is not configured with parameter
FlsSectorOption as FLS_DF_SECTOR and the parameter Flacks in
FlsGeneral container is configured as FLS_DATAFLASH_ACCESS.

ERR092025: The 'FlsSector' container should be configured with
parameter ‘FlsSectorOption' as ‘FLS_CF_NORMAL_BLK_SECTOR',
since the parameter 'FlsAccess' in 'FlsGeneral' container is configured
as <FLS_CODEFLASH_ACCESS>.

This error occurs, if the FlsSector container is not configured with parameter
FlsSectorOption as FLS_CF_NORMAL_BLK_SECTOR and the parameter
FlsAccess in FlsGeneral container is configured as
FLS_CODEFLASH_ACCESS.

ERR092026: The 'FlsSector' container should be configured with
parameter ‘FlsSectorOption' as ‘FLS_CF_SMALL_BLK_SECTOR', since
the parameter 'FlsAccess' in 'FlsGeneral' container is configured as
<FLS_CODEFLASH_ACCESS>.

This error occurs, if the FlsSector container is not configured with parameter
FlsSectorOption as FLS_CF_SMALL_BLK_SECTOR and the parameter
FlsAccess in FlsGeneral container is configured as
FLS_CODEFLASH_ACCESS.

ERR092028: The value configured for the parameter
'FlsSectorStartaddress' should be within the range of <range of value> for
the <configured value of FlsSectorOption>.

This error occurs, if the value configured for the parameter
FlsSectorStartaddress is not within the below range.

FlsSectorOption
Range of value for FlsSectorStartaddress

0

FLS_DF_SECTOR
to

(value configured for FlsVirtualBoundaryAddress - 1)

(value configured for FlsVirtualBoundaryAddress)
FLS_CF_SMALL_BLK_SECTOR

to

(value configured for FlsVirtualBoundaryAddress +
value configured for FlsCFSmallBlockSize)

(value configured for FlsVirtualBoundaryAddress + value
FLS_CF_NORMAL_BLK_SECTOR
configured for FlsCFSmallBlockSize + 1)

to

(value configured for FlsVirtualBoundaryAddress + value
configured for FlsCFTotalSize)

ERR092029: The value configured for the parameter 'FlsTotalSize' should be
(FlsNumberOfSectors * FlsSectorSize) since the parameter 'FlsAccess' in
28

Messages
 Chapter 8

'FlsGeneral' container is configured as <FLS_DATAFLASH_ACCESS>.

This error occurs, if the FlsGeneral container is not configured with parameter
FlsTotalSize as FlsDFTotalSize and the parameter FlsAccess in FlsGeneral
container is configured as FlsDataFlash.

ERR092030: The ‘FlsGeneral’ container should be configured with
parameter ‘'FlsTotalSize'' as ‘FlsCFTotalSize', since the parameter
'FlsAccess' in 'FlsGeneral' container is configured as <FlsCodeFlash>.

This error occurs, if the FlsGeneral container is not configured with parameter
FlsTotalSize as FlsCFTotalSize and the parameter FlsAccess in FlsGeneral
container is configured as FlsCodeFlash.

ERR092031: The ‘FlsGeneral’ container should be configured with
parameter ‘'FlsTotalSize'' as sum of ‘FlsCFTotalSize' and ‘ FlsDFTotalSize’ ,
since the parameter 'FlsAccess' in 'FlsGeneral' container is configured as
<FLS_DATA_CODE_FLASH_ACCESS >.
This error occurs, if the FlsGeneral container is not configured with parameter
FlsTotalSize as sum of FlsDFTotalSize and FlsCFTotalSize and the parameter
FlsAccess in FlsGeneral container is configured as
FLS_DATA_CODE_FLASH_ACCESS.

8.2 Warning Messages
 None

8.3 Information Messages

INF092001: The parameter 'parameter name' in the container
‘FlsConfigSet' is not configured.

This information occurs, if the parameters FlsJobEndNotification or
FlsJobErrorNotification in the container FlsConfigSet are not configured.

INF092002: The sub-container ‘FlsCodeFlash' and its parameters in
'FlsGeneral' container are not considered for the implementation, since
the parameter 'FlsAccess' in the ‘FlsGeneral' container is configured as
<FLS_DATAFLASH_ACCESS>.

This information occurs, if the sub-container FlsCodeFlash and its parameters
in FlsGeneral container are configured and the parameter FlsAccess in the
FlsGeneral container is configured as FLS_DATAFLASH_ACCESS.

INF092003: The sub-container ‘FlsDataFlash' and its parameters in
'FlsGeneral' container are not considered for the implementation, since
the parameter 'FlsAccess' in the ‘FlsGeneral' container is configured as
<FLS_CODEFLASH_ACCESS>.

This information occurs, if the sub-container FlsDataFlash and its parameters in
FlsGeneral container are configured and the parameter FlsAccess in the
FlsGeneral container is configured as FLS_CODEFLASH_ACCESS.

29

Chapter 8
 Messages

INF092004: The container ‘FlsSector' having the short name <short name
of FlsSector container> and its parameters are not considered for the
implementation, since the parameter ‘FlsSectorOption' for this sector is
configured as <configured value of FlsSectorOption> and the parameter
'FlsAccess ' in the ‘FlsGeneral ' container is configured as
<FLS_DATAFLASH_ACCESS>.

This information occurs, if the container FlsSector with the parameter
FlsSectorOption is configured as FLS_CF_SMALL_BLK_SECTOR or
FLS_CF_NORMAL_BLK_SECTOR and the parameter FlsAccess in the
FlsGeneral container is configured as FLS_DATAFLASH_ACCESS.

INF092005: The container ‘FlsSector' having the short name <short name
of FlsSector container> and its parameters are not considered for the
implementation, since the parameter ‘FlsSectorOption' for this sector is
configured as <FLS_DF_SECTOR> and the parameter 'FlsAccess ' in the
‘FlsGeneral ' container is configured as <FLS_CODEFLASH_ACCESS>.

This information occurs, if the container FlsSector with the parameter
FlsSectorOption for this container is configured as FLS_DF_SECTOR and
the parameter FlsAccess in the FlsGeneral container is configured as
FLS_CODEFLASH_ACCESS.
30

Notes
Chapter 9

Chapter 9 Notes

“Generation Tool” and “Tool” terminologies are used interchangeably to refer
FLS Driver Generation Tool.

31

Chapter 9
Notes

32

Revision History

Sl.No.  Description
Version
Date
1.
Initial Version
1.0.0
29-Oct-2013
2.
Following changes are made:
1.0.1
28-Jan-2014
•
Error messages ERR092010, ERR092018, ERR092029,
ERR092030 and ERR092031 are added.
•
Error message ERR092007is updated.

3.
Following changes are made:
1.0.2
2-Sep-2014
•
FlsUseInterrupts parameter is added in FlsGeneral container
in error message ERR092004 in section 8.1. Error Messages.

•
FlsSuspendTime parameter is added in
FlsPublishedInformation container in error message
ERR092004 in section 8.1.1. Error Messages.

•
FlsBlankCheckApi, FlsReadImmediateApi, FlsSuspendApi
and FlsResumeApi parameters are added in FlsDataFlash
container in error message ERR092004 in section 8.1.1.
Error Messages.

•
Error messages ERR092008, ERR092009 and ERR092010
are deleted and error message ERR092018 is updated in
section 8.1 Error Messages.
4
The following changes are made:
1.0.3
24-Apr-2015
•
Pdf name and version are updated in  Section 2.1
•
Added parameters FlsCancelTime and FlsCFCancelTime in
the list of mandatory parameters in Section 8.1.
•
The description of error ERR092029 is updated in Section
8.1.
•
Updated version number and copyright year.

33

AUTOSAR MCAL R4.0.3 User's Manual
FLS Driver Component Ver.1.0.3
Generation Tool User's Manual

Publication Date: Rev.0.01, April 24, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  de  tailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson Road,  Newmarket, Ontari o  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf, Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics (Shanghai) Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics Hong  Kong  Limited
Unit  1601-1613, 16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok, Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics Singapore Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  Keppel  Bay  Tower,  Singapore 098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User‟s Manual

Document Outline

9.7 - Fls Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Fls

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Fls_Renesas_Ar4.0.3_01.03.01_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3170

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

10 - Flash EEPROM Emulation

Flash EEPROM Emulation

Component Documentation

10.1 - AN-ISC-8-1161_FEE_alignments_to_reduce_data_loss_through_ECC

FEE alignments to reduce data loss through ECC

10.2 - AN-ISC-8-1161_FEE_alignments_to_reduce_data_loss_through_ECC_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6

10.3 - AN-ISC-8-1161_FEE_alignments_to_reduce_data_loss_through_ECCs

FEE alignments to reduce data loss through ECC
Version 1.0
2014-08-06
Application Note AN-ISC-8-1161

Author(s)
Goß, Michael
Restrictions
Customer confidential - Vector decides
Abstract
Alignments and ECC handling of flash devices have to be considered with the MICROSAR FEE
configuration

Table of Contents

1.0
Overview .......................................................................................................................................................... 1
2.0
Hardware Alignment Problem .......................................................................................................................... 1
3.0
FEE Alignment Configuration .......................................................................................................................... 4
3.1
FEE Write Alignment ..................................................................................................................................... 4
3.2
FEE Address Alignment ................................................................................................................................ 4
3.3
Recommendation for FEE Alignment Configuration ..................................................................................... 5
4.0
List of Affected Platforms ................................................................................................................................. 6
5.0
Additional Resources ....................................................................................................................................... 6
6.0
Contacts ........................................................................................................................................................... 6

1.0  Overview
This application note addresses a hardware dependent topic of microcontrollers which may lead to a corruption of
data entities in the flash memory. This document describes alignment attributes and ECC (Error Correction Code)
error handling of the flash memory hardware and how the MICROSAR Flash EEPROM Emulation (FEE) has to be
configured in order to avoid problems.
In section 2 the problem is illustrated on the basis of a particular microcontroller family, which is affected by this
behavior.
Section 3 describes the MICROSAR FEE alignment characteristics and points out configuration details, which have
to be taken into account.
In section 4 microcontroller families are listed which are known to show the described behavior.
2.0  Hardware Alignment Problem
The following hardware dependent problem is illustrated on basis of Freescale MPC560xB (Bolero) microcontroller
family. Generally the characteristics of every microcontroller should be examined to the effect that the described
problem is prevented.
In some microcontrollers, for instance in Freescale’s MPC560xB family, the hardware specific write alignment
differs from the read alignment. Particularly this can cause an issue if the read alignment is greater than the write
alignment. In this case the treatment of ECC (Error Correction Code) errors by the microcontroller can result in
corruption of data entities.
By way of illustration and for further considerations the alignment properties of MPC560xB family are depicted in
the following table:
Write alignment
8 byte (64 Bit)
Read alignment
16 byte (128 Bit)
Table 1 – Write and read alignment of MPC560xB microcontrollers
1
Copyright © 2014 - Vector Informatik GmbH
Contact Information: www.vector.com or +49-711-80 670-0

FEE alignments to reduce data loss through ECC

In figure 1 the addressing schemes of this hardware is described in accordance with read- or write-accesses to the
flash memory.

Figure 1 – Memory addressing

For further considerations: The smallest writable unit in this flash is called a page with a size of 8 byte.
The handling of programming (write) accesses differs from read accesses due to the alignment sizes. On the one
hand, programming the flash memory is possible with a page size of 8 byte (64 Bit) and therefore the write
addresses have to be aligned to 8 byte boundaries. On the other hand reading from the flash memory is hardware
specifically aligned to 16 byte boundaries. In consequence, the data being read from the flash memory contains
two pages of written data. It is required by AUTOSAR to provide memory abstraction and non-aligned memory
access. Nevertheless when performing read jobs, this flash memory controller always accesses 16 byte-sized
address spaces due to internal constraints. Therefore even if only one byte is requested by the application, the
flash memory controller accesses 16 bytes of data. As a consequence misaligned read accesses to hardware may
be accomplished by several 16 byte reads. The requested data then is extracted from the received packages and
assembled correctly before passing it to the upper layer.
For each written page (8 byte) one ECC is calculated to add some redundancy to a data set, which can be used to
check its consistency, and to recover data determined to be corrupted. The ECC implemented within the flash
memory module will correct single bit failures and detect double bit failures. Correction of single bit errors takes
place within the flash memory controller whereas the flash cell content remains unchanged. Depending on the
used platform, e.g. MPC560xB, ECC error handling varies. For further considerations the ECC error handling is
evaluated with regard to the microcontroller family MPC560xB.
If an uncorrectable ECC error occurs, an error response is signaled and the requested access is terminated with
an error. This implies that an ECC error in one page results in an erroneous read operation which actually
accesses two pages of written data. Hence reading from an address aligned to the 16 byte boundary fails if just
one page therein contains an uncorrectable ECC error. As a result the second potentially error-free page within this
read boundary will be treated as corrupted thereby as well.
The reason for an uncorrectable ECC error in a flash page is for example an aborted programming access due to a
reset. Figure 2 illustrates how one ECC error affects read operations.

2
Application Note AN-ISC-8-1161

FEE alignments to reduce data loss through ECC

Figure 2 – ECC error affects read operation

Figure 2 depicts that one ECC error within a 16 byte address boundary leads to an unsuccessful reading. If one
ECC error is received during read access, the flash memory controller does not update the read buffer. Thus
reading from this address fails even if one of the two pages is consistent.
This means the occurrence of one uncorrectable ECC error in a page treats the neighboring page within the 16
byte address boundary also as corrupted. This situation is particularly problematic if the start addresses of two
neighboring data blocks are not aligned to 16 byte address boundaries, as shown in figure 3.

Figure 3 – Two data blocks not aligned to 16 Byte (128-bit) address boundaries

As depicted in figure 3, an ECC error in one data block may result in the corruption of another data block. Either
the first page of data block 2 (left diagram) or the last page of data block 1 (right diagram) cannot be read in case
of an ECC error in the other block. Usually the first and the last pages of a data block contain information (e.g.
block id, block length) which is used for management purposes. If these pages cannot be read the entire data
block may be corrupted.
An application using the MICROSAR FEE with such insufficient alignment settings may run in data consistency
issues as described in the following example:
A (simplified) configuration contains one block with multiple instances. After writing this block several times, the
programming access is aborted due to a reset while writing the first page of the block. In consequence the block
with latest data was not written successfully and an uncorrectable ECC error occurs. Generally, when reading data
of a specific block from flash memory, the MICROSAR FEE returns the content of the last written data. In case the

3
Application Note AN-ISC-8-1161

FEE alignments to reduce data loss through ECC

last written instance is corrupt, e.g. due to a write abort (reset), the MICROSAR FEE returns the second latest
data. In this scenario the uncorrectable ECC error in the latest instance corrupts the second latest instance and
thus the MICROSAR FEE returns the data of the third latest instance to the application. Thus it cannot be assured
that the returned data is up-to-date.
A worst case scenario would be a completely corrupted flash image caused by an uncorrectable ECC error at
particular positions. As a result, neither read nor write accesses to the flash memory would be possible.
Regarding the impact of this behavior on an application, if reading data from the flash memory the following results
are possible:
•  Successful reading, no ECC error occurred, last written data is returned to the application
•  Successful reading, ECC error occurred, outdated data is returned to the application
•  Unsuccessful reading, ECC error occurred, no data is returned to the application
3.0  FEE Alignment Configuration
The MICROSAR FEE (Flash EEPROM Emulation) implementation is capable of addressing this hardware behavior
by providing two different alignment settings. It is distinguished between:
•  Write Alignment
•  Address Alignment
Following sections describe both FEE alignments’ purposes.
3.1  FEE Write Alignment
The write alignment is used for all write requests the FEE issues to the flash. Both flash addresses and job lengths
are always integer multiples of this value. Normally this value corresponds to the page size of the underlying flash
device and describes the smallest writeable unit of the flash hardware. Regarding to the microcontroller family
MPC560xB programming accesses to the flash are aligned to 8 byte (64 bit) address boundaries.
3.2  FEE Address Alignment
The address alignment influences the way FEE stores data entities in flash memory. Single entities, e.g. FEE
sector header, will start at addresses that are an integer multiple of FEE address alignment. In this way data
entities cannot influence other entities which are already stored in flash memory, especially if programming
accesses get aborted (i.e. ECC error), e.g. due to a reset.
In figure 4 different settings of address alignments are depicted in order to show the effect of this configuration
parameter.

Figure 4 – Effect of different FEE Address Alignment configurations

4
Application Note AN-ISC-8-1161

FEE alignments to reduce data loss through ECC

Left diagram of figure 4 shows that the start address of each data block is aligned to an 8 byte (64 bit) boundary.
Whereas the right diagram pictures a configuration in which the start address of each data block is aligned to a 16
byte (128 bit) boundary.
If performing read accesses to the flash memory, these configurations make a difference as soon as ECC errors
are considered. As illustrated in figure 3 an ECC error in one page corrupts the neighboring page due to the
hardware dependent size of read alignment.
Figure 5 points out that different data blocks have no influence on each other, if the address alignment setting
corresponds to the hardware dependent read alignment.

Figure 5 – ECC errors do not affect integrity of neighboring data blocks

In figure 5 two different situations are shown. On the one hand (left diagram) an ECC error in the last page of data
block 1 occurred. Reading from this address will fail but the other data block is not affected by this. On the other
hand (right diagram) an ECC error in the first page of data block 2 will not impair the integrity of data block 1.
It is shown that an appropriate configuration of FEE address alignment ensures that data blocks do not corrupt
each other due to ECC errors. The start address of each data entity is aligned in a way that read requests always
access only one block at a time.
3.3  Recommendation for FEE Alignment Configuration
As required by AUTOSAR, the MICROSAR FEE implementation is hardware independent. Still the MICROSAR
FEE provides a configurable write alignment and address alignment in order to address hardware dependent
characteristics. As it is illustrated using the example of MPC560xB platform, buffer sizes and alignments
constraints of read operations may differ from programming operations. In order to configure MICROSAR FEE
appropriately, it is recommended to check the hardware manual of the flash device for relevant data. Often this
information does not come out of manuals clearly. In case of ambiguity it is recommended to contact the
semiconductor manufacturer.
•  Configuring FEE write alignment:
The value of FEE write alignment should be set to the page size of the flash device in bytes. Note that FEE
does not support write alignments smaller than 8 bytes due to internal reasons.
•  Configuring FEE address alignment:
The value of the FEE address alignment should be set to the read alignment of the flash device in bytes.
Thus the start address of each data block is aligned in a way that ECC errors in one block do not corrupt

5
Application Note AN-ISC-8-1161

FEE alignments to reduce data loss through ECC

other blocks. Needless to say, FEE address alignment must not be configured smaller than FEE write
alignment.

4.0  List of Affected Platforms
The following list makes no claims of being complete. Only platforms are listed which are known to be affected. In
order to evaluate the problem regarding a specific non-listed platform, it is necessary to check the hardware
manual of the flash memory device for write/read alignments and ECC error handling. To remove ambiguity it may
also be useful to check with the semiconductor manufacturer.
List of affected microcontroller families:
•  Freescale Bolero MPC560xB/C
•  Freescale Pictus MPC560xP
•  Freescale Spectrum MPC560xS
•  Freescale Komodo MPC567xK
•  Freescale Monaco MPC563xM

5.0  Additional Resources
For additional information and how the relevant data for configuration is extracted from HW manuals see reference
manual of Freescale MPC5604BCRM microcontroller as an example:
In chapter 27.4.1 Module structure it is described how the flash memory is addressable for program (write) and
read accesses.
The chapter 27.8.7 Flash error response operation summarizes the ECC error handling of this specific flash
hardware.

VECTOR APPLICATION NOTE
AN-ISC-2-1100 ECC Error Handling on MPC55XX

6.0  Contacts
For a full list with all Vector locations and addresses worldwide, please visit http://vector.com/contact/.

6
Application Note AN-ISC-8-1161

Document Outline

10.4 - Fee Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Fee

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Fee_Vector_Ar4.0.3_08.00.10_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3169

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/06/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

10.5 - TechnicalReference_Fee

MICROSAR FEE

10.6 - TechnicalReference_Fee_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85

10.7 - TechnicalReference_Fees

MICROSAR FEE
Technical Reference

Version 8.01.00

Authors
Christian Kaiser
Status
Released

Technical Reference MICROSAR FEE

Document Information
History
Author
Date
Version
Remarks
Christian Kaiser
2012-06-26
8.00.00
-
Removed revision history entries, due to
major changes in component.
-  Removed all references to Fee30Inst2
-
Added Ch. 2.4.2 “Partitions”,
-
Added Ch. 4.3.2 “Fee_InitEx”, updated Ch.
4.3.1
-
Reworked Ch. 2.3, Ch. 2.6, Ch. 2.10, Ch.
3.1.1, 4.4.1, Ch. 5
-
Changes throughout the document:
introduction of partitions
-
Added Ch. 6.3.4
-  Added Ch. 2.4.3.1
Christian Kaiser
2012-09-20
8.00.01
-
Minor editorial changes in Ch. 5
-
Added Ch. 5.2.1
Christian Kaiser
2013-03-05
8.00.02
-
Ch. 1:  AUTOSAR version(s)
-
Ch. 6.3.1: maximum number of Partitions
Christian Kaiser
2014-03-11
8.00.03
-
Editorial changes (rework of review
findings)
-
Ch. 5.1.5.5: corrected description of
“Suspend Long”
-
Ch. 3.5: Critical Section description
-
Ch. 1.1 – updated figure, added notes.
Claudia Mausz
2015-02-13
8.01.00
-
Add new chapter:
2.12 Fee_MainFunction Triggering
Reference Documents
No.
Title
Version
[1]  AUTOSAR_SWS_Flash_EEPROM_Emulation.pdf
--
[2]  AUTOSAR_SWS_DET.pdf
V2.2.1
[3]  AUTOSAR_BasicSoftwareModules.pdf
V1.3.0

Please note
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2015, Vector Informatik GmbH
Version: 8.01.00
2 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

1  Introduction
This  document  describes  the  functionality, API  and  configuration  of  the AUTOSAR  BSW
module FEE as specified in [1].

Supported AUTOSAR Release*:
3 and 4
Supported Configuration Variants:
link-time with AUTOSAR 3
pre-compile with AUTOSAR 4

Vendor ID:
FEE_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
FEE_MODULE_ID
21 decimal
(according to ref. [3])
* For the precise AUTOSAR Release please see the release specific documentation.

The  FEE enables  you to access a dedicated flash area for storing data persistently.  It  is
intended to be used exclusively either by the NVRAM Manager or on SW instance within a
Flash-Boot-Loader in the Boot-Loader mode.
Further on, the module depends on some other modules, like DET for error handling, the
underlying Flash driver for hardware access and the MEMIF for consistent types.
2015, Vector Informatik GmbH
Version: 8.01.00
9 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

1.1
Architecture Overview
The following figure shows where the FEE is located in the AUTOSAR architecture.

Figure 1-1 AUTOSAR architecture
2015, Vector Informatik GmbH
Version: 8.01.00
10 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Th cle
a
s f
s o
S ll
a o
n w
db ing
ox
figure shows the FEE and its relationship to other modules.
Nv M
«use»
EcuM
MemIf
«optional»
«initialize»
«use»
«include»
Det
Fee
SchM
«optional»
«use»
«triggers»
«use»
«optional»
Fls

Figure 1-2  FEE in a typical (AUTOSAR) SW architecture

Note
Figure 1-2 shows the normal case. In general FEE does not depend on who actually
  uses it, and who provides required services. E.g. it does not matter who provides
mechanisms to synchronize access to critical sections (chapter 3.5), or who actually
calls Fee_MainFunction. It also doesn’t matter whether callbacks (Fls to FEE, FEE
to NvM) are directly called as depicted in the figure, or whether they are “intercepted”
by someone.

Caution
FEE assumes exclusive usage of Fls. Allowing other components to use Fls’s services
  results in synchronization issues, which are hard to solve. Hence this shall be avoided.

2015, Vector Informatik GmbH
Version: 8.01.00
11 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2  Functional Description
2.1
Features
The features listed in this chapter cover the complete functionality specified in [1].
The  "supported"  and  "not  supported"  features  are  presented  in  the  following  two  tables.
For further information of not supported features also see chapter 6.

The following features described in [1] are supported:
Feature
The module operates on blocks provided by the NVRAM Manager. Read accesses to blocks are
handled byte-wise.
Hardware restrictions like erase cycles or sector sizes are abstracted and not visible for the
upper layer.
Incomplete writes (e.g. due to reset) are detected.
The virtual sectors use a wrap-around concept with backup of the most recent data blocks.
Possibility to retrieve the number of erase cycles of a logical sector (done via the API service
Fee_GetEraseCycle()). This feature is an add-on to the AUTOSAR standard.
Possibility to retrieve the number of write cycles of a block (done via the API service
Fee_GetWriteCycle()).This feature is an add-on to the AUTOSAR standard.
Possibility to force sector switches (done via the API service
Fee_ForceSectorSwitch()).This feature is an add-on to the AUTOSAR standard.
API to perform data conversion after configuration update i.e. blocks whose payload has
changed may be converted according to new configuration without data-loss. This feature is an
add-on to the AUTOSAR standard.

Info
This feature is optional, i.e. it has to be ordered explicitly.

Fee supports Flash Address Spaces (provided by Fls) of up to 2GBytes, i.e. Sectors to be used
by FEE may resist in range 0x00000000 to 0x7FFFFFFF
Fee_MainFunction Triggering: Possibility to call the Fee_MainFunction in a cyclic task or in
a background task.
Table 2-1   Supported SWS features
The following features described in [1] are not supported:
Feature
The MAXIMUM_BLOCK_TIME is not supported by the FEE, because no time reference is provided
to the FEE.
Table 2-2   Not supported SWS features
2015, Vector Informatik GmbH
Version: 8.01.00
12 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.2
Initialization
The FEE is initialized and operational after Fee_Init() has been called.

Caution
The FEE is driven asynchronously, i.e. jobs are requested via dedicated API, and they
  are processed by calling Fee_MainFunction().

Initialization  just  prepares  FEE  to  accept  and  process  requests.  Initialization  of  sectors
(checking  their  headers  and  determining  new/old  one)  is  deferred  until  first  request  is
being started on a partition.

Additionally after initialization, any sector switch processing is disabled:
>  Sector Switch Processing in Background (see 2.7.1) can be enabled by
Fee_SetMode(MEMIF_MODE_SLOW).
>  Depending on “FSS Control API” (see Ch. 5.1.7.1) they can only be enabled by:
>  Fee_EnableFss(), if “FSS Control  API” was enabled. In that case write requests
beyond Foreground Sector Switch Threshold are disabled; refer to chapter 2.10.
>  Fee_Write() / Fee_InvalidateBlock() / Fee_EraseImmediateBlock(),
otherwise.
These implicit defaults help to ensure that FEE does not perform any write, or even erase
operations during ECU start-up, unless explicitly requested by user.

Caution
It is not recommended to use any of the mentioned services during ECU’s start-up
  phase. Special care needs to be taken about write requests: Proper initialization (order)
of application software is important to prevent from too early write accesses to NV
memory.

2.3
States
2.3.1
Module States
Point in Time
Module State
After Reset, before Fee_Init was called
MEMIF_UNINIT
When Fee_Init() returns
MEMIF_ BUSY_INTERNAL
When accepting a job request.
MEMIF_BUSY
If rejecting a job request.
No change.
Upon completing a job (including returning from Fee_SetMode())
MEMIF_BUSY_INTERNAL
Pending internal operations (while no user job is pending)
MEMIF_BUSY_INTERNAL
Not even an internal job is pending
MEMIF_IDLE
2015, Vector Informatik GmbH
Version: 8.01.00
13 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Table 2-3   Module states

Note
State MEMIF_UNINIT can only be delivered after reset, if start-up code was executed,
  and section FEE_START_SEC_VAR_INIT_UNSPECIFIED was mapped to an
appropriate section, being initialized by startup code. See also: chapter 3.2

2015, Vector Informatik GmbH
Version: 8.01.00
14 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Note
Normally (unless Fee_Cancel was called) FEE_IDLE state can only be entered via
  FEE_BUSY_INTERNAL.
Whenever FEE leaves MEMIF_BUSY_STATE due to job completion it asynchronously
checks all partitions for their fill levels, and the necessity of sector switch. Therefore,
even if no sector switch is necessary or allowed, it takes few Fee_MainFunction
cycles to finally become (and report) IDLE

stm GlobalFsm
PowerOff
Power-On Reset
MEMIF_UNINIT
PowerOff
power-off
Reset
Fee_Init
initialized
MEMIF_BUSY_INTERNAL
Fee_Cancel
MEMIF_IDLE
Fee_ForceSectorSwitch,
Fee_SetMode
jobCompleted
/jobResult = [MEMIF_JOB_OK,
Fee_Cancel
MEMIF_JOB_FAILED,
/jobResult = MEMIF_JOB_CANCELLED
MEMIF_BLOCK_INVALID,
MEMIF_BLOCK_INCONSISTENT]
Fee_Read, Fee_Write, Fee_Invalidate,
Fee_EraseImmediateBlock,
Fee_EraseImmediateBlock,
Fee_Invalidate, Fee_Read, Fee_Write,
Fee_ConvertBlockConfig
Fee_ConvertBlockConfig
/jobResult = MEMIF_JOB_PENDING
/jobResult = MEMIF_JOB_PENDING
MEMIF_BUSY
Fee_ForceSectorSwitch

Figure 2-1 FEE Module States

2015, Vector Informatik GmbH
Version: 8.01.00
15 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.3.2
Job States/Results

Point in Time
Job State
After successfully finished job
MEMIF_JOB_OK
After a job has been accepted
MEMIF_JOB_PENDING
After Fee_Cancel()
MEMIF_JOB_CANCELLED
After a read job has been finished and an invalidated block
MEMIF_BLOCK_INVALID
was found
After a block is read which has not been written successfully
MEMIF_BLOCK_INCONSISTENT
before.
After a job has been finished and retrieving data (independent  MEMIF_JOB_FAILED
from management information of payload data) from the Flash
failed
Table 2-4   Job states
2015, Vector Informatik GmbH
Version: 8.01.00
16 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.4
Flash organization
Figure 2-2 gives an overview of how FEE organizes flash memory, and how FEE’s three
main concepts – (User) Blocks, Partitions and Logical Sectors – are related.
pkg Ov erall Flash management concepts
Nv M
NVM::User Blocks
{1..*}
0..1
FEE
0..1
FEE::UserBlocks
{1..*}
0..1
1
FEE::Partition
{1..*}
2
FEE::Logical Sector
0..1
(Data)Flash
1..*
(Data)Flash::Physical Sector
{2..*}

Figure 2-2 From User Blocks to Flash Sectors
2.4.1
Block Handling
2.4.1.1
Block Chunks
Block chunks are the smallest entities the FEE can allocate dynamically in Flash. A chunk
allocation reserves space for a configurable number (refer to chapter 5.1.4) of versions of
the associated block. FEE continues writing new versions (aka instances) of this block into
its most recent chunk, until it’s full. Writing the next instance requires allocation of a new
2015, Vector Informatik GmbH
Version: 8.01.00
17 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

chunk.  Each  block’s  chunks  build  up  a  linked  list  in  flash:  each  chunk  points  to  its
successor.
2.4.1.2
Block Search
A  requested  block  is  searched  by  following  the  links  provided  by  the  block  chunks.  The
start  point  is  the  default  area  of  the  block.  If  the  chunk  link  is  not  valid  the  search  is
continued within the current chunk using a binary search algorithm.
The search concept provides fast access to every block as only the needed block chunks
are accessed.
2.4.2
Partitions
FEE employs a concept of partitions. A partition can be thought of an emulation space that
is managed separately from other ones:
>  Errors in one partition do not affect data in other ones
>  Error states (e.g. Read-Only Mode) are local to a single partition.
>  Job processing in one partition does (almost) not depend on sector switch processing
(chapter 2.7) in other partitions.
However,  compared  to  two  FEEs  operating  on  two  different  flash  devices,  partitions  still
require synchronization:
>  FEE is still restricted to use one single flash driver.
>  According to AUTOSAR, FEE is still limited to one pending user request.
>  Only one partition can perform a sector switch at a time
>  Sector switch processing can only be interrupted when processing a block completed.
Each partition consists of two logical sectors, which in turn are mapped to physical flash
sectors.
During configuration, each logical block must be assigned to a partition.

Note
FEE configurations for FBL and Application do not need to share all partitions. E.g. a
  partition containing only application data may remain unknown to the FBL. However,
shared partitions must refer to identical Fls configurations (FlsConfigSet container), and
they must match in address and size, as well as in alignment settings.

2015, Vector Informatik GmbH
Version: 8.01.00
18 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Example
Most typical as well as most recommended use case for partitions is the physical
  separation of frequently and infrequently written data. Such a separation reduces
sector switch efforts, because a whole partition would be infrequently updated.
Therefore, separation also increases availability data. However, it may increase
number of flash’s erase cycles over life-time, because frequently written data will
usually (it depends on actual amounts) be spread over less flash memory.

2.4.3
Logical Sectors
The  FEE  divides  the  physical  flash  assigned  to  a  partition  in  two  parts,  called  logical
sectors.  Each  logical  sector  must  be  mapped  to  one  or  more  continuous  physical  Flash
sectors. Logical sectors do not need to be aligned on physical sector boundaries, i.e. they
may  start  and/or  end  within  physical  sectors.  However,  start  and  end  addresses  must
adhere to the configured address alignment.

Note
The mapping of logical to physical sectors is mutual exclusive, i.e. physical sectors
  may not be shared between logical sectors.
It results in a minimum number of physical sectors that must be available to define
(additional) partitions: Per partition, two physical sectors must be provided by HW (and
Fls).

Caution
Unused flash space within a physical sector must not be used (neither read nor write)
  by other software. It should be assumed to be erased, because FEE does never write
it, but it will be erased, too, with each sector erase triggered by FEE.

Besides the lower logical sector must be located at a smaller address than the upper one,
both sectors may be located anywhere within the flash space provided by the underlying
driver  (considering  restrictions  imposed  by  hardware  or  the  driver,  of  course),  i.e.  there
may be a gap between them.

Furthermore, the two logical sectors must be erasable independently from each other, i.e.
they must be mapped to distinctive physical sectors.
The size of the smaller logical sector defines the maximal number of blocks  that  can be
handled by the FEE.

Info
Within AUTOSAR specification logical sectors are called virtual sectors.

2015, Vector Informatik GmbH
Version: 8.01.00
19 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.5
Processing
All  jobs  (Read,  Write,  InvalidateBlock,  EraseImmediateBlock,  GetWriteCycle,
GetEraseCycle, ForceSectorSwitch) will be executed asynchronously with the help of a job
state machine.

Caution
The FEE must be initialized before the services are called.

Caution
Only one job can be accepted at a time. Hence, it is not allowed to request an
  asynchronous job to the FEE as long as the currently pending job has not been
completed.

While
internal
operations
are
performed
(current
status
is
equal
to
MEMIF_BUSY_INTERNAL) a job can be accepted, but actual processing may be deferred
due to sector switch handling (see chapter 2.7 for more details).
2.5.1.1
Initial processing
In order to become able to process a request, FEE has to determine both logical sectors’
states, i.e. whether they are usable at all, and which one contains most recent data. Once
FEE determined these states, it maintains them in RAM.
Since a request is always associated with a partition, FEE performs this initialization step
at beginning of normal job processing.
2015, Vector Informatik GmbH
Version: 8.01.00
20 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Expert Knowledge
FEE attempts to read both sector headers, i.e. the first 8 bytes in each logical sector.
  This processing takes at least 3 cycles (from initial job request to start of actual job
processing), assuming FEE does not have to wait for Fls, i.e. Fls_Read processing
completes between two Fee_MainFunction calls.

Info
If one of both Fee sector headers is erased or corrupted, and the other one is ok, FEE
  tries to use the valid sector; erasing the other one will be done either when necessary,
or when no user jobs are pending (see also chapter 2.7)
If both sector headers are erased, FEE behaves as if flash is nearly full (see also
2.7.2): It will erase one logical sector and write its header, as part of first write class
job’s processing.
If both sector headers are corrupted or one header is corrupted and the other is
erased, FEE calls the user error callback function, if configured. Refer to chapter
3.3.5.3

2.5.1.2
Processing of Read Job
The  FEE  provides  the  service  Fee_Read()  for  reading  a  block.  This  service  reads  the
data of the block which has been most recently written.
This asynchronous job is initiated with the API function Fee_Read() and is processed by
subsequent calls of Fee_MainFunction() (see also chapter 2.3).
2.5.1.3
Processing of Write Job
To write the current block content to flash memory the API function Fee_Write() is used.
FEE  searches the next free position in the  most recent block  chunk  to  write  block’s  new
instance to.
This asynchronous job is initiated with the API function Fee_Write() and is processed by
subsequent calls of Fee_MainFunction() (see also chapter 2.3).
2.5.1.4
Processing of InvalidateBlock Job
To
invalidate
the
block
content
in
flash
memory
the
API
function
Fee_InvalidateBlock()  is  used.  The  FEE  component  marks  the  block  as  invalid;
upon success, subsequent read attempts report MEMIF_BLOCK_INVALID.

Expert Knowledge
Block Invalidation is very similar to Block Write, as it also creates a new instance, i.e. it
  consumes flash memory.

This asynchronous job is initiated with the API function Fee_InvalidateBlock() and is
processed by subsequent calls of Fee_MainFunction() (see also chapter 2.3).
2015, Vector Informatik GmbH
Version: 8.01.00
21 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.5.1.5
Processing of EraseImmediateBlock Job
Immediate data is data of a block  which  should be written with a higher priority than the
other blocks.
To mark an immediate block as erased the API function Fee_EraseImmediateBlock()
is  used.  As  the  FEE  component  can’t  erase  the  corresponding  block  it  writes  invalid
information for the block to the flash memory.

Expert Knowledge
FEE processes EraseImmediateBlock jobs identically to InvalidateBlock jobs.

This asynchronous job is initiated with the API function Fee_EraseImmediateBlock()
and is processed by subsequent calls of Fee_MainFunction() (see also chapter 2.3).
2.5.1.6
Processing of GetEraseCycle Job
The  erase  cycle  counter  is  increased  during  every  erase  of  a  certain  logical  sector  and
consequently counts the erase cycles of the flash.
To  get  the  erase  cycle  counter  of  a  specified  logical  sector,  the  API  function
Fee_GetEraseCycle()  is  used.  The  availability  of  this  service  is  configurable  at  pre-
compile time which can be done via the configuration tool.
This  asynchronous  job  is  initiated  with  the API  function  Fee_GetEraseCycle()  and  is
processed by subsequent calls of Fee_MainFunction() (see also chapter 2.3).
2.5.1.7
Processing of GetWriteCycle Job
The write cycle counter counts the write cycles of each block.
To  get  the  write  cycle  counter  of  a  specified  block,  the  API  function
Fee_GetWriteCycle()  is  used.  The  availability  of  this  service  is  configurable  at  pre-
compile time which can be done via the configuration tool.
This  asynchronous  job  is  initiated  with  the API  function  Fee_GetWriteCycle()  and  is
processed by subsequent calls of Fee_MainFunction()(see also chapter 2.3).
2.6
Error Handling
The module offers detection of errors.
Errors are classified in development and production errors.
Development  errors should  be detected and fixed during development/integration phase.
Those errors are caused by faulty configuration or incorrect usage of the module’s API.
Production errors are hardware errors and software exceptions that cannot be avoided and
are  also  expected  to  occur  in  production  code.  FEE  has  no  case  to  report  a  production
error.
2015, Vector Informatik GmbH
Version: 8.01.00
22 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.6.1
Development Error Reporting
Development  errors  are  reported  to  DET  using  the  service  Det_ReportError()  as
specified  in  [2],  if  development  error  detection  and  reporting,  are  enabled  (see  chapter
5.1.5.1).
If another module than DET is used for development error reporting, the function prototype
for  reporting  the  error  can  be  configured  by  the  integrator,  but  must  have  the  same
signature as the service Det_ReportError() (see chapter 2.6.3).
The reported FEE ID can be found in chapter 1.
The  reported  service  IDs  identify  the  services  which  are  described  in  4.3.  The  following
table presents the service IDs and the related services:
Service ID
Service
0x00u
Fee_Init() / Fee_InitEx()
0x01u
Fee_SetMode()
0x02u
Fee_Read()
0x03u
Fee_Write()
0x04u
Fee_Cancel()
0x05u
Fee_GetStatus()
0x06u
Fee_GetJobResult()
0x07u
Fee_InvalidateBlock()
0x08u
Fee_GetVersionInfo()
0x09u
Fee_EraseImmediateBlock()
0x10u
Fee_JobEndNotification()
0x11u
Fee_JobErrorNotification()
0x12u
Fee_MainFunction()
0x20u
Fee_GetEraseCycle()
0x21u
Fee_GetWriteCycle()
0x22u
Fee_GetSectorSwitchStatus()
0x23u
Fee_ForceSectorSwitch()
0x24u
Fee_ConvertBlockConfig()
Table 2-5   Mapping of service IDs to services
The errors reported to DET are described in the following table:
Error Code
Description
0x02
FEE_E_INVALID_BLOCK_NO
This error code is reported if an API service is called with
invalid block number.
0x10
FEE_E_PARAM_DATABUFFERPTR  It is reported if a pointer parameter of an API service is
called with the NULL_PTR value.
0x11
FEE_E_PARAM_SECTOR_NUMBER  It is reported if the Fee_GetEraseCycle() API service is
called with an invalid logical sector number.
0x12
FEE_E_PARAM_LENGTH_OFFSET  It is reported if the Fee_Read() API service is called with
2015, Vector Informatik GmbH
Version: 8.01.00
23 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Error Code
Description
invalid BlockOffset and Length values.
0x13
FEE_E_BUSY
It is reported if one of the asynchronous API services has
been called in parallel.
0x14
FEE_E_NO_INIT
It is reported if one of the API services has been called
without an initialized FEE.
0x15
FEE_E_PARAM_MODE
Neither MEMIF_MODE_SLOW nor MEMIF_MODE_FAST
has been passed to Fee_SetMode()
Table 2-6   Errors reported to DET

Expert Knowledge
All error codes starting from 0x10 are defined in addition to [1].

2.6.1.1
Parameter Checking
AUTOSAR requires that API functions check the validity of their parameters. The checks
listed  in Table 2-7  are  internal parameter checks of the API functions. These checks are
intended  for  development  error  detection  and  can  be  en-/disabled  separately;  it  is
described in chapter 5.1.5.
Capability of controlling execution of single checks is an addition to AUTOSAR which just
requires  to  en-/disable  the  complete  parameter  checking  via  the  parameter
FEE_DEV_ERROR_DETECT.
The following table shows which parameter checks are performed on which services:
Check

_PARAM_DATABUFFERPTR
Service
FEE_E_INVALID_BLOCK_NO
FEE_E
FEE_E_PARAM_SECTOR_NUMBER
FEE_E_PARAM_LENGTH_OFFSET
FEE_E_PARAM_MODE
FEE_E_BUSY
FEE_E_NO_INIT
Fee_Init()

Fee_SetMode()




Fee_Read()







Fee_Write()





Fee_Cancel()


Fee_GetStatus()

Fee_GetJobResult()


2015, Vector Informatik GmbH
Version: 8.01.00
24 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Check

_PARAM_DATABUFFERPTR
Service
FEE_E_INVALID_BLOCK_NO
FEE_E
FEE_E_PARAM_SECTOR_NUMBER
FEE_E_PARAM_LENGTH_OFFSET
FEE_E_PARAM_MODE
FEE_E_BUSY
FEE_E_NO_INIT
Fee_InvalidateBlock()




Fee_GetVersionInfo()



Fee_EraseImmediateBlock()




Fee_JobEndNotification()


Fee_JobErrorNotification()


Fee_MainFunction()


Fee_GetEraseCycle()






Fee_GetWriteCycle()





Fee_GetSectorSwitchStatus()

Fee_ForceSectorSwitch()


Fee_ConvertBlockConfig()





Table 2-7   Development Error detection: Assignment of checks to services
2.6.2
Production Code Error Reporting
FEE does not report any production related error to an error/event manager like DEM.
2.6.3
Error notification
All detected errors in development mode are by default reported to the Development Error
Tracer (DET), but can be configured regarding called function and include file.
The error declaration must have following syntax:
Prototype
Prototype syntax described in chapter 8.2.2 Det_ReportError of [2].
Parameter
ModuleId
Specifies the identifier of the module causing the error. The module Id of FEE
can be found in chapter 1.
InstanceId
The identifier of the index based instance of a module, starting from 0. Thus
the FEE is a single instance module it will pass 0 as InstanceId.
ApiId
The identifier of the API function, which caused the error.
ErrorCode
The number of the specific error.
2015, Vector Informatik GmbH
Version: 8.01.00
25 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Return code
void
--
Functional Description
User function for the Fee_Errorhook, which specifies development errors.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  called in application context
Table 2-8   Det_ReportError
2.7
Sector Switch
The  sector  switch  is  responsible  to  gather  most  recent  instances  data  of  all
blocks/datasets from one logical sector (= source sector) and write them to the other one
(= target sector). After this procedure has been finished, the source sector can be erased
to prepare it for storing data again.

Expert Knowledge
Under certain conditions, no copy is necessary at all. However, finally FEE has to erase
  a sector to reclaim free flash space.

There are different reasons to perform a sector switch
  Threshold exceeded (see below)
  User Request (Fee_ForceSectorSwitch)
  Critical Block Handling (refer to ch. 2.11)
2.7.1
Background Sector Switch (BSS)
Sector  Switches  will  be  processed  in  background,  unless  FEE  was  set  to  “Fast  Mode”
(refer to ch. 4.3.3). This means that processing occurs only if no user job is pending.
Sector  Switch  processing  is  interruptible  by  user  jobs  after  a  block  has  been  processed
(copied, or decision to skip copying was taken).
2.7.2
Foreground Sector Switch (FSS)
A  Sector  Switch  being  processed  in  Foreground  defers  a  write  job.  That  means  a  job
cannot be processed before a sector switch has been completed.
Such a sector switch is not interruptible by any other job.
2015, Vector Informatik GmbH
Version: 8.01.00
26 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Expert Knowledge
The actual reason is the pending job that was deferred. At most one job may be
  pending at any time.

FSS processing is always initiated to a pending write job for a particular block. This block
is associated with a specific partition; thus a FSS will be performed on that partition only.
2.7.3
Sector Overflow
A sector overflow occurs, if FEE failed to complete data copy, because both logical sectors
ran out  of  space. Since in  that case both sectors contain most  recent data instances (of
different blocks), FEE is unable to continue with erase operation without losing most recent
data.
Such an event is caused by several consecutive aborted write attempts.

Caution
Such aborts should be avoided wherever possible, i.e. they shall be considerable being
  exceptional (thus rare) events. Especially a SW reset shall be performed only if FEE is
IDLE.

A  sector overflow  is  local  to one  particular  partition,  i.e.  other  partitions  are  not  affected.
Probability of an overflow depends on different parameters:
>  Probability of resets, of course
>  Partition’s write load, which can be defined as number of bytes over time.
>  (Foreground) Sector Switch in relation to blocks’ sizes.
To minimize effects caused by under-voltage situations FEE provides additional services;
see chapter 2.10.
Accepting loss of most recent data instances, FEE may be instructed to perform a sector
erase in order to restore write ability; see chapter 3.3.5.3. Additionally the risk of losing
data can be restricted to certain “uncritical” blocks at configuration time. For details refer to
chapter 2.11.

2.7.4
Sector switch reserves and thresholds
The  FEE  determines  the  necessity  of  a  sector  switch  based  upon  exceeding  a  related
threshold value. This value is always an offset relative to the start address of the currently
“newer” sector.

2015, Vector Informatik GmbH
Version: 8.01.00
27 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Basic Knowledge
A threshold is considered to have been exceeded, if one sector (the older one) is full
  and the other one (newer sector) is filled up to (or exceeding) this certain level.

Note
To assure that a sector switch in FBL mode can copy FBL’s data and an unknown
  amount of application data, sector switch has to start as early as possible. Therefore in
FBL mode a sector switch starts once the newer logical sector is used. This might
degrade efficiency of flash usage, but since it would happen in FBL mode only, effects
are negligible.

In configuration “reserve values”, rather than the thresholds, need to be specified by user.
During generation the thresholds to be used by FEE are calculated based on these values
and  block  configuration.  “Reserve”  is  meant  as  follows:  How  much  space  the  FEE  shall
reserve  additionally  to  the  space  complete  block  configuration  would  consume  in  flash
(that is the amount of flash space that would be consumed, when every block was written
exactly once).
Thus a reserve value of 0 means: For every configured block, one chunk is reserved; FEE
shall start sector switch once less than one chunk per block fits into flash.
A reserve greater than 0 adds additional space resulting in more possible aborts until the
flash runs full (sector overflow).
The  worst  case  number  of  additional  resets  the  FEE  can  deal  with  is  the  FSS  reserve
divided by the size of the largest chunk.
There is no standard recommendation how to configure this threshold, because this value
depends on  the  individual  environment  of  the  ECU  and  the  configuration  of  the memory
stack, like:
  total available flash memory
  number of blocks/datasets
  size of the blocks/datasets
  page size of the flash hardware
  general handling of blocks, i.e. when blocks/datasets are written down  to the non-
volatile memory
2.7.5
Background Sector Switch Reserve/Threshold
A  sector  switch  in  background  mode  (BSS)  is  the  type  of  sector  switch  that  should
normally occur. In flash, both sectors are currently in use, but there is quite much space
available.
Exceeding BSS threshold causes FEE to start BSS processing, as described above.
2015, Vector Informatik GmbH
Version: 8.01.00
28 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.7.6
Foreground Sector Switch/Threshold
If  flash/partition  fill  level  exceeds  FSS  threshold,  it  is  quite  full.  It  can  be  seen  as  “last
chance processing”. Therefore, a write job directed to that partition will be deferred in order
to complete FSS first.
FSS  threshold  also  indicates  most  critical  fill-level:  once  it  is  exceeded,  a  call  to
Fee_DisableFss()  becomes  effective,  i.e.  in  that  case  FEE  terminates  write  requests
delivering error result.
Since BSS  is  defined to  start  earlier  than  FSS,  its  threshold  is  smaller. This  also means
that an FSS implies BSS, i.e. processing is done in Background, as described above.

Expert Knowledge
FEE keeps track of logical sector’s state. Once copying most recent data completed, it
  internally marks the “older” sector as out-dated. This results in reducing criticality: Flash
is still almost full, but we just need to erase a sector. An FSS becomes rather a BSS;
after completing the copy process, a pending write job gets the chance to be processed
before sector format is being started. If Flash is too full, the job will be deferred again; it
has to wait for completion of sector format.

2.8
Data Conversion

Info
This feature is optional, i.e. it has to be ordered explicitly.

Standard  FEE  implementation  allows  to  update  the  block  configuration,  and  to  modify
block  lengths  with  one  restriction:  Existing  data  of  blocks,  whose  payload  (length)  was
changed,  will  be  lost.  Trying  to  read  such  a  block  will  lead  to  job  result
MEMIF_BLOCK_INVALID,  until  the  block  has  been  re-written  according  to  new
configuration.
Data Conversion provides a “framework” enabling the SW to keep even those blocks: The
FEE scans Dataflash content. For each block (in detail: each block’s most recent instance)
it finds, a callback function will be invoked. This function gets following arguments:
>  Unique block identifier (each dataset is treated separately)
>  (pointer to) most recent data
>  old length (as found in flash)
>  new length (according to current configuration), if block is still configured.
Within the callback the user may decide what the FEE shall do with this block:
>  skip it (it will be lost after finalization of Conversion)
>  write it according to old length
>  write it according to new length
2015, Vector Informatik GmbH
Version: 8.01.00
29 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

The data passed to the callback may be modified; the FEE will write them, if desired. This
is  the  actual  conversion.  Since  the  FEE  is  not  able  to  detect  internal  configuration
changes, the callback will also be invoked for blocks whose length did not change.

Info
The callback might need to implement some code to make correct decisions, e.g. if
  different blocks need to be treated differently, additionally depending on old
configuration (from which version the update to current version has been performed)

If  a  block  does  not  contain  any  data,  i.e.  it was  never  (successfully)  written,  it  had  been
invalidated, or it became corrupted by other means, the callback will not be invoked; there
is no data to be converted.

Caution
Conversion must be triggered immediately after start-up, using
  Fee_ConvertBlockConfig (refer to 4.3.17), before upper layers get running, and
before a sector switch (with complete configuration) has been performed. Therefore it
must happen before the first write request (including invalidate and erase) was issued
to the FEE, and before an explicit Fee_ForceSectorSwitch has been requested.
Otherwise the sector switch would remove all out-dated (removed or payload changed)
data blocks

2.9
Flash Page Size impacts
The  smallest  writeable  entity,  called  page  size,  differs  for  example  from  2  byte  on  the
S12XDP512 up to 128 byte on the TC1796.  The size of  every kind of data  to  be  written
must be rounded up to a multiple flash device’s page size. Therefore padding is added, if
the data doesn’t fit a multiple of the page size.
For example, if you want to write 13 byte (incl. management information) into the flash of a
TC1796, the padding which is needed is 115 byte to reach a multiple of the page size 128
byte.  But  if  you  want  to  write  13  byte  (incl.  management  information)  into  the  flash  of  a
S12XDP512, the padding which is needed is only  1 byte to reach a multiple of the page
size 2 byte.
This  example  shows,  that  the  flash  could  be  used  much  more  efficient,  if  data  which
should be written matches the page size or is only a little smaller. That is to say, that it is
possible to write more instances of  a block/dataset of the same type into a smaller flash
with small page size than into a larger flash where plenty of padding has to be added.
2.10  Services for handling under-voltage situations
The  FEE  provides  two  sets  of  functions  enabling  you  to  handle  under-voltage  situations
properly.
Both sets focus on different use cases:
Fee_SuspendWrites()  is  intended  to  react  on  actual  under-voltage  situation  detected
via dedicated monitoring circuitry. Usually there is some amount of time (few milliseconds)
2015, Vector Informatik GmbH
Version: 8.01.00
30 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

to  react  on  such  conditions  until  a  low  voltage  reset  occurs.  Its  counterpart,
Fee_ResumeWrites(),  was  introduced  in  order  to  prevent  from  stalling,  if  voltage
reaches normal range, without any reset.
The  other  set,  namely  Fee_EnableFss()  and  Fee_DisableFss(),  respectively,  is
intended  to  signal  the  increased  or  decreased  risk  of  resets  to  the  FEE.  For  instance,
usually engine start (cranking) might be a situation of higher risk, while  a running engine
might be a much safer situation. Since this function set deals with risks, they will only have
a noticeable effect if the flash becomes too full, i.e. if Foreground Sector Switch Threshold
exceeded.  As  long  as  flash  is  not  at  a  critical  fill  level  (denoted  by  Foreground  Sector
Switch Threshold), the write operations and (background) sector switch are permitted. On
the  other  hand,  execution  of  FSS  may  be  disabled.  In  this  case,  write  requests  are
forbidden, once FSS became necessary; they will fail with error result.

Caution
If this set of functions is enabled in configuration, FEE does not automatically enable
  FSS, i.e. execution of Foreground Sector Switches is disabled per default (after
Fee_Init()). In order to enable execution of FSS, you will have to call
Fee_EnableFss() once ECU start-up completed, and operating conditions are stable
(esp. normal voltage).

Basic Knowledge
Execution of Sector switch (“garbage collection”) is essential to keep FEE writable. In
  case of exceeded Foreground Sector Switch Thresholds the flash is at a critical fill
level, i.e. cleaning up has become urgently necessary. Writing new data in this situation
might consume additional flash space; it would become insufficient to complete the
sector switch afterwards.

Caution
It should be ensured Fee_EnableFss()will  be called after start-up, at least under
  normal conditions. Otherwise FSS’s intention of “last-chance processing” would be
foiled; exceeding FSS threshold would cause entering read only mode. This in turn
should be exceptional behaviour.

Expert Knowledge
As stated in chapter 2.7.6, criticality reduces once block copy has been completed.
  Thus, if Fee_DisableFss() was recently called, FEE remains writable, once block
copy completed, and only sector erase is outstanding.

2015, Vector Informatik GmbH
Version: 8.01.00
31 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

2.11  Critical Data Blocks
In order to keep FEE writable in case of sector overflows (chapter 2.7.3), it has to erase
one  logical  sector.  Though  this  event  is  an  exception,  occurring  really  rarely,  the  erase
causes loss of recent data instances.
While  such  a  loss  would  be  uncritical  to  some  data  blocks,  losing  some  other  blocks’
recent  instances  might  cause  the  whole  ECU  to  cease  working.  Such  data  blocks  are
essential  to  ECUs  operability;  losing  them  is  critical  (as  would  result  in  “defective  ECU”
requiring service). FEE configuration provides the possibility to mark these blocks.

Basic Knowledge
Typically data block’s “criticality” rises with decreasing write frequency. The more
  infrequently a block will be written the less number of older instances exist, and the
larger their semantic difference would be, disqualifying them for usage as fall-back
data.

As a result FEE ensures that any write access keeps all “critical” Data Blocks’ most recent
instances within one logical sector. Thus there is always one logical sector that might be
erased (in case of error) without losing such “critical” data.
Keeping critical data together requires conditional execution of sector switch. If necessary,
i.e.  if  a  critical  block  cannot  be  written  into  the  same  logical  sector  containing  all  other
critical blocks, FEE performs a Foreground Sector Switch.
Since  each  block  configured  to  be  critical  may  cause  an  additional  sector  switch  before
writing a new instance, flash usage over life-time increases due to additional block copies.

Note
Due to independency of partitions, the differentiation between critical and “not as
  critical” data blocks is also local to a partition. On one hand FEE only has to care about
all critical blocks in a particular partition. On the other hand, resolving a sector overflow
(by formatting a sector) may cause loss of recent uncritical data in only that partition.

Basic Knowledge
By marking all Blocks assigned to one partition as “critical”, that partition can be
  configured to operate with so called “single sector usage”, that is, FEE ensures that all
data blocks’ recent instances are located within a single logical sector. Before switching
to the other one, all recent instances will be copied. This results in most robust
operations (concerning aborts). However, there are penalties in performance,
especially because no BSS can actually be performed, as well as in flash usage,
because always all recent data instances will be copied.

2015, Vector Informatik GmbH
Version: 8.01.00
32 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Expert Knowledge
Even though the FEE in FBL does not know anything about Application’s, critical blocks
  can be handled safely, unless added to FBL configuration and set to “uncritical” (thus
configured inconsistently).

Caution
If Data Flash is being shared between Application and FBL, it is highly recommended
  to configure all FBL blocks being “critical”. Typically there are some blocks, containing
information about Application’s validity and information whether to start Application or
FBL. These blocks are critical to an ECU!

Note
It is not recommended to mark blocks as “critical” and “immediate”. Requirements on
  both types contradict: while “immediate” data are required to be written fast, “critical”
data are required to be written very safely, implying additional operations, which slow
down write performance.
2.12  Fee_MainFunction Triggering

In  AUTOSAR  release  4.x  an  additional  option  is  introduced,  to  be  able  to  call  the
Fee_MainFunction in a cyclic task or in a background task.
The  cyclic  task  (default  configuration)  is  used  when  the  main  function  shall  be  triggered
periodically. Typically the cycle time needs to be defined, for example 10ms.
If the Fee_MainFunction shall be accessed quicker, the function shall be called in a
background task. The background task runs when the system has nothing to do further.
The Fee_MainFunction is called as often as the available CPU load allow.

Caution
If the system is overloaded, it may happen that the background task is no longer called.

Note
The Fee_MainFunction should not be triggered faster than Fls_MainFunction,
  because the FEE must wait for the FLS.

2015, Vector Informatik GmbH
Version: 8.01.00
33 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

3  Integration
This chapter gives necessary information for the integration of  the MICROSAR  FEE  into
an application environment of an ECU.
3.1
Scope of Delivery
The delivery of the  FEE contains the files which are described in the chapters 3.1.1 and
3.1.2.
3.1.1
Static Files
File Name
Description
Fee.h
Defines the public interface of MICROSAR FEE module.
Fee_Types.h
Defines public types of FEE.
Fee.c
Implements the MICROSAR FEE module. Contains the API part of the
implementation, as well as the state machine.
Fee_IntBase.h
Defines basic internal type definitions
Fee_Int.h
Defines the internal interface for all module internal source files, as well as
the container for all RAM variables which are used by the FEE.
Fee_Partition.h  Provide internal services to manage partitions
Fee_Partition.c
Fee_Sector.h
Internal services abstracting access to logical sectors
Fee_Sector.c
Fee_ChunkInfo.h  Internal services providing access to Chunks and instances contained
Fee_ChunkInfo.c  within.
Fee_Cbk.h
Defines the callback interface for the lower layer.
Fee_bswmd.arxml  Contains the formal notation of all information, which belongs to the FEE.
Identifier.xml
Defines all configuration parameters.
Fee.xml
Defines the GUI which represents this module.
If_AsrIfFee.jar  Generator plug-in for DaVinci Configurator 5
Table 3-1   Static files
Only Fee.h shall be included directly by other components.
3.1.2
Dynamic Files
The dynamic files are generated by the configuration tool DaVinci Configurator.
File Name
Description
Fee_Cfg.h
Contains the static configuration part of this module.
Fee_Lcfg.c
Contains the link-time part of configuration.
Fee_PrivateCfg.h  Contains the static configuration part, which is only included of this
module.
Table 3-2   Generated files
2015, Vector Informatik GmbH
Version: 8.01.00
34 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

3.2
Compiler Abstraction and Memory Mapping
The  objects  (e.g.  variables,  functions,  constants)  are  declared  by  compiler  independent
definitions  –  the  compiler  abstraction  definitions.  Each  compiler  abstraction  definition  is
assigned to a memory section.
The  following  table  contains  the  memory  section  names  and  the  compiler  abstraction
definitions defined for the FEE and illustrate their assignment among each other.
Compiler Abstraction
Definitions

Memory Mapping

Sections

FEE_API_CODE
FEE_APPL_CODE
FEE_APPL_CONFIG
FEE_APPL_DATA
FEE_CONST
FEE_PRIVATE_CODE
FEE_PRIVATE_CONST
FEE_PRIVATE_DATA
FEE_VAR
FEE_VAR_NOINIT
FEE_START_SEC_CODE




FEE_START_SEC_CONST_UNSPECIFIED





FEE_START_SEC_APPL_CONFIG_UNSPECIFIED



FEE_START_SEC_VAR_NOINIT_UNSPECIFIED


FEE_START_SEC_VAR_INIT_UNSPECIFIED



Table 3-3   Compiler abstraction and memory mapping
  FEE_START_SEC_CODE / FEE_STOP_SEC_CODE
–  Placement of all API functions
–  FEE_API_CODE
Calling convention for all API functions
Note that these functions are called from different modules, suitable
convention depends on global section mapping.
–  FEE_PRIVATE_CODE
Calling convention all internal functions
It is recommended to locate all FEE code sections into one single output
section and to make the internal function calls as “near” as possible.
  FEE_START_SEC_APPL_CONFIG_UNSPECIFIED /
FEE_STOP_SEC_APPL_CONFIG_UNSPECIFIED
–  FEE_APPL_CONFIG
Configurable constants allocated in Fee_Lcfg.c
  FEE_START_SEC_CONST_UNSPECIFIED /
FEE_STOP_SEC_CONST_UNSPECIFIED
2015, Vector Informatik GmbH
Version: 8.01.00
35 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

–  FEE_PRIVATE_CONST
Internal constants, to be accessed only from within FEE.
–  FEE_CONST
All module constants, to be accessed from outside the FEE

Expert Knowledge
At least on 16bit platforms it is recommended to locate code and constants into same
  memory area, in order to get most efficient access (“near”).

  FEE_START_SEC_VAR_NOINIT_UNSPECIFIED /
FEE_STOP_SEC_VAR_NOINIT_UNSPECIFIED
–  FEE_VAR_NOINIT
Module variables which do not need to be initialized (not even zeroed out)
There are not intended to be accessed outside FEE.

  FEE_START_SEC_VAR_INIT_UNSPECIFIED /
FEE_STOP_SEC_VAR_INIT_UNSPECIFIED
–  FEE_VAR
Internal global variables of the module which must be initialized by start-up
code and which are not fixed to one type

Note
Currently Fee_ModuleStatus_t is the only variable that needs to be initialized, in
  order to get the “(Un)Init Development Check” working.
If this check was disabled at pre-compile time, FEE does not have any initialized
variables.

FEE_APPL_DATA is used to reference to buffers provided by client software.

Caution
The distance of FEE_APPL_DATA must be the same or bigger than the distance of
  FEE_VAR_NOINIT.

3.3
Dependencies on SW Modules
3.3.1
OSEK/AUTOSAR OS
This operating system is used for task scheduling, interrupt handling, global suspend and
restore  of  interrupts  and  creating  of  the  Interrupt  Vector  Table.  Resources  like  shared
variables can be protected by the usage of OS services.
2015, Vector Informatik GmbH
Version: 8.01.00
36 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Note
FEE does not directly depend on OS. Rather, dependency is actually created by
  integrator when configuring OS services and assigning Fee_MainFunction to an OS
task

3.3.2
Module SchM
In  an  AUTOSAR  environment,  protection  of  “critical  sections”  is  encapsulated  by  the
Scheduling Manager, SchM.
Integrator  has  to  ensure,  SchM  maps  critical  section  functions  to  appropriate  services.
Therefore SchM just encapsulates dependency to OS.

Note
Dependency on SchM can be globally disabled in DaVinci Configurator. Then the
  (probable) more direct dependency to OS would be used.

3.3.3
Module Det
This module  is  the  Development  Error Tracer.  It  is  optional  and  records  all  development
errors for diagnostic purposes.
Its usage can be enabled and disabled by the switch FEE_DEV_ERROR_DETECT.
If  another  module  is  used  for  development  error  reporting,  the  function  prototype  for
reporting the error can be configured by the integrator, but must have the same signature
as the service Det_ReportError() (see chapter 2.6.3).
3.3.4
Module Fls
The Fls driver provides the access to the underlying hardware. The specific properties of
the flash hardware influence the configuration of the FEE component.
Its services are called to request a special job to the driver.
2015, Vector Informatik GmbH
Version: 8.01.00
37 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

3.3.5
Callback Functions
3.3.5.1
Lower layer interaction
The  FEE  offers  the  usage  of  callback  notification  functions  for  the  underlying  driver  to
inform
the
FEE
that
a
job
has
finished
successfully
or
not.
The
Fee_JobEndNotification()  is  called  when  a  job  is  completed  with  a  positive  result
and the  Fee_JobErrorNotification()  is  called  when a  job  is  cancelled,  aborted  or
failed.

Note
The interaction between FEE and the underlying driver does not need to be performed
  via a notification mechanism. Also polling mode can be chosen if desired.

3.3.5.2
Upper layer interaction
The  NVM  offers the usage of callback notification functions for the  FEE,  to get  informed
that a job has finished successfully or not. The  Nvm_JobEndNotification() is called
when a job is completed with a positive result and the Nvm_JobErrorNotification()
is called when a job is cancelled, aborted or failed.

Note
The interaction between NVM and FEE does not need to be performed via a
  notification mechanism. Also polling mode can be chosen if desired.

2015, Vector Informatik GmbH
Version: 8.01.00
38 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

3.3.5.3
User Error Callback
Prototype
uint8 Appl_CriticalErrorCallback (uint8 partitionId, Fee_SectorError
errCode)
Parameter
partitionId
ID of partition the error occurred.
Note that FEE publishes symbolic names
(macros) as chosen in configuration.
errCode
See chapter 4.2.2
Return code
FEE_ERRCBK_REJECT_WRITE
FEE’s partition shall enter “read only mode”
currently pending and all subsequent write
requests will be completed with result
MEMIF_JOB_FAILED
FEE_ERRCBK_REJECT_ALL
FEE’ partition shall enter “reject all mode” all
subsequent requests, including currently pending
one, will be completed with result
MEMIF_JOB_FAILED
FEE_ERRCBK_RESOLVE_AUTOMATICALLY Try to resolve error automatically. This might
result in loss of most recent data instances.
Functional Description
This function may be implemented by environment software, if special handling for serious errors
is necessary. For instance, FEE’s default behavior might not be feasible, or additional handling,
such as reporting an event to the DEM is required.




Info
FEE’s default behavior is to keep itself running and writable. This means, per default
  the FEE tries to resolve the problem automatically, unless the error code is
FEE_SECTOR_FORMAT_FAILED, where it would enter read-only mode.




Additionally, if development mode is configured, checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer
to chapter 2.6.1).
Particularities and Limitations
  This service is synchronous.
  This service is non re-entrant.
  This service is always available.
Expected Caller Context
  This routine might be called on interrupt level, depending on the calling function.

Each  error  results  in  a  specific  default  behavior,  which  becomes  effective  if  User  Error
Callback was disabled in configuration. This default behavior can also be requested from
User Error Callback by using FEE_ERRCBK_RESOLVE_AUTOMATICALLY.
2015, Vector Informatik GmbH
Version: 8.01.00
39 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Error Code
Default behavior
FEE_SECTORS_CORRUPTED
Try to erase/re-init logical sectors.
FEE_SECTOR_OVERFLOW
Erase the newer logical sector.
FEE_SECTOR_FORMAT_FAILED
Enter read only mode.
Return value FEE_ERRCBK_RESOLVE_AUTOMATICALLY may
be used by user-implemented error callback. It results in
retrying logical sector format. Since it might fail with same error,
retries should be limited within error callback .
FEE_SECTOR_CRITICAL_FILL_LEVEL  Just continue, i.e. perform foreground sector switch, if it is
enabled.
Table 3-4   Error Codes and FEE’s default behavior

3.4
Dependencies on HW modules
The FEE is principally hardware independent. Nevertheless, the Fls driver has to provide
some  parameters  (defined  in  the  BSWMD  file)  the  FEE  relies  on,  e.g.  the  page  size  or
sector sizes.
3.5
Critical Sections
In  general  Fee_MainFunction  and  FEE’s  job API  may  concurrently  access  variables;
they
need
to
be
synchronized.
FEE
defines
one
critical
section,
FEE_EXCLUSIVE_AREA_0.  Sections  of  code  to  be  synchronized  are  very  short;  they
contain  only  few  instructions,  and  their  run  times  do  not  depend  on  configuration.
Therefore, a simple global interrupt lock may be used, though not necessary.
If Fee_MainFunction (the OS task(s) it is running in) cannot be preempted by callers of
FEE API (especially NvM_MainFunction) and vice versa, no synchronization mechanism
is necessary, at all.

Changes
A second type of critical section, FEE_EXCLUSIVE_AREA_1, became obsolete. It
  should not be used. Rather, it should just map to “nothing”. As specified by AUTOSAR
MainFunctions are not re-entrant.
If Fee_MainFunction may be called from different (task) contexts, which may pre-
empt each other, a synchronization mechanism (e.g. an OS Resource) should be
locked and released outside.
Usually other Main Function calls, in particular NvM_MainFunction and/or
Fls_MainFunction would require synchronization as well. Thus, an externally
defined mechanism could be better adapted to specific needs.

2015, Vector Informatik GmbH
Version: 8.01.00
40 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

4  API Description
4.1
Interfaces Overview
For an interfaces overview please see Figure 1-2.
4.2
Type Definitions
4.2.1
Fee_SectorSwitchStatusType
Description
This type specifies the possible status values of the sector switch.
Range
FEE_SECTOR_SWITCH_IDLE
The sector switch is currently not running.
FEE_SECTOR_SWITCH_BLOCK_COPY The sector switch is currently busy with copying blocks/datasets in a
partition from the logical source sector to the logical target sector.
FEE_SECTOR_SWITCH_ERASE
The sector switch is currently busy formatting the previous source
sector in a partition.
FEE_SECTOR_SWITCH_UNINIT
The FEE is not initialized. Currently, this value is not used.
Table 4-1   Fee_SectorSwitchStatusType

Info
This is an addition to AUTOSAR.

4.2.2
Fee_SectorErrorType
Description
This type specifies the possible errors which shall describe erroneous situations the FEE can reach.
Range
FEE_SECTORS_CORRUPTED
The sector headers respectively the sector ID of both logical
sectors could not be read. Hence, the most recent sector could
not be determined.
FEE_SECTOR_OVERFLOW
Both logical sectors are completely filled and it is not possible to
write any data. Nevertheless, it is still possible to read data from
the Flash memory.
FEE_SECTOR_FORMAT_FAILED
One logical sector could not be allocated correctly, e.g. sector
header is not valid.
2015, Vector Informatik GmbH
Version: 8.01.00
41 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

FEE_SECTOR_CRITICAL_FILL_LEVEL Foreground Sector Switch Threshold exceeded, and both logical
sectors are currently in use. This means that the flash is nearly
full. If FSS was disabled, this error code also denotes a
temporary read only condition, since FEE won’t write to flash
unless Fee_EnableFss was called.

Note
This code actually does not denote an error.
  Rather it denotes a “risky” situation; an error
(sector overflow) might follow.

Table 4-2   Fee_SectorError  Type

Info
This is an addition to AUTOSAR.

4.3
Services provided by FEE
The FEE API consists of services, which are realized by function calls.

Info
Most of the following API functions report development errors as listed in chapter 2.6.1.
  If an error is detected the concerning API function will be left without any further
actions.

4.3.1
Fee_Init
Prototype
void Fee_Init(void)
Parameter
--
--
Return code
void
--
2015, Vector Informatik GmbH
Version: 8.01.00
42 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Functional Description
This service initializes the FEE module and all needed internal variables.
The FEE module doesn't support any runtime configuration. Hence, a pointer to the configuration structure
is not needed by this service.
The FEE does not initialize the underlying Flash driver, but this shall be done by the ECUM module. (This is
no AUTOSAR deviation.)
This function is specified in [1], and it should be used unless, a different configuration shall be used by
FEE.

Info
This service calls Fee_InitEx (see clause 4.3.2), passing pointer to generated
  Fee_Config structure.

Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
>  This service shall not be called during a pending job.
Expected Caller Context
>  Expected to be called in application context.
Table 4-3   Fee_Init
4.3.2
Fee_InitEx
Prototype
void Fee_InitEx(Fee_ConfigType* config)
Parameter
config
Pointer to FEE’s Block configuration, which is always named Fee_Config; it
is defined in Fee_Lcfg.c, and its declaration is available via Fee.h.

Expert Knowledge
This parameter enables sharing FEE code between a Flash

Bootloader and application, while both use different Block
configurations.

Return code
void
--
Functional Description
This is an alternative/extended service to initialize the FEE module and all needed internal variables.
The FEE does not initialize the underlying Flash driver, but this shall be done by the ECUM module. (this is
no AUTOSAR deviation)
2015, Vector Informatik GmbH
Version: 8.01.00
43 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
>  This service shall not be called during a pending job.
Expected Caller Context
>  Expected to be called in application context.
Table 4-4   Fee_InitEx
4.3.3
Fee_SetMode
Prototype
void Fee_SetMode(MemIf_ModeType Mode)
Parameter
Mode
MEMIF_MODE_SLOW: Enable processing of Background Sector Switches
MEMIF_MODE_FAST: Disable processing of Background Sector Switches
Return code
void
--
2015, Vector Informatik GmbH
Version: 8.01.00
44 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Functional Description

Expert Knowledge
Deviating from [1], this function does not call underlying Flash driver’s related
  function, Fls_SetMode().

Info
This service is a synchronous call and does not need to be processed by the
  Fee_MainFunction().

Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).

Caution
Calling Fee_SetMode() has significant impact on FEE’s behavior. After startup of
  the ECU (ReadAll-process by the NVM has finished), the FEE is set to
MEMIF_MODE_SLOW, which is initiated by the NVM, if configured accordingly. This is
an indicator to the FEE, which enables processing relative time consuming sector
switch in background, i.e. while no user jobs are pending. Refer to chapter 2.7 for
details on sector switches.
On the other hand, during shut-down, performing sector switches in background may
be inhibited by setting FEE to MEMIF_MODE_FAST.

Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-5   Fee_SetMode
4.3.4
Fee_Read
Prototype
Std_ReturnType Fee_Read
(
  uint16 BlockNumber,
  uint16 BlockOffset,
  uint8 *DataBufferPtr,
  uint16 Length
)
2015, Vector Informatik GmbH
Version: 8.01.00
45 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Parameter
BlockNumber
Handle of a block (depending on block configuration)
BlockOffset
Read address offset inside the block
DataBufferPtr
Number of bytes to read
Length
Pointer to data buffer
Return code
E_OK
Read job has been accepted.
E_NOT_OK
Read job has not been accepted.
Functional Description
This function starts the read processing for the specified block.

Info
The job processing is asynchronous. The result of the finished job can be polled by
  calling Fee_GetJobResult().

When the current block is found, the parameters BlockOffset and Length are used to call the Read function
of the underlying Fls driver to read out the content of the flash memory to the provided DataBufferPtr.
As the processing is asynchronous the return value of the Fls Read function can only be returned indirectly
via the job result.
Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).
Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-6   Fee_Read
4.3.5
Fee_Write
Prototype
Std_ReturnType Fee_Write
(
  uint16 BlockNumber,
  uint8 *DataBufferPtr
)
Parameter
BlockNumber
Handle of the block (depending on block configuration)
DataBufferPtr
Pointer to data buffer
2015, Vector Informatik GmbH
Version: 8.01.00
46 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Return code
E_OK
Write job has been accepted
E_NOT_OK
Write job has not been accepted.
Functional Description
This function starts the write processing for the specified block.

Info
The job processing is asynchronous. The result of the finished job can be polled by
  calling Fee_GetJobResult().

When the next free area for the block was found, the content of the provided DataBufferPtr is written to the
flash memory.
Additionally, management information is stored to identify the block.
The real count of bytes which must be written depends on the hardware specific page alignment and the
size of the management information.
As the processing is asynchronous the return value of the Fls write function can only be returned indirectly
via the job result.
Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).
Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-7   Fee_Write
4.3.6
Fee_Cancel
Prototype
void Fee_Cancel(void)
Parameter
--
--
Return code
void
--
2015, Vector Informatik GmbH
Version: 8.01.00
47 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Functional Description
This service cancels a currently pending job.
The state of the FEE  will be set to MEMIF_IDLE.
If the FEE is currently IDLE, calling this service is without any effect.

Expert Knowledge
Additional actions, especially unwinding internal state machine stack and cancelling a
  pending Fls job, will be done asynchronously, before a starting a subsequent write
job.
A read request, immediately following Fee_Cancel(), would be deferred in order to
avoid cancelling sector switch processing in a destructive manner.

Caution
A running sector switch (on any partition) will not be cancelled in destructive manner,
  if FSS threshold was exceeded. Therefore a subsequent write job will be deferred,
until a running copy process (for one single block) has been finished.
Additionally, a subsequent write request would be deferred due to performing
complete FSS, if FSS threshold was exceeded in requested block’s partition .

Fee_DisableFss() may be used to shorten response times, especially the latter case.
Copy would not be started and write requests would fail, rather than waiting for FSS
completion (see chapter 2.10).

Additionally, if development mode is configured, checks are done and in case of failure they are reported to
the DET by default with the according service ID and the reason of occurrence (refer to chapter 2.6.1).
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-8   Fee_Cancel
4.3.7
Fee_GetStatus
Prototype
MemIf_StatusType Fee_GetStatus(void)
Parameter
--
--
2015, Vector Informatik GmbH
Version: 8.01.00
48 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Return code
MEMIF_UNINIT
The FEE is currently not initialized -> Fee_Init() must be called to use
the functionality of the FEE.
MEMIF_IDLE
The FEE is currently idle -> no asynchronous job available
MEMIF_BUSY
The FEE is currently busy-> a asynchronous job is currently processed by
the FEE
MEMIF_BUSY_INTERNAL
The FEE has to process internal operations to ensure further write and/or
invalidate jobs.
Functional Description
This service returns the FEE’s current module state synchronously. Refer to chapter 2.3.1 for more details.
Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-9   Fee_GetStatus
4.3.8
Fee_GetJobResult
Prototype
MemIf_JobResultType Fee_GetJobResult(void)
Parameter
--
--
Return code
MEMIF_JOB_OK
The last job has been finished successfully.
MEMIF_JOB_PENDING
The last job is waiting for execution or currently being executed.
MEMIF_JOB_CANCELLED
The last job has been cancelled by the Fee_Cancel() service.
MEMIF_JOB_FAILED
The Flash driver reported an error or the FEE could not achieve the
requested job due to hardware errors (e.g. memory cell defects).
MEMIF_BLOCK_INCONSISTENT
The data of requested block could not be read, because the data are
corrupt.
MEMIF_BLOCK_INVALID
The requested block has been invalidated previously by the service
Fee_InvalidateBlock() or reading from an erased block is
achieved (independent from called Fee_EraseImmediateBlock()
or a never written block).
Functional Description
This service returns the result of the last job executed. Refer to chapter 2.6.1 for more details.
2015, Vector Informatik GmbH
Version: 8.01.00
49 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-10   Fee_GetJobResult
4.3.9
Fee_InvalidateBlock
Prototype
Std_ReturnType Fee_InvalidateBlock(uint16 BlockNumber)
Parameter
BlockNumber
Number of the block (depending on block configuration).
Return code
E_OK
Invalidate job has been accepted.
E_NOT_OK
Invalidate job has not been accepted.
Functional Description
This service invokes the invalidation procedure for the selected block. If the service succeeds the most
recent data block is marked as INVALID.

Info
The job processing is asynchronous. The result of the finished job can be polled by
  calling Fee_GetJobResult().

When the last/current block was found the next free area will be written with special invalidate information.
As this information is saved in flash memory it is resistant against resets.

Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).
Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-11   Fee_InvalidateBlock
2015, Vector Informatik GmbH
Version: 8.01.00
50 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

4.3.10  Fee_GetVersionInfo
Prototype
void Fee_GetVersionInfo(Std_VersionInfoType *VersionInfoPtr)
Parameter
VersionInfoPtr
Pointer to where to store the version information of this module.
Return code
void
--
Functional Description
This service returns the version information of this module. The version information includes:
>  Module ID
>  Vendor ID
>  Instance ID
>  Vendor specific version numbers.
Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
0). The function does not perform any action in case of a failure.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is available, depending on pre-compile configuration checkbox 'Enable
Fee_GetVersionInfo API' which is configured within the configuration tool.
Expected Caller Context
>  Expected to be called in application context.
Table 4-12   Fee_GetVersionInfo
4.3.11  Fee_EraseImmediateBlock
Prototype
Std_ReturnType Fee_EraseImmediateBlock(uint16 BlockNumber)
Parameter
BlockNumber
Number of the block (depending on block configuration).
Return code
E_OK
Erase job has been accepted.
E_NOT_OK
Erase job has not been accepted.
2015, Vector Informatik GmbH
Version: 8.01.00
51 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Functional Description
This function doesn’t erase flash memory.
The addressed block is marked as invalid, thus a subsequent read request on the invalidated block
completes with MEMIF_BLOCK_INVALID.

Info
The job processing is asynchronous. The result of the finished job can be polled by
  calling Fee_GetJobResult().

Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).
Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is always available.
>  This service shall only be called by e.g. diagnostic or similar system service to pre-erase the
area for immediate data if necessary.
Expected Caller Context
>  Expected to be called in application context.
Table 4-13   Fee_EraseImmediateBlock
4.3.12  Fee_MainFunction
Prototype
void Fee_MainFunction(void)
Parameter
--
--
Return code
void
--
Functional Description
This service triggers the processing of the internal state machine and handles the asynchronous job and
management operations.
The complete handling of the job and the detection of invalidated or inconsistent blocks will be done in the
internal job state machine.
Additionally, if development mode is configured, checks are done and in case of failure they are reported to
the DET by default with the according service ID and the reason of occurrence (refer to chapter 2.6.1).
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
2015, Vector Informatik GmbH
Version: 8.01.00
52 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

>  Expected to be called in application context.
Table 4-14   Fee_MainFunction
4.3.13  Fee_GetEraseCycle
Prototype
Std_ReturnType Fee_GetEraseCycle(
  uint8 SectorNumber,
  uint32 *DataPtr
)
Parameter
SectorNumber
Identifies partition and logical sector whose erase cycle counter shall be
retrieved:
The least significant bit chooses the sector (0 or 1, meaning lower sector or
upper sector, respectively); higher bits identify the partition. Partitions’
symbolic names may be used, but values must be adapted (doubled).
DataPtr
Pointer to data buffer.
Return code
E_OK
Job has been accepted.
E_NOT_OK
Job has not been accepted.
Functional Description
This service retrieves the erase cycle counter of the specified logical sector in the provided buffer. The user
can determine how often the specific sector has been erased.

Info
This API service is not used by the NVM. It is just a feature to retrieve the number of
  erase cycle of a specific logical sector.

Info
The job processing is asynchronous. The result of the finished job can be polled by
  calling Fee_GetJobResult().

Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).

Info
This is an addition to AUTOSAR.

2015, Vector Informatik GmbH
Version: 8.01.00
53 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is available, depending on pre-compile configuration checkbox 'Enable
Fee_GetEraseCycle API' which is configured within the configuration tool.
Expected Caller Context
>  Expected to be called in application context.
Table 4-15   Fee_GetEraseCycle
4.3.14  Fee_GetWriteCycle
Prototype
Std_ReturnType Fee_GetWriteCycle
(
  uint16 BlockNumber,
  uint32 *DataPtr
)
Parameter
BlockNumber
Number of the block, provided by the FEE.
DataPtr
Pointer to data buffer.
Return code
E_OK
Job has been accepted.
E_NOT_OK
Job has not been accepted.
Functional Description
This service retrieves the write cycle counter of a specified block and saves in the provided buffer.

Info
This API service is not used by the NVM. It is just a feature to retrieve the number of
  write cycles of a specific block.

Info
The job processing is asynchronous. The result of the finished job can be polled by calling
  Fee_GetJobResult().

Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).

Info
This is an addition to AUTOSAR.

2015, Vector Informatik GmbH
Version: 8.01.00
54 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is available, depending on pre-compile configuration checkbox 'Enable
Fee_GetWriteCycle API' which is configured within the configuration tool.
Expected Caller Context
>  Expected to be called in application context.
Table 4-16   Fee_GetWriteCycle
4.3.15  Fee_GetSectorSwitchStatus
Prototype
Fee_SectorSwitchStatusType Fee_GetSectorSwitchStatus(void)
Parameter
--
--
Return code
Fee_SectorSwitchStatusType see chapter 4.2.1
Functional Description
This function returns the current status of the sector switch. See chapter 4.2.1 for the specific return values.
For more information about the sector switch see chapter 2.7.

Info
This service determines FEE’s current sector switch processing state.
  Necessity of a sector switch does not imply this service to return a value different
FEE_SECTOR_SWITCH_IDLE. For example, FEE will also report
FEE_SECTOR_SWITCH_IDLE when copying a block completed, until it starts the next
one.

Info
This is an addition to AUTOSAR.

Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  Expected to be called in application context.
Table 4-17   Fee_GetSectorSwitchStatus
2015, Vector Informatik GmbH
Version: 8.01.00
55 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

4.3.16  Fee_ForceSectorSwitch
Prototype
Std_ReturnType Fee_ForceSectorSwitch(void)
Parameter
--
--
Return code
E_OK
Job has been accepted.
E_NOT_OK
Job has not been accepted.
Functional Description
This service forces a sector switch to be performed on all configured partitions in “Foreground Mode”, i.e.
the FEE will defer next incoming job until switch has been completed.
Purpose of this API is to compact partitions’ flash usages to one logical sector each.

Caution
Fee must be initialized and idle before calling Fee_ForceSectorSwitch().

Note
This API service is not used by the NVM.

Note
The processing state can be queried using Fee_GetStatus. It switches to
  MEMIF_IDLE once all partitions have been processed.

Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).

Note
This service is an addition to AUTOSAR.

Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is available, depending on pre-compile configuration checkbox 'Enable
Fee_ForceSectorSwitch API' which is configured within the configuration tool.
Expected Caller Context
>  Expected to be called in application context.
Table 4-18   Fee_ForceSectorSwitch
2015, Vector Informatik GmbH
Version: 8.01.00
56 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

4.3.17  Fee_ConvertBlockConfig
Prototype
Std_ReturnType Fee_ConvertBlockConfig
(
  const Fee_ConversionOptionsType* options
)
Parameter
Options
Pointer to structure of type Fee_ConversionOptionsType, containing the
pointer to the user buffer and to the callback to be invoked for each block:

userBuffer
Pointer to user buffer to hold block data. Note that the
area pointed to must be large enough to hold largest
possible block’s (across all configurations) data.
notificationPtr
Pointer to callback function.
Return code
E_OK
Job has been accepted.
E_NOT_OK
Job has not been accepted.
2015, Vector Informatik GmbH
Version: 8.01.00
57 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Functional Description
This service requests conversion of block configuration, as described in 2.7.5.
FEE uses the buffer passed in options->userBuffer to read block data from data flash and to pass
them to the user callback options->notificationPtr for each block it finds in data flash (having a
VALID instance).

Caution
Fee must have been initialized and it must be idle before calling
  Fee_ConvertBlockConfig().
Additionally, the upper SW layers (NvM) shall be stalled, i.e. it must be prevented
from issuing requests to the FEE.

Basic Knowledge
Block conversion affects all partitions, i.e. FEE will iterate over all partitions. Don’t
  expect any specific order; decisions should be based on parameters passed to “Data
Conversion Callback” (chapter 4.3.17).

Info
This API service is not used by the NVM.

Info
Job completion may be polled by calling Fee_GetStatus(); Job result may be
  determined using Fee_GetJobResult().

Additionally, if development mode is configured, parameter checks are done and in case of failure they are
reported to the DET by default with the according service ID and the reason of occurrence (refer to chapter
2.6.1).

Info
This service is an addition to AUTOSAR.

Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is available, depending on pre-compile configuration checkbox 'Enable
Fee_ConvertDataBlocks API' which is configured within the configuration tool.
Expected Caller Context
2015, Vector Informatik GmbH
Version: 8.01.00
58 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

>  Expected to be called in application context.
Table 4-19   Fee_ConvertBlockConfig
4.3.18  Fee_SuspendWrites
Prototype
void Fee_SuspendWrites(void)
Parameter
-
-
Return code
void
--
Functional Description
This service instructs Fee to block all write class jobs (writing, invalidating and erasing a block).
Pending jobs will be blocked, i.e. they won’t be finished. Next Fee_MainFunction calls cause FEE to enter a
safe state (by means of Flash content). Once such state was reached, FEE does not issue new write
requests to Fls.
Multiple subsequent calls to this service don’t have additional effects, i.e. to re-enable write accesses only
one call to Fee_ResumeWrites is necessary.

Info
As long as write class jobs are suspended no sector switch will be executed!

For more information, refer to chapter 2.10.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  May be called at interrupt level.
Table 4-20   Fee_SuspendWrites
4.3.19  Fee_ResumeWrites
Prototype
void Fee_ResumeWrites(void)
Parameter
-
-
Return code
void
--
2015, Vector Informatik GmbH
Version: 8.01.00
59 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Functional Description
This service instructs Fee to allow all write class jobs (writing, invalidating and erasing a block), including
sector switch processing, again which have been suspended using Fee_SuspendWrites().
Multiple calls to this service enable write processing once, i.e. to disable it again there is still one call to
Fee_SuspendWrites necessary.
For more information, refer to chapter 2.10.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  May be called at interrupt level.
Table 4-21   Fee_ResumeWrites
4.3.20  Fee_DisableFss
Prototype
void Fee_DisableFss(void)
Parameter
-
-
Return code
Void
-
Functional Description
This function disables execution of foreground sector switch when threshold is reached. A typical situation
using this function is start of engine.

Info
When foreground sector switch threshold is reached and a write class job (writing,
  erasing or invalidating a block) shall be processed, this job ends with result
MEMIF_JOB_FAILED.

For more information, refer to chapter 2.10.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  Availability depends on setting of “Enable API to allow/prohibit FSS” (see ch. 5.1.7.1)
Expected Caller Context
>  Expected to be called in application context.
Table 4-22   Fee_DisableFss
2015, Vector Informatik GmbH
Version: 8.01.00
60 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

4.3.21  Fee_EnableFss
Prototype
void Fee_EnableFss(void)
Parameter
-
-
Return code
void
-
Functional Description
This function enables execution of foreground sector switch when threshold is reached.
For more information, refer to chapter 2.10.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  Availability depends on setting of “Enable API to allow/prohibit FSS” (see ch. 5.1.7.1)
Expected Caller Context
>  Expected to be called in application context.
Table 4-23   Fee_EnableFss
4.4
Services used by FEE
In the following table services provided by other components, which are used by the FEE
are  listed.  For details about  prototype and functionality refer to the documentation of  the
providing component.
Component
API
DET
Det_ReportError (optionally)
FLS
Fls_Read
Fls_Write
Fls_Erase
Fls_GetStatus (if polling mode deactivated)
Fls_GetJobResult (if polling mode deactivated)
Fls_SetMode
Fls_Cancel
NVM
NvM_JobEndNotification (optionally)
NvM_JobErrorNotification (optionally)
OS
Interrupt locking/unlocking functions (optionally)
2015, Vector Informatik GmbH
Version: 8.01.00
61 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Table 4-24 Services used by the FEE
4.4.1
Data Conversion Callback
This user-implemented callback is related to the Feature “Data Conversion” (refer to
2.7.5); a pointer to such a function shall be passed to Fee_ConvertBlockConfig (see
4.3.17).
Prototype
Single Channel
uint8 <Function_Name>
(
 uint8* userBuffer,
 uint32 blockId,
 uint16 oldLength,
 uint16 newLength
)
Parameter
userBuffer
Pointer to user data buffer, containing block’s most recent data read from

flash. Content may be modified. Points to the userBuffer originally passed to
Fee_ConvertBlockConfig
blockId
Unique 28bit block identifier, consisting of 4bit Partition Index (bits 27:24) 16bit

“Block Tag” (bits 23..16) and 8bit data index (bits 7..0)1
oldLength
Old data length, as found in flash; the user buffer will contain exactly

oldLength data bytes
newLength
New data length as given in current configuration, the FEE has been initialized

with.
Return code
FEE_CONVERSION_WRITE Instruct the FEE to keep data (user buffer’s content) according to old length.
_OLD_LENGTH
Data to be written will not be readable using the Fee_Read (if the both lengths
actually differ), but they will be kept in flash, after
Fee_ConvertBlockConfig processing completes.
It is useful if several subsequent runs of Fee_ConvertBlockConfig are
necessary to perform update with multiple stages.
FEE_CONVERSION_WRITE Instruct the FEE to write data (user buffer’s content) according to new length.
_NEW_LENGTH
FEE_CONVERSION_SKIP Instruct the FEE to skip this block. It will write nothing. Block data will actually
get lost when Fee_ConvertBlockConfig processing completes.
Functional Description

This callback has to be implemented by user. It should synchronously perform any action that is necessary
to convert block data from old format to new format (e.g. lengths).
Particularities and Limitations
> Since the FEE is busy with Fee_ConvertBlockConfig processing, it is not allowed to issue any
other request to it.

1 Bit 0 is defined to be the least significant bit, regardless of used platform.
2015, Vector Informatik GmbH
Version: 8.01.00
62 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Call context
>  Called from context of Fee_MainFunction
Table 4-25   User defined conversion callback
4.5
Callback Functions
This chapter describes the callback functions that are implemented by the FEE and can be
invoked  by  other  modules.  The  prototypes  of  the  callback  functions  are  provided  in  the
header file Fee_Cbk.h by the FEE.
4.5.1
Fee_JobEndNotification
Prototype
void Fee_JobEndNotification(void)
Parameter
--
--
Return code
void
--
Functional Description
This routine shall be called by the underlying flash driver to report the successful end of an asynchronous
operation.

Info
This function is configurable at pre-compile time using the parameter
  FEE_POLLING_MODE.

Additionally, if development mode is configured, checks are done and in case of failure they are reported to
the DET by default with the according service ID and the reason of occurrence (refer to chapter 0).
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  This routine might be called on interrupt level, depending on the calling function.
Table 4-26   Fee_JobEndNotification
4.5.2
Fee_JobErrorNotification
Prototype
void Fee_JobErrorNotification(void)
Parameter
--
--
2015, Vector Informatik GmbH
Version: 8.01.00
63 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Return code
void
--
Functional Description
This routine shall be called by the underlying flash driver to report the failure of an asynchronous operation.

Info
This function is configurable at pre-compile time using the parameter
  FEE_POLLING_MODE.

Additionally, if development mode is configured, checks are done and in case of failure they are reported to
the DET by default with the according service ID and the reason of occurrence (refer to chapter 0).
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  This routine might be called on interrupt level, depending on the calling function.
Table 4-27   Fee_JobErrorNotification
4.6
Configurable Interfaces
API
Description
Function Fee_GetVersionInfo()
This function can be enabled/disabled by the configuration
switch ‘Enable Fee_GetVersionInfo API’. Refer to chapter
5.1.7.
Function Fee_GetEraseCycle()
This function can be enabled/disabled by the configuration
switch ‘Enable Fee_GetEraseCycle API’. Refer to chapter
5.1.7.
Function Fee_GetWriteCycle()
This function can be enabled/disabled by the configuration
switch ‘Enable Fee_GetWriteCycle API’. Refer to chapter
5.1.7.
Function Fee_ForceSectorSwitch()
This function can be enabled/disabled by the configuration
switch ‘Enable Fee_ForceSectorSwitch API’. Refer to
chapter 5.1.7.
Functions
The functions can be enabled/disabled by the configuration
Fee_JobEndNotification()
switch ‘Poll Flash driver’. Refer to chapter 5.1.6.2.
Fee_JobErrorNotification()
Functions
The functions can be enabled/disabled by the configuration
Fee_EnableFss()
switch ‘Enable API to allow/prohibit FSS’. Refer to chapter
Fee_DisableFss()
5.1.7.

Function Fee_ConvertBlockConfig()  The functions can be enabled/disabled by the configuration
switch ‘Enable Data Conversion API’. Refer to chapter 5.1.7.
Table 4-28   Configurable interfaces
2015, Vector Informatik GmbH
Version: 8.01.00
64 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

5  Configuration
FEE can be configured using following tools:
>  DaVinci Configurator 5, domain “Memory” (AUTOSAR 4 packages only).
Parameters are explained within the tool; parameters described in this chapter might
not   directly correspond to parameters visible in Configurator 5’s GUI.
>  DaVinci Configurator 4 (AUTOSAR 3 packages only; for a detailed description see this
chapter)
>  Using a generic configuration editor (GCE)
5.1
Configuration with DaVinci Configurator
5.1.1
Start configuration of the FEE
The component name of the Flash-EEPROM-Emulation in DaVinci Configurator is “FEE”.
In the “Architecture view” (initial page) of the DaVinci Configurator, the FEE can be opened
by  its  context  menu  to  start  its  configuration.  Optionally,  the  FEE  can  be  opened  for
configuration with the component list under the “Memory” tab located at the left side of the
DaVinci Configurator.
5.1.2
Useful Chunk-Sizes (instance counts)
Carefully  chosen  chunk-sizes  may  significantly  improve  FEE’s  performance  as  well  as
robustness.

Note
Chunk sizes’ effects are basically local to a single partition, i.e. a partition’s
  performance and robustness is affected. Another partition might be affected indirectly
by sector switch processing (which is not immediately interruptible).
Therefore, when changing a block’s settings, other blocks in same partition must be
considered.

Though it is not necessary (usually it is not even possible) to estimate optimum chunk-
sizes, they should be configured to reasonable values. Therefore their effects are
summarized first:
Basically a block’s instance count depends on the estimated number of write cycles,
relative to other blocks’ write cycles, as well as on its size, in relation to logical sector size.
A “(too) small” / “(too) large” chunk is meant to be related with “write cycle” and/or “block’s
size”.

Small chunks:
>  In general small chunks are suited for large and/or infrequently written blocks.
Allocating a small chunk results in less flash-space being reserved for related block
(instances).
2015, Vector Informatik GmbH
Version: 8.01.00
65 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

>  Smaller chunks result in less space wasted by aborts (resets), and more retries being
possible in a sector in case of resets.
>  They result in more overhead in flash. This becomes significant with small blocks (little
payload), large page size, and number of write cycles.
>  Decreased efficiency of flash usage, i.e. more erase cycles over life-time
>  Result in increased average search efforts. Since FEE does not hold position
information in RAM (neither Look-up tables, nor any caching mechanisms), searching
must be done for each asynchronous block operation. Since one block’s chunks
(within one logical sector) build up a linked list; this list becomes longer. Each list node
(chunk) requires one additional flash request, requiring additional Fee_MainFunction
and Fls_MainFunction cycles.

Large chunks:
>  Frequently written, small blocks usually benefit from larger chunks.
>  Overhead in flash is reduced
>  Decreased average search efforts, for two reasons:
>  Skipping an obsolete chunk means skipping more obsolete instances; the linked list
becomes shorter.
>  Searching within a chunk is implemented to have logarithmic effort.
>  Allocating a large chunk results in more flash space (for more instances) being
reserved. If chunk is too large, it would never be used, because writing other blocks
already caused a sector switch.
>  Increased flash usage also may increase vulnerability to aborts, because space for
other blocks shrinks. Usually each block requires at least one chunk per logical sector
(to hold at least data copied during sector switch).

The larger a block’s payload is, the smaller the instance count should be. It becomes less
and less possible that such a chunk could be too small, because there is an absolute
upper limit, how often a chunk fits into logical sector.

It is highly not recommended to try “optimizing” a block configuration in order to get only
one chunk per block, resulting in nearly completely filled logical sector. Rather the chunk
sizes should be set in a way that some reserve remains to be used dynamically. It is
advisable to use approximately 50% of smaller logical sector. However it is more important
to keep enough space to write even the largest blocks several times (regardless of actual
write cycles  due to aborts). On the other hand reserves might also be lower, if a
partition will be written (very) infrequently, and if written to, the situation is known to be
stable (very low risk of aborted writes).

Based  on  estimated  number  of  write  cycles,  it  is  sufficient  to  care  about  chunk  sizes  of
most  frequently  written  blocks  only  (additionally  considering  their  sizes).  In  typical
2015, Vector Informatik GmbH
Version: 8.01.00
66 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

configurations  the  write  cycles  differ  by  magnitudes  (1  …  1’000’000)  –  only  the  largest
ones  (e.g.  more  than  100’000  cycles,  then  more  than  10’000  cycles)  need  to  be
considered. Blocks being written less than one hundredth of most frequently written one,
may usually be considered to be constant; their instance count should be 1. If one or more
large  blocks  are  frequently  written,  check  their  maximum  possible  number  writes  per
sector. This can be used as threshold to consider blocks being constant.

5.1.3
Update of block configuration
It  is  possible  to  update  the  block  configuration  (size,  datasets,...)  of  each  block.  Every
block  which  should  be  readable  after  the  block  configuration  update  must  get  the  same
BlockID  as  before  (preconditioned  that  the  size  of  this  block  has  not  changed).  The
BlockID could be set manually if the “BlockID fixed” is checked.

Note
It is not possible to “move” a block from one partition to another with an update, while
  keeping its data.

After flashing the new block configuration it is possible, but not actually necessary, to use
Fee_ForceSectorSwitch() in order to clean up flash contents, causing flash layout to
be  prepared.  In  order  to  perform  a  complete  update  of  flash  layout  –  i.e.  to  clean  up  /
update  all  logical  sectors,  across  all  partitions  –,  a  second  subsequent  run  of
Fee_ForceSectorSwitch()may be used .
Writing
updated
blocks
will
be
possible
independent
of
usage
of
Fee_ForceSectorSwitch().
5.1.4
FEE Configuration tab
Attribute
Value
Values
Description
Name
Type
The default value
is written in bold
Block Configuration
FBL
--
ON
This checkbox must be checked, if the current block configuration
Configuration
OFF
is the flash boot loader configuration. Otherwise it must not be

checked.
Insert Block
--
--
This button inserts a FEE block into the table. This is only
necessary if additional blocks are needed. All NVM blocks are
inserted automatically.
Delete Block  --
--
This button deletes the selected block from the table. Only blocks
which where inserted with the "Insert Block" button should be
deleted with this button. NVM blocks should be deleted in the
NVM configuration. They are deleted automatically in the FEE
block table.
Move Up
--
--
This button moves a selected block one row above. The order of
the block in the table influences the physical default position
within the Flash.
2015, Vector Informatik GmbH
Version: 8.01.00
67 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Attribute
Value
Values
Description
Name
Type
The default value
is written in bold
Move Down
--
--
This button moves a selected block in the table one row below.
The order of the block in the table influences the physical default
position within the Flash.
Calculate
--
--
This button calculates the FEE block numbers, as well as
BlockIDs, unless set to “fixed”.

Caution
This button must be pressed before generation
  process is started.

BlockID
uint16
no default
The BlockID will be set automatically by clicking the “Calculate”-
0...65535
button. The BlockID could also be set manually (see BlockID

fixed).
The BlockID must be unique within a partition, i.e. amongst  all
blocks assigned to same partition.
In order to save flash space it is recommended to start
numbering with 0 for each partition.

Caution
If the block configuration shall be updated, each
  block which should be readable after the block
configuration update must get the same
BlockID as before.

NVM
--
--
This field shows the name of the corresponding NVM block
Blockname
entered within the NVM and is forwarded to the FEE.
For user added blocks (within the FEE) this field is empty.

Info
The NVM Blockname can not be modified at all. It
  provides the information to the user to associate the
FEE block configuration to the corresponding NVM
block.

2015, Vector Informatik GmbH
Version: 8.01.00
68 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Attribute
Value
Values
Description
Name
Type
The default value
is written in bold
Fee
C-
Valid C
This field shows the name of the configured FEE block.
Blockname
identifier identifier,
In the AUTOSAR ECUC file, it becomes the name of the Block
default:
Configuration container.
Fee_User

Block<n>
Info
As required by AUTOSAR, the linkage between
 block name and its numeric handle (“Block
Num”) will be generated. Depending on global
tool settings, the prefix “Fee_” will be added, or
omitted.

Block Num
uint16
2…65534, no The even number of the FEE block.
default
These not modifiable values will be calculated by pressing the
button "Calculate". The dataset selection bits are used to
calculate the block number.

Caution
The BlockNum should not be used directly. Instead
 use the symbolic block names, defined in Fee_Cfg.h
(see chapter 3.1.2).

Datasets
--
1
This field determines the number of datasets configured for a
1…255
dedicated block.

Info
The number of datasets can not be modified if the
 block is configured within and forwarded from the
NVM. If the block is created within the FEE, the
datasets can be adjusted for corresponding block.

Size
uint16
1
The natural size (in bytes) of the block (payload).
1…65535

Info
The size can not be modified if the block is
 configured within and forwarded from the NVM,
because these blocks provide their size on their own.

2015, Vector Informatik GmbH
Version: 8.01.00
69 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Attribute
Value
Values
Description
Name
Type
The default value
is written in bold
Chunk block  --
1, 3, 7,
This field determines the number of blocks which can be stored
count
15, 31, 63,
within one block chunk. For blocks which are written often the

127, 255, 511,  number should be larger and vice versa.
1023, 2047,

4095, 8191,
Caution
16383, 32767
This value must always be adjusted within the FEE
  and is never forwarded from the upper layer,
because this value is responsible to abstract
hardware constraints to the upper layer.

Partition
Ref.
--
Reference to a defined partition container.
Write Cycles  --
1…
The estimated/desired number of write cycles which are required
10000
for the block. According to this value, the number of blocks within

a chunk shall be influenced, but which is not done automatically
...10000000
and is left to the user.

Info
Currently, the adjustment of this value has no effect.
  Instead the number of blocks within a chunk (Chunk
block count) influences the distribution of the
data/blocks on the Flash memory.

High Prio
--
ON
This field denotes that the block contains high priority data. If it is
OFF
'ON' the block/dataset can be erased and contains high priority

data. If it is 'OFF' the block/dataset cannot be erased and
contains "normal" data.
For example, high priority data can be supposed as crash data.

Info
The marker for high priority data can not be modified
  if the block is configured within and forwarded from
the NVM. If the block is created within the FEE, the
datasets can be adjusted for corresponding block.

Caution
A block can only be erased by the API function
  Fee_EraseImmediateBlock() if the
appropriate block is set to contain high priority data.

Critical Data  --
ON
Marks a block to be critical, i.e. essential, for ECU operation.
OFF
Refer to chapter 2.11.
BlockID fixed  --
ON
This checkbox must be checked, to be able to set the BlockID
OFF
manually.

2015, Vector Informatik GmbH
Version: 8.01.00
70 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Table 5-1   Fee configuration
5.1.5
General Settings tab
5.1.5.1
Error Detection – Development Mode
Attribute
Value
Values
Description
Name
Type
The default
value is written
in bold
Check
--
ON
Preprocessor switch for enabling/disabling checking the block
Parameter Block
OFF
number, whether it is in allowed range.

Number
Affected API functions:
>  Fee_Read()
>  Fee_Write()
>  Fee_InvalidateBlock()
>  Fee_EraseImmediateBlock()
>  Fee_GetWriteCycle()
Enable
--
ON
Preprocessor switch to enable/disable development error
Development
OFF
detection and reporting.

Error Detection
It is the main switch over following items:
>  Check Uninitialized Module
>  Check Parameter (except parameter Block Number)
>  Errorhook
>  Include File
In production mode, this switch should be disabled to save
ROM/RAM and to speed up the module.
Check
--
ON
Preprocessor switch to enable/disable the check of an
Uninitialized
OFF
initialized module before any API service of the FEE (expect

Module
Fee_Init() and Fee_GetVersionInfo()) is used.
Check Busy
--
ON
If this check is enabled, it will be checked if an asynchronous
Module
OFF
job is currently running and another shall be started.

Check
--
ON
If this check is activated, it will be checked if a block is
Immediate Data
OFF
configured to hold high priority data and shall be erased via

the service Fee_EraseImmediateBlock.
Check
--
ON
Preprocessor switch for enabling/disabling parameter
Parameter
OFF
checking of API services at all.

It is the main switch over following items:
>  Check Parameter Block Number
>  Check Sector Number
>  Check Parameter Length and Offset
>  Check Parameter DataBufferPtr for Null Pointer
>  Check Parameter Mode
2015, Vector Informatik GmbH
Version: 8.01.00
71 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Attribute
Value
Values
Description
Name
Type
The default
value is written
in bold
Check
--
ON
Preprocessor switch for enabling/disabling checking the sector
Parameter
OFF
number, whether it is in allowed range.

Sector Number
Affected API function:
>  Fee_GetEraseCycle()
Check
--
ON
Preprocessor switch for enabling/disabling checking the length
Parameter
OFF
and offset values, whether they are in allowed range.

Length and
Affected API function:
Offset
>  Fee_Read()
Check
--
ON
Preprocessor switch for enabling/disabling checking, whether
Parameter for
OFF
the pointer parameter are different from a null pointer.

Null Pointer
Affected API functions:
>  Fee_Read()
>  Fee_Write()
>  Fee_GetEraseCycle()
>  Fee_GetWriteCycle()
>  Fee_GetVersionInfo()
Check
--
ON
Preprocessor switch for enabling/disabling checking the mode
Parameter Mode
OFF
values, whether it is in allowed range.

>  Fee_SetMode()
Development
--
ON
Preprocessor switch for enabling/disabling the Development
Error Reporting
OFF
Error Reporting.

Errorhook
C-function  Valid C-
Specifies the function that shall be called if a development
identifier
function
error has occurred.
identifier,
(see chapter 2.6.3 for function signature)
default:
Det_ Report
Error
Include File
header
Valid header  Specifies the file that shall be included if development error
file
file, default:
reporting shall be used. The API used by the FEE must be
Det.h
specified within this file.

Table 5-2   Error Detection – Development Mode
5.1.5.2
Area “Error Callback”
Attribute  Value
Values
Description
Name
Type
The default value is written
in bold
Use Error
--
ON,
Defines whether the Error Callback notification mechanism
Callback
shall be used to inform the application about a serious

OFF
condition the Fee had detected.

2015, Vector Informatik GmbH
Version: 8.01.00
72 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Attribute  Value
Values
Description
Name
Type
The default value is written
in bold
Callback
C-function  Valid C-function
Defines the function of the application that will be called if
Function
identifier
identifier, default:
a critical condition has been entered by the Fee. It is
Appl_CriticalError
expected, that the application is responsible to react on

Callback
this situation according to the parameter value which has

been passed.
Refer to chapter 3.3.5.3
Include File  header file  Valid header file,
Defines the header file containing the Error Callback
default:
function.
Appl_Include.h
Table 5-3   Error Callback
5.1.5.3
Area Buffer
Attribute
Value
Values
Description
Name
Type
The default value is
written in bold
Internal
uint16
64, 128, 256,
Size of internal buffer to be used for instance allocation during
Buffer Size
512, 1024
write job processing and for instance copy during sector switch.

Must be an integral power of two.

Must be larger than largest “Write Alignment” setting.

Info
The number of Fls_Read – Fls_Write request
  pairs necessary to copy a whole block
depends on its size and Internal Buffer size.

5.1.5.4
Area “Upper Layer”
Following  controls  are  visible  only,  if  an  NvM  is  enabled  (part  of  configuration)  and  its
parameter "Use Polling Mode" (NvmPollingMode) is unchecked (set to False). A hint about
NVM’s current polling mode setting (including availability at all) will be additionally shown.
FEE should be used in polling mode, if NVM is disabled.
Attribute
Value
Values
Description
Name
Type
The default value is written
in bold
Job End
C-function
Valid C-function
The name of the job end callback function shall be
Notification
identifier
identifier, default:
inserted to this field.
NvM_JobEnd
It is called to report to the upper layer that the job
Notification
processing was finished successfully.
Usually this function is provided by the NVM.

Job Error
C-function
Valid C-function
The name of the job error callback function shall be
Notification
identifier
identifier, default:
inserted to this field.
2015, Vector Informatik GmbH
Version: 8.01.00
73 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Attribute
Value
Values
Description
Name
Type
The default value is written
in bold
NvM_JobError
It is called to report to the upper layer that the job
Notification
processing was finished with failure. Usually this
function is provided by the NVM.
Include File for  header file
Valid header file,
In this field it can be inserted the name of the include
Callbacks
default:
file that holds the callback declarations of the upper
NvM_Cbk.h
layer.

Table 5-4   Upper Layer
5.1.5.5
Area “Critical Section Handling”

Changes
Fee 8.xx.xx only supports Critical Section services provided by an AUTOSAR Basic
  Software Scheduler (SchM). It ignores manual settings made, if “Use BSW Scheduler
(SchM)” was disabled in “Board Setting / OS Sevices”

Attribute
Value
Values
Description
Name
Type
The default value is
written in bold
Short-Lasting
--
Use Suspend
Defines the function set that will be called when short-
Actions
Functions
lasting critical sections are entered or left. Refer to
UseOS Functions
chapter 3.5.

UseEnable

Functions
Long-Lasting
--
Use Suspend
Defines the function set that will be called when long-
Actions
Functions
lasting critical sections are entered or left. Long-lasting
UseOS Functions
actions are Fee_MainFunction as a whole. Refer to

chapter 3.5.
UseEnable
Functions

Table 5-5   Critical Section Services

Note
Both dropdown lists are invisible, if the BSW Scheduler is enabled within the OS configuration
  tab of the ECU configuration.

5.1.6
Partitions
The left panel of partitions shows a tree-like overview of currently configured partitions. In
this panel partitions can be added, deleted and renamed, as well.
2015, Vector Informatik GmbH
Version: 8.01.00
74 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Attribute
Value  Values
Description
Name
Type  The default value is
written in bold
Partition
Ref.
--
Choose a flash configuration.
Device
All partitions in one single flash device must refer to the same
Flash Configuration (of type
/AUTOSAR/Fls/FlsConfigSet)
Currently, FEE is restricted to use one Flash Driver only, i.e. all
partitions must point the same configuration.
Lower Sector  --
--
In this combo box the start address of the lower logical sector
Start Address
shall be selected. The values of the list are just typical values.
A custom value may be entered; it must adhere to the “Fls
address alignment” (see below).
Lower Sector  --
1024
Choose lower logical sector’s size in bytes. The combo box
Size
suggests some typical values; a custom size may be entered.
The size must also adhere to “Fls address alignment” (see
below).
Upper Sector  --
--
In this combo box the start address of the upper logical sector
Start Address
shall be selected. The values of the list are suggestions,
derived from the chosen Fls driver (which depends on the
used controller). A custom value may be entered; it must
adhere to the “Fls address alignment” (see below).
The upper sector’s start address must be located in a distinct
physical sector, with higher address, than the last address of
the lower sector.
Upper Sector  --
1024
Choose upper logical sector’s size in bytes. The combo box
Size
suggests some typical values; a custom size may be entered.
The size must also adhere to “Fls address alignment” (see
below).
Fls address
--
8,
In this drop down list the virtual page size in bytes will be set.
alignment
64, 128, 256, 512,
This must be a power of two and be equal to or larger than the
1024
“Flash page size for write jobs”. This value will be used to

check logical sectors’ alignment, to align of block instances as
well as Fee management information.
Fls Page
--
8,
In this drop down list the Fls page size for write jobs in bytes
Size for write
64, 128, 256, 512,
will be set. This must be an integral multiple of the hardware
jobs
1024
specific flash page size. This value will be used for the write

alignment, instead of the Fls page size of the hardware.
Table 5-6   Lower Layer

2015, Vector Informatik GmbH
Version: 8.01.00
75 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

5.1.6.1
Area “Management”
Attribute
Value
Values
Description
Name
Type
The default value is
written in bold
Background
uint32
--
If there is less free space by writing data continuously to the
Reserve
Fee, the sector switch in background mode will be started.

Info
See chapter 2.7 for more details.

Foreground
uint32
--
If there is less free space by writing data continuously to the
Reserve
Fee, the sector switch in foreground mode will be started.

Info
See chapter 2.7 for more details.

Table 5-7   sector switch reserve
5.1.6.2
Area “Lower Layer”
This panel is independent from partitions; its setting has global meaning.
Attribute
Value  Values
Description
Name
Type  The default value is
written in bold
Poll Flash
--
ON
Enables/disables polling of the underlying Flash driver.
Driver
OFF
If polling is disabled, make sure, that the callbacks
Fee_JobEndNotification() and
Fee_JobErrorNotification(), respectively, have been
configured in the Flash driver.

Info
If polling is enabled the callback functions are not
  available, because there is no needed to. An
additional hint will be visible in that case.

Table 5-8   Lower Layer

2015, Vector Informatik GmbH
Version: 8.01.00
76 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

5.1.7
Module API tab
5.1.7.1
API Configuration
Attribute Name
Value  Values
Description
Type  The default
value is
written in
bold
Enable
--
ON
Preprocessor switch to enable/disable the existence of the
Fee_GetVersionInfo API
OFF
API service

Fee_GetVersionInfo().

Info
If this checkbox is switched off, the
  corresponding parameter check ("Check
Parameter VersionInfo") within the "General
Settings" tab is deselected and disabled.

Enable
--
ON
Preprocessor switch to enable/disable the existence of the
Fee_GetEraseCycle API
OFF
API service

Fee_GetEraseCycle().

Info
If this checkbox is switched off, the
  corresponding parameter check ("Check
Parameter Sector Number") within the
"General Settings" tab is deselected and
disabled.

Enable
--
ON
Preprocessor switch to enable/disable the existence of the
Fee_GetWriteCycle API
OFF
API service Fee_GetWriteCycle().
Enable
--
ON
Preprocessor switch to enable/disable the existence of the
Fee_ForceSectorSwitch
OFF
API service

Fee_ForceSectorSwitch().
API
Enable Data Conversion  --
ON
Preprocessor switch to enable/disable the existence of
API
OFF
Fee_ConvertDataBlocks.

Info
If this feature was disabled at delivery time,
  this switch is still available, but it is disabled.
It cannot be used to enable the feature “Data
Conversion”.

Enable API to
--
ON
Preprocessor switch to enable/disable function set
allow/prohibit FSS
OFF
Fee_EnableFss()/Fee_DisableFss()
Refer to chapter 2.10.
Table 5-9   API Configuration

2015, Vector Informatik GmbH
Version: 8.01.00
77 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

5.1.7.2
Provided API
Attribute
Value
Values
Description
Name
Type
The default value is
written in bold
Provided API  --
--
This group shows the API services which are currently
provided by the FEE depending on its configuration.
Table 5-10   Provided API
5.2
Configuration Parameters only visible in GCE
There  are  parameters  that  cannot  be  configured  using  the  comfort  view  of  DaVinci
Configurator.  These  parameters  should  only  be  modified,  if  really  necessary,  and  if  the
user knows about their effects. These parameters’ default values are usable in very most
cases.
To  meet  platform  specific  requirements  and/or  restrictions,  they  may  also  be  pre-
configured during integration/delivery, i.e. they might not be changeable at all.
Attribute Name
Value  Values
Description
Type
The default
value is
written in
bold
FeeMaxLinkTableSize
Integer  0 … 4095  Defines the maximum size of the Link Table. The link table
(Maximum Number of
itself improves performance of FEE, but it reduces space
LinkTable Entries)
available for user data. Thus it might be desirable to limit its

size. Especially on devices with very limited flash space
and/or considerably large pages (e.g. TriCore TC179x) the
performance penalty resulting from reducing the link table
size (or disabling it completely, i.e. by setting size to 0),
would be feasible.
Table 5-11   Parameters only visible in GCE view.
5.2.1
Fls API deviating from AUTOSAR naming convention
FEE is able to use any AUTOSAR compliant Fls “out of the box”, i.e. associating a partition
with a driver, its API is defined and FEE can be generated. This is the case for all internal
device drivers whose API shall exactly match the naming given in Flash Driver SWS. It is
also true for an external device driver, which shall include Vendor ID and a so-called “API
infix”; both shall be published in its module description file.
However,  sometimes  an  Fls  doesn’t  fully  comply,  or  there  might  be  technical  reasons  to
deviate from AUTOSAR.
Example
Due to address space limitiation mentioned in chapter 2.1, it is necessary to use some
  “proxy Fls”, if FEE (a partition) shall address an Fls’s sectors beyond 2GB limit (≥
0x80000000). Using this Feature of FEE, its function names do not need to comply with
AUTOSAR.

In such a case FEE would not compile (or not link) because used function names do not
match Fls’s provided ones. This can be solved as follows:
2015, Vector Informatik GmbH
Version: 8.01.00
78 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

1.  Add container FeeFlsApi to container FeeGeneral.
2.  New Container may be renamed
3.  Enter name of Fls’s include file
4.  Change function names according to your needs. Parameter names are self-
explaining; they map from SWS function names (e.g. Fls_Read) to actually
implemented names (e.g. MyVeryOwn_ReadFunction).
5.  Associate this container with an existing Fls configuration (FeeFlsDeviceIndex is a
reference to a container of type Fls/FlsGeneral).

Expert Knowledge
Container FeeFlsApi has a multiplicity of 0..*, i.e. you may create an arbitrary number
  of Flses. Generator matches references to Fls drivers with partitions’ references to Fls
(runtime) configurations to generate necessary information of drivers which are actually
used. Of course, each Fls driver instance must be referenced at most once.

2015, Vector Informatik GmbH
Version: 8.01.00
79 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

6  AUTOSAR Standard Compliance
6.1
Deviations
6.1.1
Maximum Blocking Time
The parameter FEE_MAXIMUM_BLOCK_TIME is not supported by the current version of the
FEE, because a time reference is missing to support this requirement.
6.2
Additions/ Extensions
6.2.1
Parameter Checking
The  internal  parameter  checks  of  the API  functions  can  be  en-/disabled  separately.  The
AUTOSAR standard  requires en-/disabling of the complete parameter checking only. For
details see chapter 2.6.1.
6.2.2
Fee_InitEx
See chapter 4.3.2 for further information.
6.2.3
GetEraseCycle
See chapter 2.5.1.6 and 4.3.13 for further information.
6.2.4
GetWriteCycle
See chapter 2.5.1.7 and 4.3.14 for further information.
6.2.5
GetSectorSwitchStatus
See chapter 4.3.15 for further information.
6.2.6
ForceSectorSwitch
See chapter 4.3.16 for further information.
6.2.7
Fee_ConvertBlockConfig
This Service, and all related types, settings, etc. add the capability of performing data
conversion after a configuration update. Note that this extension is optional; it must be
ordered explicitly.
For more information refer to chapter 2.8.
6.2.8
Fee_SuspendWrites / Fee_ResumeWrites
See chapters 2.10, 4.3.18 and 4.3.19 for further information.
6.2.9
Fee_EnableFss / Fee_DisableFss
See chapters 2.10, 4.3.20 and 4.3.21 for further information.
6.3
Limitations
AUTOSAR does not specify how a FEE implementation shall organize flash memory.
Additionally there are no requirements on performance or robustness. Following
restrictions result from postulating and implementing such requirements.
6.3.1
Partitions
Current implementation limits the maximum number of partitions to 4.
2015, Vector Informatik GmbH
Version: 8.01.00
80 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

6.3.2
Flash Usage
Fee cannot provide whole configured flash memory for user data storage.
Net payload to be stored in flash memory is roundabout 25% of assigned flash memory, or
more precisely, 50% of the smaller logical sector’s size.
In addition to memory overhead caused by internal management information to be stored
along with user data, and to overhead caused by flash space to be reserved for dynamic
allocation  (in  order  to  process  write  requests),  the  FEE  must  adhere  to  HW’s  alignment
requirements.  Usually this alignment is determined by flash’s smallest  writable  entity,  i.e.
the flash page size. However, on some platforms, alignment must be even more stringent,
because read and write accesses must be secured, so that  they don’t endanger already
stored information.
This means: it might be possible to add stuffing bytes carrying no information. Depending
on  flash  device  and  related  alignment  requirements,  this  overhead  might  become
significant, additionally reducing the total amount of user data that may be stored in flash.
6.3.3
Performance
Due  to  dynamic  flash  allocation,  dependent  on  configuration  and  actual  write  accesses,
the performance, by means of request processing time (i.e. number of Fee_MainFunction
call  cycles),  fluctuates.  Starting  with  an  empty  flash,  job  processing  time  increases  over
time  up  to  a  maximum  search  effort  (one  logical  sector  is  completely  filled).  When  the
other sector is initially used, search efforts reduce again.
Additionally  worst  case  blocking  times  are  mostly  affected  by  clean-up  operation  (copy
recent  data  instances)  and  sector  erase.  Latter  one  is  determined by  HW;  usually  erase
timings  are  at  scales  of  hundreds  of  milliseconds  per  16kBytes.  Their  frequency  highly
depends on flash usage (data amount as well as write frequency).

Expert Knowledge
The worst case – a complete sector switch that includes copying all data and erase the
  logical sector – is a very exceptional case, as it would mean that nothing was
successfully copied so far, but flash is full, i.e. erase is necessary in order to remain
writeable.

6.3.4
Aborts/Resets
Aborts/resets  during  write  operations  result  in  artifacts  in  flash  memory,  increasing  flash
usage.  Frequent  resets  may  prevent  FEE  from  completing  a  clean-up  operation  (Sector
Switch), but cause much wasted space due to the artifacts.
Finally  the  partition  may  overflow.  There  is  no  space  left  to  copy  data  from  one  logical
sector  to  the  other  one,  which  is  the  precondition  to  perform  a  sector  erase  without  any
recent  data  instance.  This  overflow  may  be  reported  by  FEE,  and  an  erase  may  be
executed,  accepting  the  risk  of  data  loss.  For  more  information,  refer  to  chapter  3.3.5.3.
2015, Vector Informatik GmbH
Version: 8.01.00
81 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

Additionally  the  FEE  allows  marking  data  blocks  as  essential  for  ECU’s  operation;  they
must never be lost (chapter 2.11).
Finally,  FEE  provides  services  for  handling  under-voltage  situations  in  safer  ways;  see
chapter 2.10.
6.3.5
Write Cycle and Erase Cycle Counters
Blocks’ Write Cycle and Sectors’ Erase Counters allow monitoring flash usage over time.
Especially,  they  allow  re-evaluating  initial  estimations  of  blocks  write  cycles.

Erase cycle counters can be used to estimate total flash usage over ECU’s life-time. A key
parameter  is  the  number  of  erase  cycles  per  physical  sector,  which  is  limited  on  Flash
EEPROM devices.
Precisions  of  both  kinds  of  cycle  counters  are  limited.  Especially  interrupted  accesses
and/or resets reduce precision, for certain reasons.

Caution
Blocks’ Write Cycle and Sectors’ Erase Cycle counters shall be used for statistical
  purposes only. Especially, they shall not be used to affect code execution in any way.

2015, Vector Informatik GmbH
Version: 8.01.00
82 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

7  Glossary and Abbreviations
7.1
Glossary
Term
Description
DaVinci Configurator  Tool to create a consistent and optimized ECU configuration. Generation
and validation tool for MICROSAR components.
Block Tag
Identifies a block in data flash. See also: Block Id
Block Id
Identifier used to uniquely identify blocks in a partition. Stored in data
flash, it consists of Block Tag and Data Index.
In conjunction with partition ID, every block in FEE can be uniquely
identified.
The Block Id abstracts from 16Bit Block Number passed via API; it
depends on current configuration, in particular on Dataset Selection Bits.
The block tag is one cornerstone in FEE’s update capability: As long as a
Block Id does not change across configuration updates, it can be found in
data flash, data may be kept, if block length also remained unchanged.
Table 7-1   Glossary

7.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECU
Electronic Control Unit
ECUM
ECU Manager
EEPROM
Electrically Erasable Programmable Read Only Memory
FBL
Flash Bootloader
FEE
Flash EEPROM Emulation Module
FLS
Flash Driver
HIS
Hersteller Initiative Software
MEMIF
Memory Abstraction Interface Module
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
NVM
NVRAM Manager
NVRAM
Non Volatile Random Access Memory
SchM
(AUTOSAR) Scheduling Manager
2015, Vector Informatik GmbH
Version: 8.01.00
83 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

SRS
Software Requirement Specification
SWC
Software Component
SWS
Software Specification
Table 7-2 Abbreviations

2015, Vector Informatik GmbH
Version: 8.01.00
84 / 85
based on template version 3.1

Technical Reference MICROSAR FEE

8 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector-informatik.com

2015, Vector Informatik GmbH
Version: 8.01.00
85 / 85
based on template version 3.1

Document Outline

11 - GM Gateway Diagnostic Add-On

GM Gateway Diagnostic Add-On

Component Documentation

11.1 - Diag Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Diag

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Diag_Vector_GMLAN3.1_02.07.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#9536

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

02/02/17

Lead Peer Reviewer:

Rijvi

Approved by Reviewer(s):

Yes

Other Reviewer(s):

11.2 - TechnicalReference_GGDA

GM Gateway Diagnostic Add-On

11.3 - TechnicalReference_GGDA_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41

11.4 - TechnicalReference_GGDAs

Technical Reference GM Gateway Diagnostic Add-On

GM Gateway Diagnostic Add-On
Technical Reference

GGDA
Version 1.8

Authors
Mishel Shishmanyan, Matthias Heil
Status
Released

2015, Vector Informatik GmbH
Version: 1.8
1 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
Document Information
History
Author
Date
Version Remarks
Mishel Shishmanyan
2005-11-08
1.0
Created
Mishel Shishmanyan
2006-01-31
1.1
Rework and textual corrections.
Matthias Heil
2006-02-20
1.2
Extensions for multibus support
Mishel Shishmanyan
2007-01-24
1.3
Modified:
- 5.1.1 “1st step – GENtool”
- 5.1.1.2 ”UUDT Transmitter
Configuration”
- 5.1.2 “2nd step – Ggda_par.h
file”

Added:
- 5.2 “Timings Parameter”
- 5.3 “Supported Diagnostic
Services”
- 5.4 “Development and
Integration Support”
- 5.5 “Target Address Acceptance
on Functional Requests”
Mishel Shishmanyan
2007-02-16
1.4
Modified:
- 5.1.3.1”CAN Channel
Configuration”
Added:
- 5.3.1
InitializeDiagnosticOperationMode
($10 $xx)
- 5.3.3 ReadDiagnosticInformation
($A5 $02)
Matthias Heil
2007-05-29
1.5
Added: Infobox clarifying cdb-
Attributes for functional receive
message
Matthias Heil
2008-04-04
1.6
Added: Configuration aspects
regarding GENy configuration Tool
Matthias Heil
2012-05-04
1.7
Added: Added description of
configuration file values for mode
$A9 selection
Matthias Heil
2015-05-28
1.8
Added: Precondition for
DisableNormalCommunication
(Sid: $28)
2015, Vector Informatik GmbH
Version: 1.8
2 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
Reference Documents
No.
Title
[1]
TechnicalReference_CANdesc_GM_Opel.pdf

Caution
We have configured the programs in accordance with your specifications in the
questionnaire. Whereas the programs do support other configurations than the one

specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2015, Vector Informatik GmbH
Version: 1.8
3 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
1  Introduction
The GGDA (GM Gateway Diagnostic Add-on) is a small diagnostic software component
with reduced functionality to support only the GM’s gateway non-diagnostic physical
channel. This module is optimized only for this purpose and is thus very efficient. The
following goals are achieved with its usage:

-  implements  a  complete  ISO-TP  API  for  reception/transmission  of  diagnostic
messages;
-  implements  an own UUDT message transmitter with timeout and data consistency
protection;
-  implements  completely  all  GM  required  diagnostic  services  for  a  minimum
diagnostic operations;
-  provides CANdesc-like API for the ReadDiagnosticInformation service to reduce the
application fault memory diagnostic API complexity;
-  provides  event  notifications  to  the  application  for  each  relevant  diagnostic  state
change (e.g. communication control disabled, wake-up link, return to normal mode,
etc.);
-  monitors the tester-present timeout;
-  monitors the request processing time and sends automatically RCR-RP response if
the final response is not registered at the P2/P2Ex times.
-  implements the required interaction functionality for proper VN management;
-  sends unsolicited positive response on service $20 when the tester-present timeout
event.
-  has minimum ROM/RAM and run-time overhead for gateways;

2015, Vector Informatik GmbH
Version: 1.8
7 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
2 Overview
The GGDA component takes a place parallel to the fully functional diagnostic layer
CANdesc. It serves only the diagnostic services on the other communication channel on
the gateway, to provide the necessary minimum of diagnostics for GM.
Application
GGDA
CANdesc
ISO-TPMC
CANdrv
CAN controller
CAN controller
HS-CAN
LS-CAN(s)

Figure 2-1 System overview.
Caution
The GGDA component must be always placed on the low speed CANs, since the ECU

will be not flash-able on this side. If the gateway is a flash-able ECU it shall be flashed
only from the CANdesc side.

Caution
GGDA is not designed to be a stand-alone component. It operates only together with the

CANdesc component in the system.

2015, Vector Informatik GmbH
Version: 1.8
8 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
3  Management Functions
To be able to work properly, the GGDA component must be managed with the following
APIs as described:

3.1
Initialization
GgdaInitPowerOn
Prototype
void GgdaInitPowerOn (void)
Parameter
-
-
Return code
-
-
Functional Description
In order to run properly the GGDA component must be initialized.
Particularities and Limitations
  Interrupts must be disabled to guarantee consistent state machine initialization.
  This function shall be called at ECU power-up but if needed, considering the above limitation
this API may be called any time the component has to be initialized.
Call context
  Any.

3.2
Processing
The  GGDA  component  contains  two  tasks  for  processing  speed  and  CPU  load
optimization. The timer task (GgdaTimerTask) needs to be called cyclically  exactly in the
configured  time  period.  The  cycle  time  defaults  to  the  same  value  as  configured  for
CANdesc, but can be changed in ggda_par.h if needed: (example for 10ms cycle time):
Configuration:
#define kGgdaTimerMsCycle                                            10   /*ms*/
2015, Vector Informatik GmbH
Version: 1.8
9 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
GgdaTimerTask
Prototype
void GgdaTimerTask (void)
Parameter
-
-
Return code
-
-
Functional Description
Call this function cyclically exactly in the configured time period to achieve correct timeout monitoring.
Particularities and Limitations
  The function iterates through all configured channels.
Call context
  Background loop with equal priority as GgdaStateTask().
Table 3-1   GgdaTimerTask
GgdaStateTask
Prototype
void GgdaStateTask (void)
Parameter
-
-
Return code
-
-
Functional Description
Call this function cyclically as fast as possible to achieve maximum service processing performance.
Constant call time period is not necessary to be considered since there is only event polling and no time
management.
Particularities and Limitations
  The function iterates through all configured channels
Call context
  Background loop with equal priority as GgdaTimerTask().
Table 3-2   GgdaStateTask

2015, Vector Informatik GmbH
Version: 1.8
10 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4  What is inside
The GGDA software component implements completely all GM required services on the
non-diagnostic side of the gateway. Some events and call-backs are necessary to be
implemented by the application, since they reference other ECU application’s specific
functionality. Below you will find the implementation description of the GGDA referenced by
the diagnostic service specification.

4.1
InitializeDiagnosticOperationMode (Sid $10)
This service is only needed if the ECU must support one of the following sub-functions:
4.1.1
DisableAllDTCs ( $02)
Configuration:
In order to activate this feature, please see the configuration details in chapter 5.1.3.
If this feature is activated and the tester sends a valid request of this service, the following
call-back function will be called:
ApplGgdaOnDisableAllDtc
Prototype
void ApplGgdaOnDisableAllDtc ( void )
Parameter
-
-
Return code
-
-
Functional Description
Notifies about requested service to disable the DTC setting.
Particularities and Limitations
  Available only if configured.
Call context
  Called from the GgdaStateTask context.
Table 4-1   ApplGgdaOnDisableAllDtc

2015, Vector Informatik GmbH
Version: 1.8
11 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.1.2
WakeUp Link ($04)
Configuration:
In order to activate this feature, please see the configuration details in chapter 5.1.3.
If this feature is activated and the tester sends a valid request of this service, the following
call-back function will be called:
ApplGgdaOnWakeUpLink
Prototype
void ApplGgdaOnWakeUpLink ( void )
Parameter
-
-
Return code
-
-
Functional Description
Notifies about requested service for wake up.
Particularities and Limitations
  Available only if configured.
Call context
  Called from the GgdaStateTask context.
Table 4-2   ApplGgdaOnWakeUpLink

2015, Vector Informatik GmbH
Version: 1.8
12 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.2
ReadEcuIdentification (Sid $1A)
From  this  service  only  one  identifier  is  necessary  to  be  supported  ($B0)  and  it  is
completely implemented in GGDA.
Configuration:
Since  this  service  returns  the  ECU  address,  you  have  to  configure  the  correct  ECU
address id. The configuration defaults to the address configured for CANdesc.
In  CANgen  configurations  the  value  can  be  changed  in  Ggda_par.h  (example:  ECU
address is 0x3B):
#define kGgdaEcuNumber                                               0x3B

In GENy configurations this value is configurable in the GENy tool.

2015, Vector Informatik GmbH
Version: 1.8
13 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.3
ReturnToNormalMode (Sid: $20)
If a valid request of this service has been received, or a timeout of the tester-present timer
has been detected, the following APIs will be called:
ApplGgdaOnReturnToNormalMode
Prototype
void ApplGgdaOnReturnToNormalMode ( GgdaContextIndexType context )
Parameter
- context
- Identifies the channel on which the GGDA has restored normal
mode. You can safely ignore this parameter if the GGDA only
handles one channel.
Return code
-
-
Functional Description
Notifies about leaving all activities activated from the tester (e.g. CommControlHalted, WakeUpLink, etc.) up
to now. Within this function call you have to enable the DTC setting (if previously disabled).
Particularities and Limitations
  None
Call context
  Called from the GgdaStateTask context.
Table 4-3   ApplGgdaOnReturnToNormalMode
If the ECU was simulating the flash-process, the following function will be called to perform
an ECU reset (within or outside the callback):
ApplGgdaForceEcuReset
Prototype
void ApplGgdaForceEcuReset ( void )
Parameter
-
-
Return code
-
-
Functional Description
Notifies about ECU reset execution. The reset can be done immediately or later (if some EEPROM writing is
needed). If a diagnostic response was necessary, it already has been sent before this function is called.
Particularities and Limitations
  None
Call context
  Called from the GgdaStateTask context.
Table 4-4   ApplGgdaForceEcuReset

2015, Vector Informatik GmbH
Version: 1.8
14 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.4
DisableNormalCommunication (Sid: $28)
Once a  valid  service  of  this  type has  been requested  the  GGDA will  (optionally)  request
application permission to process it:
ApplGgdaMayDisableNormalComm
Prototype
vuint8 ApplGgdaMayDisableNormalComm ( GgdaContextIndexType context )
Parameter
- context
- Identifies the channel on which the request has been received. You
can safely ignore this parameter if the GGDA only handles one
channel.
Return code
vuint8
kDescOk – if the communication control request can be accepted or
kDescFailed – if the communication control request shall NOT be
accepted.
Functional Description
Once a valid diagnostic request $28 was received this function will be called. The application shall decide
whether to accept the communication control request, or to reject it.
Rejection will always result in NRC ‘ConditionsNotCorrect’
Particularities and Limitations
  Entering NormalCommDisabled can fail even if the application has allowed the service. Use
ApplGgdaOnDisableNormalComm as notification of the state change. Also, your code may not
depend on ApplGgdaOnDisableNormalComm being called after this function has returned
kDescOk.
  This callback is called only when enabled in the configuration tool.
Call context
  Called from the GgdaStateTask context.
Table 4-5   ApplGgdaMayDisableNormalComm
Once the service has been processed, the application will be notified about the new state
with the call of:
2015, Vector Informatik GmbH
Version: 1.8
15 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
ApplGgdaOnDisableNormalComm
Prototype
void ApplGgdaOnDisableNormalComm ( GgdaContextIndexType context )
Parameter
- context
- Identifies the channel on which the GGDA disabled
communication. You can safely ignore this parameter if the GGDA
only handles one channel.
Return code
-
-
Functional Description
Notifies about entering in disabled normal communication mode. The GGDA has already disabled
communication when this function is called.
Particularities and Limitations
  None
Call context
  Called from the GgdaStateTask context.
Table 4-6   ApplGgdaOnDisableNormalComm

2015, Vector Informatik GmbH
Version: 1.8
16 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.5
TesterPresent (Sid $3E)
This service is completely handled by GGDA. The valid request resets the tester-present
timeout timer.
FAQ
Functionally requested valid $3E resets always the tester present timeout timer (even if

currently another service processing is in progress). The timeouts are supervised
independently for each configured channel.

2015, Vector Informatik GmbH
Version: 1.8
17 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.6
ProgrammingMode (Sid: $A5)
The  GGDA  implements  the  whole  GM  flash  process  preparation  flow,  considering  the
correct services’ requests order. The application will be asked only if it is ready to accept
the entering in program mode request. Once accepted, the GGDA component handles the
remaining services.

Info
The flowcharts for supporting this service are equal to the one used in CANdesc- just

the API names are different. Please, refer to [1] for details.

Info
Please, note that the same return type vuint8 is used here to allow you to implement a

central condition check API to your application.

4.6.1
RequestProgrammingMode ($01)

ApplGgdaMayEnterProgMode
Prototype
vuint8 ApplGgdaMayEnterProgMode ( GgdaContextIndexType context )
Parameter
- context
- Identifies the channel on which the request has been received. You
can safely ignore this parameter if the GGDA only handles one
channel.
Return code
vuint8
kDescOk – if the programming mode shall be accepted or
kDescFailed –if the programming mode shall NOT be accepted.
Functional Description
Once the diagnostic request $A5 $01 was received from the CANdesc module this function will be called.
The application shall decide whether to accept the requested programming mode or to reject it.
Particularities and Limitations
  None
Call context
  Called from the GgdaStateTask context.
Table 4-7   ApplGgdaMayEnterProgMode

2015, Vector Informatik GmbH
Version: 1.8
18 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.6.2
RequestHiSpeedProgrammingMode ($02)
Configuration:
In order to activate this feature, please see the configuration details in chapter 5.1.3.
ApplGgdaMayEnterHiSpeedProgMode
Prototype
vuint8 ApplGgdaMayEnterHiSpeedProgMode ( GgdaContextIndexType context )
Parameter
- context
- Identifies the channel on which the request has been received. You
can safely ignore this parameter if the GGDA only handles one
channel.
Return code
vuint8
kDescOk – if the programming mode shall be accepted or
kDescFailed –if the programming mode shall NOT be accepted.
Functional Description
Once the diagnostic request $A5 $02 was received from the CANdesc module this function will be called.
The application shall decide whether to accept the requested programming mode or to reject it.
Particularities and Limitations
  None
Call context
  Called from the GgdaStateTask context.
Table 4-8   ApplGgdaMayEnterHiSpeedProgMode

2015, Vector Informatik GmbH
Version: 1.8
19 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.6.3
EnableProgrammingMode ($03)
Once the requested programming mode has been accepted, the GGDA module performs
just a state transition here to allow the ECU programming mode compliant behaviour (e.g.
no response on $A5 $03, no response on the next request $20 and suppressed unsolicited
positive response on Sid $20 on tester-present timeout.

2015, Vector Informatik GmbH
Version: 1.8
20 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.7
ReadDiagnosticInformation (Sid: $A9)
The GGDA implements the whole GM fault memory reading process flow. The application
will  be  asked  with  the  usage  of  signal  API  to  provide  the  necessary  information  and  if
iteration is needed, the API will be used multiple times.

Info
The flow-charts for supporting this service are equal to the one used in CANdesc – just

the API names are different. Please, refer to [1] for details.

4.7.1
ReadStatusOfDTCByDTCNumber ($80)
Configuration:
In order to activate this feature, please see the configuration details in chapter 5.1.3.
ApplGgdaGetDtcStatusByNumber
Prototype
void ApplGgdaGetDtcStatusByNumber ( GgdaContextIndexType context
  vuint16 dtcNum,
  vuint8 failureTypeByte )
Parameter
- context
- Identifies the channel on which the request has been received.
- dtcNum
You can safely ignore this parameter if the GGDA only handles one
- failureTypeByte
channel.
- The DTC which status will be checked from the application
- The failure type combination.
Return code
-
-
Functional Description
Once the diagnostic request $A9 $80 was received from the CANdesc module this function will be called.
Particularities and Limitations
  Available only if mode $A9 is enabled and level $80 is supported
Call context
  Called from the GgdaStateTask context.
Table 4-9   ApplGgdaGetDtcStatusByNumber
2015, Vector Informatik GmbH
Version: 1.8
21 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
GgdaRdiDtcStatusByNumberFound
Prototype
void GgdaRdiDtcStatusByNumberFound ( GgdaContextIndexType context,
vuint8 statusByte )
Parameter
- context
- Identifies the channel for which the request is answered.
- statusByte
Please pass ‘0’ (zero) here if the GGDA only handles one channel.
- The found DTC’s status byte value.
Return code
-
-
Functional Description
Once the application has been requested to find a specific DTC through the call of
ApplGgdaGetDtcStatusByNumber function, it shall confirm the status of the search process with this API if
such a DTC has been found.
Particularities and Limitations
  Available only if mode $A9 is enabled and level $80 is supported
Call context
  Any
Table 4-10   GgdaRdiDtcStatusByNumberFound
GgdaRdiDtcStatusByNumberNotFound
Prototype
void GgdaRdiDtcStatusByNumberNotFound ( GgdaContextIndexType context )
Parameter
- context
- Identifies the channel for which the request is answered.
Please pass ‘0’ (zero) here if the GGDA only handles one channel.
Return code
-
-
Functional Description
Once the application has been requested to find a specific DTC through the call of
ApplGgdaGetDtcStatusByNumber function, it shall confirm the status of the search process with this API if
NO such a DTC has been found.
Particularities and Limitations
  Available only if mode $A9 is enabled and level $80 is supported
Call context
  Any
Table 4-11   GgdaRdiDtcStatusByNumberNotFound

2015, Vector Informatik GmbH
Version: 1.8
22 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.7.2
ReadStatusOfDTCByStatusMask ($81)
Info
Please, not that the same data type DescRdiDtcRecord is used here to allow you to

implement a central data acquisition API to your application.

ApplGgdaGetDtcStatusByMask
Prototype
void ApplGgdaGetDtcStatusByMask ( GgdaContextIndexType context,
  vuint16 iterPos,
  vuint8 statusMask)
Parameter
- context
- Identifies the channel for which the request is answered. You can
- iterPos
safely ignore this parameter if the GGDA only handles one channel.
- statusMask
- The next DTC status scanner start position (assumed normal iterator);
- The searched status mask.
Return code
-
-
Functional Description
Once the diagnostic request $A9 $81 was received from the CANdesc module this function will be called. It
will be called as long as the application responds each time with GgdaRdiDtcStatusByMaskFound until the
application some time responses with GgdaRdiDtcStatusByMaskNotFound.
Particularities and Limitations
  The application is responsible to hold the DTC information separate for each channel.
Requests on different channels may request different status masks.
Call context
  Called from the GgdaStateTask context.
Table 4-12   ApplGgdaGetDtcStatusByMask
2015, Vector Informatik GmbH
Version: 1.8
23 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
GgdaRdiDtcStatusByMaskFound
Prototype
void GgdaRdiDtcStatusByMaskFound (GgdaContextIndexType context,
  const DescRdiDtcRecord * const
pDtcReport)
Parameter
- context
- Identifies the channel for which the request is answered. Please pass
- pDtcReport
‘0’ (zero) here if the GGDA only handles one channel.
- The found DTC’s response relevant information.
Return code
-
-
Functional Description
Once the application has been requested to find a specific DTC through the call of
ApplGgdaGetDtcStatusByMask function, it shall confirm the status of the search process with this API if
such a DTC has been found. Additionally all required by the DescRdiDtcRecord data structure
information shall be initialized as described in [1].
Particularities and Limitations
  Available only if mode $A9 is enabled.
Call context
  Any
Table 4-13 GgdaRdiDtcStatusByMaskFound

GgdaRdiDtcStatusByMaskNotFound
Prototype
void GgdaRdiDtcStatusByMaskNotFound (GgdaContextIndexType context
vuint8 dtcSam)
Parameter
- context
- Identifies the channel for which the request is answered. Please pass
- dtcSam
‘0’ (zero) here if the GGDA only handles one channel.
- The DTC Status Availability Mask.
Return code
-
-
Functional Description
Once the application has been requested to find a specific DTC through the call of
ApplGgdaGetDtcStatusByMask function, it shall confirm the status of the search process with this API if no
(more) such a DTC has been found. Additionally the status availability mask shall be as described in [1].
Particularities and Limitations
  Available only if mode $A9 is enabled
Call context
  Any
Table 4-14   GgdaRdiDtcStatusByMaskNotFound
2015, Vector Informatik GmbH
Version: 1.8
24 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On

2015, Vector Informatik GmbH
Version: 1.8
25 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
4.7.3
SendOnChangeDTCCount ($82)

ApplGgdaEnableOnChangeDtcCount
Prototype
void ApplGgdaEnableOnChangeDtcCount (GgdaContextIndexType context
   vuint8 statusMask)
Parameter
- context
- Identifies the channel for which the request is answered. You can
- statusMask
safely ignore this parameter if the GGDA only handles one channel.
- the monitored DTCs’ matching status mask.
Return code
-
-
Functional Description
Once the diagnostic request $A9 $82 was received from the CANdesc module this function will be called.
The application shall store the statusMask parameter value and start its background DTC count evaluation
algorithm.
Particularities and Limitations
  The application is responsible to support several concurrent counting algorithms. Requests on
different channels may request different status mask
  Available only if mode $A9 is enabled and level $82 is supported
Call context
  Called from the GgdaStateTask context.
Table 4-15   ApplGgdaEnableOnChangeDtcCount
ApplGgdaDisableOnChangeDtcCount
Prototype
void ApplGgdaDisableOnChangeDtcCount (GgdaContextIndexType context)
Parameter
- context
- Identifies the channel for which the counting is to be cancelled. You
can safely ignore this parameter if the GGDA only handles one
channel.
Return code
-
-
Functional Description
This function will be called to notify the application for stopping the background DTC count monitoring
mechanism.
Particularities and Limitations
  Available only if mode $A9 is enabled and level $82 is supported
Call context
  Called from the GgdaStateTask context.
Table 4-16   ApplGgdaDisableOnChangeDtcCount
2015, Vector Informatik GmbH
Version: 1.8
26 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
GgdaRdiOnDtcCountChanged
Prototype
void GgdaRdiOnDtcCountChanged (GgdaContextIndexType context,
vuint16 newCount)
Parameter
- context
- Identifies the channel for which the request is answered. Please pass
- newCount
‘0’ (zero) here if the GGDA only handles one channel.
- (Changed) new number of DTCs
Return code
-
-
Functional Description
Call this function when you have detected a DTC count change.
Particularities and Limitations
  The application is responsible to support several concurrent counting algorithms. Requests on
different channels may request different status mask
  Available only if mode $A9 is enabled and level $82 is supported
Call context
  Any.
Table 4-17   GgdaRdiOnDtcCountChanged

GgdaRdiDeactivateOnChangeDtcCount
Prototype
void GgdaRdiDeactivateOnChangeDtcCount ( GgdaContextIndexType context)
Parameter
- context
- Identifies the channel for which the counting is to be deactivated.
Please pass ‘0’ (zero) here if the GGDA only handles one channel.
Return code
-
-
Functional Description
Call this function if you need explicitly to stop the DTC count change activity in the GGDA component.
Particularities and Limitations
  Available only if mode $A9 is enabled and level $82 is supported
Call context
  Any.
Table 4-18   GgdaRdiDeactivateOnChangeDtcCount

2015, Vector Informatik GmbH
Version: 1.8
27 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
5  Configuration in CANGen
Some of the configuration aspects were already mentioned at the affected features of the
component. The remaining set of configuration options is described here:
5.1
Communication Parameter
5.1.1
1st step – GENtool
Prior  adding  your  database  files  in  your  configuration  you  shall  assure  the  following
requirements:
-  The CAN channel on which CANdesc shall operate (HS-CAN) shall use a DBC file
with all CANdesc required message attributes (for USDT and UUDT messages) set
to the appropriate values. See [1] for further instructions.
-  For  CANgen  versions  prior  to  4.23.49,  the  UUDT  messages  used  by  the  GGDA
may not have the message type attribute set in the DBC file.

2015, Vector Informatik GmbH
Version: 1.8
28 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
5.1.1.1
USDT Connection Configuration
Once  you  have  prepared  the  DBC  files  and  their  CAN  mapping,  you  can  create  your
configuration  as  usual.  Since  CANdesc  is  automatically  prepared  for  the TPMC API  you
have only to adapt the hook functions for each GGDA TP connection:

Figure 5-1 GGDA OSEK-TP configuration
The TP timing parameters are the same as those for the CANdesc connection.
Info
Please note that this is an example configuration where the GGDA was configured to

use the connections 0 and 2. The connection numbers may vary for your configuration.

The  transport  layer  must  be  configured  to  support  an  additional  feature  for  the  GGDA
component:  GM  requires  that  any  request  length  (except  zero-length)  shall  be
accepted independent of the buffer size. After the reception has been accomplished
with  success,  it  shall  be  checked  if  the  buffer  size  is  enough  to  handle  the whole
request data. If it is not true, a negative response $12 must be sent.
To  activate  the  buffer-overflow  option  of  the  TPMC,  used  for  implementing  this
requirement, a user-config file is needed to be prepared with the following content:
#define TP_USE_OVERRUN_INDICATION kTpOn
Assuming  that  the  file  name  was  tpmc_ggda.cfg,  you  have  to  add  the  path  to  it  in  the
GENtool as shown below:
2015, Vector Informatik GmbH
Version: 1.8
29 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On

Figure 5-2 User-config file for the GGDA TPMC configuration.

A functionally requested service is not received by the TPMC, but by the GGDA
component it self. Therefore the necessary pre-copy function must be configured manually
in the GENtool as shown below:

Figure 5-3 „GgdaFuncPrecopy“ configuration.

Caution
If you have the ‘DiagState’ attribute set to ‘true’ in your database for the GGDA channels,
you need to also select the ‘App-Message’ check box.
Else, the ‘GgdaFuncPrecopy’ function will be replaced by ‘TpFuncPrecopy’ during the
generation process.

2015, Vector Informatik GmbH
Version: 1.8
30 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
5.1.1.2
UUDT Transmitter Configuration
Since  the  GGDA  component  handles  also  the  $A9  service,  the  embedded  UUDT
transmitter  must  be  configured  too.  Please,  enter  the  confirmation function  name for  the
UUDT  message  on  the  GGDA  CAN  channel  as  shown  below  (channel  2  messages  not
visible here):

Figure 5-4 „GgdaUudtConfirmation“ configuration
Caution
From CANGen 4.23.49 on, please select the ‘App-Message’ check box for the UUDT

message the GGDA is to use.

2015, Vector Informatik GmbH
Version: 1.8
31 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
5.1.2
2nd step – Ggda_par.h file
Once  you  are  done  with  the  GENtool  settings,  you  have  to  adapt  the  GGDA  module
configuration in the Ggda_par.h file. Most settings default to the same value as configured
for the CANdesc component, but they can be changed if needed.
The  number  of  channels  the  GGDA  works  on  defaults  to  the  number  of  CAN  channels
minus one, for the full CANdesc diagnostics. This can be changed in Ggda_par.h:
Number of CAN channels for GGDA
#define kGgdaNumContexts                                          (kCanNumberOfChannels - 1)

5.1.3
3rd step – Ggda_par.c file
In the Ggda_par.c file the connection parameters are configured.
The  first  step  is  change  the  following  #include  directive  to  include  your  configuration
header file, and to remove the #error directive:
ECU configuration header
#error “Please include your ECU configuration header file. Then remove this line”
#include “YourECU.h”
5.1.3.1
CAN Channel Configuration
For  each  channel  you  need  to  fill  out  a  configuration  context  struct  in  the  configuration
array GgdaCanConfig.
CAN configuration structure
typedef
{
#if (GGDA_CONFIG_SERVICE_A9_SUPPORT == GGDA_CONFIG_ON)

CanTransmitHandle
uudtResMsgHandle;
#endif

CanChannelHandle
canChannel;

canuint8
optionalModes;
}GgdaCanConfigType;
The optional modes each channel can support are
Optional modes per channel
kGgdaDisableAll
No optional modes supported
kGgdaEnableModeA502
Enable HiSpeed support (mode $A5 02)
kGgdaEnableMode1002
Enable support for DisableAllDTCs request (mode $10 02)
kGgdaEnableMode1004
Enable support for WakeUpLink request (mode $10 04)
kGgdaEnableMode10xx
Enable support for all levels of mode $10
kGgdaEnableModeA980
Enable support for mode $A9 80 and $A9 81
kGgdaEnableModeA981
Enable support for mode $A9 81
kGgdaEnableModeA982
Enable support for mode $A9 81 and $A9 82
kGgdaEnableModeA9xx
Enable support for all levels of mode $A9
kGgdaEnableAll
Enable all optional modes
2015, Vector Informatik GmbH
Version: 1.8
32 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
Caution
Please take into account that the settings in this table must be consistent with those that

determine the availability of the corresponding service. You have to set the appropriate
service specific setting to have consistent configuration on GGDA (please refer chapters
: 5.3 “Supported Diagnostic Services” ).

Example
Example
For a configuration with 3 channels, CAN0 and CAN2 are handled by GGDA. The CAN

message for UUD responses is named mUUDResfroDut, and CAN0 supports HiSpeed
programming. Both channels shall support modes $10 02 and $10 04. The configuration
would look like this:
CAN configuration
const GgdaCanConfigType ggdaCanConfig[kGgdaNumContexts] =
{
  {
#if (GGDA_CONFIG_SERVICE_A9_SUPPORT == GGDA_CONFIG_ON)

CanTxmUUDResfroDUT_0,
/* UudtResMsgHandle for Can 0*/
#endif

kCanIndex0,
/* CanChannel 0 */

kGgdaEnableAll
/* Levels 02, 04 - Hispeed support */
  },
  {
#if (GGDA_CONFIG_SERVICE_A9_SUPPORT == GGDA_CONFIG_ON)

CanTxmUUDResfroDUT_2,
/* UudtResMsgHandle for Can 2*/
#endif

kCanIndex2,
/* CanChannel for Can 0 */

kGgdaEnable1002 | kGgdaEnable1004  /* Levels 02, 04 - No HiSpeed support */
  }
};

Caution
Please take into account that the message transmission handle is configuration

dependent (refer the section 5.3.2 ”ReadDiagnosticInformation ($A9)”!

5.1.3.2
Static TP Channel Configuration
The static TP channel configuration is separate from the CAN configuration in the context
configuration array ggdaTpConfig. Again, a struct needs to be filled in for each channel.
Static TP configuration structure
typedef struct
{

canuint8 tpTxChannel;

canuint8 tpRxChannel;
}GgdaTpConfigType;
2015, Vector Informatik GmbH
Version: 1.8
33 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
Example
Example
For the example the TP is configured as described in chapter 5.1.1.1. The CAN

transmit/receive handles are prefixed with “CanTx”/”CanRx”.
Static TP configuration
const GgdaTpConfigType ggdaTpConfig[kGgdaNumContexts] =
{

/* Tp channels for Can 0 */

{

CanTxDiag,
/* TpTxChannel for Can 0*/

CanRxDiag
/* TpRxChannel for Can 0*/

},

/* Tp channels for Can 2 */

{

CanTxDiag2,
/* TpTxChannel for Can 2*/

CanRxDiag2
/* TpRxChannel for Can 2*/

}
};

Caution
Please take care and assure that the order of ggdaCanConfig and ggdaTpConfig is the

same.

Info
The context parameter passed to the context depending callback functions ApplGgda*

actually is an index into these configuration arrays. If you need more information about
the CAN channel on which a request was received, you can include ggda_par.h in your
application and access these configuration structures.

5.2
Timings Parameter
All  needed  GM  diagnostics  time  parameters  are  taken  from  the  CANdesc  configuration
and should therefore comply with GMW 3110 v 1.5, but they are still configurable. If you
need  to  adjust  a  parameter,  you  can  adapt  the  GGDA  module  configuration  in  the  file
Ggda_par.h (all times are in ms units):
Tester Present timeout
#define kGgdaTimeoutS1                                               5000 /*ms*/

RequestCorrectlyReceived-ResponsePending (RCR-RP) timeouts
#define kGgdaTimeoutP2                                               100  /*ms*/
#define kGgdaTimeoutP2Ex                                           1000 /*ms*/

2015, Vector Informatik GmbH
Version: 1.8
34 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
VN_Diagnsotic timeout
#define kGgdaTimeoutVnDiagnostics 8000 /*ms*/

2015, Vector Informatik GmbH
Version: 1.8
35 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
5.3
Supported Diagnostic Services
Some  of  the  services  implemented  in  GGDA  are  optionally  supported  (depends  on  the
current  ECU  specification).  Therefore  they  can  be  deactivated  in  order  to  save  ECU
resources.
5.3.1
InitializeDiagnosticOperationMode ($10 $xx)
In  order  to  specify  whether  any  sub-function  of  this  service  will  be  supported  or  not  by
GGDA, you have to modify the switches in the Ggda_par.h file. Example for activating the
services:
Service $10 $02 support
#define GGDA_CONFIG_SERVICE_10_02_SUPPORT                              GGDA_CONFIG_ON
Service $10 $04 support
#define GGDA_CONFIG_SERVICE_10_04_SUPPORT                              GGDA_CONFIG_ON

Caution
Please take into account that this switch enables/disables the complete support of this

service. You have to set the appropriate channel specific setting to have consistent
configuration on GGDA (please refer 5.1.3.1”CAN Channel Configuration”).

5.3.2
ReadDiagnosticInformation ($A9)
In  order  to  specify  whether  this  service  will  be  supported  or  not  by  GGDA,  you  have  to
modify the switch in the Ggda_par.h file. Example for activating the service:
Service $A9 support
#define GGDA_CONFIG_SERVICE_A9_SUPPORT                                                      GGDA_CONFIG_ON
#define GGDA_CONFIG_SERVICE_A9_80_SUPPORT                                                GGDA_CONFIG_ON
#define GGDA_CONFIG_SERVICE_A9_82_SUPPORT                                 GGDA_CONFIG_ON
Mode  $A9  81  is  always  enabled  if  GGDA_CONFIG_SERVICE_A9_SUPPORT  is  set  to
GGDA_CONFIG_ON.

5.3.3
ReadDiagnosticInformation ($A5 $02)
In  order  to  specify  whether  this  service  will  be  supported  or  not  by  GGDA,  you  have  to
modify the switch in the Ggda_par.h file. Example for activating the service:
Service $A5 $02 support
#define GGDA_CONFIG_SERVICE_A5_02_SUPPORT                              GGDA_CONFIG_ON
Caution
Please take into account that this switch enables/disables the complete support of this

service. You have to set the appropriate channel specific setting to have consistent
configuration on GGDA (please refer 5.1.3.1”CAN Channel Configuration”).

2015, Vector Informatik GmbH
Version: 1.8
36 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
5.4
Development and Integration Support
In ordert to lighten the integration support of GGDA in your ECU this module provide own
monitoring functionality than can be optionally turned one using the switch in Ggda_par.h.
Example for turning debug support on:
Debug support
#define GGDA_CONFIG_DEBUG                              GGDA_CONFIG_ON

5.5
Target Address Acceptance on Functional Requests
GGDA handles by itself the functional request reception. The used target address will be
evaluated and GGDA decides whether to accept or ignore the requested frame. There are
two  use-cases for  the  ECUs:  a  non-gateway  and  a  gateway  ECUs.  GGDA  synchronizes
the current use case with the CANdesc use case detection (please refer the [1] for more
details on CANdesc gateway usage configuration).
If you want to override this detection use the switch below to specify your use-case:
Gateway address support
#define GGDA_CONFIG_GW_SUPPORT                              GGDA_CONFIG_ON

2015, Vector Informatik GmbH
Version: 1.8
37 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
6  Configuration in GENy
6.1
Communication Parameters
For  all  channels  the  GGDA  shall  be  used  on  set  up  the  communication  databases  as
described in [1]
The activate the Diag_CanDescGgdaExt_Gm module in the GENy tool on the appropriate
channels.  You  will  not  be  able  to  activate  the  Ggda  module  on  the  same  channel  as
CANdesc.

If  the  DBC  file  is  set  up  correctly  the  communication  configuration  will  be  set  up
automatically.

6.2
General Parameters
You  can  configure  the  parameters  that  affect  GGDA  as  a  whole  on  the  ‘root’
Diag_CanDescGgdaExt_Gm entry of the component tree.

Figure 6-1 Global configuration parameters in GENy
2015, Vector Informatik GmbH
Version: 1.8
38 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On

ECU settings, Timing Parameters
Most parameters default to the CANdesc values, which is the recommended setting. If you
disable  the  checkbox  ‘Use  CANdesc  setting’,  you  are  able  to  override  the  defaults  with
own values.
6.3
Supported Diagnostic services
You  can  configure  the  channel  specific  parameters  depending  on  the  channel  entries
below the Diag_CanDescGgdaExt_Gm entry.
The  HiSpeed  support  is  only  available  if  that  functionality  is  supported  by  the
Nm_Gmlan_Gm module. To allow more flexibility in use cases, the configuration tool does
not prevent to enable support for mode $A5 02 on a DW Link, and does not enforce it on a
SW Link either.
If mode $A9 is supported, the level $81 is mandatory and cannot be disabled.

Figure 6-2 Channel specific configuration parameters in GENy

2015, Vector Informatik GmbH
Version: 1.8
39 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
7  Integration
In order to integrate properly GGDA, your diagnostic application must comply to the
following include rules in this order:
-  Always include can_inc.h (resp. v_inc.h) as first header file.
-  If this application source file manages the TPMC initialization and task calls, include
the tpmc.h file;
-  Include desc.h;
-  Include ggda.h;
-  Include (if necessary) all header files required by your application source file.

Caution
Using CANGen, the GGDA is not supported by CCL. In this case your application needs

to explicitely call GgdaInitPowerOn, GgdaStateTask and GgdaTimerTask.
Using GENy this restriction does not apply.

2015, Vector Informatik GmbH
Version: 1.8
40 / 41
based on template version 5.1.0

Technical Reference GM Gateway Diagnostic Add-On
8  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com
2015, Vector Informatik GmbH
Version: 1.8
41 / 41
based on template version 5.1.0

Document Outline

12 - I/O Hardware Abstraction

I/O Hardware Abstraction

Component Documentation

12.1 - IoHwAb Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. IoHwAb

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. IoHwAb_Vector_Ar4.0.3_03.00.00_1

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3171

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/06/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

12.2 - TechnicalReference_IoHwAb

YourTopic

12.3 - TechnicalReference_IoHwAb_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33

12.4 - TechnicalReference_IoHwAbs

MICROSAR IOHWAB
Technical Reference

Version 3.00.02

Authors
Christian Leder
Status
Released

Technical Reference MICROSAR IOHWAB
Document Information
History
Author
Date
Version
Remarks
Christian Marchl
2007-02-09  1.00.00
Initial version
Christian Marchl
2007-08-09  1.01.00
Typos corrected; Added description for
component name field
Christian Marchl
2007-12-13  1.01.01
Version adapted according to new
version scheme
Christoph Ederer
2008-05-21  2.00.00
Transfer of the document to new
Technical Reference template; Adapted
descriptions and screenshots to new
software version
Christoph Ederer
2008-07-11
2.00.01
Update of document due to changes in
DCM interface and RTE usage
Christoph Ederer
2009-01-14  2.01.00
Update of the naming of graphical
elements in the configuration,
Screenshots reworked, DCM
subfunctions reworked, Added
description of default value in
configuration
Christoph Ederer
2009-03-23  2.01.01
Updated development error detection
in GUI description, toolchain naming
updated,  hints added to chapter 4.1.2
Christoph Ederer
2009-07-21  2.02.00
Updated description of the generation
process (user blocks, autom. SWC
generation), updated AUTOSAR figure,
added information on user defined
signals
Christoph Ederer
2009-09-25  2.02.01
Reworked description of DCM interface
Christoph Ederer
2010-11-26
2.02.02
>  Added chapter 4.3 Critical Sections
>  GUI description updated
>  Added information about necessary
make process modifications to 4.1.2
Christoph Ederer
2011-03-02
2.02.03
Reworked the service descriptions in
chapters 5.4.3, 5.4.7 and 5.4.10:
parameter ‘signal’ is [inout], now
Christoph Ederer
2013-04-10  3.00.00
>  Component rework and update to
AUTOSAR 4
>  Update to new Configuration Tooling
‘DaVinci Configurator 5’
Christian Leder
2014-03-14  3.00.01
Generated file adapted from IoHwAb.c
to IoHwAb_30.c
Christian Leder
2014-06-18  3.00.02
ReturnType changed in CS port
operation
2014, Vector Informatik GmbH
Version: 3.00.02
2 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
Reference Documents
No.
Source
Title
Version
[1]   AUTOSAR
AUTOSAR_SWS_IOHardwareAbstraction.pdf
V3.2.0
(available at:
http://www.autosar.org/download/R4.0/AUTOSAR_SWS_IOHa
rdwareAbstraction.pdf)
[2]   AUTOSAR
AUTOSAR_SWS_DevelopmentErrorTracer.pdf
V3.2.0
(available at:
http://www.autosar.org/download/R4.0/AUTOSAR_SWS_Deve
lopmentErrorTracer.pdf)
[3]   AUTOSAR
AUTOSAR_TR_BSWModuleList.pdf
V1.6.0
(available at:
http://www.autosar.org/download/R4.0/AUTOSAR_TR_BSWM
oduleList.pdf)
[4]   AUTOSAR
AUTOSAR_EXP_VFB.pdf
V2.2.0
(available at:
http://www.autosar.org/download/R4.0/AUTOSAR_EXP_VFB.
pdf)

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2014, Vector Informatik GmbH
Version: 3.00.02
3 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.
Component Version  New Features
3.00.00
>  Update to AUTOSAR 4
>  Full support of Client/Server port functionality
>  Full support of Sender/Receiver port functionality
>  Full BSW Schedulable Entity support
>  Full Runnable Entity Support
>  Update of configuration tooling to DaVinci Configurator 5.x
Table 1-1   Component history

2014, Vector Informatik GmbH
Version: 3.00.02
7 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
2  Introduction
This  document  describes  the  functionality, API  and  configuration  of  the AUTOSAR  BSW
module IOHWAB as specified in [1].

Supported AUTOSAR Release*:
4
Supported Configuration Variants:
pre-compile
Vendor ID:
IOHWAB_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
IOHWAB_MODULE_ID
254 decimal
(according to ref. [3])
* For the precise AUTOSAR Release 3.x please see the release specific documentation.

The  aim  of  the  IOHWAB  is  to  provide  ECU  hardware-independent  data  transition  from
driver modules up to the Software Components. To fulfill this task the IOHWAB generates
a Software Component description from the user configuration. This Software Component
description can be imported by the ‘Vector DaVinci Developer’ and/or the RTE module.
After import, the IOHWAB is displayed like a normal Software Component (SW-C) with a
set of
>  Client/Server Ports,
>  Sender/Receiver Ports,
>  Runnable Entities
within  the  ‘DaVinci  Developer’  modeling  tool.  Other  SW-Cs  can  access  I/O  modules  via
these ports through the RTE and the I/O Hardware Abstraction.
This  release  of  the  IOHWAB  is  a  completely  generic  approach  and  does  not  generate
ready-to-use  code  files.  Instead,  it  generates  function  stubs  (containing  user  code
sections,  called  ‘User  Blocks’  –  see  7.1,  0)  that  are  accessible  via  the  supported
AUTOSAR interfaces: Sender/Receiver Ports, Client/Server Ports, Runnable entities.
2014, Vector Informatik GmbH
Version: 3.00.02
8 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
2.1
Architecture Overview
The following figure shows where the IOHWAB is located in the AUTOSAR architecture.

Figure 2-1 AUTOSAR 4.x Architecture Overview

2014, Vector Informatik GmbH
Version: 3.00.02
9 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
The  next  figure  shows  the  interfaces  to  adjacent  modules  of  the  IOHWAB.  These
interfaces are described in chapter 5.

Figure 2-2  Interfaces to adjacent modules of the IOHWAB
Applications do not access the services of the BSW modules directly. They use the service
ports  provided  by  the  BSW  modules  via  the  RTE.  The  service  ports  provided  by  the
IOHWAB are listed in chapter 5.7 and are defined in [1].
2014, Vector Informatik GmbH
Version: 3.00.02
10 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
3  Functional Description
3.1
Features
The features listed in the following tables cover the complete functionality specified for the
IOHWAB.
The AUTOSAR  standard  functionality  is  specified  in  [1],  the  corresponding  features  are
listed in the tables
>  Table 3-1   Supported AUTOSAR standard conform features
>  Table 3-2   Not supported AUTOSAR standard conform features
The following features specified in [1] are supported:
Supported AUTOSAR Standard Conform Features
Abstraction of MCAL signals
Creation of a Software Component Description file that can be imported by DaVinci Developer
Table 3-1   Supported AUTOSAR standard conform features
The following features specified in [1] are not supported:
Not Supported AUTOSAR Standard Conform Features
Automatic abstraction of I/O modules (Implementation of the ‘firmware’ has to be done by the
user)
I/O control via DCM
Support of BswInterruptEntities
Automatic signal aging and debouncing
Production Error Detection
AUTOSAR Debugging
Table 3-2   Not supported AUTOSAR standard conform features
3.2
Initialization
Initialization is not necessarily needed for the IOHWAB. Therefore, the provided service for
initialization can be removed by a pre-compile option during the configuration phase.

Basic Knowledge
It is not intended to initialize drivers in the IOHWAB initialization function. Driver
  initialization has to be done by the ECUM.

3.3
States
The IOHWAB itself neither has certain module  states nor does any handling of  states of
lower-level drivers. Caring about time flows and states is the user’s responsibility.
2014, Vector Informatik GmbH
Version: 3.00.02
11 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
3.4
Main Functions
The  I/O  Hardware  Abstraction  module  does  not  provide  (a)  fix  main  function(s),  but
implements a generic approach, i.e. main functions can be created in the configuration and
are generated into the configuration source files.
The I/O Hardware Abstraction refers to main functions as ‘BSW Schedulable Entities’, see
5.3.4.  After  creating  a  BSW  Schedulable  Entity  in  the  configuration,  the  configured
information  is  passed  to  the  RTE/SCHM  via  ‘Internal  Behavior’.  After  the  generation  is
finished, the Schedulable Entity functionality can be implemented in the function template
in the file ‘IoHwAb_30.c’. At runtime, it will be called cyclically by the SCHM as configured.
3.5
Error Handling
3.5.1
Development Error Reporting
By  default,  development  errors  are  reported  to  the  DET  using  the  service
Det_ReportError() as specified in [2], if ‘Development Mode’ and ‘Development Error
Reporting’ are enabled in the configuration tool.
If  another  module  is  used  for  development  error  reporting,  the  function  prototype  for
reporting the error can be configured by the integrator, but must have the same signature
as the service Det_ReportError().
The reported IOHWAB ID is 254.
The  reported  service  IDs  identify  the  services  which  are  described  in  5.2.  The  following
table presents the service IDs and the related services:
Service ID
Service
0x01
IoHwAb_Init()
0x10
IoHwAb_GetVersionInfo()
Table 3-3   Service IDs
The errors reported to DET are described in the following table:
Error Code
Description
IOHWAB_E_INV_POINTER  API service called with “NULL pointer” as parameter
Table 3-4   Errors reported to DET

3.5.2
Production Code Error Reporting
As  production  error  reporting  is  typically  done  on  driver  level,  the  IOHWAB  does  not
provide any reporting mechanism.  Nonetheless,  production error reporting can be added
manually to ‘IoHwAb_30.c’, if necessary.

2014, Vector Informatik GmbH
Version: 3.00.02
12 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
4  Integration
This chapter gives necessary information for the integration of  the MICROSAR  IOHWAB
into an application environment of an ECU.

4.1
Scope of Delivery
The delivery of the IOHWAB contains the files which are described in the chapters  4.1.1
and 4.1.2:

4.1.1
Static Files
File Name
Description
IoHwAb.h
Declares the interface of the MICROSAR component IOHWAB
Table 4-1   Static files

4.1.2
Dynamic Files
The dynamic files are generated by the configuration tool DaVinci Configurator.
File Name
Description
IoHwAb_30.c
Code template that contains the interfaces of the IOHWAB as well as
the generated API function templates.
IoHwAb_Cfg.h
Contains the static configuration of the IOHWAB
IoHwAb_Cbk.h
Code template for prototypes of callback functions
IoHwAb_Types.h  Contains all the data types that are used in the IOHWAB (File is only
used, if RTE usage is deactivated)
Table 4-2   Generated files
2014, Vector Informatik GmbH
Version: 3.00.02
13 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Edit
The files ‘IoHwAb_30.c’ and ‘IoHwAb_Cbk.h’ are code templates, i.e. after generation
  they are not complete and require user modifications.

Edit
Generated code templates are not part of the AUTOSAR make files provided by the
  module, because the file may be copied to different locations in an integration package
(e.g. a common folder for all editable code templates).
Please add all generated code templates to your make process, manually. If the Vector
make environment is used, add the file to the variable ‘APP_SOURCE_LST’ in the file
‘Makefile.project.part.defines’.

For successfully integrating the IOHWAB in a MICROSAR environment, there are further
files needed. These Files can be generated by the RTE generator.
File Name
Description
Rte_IoHwAb.h  Contains the prototypes of all the IOHWAB operation services
Rte_Type.h
Contains all the data types that are used in the IOHWAB
Table 4-3   Files generated by the RTE Generator
4.2
Critical Sections
The IOHWAB implements the following critical section:
>  IOHWAB_EXCLUSIVE_AREA_0: This critical section can be used to protect code
passages that may contain coherent operations. The critical section shall prevent task
switches.

Edit
This critical section can be used in the user code. To create a protected code passage,
  call the macro IoHwAb_GlobalSuspend() before the protected part and
IoHwAb_GlobalRestore() after it.

Caution
Be sure to use critical sections scarcely and keep them as short as possible, because
  they may affect the system performance. Furthermore, pay attention that you do not
nest critical sections and always close opened sections.

2014, Vector Informatik GmbH
Version: 3.00.02
14 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
4.3
Generated Template Files
A generated template file in this document is a file which:
> is generated by the generation tool at every generation process
> the user can modify for his needs
> preserves that the user implementation will not be overwritten during the next
generation process

4.3.1
User Blocks
In order not to overwrite the user code, the template file contains special comments, where
code can be inserted. The comments have the following format:
/**********************************************************************************
* DO NOT CHANGE THIS COMMENT! <USERBLOCK NAME> DO NOT CHANGE THIS COMMENT
***********************************************************************************/

/**********************************************************************************
* DO NOT CHANGE THIS COMMENT! </USERBLOCK> DO NOT CHANGE THIS COMMENT
***********************************************************************************/

Do not edit manually
Do not modify or delete the comment lines!

The following example explains where the code can be implemented:

Figure 4-1 User Block Implementation Area
Every code outside this area will be overwritten during the next generation process.

The I/O Hardware Abstraction provides the following generated template files:
> IoHwAb_30.c
> IoHwAb_Cbk.h
2014, Vector Informatik GmbH
Version: 3.00.02
15 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
4.3.2
Unrecognized/Deleted Signals
If  a  Port  Prototype,  Runnable  Entity  or  BSW  Schedulable  Entity  is  removed  from  or
renamed in the configuration, possibly already implemented code would be lost, because
the  generated  service  would  be  deleted  from  the  generated  file.  In  this  case,  the
‘IoHwAb_30.c’ template file contains a section at the end, which receives the code from all
services whose associated signals have been deleted:
/* Section for deleted/unrecognized user blocks: */
#if 0
#endif

Caution
This section only contains code from signals that have been deleted during the last
  generation process. During the next generation, the section will be cleared.

2014, Vector Informatik GmbH
Version: 3.00.02
16 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
5  API Description
The  API  of  the  I/O  Hardware  Abstraction  is  mainly  generic,  only  IoHwAb_Init  and
IoHwAb_GetVersionInfo are permanent. The fixed API is described in the chapter 5.2, the
generic, configuration-specific API is described in 5.3.
5.1
Type Definitions
The I/O Hardware Abstraction module does not provide any default types, but implements
a generic approach, i.e. types can be created in the configuration and are generated into
the configuration source files (either by the I/O Hardware Abstraction itself or by the RTE).

The current implementation supports the creation of the following types:
>  Typedefs to primitive types (provided by AUTOSAR Standard/Platform Types)
>  Arrays (consisting of primitive types or types that are derived from these)
>  Structs ((consisting of primitive types or types that are derived from these)

Types can be created/configured via the following configuration containers:
>  …/IoHwAbDatatypes/IoHwAbImplementationTypes/IoHwAbTypeReference
>  …/IoHwAbDatatypes/IoHwAbImplementationTypes/IoHwAbArray
>  …/IoHwAbDatatypes/IoHwAbImplementationTypes/IoHwAbRecord
The destination file of the typedefs after the generation process depends on the following
configuration switch: ‘/MICROSAR/IoHwAb/IoHwAbGeneral/IoHwAbUseRte’.
If the RTE is used, the file ‘Rte_Type.h’ will contain the typedefs. Otherwise, the typedefs
are generated into the file ‘IoHwAb_Types.h’.
5.2
Services provided by IOHWAB
5.2.1
IoHwAb_Init
Prototype
void IoHwAb_Init ( void )
Parameter
--
--
Return code
void
--
Functional Description
This function stub can be used to implement any initialization activities and shall be called by the ECUM. It
is not intended to initialize drivers in the IOHWAB initialization function. Driver initialization has to be done
by the ECUM.
2014, Vector Informatik GmbH
Version: 3.00.02
17 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
Particularities and Limitations
>  Service ID: see table 'Service IDs'
>  This function is synchronous.
>  This function is non-reentrant.
>  This service can be disabled using the configuration parameter
‘/MICROSAR/IoHwAb/IoHwAbGeneral/IoHwAbUseInitFunction’
Expected Caller Context
>  Expected to be called in application context (EcuM)
Table 5-1   IoHwAb_Init
5.2.2
IoHwAb_GetVersionInfo
Prototype
void IoHwAb_GetVersionInfo ( Std_VersionInfoType *versioninfo )
Parameter
versioninfo
Pointer to where the version information shall be stored
Return code
void
--
Functional Description
This service returns the version information of this module. The provided information is:
>  Module ID
>  Vendor ID
>  Version Information
Particularities and Limitations
>  Service ID: see table 'Service IDs'
>  This function is synchronous.
>  This function is non-reentrant.
>  This service can be disabled using the configuration parameter
‘/MICROSAR/IoHwAb/IoHwAbGeneral/IoHwAbVersionInfoApi’
Expected Caller Context
>  Expected to be called in application context
Table 5-2   IoHwAb_GetVersionInfo

5.3
Generated API Function Templates
The  following  service  descriptions  do  not  refer  to  certain  API  functions,  but  to  function
stubs that will be generated by the IOHWAB. The service name, as well as the parameter
format is influenced by the configuration settings.
2014, Vector Informatik GmbH
Version: 3.00.02
18 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Caution
The following functions can be invoked concurrently by the RTE. As software on the
 lower layer may not support concurrency, the application should avoid parallel calls of
signal services.

5.3.1
Client/Server Operation:
IoHwAb_<CSPortPrototypeName>_<OperationName>
Prototype
Std_ReturnType IoHwAb_<CSPortPrototypeName>_<OperationName> ( <ConfiguredType>
<*><OperationArgumentName> )
Parameter
<OperationArgumentNa Configured operation parameter
me>
Return code
Std_ReturnType
ReturnType can be configured / defined in the configuration phase.
Functional Description
This service is the implementation of an operation contained in a configured Client/Server Port Prototype.
Particularities and Limitations
> This function is synchronous.
> This function is non-reentrant.
Expected Caller Context
> Expected to be called in application context (RTE)
Table 5-3 IoHwAb_<CSPortPrototypeName>_<OperationName>

2014, Vector Informatik GmbH
Version: 3.00.02
19 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Practical Procedure
A Client/Server Operation can be created by the following steps:
 > Create a Client/Server Interface by adding an instance of the configuration container
‘/MICROSAR/IoHwAb/IoHwAbCSPortInterface’
> Create the corresponding operations by adding instances of the configuration
container ‘/MICROSAR/IoHwAb/IoHwAbCSPortInterface/IoHwAbOperation’ and add
operation arguments (‘…/IoHwAbOperation/IoHwAbOperationArgument’)
> Create a Client/Server PortPrototype by adding an instance of the configuration
container ‘/MICROSAR/IoHwAb/IoHwAbCSPortPrototype’ and set the contained
parameter ‘IoHwAbCSPortInterfaceRef’ to the Port Interface created before

Edit
This function is a template that contains no implementation code. Add the
 implementation in the file ‘IoHwAb_30.c’. More Information about where to implement
your code can be found in 4.3.1.

5.3.2
Sender/Receiver Port Runnable:
IoHwAb_<SRPortPrototypeName>_<Read/Write>
Prototype
void IoHwAb_<SRPortPrototypeName>_<Read/Write> ( void )
Parameter
--
--
Return code
void
--
Functional Description
This service is the implementation of a port element contained in a configured Sender/Receiver Port
Prototype.
Particularities and Limitations
> This function is synchronous.
> This function is non-reentrant.
Expected Caller Context
> Expected to be called in application context (RTE)
Table 5-4 IoHwAb_<SRPortPrototypeName>_<Read/Write>

2014, Vector Informatik GmbH
Version: 3.00.02
20 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Practical Procedure
A Sender/Receiver port element can be created by the following steps:
 > Create a Sender/Receiver Interface by adding an instance of the configuration
container ‘/MICROSAR/IoHwAb/IoHwAbSRPortInterface’
> Create the corresponding port elements by adding instances of the configuration
container ‘/MICROSAR/IoHwAb/IoHwAbSRPortInterface/IoHwAbPortElement’
> Create a Sender/Receiver PortPrototype by adding an instance of the configuration
container ‘/MICROSAR/IoHwAb/IoHwAbSRPortPrototype’ and set the contained
parameter ‘IoHwAbSRPortInterfaceRef’ to the Port Interface created before

Edit
This function is a template that contains no implementation code. Add the
 implementation in the file ‘IoHwAb_30.c’. More Information about where to implement
your code can be found in 4.3.1.

5.3.3
Runnable Entity: IoHwAb_< RunnableName>
Prototype
void IoHwAb_<RunnableName> ( )
Parameter
--
--
Return code
void
--
Functional Description
This service is the implementation of a Runnable Entity.
Particularities and Limitations
> This function is synchronous.
> This function is non-reentrant.
2014, Vector Informatik GmbH
Version: 3.00.02
21 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
Expected Caller Context
> Expected to be called in application context (RTE)
Table 5-5 IoHwAb_<PortPrototypeName>_<Read/Write>

Practical Procedure
A Runnable Entity can be created by the following steps:
 > Create a Runnable Entity by adding an instance of the configuration container
‘/MICROSAR/IoHwAb/IoHwAbRunnable’ and configure the contained parameters.

Edit
This function is a template that contains no implementation code. Add the
 implementation in the file ‘IoHwAb_30.c’. More Information about where to implement
your code can be found in 4.3.1.

5.3.4
Schedulable Entity: IoHwAb_<SchedulableName>
Prototype
void IoHwAb_<SchedulableName> ( void )
Parameter
--
--
Return code
void
--
Functional Description
This function is the implementation of a BSW Schedulable Entity.
Particularities and Limitations
> This function is synchronous.
> This function is non-reentrant.
2014, Vector Informatik GmbH
Version: 3.00.02
22 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
Expected Caller Context
>  Expected to be called in application context (RTE)
Table 5-6   [Service name]

Practical Procedure
A BSW Schedulable Entity can be created by the following steps:
  Create a Schedulable Entity by adding an instance of the configuration container
‘/MICROSAR/IoHwAb/IoHwAbSchedulable’ and configure the contained parameters.

Edit
This function is a template that contains no implementation code. Add the
  implementation in the file ‘IoHwAb_30.c’. More Information about where to implement
your code can be found in 4.3.1.

5.4
Services used by IOHWAB
In  the  following  table  services  provided  by  other  components,  which  are  used  by  the
IOHWAB  are  listed.  For  details  about  prototype  and  functionality  refer  to  the
documentation of the providing component.
Component
API
DET
Det_ReportError (optional)
DIO
All (optional)
GPT
All (optional)
ICU
All (optional)
PORT
All (optional)
PWM
All (optional)
SPI
All (optional)
Table 5-7   Services used by the IOHWAB
5.5
Callback Functions
This release of the IOHWAB does not implement any callback functions. If necessary, the
user may implement prototypes of callback functions in the file IoHwAb_Cbk.h.

Note
It is not possible to pass an approaching callback function through the RTE to the
  software component. Actions for handling callbacks have to be implemented inside the
IOHWAB.

2014, Vector Informatik GmbH
Version: 3.00.02
23 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
5.6
Configurable Interfaces
5.6.1
Notifications
The I/O Hardware Abstraction does not provide Notifications.
5.7
Service Ports
5.7.1
Client Server Interface
A client server interface is related to a Provide Port at the server side and a Require Port
at client side.
5.7.1.1
Provide Ports on IOHWAB Side
All the Provide Ports of the IOHWAB the API functions described in 5.2 are available as
Runnable Entities. The Runnable Entities are invoked via Operations. The mapping from a
SWC client call to an Operation is performed by the RTE. In this mapping the RTE adds
Port Defined Argument Values to the client call of the SWC, if configured.
The following sub-chapters present the Provide Ports defined for the IOHWAB and the
Operations defined for the Provide Ports, the API functions related to the Operations and
the Port Defined Argument Values to be added by the RTE.

5.7.1.1.1
Provide Ports
Operation
API Function
Port Defined Argument Values
<IoHwAbOperation> IoHwAb_<IoHwAbCSPortPrototy <*><IoHwAbOperationArgume
pe>_<IoHwAbOperation>
nt>
Table 5-8 Provide Ports
5.7.1.2
Require Ports on IOHWAB Side
The I/O Hardware Abstraction does not provide any Require Ports.

2014, Vector Informatik GmbH
Version: 3.00.02
24 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
6  Configuration
In the IOHWAB the attributes can be configured with the following tools:
>  Configuration in DaVinci Configurator
>  Configuration in DaVinci Developer
6.1
Configuration Variants
The IOHWAB supports the configuration variants
>  VARIANT-PRE-COMPILE
The  configuration  classes  of  the  IOHWAB  parameters  depend  on  the  supported
configuration variants. For their definitions please see the IoHwAb_bswmd.arxml file.
6.2
Configuration Workflow
This  chapter  describes  the  workflow  that  is  necessary  to  integrate  the  I/O  Hardware
Abstraction into a MICROSAR system.
The I/O Hardware Abstraction is not a classic BSW module, as it has not only interfaces
with  other  BSW  modules,  but  an  interface  with  one  or  more  Application  Components
above  the  RTE.  For  this  reason,  the  IOHWAB  has to define a  way  to  communicate  with
Application Components through the RTE.
The  basic  concepts  for  such  interaction  are  described  in  [4].  This  chapter  gives  only  a
description of the technical realization in the MICROSAR tool chain.
The following diagram gives an overview of the interaction between the involved tools and
the user.

2014, Vector Informatik GmbH
Version: 3.00.02
25 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Figure 6-1 Configuration Workflow
For a successful integration of the I/O Hardware Abstraction into a MICROSAR system
please execute the following steps:
 Configure the ‘IoHwAb’ module in the DaVinci Configurator and save the
Configuration. The Software Component description of the I/O Hardware Abstraction is
generated automatically upon saving and can be found in the SIP folder (‘<SIP
Folder>\internal\<Application Folder>\Config\ServiceComponents’).
2014, Vector Informatik GmbH
Version: 3.00.02
26 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
  Open the DaVinci Developer project or create a new one and import the I/O Hardware
Abstraction’s SWC file as follows:

Figure 6-2  SWC import select file
  Select the SWC file and start the import. After the import is finished, the module with
all configured ports, interfaces and data types should be present in your project:
2014, Vector Informatik GmbH
Version: 3.00.02
27 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Figure 6-3  Imported Software Component
  Create a new application software component and create the counterparts of the ports
that are provided/required by the I/O Hardware Abstraction component type.

Caution
Do not connect the SWC ports in the DaVinci Developer, because no more
  configuration of the RTE inside DaVinci Configurator would be possible, then.

2014, Vector Informatik GmbH
Version: 3.00.02
28 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Figure 6-4  I/O Hardware and Application Software Component
  Save and close the DaVinci Developer project.
  Switch back to the DaVinci Configurator and configure the RTE module by using the
‘Runtime System’ domain editor.
  First, create the Software Components of I/O Hardware Abstraction and Application
inside the RTE by using the ‘ECU Software Components Editor’
2014, Vector Informatik GmbH
Version: 3.00.02
29 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB

Figure 6-5
  Go to ‘Application Components’ container and add two Software Components, the
‘IoHwAb’ and the Software Component(s) created in the DaVinci Developer.

Caution
The I/O Hardware Abstraction SWC description exists twice in this selection. Please
  use the SWC description with the path
‘/MICROSAR_SWCS_DEV/IoHwAb_swc/ComponentTypes/IoHwAb’. This is the SWC
description created by the DaVinci Developer. Otherwise, all modifications to the
Software Component that have been done in the DaVinci Developer would not be
adapted.

  The next step is connecting the ports of the components with the ‘Add Component
Connection’ editor. Start the editor and select I/O Hardware Abstraction and
2014, Vector Informatik GmbH
Version: 3.00.02
30 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
Application Software Component and map the ports as needed. If the ports of the both
components can be connected 1:1, the ‘Automatic Mapping’ can be used.
  Last, the Runnable Entities of both components have to mapped to OS Tasks. This
can be done by using the ‘Add Task Mapping’ editor.
  Validate and generate the configuration.

Caution
If you have to change the configuration of the I/O Hardware Abstraction after the SWC
  has been imported into the DaVinci Developer workspace, the SWC has to be imported
again, every time it is changed, because the DaVinci Developer will not adapt the
changes automatically.

Caution
If you have to change the DaVinci Developer project after the Software Components
  have been created in the RTE configuration, the DaVinci Configurator project has to be
closed and re-opened and the Application Components in the ‘ECU Software
Components’ editor have to be removed and re-added, because the DaVinci
Configurator will not adapt the changes automatically.

2014, Vector Informatik GmbH
Version: 3.00.02
31 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
7  Glossary and Abbreviations
7.1
Glossary
Term
Description
DaVinci Configurator  Configuration tool for MICROSAR components
User Block
Especially marked, user editable code section within a generated C-
Source file – these code sections are not overwritten when the module
configuration is being re-generated
Table 7-1   Glossary

7.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECU
Electronic Control Unit
HIS
Hersteller Initiative Software
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
PPORT
Provide Port
RPORT
Require Port
RTE
Runtime Environment
SRS
Software Requirement Specification
SWC
Software Component
SWS
Software Specification
Table 7-2   Abbreviations

2014, Vector Informatik GmbH
Version: 3.00.02
32 / 33
based on template version 5.6.0

Technical Reference MICROSAR IOHWAB
8  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2014, Vector Informatik GmbH
Version: 3.00.02
33 / 33
based on template version 5.6.0

13 - Interaction Layer

Interaction Layer

Component Documentation

13.1 - Il Integration Manual

Integration Manual

For

Il

VERSION: 1

DATE: 02/02/17

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA

Location: The official version of this document is stored in the Nexteer Configuration Management System.

Revision History

Sl. No.	Description	Author	Version	Date
1	Initial version	Lucas Wendling	1.0	02/02/17

Table of Contents

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

Configuration REQUIREMeNTS

The Il component is provided with a template file for configuration of the module. This template file should be copied into the project for inclusion in the build after adapting the template for the needs of the project. Additionally, the leading underscore should be removed from this file. This file can be found in the “tools/template/” folder of this component. For details on how to adapt, third party documentation found in this component can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	Notes

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger

Runnable	Scheduling Requirements	Trigger

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

13.2 - Il Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Il

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Il_Vector_GMLAN3.1_05.11.00_01.02.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#9536

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

02/03/17

Lead Peer Reviewer:

Rijvi

Approved by Reviewer(s):

Yes

Other Reviewer(s):

13.3 - TechnicalReference_GENy_InteractionLayer

YourTopic

13.4 - TechnicalReference_GENy_InteractionLayer_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115

13.5 - TechnicalReference_GENy_InteractionLayers

Vector Interaction Layer
Technical Reference

Il_Vector
Version 2.10.03

Authors
Klaus Emmert, Gunnar Meiss, Heiko Hübler
Status
Released

Technical Reference Vector Interaction Layer

1 Document Information
1.1
History
Author
Date
Version Remarks
P. Jost
2000-05-05 1.0
creation
P. Jost
2000-06-29 1.1
some corrections
P. Jost
2000-07-13 1.2
changes in Figure 4 and some further corrections
P. Jost
2000-08-06 1.3
correction of the First-Value Class
P. Jost
2000-09-13 1.4
little corrections in the description of the TxTask and IlInit
P. Jost
2001-03-01 1.5
message related transmission modes
example for timeout monitoring
multi channel support
known problems
integration example
P. Jost
2001-06-22 1.6
some names of attributes changed
DataChanged flag
Tx timeout monitoring
Rx and Tx default values
new screen shots of the current Gentool
changes in the state machine
and further little corrections
S. Hoffmann
2001-07-05 1.61
some corrections and branch for an OEM
P. Jost
2001-07-13 1.62
adapted the corrections of version 1.61 for general IL
P. Jost
2002-04-05 1.63
Signal groups
Multiple physical and virtual ECU support
Multiplex Signals
Rx timeout monitoring: reload of timer and message
related notification
Notification in interrupt and task context (IL Polling)
IL<Tx/Rx>StateTask
Attributes for Rx timeout monitoring updated
Configuration Tool pictures updated
P. Jost
2002-08-16 1.7
Name of this document changed from User Manual to
Technical Reference
Multiple Indication Flags per Signal
Macro to Get and Clear at once
Chapter for Configuration Tool updated
”New Style” API
Data Type Prefix for Signal Access
Further Callbacks for State Machine
Initialization – IlInitPowerOn
ECU Timeout
H. Hörner
2003-06-16 1.8
Several wording and spelling issues corrected
List of abbreviations and glossary removed, replaced by
an own document
Implementation details moved to an Annex
2013, Vector Informatik GmbH
Version: 2.10.03
2 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

K. Emmert
2003-09-02 1.9
Some design and link modifications.
H. Hörner
2004-05-14 2.0
Add usage of VStdLib
Documented return value of flag get macros
Difference between GenMsgDelayTime and
GenMsgStartDelayTime clarified
Some clarifications about signal groups
Wording enhanced for multiplexed signals
Klaus Emmert 2005-06-10 2.01
Added support for GENy
Gunnar Meiss
Added new feature dynamic timeout handling
Added raw API for multiplex signals
Reworked dbc attributes chapter
Added matrix with transmission modes
Gunnar Meiss 2005-08-02 2.02
Adapted GenMsgFastOnStart

Added GENy Multiplex Support
Klaus Emmert 2005-11-04 2.03
Added AUTOSAR API for GENy, configuration and signal
Gunnar Meiss
access.
Added GenMsgFastOnStart for multiplex messages in
GENy
Added ESCAN00014120 CANGen
Added ESCAN00008602 CANGen
Added ESCAN00008604 CANGen
Reworked ESCAN00010718
Gunnar Meiss 2006-02-16 2.04
Added GENy Multiple ECU Reference
Added ESCAN00013633
DynRxTimeout API postfix and data types have changed.
Klaus Emmert 2006-03-13 2.05
Signal Groups for GENy
Gunnar Meiss 2006-04-06 2.06
Added Indexed API discontinuation for GENy.
Corrected ApplIlFatalError Prototype
Improved GenSigTimeoutMsg_<ECU>
Corrected GenSigSendType description
Removed GenSigTimeoutMsg_<ECU> for GENy
Gunnar Meiss 2007-05-16 2.07
Opaque Data Types ESCAN00016935 GENy
Improved documentation of call contexts of API functions
ESCAN00017472, ESCAN00018014, ESCAN00014156,
ESCAN00013962, ESCAN00013423, ESCAN00008047,
ESCAN00008755
Gunnar Meiss 2007-12-17 2.08
Added GenSigSuprvResp, GenSigSuprvRespSubValue
and GenSigTimeoutMsg_<ECU> for GENy
Updated API descriptions
Updated GenMsgStartDelayTime
Updated GenMsgIlSupport
ESCAN00024092
Gunnar Meiss 2008-04-21 2.08.01 ESCAN00024091
Gunnar Meiss 2008-07-17 2.09.00 Reworked Document Structure
ESCAN00024902 Added Node Mapped dbc Attributes
2013, Vector Informatik GmbH
Version: 2.10.03
3 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Updated Abbreviations and Glossary with CIWI
ESCAN00028781 Added IlTxRepetitionsAreActive and
IlTxSignalsAreActive
ESCAN00028787 Reset Timeout Flags On Release
Added Geny attribute descriptions
ESCAN00023799 Added Limitation
ESCAN00025371 Updated Dynamic Timeout Monitoring
ESCAN00029109 Added Documentation of Generated
APIs
Gunnar Meiss  2008-10-17  2.09.01  ESCAN00030172 The description of IlRxWait()
is ‎incorrect
Gunnar Meiss  2011-05-19  2.09.02  ESCAN00049272 OnChangeAndIfActive and
OnChangeAndIfActiveWithRepetition is described
incorrect in Table  3-6 "Send Type Matrix"
ESCAN00049615 Incorrect Enumeration Values of the
dbc attribute "ILUsed"
ESCAN00048272 Incorrect Timing Diagram of the
Transmit Fast if Signal Active Transmission Mode
Heiko Hübler  2012-03-13  2.10.00  Added Signal status information (UpdateBits)
Heiko Hübler  2012-05-14  2.10.00  Added description for the GENy GUI attribute “timeout
time”
Heiko Hübler  2012-09-13  2.10.01  Added description for PreConfig Switch “Enable
UpdateBit Support”
Changed “Send on Init” description
Heiko Hübler  2012-11-07  2.10.02  ESCAN00041782: One 'e' too much in Technical
Reference
ESCAN00062898: Adapted description of Delimitation of
the Bus Load
Heiko Hübler  2013-05-13  2.10.03  ESCAN00052197: The OnChange Event is triggered if
the value for IlPut changes out of the range
Table 1-1   History of the Document

2013, Vector Informatik GmbH
Version: 2.10.03
4 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

1.2
Reference Documents
No.
Source
Title
Version
[1]
Vector
Vector CAN driver. Technical Reference

[2]
Vector
Vector Multiple ECUs. Technical Reference
1.00.00
[3]
Vector
Vector Configuration Tool. Online Documentation.

(no printed manual available)
[4]
OSEK
OSEK/COM, Version 3.0.3
3.00.03
[5]

Z.120 (1996). Message Sequence Chart (MSC).
April.1996
ITU-T, Geneva
[6]
Vector
Interaction Layer User Manual

[7]
AUTOSAR  AUTOSAR Specification of Module COM 2.0.0
2.00.00
[8]
AUTOSAR  AUTOSAR Specification of Module COM 3.1.0
3.1.0
Table 1-2   Reference Documents
Please note
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2013, Vector Informatik GmbH
Version: 2.10.03
5 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

2  Introduction
Nowadays cars are growing to become more and more complex systems. The functionality
of a modern car is not dominated by mechanical components anymore. Electrical Control
Units (ECU), sensors and actors became irreplaceable parts of a car. They are responsible
for  the  reasonable  functions  of  the  power  train,  the  chassis  and  the  body  of  a  car.  An
example for some ECUs is shown in Figure 2-1  Example  for  Some  ECU’s  in  a  Modern
Vehicle.
In  many  ways  the  functionality  of  an  ECU  in  a  car  depends  on  information  provided  by
other ECUs. For example the ECU of the dashboard needs the number of revolutions per
time  of  the  wheels  to  display  the  car’s  speed.  As  a  result  communication  between  the
ECUs is a significant component of a modern vehicle.
The  communication  between  ECUs  should  essentially  remain  encapsulated.  The
application working on an ECU should not need to know how to transmit or receive data
from other ECUs. Therefore Vector Informatik GmbH provides a set of components for the
communication of ECUs by the CAN bus.
uc Ecu Use Cases
dashboard
seat
air conditioning
engine  control
central locking
w heel pr essure
light c ontrol
door
control

Figure 2-1
Example for Some ECU’s in a Modern Vehicle
These communication components are called CANbedded. They relieve the application of
its  communication  assignment  including  the  exchange  of  simple  data,  diagnostic  data,
2013, Vector Informatik GmbH
Version: 2.10.03
11 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

network  management  data,  calibration  data  and  more. This  document  is  concerned  with
the data exchange via an Interaction Layer.
The Vector Interaction Layer hides all the communication related parameters and physical
values from the application to ease the workload of the application. In case of transmission
the  application  just  needs  to  pass  data  to  be  transmitted  to  the  Interaction  Layer.  The
Interaction Layer decides when to transmit the data. Because the transmission depends of
the chosen Transmission Mode which defines for example a periodic or an event triggered
transmission  of  data.  The  other  way  round,  in  case  of  reception  of  data  the  Interaction
Layer will notify the application about the arrival of data. Then the application could decide
whether to read the updated data.
In any case the application does not need to know how the data is transmitted or received
by the lower communication layers. It follows that the data structures of the application will
be  independent  of  the  communication  data  structures  (e.g.  bus  frames).  The  result  is  a
higher reusability of the application software.
To  control  the  Interaction  Layer  by  the  means  of  starting,  suspending  or  deactivating  a
further API is provided. It is intended to be used for example by the Network Management.
By  this API  it  is  possible  to  realize  some  CAN  related  modes  like  Sleep  Mode,  Bus-off
Mode or Low-Voltage-Mode.

This manual is divided into three main chapters. The Overview introduces the features and
concepts  of  the  Interaction  Layer.  Next,  the  Functional  Description  explains  the  state
machine, the communication flow, the data access and the transmission and reception of
data.  Technical  Description,  the  last  of  the  main  chapters  concerns  with  details  of  code
generation, the API of the Interaction Layer and the usage or the Interaction Layer with or
without an operating system.
2.1
Architecture Overview
The  implementation  of  the  Interaction  Layer  is  intended  to  relieve  the  application  of
communication tasks. The Interaction Layer is one of the communications components of
CANbedded offered by Vector Informatik GmbH. In Figure 2-2  Layer  model  of  the  Vector
CAN  communication  components  CANbedded  it  is  shown  how  the  Interaction  Layer  is
embedded in the CANbedded protocol stack.
The communication software user has to be supplied with suitable access mechanisms to
permit the adaptation of the ECU's behaviour to the network. Furthermore, the application
needs  mechanisms  which  permit  a  structured  access  to  the  data  of  the  network.  Such
mechanisms are provided by the Interaction Layer of Vector Informatik GmbH and will be
described in  this manual. The Interaction Layer is responsible for separation of the Data
Link  Layer  dependent  low-level  driver  (CAN  driver)  and  the  application  task  which  is
independent of the underlying bus system.
2013, Vector Informatik GmbH
Version: 2.10.03
12 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Figure 2-2
Layer model of the Vector CAN communication components CANbedded
The  CAN  Driver  provides  a  mostly  hardware  independent  interface  to  the  higher
communication layers. This enables the hardware independent implementation of the latter
components and the target platform independent reuse of them.
2.2
Data Access Concept
The CAN bus uses messages to transmit user data. A message is 0 to 8 bytes long. The
user information often does not match exactly 1, 2, 3 ... or 8 bytes. For example to transmit
the state of a switch only 1 bit will be needed. This single bit has to be send in a 1 byte
CAN  frame.  The  7  remaining  bits  will  be  left  blank.  To  prevent  such  an  overhead  the
remaining bits could be used to transmit other short user information. The user information
combined to a message is called signals. Figure 2-3 Signal-oriented  Access
to
Data
provided by the Interaction Layer shows the combination of signals in the transmit section
2013, Vector Informatik GmbH
Version: 2.10.03
13 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

and  the  splitting  of  messages  in  the  receive  section  of  the  Interaction  Layer.  This
mechanism, of cause, also lowers the bus load and raises the efficiency of data exchange.
The  key  aspect  of  the  Interaction  Layer  is  the  transmission  and  the  reception  of  data.
Therefore  the  Interaction  Layer  provides  a  signal  oriented  data  interface  called  Signal
Interface. The Signal Interface offers an API to write and read data. If data was written by
the application, the Signal Interface decides depending on the Transmission Mode whether
to transmit the data. The Signal Interface is located on the top of the Message Manager
which is responsible for the transmission and reception of messages. By these options the
application will be relieved of this area of responsibility.
Application
Write data
Read data
Signal Interface
Signal Interface
Interaction Layer
Transmit Message
Receive Message
CAN Driver

Figure 2-3
Signal-oriented Access to Data provided by the Interaction Layer
To transmit a signal the application just needs to write it to the Interaction Layer by calling
ILPut. The Interaction Layer will decide what to do with the updated data. The decision
depends on the chosen Transmission Mode and the delay timer. More information about
Transmission  Modes  and  delay  timer  could  be  found  in  chapter  3.7  Data  Transmission.
However,  the  application  does  not  need  to  care  about  any  further  steps.  The  Vector
Interaction Layer results in a supplementary support for the application.
For data exchange the Interaction Layer and the Data Link Layer need to copy the data
several times. For example in case of reading a signal by the application the data has to
be  copied  to  the  application’s  memory.  But  the  reception  of  messages  is  handled  by  an
interrupt  which  could  intermit the  copying  of  data.  In  case of  reception,  for  example,  the
data has to be copied from the receive buffer of the CAN interface to the memory of the
ECU by the interrupt handler. However, the Interaction Layer guarantees the consistency
of  any  transmitted  or  received  data  and  relieves  the  application  of  this  area  of
responsibility,  too.  A  further  description  of  this  problem  will  follow  in  chapter  3.6.1  Data
Consistency.
2013, Vector Informatik GmbH
Version: 2.10.03
14 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

2.3
Adapt the Vector Interaction Layer
To allow  the  application  to  access  data  in  a  signal-oriented manner,  the  Signal  Interface
provides macros and functions. The macro and function names are derived directly from
the  signal  short  names  in  the  network  database  (also  known  as  data  dictionary  or
communication  database).  The  signal  names  have  prefixes  and  suffixes  which  can  be
defined by the user.
CANdela
Network
Database
Database
Application
Configuration Tool
Specific
Data
Generation
Configuration
Signal
Interface
Header
Includes
CANbedded
CANdesc
Software
Application
Parameters
Source
Components
Compiler, Linker
Executable

Figure 2-4
Usage of the network database to generate parts of the Interaction Layer
These functions and macros will be generated by the Configuration Tool using the network
database  related  to  a  project.  For  this  purpose,  the  car  manufacturer  makes  the  latest
version of the network database available to all suppliers. Each ECU producer receives -
in  addition  to  the  network  component  implementation  for  "her/his"  processor  -  the
Configuration  Tool  by  which  the  supplier  generates  the  parts  of  the  communication
components that are relevant to the particular ECU.
All application specific data which are made available by the supplier is saved in a
separate file to preserve this information in the case of a network database update. The
Configuration Tool checks for consistency of application specific data and the network
database.
Figure 2-4
Usage  of  the  network  database  to  generate  parts  of  the  Interaction  Layer
shows the usage of the Configuration Tool.
2013, Vector Informatik GmbH
Version: 2.10.03
15 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

If  the  communication  components  use  more  than  one  CAN-channel,  the  macros  and
functions  have  to  be  generated  for  each  CAN-channel  with  the  corresponding  network
database.  In  the  Configuration  Tool,  a  channel-index  must  be  chosen  that  indicates  on
which CAN-channel the data dictionary is used.
Syntactically,  data  is  always  accessed  by  a  function.  Nevertheless,  this  might  actually
involve a macro. Whether there is a function call or a macro for direct access to the data
buffer  underlying  the  command  will  depend  on  the  signal's  data  type.  This  will  make  it
possible  to  change  the  implementation  between  functions  and  macros  without  having  to
change the syntax in the source code of the application. The use of macros is preferable
with  regard  to  run  time.  However,  if  two  or  more  bytes  have  to  be  read  for  the  signal
access a function has to be used. This would allow including synchronization mechanisms
(see  section  3.6.1)  for  the  data  access  within  these  functions.  For  reasons  of  efficiency,
values with more than 32 bits are passed by data pointers, i.e. if the function is called the
application  passes  a  pointer  to  a  memory  location  where  the  function  stores  the  signal
value. The application is responsible for providing sufficient  memory space.  If  a signal is
entered  in  the  network  database,  e.g.  as  a  34  bit  signal,  the  application  must  pass  a
pointer  to  a  memory  area  with  5  bytes.  When  signals  are  transmitted  compressed  in  a
message,  i.e.  they  only  use  a  few  bits  within  a  byte,  the  Signal  Interface  expands
appropriately  for  reading  by  the  application  and  compresses  appropriately  for  writing  by
the  application.  For  example,  reading  of  compressed  signals  take  up  1  to  7  bits,  the
signals  are  mapped  to  one  byte  each  for  the  application.  Internally  the  Signal  Interface
continues to store these data in its memory in compressed form.

2013, Vector Informatik GmbH
Version: 2.10.03
16 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3  Functional Description
3.1
Features
The  interface  is  divided  into  different  communication  layers.  The  Interaction  Layer
including  the  Signal  Interface  and  the  Message  Manager  put  on  the  Data  Link  Layer
represented  by  the  Vector  CAN  driver.  These  layers,  as  described  in  chapter  2.1
Architecture Overview, are responsible for a number of tasks listed below.

The following features are supported:
Supported Feature
Receive Messages:
Provide signal-oriented access to data which arrived over the CAN bus.
Notify the application on signal level, if a message has arrived (indication).
Monitors receive messages to determine whether they arrive periodically (timeout monitoring).
Use default values in case of timeout or when the reception was stopped.
Transmit Messages:
Provide signal-oriented access to data to be sent over the CAN bus.
Provide different Transmission Modes to offer the application various mechanisms to transmit
data.
Notify the application on signal level, if a message was transmitted (confirmation).
Monitor transmit messages to determine whether they had been actually transmitted (timeout
monitoring).
Always keep a delay time between send requests of a message. This should delimit the bus
load.
Use default values in case of timeout or when the transmission was stopped.
Table 3-1
Supported features
3.2
Initialization
If  the  CCL  is  not  used  in  the  software  stack,  the  application  has  to  initialize  the
components.
Example
Here is an example, if the initialization has to be implemented by the application.

/* Disable interrupts during the initialization of the
Components */
DisableInterrupts();

/* Initialize all components */
CanInitPowerOn();
IlInitPowerOn();
TpInitPowerOn();
2013, Vector Informatik GmbH
Version: 2.10.03
17 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

DiagInit();

/* Enable interrupts */
EnableInterrupts();
3.3
Interaction Layer State Machine
An ECU can be in several states. These are normal-operation, sleep mode, bus-off mode
and  others.  In  different  states  the  communication  components  have  to  meet  different
requirements.  Therefore  a  state  machine  is  defined  for  the  Interaction  Layer  which
consists of the states uninit, running, waiting and suspended (See in Figure 3-2  State
Machine of the Interaction Layer). The state machine is  instantiated  per channel and for
each communication direction (See in Figure 3-1  Rx and Tx State Machines).

Figure 3-1
Rx and Tx State Machines
stm State Machine
Running
Wait
Rele ase
Start
St op
Waiting
Suspe nded
St op
IlIn it,
IlInitP owerOn

Figure 3-2
State Machine of the Interaction Layer
2013, Vector Informatik GmbH
Version: 2.10.03
18 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.3.1
States
3.3.1.1
Uninit
After  power-on  the  Interaction  Layer  will  be  in  the  uninit-state.  Initializing  the  Interaction
Layer will lead to a state transition to the state suspended.
3.3.1.2
Running
The running state is used for normal operation.
  Receive Section
Reception of data is enabled as well as timeout monitoring and notification.
  Transmit Section
Transmission of data is enabled. Signal Interface and Message Manager are working.
The notification and the timeout monitoring are activated.
3.3.1.3
Waiting
This state was designed for example to support bus-off mode or low-voltage mode.
  Receive Section
Reception of data is enabled as well as the notification for indication. The timeout
monitoring will be turned off to prevent timeout detection of messages from an ECU
which is in bus-off mode and does not transmit data.
  Transmit Section
Transmission of data and the timeout monitoring will be disabled and the API will keep
on working. So the application could request the transmission of data, but the
Interaction Layer won’t follow immediately. The transmit requests will be stored and
executed, when the state transits to Running. Transmission bursts are avoided if
GenMsgStartDelay timings are defined, if this state is used in the bus-off mode.
3.3.2
State Transitions
The transitions of the state machine are divided into transmit and receive sections of the
Interaction Layer and will usually be initiated by the Network Management. The application
does not need to get involved here.
3.3.2.1
Init
The  component  variables  are  initialized.  There  is  an  option  for  initializing  the  transmit
buffer and/or the receive buffer with default values. If no default value was configured, the
buffers will be initialized with 0. The content of the default values is defined at compile time
within the Configuration Tool. The flags will all be reset. If configured in the Configuration
Tool, the application will be notified by invoking signal related callback functions.
3.3.2.2
Start
The receive section and the transmit section respectively are started within this transition.
Communication
Description
Section
Receive Section
>  The flags used for notification will be reset. These are in particular: the
first value flag, the data changed flag, the indication flag and the Rx
timeout flag.
>  Timeout monitoring will be started by a reload of the timers.
>  The values of the messages will be set to their default values, if defined at
2013, Vector Informatik GmbH
Version: 2.10.03
19 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Communication
Description
Section
compile time.
>  If configured in the Configuration Tool, the application will be notified by
invoking ApplIlRxStart() and/or signal related callback functions.
Transmit Section
>  The flags used for notification will be reset. These are in particular: the

confirmation flag and the Tx timeout flag.
>  The timers used for cycle times (e.g. for Send Periodic) will be initialized
and started after the start delay time.
>  Timeout monitoring will be enabled by a reset of the timers.
>  The values of the signals will be set to their default values, if defined at
compile time.
>  If configured in the Configuration Tool, the application will be notified by
invoking ApplIlTxStart() and/or signal related callback functions.
Table 3-2
Start transition events
3.3.2.3
Stop
The  reception  and  the  transmission  of  messages  respectively  are  stopped  within  this
transition.
Communication
Description
Section
Receive Section
>  The flags used for notification won’t be changed.
>  The timer used for timeout monitoring will be stopped.
>  If configured, the values of the signals will be set to their default values.
Otherwise they won’t be changed.
>  If configured in the Configuration Tool, the application will be notified by
invoking ApplIlRxStop() and/or signal related callback functions.
Transmit Section
>  The flags used for notification won’t be changed.

>  If configured, the values of the messages will be set to their default
values. Otherwise they won’t be changed.
>  Transmission and timeout monitoring will be stopped.
>  If configured in the Configuration Tool, the application will be notified by
invoking ApplIlTxStop() and/or signal related callback functions.
Table 3-3
Stop transition events
3.3.2.4
Wait
The  receive  section  and  the  transmit  section  respectively  are  deactivated  within  this
transition.
Communication
Description
Section
Receive Section
>  Timeout monitoring will be stopped.
Transmit Section
>  The flags used for notification won’t be changed.

>  The values of the messages won’t be changed but could be updated by
the application.
>  Transmission and timeout monitoring will be stopped.
>  Requests for direct transmissions are stored in the waiting state. The
2013, Vector Informatik GmbH
Version: 2.10.03
20 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Communication
Description
Section
related messages are transmitted after leaving the waiting state (release).
Table 3-4
Wait transition events
3.3.2.5
Release
The  receive  section  respectively  the  transmit  section  are  activated  again  within  this
transition.
Communication
Description
Section
Receive Section
>  The timeout monitoring will be restarted by reloading the timers.
>  The timeout flags are cleared, if configured (only GENy).
Transmit Section
>  The timers used for cycle times and timeout monitoring will be continued.

The values won’t be changed to avoid interference between periodic
transmitted messages on the bus (bursts). Pending requests for direct
transmissions are performed. This can lead to a burst of messages after
leaving the waiting state.
Table 3-5
Release transition events
3.4
Main Functions
The Interaction Layer provides two functions (IlRxTask and IlTxTask) that have to be called
cyclically as configured in GENy by the Application, OS or CCL.
2013, Vector Informatik GmbH
Version: 2.10.03
21 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Figure 3-3  Call of the Interaction Layer cyclic function
Example
Here is an example, if the task calls have to be implemented by the application.

for(;;)
{
  /* periodic call of IlRxTask() and IlTxTask() */
  if (flag_10ms)
  {
  IlRxTask();
    IlTxTask();
   flag_10ms = 0;  /* clear flag which was set by a timer
*/
  }
}

2013, Vector Informatik GmbH
Version: 2.10.03
22 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.5
Interaction Layer Communication Concept
3.5.1
Interface Concept
The  Interaction  Layer  as  placed  in  the  layer  model  has  got  two  interfaces  -  one  to  the
upper layer represented by the application and one to the layer below, the Data Link Layer.
The receipt and the transmission of data is the main task of the Interaction Layer. To fulfil
both of these tasks the Interaction Layer represented by its interfaces need to interact in
different  ways  with  its  communication  partners.  Therefore  different  techniques  like
functions, interrupts and periodic tasks are used.
To enable the transmission of data for the application, functions and macros are provided
by the Interaction Layer. The application could call these functions and macros whenever it
needs  to.  The  Interaction  Layer  usually  copies  the  data  to  be  transmitted  to  its  local
memory,  sets  a  transmit  request  and  leaves  the  processor  to  the  application.  The  data
actually will be transmitted later by a periodic task. This task checks at a defined period of
time for transmit requests and executes them by calling the Data Link Layer.  However, the
application  does  not  need  to  know  anything  about  the  process  of  transmission.  It  just
needs to call the function respectively macro related to a signal to start the transmission
process.  A  detailed  description  of  this  proceeding  is  given  in  chapter  3.7  Data
Transmission.
The  received  data  has  to  be  treated  immediately  when  arrived.  This  will  be  done  by  a
receive  interrupt.  Inside  the  interrupt  handler  only  the  time  critical  work  is  done.  The
remaining  not  time  critical  work  will  be  done  by  a  periodic  task  which  for  example  is
responsible for the notification of the application. To get the signal values the application
has to poll these values by calling functions respectively macros related to the signals. To
decide  whether  to  get  new  data  the  application  will  be  notified  about  the  arrival  of  new
data. The reception is described more detailed in chapter 3.8 Data Reception.
3.5.2
Notification Mechanisms
Two  mechanisms  are  provided  for  the  notification  of  the  application.  These  are:  flag-
interface and function-interface.
If  the  flag  interface  is  used,  the  application  has  to  poll  the  flags  which  were  set  by  the
Interaction  Layer.  To  maintain  as  much  separation  as  possible  between  a  message  and
the signals of a message each signal can have its own flags or functions. Parameterization
for  this  is  performed  in  the  Configuration  Tool.  Flag  access  is  done  by  C  macros.  The
macro name is comprised of the signal name and a postfix.
If the function interface is used, the application has to provide callback functions which are
called  by  the  Interaction  Layer.  The  function  name  comprises  the  signal  name  and  its
indication-function’s pre- and postfixes.
3.6
Data Access
3.6.1
Data Consistency
Since the Data Link Layer operates interrupt-driven, the read and write access to CAN
data can be interrupted by a write or read request of the Data Link Layer. Under some
circumstances this can lead to incorrect data if the data access in the Interaction Layer
involves multiple bytes.
Figure 3-4  Synchronization Problem of Data Access describes a write operation of two
bytes performed by the application. After the first byte is read (r 0x01) from the memory the
2013, Vector Informatik GmbH
Version: 2.10.03
23 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

read operation was interrupted by the write operation (w 0xAB and w 0xFF) of the IRQ of a
receive message. However, the application continues reading the second byte (r 0xAB)
after the interrupt routine finished. This causes an inconsistency of data read by the
application. The same problem could occur during any access to shared memory.
Interrupted Read Operation
read operation interrupted
0xAB 0x01
Application
R
R
0
0
x
x
0
A
1
In
B
0x02 0x01
te
0x02 0xFF
0xAB 0xFF
R
Signal memory
rr
T
u
W
W
I
low byte
p
high byte
2 byte value
t
0
0
x
x
F
A
F
B
Interaction Layer
m
e
s
s
a
g
e
0xAB 0xFF
Data Link Layer

Figure 3-4
Synchronization Problem of Data Access
To  prevent  this,  synchronization  mechanisms  were  inserted  for  read/write  into  the
Interaction  Layer.  Accesses  on  signals  which  do  not  need  any  synchronization  (e.g.  bit
signals) could be executed as macros. The access to other signals must be routed through
functions, because suitable synchronization mechanisms can be inserted there. The signal
functions  are  generated  by  the  Configuration  Tool,  where  suitable  synchronization
mechanisms are included.
The choice of the synchronization method depends on the particular processor type and
will be made by the Configuration Tool. One possibility for example is to disable interrupts
while reading or writing data. So the interrupts can’t disturb the access mechanism.
3.6.2
Signal Interface
The Signal Interface provides functions/macros for read access and writes access to the
shared CAN data memory. Each signal has its own function/macro whose argument is the
signal  value  or  a  data  pointer.  The  function  name  comprises  the  signal  name  from  the
network database and suitable application-specific prefixes and suffixes. The data access
functions can be implemented as macros or as actual functions as receive functions can
be. The two variants do not differ syntactically. The implementation reserves the option of
implementing signal access as a macro or as a function.
For read access to the transmit buffer and write access to the receive buffer, respectively,
macros  are  provided.  E.g.  the  usual  operation  on  a  receive  signal  is  reading  new  data.
2013, Vector Informatik GmbH
Version: 2.10.03
24 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Therefore, a function or a macro will be provided. Additionally a macro for write access to
this receive signal can be configured. By default these macros are switched off, but can be
configured by the Configuration Tool. If not needed, we recommend not switch the macros
on, because of the resources functions need.
Depending on the size of the signal, the type of argument for data access can differ. If the
signal length is lower than or equal to 8 bit, the signal argument is treated as a vuint8 (8-bit
unsigned char). Signals, which are between 9 bit and 16 bit are treated as vuint16 (16-bit
unsigned short) values. If the signal size is between 17 bit and 32 bit a vuint32 (unsigned
long) will be used as signal argument. For signals greater than 32 bit, the function requests
a  pointer  to  the  source  data  buffer.  I.e.  the Application  has  to  pass  a  data  pointer  to  a
memory area of sufficient size.
3.6.3
AUTOSAR Signal Interface
The Vector Interaction Layer can be configured to support the signal access as defined in
the AUTOSAR COM specification Version 2.0 [8].
The signal access is realized by using one function for write access and one function for
read access. The signal that has to be written or read is given as parameter, as well as the
value for a  write  access.   The  signal that  is  read  is  stored  to  the location  given  with  the
second  parameter.  See  in  the  API  below  and  the  examples  in  chapter  3.6.4  Example:
Writing and reading a signal value.
Example
A signal is written using
  Com_ReturnType Com_SendSignal (Com_SignalIdType SignalId,
Com_ApplicationDataRefType SignalDataPtr);
A signal is read using
Com_ReturnType Com_ReceiveSignal(Com_SignalIdType SignalId,
Com_ApplicationDataRefType SignalDataPtr);

The  AUTOSAR  signal  access  is  implementation  via  efficient  macros.  Due  to  this,  the
SignalId is the unique name of the signal as displayed by GENy and not an own data type
as  specified  by  [8].  The  SignalDataPtr  is  a  vuint8  pointer  to  the  location  where  the
received signal should be written to.
Please note

  Signals defined in the dbc file can be accessed.
  No local communication is supported.
  The return value is always E_OK.
  Restrictions of the standard API are inherited.
  Opaque Data types are mapped to unit data types according to the following list:
Bit length 1..8      -> vuint8
Bit length 9..16   -> vuint16
Bit length 17..32  -> vuint32
.
2013, Vector Informatik GmbH
Version: 2.10.03
25 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.6.4
Example: Writing and reading a signal value
The database contains the signals "EngineSpeed" (36 bit), "InteriorLight" (1 bit signal),
"NewTemperature" (36 bit), “NewWindowPos” (16bit) and “EngineRPM” (30bit). The user
configures the prefixes "ILPut" and “ILGet” and the suffix "_Sig”. By this configuration the
Configuration Tool derives the functions shown below.

/* Application makes memory space available */
/* -------------------------------------------------- */
unsigned char EngineSpeed [5];
unsigned char InteriorLight;
unsigned char NewTemperature [5];
unsigned short NewWindowPos;
unsigned long EngineRPM;

/* Receive and transmit signals */
/* --------------------------------------------------- */
ILGetRxEngineSpeed_Sig( &EngineSpeed ); /* Signal value > 32 Bit
*/
InteriorLight = ILGetRxInteriorLight_Sig(); /* Signal value <= 8
Bit */
ILPutTxTemperature_Sig( &NewTemperature); /* Signal value > 32
Bit */
ILPutTxWindowPos_Sig( NewWindowPos ); /* Signal value <= 16 Bit
*/
EngineRPB = ILGetRxEngineRPM_Sig(); /* Signal value <= 32 Bit */

/* Receive and transmit signals using AUTOSAR API */
/* --------------------------------------------------- */
Com_ReceiveSignal(EngineSpeed_Sig, EngineSpeed ); /* Signal value
> 32 Bit */
Com_ReceiveSignal(InteriorLight_Sig, &InteriorLight) /* Signal
value <= 8 Bit */
Com_SendSignal(Temperature_Sig, NewTemperature); /* Signal value
> 32 Bit */
Com_SendSignal(WindowPos_Sig, &NewWindowPos); /* Signal value
<= 16 Bit */
Com_ReceiveSignal(EngineRPM_Sig, &EngineRPB); /* Signal value
<= 32 Bit */

Caution
All generated signal access only provides unsigned integer values. Signed, float and

the scaling factors (as adjustable in CANdb++) are not supported and have to be
interpreted by the application.

2013, Vector Informatik GmbH
Version: 2.10.03
26 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.6.5
Signal Groups
Physically dependent signals often need to be transmitted together. Therefore, the
Interaction Layer provides the possibility to combine signals to a signal group. With a
signal group the application can collect the data of dependent signals and invoke the
transmission when the group is complete. The definition of the groups is done in the data
base file (DBC), the data collection in a reserved buffer.
With the configuration tool GENy settings for a whole group can be done, e.g. the way of
how to react in case of a group reception or the usage of a buffer provided by the
application.
The strategy for transmitting a signal group is to update all group signals and then sending
the group.
And vice versa is the strategy for receiving a signal group. The group is updated and then
every signal can be read.
There must be distinguished between two different APIs:
 IL API (with data buffer provided by the application or data buffer provided by the IL)
 AUTOSAR API
3.6.5.1
Il API
The IL API can be used with a buffer provided by the application or the buffer provided by
the IL. This can be selected on the configuration view of each signal group in GENy.
IL Buffer used
If the GENy checkbox Use Appl SignalGroupBuffer on the configuration view of the
single groups is not checked the standard buffer defined by the IL is used. The Interaction
Layer provides a structure in which the related signals are combined.

Example
Transmission of a signal group with IL API.
 IlGetTx<groupname>();
IlPutTx<signalname>(data)
…
IlPutTx<groupname>();

Example
Reception of a signal group with IL API.
 IlGetRx<groupname>()
value = IlGetRx<signalname>(dataPtr);
…

2013, Vector Informatik GmbH
Version: 2.10.03
27 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Appl SignalGroupBuffer used
With the GENy checkbox Use Appl SignalGroupBuffer on the configuration view of the
single groups the usage of the buffer provided by the application is activated. You have to
provide this buffer.

Example
Transmission of a signal group with IL API and buffer provided by the application.

/* declare the buffer */
V_MEMRAM0 V_MEMRAM1 _c_<groupname>_buf V_MEMRAM2
<groupname>;
/* initialize the buffer */
IlGetTx<groupname>ShadowBuffer(&<groupname>);

IlPutTx<signalname>SigShadowBuffer(&<groupname>, data);
…
IlPutTx<groupname>ShadowBuffer(&<groupname>);

Example
Reception of a signal group with AUTOSAR API and buffer provided by the application.

/* declare the buffer */
V_MEMRAM0 V_MEMRAM1 _c_IlRxGroup00_buf V_MEMRAM2
<groupname>;
/* initialize the buffer */
IlGetRx<groupname>ShadowBuffer(&<groupname>);
value = IlGetRx<groupname>SigShadowBuffer(&<groupname>,
dataPtr);

3.6.5.2
AUTOSAR API
Using the AUTOSAR API there is no way to define an own shadow buffer for the storage of
the signal groups. The predefined shadow buffer is used.
Updating the buffer for transmission:
Example
Transmission of a signal group with AUTOSAR API.

Com_UpdateShadowSignal(<signalname>, &data);
2013, Vector Informatik GmbH
Version: 2.10.03
28 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

…
Com_SendSignalGroup(<groupname>);

Example
Reception of a signal group with AUTOSAR API.

Com_ReceiveSignalGroup(<groupname>);
Com_ReceiveShadowSignal(<signalname>, &ret);
…

3.6.5.3
GENy configuration
Almost any setting that is available for a single signal also is available for a signal group
and can be selected on the configuration view of the signal group in GENy. In detail this is:
 Put and get macros
 Indication flag and function
 Confirmation flag and function
 Timeout flag and function
 Notification in case of state machine transition: init, start, stop
 Default values

Caution
Signal groups and multiplex messages cannot be combined in one message!.

3.6.6
Default Values
Each signal may have a default value which is defined in the Configuration Tool at compile
time. These default values are used for
 Initializing the Interaction Layer (IlInitPowerOn)
 Starting the receive section (IlRxStart)
 Suspending the receive section (IlRxStop)
 Starting the transmit section (IlTxStart)
 Suspending the transmit section (IlTxStop)
 Replacing signal values in the case of receive errors (time out)
By initializing the Interaction the signal values will be set to 0 (zero), if no default values
were defined. The user can define a single default value for each signal and configure, if it
should be used when the Interaction Layer is initialized or when the receive section or the
transmit section were started or stopped.
2013, Vector Informatik GmbH
Version: 2.10.03
29 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

At  compile  time  the  user  could  define  what  the  Interaction  Layer  should  do,  if  a  receive
error occurred. It is possible to keep the old signal values or to replace them by a default
value (only if defined).

The largest  default value which  can be set  in the configuration tool is 0xffffffff (32 Bit).  If
signals  greater  than  32  Bits  are  used,  they  have  to  be  set  by  the  application  e.g.  in
ApplIlTxStart().
3.7
Data Transmission
There are many ways data could be sent e.g. cyclic or triggered by a change of an initial
value,  etc.  The  concept  behind  transmitting  data  with  the  Vector  Interaction  Layer  is
explained in the following.
3.7.1
Transmission Concept
The  Vector  Interaction  Layer  offers  a  set  of  so-called  transmission  modes. According  to
these modes the signals and messages are being sent. The setting of the modes has to be
done in the DBC file using the CANdb++ editor for any signal.
The following signal transmission modes are selectable:
  Cyclic
  OnWrite
  OnWriteWithRepetition
  OnChange
  OnChangeWithRepetition
  IfActive
  IfActiveWithRepetition
  NoSigSendType
  OnChangeAndIfActive
  OnChangeAndIfActiveWithRepetition

Additionally there are also transmission modes for messages:
  Cyclic
  IfActive
  NoMsgSendType
The  resulting  transmission  mode  is  an  OR  between  the  message  and  the  signal
transmission  mode. The  greyed  fields  describe  the  attribute  to  be  set  to  for  this  specific
transmission mode.
Signal Related
Mixed
Advanced

Transmission
Transmission
Transmission
2013, Vector Informatik GmbH
Version: 2.10.03
30 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

          Message
NoMsgSendType

Cyclic
IfActive
Signal
Cyclic
Transmit fast if signal is

Cyclic Transmission
active
(automatically set for all
signals in this message)
or
Cyclic Transmission
GenMsgCycleTime
GenMsgCycleTime
GenMsgCycleTimeFast
GenSigInactiveValue
OnWrite
Cyclic
Transmit fast if signal is

OnEvent [Write]
Will be sent immediately
Transmission
active
after a write access.
or
(automatically set for all
OnEvent [Write]
signals in this message)
(immediately)
or
OnEvent [Write]
Will be sent immediately after
a write access.
GenMsgCycleTime
GenMsgCycleTimeFast
GenSigInactiveValue
OnWriteWithRepetition
Cyclic
Transmit fast if signal is

OnEvent [Write] with
Repetition
Transmission
active

or
(automatically set for all
OnEvent [Write]
signals in this message)
with Repetition
or
OnEvent [Write] with
Repetition
GenMsgCycleTimeFast
GenMsgCycleTime
GenMsgCycleTimeFast

GenMsgNrOfRepetition
GenMsgCycleTimeFast  GenSigInactiveValue
GenMsgNrOfRepetition  GenMsgNrOfRepetition
OnChange
Cyclic
Transmit fast if signal is

OnEvent [Change]
Will be sent immediately
Transmission
active
after value changed.
or
(automatically set for all
OnEvent [Change]
signals in this message)
Will be sent
or
immediately after value  OnEvent [Change]
changed.
Will be sent immediately after

value changed.

GenMsgCycleTime
GenMsgCycleTimeFast

GenSigInactiveValue
2013, Vector Informatik GmbH
Version: 2.10.03
31 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

OnChangeWithRepetition
Cyclic
Transmit fast if signal is
  OnEvent [Change]
with Repetition
Transmission
active

or
(automatically set for all
OnEvent [Change]
signals in this message)
with Repetition
or
OnEvent [Change] with
Repetition
GenMsgCycleTimeFast
GenMsgCycleTime
GenMsgCycleTimeFast

GenMsgNrOfRepetition
GenMsgCycleTimeFast
GenSigInactiveValue

GenMsgNrOfRepetition  GenMsgNrOfRepetition
IfActive
Cyclic
Transmit fast if signal is

Transmit fast if signal
is active.
Transmission
active

or
(automatically set for all
Transmit fast if
signals in this message)
signal is active.
GenMsgCycleTimeFast
GenMsgCycleTime
GenMsgCycleTimeFast

GenSigInactiveValue
GenMsgCycleTimeFast
GenSigInactiveValue

GenSigInactiveValue
IfActiveWithRepetition
Cyclic
Transmit fast if signal is

Transmit fast if signal
is active with
Transmission
active with Repetition
Repetition
or
(automatically set for all

Transmit fast if
signals in this message)
signal is active with
Repetition
GenMsgCycleTimeFast
GenMsgCycleTime
GenMsgCycleTimeFast

GenSigInactiveValue
GenMsgCycleTimeFast
GenSigInactiveValue

GenMsgNrOfRepetition
GenSigInactiveValue
GenMsgNrOfRepetition

GenMsgNrOfRepetition
NoSigSendType
Cyclic
Transmit fast if signal is

No Transmission
Transmission
active
(GenMsgCycleTime
(automatically set for all
must be set)
signals in this message,
GenMsgCycleTimeFast must
be set)
GenMsgCycleTime
GenMsgCycleTimeFast
GenSigInactiveValue
OnChangeAndIfActive
Cyclic
Transmit fast if signal is

Transmit fast if signal
is active
Transmission
active

or
or
(automatically set for all

Transmit fast if
signals in this message)
OnEvent [Change]
signal is active with
Will be sent immediately
Repetition
after value changed.
or
OnEvent [Change]
Will be sent
immediately
after value changed.
2013, Vector Informatik GmbH
Version: 2.10.03
32 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

GenMsgCycleTimeFast
GenMsgCycleTime
GenMsgCycleTimeFast

GenSigInactiveValue
GenMsgCycleTimeFast
GenSigInactiveValue

GenSigInactiveValue
OnChangeAndIfActiveWi
Transmit fast if signal  Cyclic
Transmit fast if signal is
thRepetition
Transmission
active with Repetition

is active with

Repetition
or
(automatically set for all

or
Transmit fast if
signals in this message

)
signal is active with
OnEvent [Change]
Repetition
Will be sent immediately
or
after value changed.
OnEvent [Change]
Will be sent
immediately
after value changed.
GenMsgCycleTimeFast
GenMsgCycleTime
GenMsgCycleTimeFast

GenSigInactiveValue
GenMsgCycleTimeFast
GenSigInactiveValue

GenMsgNrOfRepetition
GenMsgNrOfRepetition

GenSigInactiveValue

GenMsgNrOfRepetition
Table 3-6
Send Type Matrix

Caution
OnChange parameters will always trigger a send event if an overlapping bit of the value
  written is equals one.
For the correct OnChange behaviour the application must cast the value of a signal to
the signal bit length on the bus, before the IlPut macro is called.

It is the job of the data base engineer (or a suitable program) to assign the signals to the
messages to get the desired transmission modes for any message and signal.
The application does not need to know the transmission mode of the signals. It just calls
the  function  to  write  or  read  the  signal  value  (ILPutTxsignalname  or
ILGetRxsignalname). Everything else will be done by the Signal Interface.
In case of periodic transmission modes only two different cycle times could be chosen for
signals  combined  in  the  same  message.  Therefore,  the  cycle  time  of  a  periodically
transmitted  signal  depends  on  the  cycle  time  of  other  signals  defined  for  periodic
transmission  related  to  the  same  message.  The  application  developer  is  responsible  for
choosing sensible combinations of signals for a message. She/He will be supported by the
Configuration Tool.
The transmission modes resulted from the combinations as shown in the table above are
explained in detail in chapter 3.7.2 Signal Related Transmission Modes.
3.7.2
Signal Related Transmission Modes
This  summarizes  the  first  column  of  the  table  above.  The  message  send  type  is  set  to
NoMsgSendType.
2013, Vector Informatik GmbH
Version: 2.10.03
33 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.7.2.1
Cyclic Transmission
A static period is used to transmit the signals cyclically using this transmission mode. This
mode could be used to transmit signals which are frequently changing their values like the
rpm of an engine for example. The period should be adapted to the speed the signals are
changing their values. Short periods causes high bus load.
As shown in Figure 3-5  Timing Diagram of the Periodic Transmission Mode signals could
be  updated  asynchronously  to  the  period  of  transmission.  Each  time  the  transmission
takes  place  the  Interaction  Layer  checks  for  the  current  value  of  the  message.  This,  of
cause, could lead into the loss of data, if a signal was updated two or more times within a
period.
This Cyclic Transmission Mode actually just copies the signal data. The cyclic transmission
of the messages is done using the GenMsgSendType.
Cyclic Transmission Mode
Application
IlPu
asynchronous
t (5
writing
)
Signal memory
periodical
polling
Interaction Layer
IlTask
t
IlTask
IlTask
IlTask
m
IlTask
IlTask
IlTask
m
e
e
s
s
s
s
a
a
g
g
e
e
(5)
Data Link Layer
GenMsgCycleTime

Figure 3-5
Timing Diagram of the Periodic Transmission Mode
3.7.2.2
OnEvent (OnWrite, OnChange)
Signals  using  this  transmission  mode  will  be  transmitted  once  each  time  the  IlPut-
function  was  called.  The  transmission  of  the  signals  may  be  delayed  by  the  delay  timer
(see  chapter  3.7.6  Reduction  of  Transmission  Bursts  and  3.7.7  Delimitation  of  the  Bus
Load)  to  delimit  the  bus  load.  This  transmission  mode,  for  example,  could  be  used  for
event triggered signals as the state of a switch.
Figure 3-6
Timing  Diagram  of  the  Transmission  Mode  OnEvent  –  OnWrite  shows  the
timing diagram of the event triggered transmission mode.
  Writing a signal which is related to the OnWrite transmission mode causes the
transmission of the message which contains this signal.
2013, Vector Informatik GmbH
Version: 2.10.03
34 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

  Changing a signal which is related to the OnChange transmission mode causes the
transmission of the message which contains this signal.
The TxTask checks if the delay time elapsed and decides whether to transmit the message
immediately or to delay the transmission until the delay time elapsed. This could cause the
loss of data, if the signal was updated two or more times while delay time.

Send OnEvent - OnWrite
Application
lo
s
IL
t
IL
IL
P
s
P
P
u
i
u
u
t
g
_
t_
t_
(
n
a
(
a
b
(a
)
l
)
)
IlTask
IlTask
IlTask
Interaction Layer
t
m
IlTask
IlTask
IlTask
m
IlTask
e
e
s
s
s
s
a
a
g
g
e
e
(

a
(a
)
)
Data Link Layer
GenMsgDelayTime

Figure 3-6
Timing Diagram of the Transmission Mode OnEvent – OnWrite
The  Diagram  for  OnEvent  –  OnChange  looks  like  the  same  way  but  the  decision  on
whether to send or not is met by a comparison between the old and the new signal value.
It will only be sent if the value changes.
3.7.2.3
OnEvent with Repetition (OnWrite, OnChange)
The transmission of the signals using this transmission mode will be repeated n-times after
the  ILPut-function  was  called  once.  For  example,  this mode  could  be  used to transmit
important signals which have not to be missed like safety critical information.
Each  call  of  the  ILPut-function  sets  the  repeat  counter  (repeat_counter
[GenMsgNrOfRepetitions]  =  n).  The  repeat  counter  is  decremented  with  each
transmission of the signal. The transmission takes place each time the delay timer elapses
and the repeat counter is still greater than 0. After the ILPut-function the message will be
sent n times.
2013, Vector Informatik GmbH
Version: 2.10.03
35 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

OnEvent with Repetition - OnWrite
Application
IlPu t (5)
Signal memory
IlTask
IlTask
IlTask
Interaction Layer
t
IlTask IlTask IlTask IlTask
m
IlTask
m
IlTask
m
IlTask IlTask IlTask IlTask
e
e
e
s
s
s
s
s
s
a
a
a
g
g
g
e
e
e
(

5
(
(
5
5
)
)
)
Data Link Layer
GenMsgCycleTimeFast
GenMsgNrOfRepetitions = 3

Figure 3-7
Timing Diagram of OnEvent with Repetition - OnWrite
The  Diagram  for  OnEvent  –  OnChange  looks  like  the  same  way  but  the  decision  on
whether to send or not is met by a comparison between the old and the new signal value.
It will only be sent if the value changes.
3.7.2.4
Transmit Fast if Signal is Active
This  transmission  mode  is  a  Cyclic  Transmission  Mode  with  a  trigger  condition.  If  the
decision is met that the signal is active, the message will be send cyclically with the period
GenMsgCycleTimeFast.
In the Example in Figure 3-8  Timing  Diagram  of  the  Transmit  Fast  if  Signal  Active
Transmission  Mode  the  condition  is  defined  as  x!=10.  This  will  cause  the  transmission
mode to transmit the signal with the period GenMsgCycleTimeFast. If the signal value is
equal to 10 the signal is not sent.
2013, Vector Informatik GmbH
Version: 2.10.03
36 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Transmission Fast if Signal Active
the signal is active if its value is not 10.
Application
I
I
I
l
l
l
P
P
P
u
u
u
t
t
t

(
(
(
5
2
1
)
0
0
)
)
Decision
If(x!=10)
IlTask
IlTask IlTask IlTask IlTask IlTask
IlTask IlTask
IlTask IlTask IlTask IlTask
Interaction Layer
t
IlTask IlTask
m
m
m
IlTask
IlTask
e
e
e
s
s
s
s
s
s
a
a
a
g
g
g
e
e
e

(

(
5
(2
2
)
0
0
)
)
Data Link Layer
GenMsgCycleTimeFast

Figure 3-8
Timing Diagram of the Transmit Fast if Signal Active Transmission Mode
If two or more signals using this transmission mode are combined to the same message, a
rule is needed to regulate switching between the periods.
Figure 3-9
Example  for  Combining  Signals  Related  of  the  Send  Fast  if  Signal Active
Mode  to  the  Same  Message  shows  an  example  where  three  signals  (A,  B  and  C)  are
combined  to  the  same  message.  If  signal A was  written  and meet  the defined  condition,
the transmission starts with the fast period. This state is stored in a flag presented by the
three squares (grey = set, white = not set). The switch will cause the fast transmission of
all signals combined to this message. A second write command for signal A won’t cause
anything,  if  the  value  of A  still  meets  the  condition.  If  signal  B  was  written  and  meet  its
condition  the  flag  for  signal  B  will  be  set.  This  should  cause  the  transmission  mode  to
switch  to  the  fast  period.  But  this  was  already  done  so  nothing  will  happen.  The  signal
value for B which is written next does not meet the condition so the transmission should
stop. This won’t happen, because the flag for signal A is still set. To switch the transmission
off all flags need to be reset. This is shown by setting the flag for signal C, reset the flag for
signal A and reset the flag for signal C. After no set flag remains, the transmission stops.
Short: If signals using the Transmit Fast if Signal Active Mode are combined to the same
message, the message will be transmitted fast if one ore more of them meets its condition.
It will not be transmitted if none of them meet its condition.
2013, Vector Informatik GmbH
Version: 2.10.03
37 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Multiple Signals in Transmit Fast if Signal Active Mode
Application
A
A
B
B
C
A
C
Signal Interface
S
S
S
S
S
S
S
e
e
e
to
e
to
to
t
t
t
p
t
p
p
IlTask
IlTask
Interaction Layer
IlTask
m
e
s
s
a
g
e
Data Link Layer
GenMsgCycleTimeFast

Figure 3-9
Example for Combining Signals Related of the Send Fast if Signal Active Mode to the Same Message
3.7.2.5
Transmit Fast if Signal is Active with Repetition
This  is  the  same  mode  as  above  with  the  exception  that  the  last  transmission  after  the
signal became inactive will be sent n times.
Transmission Fast if Signal Active with Repetition
the signal is active if its value is not 10.
Application
I
I
I
l
l
l
P
P
P
u
u
u
t
t
t

(
(
(
5
2
1
)
0
0
)
)
Decision
If(x!=10)



IlTask
IlTask IlTask IlTask IlTask IlTask
IlTask IlTask
IlTask IlTask IlTask IlTask
Interaction Layer
t
IlTask IlTask
m
m
m
m
m
IlTask
IlTask
e
e
e
e
e
s
s
s
s
s
s
s
s
s
s
a
a
a
a
a
g
g
g
g
g
e
e
e
e
e

(

(
(
(
5
(2
2
1
1
)
0
0
0
0
)
)
)
)
Data Link Layer
GenMsgCycleTimeFast
GenMsgCycleTimeFast
GenMsgNrOfRepetitions = 2


Figure 3-10
Timing Diagram of the Transmit Fast if Signal Active Transmission Mode
2013, Vector Informatik GmbH
Version: 2.10.03
38 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.7.3
Mixed Transmission Mode
The mixed transmission modes are represented of the second column in the table above.
This  is  a  combination  of  the  already  shown  signal  oriented  transmission  modes  and  the
cyclic transmission mode for the message the signals are assigned to.
3.7.3.1
Cyclic (Message) Transmission OR Cyclic (Signal) Transmission
This  is  absolutely  the  same  as  already  described  in  3.7.2.1,  see  there  for  more
information.
3.7.3.2
Cyclic (Message) Transmission OR OnEvent [Write]
The signal is sent cyclically with the period  GenMsgCycleTime and additionally after an
IlPut-function call.
Mixed Transmission Mode - Cyclic OR OnEvent [Write]
Application
2
0
Interaction Layer
m
m
m
m
e
e
m
e
e
s
s
e
s
s
s
s
s
s
s
a
a
s
a
a
g
g
a
g
g
e
e
g
e
e
(

e

c
(c
(

c
(c
y
y
(2
y
y
c
c
0
c
c
le
le
l
)
e
le
)
)
)
)
Data Link Layer
GenMsgDelayTime
GenMsgDelayTime
GenMsgDelayTime GenMsgDelayTime
GenMsgCycleTime
GenMsgCycleTime
GenMsgCycleTime

Figure 3-11
Mixed Transmission Mode – Cyclic OR OnEvent [Write]
The  cyclic  transmission  is  delayed  because  of  the  GenMsgDelayTime  that  has  to  be
waited until the next transmission is possible.  As a result two cyclic messages can have a
distance that is smaller than GenMsgCycleTime.
3.7.3.3
Cyclic (Message) Transmission OR OnEvent [Write] with Repetition
The  same  behaviour  as  above  but  the  event  triggered  message  transmission  will  be
performed GenMsgNrOfRepetitions times with the period of GenMsgCycleTimeFast.
The delay times are taken into account.
2013, Vector Informatik GmbH
Version: 2.10.03
39 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.7.3.4
Cyclic (Message) Transmission OR OnEvent [Change]
This is the same transmission mode as shown in 3.7.3.2 with the exception that the trigger
for sending the event message is a change of the signal value. In the example below the
message value changes from 5 to 20. This change is the trigger for the transmission.
Mixed Transmission Mode - Cyclic OR OnEvent [Change]
Application
5
2
0
Decision
If(x>10)
Interaction Layer
m
m
m
m
m
e
e
e
e
e
s
s
s
s
s
s
s
s
s
s
a
a
a
a
a
g
g
g
g
g
e
e
e
e
e

(

(
(
(
5
(5
2
2
2
)
)
0
0
0
)
)
)
Data Link Layer
GenMsgDelayTime
GenMsgDelayTime
GenMsgDelayTime GenMsgDelayTime
GenMsgCycleTime
GenMsgCycleTime
GenMsgCycleTime

Figure 3-12
Mixed Transmission Mode – Cyclic OR OnEvent [Change]
3.7.3.5
Cyclic (Message) Transmission OR OnEvent [Change] with Repetition
The  same  behaviour  as  above  but  the  event  triggered  message  transmission  will  be
performed GenMsgNrOfRepetitions times with the period of GenMsgCycleTimeFast.
The delay times are taken into account.
3.7.3.6
Cyclic (Message) Transmission OR Transmit Fast If Signal is Active
Choosing this combination, the signal is transmitted cyclically with the GenMsgCycleTime
until  the  signal  becomes  active.  Then  the  signal  is  transmitted  with  the
GenMsgCycleTimeFast until the signal becomes inactive. The period changes then back
to GenMsgCycleTime.
2013, Vector Informatik GmbH
Version: 2.10.03
40 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Transmission Fast if Signal Active Mode
the signal is active if its value is not 10.
Application
I
I
I
l
l
l
P
P
P
u
u
u
t
t
t

(
(
(
5
2
1
)
0
0
)
)
Decision
If(x!=10)
IlTask
IlTask IlTask IlTask IlTask IlTask
IlTask
IlTask
Interaction Layer
t
m
IlTask IlTask
m
m
m
m
m
e
IlTask
IlTask IlTask
e
e
e
e
e
s
s
s
s
s
s
s
s
s
s
s
s
a
a
a
a
a
a
g
g
g
g
g
g
e
e
e
e
e
e
(

1
(

(
(
(
5
(2
2
2
1
0
)
0
0
0
0
)
)
)
)
)
Data Link Layer
GenMsgCycleTime
GenMsgCycleTimeFast
GenMsgCycleTime

Figure 3-13
Mixed Transmission Mode – Cyclic OR Fast If Signal is Active
3.7.3.7
Cyclic (Message) Transmission OR Transmit Fast If Signal is Active with
Repetition
The same behaviour as above but the last message of the fast transmission phase is sent
GenMsgNrOfRepetions times before switching to the GenMsgCycleTime sending
period.
2013, Vector Informatik GmbH
Version: 2.10.03
41 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Mixed Transmission Mode - Cyclic OR
the signal is active if its value is not 10.
Transmission Fast if Signal Active with Repetition
Application
I
I
I
l
l
l
P
P
P
u
u
u
t
t
t

(
(
(
5
2
1
)
0
0
)
)
Decision
If(x!=10)
IlTask
IlTask IlTask IlTask IlTask IlTask
IlTask IlTask
IlTask IlTask IlTask IlTask
Interaction Layer
t
m
m
IlTask IlTask
m
m
m
m
m
e
IlTask
IlTask
e
e
e
e
e
e
s
s
s
s
s
s
s
s
s
s
s
s
s
s
a
a
a
a
a
a
a
g
g
g
g
g
g
g
e
e
e
e
e
e
e
(

1
(

(
(
(
(
5
(2
2
1
1
1
0
)
0
0
0
0
0
)
)
)
)
)
)
Data Link Layer
GenMsgCycleTimeFast
GenMsgCycleTime
GenMsgCycleTimeFast
GenMsgNrOfRepetitions = 2

Figure 3-14
Mixed Transmission Mode – Cyclic OR Fast If Signal is Active with Repetition
3.7.3.8
Cyclic (Message) Transmission OR NoSigSendType
The message is sent cyclically with GenMsgCycleTime and with it all signals.
3.7.4
Advanced Transmission Modes
These  combinations  are  only  used  by  a  few  OEMs  and  described  in  the  OEM-specific
Interaction Layer documentation.
3.7.5
Notification Classes
Two  types  of  notification  classes  are  available  which  cause  the  notification  of  the
application  by  flag  or  function.  The  flags  are  all  set  to  0  at  the  start  of  transmission
(Function IlTxStart() ).
  The Configuration Tool can be used to assign a separate Confirmation Class for each
signal. This event will be set by the Data Link Layer if the particular message was sent
on the bus.
If a flag is used for notification, the application is responsible for clearing this flag.
Caution
This callback function is called in interrupt context! Reduce the runtime of this function to

a minimum

The time between a transmit request and the actual transmission of a signal can be
supervised by timeout monitoring. A Timeout Class will be set, if the signals were not
transmitted within a defined period of time.

2013, Vector Informatik GmbH
Version: 2.10.03
42 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.7.6
Reduction of Transmission Bursts
To prevent transmission bursts caused by interference the start of periodic transmission
could be delayed. Therefore, a start delay time related to a message could be defined at
compile time. Take e.g. three periodically transmitted messages. If the transmission of the
three messages would be started at the same time, the simultaneous transmission of two
or three messages will take place at same points in time. To delay the beginning of the
periodic transmission of some messages is an appropriate way to reduce these
simultaneous transmissions.
3.7.7
Delimitation of the Bus Load
To delimit the bus load a delay time will be inserted after each transmission of data. A
defined delay time is related to a message. This means that delay time will be inserted no
matter what transmission mode was used or by which signal the transmission of the
message was caused.
The usage of a delay time may cause the delay of the transmission. For example the
combination of a periodically transmitted message and a directly transmitted message
could cause a delay as shown in Figure 3-15 Delay Time to Delimit Bus Load. The dashed
arrows stand for periodically transmitted messages. If the direct transmission of a signal
was requested by calling ILPut while the timer GenMsgDelayTime was not elapsed yet, the
transmission of the signal will be delayed till the timer GenMsgDelayTime is elapsed.
To ensure that the message is minimum delayed the GenMsgDelayTime, one tx task cycle
is added to the delay counter, so a message is delayed for GenMsgDelayTime + a time <
tx task cycle.
This ensures that the message is never transmitted before the expiration of
GenMsgDelayTime.
2013, Vector Informatik GmbH
Version: 2.10.03
43 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Delay Time
Application
IL
IL
P
P
u
u
t
t
Interaction Layer
T
_
m
c
y
e
c
s
le
s

a
e
g
la
e
p
s
e
d
Data Link Layer
GenMsgDelayTime
GenMsgDelayTime
GenMsgCycleTime
GenMsgCycleTime

Figure 3-15
Delay Time to Delimit Bus Load
3.7.8
Transmission Timeout Monitoring
The  Interaction  Layer  provides  a  feature  to  monitor  the  transmission  of  signals.  The
timeout monitoring for transmitted signals was intended to supervise  the time between a
transmit  request  and  the  actual  transmission  of  the  signal.  Therefore,  a  timer  will  be
activated, after a transmission was requested. If the successful transmission was notified
(confirmation), the timer will be deactivated. If the timer elapsed before the confirmation,
the application will be notified about the timeout.
To configure timeout monitoring for a signal the flag or function for the notification needs to
be chosen in the Configuration Tool. If no notification was chosen, the timeout monitoring
will be deactivated for this signal.
3.7.9
Transmission of Initialization Messages
The  Interaction  Layer  provides  a  function  to  transmit  a  set  of  messages,  called
IlSendOnInitMsg().  This  function  is  intended  to  be  used  at  initialization  time.  It  will
transmit each of the messages in the set only once. The transmission modes of the signals
and messages will be ignored. The messages belonging to the set  can be configured at
compile time by using the Configuration Tool.
2013, Vector Informatik GmbH
Version: 2.10.03
44 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.8
Data Reception
3.8.1
Reception Concept
To  receive  new  data  the  Interaction  Layer  has  to  process  the  messages  immediately.
Therefore all tasks will be interrupted to copy the new data to the RAM. On the other hand
the time of interrupt should be as short as possible. By that reason all the jobs which are
not time critical like for example the notification of  the application are done by a periodic
task. Therefore the Interaction Layer provides several functions and an interrupt handler.
Further, the Interaction Layer provides several notification classes for example to notify the
application  about  updated  values.  The  usual  response  of  the  application  is  to  read  the
updated  signal  values  by  calling  functions  or  macros  provided  by  the  Signal  Interface
(ILGetRxsignalname).  Everything  else  will  be  done  by  the  Signal  Interface  and  the
underlying Message Manager.
3.8.2
Notification Classes
Four  types  of  notification  classes  are  available  which  cause  the  notification  of  the
application by flag or function. The flags are all set to 0 at the start of receiving ( Function
IlRxStart() ). All classes are optional and in order to save code and run time they can
be removed by a configuration switch at compile time, set in the Configuration Tool.

1)  If a message was received an Indication Class will be set by the Interaction Layer. By
this event the application can determine whether a new message has arrived.
If a flag is used for notification, the application can always check the message contents
for  changes  and  perform  tasks  accordingly,  if  the  flag  is  set.  The  application  is
responsible to clear the flag which was set by the Interaction Layer.
If needed, multiple indication flags for a single signal can be configured. By this feature
several parts of the application can be notified independently.
2)  For periodic receive messages the Interaction Layer takes care of timeout monitoring. A
Timeout Class is set, if a message which should be received periodically arrives too
late.  Too  late  means  that  a  new  message  with  the  same  ID  was  not  received  after
timeout time (Example: timeout time = 2.5x cycle time) elapsed. The timeout time of a
CAN-message is defined at compile time. All timeout functions are running in the same
context as the IlRxTask() does.
If a flag is used for notification, the flag will be set and cleared by the Interaction Layer.
The application  is  also  allowed  to  clear  the flag,  but  the  Interaction Layer  will  always
overwrite it, if an event occurred.
3)  The First-Value Class notifies the application about the first reception of a signal. This
is done by setting an event each time a  signal has been received. Actually, the First-
Value Class and the Indication Class are working the same way.
Only a flag could be used as notification mechanism for this class. The flag will be set
by the Interaction Layer. The application is responsible to clear the flag. The flag will be
reset by IlRxStart to recognize for example the first received message after power-
on or bus-off.
4)  A Data-Changed Class is provided for ECUs with processors of a higher performance
class. This event is set if the message contents of an incoming CAN message differs
from the contents  of the memory in  the controller's CAN buffer.  For Full-CAN objects
this  requires  a  copy  of  the  message  in  RAM  (increased  RAM  requirement  in  the
2013, Vector Informatik GmbH
Version: 2.10.03
45 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

controller). Using a mask, portions of the message can be masked out for the
comparison. Since the mask is applied to the message bit wise, changes involving
partial information of a signal can be used (e.g. only the upper 12 bits of a 16 bit
signal).
Only a flag can be used as notification mechanism for this class. The flag will be set by
the Interaction Layer. The application is responsible to clear the flag.
3.8.3
Timeout Monitoring
The periodic receipt of messages which are periodically transmitted by another network
node could be overseen by timeout monitoring. For this purpose a time-out timer is
provided by the Interaction Layer. This timer will be restarted each time the related
message was received. If the timeout timer elapses before the next related message was
received, the application will be notified (see chapter 3.8.2 Notification Classes). When a
timeout occurs the current value of the message is not valid anymore. In this case the
message's memory area in the controller can be pre-filled with 0 (zero) or with a default
value (if defined) in order to preserve emergency operation of the application.
The attribute GenSigTimeoutTime_<ECU> in the network database needs to be set to
activate the timeout monitoring. The attribute GenSigTimeoutMsg_<ECU> may be set to
the default value. Then the message, which contains the current signal, will be monitored.
In the following example the configuration of the attributes in the network database will be
shown. A network node A transmits a signal to network node B by the Periodic
Transmission Mode. Network node B as the receiver of the signal wants to monitor the
periodic reception. Therefore, the attributes GenSigTimeoutMsg_<ECU> and
GenSigTimeoutTime_<ECU> needs to be adapted for this signal. For the timeout
monitoring by the network node B the name of the two attributes must be changed to
GenSigTimeoutMsg_B and GenSigTimeoutTime_B. If another network node, for example
network node XY, wants to monitor the reception of this signal, too, the attributes
GenSigTimeoutMsg_XY and GenSigTimeoutTime_XY have to be added. Further the
values need to be defined for the attributes. For the attribute GenSigTimeoutMsg_B we
need to fill in the message ID of the message which includes the signal to be monitored.
The attribute GenSigTimeoutTime_B contains the timeout time. If the signal was not
received within this time, the application will be notified.
The value of the dbc attribute GenSigTimeoutTime_<ECU> is displayed on each rx signal
in the GENy GUI.
2013, Vector Informatik GmbH
Version: 2.10.03
46 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Caution
If the Timeout Time is editable the value is not derived from the dbc attribute
 GenSigTimeoutTime_<ECU>, in this case the timeout time can only be edited in the
GENy GUI.

For diagnosis efforts the Interaction Layer provides an advanced timeout monitoring for
messages. This includes the possibility to reload the timeout timer and the message
related notification of the application when this timer elapsed again. I.e. after the first
timeout occurred the Interaction Layer will notify the application about the timeout of each
signal included in the message. Then the application can reload the timeout timer. After
this timer elapsed again, the Interaction Layer will notify the application about the timeout
of the whole message. After the reload of the timer the application won’t be notified about
the signal’s timeout again.
3.8.4
Dynamic Timeout Monitoring
If it is required to assign different timeout values to a timer or to start and stop at timer at
run-time, a special API can be activated for each signal. The change of one signal of a
message influences all signal timers of a message. The dynamic timeout counters are
treated by the state machine in the same way as normal timeout events. The timeout
defined in the database is the initial timer, which is set on IlInitPowerOn.
Example
You have to supervise a signal, which is received every 200 ms. If a first timeout after
 500 ms is detected, another timeout is started. After the following timeout of 4 s, a fault
memory entry has to be logged.

/* check timeout flag */
if (IlGetRxGwDataTimeout())
{
 /* clear timeout flag */
2013, Vector Informatik GmbH
Version: 2.10.03
47 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

 IlClrRxGwDataTimeout();
 /* read current timeout value */
 if (IlGetRxGwDataDynRxTimeout() == 500)
 {
 /* First Timeout Level */
 IlSetRxGwDataDynRxTimeout(4000); /* assign new timeout value */
 IlStartRxGwDataDynRxTimeout();/* start timer */
 ToggleEcuState();
 }else
 {
 /* Second Timeout Level */
 IlStopRxGwDataDynRxTimeout();/* stop timer */
 SetErrorMemoryEvent();
 /* Reset the timeout start,
 if the signal is received the next time */
 IlSetRxGwDataDynRxTimeout(500);
 }
}

Caution
The timeout value access is implemented as macro. The parameter
 IlSetRx<SignalName>DynRxTimeout and the return value of
IlGetRx<SignalName>DynRxTimeout is always IltRxTimeoutCounter which is defined to
vuint16. Due to this, the maximum timeout counter is 65535.

3.9
Signal status information (UpdateBits)
The UpdateBit Support is used to indicate whether the application has updated the Signal
value.[8] Only Signals and Signal Groups can have UpdateBits. A partial signal cannot
have an UpdateBit. Multiplexed Signals can have UpdateBits if the UpdateBit is
multiplexed with the same multiplexor value.
Info
For detailed information see AUTOSAR Specification of Module COM [8]

3.9.1
Configuration
An UpdateBit has no configurable attributes in GENy. There is no special switch in GENy
to enable UpdateBit support.
Caution

UpdateBits cannot be used in combination with Multiplex API Raw.


UpdateBit Support needs the CanCopyToCan Driver API.[1]

UpdateBit cannot be used in combination with dynamic DLC.

GroupSignals (partial signals) cannot have UpdateBits.

UpdateBit cannot be used if common buffer is used without identity manager.

2013, Vector Informatik GmbH
Version: 2.10.03
48 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.9.1.1
DBC File
In the DBC file an UpdateBit has the size of one Bit and the postfix “_UB”. The UpdateBit
name is a combination between the UpdateBit Signal name and the postfix “_UB” e.g. the
Signal <SignalName> has the UpdateBit <SignalName>_UB.
UpdateBit dbc file attributes:
GenSigSendType
Fix: NoSigSendType
GenSigTimeoutTime_<ECU>
Message specific timeout time

Signal with UpdateBit attributes:
GenSigTimeoutTime_<ECU>
UpdateBit specific timeout time

3.9.2
UpdateBit Transmission
If the application writes via a Put Macro a Signal with an UpdateBit, the UpdateBit will be
set to one. The UpdateBit is reset to zero after the message is transmitted once.
Info

 If a message has signals with UpdateBits the PreTransmitt function is used
by the Il_Vector.
 RDS macros can’t be used in combination with UpdateBits.
 It is possible to use the AUTOSAR Signal Interface in combination with
UpdateBits.

3.9.3
UpdateBit Reception
The Indication Flag/Function of a Signal with UpdateBit will only be set/called if the
UpdateBit of the Signal is set.
3.9.3.1
Timeout
A Signal with an UpdateBit can have a Signal specific timeout. The Signal specific timeout
monitors the time between two UpdateBits equal 1. The value of the DBC Attribute
“GenSigTimeoutTime” on the Signal with the UpdateBit is the UpdateBit specific timeout
time.
The value of the DBC Attribute “GenSigTimeoutTime” is displayed as timeout time on each
RxSignal in the GENy GUI. If the timeout time is editable in the GENy GUI the value is not
derived from the DBC Attribute “GenSigTimeoutTime” and must be configured in the GUI.
Info
 The UpdateBit specific timeout can be used in combination with Dynamic
Timeout Monitoring.

2013, Vector Informatik GmbH
Version: 2.10.03
49 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.10  Multiple Channel Support
3.10.1  Overview
Sometimes two or more CAN Controllers are used on the same CAN bus. Therefore, the
CAN Driver and the Interaction Layer have to be adapted to multi channel support. This
could be done in two ways. First, the whole source code could be doubled. We will refer to
this as Crx (Code replicated) Interaction Layer. Second, a single source code could work
with doubled data buffers. We will refer to this as Idx (Indexed) Interaction Layer because
the access to the data buffers will be controlled by an index. The following two sections will
describe these two possibilities.
Note that only API services which relate to one specific channel, i.e. one physical medium
have  to  distinguish  between  different  channels.  Signal  access  services  are  not  channel
related.

3.10.2  Idx (Indexed) Interaction Layer
An Idx Interaction Layer will work on two or more CAN busses without doubling of code. It
will work with multiple data buffers which can be accessed by an index. This results in a
kind of array. And even the access by the application will be similar to an  array. Function
names  won’t  get  a  suffix  as  for  the  Crx  Interaction  Layer.  The  access  to  the  different
buffers will be done by a parameter. We will refer to this parameter as index.
For example the function call IlTxTask() of a single channel Interaction Layer will result
in IlTxTask( 0 ) for channel number 0 and IlTxTask( 1 ) for channel number 1 of
an Idx Interaction Layer. However, the initialization of all the channels will be handled by
the single function IlInitPowerOn().
3.11  Advanced Communication Features
3.11.1  Physical Multiple and Multiple Configuration ECU
Please see in [2].

3.11.2  Multiplexed Signals
To save message IDs the Interaction Layer supports the use of several message layouts
for a single message. The signals combined in this several layouts are called multiplexed
signals.  The  current  message  layout  will  be  indicated  by  a  multiplexor  signal  (mode
signal).
3.11.2.1  Standard API
The  Interaction  Layer  will  provide  data  access  and  notification  mechanisms  for  all
multiplexed signals. I.e. multiplexed signals will be encapsulated by the Interaction Layer.
However,  here  are  some  restrictions  and  some  helpful  information  for  the  use  of
multiplexed signals:
The several layouts are defined in the network database
The current layout will be chosen by the use of a multiplexor signal (mode signal)
With multiplexed signals only the Cyclic transmission modes can be used
2013, Vector Informatik GmbH
Version: 2.10.03
50 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

The actual cycle time of a multiplexed signal can be calculated by the following formula:
Message Cycle Time * Number of Message Layouts = Multiplexed Signal Cycle Time
A delay time has to be specified for messages with multiplexed signals by means of the
attribute GenMsgDelayTime.
Data changed flags are not supported for multiplexed signals
Note  that  multiplexed  signals  are  provided  by  the  Interaction  Layer  in  version  3.27  and
higher.
3.11.2.2  Raw API
The  Interaction  Layer  provides  a  raw  interface  for  multiplex  signals.  The  advantage  is
runtime improvement, reduction of Ram and Rom requirements.
Example
The following code example demonstrates the implementation of a reception of a
  multiplexed signal.
  Configure a PreCopy function for the multiplex message in the CAN Driver.
  Configure RDS access to the signals multiplexor signal and multiplexed signals, of
the message MultiplexMessage. MultiplexedSignal is for example valid, if the
MultiplexorSignal is 0x10
vuint16 MyMultiplexedSignal;
/* Implementation of the reserved indication function */
void ApplRawApiMultiplexMessagePrecopy(CanReceiveHandle
rxObject)
{
/* Get the multiplexor value */
vuint8 MyMultiplexorSignal;
MyMultiplexorSignal = IlGetRxCANMultiplexorSignal();

/* Check for the correct multiplexor */
if ( MyMultiplexorSignal == 0x10 )
{
/* Get the multiplexed signal */
MyMultiplexedSignal = IlGetRxCANMultiplexedSignal();
}
if ( MyMultiplexorSignal == 0xA3 )
{
/*
Implement the reception of other Multiplexed Signals
for the Multiplexorvalue 0xA3 here
*/
}
…………
/* The returnvalue kCanNoCopyData is mandatory */
return kCanNoCopyData;
}

2013, Vector Informatik GmbH
Version: 2.10.03
51 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Example
The following code example shows the implementation of a transmission of a
  multiplexed signal.
  Configure a Pretransmit function for the multiplex message in the Can Driver.
  Configure Rds access to write the Multiplexor signal and multiplexed signals, of the
message multiplex message. MultiplexedSignal for example is valid, if the
MultiplexorSignal is 0x10

vuint16 MyMultiplexedSignal;
vuint16 MyMultiplexorValue;

void
ApplRawApiMultiplexMessagePretransmit(CanTransmitHandle
txObject)
{
  /* Implementation of the Multiplexor toggle mechanism */
if ( MyMultiplexorValue == 0x43 )
{
  IlPutTxCANMultiplexorSignal(0x10);
  IlPutTxCANMultiplexedSignal(MyMultiplexedSignal);
/*
Implement here the transmission of other signals for the
multiplexor 0x10
*/
MyMultiplexorValue = 0x10;
}
else if ( MyMultiplexorValue == 0x10 )
{
  IlPutTxCANMultiplexorSignal(0x43);
  /*
Implement here the transmission of other signals for the
multiplexor 0x43
*/
MyMultiplexorValue = 0x43;
}
…………
/* The returnvalue kCanNoCopyData is mandatory */
return kCanNoCopyData;
}

2013, Vector Informatik GmbH
Version: 2.10.03
52 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

3.11.3 Manipulation of the Notification Frequency
The periodic tasks for transmission and reception (See 3.4 Main Functions) are
responsible for all the cyclic tasks the Interaction Layer has to do. Both need runtime and
for this reason the application developer wants to set the cycle time to invoke the tasks as
high as possible. A high cycle time has the major drawback that the notification about
urgent events will slow down, too. This is because the events will be checked within these
tasks. I.e. they are checked in the same cycle time.
To solve this problem the Interaction Layer provides a function called
IL<Tx/Rx>StateTask. This function is responsible for the notification of the application.
It will check, if there was any event the application wants to be notified about and notifies
the application. The function will be invoked by the IL<Tx/Rx>Task in the defined cycle
time. Further this function can be invoked by the application any time it is necessary. So
the developer can shorten the time between checking for new events and for notification.
To reduce the time between an event and the notification even more, the application can
be notified in interrupt context. This feature can be configured by the Configuration Tool for
each message and will have effect on each signal the message contains. Checking for
events in interrupt context means checking for events each time a message was
transmitted or received, respectively. This is the fastest way to be notified by the
Interaction Layer.
It’s recommended to think about the consequences of using the StateTask or the
notification in interrupt context, respectively. Both ways to speed up the notification has
pros and cons.

2013, Vector Informatik GmbH
Version: 2.10.03
53 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

4  Integration
This chapter gives necessary information for the integration of the Interaction Layer into an
application environment of an ECU.
4.1
Include structure
To use the Vector Interaction Layer, only the file il_inc.h must be included in all application
components  that  want  to  use  Interaction  Layer  functionality.  The  file  can_inc.h  (which
provides the CAN Driver interface and data buffers) must not be included separately, it is
automatically included by il_inc.h.

Figure 4-1  Including Interaction Layer
4.2
Scope of Delivery
The delivery of the Interaction Layer contains the files which are described in the chapters
4.2.1 and 4.2.2:
4.2.1
Static Files
File Name
Description
il_inc.h
This is the header file to be included by other components to use the Interaction
Layer.
il_def.h
This is the header file of the Interaction Layer.
il.c
This is the source file of the Interaction Layer.
Table 4-1
Static files
4.2.2
Dynamic Files
The dynamic files are generated by the configuration tool GENy.
File Name
Description
il_cfg.h
This is the generated header file containing pre-compile switches.
2013, Vector Informatik GmbH
Version: 2.10.03
54 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

File Name
Description
il_par.h
This is the generated header file providing symbolic defines, macros and
prototypes.
il_par.c
This is the generated source file containing generated parameters and functions.
Table 4-2
Generated files
4.3
Operating Systems Requirements
The  CAN  communication  components  are  designed  and  programmed  to  work  with  or
without  operating  systems.  Since  the  components  have  to  work  without  an  operating
system,  resource  locking  mechanisms  are  not  handled.  To  lock  critical  resources,
interrupts  will  be  disabled  and  restored.  The  CAN  driver  (Data  Link  Layer)  provides
functions to fulfil this task.
Each component has one or two functions (tasks) which have to be called periodically. For
operating  systems  it  is  advisable  to  create  one  task  and  call  all  the  Interaction  Layer
component  functions  subsequently.  To  implement  different  periods  of  time,  the  OS  task
could have a counter to implement this.
Data consistency issues:
Cyclic  IL  tasks  are  not  allowed  to  interrupt  signal  accesses.  This  has  the  following
consequences:
>  No cyclic IL task shall be called on Interrupt level e.g. directly in a timer ISR.
>  In a priority driven multitasking operating system with preemptive scheduling such as
OSEK-OS cyclic IL tasks should have a lower priority than the tasks performing signal
accesses.
To ensure data consistency on pre-emptive multi-tasking operating systems or when using
IL signal access services on interrupt level, there are two things to keep in mind.
>  The Interaction Layer provides mechanisms to keep data consistency on multi-byte
signals. That means, reading multi-byte data is always done while interrupts are locked.
In that case, no task switch can occur. The disadvantage to that mechanism is a longer
interrupt latency time. If your system is critical to long latency times, ensure that your
system works properly in all cases.
>  Bit field manipulation is done by macros. Some compilers and processors realize bit
field manipulation by read-modify-write accesses. If data access to bit fields in the same
byte is used in pre-emptive tasks or on interrupt level, a problem could be caused. Try
to avoid this or make resource locking to such accesses.
These  issues  can  be  circumvented  by  using  the  Interaction  Layer  API  only  in  non-
preemptive tasks.

2013, Vector Informatik GmbH
Version: 2.10.03
55 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

5 Configuration
In the Interaction Layer the attributes can be configured with the following methods:
> Configuration in GENy for a detailed description see 5.2 Configuration with GENy
> Configuration in Database, for a detailed description see chapter 5.1 Configuration in
Data Base
5.1
Configuration in Data Base
The following attributes can be used to configure the Interaction Layer in the DBC file.

Info
Bold Value Types should be Used as default. Value Types marked with * are available

for CANgen compatibility reasons.

Caution
Don’t mix up the order of enumeration values. Not the value of the attribute is
 interpreted, the position of the selected value.

Caution
The “Type of Object” can be configured in the dbc file for some attributes as “Signal” or
 “Node – Mapped Rx Signal”. Use only one “Type of Object” in a single dbc file. If the
“Type of Object” is “Signal”, the attribute must be defined in the dbc file for each Ecu.
Due to this, replace <ECU> in the attribute name by the Node name.

Name
ILUsed
Description
This attribute must be defined, to use the Vector Interaction Layer with this
node.
0 : The node is cannot be used with the Interaction Layer
1 : The node is can be used with the Interaction Layer
Type Of Object
Node
Value Type
Enumeration
Default
No
Values
No, Yes

2013, Vector Informatik GmbH
Version: 2.10.03
56 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Name
GenMsgILSupport
Description
Configurate the usage of the Interaction Layer for this message
0 : The message is not used by the Interaction Layer
1 : The message is used by the Interaction Layer
Type Of Object
Message
Value Type
Enumeration
Default
Yes
Values
No, Yes

5.1.1
Send Type

Info
The strings used for the GenMsgSendType is often OEM-specific and can differ from

here.

Name
GenMsgSendType
Description
Message related transmission mode.
Use only Cyclic for messages with multiplexed signals.
Type Of Object
Message
Value Type
Enumeration
Default
NoMsgSendType (Use only signal related transmission modes.)
Values
Cyclic, NotUsed, NotUsed, NotUsed, NotUsed, NotUsed, NotUsed, IfActive,
NoMsgSendType

Name
GenSigSendType
Description
Signal related transmission mode.
Use only NoSigSendType for messages with multiplexed signals.
Type Of Object
Signal
Value Type
Enumeration
Default
NoSigSendType
Values
Cyclic, OnWrite, OnWriteWithRepetition, OnChange,
OnChangeWithRepetition, IfActive, IfActiveWithRepetition, NoSigSendType,
OnChangeAndIfActive, OnChangeAndIfActiveWithRepetition

2013, Vector Informatik GmbH
Version: 2.10.03
57 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

5.1.2
Send Type Dependent

Name
GenMsgCycleTime
Description
Time in ms between each cyclic transmission of a message.
Type Of Object
Message
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

Name
GenMsgCycleTimeFast
Description
Value of the second cycle time, if the GenMsgSendType/GenMsgSendType
IfActive or GenMsgFastOnStart is configured.
Type Of Object
Message
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

Name
GenMsgNrOfRepetition
Description
Number of repetitions used if the GenSigSendType is
OnChangeWithRepetition, OnWriteWithRepetition, IfActiveWithRepetition or
OnChangeAndIfActiveWithRepetition is defined.
The number of repetitions can be configured separately for each message. To
reduce Rom and Ram requirements configure the same number for each
message.
This value defines how often a message is sent before its transmission is
stopped. See e.g. Figure 3-7  Timing Diagram of OnEvent with Repetition -
OnWrite.
Type Of Object
Message
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

Caution
Please note, the attribute GenSigStartValue sets the Default value at initialization time,

not if IlRxStart or IlTxStart is called. Due to historical and compatibility reasons, this
confusing definition cannot be changed any more.

2013, Vector Informatik GmbH
Version: 2.10.03
58 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Name
GenSigStartValue
Description
This Value is the default value for the signal, if IlInitPowerOn is called.
The string value type can represent hexadecimal and integer values.
Type Of Object
Signal
Value Type
String, Integer*, Float*
Default
0x0
Minimum
0x0
Maximum
0xffffffffffffffff

Name
GenSigInactiveValue
Description
Value for which Transmit Fast If Active will be set inactive. It is not
recommended to use Hex values, due to the range restriction.
The string value type can represent hexadecimal and integer values. The
usage of the hex value is not recommended, because it cannot represent
values greater than 0x7fffffff.
Type Of Object
Signal
Value Type
String, Hex*
Default
0x0
Minimum
0x0
Maximum
0xffffffffffffffff  Hex : 0x7fffffff

Name
GenSigTimeoutValue
Description
This Value is the timeout default value for the signal, if a timeout occurs.
The integer value allows the definition of timeout values for signals with a
maximum Length of 4 Bytes.
Type Of Object
Signal
Value Type
Integer
Default
0x0
Minimum
0x0
Maximum
4294967296

2013, Vector Informatik GmbH
Version: 2.10.03
59 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

5.1.3
Advanced Attributes

Name
GenMsgDelayTime
Description
This is the minimum time in ms between the transmissions of messages with
the same identifier.
Type Of Object
Message
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

Name
GenMsgStartDelayTime
Description
This is the time in ms after IlTxStart has been called, when the cyclic
transmission event starts.
If a transmission is triggered by OnEvent, OnEventWithRepetition, IfActive,
IfActiveWithRepetition within the MsgStartDelayTime, the transmission is not
performed within the GenMsgStartDelayTime.
Type Of Object
Message
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

Name
GenMsgFastOnStart
Description
This is the time in ms after IlTxStart has been called, where the message is
transmitted cyclic with GenMsgCycleTimeFast.
The value has to be an integer multiple of GenMsgCycleTimeFast.
Type Of Object
Message
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

2013, Vector Informatik GmbH
Version: 2.10.03
60 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

5.1.4
Timeout Supervision Attributes

Name
ILTxTimeout
Description
Value of the timeout time in ms for Tx used for all messages within the
channel. To use the timeout monitoring it must be activated for each signal in
the Configuration Tool.
Type Of Object
Network
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

Name
GenSigTimeoutMsg_<ECU>
Description
Message ID to enable the timeout monitoring for signals which are not
transmitted periodically by the receiver <ECU>. If this attribute is set to default
the message will chosen, which contains the current signal.
If you must reference extended IDs, use the following representation format,
where the CAN identifier is combined with 0x80000000 by a logical or.
Example: ID 0x208 is used for the standard ID and ID 0x80000208 for the
extended ID.
Type Of Object
Signal
Value Type
Hex
Default
0
Minimum
0x80000000
Maximum
0xfffffff

Name
GenSigTimeoutMsg
Description
Message ID to enable the timeout monitoring for signals which are not
transmitted periodically by the receiver Ecu. If this attribute is set to default the
message will chosen, which contains the current signal.
If you must reference extended IDs, use the following representation format,
where the CAN identifier is combined with 0x80000000 by a logical or.
Example: ID 0x208 is used for the standard ID and ID 0x80000208 for the
extended ID.
Type Of Object
Node – Mapped Rx Signal
Value Type
Hex
Default
0
Minimum
0x80000000
Maximum
0xfffffff

2013, Vector Informatik GmbH
Version: 2.10.03
61 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Please note
The database attribute GenSigTimeoutMsg has the following limitations:
Relations to messages containing multiplexed signals are not supported.
Relations from messages containing multiplexed signals are not supported.

Name
GenSigTimeoutTime_<ECU>
Description
Timeout time in ms used for this signal received by <ECU>.
If different GenSigTimeoutTime_<ECU> values are configured for a message,
the lowest timeout time (strongest definition) is used for timeout monitoring.
The value of the attribute is displayed as Timeout Time on each RxSignal in
the GENy GUI.
Type Of Object
Signal
Value Type
Integer
Default
0
Minimum
0
Maximum
65535
Please note
If the timeout time on a RxSignal is editable, the value is not derived from the

database attribute GenSigTimeoutTime_<ECU>.

Name
GenSigTimeoutTime
Description
Timeout time in ms used for this signal received by Ecu.
If different GenSigTimeoutTime values are configured for a message, the
lowest timeout time (strongest definition) is used for timeout monitoring.
Type Of Object
Node – Mapped Rx Signal
Value Type
Integer
Default
0
Minimum
0
Maximum
65535

2013, Vector Informatik GmbH
Version: 2.10.03
62 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Name
GenSigSuprvResp
Description
This value preconfigurates the timeout flag and timeout default value.
0 : Preconfigurate nothing
1 : A timeout flag is configured for the signal
2 : A timeout default value is configured for the signal
3 : A timeout flag and timeout default value is configured for the signal
Type Of Object
Node – Mapped Rx Signal
Value Type
Enumeration
Default
None
Values
None, TimeoutFlag, TimeoutDefaultValue, TimeoutFlag and
TimeoutDefaultValue

Name
GenSigSuprvRespSubValue
Description
This Value is the timeout default value for the signal, if a timeout occurs.
The integer value allows the definition of timeout values for signals with a
maximum Length of 4 Bytes.
Type Of Object
Node – Mapped Rx Signal
Value Type
Integer
Default
0x0
Minimum
0x0
Maximum
4294967296

5.1.5
Former Attributes
The following attributes are not supported any more.
Name
GenMsgNoIalSupport
Replaced by
GenMsgILSupport
Description
GenMsgILSupport is the inverted view of the attribute GenMsgNoIalSupport.

5.1.6
Example
A signal A and a signal B are included in the message XY. Signal A should be transmitted
periodically by the cycle time of 50ms. Signal B should be transmitted each time an event
occurs.
For signal A we chose the Periodic Transmission Mode (Transmission Modes see chapter
3.7.2). For the event driven transmission of signal B, the Direct Transmission Mode will fit
best.
Next  step  is  to  choose  the  attributes  for  this  constellation.  To  chose  the  Periodic
Transmission  Mode  for  signal A  we  need  to  set  the  GenSigSendType  to  Cyclic  and  the
GenMsgCycleTime to 200 [ms]. To choose the Direct Transmission Mode for signal B we
need to set the GenSigSendType to OnWrite. This will result to the attributes listed in the
table below.
2013, Vector Informatik GmbH
Version: 2.10.03
63 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Node Attribute
Value
Comment
ILUsed
Yes
Yes, use the Interaction Layer within
this network node.

Attribute for Message XY
Value
Comment
GenMsgDelayTime
Yes
not necessary for this example
GenMsgCycleTime
50 [ms]
Value of the cycle time of the
message. There can’t be signals with
different cycle times combined in one
message. Therefore this is the cycle
time of signal A.
GenMsgCycleTimeFast

not necessary for this example
GenMsgStartDelayTime

not necessary for this example
GenMsgILSupport
Yes
Enable the usage of the Interaction
Layer for this message (for messages
used by diagnosis, network
management ...).
GenMsgNrOfRepetition

not necessary for this example
GenMsgSendType
NoMsgSendType
We use only signal related
transmission modes within this
example. Therefore, see
GenSigSendType.

Attribute for Signal A
Value
Comment
GenSigSendType
Cyclic
Use the Periodic Transmission Mode
for signal A.
GenSigInactiveValue

not necessary for this example
GenSigTimeoutMsg_<ECU>

not necessary for this example
GenSigTimeoutTime_<ECU>

not necessary for this example
Attribute for Signal B
Value
Comment
GenSigSendType
OnWrite
Use the Direct Transmission Mode for
signal B.
GenSigInactiveValue

not necessary for this example
GenSigTimeoutMsg_<ECU>

not necessary for this example
GenSigTimeoutTime_<ECU>

not necessary for this example

The result of combining signal A and signal B with different Transmission Modes to one
message XY will be shown in the timing diagram below. The dashed lines are used in
consideration of signal A. The solid lines are used in consideration of signal B.
2013, Vector Informatik GmbH
Version: 2.10.03
64 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Message XY
Application
IL
IL
I
I
I
L
L
L
IL
IL
IL
P
P
P
P
P
P
P
P
u
u
u
u
u
u
u
u
tA
tB
t
t
t
A
A
A
tB
tB
tB
Interaction Layer
M
e
s
s
a
g
e
X
Y
Data Link Layer
GenMsgCycleTime
50ms
signal A
50ms
50ms
50ms

Figure 5-1
A Signal with the Periodic Transmission Mode and one with the Direct Transmission Mode Combined to a message.
5.2
Configuration with GENy
Info
The detailed information for all checkboxes and settings is given in the so-called

OnScreen Help view of GENy just by clicking the checkbox or the name of the switch.
This is activated via View | OnScreen Help.
Information about how to work with GENy can be found in the OnlineHelp of GENy
opened via Help | Help topics.

Figure 5-2
OnScreen Help View for fast information
In the Configuration Tool GENy all settings for the Vector Interaction Layer are done via
the marked tree items.
2013, Vector Informatik GmbH
Version: 2.10.03
65 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Figure 5-3
Overview of Vector Interaction Layer Configuration in GENy
2013, Vector Informatik GmbH
Version: 2.10.03
66 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

IL Vector
Configure the basic settings for the Vector Interaction Layer. Use the OnScreen Help View
of GENy to get more information about each option.
Support for AUTOSAR
The Vector Interaction Layer can be configured to support a signal API according to the

AUTOSAR Specification of Module COM [8]. This has effects on the signal API, see
more there…

Channels
Define the task call cycle times.
Tx/Rx Messages
Most  of  those  entries  are  fixed  and  already  set  in  the  DBC  file  and  explained  for
information only.
Tx/Rx Signals
This  is  where  to  configure  the  settings  for  the  signals,  its  access  macros,  the  way  of
notification, etc.
Attribute Name
Value
Default  Description
Type
Value
ModuleInstance > Il_Vector
User Config File
String

N.a.
The Interaction Layer configuration file (il_cfg.h) is
generated by GENy. If you want to overwrite settings in the
generated Il_Vector configuration file (il_cfg.h), you can
specify a path to a user defined configuration file.

The user defined configuration file will be included at the
end of the generated file il_cfg.h. Therefore definitions in
the user defined configuration file can overwrite definitions
in the generated configuration file.
Start/Stop API
Boolean

false
The two API functions 'IlStartCycle' and 'IlStopCycle' are
enabled which enable or disable the transmission of one
single cyclic message. This option is necessary for
software tests or special use cases. It is recommended not
to use this option.
Timeout Monitoring on  Boolean  false
If this option is enabled timeout monitoring of a message is
first Reception
started when this message is received for the first time.

Normally timeout monitoring starts after the Rx part of the
Interaction Layer is started or resumed.
ModuleInstance > Il_Vector > Notification Classes > State Machine Transition
Init
Boolean

false
This callback function is called after the Interaction Layer
has been initialized. The callback function itself
(ApplIlInit()) must be provided by the application.
Rx Start
Boolean

false
This callback function is called if the Rx branch of the
Interaction layer is started. The callback function
(ApplIlRxStart()) itself must be provided by the application.
Tx Start
Boolean

false
This callback function is called if the Tx branch of the
Interaction layer is started. The callback function itself
2013, Vector Informatik GmbH
Version: 2.10.03
67 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
(ApplIlTxStart()) must be provided by the application.
Rx Stop
Boolean

false
This callback function is called if the Rx branch of the
Interaction layer is stopped. The callback function itself
(ApplIlRxStop()) must be provided by the application.
Tx Stop
Boolean

false
This callback function is called if the Tx branch of the
Interaction layer is stopped. The callback function itself
(ApplIlTxStop()) must be provided by the application.
ModuleInstance > Il_Vector > Debug Support
Argument Check
Boolean

false
Used to enable extended checks of the arguments passed
to functions of the Interaction Layer. If an error was
detected, the return value of the functions will contain an
error code. This option should be used for debugging
purposes only and not in production code.
Assertion Handling
Boolean

false
The SW component provides built-in debug support
(assertion) to ease up the integration and test into the
user's project.
Please see the technical reference for detailed information
on the available options and how to use them.

In general, the usage of assertions is recommended during
the integration and pre-test phases. It is not recommended
to enable the assertions in production code due to
increased runtime and ROM needs.

The assertion checks the correctness of the assigned
condition and calls an error handler in case this fails. The
error handler is called with an error number. Information
about the defined error numbers is given in the technical
reference.
ModuleInstance > Il_Vector
AUTOSAR Signal API Boolean

false
Configure the Vector Interaction Layer to support the signal
access as defined in the AUTOSAR Specification of
Module COM Version 1.0.0.
Efficient macros are additionally generated if Put/Get
signal access is configured.

A signal is written using:
Com_ReturnType Com_SendSignal(<SigName>,
&<data>);

A signal is read using
Com_ReturnType Com_ReceiveSignal(<SigName>,
&<data>);

Please see the documentation chapter 'AUTOSAR Signal
Interface'.
AUTOSAR
Enum
N.a.
Select the AUTOSAR COM interface that shall be provided
Specification Version
by the Il_Vector.

Detect Active
Boolean false
If this option is enabled an API is activated, to detect, if
Repetitions API
messages are transmitted with repetitions and the

repetitions are active.

API:
1 Channel :Il_Boolean IlTxRepetitionsAreActive()
2013, Vector Informatik GmbH
Version: 2.10.03
68 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
2..N Channels :Il_Boolean
IlTxRepetitionsAreActive(<channel>)
Detect Active Signals Boolean false
If this option is enabled an API is activated, to detect, if
API
signals are active and transmitted with the fast cycle time.

API:
1 Channel :Il_Boolean IlTxSignalsAreActive()
2..N Channels :Il_Boolean
IlTxSignalsAreActive(<channel>)
Reset Rx Timeout
Boolean false
If this option is enabled and the transition IlRxRelease is
Flags On IlRxRelease
performed all rx timeout flags on the channel are cleared.

Boolean

Enable

false
This option enables UpdateBit Support
UpdateBit Support
Channel > Il_Vector > Task Call Cycle Time
IlRxTask [ms]
Integer

10
This is the time base of the receive branch of the
Interaction Layer.

Make sure that the value you enter here in the Generation
Tool is the same as the cycle time for calling the function
'IlRxTask'. If it is not, the timing of the receive branch in the
IL will not work properly (e.g. for timeout monitoring). All
timings of the Rx branch (e.g. timeouts) must be a multiple
of this cycle time.

If you enter e.g. 10 [ms] in the Generation Tool the function
'IlRxTask' must be called every 10ms.
IlTxTask [ms]
Integer

10
This is the time base of the transmit branch of the
Interaction Layer.

Make sure that the value you enter here in the Generation
Tool is the same as the cycle time for calling the function
'IlTxTask'. If it is not, the timing of the transmit branch in
the IL will not work properly (e.g. wrong timing of cylic send
messages). All timings of the Tx branch (e.g. cycle times of
transmit messages) must be a multiple of this cycle time.

If you enter e.g. 10 [ms] in the Generation Tool the function
'IlTxTask' must be called every 10ms.
Message > Il_Vector > Database Attributes
CycleTime [ms]
Integer

0
The CANdb attribute 'GenMsgCycleTime' is displayed as
defined in the dbc file. This value is only relevant for
messages with a cyclic transmission mode. For other
messages '0' is displayed.
CycleTimeFast [ms]
Integer

0
The CANdb attribute 'GenMsgCycleTimeFast' is displayed
as defined in the dbc file. This value is only relevant for
messages with a transmission mode including a fast cyclic
rate. For other messages '0' is displayed.
DelayTime [ms]
Integer

0
The CANdb attribute 'GenMsgDelayTime' is displayed as
defined in the dbc file. This attribute defines the minimum
transmit delay between two subsequent messages of the
same ID.
FastOnStart [ms]
Integer

0
The CANdb attribute 'GenMsgFastOnStart' is displayed as
defined in the dbc file. 'GenMsgFastOnStart' is the duration
2013, Vector Informatik GmbH
Version: 2.10.03
69 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
in ms of a startup phase in which the message is
transmitted with a higher rate (GenMsgCycleTimeFast).
NrOfRepetition
Integer

0
The CANdb attribute 'GenMsgNrOfRepetition' is displayed
as defined in the dbc file. This attribute defines the number
of repetitions of a message caused by signal updates of
signals which have transmission modes with repetition.
TxMessage > Il_Vector
Polling
Boolean

true
The Interaction Layer confirmation of the sent message is
handled in the CAN driver confirmation context. This
context depends on the CAN driver Tx polling
configuration. For details please see the CAN driver
documentation.

CAN driver Tx polling is activated
===========================
If IL polling is activated, the message confirmation is
handled via the CAN driver confirmation flag that is polled
in the 'IlTxTask'. The Interaction Layer notification is
separated from the initial event.

If IL polling is deactivated, the message confirmation is
handled via the CAN driver confirmation function that is
called directly by the CAN driver in its own polling context.

CAN driver Tx polling is deactivated
=============================
If IL polling is activated, the message confirmation is
handled via the CAN driver confirmation flag that is polled
in the 'IlTxTask'. This is to minimize the interrupt load.

If IL polling is deactivated, the message confirmation is
handled via the CAN driver confirmation function that is
called directly by the CAN driver in the interrupt context.
Disabling the polling results in longer ISR run times.

PLEASE NOTE:
The implemented application code in this context must be
programmed interrupt context secure.

It's recommended to use the default.
Send on Init
Boolean

false
If you enable the attribute 'Send on Init' the selected Tx
message is added to the set of messages which will be
transmitted when 'IlSendOnInitMsg()' is called.
If the DBC attribute "NetworkInitialization” is available at a
message, the value of “Send on Init” is derived of this dbc
attribute.
TxMessage > Il_Vector > Database Attributes
StartDelayTime [ms]
Integer

0
The CANdb attribute 'GenMsgStartDelayTime' is displayed
as defined in the dbc file. This attribute defines the time
between 'IlTxStart()' and the begin of the cyclic
transmission of a message.
RxMessage > Il_Vector
2013, Vector Informatik GmbH
Version: 2.10.03
70 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
Polling
Boolean

false
The Interaction Layer indication of the receive message is
handled in the CAN driver indication context. This context
depends on the CAN driver Rx polling configuration. For
details please see the CAN driver documentation.

CAN driver Rx polling is activated
===========================
If IL polling is activated, the message indication is handled
via the CAN driver indication flag that is polled in the
'IlRxTask'. The Interaction Layer notification is separated
from the initial event.

If IL polling is deactivated, the message indication is
handled via the CAN driver indication function that is called
directly by the CAN driver in its own polling context.

CAN driver Rx polling is deactivated
=============================
If IL polling is activated, the message indication is handled
via the CAN driver indication flag that is polled in the
'IlRxTask'. This is to minimize the interrupt load.

If IL polling is deactivated, the message indication is
handled via the CAN driver indication function that is called
directly by the CAN driver in the interrupt context.
PLEASE NOTE:
The implemented application code in this context must be
programmed interrupt context secure.

It's recommended to use the default.
RxMessage > Il_Vector > Notification Classes
Timeout Function
String

If a valid function name is defined in the IL 'Timeout
Function' field, this function is called by the Interaction
Layer when a timeout of this receive message occurs. The
timeout time for this message is defined in the data base
file (dbc).

API: void Appl<MsgName>MsgTimeout(void)
MsgSignal > Il_Vector > Database Attributes
InactiveValue
String

0
The CANdb attribute 'GenSigInactiveValue' is displayed as
defined in the dbc file. This attribute is relevant for signals
with the transmission mode 'IfActive'.
RxSignal > Il_Vector > Signal Access
Put
Boolean

false
The generation of signal value write access macros and -
functions for receive signals can be enabled or disabled. If
enabled, the Generation Tool will generate macros and
functions for signal access using the signal names in the
network data base (macros or functions, depending on the
type of the signal).

API:
 Length <=1Byte void IlPutRx<SigName>(vuint8 data)
1Byte< Length <=2Byte void IlPutRx<SigName>(vuint16
2013, Vector Informatik GmbH
Version: 2.10.03
71 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
data)
2Byte< Length <=4Byte void IlPutRx<SigName>(vuint32
data)
4Byte< Length void IlPutRx<SigName>(vuint8*
pData)

If the AUTOSAR signal API is enabled, set the signal value
via
Com_ReturnType Com_SendSignal(<SigName>,
&<data>);

Please see the documentation of Il_Vector, chapter
'AUTOSAR Signal Interface'.
Get
Boolean

true
The generation of signal value read access macros and -
functions for receive signals can be enabled or disabled. If
enabled, the Generation Tool will generate macros and
functions for signal access using the signal names in the
network data base (macros or functions, depending on the
type of the signal).

API:
 Length <=1Byte vuint8 IlGetRx<SigName>(void)
1Byte< Length <=2Byte vuint16
 IlGetRx<SigName>(void)
2Byte< Length <=4Byte vuint32
 IlGetRx<SigName>(void)
4Byte< Length void IlGetRx<SigName>(vuint8*
pData)

If the AUTOSAR signal API is enabled, read the signal
value via
Com_ReturnType Com_ReceiveSignal(<SigName>,
&<data>)

Please see the documentation of Il_Vector, chapter
'AUTOSAR Signal Interface'.
RDS
Boolean

false
Enable macros to read from the Rx register of the CAN
controller. This switch will be used for example by the
'DataChanged' flag.

CAUTION:
Use these macros in a PreCopy function only!

API:
 Length <=1Byte vuint8 IlGetRxCAN<SigName>(void)
1Byte< Length <=2Byte vuint16
 IlGetRxCAN<SigName>(void)
2Byte< Length <=4Byte vuint32
 IlGetRxCAN<SigName>(void)
4Byte< Length void IlGetRxCAN<SigName>(vuint8*
pData)
RxSignal > Il_Vector > Notification Classes > Indication
Flag
Pool

N.a.
If this signal is received, one or more flags with the same
names plus pre- and postfix from the name decorator
configuration view will be set.
2013, Vector Informatik GmbH
Version: 2.10.03
72 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value

CAUTION:
The flag(s) must be reset by the application. It is
recommended to use the macros for flag manipulation.

API:
vuint8 IlGetRx<SigName>SigIndication(void)
void IlSetRx<SigName>SigIndication(void)
void IlClrRx<SigName>SigIndication(void)
vuint8 IlGetClrRx<SigName>SigIndication(void)
Function
Pool

N.a.
If this signal is received, one or more functions with these
names plus pre- and postfix from the name decorator
configuration view will be called.

CAUTION:
- The function(s) may run in interrupt context (if polling is
not activated), so keep action short within.
- If you use more than one indication function they are
called in the order they are displayed in GENy.

API: void ApplIl<SigName>SigIndication(void)
RxSignal > Il_Vector > Notification Classes > Firstvalue
Flag
Pool

N.a.
If this signal is received for the first time after the system
startup the 'FirstValue' flag will be set. This flag can not
and should not be reset. The only reset is a restart of the
Interaction Layer.

API:
vuint8 IlGetRx<SigName>SigFirstvalue(void)
void IlSetRx<SigName>SigFirstvalue(void)
void IlClrRx<SigName>SigFirstvalue(void)
RxSignal > Il_Vector > Notification Classes > DataChanged
Flag
Pool

N.a.
If this signal is received and the new signal value differs
from the current signal value, the 'DataChanged' flag(s)
are set. The name of the flags are built-up using this name
plus pre- and postfixes from the name decorator
configuration view.

CAUTION:
The flag(s) must be reset by the application. It is
recommended to use the macros for flag manipulation.

API:
vuint8 IlGetRx<SigName>SigDataChanged(void)
void IlSetRx<SigName>SigDataChanged(void)
void IlClrRx<SigName>SigDataChanged(void)
RxSignal > Il_Vector > Notification Classes > Timeout
Flag
Pool

N.a.
The interaction layer is able to supervise receive signals. If
the message containing the signal is not received within a
(in data base file dbc) predefined time one ore more
timeout flags are set. The name of the flags are built-up
using this name plus pre- and postfixes from the name
decorator configuration view.

2013, Vector Informatik GmbH
Version: 2.10.03
73 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
CAUTION:
The flag(s) must be reset by the application. It is
recommended to use the macros for flag manipulation.

API:
vuint8 IlGetRx<SigName>SigTimeout(void)
void IlSetRx<SigName>SigTimeout(void)
void IlClrRx<SigName>SigTimeout(void)
Function
Pool

N.a.
The interaction layer is able to supervise receive signals. If
the message containing the signal is not received within a
(in data base file dbc) predefined time one ore more
timeout functions are called. The name of the functions are
built-up using these names plus pre- and postfixes from
the name decorator configuration view.

CAUTION:
- The function(s) may run in interrupt context (if polling is
not activated), so keep action short within.
- If you use more than one indication function they are
called in the order they are displayed in GENy.

API: void ApplIl<SigName>SigTimeout(void)
RxSignal > Il_Vector > Notification Classes > State Machine Transition
Init
String

If you enter a function name you determine for this receive
signal that an init function shall be called after the
Interaction Layer was initialized. The default is the name of
the signal, but you can change this name. The final name
of the function will be determined out of the defined pre-
and postfixes on the name decorator configuration view
and the specified name.

API: void ApplIl<SigName>RxInit(void)
Start
String

If you enter a function name you determine for this receive
signal that this start function shall be called after the
Interaction Layer was switched to the running state. The
default is the name of the signal, but you can change this
name. The final name of the function will be determined
out of the defined pre- and postfixes on the name
decorator configuration view and the specified name.

API: void ApplIl<SigName>RxStart(void)
Stop
String

If you enter a function name you determine for this receive
signal that this stop function shall be called after the
Interaction Layer was suspended. The default is the name
of the signal, but you can change this name. The final
name of the function will be determined out of the defined
pre- and postfixes on the name decorator configuration
view and the specified name.

API: void ApplIl<SigName>RxStop(void)
RxSignal > Il_Vector > Default Value
Init
Boolean

false
Use the default values below at initialization time to
initialize the signal buffer. If you enable this feature, the
fields
2013, Vector Informatik GmbH
Version: 2.10.03
74 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
- Start default
- Stop default
- Default value
will be activated and can be configured, too.
Start
Boolean

false
Use the default value to initialize the signal buffer within
the callcontext of 'IlRxStart()'. To use this option the default
of 'Init' must be used, too.
Stop
Boolean

false
Use the default value, which is set in the callcontext
'IlRxStop()' to initialize the signal buffer. To use this option
the default at 'IlInit()' must be used, too.
Value
String

0
Use the default value within 'IlInit()', 'IlRxStart()' and
'IlRxStop()' to initialize the signal buffer. The data type of
the default value depends on the data type of the related
signal.
RxSignal > Il_Vector > Default Value > Timeout
Enable
Boolean

false
Use the default value to replace the signal value in case of
a timeout.
Value
String

0x0
Default value to replace the signal value in case of timeout.
The data type of the default value depends on the data
type of the related signal. The attribute in the data base file
must be set to be able to set the wanted default value.
RxSignal > Il_Vector > API
Dynamic Timeout
Boolean

false
The timeout of the receive signals can be set dynamically.
If enabled an additional API to access the timer is
provided. This functionality is required for special use
cases and should normally be disabled.

API:
* IlGetRx<SigName>DynRxTimeout (void)
void IlSetRx<SigName>DynRxTimeout(*)
void IlStartRx<SigName>DynRxTimeout(void)
void IlStopRx<SigName>DynRxTimeout(void)
* This type depends on the configuration.
TxSignal > Il_Vector > Signal Access
Put
Boolean

true
The generation of signal value write access macros and
functions for send signals can be enabled or disabled. If
enabled, the Generation Tool will generate macros and
functions for signal access using the signal names in the
network data base (macros or functions, depending on the
type of the signal).

API:
 Length <=1Byte void IlPutTx<SigName>(vuint8 data)
1Byte< Length <=2Byte void IlPutTx<SigName>(vuint16
data)
2Byte< Length <=4Byte void IlPutTx<SigName>(vuint32
data)
4Byte< Length void IlPutTx<SigName>(vuint8* pData)

If the AUTOSAR signal API is enabled, set the signal value
via
Com_ReturnType Com_SendSignal(<SigName>,
&<data>);
2013, Vector Informatik GmbH
Version: 2.10.03
75 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value

For details please see the documentation of Il_Vector,
chapter 'AUTOSAR Signal Interface'.
Get
Boolean

false
The generation of signal value read access macros and
functions for send signals can be enabled or disabled. If
enabled, the Generation Tool will generate macros and
functions for signal access using the signal names in the
network data base (macros or functions, depending on the
type of the signal).

API:
 Length <=1Byte vuint8 IlGetTx<SigName>(void)
1Byte< Length <=2Byte vuint16
 IlGetTx<SigName>(void)
2Byte< Length <=4Byte vuint32
 IlGetTx<SigName>(void)
4Byte< Length void IlGetTx<SigName>(vuint8* pData)

If the AUTOSAR signal API is enabled, read the signal
value via
Com_ReturnType Com_ReceiveSignal(<SigName>,
&<data>)

For details please see the documentation of Il_Vector,
chapter 'AUTOSAR Signal Interface'.
RDS
Boolean

false
Macros to write and read the Tx register of the CAN
controller. These macros can only be used in the context of
the PreTransmit function.

Set API:
 Length <=1Byte void IlPutTxCAN<SigName>(vuint8
data)
1Byte< Length <=2Byte void
IlPutTxCAN<SigName>(vuint16 data)
2Byte< Length <=4Byte void
IlPutTxCAN<SigName>(vuint32 data)
4Byte< Length void IlPutTxCAN<SigName>(vuint8*
pData)
TxSignal > Il_Vector > Notification Classes > Confirmation
Flag
Boolean

false
After successful transmission of a signal, the Interaction
Layer sets the confirmation flag.

API:
vuint8 IlGetIlTx<SigName>SigConfirmation()
void IlSetIlTx<SigName>SigConfirmation()
void IlClrIlTx<SigName>SigConfirmation()
Function
String

If you enter a function name you determine for this transmit
signal that a confirmation function shall be called after
transmission of this signal. The default is the name of the
signal, but you can change this name. The final name of
the function will be determined out of the defined pre- and
postfixes on the name decorator configuration view and
the specified name.

API: void ApplIl<SigName>SigConfirmation(void)
2013, Vector Informatik GmbH
Version: 2.10.03
76 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
TxSignal > Il_Vector > Notification Classes > Timeout
Flag
Boolean

false
To supervise the actual transmission of signals, a timeout
flag can be configured. If a signal is sent and the
confirmation is not received until timeout, the application
will be notified by this timeout flag.

API:
vuint8 IlGetIlTx<SigName>SigTimeout()
void IlSetIlTx<SigName>SigTimeout()
void IlClrIlTx<SigName>SigTimeout()
Function
String

If you enter a function name you determine for this transmit
signal that a timeout function shall be called if the
confirmation will not occur in time. The default is the name
of the signal, but you can change this name. The final
name of the function will be determined out of the defined
pre- and postfixes on the name decorator configuration
view and the specified name.

API: void ApplIl<SigName>SigTimeout(void)
TxSignal > Il_Vector > Notification Classes > State Machine Transition
Init
String

If you enter a function name you determine for this transmit
signal that an init function shall be called after the
Interaction Layer was initialized. The default is the name of
the signal, but you can change this name. The final name
of the function will be determined out of the defined pre-
and postfixes on the name decorator configuration view
and the specified name.

API: void ApplIl<SigName>TxInit(void)
Start
String

If you enter a function name you determine for this transmit
signal that a start function shall be called after the
Interaction Layer was switched to the running state. The
default is the name of the signal, but you can change this
name. The final name of the function will be determined
out of the defined pre- and postfixes on the name
decorator configuration view and the specified name.

API: void ApplIl<SigName>TxStart(void)
Stop
String

If you enter a function name you determine for this transmit
signal that a stop function shall be called after the
Interaction Layer was suspended. The default is the name
of the signal, but you can change this name. The final
name of the function will be determined out of the defined
pre- and postfixes on the name decorator configuration
view and the specified name.

API: void ApplIl<SigName>TxStop(void)
TxSignal > Il_Vector > Default Value
Init
Boolean

false
Use the default value at initialization time to initialize the
signal buffer. If you activate the initialization default value
handling, the following fields (Start, Stop and Value) will be
enabled and can be configured, too.
Start
Boolean

false
Use the default value to initialize the signal buffer within
the callcontext of 'IlTxStart()'. To use this option 'Init' in
2013, Vector Informatik GmbH
Version: 2.10.03
77 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default Description
Type
Value
'Default Value' must be activated, too.
Stop
Boolean

false
Use the default value with 'IlTxStop' to initialize the signal
buffer. To use this option 'Init' in 'Default Value' must be
activated, too.
Value
String

0
Use the default value within 'IlInit()', 'IlTxStart()' and
'IlTxStop()' to initialize the signal buffer. The data type of
the default value depends on the data type of the related
signal. To use this option 'Init' in 'Default Value' must be
activated, too.
MsgSignalContainer > Il_Vector > Signal Access
Shadow Buffer
Boolean

false
If this option is enabled, the appplication has to provide the
shadow buffer for signal groups.
Due to this setting, the signal group API changes. For
detailed information please see the technical reference of
IL_Vector.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > Confirmation
Prefix
String

Appl
Specify the prefix for the signal confirmation function.
Postfix
String
Specify the postfix for the signal confirmation function.

SigConfir

mation
ModuleInstance > Il_Vector > Notification Mechanism > Functions > Indication
Prefix
String

Appl
Specify the prefix for the signal indication function.
Postfix
String
Specify the postfix for the signal indication function.

SigIndica

tion
ModuleInstance > Il_Vector > Notification Mechanism > Functions > Tx Timeout
Signal Prefix
String

Appl
Specify the prefix for the signal based timeout function.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > Rx Timeout
Signal Prefix
String

Appl
Specify the prefix for the signal based timeout function.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > Tx Timeout
Signal Postfix
String
Specify the postfix for the signal based timeout function.

TxSigTim

eout
ModuleInstance > Il_Vector > Notification Mechanism > Functions > Rx Timeout
Signal Postfix
String
Specify the postfix for the signal based timeout function.

RxSigTi

meout
Message Prefix
String

Appl
Specify the prefix for the message based timeout function.
Message Postfix
String
Specify the postfix for the message based timeout

MsgTime
out
function.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > State Machine Transition > Rx Init
Prefix
String

Appl
Specify the prefix for the Rx signal init callback function.
Postfix
String

RxInit
Specify the postfix for the Rx signal init callback function.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > State Machine Transition > Tx Init
Prefix
String

Appl
Specify the prefix for the Tx signal init callback function.
Postfix
String

TxInit
Specify the postfix for the Tx signal init callback function.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > State Machine Transition > Rx Start
Prefix
String

Appl
Specify the prefix for the Rx signal start callback function.
Postfix
String

RxStart
Specify the postfix for the Rx signal start callback function.
2013, Vector Informatik GmbH
Version: 2.10.03
78 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default  Description
Type
Value
ModuleInstance > Il_Vector > Notification Mechanism > Functions > State Machine Transition > Tx Start
Prefix
String

Appl
Specify the prefix for the Tx signal start callback function.
Postfix
String

TxStart
Specify the postfix for the Tx signal start callback function.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > State Machine Transition > Rx Stop
Prefix
String

Appl
Specify the prefix for the Rx signal stop callback function.
Postfix
String

RxStop
Specify the postfix for the Rx signal stop callback function.
ModuleInstance > Il_Vector > Notification Mechanism > Functions > State Machine Transition > Tx Stop
Prefix
String

Appl
Specify the prefix for the Tx signal stop callback function.
Postfix
String

TxStop
Specify the postfix for the Tx signal stop callback function.
ModuleInstance > Il_Vector > Signal Access > Rx
Get Prefix
String

IlGetRx
Specify the prefix for the Rx signal read access functions
and macros.
Put Prefix
String

IlPutRx
Specify the prefix for the Rx signal write access functions
and macros.
ModuleInstance > Il_Vector > Signal Access > Tx
Get Prefix
String

IlGetTx
Specify the prefix for the Tx signal read access functions
and macros.
Put Prefix
String

IlPutTx
Specify the prefix for the Tx signal write access functions
and macros.
ModuleInstance > Il_Vector > RDS Signal Access
Rx Get Prefix
String
Specify the prefix for the Rx signal read access functions

IlGetRxC
AN
and macros.
Tx Put Prefix
String
Specify the prefix for the Tx signal write access functions

IlPutTxC
AN
and macros.
ModuleInstance > Il_Vector > Signal Access > Rx
SignalGroup Get
String
IlGetRx
Specify the prefix for the Rx signal group read access
Prefix
functions and macros.

SignalGroup Put
String
IlPutRx
Specify the prefix for the Rx signal group write access
Prefix
functions and macros.

ModuleInstance > Il_Vector > Signal Access > Tx
SignalGroup Get
String
IlGetTx
Specify the prefix for the Tx signal group read access
Prefix
functions and macros.

SignalGroup Put
String
IlPutTx
Specify the prefix for the Tx signal group write access
Prefix
functions and macros.

ModuleInstance > Il_Vector > Dynamic Rx Timeout API
Get Prefix
String

IlGetRx
Specify a prefix for the user defined
IlGetRxDynamicTimeout function.
Set Prefix
String

IlSetRx
Specify a prefix for the user defined
IlSetRxDynamicTimeout function.
Start Prefix
String

IlStartRx  Specify a prefix for the user defined
IlStartRxDynamicTimeout function.
Stop Prefix
String

IlStopRx  Specify a prefix for the user defined
IlStopRxDynamicTimeout function.
Postfix
String
Specify a postfix for the generated DynamicApi

DynRxTi
meout
macros/functions.
2013, Vector Informatik GmbH
Version: 2.10.03
79 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Attribute Name
Value
Default  Description
Type
Value
ModuleInstance > Il_Vector > Notification Mechanism > Flags > Prefixes
Get
String

IlGet
Specify the prefix for macros to read flags.
Set
String

IlSet
Specify the prefix for macros to write flags.
Clear
String

IlClr
Specify the prefix for macros to clear flags.
Get + Clear
String

IlGetClr
Specify the prefix for macros to read and clear flags.
ModuleInstance > Il_Vector > Notification Mechanism > Flags > Postfixes
Indication
String
Specify the postfix for indication flag macros.

Indicatio

n
Confirmation
String
Specify the postfix for confirmation flag macros.

Confirma

tion
FirstValue
String
Specify the postfix for FirstValue flag macros.

Firstvalu

e
Tx Timeout
String
Specify the postfix for Tx timeout flag macros.

TxTimeo

ut
Rx Timeout
String
Specify the postfix for Rx timeout flag macros.

RxTimeo

ut
DataChanged
String
Specify the postfix for DataChanged flag macros.

DataCha

nged
MsgSignal > Il_Vector > Database Attributes
MsgSendType
Object

N.a.
CANdb attribute 'GenMsgSendType'
SigSendType
Object

N.a.
CANdb attribute 'GenSigSendType'
Message > Il_Vector > Database Attributes
SendType
Object

N.a.
CANdb attribute 'GenMsgSendType'
Table 5-1
GENy attributes

2013, Vector Informatik GmbH
Version: 2.10.03
80 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

6 API Description
6.1.1
TypeDefinitions
The types defined by the Interaction Layer are described in this chapter.
Type Name
C-Type
Description
Value Range
CanChannelHandle
c-type
Can Driver channel object
0..<ChannelIdmax>
identifier.
Zero-based integer number
IlReceiveHandle
c-type
Interaction Layer Rx message
0..<RxMessageIdmax>
object identifier.
Zero-based integer number
IlTransmitHandle
c-type
Interaction Layer Tx message
0..<TxMessageIdmax>
object identifier.
Zero-based integer number
Il_Status
c-type
Il_Status : the value must be

decoded with the following set
of macros.
The macros will return 0 (false)
or 1 (true).
- IlIsTxRun(state) : Tx is
running
- IlIsTxWait(state) : Tx is
waiting
- IlIsTxSuspend(state) : Tx is
suspended
- IlIsRxRun(state) : Rx is
running
- IlIsRxWait(state) : Rx is
waiting
- IlIsRxSuspend(state) : Rx is
suspended
Il_Boolean
c-type
A boolean result defined by the IL_FALSE
Interaction Layer.
IL_TRUE
"_c_" and
c-type
The SignalGroupBufferType is
the network signal group
a generated data type for each
name
signal group.
and the postfix "_buf".
tIlModuleContextStructPtr c-type
pointer to a

tIlModuleContextStruct struct
Table 6-1
Type definitions

2013, Vector Informatik GmbH
Version: 2.10.03
81 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

6.1.2
Services provided by Interaction Layer

Caution
The APIs of the IL do not support reentrant calls and must not interrupt each other.
Exceptions are described in the API description. See also chapter 4.3 Operating
Systems Requirements.

6.1.2.1
IlInitPowerOn

IlInitPowerOn
Prototype
void IlInitPowerOn (void)
Parameter
void
none

Return code
void
none

Functional Description
This method initializes the Il_Vector on all channels.
IlInit is called for every channel.
Particularities and Limitations
The function is called by the Application or Ccl (Communication Control Layer).
Call context
The function must be called with disabled interrupts.
The function must not interrupt IlRxTask, IlRxStateTask, IlTxTask, IlTxStateTask, IlInit, IlRxStart, IlTxStart,
IlRxStop, IlTxStop.

6.1.2.2
IlInit
IlInit
Prototype
Single Channel
Single Receive Channel
void IlInit (void)
Multi Channel
Indexed (MRC)
void IlInit (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
82 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
This method initializes the Il_Vector on a channel.
Rx and Tx data buffers and flags are set to the initial state. If no default value for a message is defined, the
data buffer is set to 0x00.
Particularities and Limitations
The function is called by the Application, Ccl (Communication Control Layer) or IlInitPowerOn.
Call context
The function must be called with disabled interrupts.
The function must not interrupt IlRxTask, IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlRxStart,
IlTxStart, IlRxStop, IlTxStop.

6.1.2.3
IlRxStart
IlRxStart
Prototype
Single Channel
Single Receive Channel
void IlRxStart (void)
Multi Channel
Indexed (MRC)
void IlRxStart (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method enables the reception of messages. The transition "start" of the Rx state machine is
performed.
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function must be called on task level.
The function must not interrupt IlRxTask, IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlInit,
IlTxStart, IlRxStop, IlTxStop.

6.1.2.4
IlTxStart
IlTxStart
Prototype
Single Channel
Single Receive Channel
void IlTxStart (void)
Multi Channel
Indexed (MRC)
void IlTxStart (CanChannelHandle channel)
2013, Vector Informatik GmbH
Version: 2.10.03
83 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method enables the transmission of messages and starts the transmission of periodic messages. The
transition "start" of the Tx state machine is performed.
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function must be called on task level.
The function must not interrupt IlRxTask, IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlInit,
IlTxStart, IlRxStop, IlTxStop.

6.1.2.5
IlRxStop
IlRxStop
Prototype
Single Channel
Single Receive Channel
void IlRxStop (void)
Multi Channel
Indexed (MRC)
void IlRxStop (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method disables the reception of messages. The transition "stop" of the Rx state machine is
performed. The method is used for example to enter the Sleep Mode of an ECU.
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function must be called on task level.
The function must not interrupt IlRxTask, IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlInit,
IlTxStart, IlRxStop, IlTxStop.

6.1.2.6
IlTxStop
IlTxStop
Prototype
Single Channel
Single Receive Channel
void IlTxStop (void)
2013, Vector Informatik GmbH
Version: 2.10.03
84 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Multi Channel
Indexed (MRC)
void IlTxStop (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method disables the transmission of messages (Sleep Mode). The transition "stop" of the Tx state
machine is performed. The method is used for example to enter the Sleep Mode of an ECU.
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function must be called on task level.
The function must not interrupt IlInitPowerOn, IlInit, IlRxTask, IlRxStateTask, IlRxTimerTask, IlTxTask,
IlTxStateTask, IlTxTimerTask, IlRxStart, IlTxStart, IlRxStop

6.1.2.7
IlRxWait
IlRxWait
Prototype
Single Channel
Single Receive Channel
void IlRxWait (void)
Multi Channel
Indexed (MRC)
void IlRxWait (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method halts the timeout monitoring of reception messages. The transition "wait" of the Rx state
machine is performed. The method is used for example when the bus-off mode of an ECU was entered.‎
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function can be called on task and interrupt level.

2013, Vector Informatik GmbH
Version: 2.10.03
85 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

6.1.2.8
IlTxWait
IlTxWait
Prototype
Single Channel
Single Receive Channel
void IlTxWait (void)
Multi Channel
Indexed (MRC)
void IlTxWait (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method halts the transmission of messages. The transition "wait" of the Tx state machine is
performed. The method is used for example when the bus-off mode of an ECU was entered.
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function can be called on task and interrupt level.

6.1.2.9
IlRxRelease
IlRxRelease
Prototype
Single Channel
Single Receive Channel
void IlRxRelease (void)
Multi Channel
Indexed (MRC)
void IlRxRelease (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
The transition "release" of the Rx state machine is performed.
-Restart the Rx Timeout Monitoring
-Clear the timeout flags if IL_ENABLE_SYS_RX_RESET_TIMEOUT_FLAGS_ON_ILRXRELEASE is
defined.
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function can be called on task and interrupt level.
2013, Vector Informatik GmbH
Version: 2.10.03
86 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

6.1.2.10  IlTxRelease
IlTxRelease
Prototype
Single Channel
Single Receive Channel
void IlTxRelease (void)
Multi Channel
Indexed (MRC)
void IlTxRelease (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method resumes the transmission of messages from the "Waiting" state. The transition "release" of the
Tx state machine is performed.
Particularities and Limitations
The function is called by the Application or Nm (Network Management).
Call context
The function can be called on task and interrupt level.

6.1.2.11  IlRxTask
IlRxTask
Prototype
Single Channel
Single Receive Channel
void IlRxTask (void)
Multi Channel
Indexed (MRC)
void IlRxTask (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method must be called periodically in the Rx task cycle time configured in the generation tool. The
IlRxTimerTask and IlRxStateTask are called by this method.
Particularities and Limitations
The function is called by the Application or Ccl (Communication Control Layer).
Call context
2013, Vector Informatik GmbH
Version: 2.10.03
87 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

The function must be called on task level.
The function must not interrupt IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlInit, IlRxStart,
IlTxStart, IlRxStop, IlTxStop

6.1.2.12  IlTxTask
IlTxTask
Prototype
Single Channel
Single Receive Channel
void IlTxTask (void)
Multi Channel
Indexed (MRC)
void IlTxTask (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method must be called periodically in the Tx task cycle time configured in the generation tool. The
IlTxTimerTask and IlTxStateTask are called by this method.
Particularities and Limitations
The function is called by the Application or Ccl (Communication Control Layer).
Call context
The function must be called on task level.
The function must not interrupt IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlInit, IlRxStart,
IlTxStart, IlRxStop, IlTxStop

6.1.2.13  IlRxStateTask
IlRxStateTask
Prototype
Single Channel
Single Receive Channel
void IlRxStateTask (void)
Multi Channel
Indexed (MRC)
void IlRxStateTask (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method is called periodically by the IlRxTask. The function can be called in a faster rate than the
IlRxTask to check additionally for polled indication events. The usage of the IlRxTask shall be preferred.
2013, Vector Informatik GmbH
Version: 2.10.03
88 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Particularities and Limitations
The function is called by the Application or IlRxTask.
Call context
The function must be called on task level.
The function must not interrupt IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlInit, IlRxStart,
IlTxStart, IlRxStop, IlTxStop

6.1.2.14  IlTxStateTask
IlTxStateTask
Prototype
Single Channel
Single Receive Channel
void IlTxStateTask (void)
Multi Channel
Indexed (MRC)
void IlTxStateTask (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method is called periodically by the IlTxTask. The function can be called in a faster rate, than the
IlTxTask, to check additionally for polled confirmation events. The usage of the IlTxTask shall be preferred.
Particularities and Limitations
The function is called by the Application or IlTxTask.
Call context
The function must be called on task level.
The function must not interrupt IlRxStateTask, IlTxTask, IlTxStateTask, IlInitPowerOn, IlInit, IlRxStart,
IlTxStart, IlRxStop, IlTxStop

6.1.2.15  IlSendOnInitMsg
IlSendOnInitMsg
Prototype
Single Channel
Single Receive Channel
void IlSendOnInitMsg (void)
Multi Channel
Indexed (MRC)
void IlSendOnInitMsg (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
89 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
This method serves to set a transmission request flag for all messages configured as SendOnInit
messages.
Particularities and Limitations
The function is called by the Application.
Call context
The function must be called on task level.

6.1.2.16  IlGetStatus
IlGetStatus
Prototype
Single Channel
Single Receive Channel
Il_Status IlGetStatus (void)
Multi Channel
Indexed (MRC)
Il_Status IlGetStatus (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
Il_Status
Il_Status : the value must be decoded with the following set of macros.

The macros will return 0 (false) or 1 (true).
- IlIsTxRun(state) : Tx is running
- IlIsTxWait(state) : Tx is waiting
- IlIsTxSuspend(state) : Tx is suspended
- IlIsRxRun(state) : Rx is running
- IlIsRxWait(state) : Rx is waiting
- IlIsRxSuspend(state) : Rx is suspended
Functional Description
Gets the current state of the Interaction Layer state machine.
Particularities and Limitations
The function is called by the Application.
Call context
The function can be called on task and interrupt level.

6.1.2.17  IlTxRepetitionsAreActive
IlTxRepetitionsAreActive
Prototype
Single Channel
Single Receive Channel
Il_Boolean IlTxRepetitionsAreActive (void)
Multi Channel
2013, Vector Informatik GmbH
Version: 2.10.03
90 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Indexed (MRC)
Il_Boolean IlTxRepetitionsAreActive
(CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
Il_Boolean
IL_TRUE : Messages with repetitions are queued for transmission.

IL_FALSE : No message with repetitions is queued for transmission.
Functional Description
This method can be used to detect if messages with repetitions are queued for transmission on a channel.
Particularities and Limitations
The function is called by the Application.
Caution
The function does not support Virtual Networks.

Call context
The function can be called on task and interrupt level.

6.1.2.18 IlTxSignalsAreActive
IlTxSignalsAreActive
Prototype
Single Channel
Single Receive Channel
Il_Boolean IlTxSignalsAreActive (void)
Multi Channel
Indexed (MRC)
Il_Boolean IlTxSignalsAreActive (CanChannelHandle
channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
Il_Boolean
IL_TRUE : Signals are in the active state.

IL_FALSE : No signal is in the active state.
Functional Description
This method can be used to detect if signals are active on a channel.
Particularities and Limitations
The function is called by the Application.
Caution
The function does not support Virtual Networks.

Call context
The function can be called on task and interrupt level.

2013, Vector Informatik GmbH
Version: 2.10.03
91 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

6.1.3
Generated Services provided by the Interaction Layer

Info
The generated service declarators in this chapter are depending on the configuration.

6.1.3.1
Read and Write Signals and Signal Groups

WriteSignalByValue
Prototype
void WriteSignalByValue (vuintx sigData)
Parameter
sigData
new value of the signal.

(vuint8) : The length of the network signal is between 1 and 8 bits.
(vuint16) : The length of the network signal is between 9 and 16 bits.
(vuint32) : The length of the network signal is between 17 and 32 bits.
Return code
void
none

Functional Description
Write a signal value to the message buffer and evaluate the transmission mode for Tx signals. The function
is generated optimized for the configuration and can be a function like macro or generated function. The
generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlPutTx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

WriteSignalByReference
Prototype
void WriteSignalByReference (vuint8 *pData)
Parameter
pData
pointer to a vuint8 array with the new value of the signal. The length of the

network signal is between 33 and 64 bits.
Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
92 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
Write a signal value to the message buffer and evaluate transmission mode for Tx signals. The function is
generated optimized for the configuration and can be a function like macro or generated function. The
generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlPutTx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

ReadSignalByValue
Prototype
vuintx ReadSignalByValue (void)
Parameter
void
none

Return code
vuintx
(vuint8) : The length of the network signal is between 1 and 8 bits.

(vuint16) : The length of the network signal is between 9 and 16 bits.
(vuint32) : The length of the network signal is between 17 and 32 bits.
Functional Description
Read a signal value from the message buffer. The function is generated optimized for the configuration and
can be a function like macro or generated function. The generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlGetRx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

ReadSignalByReference
Prototype
void ReadSignalByReference (vuint8 *pData)
Parameter
pData
pointer to a vuint8 array where the value of the signal shall be stored. The

length of the network signal is between 33 and 64 bits.
Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
93 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
Read a signal value from the message buffer. The generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlGetRx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

WriteGroupedSignalByValue
Prototype
void WriteGroupedSignalByValue (SignalGroupBufferType pBuffer, vuintx
sigData)
Parameter
pBuffer
pointer to the signal group buffer.

(SignalGroupBufferType) : the generated data type for each signal group.
->"Shadow Buffer" is enabled in the configuration for the signal group:
The application has to provide a shadow buffer with the generated type.
The generated data type name can be identified by the prefix "_c_" and the
network signal group name and the postfix "_buf".
->"Shadow Buffer" is disabled in the configuration for the signal group:
The parameter is omitted and the IL provides the shadow buffer.
sigData
new value of the signal.

(vuint8) : The length of the network signal is between 1 and 8 bits.
(vuint16) : The length of the network signal is between 9 and 16 bits.
(vuint32) : The length of the network signal is between 17 and 32 bits.
Return code
void
none

Functional Description
Write a grouped signal value to the signal group buffer. The function is generated optimized for the
configuration and can be a function like macro or generated function. The generated prototype declarator is
composed of
- a configurable prefix for writing signals and
- the network signal name and
- "ShadowBuffer" e.g. <IlPutTx><NetworkSignalName>ShadowBuffer.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

WriteGroupedSignalByReference
2013, Vector Informatik GmbH
Version: 2.10.03
94 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Prototype
void WriteGroupedSignalByReference (SignalGroupBufferType pBuffer,
vuint8 *pData)
Parameter
pBuffer
pointer to the signal group buffer.

(SignalGroupBufferType) : the generated data type for each signal group.
->"Shadow Buffer" is enabled in the configuration for the signal group:
The application has to provide a shadow buffer with the generated type.
The generated data type name can be identified by the prefix "_c_" and the
network signal group name and the postfix "_buf".
->"Shadow Buffer" is disabled in the configuration for the signal group:
The parameter is omitted and the IL provides the shadow buffer.
pData
pointer to a vuint8 array with the new value of the signal. The length of the

network signal is between 33 and 64 bits.
Return code
void
none

Functional Description
Write a grouped signal value to the signal group buffer. The function is generated optimized for the
configuration and can be a function like macro or generated function. The generated prototype declarator is
composed of
- a configurable prefix for writing signals and
- the network signal name and
- "ShadowBuffer"
e.g. <IlPutTx><NetworkSignalName>ShadowBuffer.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

ReadGroupedSignalByValue
Prototype
vuintx ReadGroupedSignalByValue (SignalGroupBufferType pBuffer)
Parameter
pBuffer
pointer to the signal group buffer.

(SignalGroupBufferType) : the generated data type for each signal group.
->"Shadow Buffer" is enabled in the configuration for the signal group:
The application has to provide a shadow buffer with the generated type.
The generated data type name can be identified by the prefix "_c_" and the
network signal group name and the postfix "_buf".
->"Shadow Buffer" is disabled in the configuration for the signal group:
The parameter is omitted and the IL provides the shadow buffer.
Return code
vuintx
(vuint8) : The length of the network signal is between 1 and 8 bits.

(vuint16) : The length of the network signal is between 9 and 16 bits.
(vuint32) : The length of the network signal is between 17 and 32 bits.
2013, Vector Informatik GmbH
Version: 2.10.03
95 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
Read a signal value from the message buffer. The function is generated optimized for the configuration and
can be a function like macro or generated function. The generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name and
- "ShadowBuffer"
e.g. <IlGetRx><NetworkSignalName>ShadowBuffer.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

ReadGroupedSignalByReference
Prototype
void ReadGroupedSignalByReference (SignalGroupBufferType pBuffer,
vuint8 *pData)
Parameter
pBuffer
pointer to the signal group buffer.

(SignalGroupBufferType) : the generated data type for each signal group.
->"Shadow Buffer" is enabled in the configuration for the signal group:
The application has to provide a shadow buffer with the generated type.
The generated data type name can be identified by the prefix "_c_" and the
network signal group name and the postfix "_buf".
->"Shadow Buffer" is disabled in the configuration for the signal group:
The parameter is omitted and the IL provides the shadow buffer.
pData
pointer to a vuint8 array where the value of the signal shall be stored. The

length of the network signal is between 33 and 64 bits.
Return code
void
none

Functional Description
Read a signal value from the message buffer. The generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name and
- "ShadowBuffer"
e.g. <IlGetRx><NetworkSignalName>ShadowBuffer.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

WriteSignalGroup
2013, Vector Informatik GmbH
Version: 2.10.03
96 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Prototype
void WriteSignalGroup (SignalGroupBufferType pBuffer)
Parameter
pBuffer
pointer to the signal group buffer.

(SignalGroupBufferType) : the generated data type for each signal group.
->"Shadow Buffer" is enabled in the configuration for the signal group:
The application has to provide a shadow buffer with the generated type.
The generated data type name can be identified by the prefix "_c_" and the
network signal group name and the postfix "_buf".
->"Shadow Buffer" is disabled in the configuration for the signal group:
The parameter is omitted and the IL provides the shadow buffer.
Return code
void
none

Functional Description
Write a signal group from the signal group buffer to the message buffer and evaluate the transmission
mode for Tx signals. The generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal group name and
- "ShadowBuffer" e.g. <IlPutTx><NetworkSignalGroupName>ShadowBuffer.
Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

ReadSignalGroup
Prototype
void ReadSignalGroup (SignalGroupBufferType pBuffer)
Parameter
pBuffer
pointer to the signal group buffer.

(SignalGroupBufferType) : the generated data type for each signal group.
->"Shadow Buffer" is enabled in the configuration for the signal group:
The application has to provide a shadow buffer with the generated type.
The generated data type name can be identified by the prefix "_c_" and the
network signal group name and the postfix "_buf".
->"Shadow Buffer" is disabled in the configuration for the signal group:
The parameter is omitted and the IL provides the shadow buffer.
Return code
void
none

Functional Description
Read a signal group from the message buffer to the signal group buffer. The generated prototype
declarator is composed of
- a configurable prefix for writing signals and
- the network signal group name and
- "ShadowBuffer"
e.g. <IlGetRx><NetworkSignalGroupName>ShadowBuffer.
2013, Vector Informatik GmbH
Version: 2.10.03
97 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Particularities and Limitations
The function is called by the application.
Call context
The function can be called on task and interrupt level.

6.1.3.2
Read and Write Signals and SignalGroups in the RDS Buffer.

WriteSignalByValue2RDS
Prototype
void WriteSignalByValue2RDS (vuintx sigData)
Parameter
sigData
new value of the signal.

(vuint8) : The length of the network signal is between 1 and 8 bits.
(vuint16) : The length of the network signal is between 9 and 16 bits.
(vuint32) : The length of the network signal is between 17 and 32 bits.
Return code
void
none

Functional Description
Write a signal or grouped signal value to the register of the CAN controller. The function is generated
optimized for the configuration and can be a function like macro or generated function. The generated
prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlPutTx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function must be called in the context of the signals message specific CAN Driver PreTransmit
function.

WriteSignalByReference2RDS
Prototype
void WriteSignalByReference2RDS (vuint8 *pData)
Parameter
pData
pointer to a vuint8 array with the new value of the signal. The length of the

network signal is between 33 and 64 bits.
Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
98 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
Write a signal or grouped signal value to the register of the CAN controller. The function is generated
optimized for the configuration and can be a function like macro or generated function. The generated
prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlPutTx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function must be called in the context of the signals message specific CAN Driver PreTransmit
function.

ReadSignalByValueFromRDS
Prototype
vuintx ReadSignalByValueFromRDS (void)
Parameter
void
none

Return code
vuintx
(vuint8) : The length of the network signal is between 1 and 8 bits.

(vuint16) : The length of the network signal is between 9 and 16 bits.
(vuint32) : The length of the network signal is between 17 and 32 bits.
Functional Description
Read a signal or grouped signal value from the register of the CAN controller. The function is generated
optimized for the configuration and can be a function like macro or generated function. The generated
prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlGetRx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function must be called within the context of the signals message specific CAN Driver PreCopy
function.

ReadSignalByReferenceFromRDS
Prototype
void ReadSignalByReferenceFromRDS (vuint8 *pData)
Parameter
pData
pointer to a vuint8 array where the value of the signal shall be stored. The

length of the network signal is between 33 and 64 bits.
2013, Vector Informatik GmbH
Version: 2.10.03
99 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Return code
void
none

Functional Description
Read a signal or grouped signal value from the register of the CAN controller. The length of the network
signal is between 33 and 64 bits. The generated prototype declarator is composed of
- a configurable prefix for writing signals and
- the network signal name
e.g. <IlGetRx><NetworkSignalName>.
Particularities and Limitations
The function is called by the application.
Call context
The function must be called within the context of the signals message specific CAN Driver PreCopy
function.

6.1.3.3
Notification Flags of Signals, Signal Groups and Grouped Signals

GetNotificationFlag
Prototype
vuint8 GetNotificationFlag (void)
Parameter
void
none

Return code
vuint8
(vuint8) 0 : The notification is NOT set.

> 0 : The notification is set.
Functional Description
This macro is used to detect the notification of a signal, signal group or grouped signal. The generated
prototype declarator is composed of
- a configurable prefix for the notification flag to get flags and
- the network signal, signal group or grouped signal name and
- a configurable postfix for the notification flag.
e.g. <IlGet><NetworkSignalName><Indication>.
Particularities and Limitations
The macro is called by the application.
Call context
The macro can be called on task and interrupt level.

SetNotificationFlag
Prototype
void SetNotificationFlag (void)
2013, Vector Informatik GmbH
Version: 2.10.03
100 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Parameter
void
none

Return code
void
none

Functional Description
This macro sets the notification flag of a signal, signal group or grouped signal. The generated prototype
declarator is composed of
- a configurable prefix for the notification flag to set flags and
- the network signal, signal group or grouped signal name and
- a configurable postfix for the notification flag.
e.g. <IlSet><NetworkSignalName><Indication>.
Particularities and Limitations
The macro is called by the application.
Call context
The macro must be called with disabled interrupts or in a non-preemptive task.

ClearNotificationFlag
Prototype
void ClearNotificationFlag (void)
Parameter
void
none

Return code
void
none

Functional Description
This macro clears the notification flag of a signal, signal group or grouped signal. The generated prototype
declarator is composed of
- a configurable prefix for the notification flag to clear flags and
- the network signal, signal group or grouped signal name and
- a configurable postfix for the notification flag.
e.g. <IlClr><NetworkSignalName><Indication>.
Particularities and Limitations
The macro is called by the application.
Call context
The macro must be called with disabled interrupts or in a non-preemptive task.

GetAndClearNotificationFlag
Prototype
vuint8 GetAndClearNotificationFlag (void)
2013, Vector Informatik GmbH
Version: 2.10.03
101 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Parameter
void
none

Return code
vuint8
(vuint8) 0 : The notification is NOT set

> 0 : The notification is set.
Functional Description
This macro is used to determine and clear the notification of a signal, signal group or grouped signal. The
generated prototype declarator is composed of
- a configurable prefix for the notification flag to get and clear flags
- and the network signal, signal group or grouped signal name and
- a configurable postfix for the notification flag.
e.g. <IlGetClr><NetworkSignalName><Indication> The get and clear macro is only provided for the signal,
signal group or grouped signal indication flag.
Particularities and Limitations
The macro is called by the application.
Call context
The macro can be called on task and interrupt level.

6.1.3.4
Dynamic Rx Timeout

GetDynamicRxTimeout
Prototype
IltRxTimeoutCounter GetDynamicRxTimeout (void)
Parameter
void
none

Return code
IltRxTimeoutCounter
(IltRxTimeoutCounter) The current Rx timeout counter in milliseconds with the

maximum value 65535.
Functional Description
This method is used to receive the timeout counter in milliseconds for a message. The generated prototype
declarator is composed of
- a configurable prefix for the reception of the dynamic timeout counter and
- the network signal, signal group or grouped signal name and
- a configurable postfix for the dynamic timeout.
e.g. <IlGetRx><NetworkSignalName><DynRxTimeout>.
Particularities and Limitations
The macro is called by the application.
Caution
This API is signal oriented, but the effect will take place for all signals in the message.

Call context
The macro can be called on task and interrupt level.

2013, Vector Informatik GmbH
Version: 2.10.03
102 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

SetDynamicRxTimeout
Prototype
void SetDynamicRxTimeout (IltRxTimeoutCounter msTimer)
Parameter
msTimer
The new Rx timeout counter in milliseconds with the maximum value 65535.

Return code
void
none

Functional Description
This method is used to set the timeout counter in milliseconds for a message. The generated prototype
declarator is composed of
- a configurable prefix for setting the dynamic timeout counter and
- the network signal, signal group or grouped signal name and
- a configurable postfix for setting the dynamic timeout.
e.g. <IlSetRx><NetworkSignalName><DynRxTimeout>.
Particularities and Limitations
The macro is called by the application.
Caution
This API is signal oriented, but the effect will take place for all signals in the message.

Call context
The macro must be called with disabled interrupts or in a non-preemptive task.

StartDynamicRxTimeout
Prototype
void StartDynamicRxTimeout (void)
Parameter
void
none

Return code
void
none

Functional Description
This method is used to start a stopped timeout counter for a message. The generated prototype declarator
is composed of
- a configurable prefix for starting the dynamic timeout counter and
- the network signal, signal group or grouped signal name and
- a configurable postfix for starting the dynamic timeout.
e.g. <IlSetRx><NetworkSignalName><DynRxTimeout>.
Particularities and Limitations
The macro is called by the application.
Caution
This API is signal oriented, but the effect will take place for all signals in the message.

2013, Vector Informatik GmbH
Version: 2.10.03
103 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Call context
The macro can be called on task and interrupt level.

StopDynamicRxTimeout
Prototype
void StopDynamicRxTimeout (void)
Parameter
void
none

Return code
void
none

Functional Description
This method is used to stop the timeout counter for a message. The generated prototype declarator is
composed of
- a configurable prefix for stopping the dynamic timeout counter and
- the network signal, signal group or grouped signal name and
- a configurable postfix for stopping the dynamic timeout.
e.g. <IlSetRx><NetworkSignalName><DynRxTimeout>.
Particularities and Limitations
The macro is called by the application.
Caution
This API is signal oriented, but the effect will take place for all signals in the message.

Call context
The macro can be called on task and interrupt level.

6.1.4
Callback Functions
All callback functions can be activated or deactivated by a switch in the Configuration Tool.
If a callback function is activated by the user, the application has to provide this function.
6.1.4.1
ApplIlInit
ApplIlInit
Prototype
Single Channel
Single Receive Channel
void ApplIlInit (void)
Multi Channel
Indexed (MRC)
void ApplIlInit (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
104 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
This method is called to indicate the performed initialization.
Particularities and Limitations
none
Call context
The function is called by the IL in the context of IlInit.

6.1.4.2
ApplIlRxStart
ApplIlRxStart
Prototype
Single Channel
Single Receive Channel
void ApplIlRxStart (void)
Multi Channel
Indexed (MRC)
void ApplIlRxStart (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method is called to indicate the performed transition start for the Rx state machine.
Particularities and Limitations
none
Call context
The function is called by the IL in the context of IlRxStart.

6.1.4.3
ApplIlTxStart
ApplIlTxStart
Prototype
Single Channel
Single Receive Channel
void ApplIlTxStart (void)
Multi Channel
Indexed (MRC)
void ApplIlTxStart (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
105 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
This method is called to indicate the performed transition start for the Tx state machine.
Particularities and Limitations
none
Call context
The function is called by the IL in the context of IlTxStart.

6.1.4.4
ApplIlRxStop
ApplIlRxStop
Prototype
Single Channel
Single Receive Channel
void ApplIlRxStop (void)
Multi Channel
Indexed (MRC)
void ApplIlRxStop (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

Functional Description
This method is called to indicate the performed transition stop for the Rx state machine.
Particularities and Limitations
none
Call context
The function is called by the IL in the context of IlRxStop.

6.1.4.5
ApplIlTxStop
ApplIlTxStop
Prototype
Single Channel
Single Receive Channel
void ApplIlTxStop (void)
Multi Channel
Indexed (MRC)
void ApplIlTxStop (CanChannelHandle channel)
Parameter
channel (Indexed)
Handle of the logical Can Driver channel.

Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
106 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
This method is called to indicate the performed transition stop for the Tx state machine.
Particularities and Limitations
none
Call context
The function is called by the IL in the context of IlTxStop.

6.1.4.6
ApplIlFatalError
ApplIlFatalError
Prototype
void ApplIlFatalError (vuint8 errorNumber)
Parameter
errorNumber
numeric error code

Return code
void
none

Functional Description
If assertions are configured, this function is called to indicate invalid user conditions (API, reentrance),
inconsistent generated data, hardware errors and internal errors.
Particularities and Limitations
none
Call context
The function is be called by the IL on task and interrupt level.

6.1.5
Generated Callback Functions
All callback functions can be activated or deactivated by a switch in the Configuration Tool.
If a callback function is activated by the user, the application has to provide this function.

Info
The generated callback declarators in this chapter are depending on the configuration.

NotificationFunction
Prototype
void NotificationFunction (void)
Parameter
void
none

Return code
void
none

2013, Vector Informatik GmbH
Version: 2.10.03
107 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Functional Description
This function is used to determine the notification of a signal, signal group or grouped signal. The
generated prototype declarator is composed of
a configurable prefix for the notification and
the network signal, signal group or grouped signal name and
a configurable postfix for the notification.
e.g. <ApplIl><NetworkSignalName><SigIndication>.
Particularities and Limitations
The function is called by the IL and implemented by the application.
Call context
The function is called notification class and configuration dependent:
- Indication :
->Il polling is enabled in the configuration for the message:
The function is called in the context of the IlRxTask or IlRxStateTask.
->Il polling is disabled in the configuration for the message:
The function is called in the context of the CAN Driver message indication function.
- Confirmation :
->Il polling is enabled in the configuration for the message:
The function is called in the context of the IlTxTask or IlTxStateTask.
->Il polling is disabled in the configuration for the message:
The function is called in the context of the CAN Driver message confirmation function.
- RxTimeout :
->The function is called in the context of the IlRxTask or IlRxTimerTask.
- TxTimeout :
->The function is called in the context of the IlTxTask or IlTxTimerTask.

TransitionChangeNotificationFunction
Prototype
void TransitionChangeNotificationFunction (void)
Parameter
void
none

Return code
void
none

Functional Description
This function is used to determine the transition change of a signal, signal group or grouped signal. The
generated prototype declarator is composed of
- a configurable prefix for the transition notification and
- the network signal, signal group or grouped signal name and
- a configurable postfix for the transition notification.
e.g. <ApplIl><NetworkSignalName><TxStart>.
Particularities and Limitations
The function is called by the IL and implemented by the application.
Call context
The function is called in the context of IlInitPowerOn, IlInit, IlRxStart, IlTxStart, IlRxStop, IlTxStop.

2013, Vector Informatik GmbH
Version: 2.10.03
108 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

RxMessageTimeoutFunction
Prototype
void RxMessageTimeoutFunction (void)
Parameter
void
none

Return code
void
none

Functional Description
This function is used to determine the Rx timeout of a message. The generated prototype declarator is
composed of
- a configurable prefix for the Rx message timeout and
- the network message name and
- a configurable postfix for the Rx message timeout.
e.g. <ApplIl><NetworkMessageName><MsgTimeout>.
Particularities and Limitations
The function is called by the IL and implemented by the application.
Call context
The function is called in the context of the IlRxTask or IlRxTimerTask.

2013, Vector Informatik GmbH
Version: 2.10.03
109 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

7 Limitations

7.1
CANgen Compatibility
7.1.1
Database attributes
Signal value definitions are defined sometimes as decimal or hexadecimal value. Due to
this signal values can be defined as string attribute in the database. Both value
representations are interpreted by GENy. GENy is fully compatible to attributes used with
CANGen. Deviations are described in chapter 5.1.5 Former Attributes.
7.1.2
Application Code
If you want to use your existing application with generated GENy code, pay attention to:
Rx Rds Write access and Tx Rds Read access is not supported any more.
The IlOldstyleAPI is not supported any more.
A strict Naming concept is introduced with GENy. The default Pre- and Postfixes have
changed. (The prefix „_a_“ is now „Appl“) It is possible for you, to restore the CANGen
compatible Pre- and Postfixes in the NameDecorator.
Data Type Prefixes are not supported any more.
The Prefixes of Signal Handles have been changed to „IlTxSigHnd“ and „IlRxSigHnd“
instead of „ILTx“.
The Can Driver Interface is in GENy strictly separated from the Interaction Layer. Due to
this, a used Appl message must be adapted.
> The Can Driver message Indication flag postfix is now separately configurable from
the IL Indication Flag.
> If Can Driver Signal access macros are used for signals <= 1 Byte, the function style
interface is not supported any more. The signal value is assigned like a value to a
variable
CANGen supported a configuration switch, to activate the multiple channel interfaces in
single channel configurations. This feature is discontinued in GENy.
7.1.3
Generator
> ESCAN00024091
If “Common Buffer” is configured between Rx or Tx messages which are used in
different identities of the ECU, configure both messages in the CAN Driver as Basic
CAN message and use the same Basic CAN object.
> ESCAN00017472
Do not configure Common Buffer for messages containing multiplexed signals.
> ESCAN00023799
2013, Vector Informatik GmbH
Version: 2.10.03
110 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Do not configure Common Buffer for tx messages which are used in the same identitiy
containing signals the GenSigSendType OnChange or OnChangeWithRepetition.

2013, Vector Informatik GmbH
Version: 2.10.03
111 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

8 Glossary and Abbreviations
8.1
Glossary
Term
Description
API
Application Program Interface, for OSEK: The description of the user
interface to the operating system, communications and network
management functions.
AUTOSAR
Automotive Open System Architecture
bus
Defines what we call internal as channel or connection.
CAN
Controller Area Network protocol originally defined for use as a
communication network for control applications in vehicles.
CANGen
Generation tool for CANbedded components
configuration
The communication configuration adapts the communication stack to the
specific component requirements by means of the Generation Tool.
DBC
CAN data base format of the Vector company which is used by Vector
tools
ESCANXXXXXXXX
Vector PES Clearquest Database ID. Replace XXXXXXXX by the
numeric identifier.
generation tool
See CANgen, DBKOMGen and GENy. The generation tool configures the
communication stack, Flash Bootloader, etc. based on database
attributes (vehicle manufacturer), project settings (module supplier) and
license information (Vector).
GENy
Generation tool for CANbedded and MICROSAR components
ID
Identifier (e.g. Identifier of a CAN message)
manufacturer
Vehicle manufacturer
message
A message is responsible for the logical transmission and reception of
information depending on the restrictions of the physical layer. The
definition of the message contents is part of the data base given by the
vehicle manufacturer.
module
A module designates a controller (Identical with ECU).
MRC
Multiple Receive Channel
MSC
Message Sequence Chart
Mutual exclusion
To modify shared data, a task must be able to get exclusive access for a
limited time, i.e. all other tasks must be excluded to access this data. All
tasks modifying shared data must be able to do this exclusion. Therefore
this exclusion is called mutual exclusion.
Node
A network topological entity. Nodes are connected by data links forming
the network. Each node is separately addressable on the network.
Online
(Normal) state of the data link layer. Application and Network
Management communication are possible.
OSEK
Name of the overall project: Abbreviation of the German term "Offene
Systeme und deren Schnittstellen fÃ¼r die Elektronik im Kraftfahrzeug" -
Open Systems and the Corresponding Interfaces for Automotive
Electronics.
2013, Vector Informatik GmbH
Version: 2.10.03
112 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

Protocol
A formal set of conventions or rules governing the exchange of
information between protocol entities. Protocol comprises syntax and
semantics of the protocol messages as well as the instructions on how to
react to them.
Register
A register is a memory area in the controller, e.g. in the CAN controller.
Distinguish register from Buffer.
Release
State transition of a task from waiting to ready. At least one event has
occurred which a task has waited on.
Request
A service primitive in compliance with the ISO/OSI Reference Mode (ISO
7498). With the service primitive 'request' a service user requests a
service from a service provider.
Resource
Generally, resources are hardware or software components which are
managed by the operating system. The OSEK operating system provides
resources to support task coordination by mutual exclusion of critical
sections. As an example, the scheduler is treated like a resource. A task
which holding the scheduler cannot be interrupted by all other tasks.
Resource Management. Access control for inseparable operations to
jointly used (logic) resources or devices, or for control of a program flow.
Response
A service primitive defined in the ISO/OSI Reference Model (ISO 7498).
The service primitive 'response' is used by a service user in order to reply
to a preceding indication from service provider.
Running
A task state. In the running state, the CPU is assigned to the task, so that
its instructions can be executed. Only one task can be in this state at any
point in time. The state is entered by the state transition start and can be
exited via the state transitions Wait, Preempt or Terminate.
Safety
A situation in which the risk is equal or lower than the limit risk. Risk is a
measure which considers both the probability of an accident and the
expected extend of damage in the case of an accident. The limit risk is
the highest risk which is still justifiable.
Software specification A software specification is a set of requirements that can be of different
types, as behavior, interfaces, timing constraints, needed resources,
safety, etc.
Start
State transition of a task from ready to running. A ready task selected by
the scheduler is executed.
SWC
Software Component, application software entity in AUTOSAR
Task
A task provides the framework for the execution of functions. Therefore a
task has a context of its own, i.e. a stack, a register retrieval range and a
memory of its own. A task can be executed in principle on a processor
concurrently with other tasks. A task is executed under the control of the
scheduler according to the task priority assigned to it, and to the selected
scheduling policy. A distinction is made between basic tasks and
extended task.
Task level
Processing level where the actual application software, is executed.
Tasks are executed according to the priority assigned to them, and to the
selected scheduling policy. Other processing levels are: Interrupt level
and operating system level.
Task priority
The priority of a task is a measure for the precedence with which the task
is to be executed. In principle, priorities are defined statically. However, in
particular cases (see Priority Ceiling Protocol) a task can be processed
2013, Vector Informatik GmbH
Version: 2.10.03
113 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

by the operating system with a defined higher priority. As a capability of
the CC, tasks of the same priority are admissible within a system. Tasks
of equal priority are started  according to the order in which they are
called. To this effect, extended tasks which change from the waiting state
into the ready state are treated like new tasks.
Validation
Confirmation by examination and provision of objective evidence that the
particular requirements for a specific intended use are fulfilled. Ensuring
the correctness of a specification.
wait
State transition of a task from running to waiting. The running task
requires an event to continue operation. It causes its transition into the
waiting state by using a system service.
Window
Communication object of the data link layer for sending and receiving NM
messages.

8.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
CCL
Communication Control Layer
COM
Communication Layer
CPU
Central Processing Unit
DM
Deadline Monitoring
ECU
Electronic Control Unit
IL
Interaction Layer
IRQ
Interrupt Request
ISO
International Standardization Organization
ISR
Interrupt Service Routine
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
NM
Network Management
OEM
Original Equipment Manufacturer
OS
Operating System
OSI
Open Systems Interconnection
RAM
Random Access Memory
RDS
Read Data Segment
ROM
Read-Only Memory
SRS
Software Requirement Specification
SWC
Software Component
SWS
Software specification

2013, Vector Informatik GmbH
Version: 2.10.03
114 / 115
based on template version 3.7

Technical Reference Vector Interaction Layer

9 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector-informatik.com
2013, Vector Informatik GmbH
Version: 2.10.03
115 / 115
based on template version 3.7

Document Outline

13.6 - TechnicalReference_InteractionLayer_GM

YourTopic

13.7 - TechnicalReference_InteractionLayer_GM_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48

13.8 - TechnicalReference_InteractionLayer_GMs

Interaction Layer for General Motors
Technical Reference

Il_Vector_Gm with GENy
Version 2.01.02

Authors
Ralf Fritz, Gunnar Meiss, Heiko Hübler
Status
Released

Technical Reference Interaction Layer for General Motors

1  Document Information
This  document  may  be  revised  and  appear  in  several  versions.  The  document  will  be
classified to permit identification of updates  and versions.
This  user manual  is related  to the  source  code version  (Il_Vector_Gm)  1.01.00 or higher.
1.1
History
Author
Date
Version  Remarks
Ralf Fritz
2003-08-05
1.00
creation
Ralf Fritz
2004-07-02
1.01
Changed description for ILSetTxMessageEnable
Ralf Fritz
2004-07-16
1.02
Sample corrected. Restriction added.
Ralf Fritz
2005-04-27
1.03
Timeout and Source Learning description extended.
New Layout.
Ralf Fritz
2005-08-01
1.04
Adaptation  of return values of several functions.
Ralf Fritz
2007-03-29
1.05
Corrected chapter 3.1.2.2
and 3.1.2.3
Ralf Fritz
2007-05-01
1.06
Switch to new documentation template.
Gunnar Meiss
2008-01-17
2.00
Added  GENy Support
Heiko  Hübler
2012-10-18
2.01.00  Added  Robustness Changes
Added  Clearing Flags on Deactivate VN
(ESCAN00061059)
Heiko  Hübler
2012-10-26
2.01.01  Changed description of Clearing Flags on Deactivate
VN
Heiko  Hübler
2013-01-31
2.01.02  Updated  GMLAN  version (ESCAN00064595)
improved the description of Source Address Timeout
Supervision (ESCAN00064519)
Table 1-1
History of the Document
1.2
Reference Documents
No.  Source
Title
Version
[1]    Vector
Technical Reference of Vector’s CAN driver
2.23.00
(TechnicalReference_CANDriver.pdf).
[2]    Vector
Vector Interaction Layer Technical Reference for GENy.
2.08.00
(TechnicalReference_GENy_InteractionLayer.pdf).
[3]    Vector
Technical Reference of Vector’s GMLAN  Network Management
1.07.00
(TechnicalReference_GMLAN_NM.pdf).
[4]    OSEK/VDX  OSEK/VDX Communication Specification 3.0.3.
3.0.3
Table 1-2
Reference Documents
2013, Vector Informatik GmbH
Version: 2.01.02
2 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Please note
We have configured the programs in accordance with your specifications in the


questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector’s release of the programs delivered  to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2013, Vector Informatik GmbH
Version: 2.01.02
3 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

8.2
Interaction Layer Internal Interfaces .................................................................... 47
9
Contact.............................................................................................................................. 48

2013, Vector Informatik GmbH
Version: 2.01.02
6 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

2  Component History
This  chapter  describes  the  implementation  of  the  Vector  Interaction  Layer  for  General
Motors in GENy.
2.1
Il_Vector_Gm  Version 1.00.00
2.1.1
What is new?
>  The  Interaction  Layer  is configured  with  GENy.
>  API to handle  signal groups.
>  Mask bit support.
2.1.2
What has changed?
>  The  Validity bit API  is the same API as for Mask bits or signal  groups.
>  Reduction  of the  code size.
2.2
Il_Vector_Gm  Version 1.01.00
2.2.1
What is new?
>  IlRxDeactivateVnMsg  clears  now the  flags of deactivated  messages (see 3.5).
2.2.2
What has changed?
>  The  Rx  timeout  table(IlRxTimeoutTbl)  was moved to gmlcal.c  and can now  be calibrated
(post build).

2013, Vector Informatik GmbH
Version: 2.01.02
8 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

3  Functional Description
3.1
Data Transmission
This  chapter  describes the data transmission  concept of Il_Vector_Gm.

Caution
The data transmission differs to the Il_Vector  data transmission described in [2].

3.1.1
Cyclic Transmission
The  cyclic  transmission  is  configured  in  the  network  database  with  the  attributes
GenMsgSendType  and  GenSigSendType  (See  in  chapter  5.1.1  Send  Type).  If  either  the
message  or  a  signal  of  the  message  is  configured  as  cyclic,  the  message  is  transmitted
periodically.  The  period  of  the  message  is  defined  with  the  dbc  attribute
GenMsgCycleTime  (See in [2]).
The  cyclic  transmission  of  a  message  starts  automatically,  if  the  Il_Vector_Gm  is  initialized
and  the  transition  IlTxStart  is  performed  for  the  channel  and  a  VN  is  active  which is related
to a signal within  a message.
The  following  sequence  diagram describes the  cyclic transmission  of a message.

2013, Vector Informatik GmbH
Version: 2.01.02
9 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Figure 3-1  Sequence Diagram of Cyclic Transmission
3.1.2
Event Based Transmission
If  the  GenSigSendType  OnAnyChange,  OnChangeIfActive,  OnDelta  is  defined  in  the
network  database  for  signals,  the  application  has  to  take  care  of  the  transmission  event
and triggers the  transmission  of signals.

Caution
If the application does not trigger the transmission, data can get lost.

To  implement  this  functionality,  the  Il_Vector_Gm  provides  to  the  application  StateOn  Flags
per  signal  and  the  IlSetEvent  API  (See  in  chapter  6.2.1.1  IlSetEvent).  The  following
sequence  diagram  shows  the  event  based  transmission  in  detail.  The  application  checks
the  VN  activity  of  the  signal  and  if  a  related  VN  is  active,  the application calls IlSetEvent to
set  a  transmission  request.  The  transmission  takes  place  either  within  the  next  call  of  the
IlTxTask  (See Figure 3-2  Sequence  Diagram  of  Event  based  Transmission),  or  the
transmission  is  delayed,  until  the  message  delay  time  is  elapsed  (See  Figure  3-3

Sequence  Diagram  of  Event  based  Transmission  with  Delay  and  the  description  of  the
GenMsgDelayTime  in [2]).

Example
The following  code is an example of a event based transmission.

/* Write the value to the data buffer for the signal
“EngOilTemp” */
IlPutTxEngOilTemp(5);
/* Check, that the signal is in an active VN */
if (IlGetTxEngOilTempStateOn())
{
2013, Vector Informatik GmbH
Version: 2.01.02
10 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

  /* Perform the transmission request and
  use the generated signal handle from il_par.h as parameter */
  IlSetEvent(IlTxSigEngOilTemp);
}

The  message  transmission  results  of  the  implemented  signal  transmission  modes.  More
than  one transmission  type  can be implemented  in one message.

Figure 3-2  Sequence Diagram of Event based Transmission
2013, Vector Informatik GmbH
Version: 2.01.02
11 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Figure 3-3 Sequence Diagram of Event based Transmission w ith Delay
2013, Vector Informatik GmbH
Version: 2.01.02
12 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

3.1.3
Mixed Transmission
The  implementation  of  event  based  transmission  modes  for  signals  can  be  combined  with
cyclic  transmission.  The  event  based  transmission  does  not  influence  the  periodic
transmission  event.  If  the  event  transmission  request  is  set  in  the  same  timeslot  as  the
periodic transmission  event,  the  transmission  request  is merged.
If  the  GenSigSendType  OnWrite,  OnAnyChange,  OnChangeIfActive,  OnDelta  is  defined  in
the  network  database  for  signals,  the  application has to take care of the transmission event
and triggers the  transmission  of signals.

Caution
If the application does not trigger the transmission, data can get lost.

Figure 3-4  Sequence Diagram of Cyclic and Event based Transmission in combination
2013, Vector Informatik GmbH
Version: 2.01.02
13 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

3.2
Signal Access
The  signal  API  for  normal  signals  is  performed  as  described  in  [2].  If  GENy  detects,  that
the  message  contains  a  signal  with  a  related  validity,  mask  or  VDA  (Virtual  Device
Availability)  bit,  the  signals  are  merged  into  a  new  created  signal  group,  to  access  the
signals consistently.

Example
The following  code is an example for a Signal “EngOilTemp” with validity  bit
  EngOilTempV which is grouped into the signal group EngOilTempGroup. A indication
flag has been configured for the signal “EngOilTemp”. The shadow buffer for the signal
group is provided  by the Interaction Layer.

vuint8 data = 0;
/* Check, that the signal is received */
if (IlGetRxEngOilTempIndication())
{
  /* Clear the indication flag */
  IlClrRxEngOilTempIndication();
  /* Check, that the signal is in an active VN */
  if (IlGetRxEngOilTempStateOn())
  {
    /* Read the complete signal group to a temporary buffer */
    IlGetRxEngOilTempStateOnGroup();
    /* Check the validity bit */
    if(IlGetRxEngOilTempV() == 0)
    {
      /* Read the signal value and continue data processing */
      data = IlGetRxEngOilTemp();
    }
  }
}

Validity  Bit Value
Description
0
The signal value is valid.
1
The signal value is NOT valid.
Table 3-1
Validity Bit Value Interpretation
2013, Vector Informatik GmbH
Version: 2.01.02
14 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

VDA  Bit Value
Description
0
The virtual  device is NOT available.
1
The virtual  device is available.
Table 3-2
VDA Bit Value Interpretation

Caution
Due to historical compatibility reasons, the interpretation of validity and VDA bit value is
  different.

3.3
Extended CAN Identifiers
GMLAN V3.1 is intended  to be used with  standard and extended  CAN identifiers.
This  extended  CAN  Identifiers  are  introduced  to  provide  the  so  called  Source  Learning
with  Supervision  mechanism.  This  is  an  extension  to  the  already  provided  timeout  and
fault  recovery  functions.
3.3.1
Source Learning
The  29-bit header of an extended  CAN Identifier  is separated into different  fields:
Priority Field
Bit 28-26  3 bit field used to adjust a message's importance when the
transmitter arbitrates for the bus.
The value  is specified in the network database and cannot
be changed at runtime.
Parameter Field
Bit 25-13  13 bit field used to identify  the parameter(s) contained
within the data field of the message. The parameter(s) will
be assigned as ID as they are added to the network
database.
The value  is specified in the network database and cannot
be changed at runtime.
Reserved
Bit 12-8
All remaining bits within the 29 bit header shall be
reserved for future use. All reserved bits are set to zero by
the CAN  Driver.
Source Address Field
Bit 7-0
8 bit field used to identify  the module which transmitted the
message.
The source address of an ECU is set by the application in
the startup code at runtime via the API
IlSetOwnNodeAddress  (See in chapter 6.1.1.7
IlSetOwnNodeAddress).
Table 3-3
Extended CAN Identifier fields
If  an  extended  CAN  Identifier  is  received  by  an  ECU,  the  priority  and  source  address  are
filtered  by  the  use  of  masks  generated  by  the  generation  tool.  The  filter  for  CAN  identifier
of  the  CAN  controller  ignores  the  parameter  values and reserved bits when the message is
2013, Vector Informatik GmbH
Version: 2.01.02
15 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

received.  This  enables  the  system  to  learn  the  source  address  for  a  specific  message. I.e.
the  source address can be set dynamically.
The  application  is  notified  by  the  call  of ApplIlSourceAddressLearned (See in chapter 6.3.1
ApplIlSourceAddressLearned),  if a new  source  address has been learned  by the  ECU.
If  the  source  address  of  message  changes  or  the  message  is  received  the  first  time  the
callback
function
ApplIlRxMsgSrcAddressLearned
(See
in
chapter
6.3.2
ApplIlRxMsgSrcAddressLearned)  is  called  additional  to  indicate  the  relationship  between
the  message and the  current  ECU, which  transmits  the  message.
No  source  address  is  learned  at  the  first  ECU  start  up.  The  source  addresses  of  all  RX
messages  are set by default to either 254 or 255. A message with a source address of 254
is  not  mandatory.  Messages  with  a  source  address  of  255  will  be  mandatory.  The  source
address  can  be  read  by  the  function  IlGetRxMessageSourceAddress  (See  in  chapter
6.2.1.4 IlGetRxMessageSourceAddress).
If  the  application  needs  to  identify  the  current  communication  state  of  a  learned  node  the
function  IlGetNodeCommActiveState  (See  in  chapter  6.2.1.2  IlGetNodeCommActiveState)
is provided by the  Interaction  Layer.
During  the  reception  of  messages  the  Interaction  Layer  learns  and  stores  the  source
address  of  each received message. The application has to store the source addresses in a
permanent  memory  location  to  avoid  a  new  learning  phase  of  the  system.  If  the  system  is
powered  up  again,  the  application  has  to  program  the  previously  learned  Source
addresses
via
IlSetRxMessageSourceAddress
(See
in
chapter
6.2.1.3
IlSetRxMessageSourceAddress).  An  example  of  the  relearning  is  provided  in  chapter  4.2
Initialization.
3.3.2
Source Address Timeout Supervision
The  Node  Communication Active  message  (NCA  message)  is  transmitted  by  each ECU in
the  network,  if  the  communication  is  active  for  a  VN  (Except  VN  0,  this  one is reserved for
diagnosis).  With  this  message  it  is  possible to learn the source address of an ECU, even if
no other  extended  Identifier  message is transmitted.
The  node  timeout  supervision  starts  with  the  reception  of  the  first  extened  id  message  that
is  no  NCA  message.  If  no  extended  Identifier  message  with  the  already  learned  source
address  is  received,  a  timeout  occurs.  The  timeout  is  notified  to  the  application  by  the  call
of  ApplIlNodeCommActiveFailed  (See  in  chapter  6.3.4 ApplIlNodeCommActiveFailed)  with
the  missing  source  address.  The  timeout  supervision  is  performed  even  for  messages,
which  are  not  learned  by  the  ECU.  If  mandatory  messages  are  missing,  the  source
address  255  is  passed  and  254  for  optional  messages.  If  the  timeout  of a source address
is  detected,  it  can  be  assumed,  that  all  signals  related  to  that  source  address  are  in
timeout.  Additional  timeout  notifications  for  extended  Identifier  messages  (message
timeout  function,  signal  timeout  flags  or  timeout  function)  are  called  or  set  and  timeout
default  values  are set if they  are configured.
If  an  extended  Identifier  message  with  the  already  learned  source  address  is  received
again  (e.g.  the  NCA  message),  the  application  is  notified  with  the  call  of
ApplIlNodeCommActiveRecovery  (See in chapter  6.3.3 ApplIlNodeCommActiveRecovery).

2013, Vector Informatik GmbH
Version: 2.01.02
16 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

3.4
Application  Controlled Message Filter
The  application  can  enable  and  disable  the  transmission  and  the  reception  of  messages,
which  affects  all  signals  included  in  that  messages.  See  in  chapter  6.2.1.5
IlSetRxMessageEnable  and chapter  6.2.1.6 IlSetTxMessageEnable.

Example
Here is an example implementation of the message filter that has been prepared for
  you.
void ApplIlInit(void)
{
  /* Disable the reception of the message RPM_F */
  vError = IlSetRxMessageEnable(IlRxMsgRPM_F,
kIlMessageDisabled );

  /* Disable the transmission of the message Vspeed */
  vError = IlSetTxMessageEnable(IlTxMsgVSpeed,
kIlMessageDisabled );
}

3.5
Clearing Flags on Deactivate VN
The  switch  “Enable  Clearing  Flags  on  Deactivate  VN”,  in  the  GENy  GUI,  enables  clearing
flags  if  the  function  IlRxDeactivateVnMsg  is  called.  This  function  is  called  by  the  NM  to
deactivate a VN.
These  flags  are  cleared:  first  value  flags,  timeout  flags,  node  timeout  flags  and  indication
flags.
Only  flags  of messages which  have  been deactivated  in IlRxDeactivateVnMsg  are cleared.
A message gets deactivated if all VNs a message is in are deactivated.
Info
If you have an old project and activate this feature you may have to adapt your

application.

Info
The flags for a signal are cleared when all VNs associated to any signal of the message

are deactivated

2013, Vector Informatik GmbH
Version: 2.01.02
17 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

4  Integration
This  chapter  includes  an  example  for  the  integration  of  the  Interaction  Layer.  Most
configurations  depend  on  the  customer’s  environment.  Therefore,  we  can  only  describe  a
single  simple  configuration  just  to  show  how  it  could  look like. We use pseudo code for our
example. It  won’t be possible to compile this code.
4.1
Include structure
To  use  the  Vector  Interaction  Layer  for  GMLAN,  only  the  file  il_inc.h  must  be  included  in  all
application  components  that  want  to  use  Interaction  Layer  functionality.  The  file  can_inc.h
(which  provides  the  CAN  Driver  interface  and  data  buffers)  must  not  be  included
separately,  it is automatically  included  by il_inc.h.

Figure 4-1  Including Il_Vector_Gm
4.2
Initialization
If  the  CCL  is  not  used  in  the  software  stack,  the  application  has  to  initialize  the
components.
Example
Here is an example, if the initialization  has to be implemented by the application.

/* Disable interrupts during the initialization of the
Components */
DisableInterrupts();

/* Initialize all components */
CanInitPowerOn();
IlInitPowerOn();
TpInitPowerOn();
2013, Vector Informatik GmbH
Version: 2.01.02
18 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

DiagInit();

IlSetOwnNodeAddress(srcAddress);
/* Enabling Interrupts is no longer critical, but not
recommended. */

/* Relearn already learned source addresses from the EPROM
*/
for (Hnd = 0 ; Hnd < iNrOfEPROMElements ; Hnd++ )
{
 IlSetRxMessageSourceAddress(ReadRxHandleFromEPROM(Hnd),
 ReadSrcAdressFromEPROM(Hnd));
}

/* Enable interrupts */
EnableInterrupts();

4.3
Cyclic function
The IlRxTask and IlTxTask must be called cyclically as configured in GENy by the
Application, OS or CCL.
2013, Vector Informatik GmbH
Version: 2.01.02
19 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Figure 4-2  Call of the Il_Vector cyclic function
Example
Here is an example, if the task calls have to be implemented by the application.

for(;;)
{
  /* periodic call of IlRxTask() and IlTxTask() */
  if (flag_10ms)
  {
    IlRxTask();
    IlTxTask();
    flag_10ms = 0;  /* clear flag which was set by a timer
*/
  }
}

2013, Vector Informatik GmbH
Version: 2.01.02
20 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

5  Configuration
5.1
Database Attributes
This  chapter  describes  the  dbc  network  database  attributes,  which  can  be  used  with
Il_Vector_Gm.
Info
The strings used for the enumerated database attributes are often OEM-specific and

can differ here from general descriptions. Do not change the order of string values in
enumerated database attributes. The code generator evaluates always the numerical
indexe of the string list.

Caution
Don’t mix up the order of enumeration values. Not the value  of the attribute is

interpreted, the position of the selected value.

5.1.1
Send Type
Name
GenMsgSendType
Description
Message related transmission mode.
Type Of Object
Message
Value Type
Enumeration
Default
CyclicX
Values
CyclicX, SpontanX,  NotUsed, NotUsed, NotUsed,  NotUsed, NotUsed,
NotUsed, NoMsgSendType

Name
GenSigSendType
Description
Signal related transmission mode.
Type Of Object
Signal
Value Type
Enumeration
Default
NoSigSendType
Values
Periodic, NotUsed, NotUsed,  NotUsed, NotUsed, NotUsed, NotUsed,
NoSigSendType,  NotUsed, NotUsed,  OnAnyChange, OnChangeIfActive,
OnDelta

5.1.2
Default Values
Caution
Please note, the attribute GenSigStartValue  sets the Default value at initialization  time,

not if IlRxStart or IlTxStart  is called. Due to historical and compatibility reasons, this
2013, Vector Informatik GmbH
Version: 2.01.02
21 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

confusing definition  cannot be changed any more.

Name
GenSigStartValue
Description
This value is the default value for the signal, if IlInitPowerOn  is called.
The string value type can represent hexadecimal and integer values.
Type Of Object
Signal
Value Type
String, Integer*,  Float*
Default
0x0
Minimum
0x0
Maximum
0xffffffffffffffff

5.1.3
Tx NCA Message
Name
NodeStatusMsgID
Description
This value is the Extended CAN identifier  of the Tx “Node Communication
Active” message.
Type Of Object
Network
Value Type
Hex
Default
0xFFF800
Minimum
0x1FFFFFFF
Maximum
0xffffffffffffffff

Name
NodeStatusMsgCycleTime
Description
This value is the cycle time of the Tx “Node Communication Avtive” message.
The message is transmitted, if a virtual network is active.
Type Of Object
Network
Value Type
Integer
Default
1200
Minimum
0
Maximum
65535

2013, Vector Informatik GmbH
Version: 2.01.02
22 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Name
NodeStatusMsgTimeoutTime
Description
This value is the timeout time supervision of the Rx Node Communication
Active message.
Type Of Object
Network
Value Type
Integer
Default
3000
Minimum
0
Maximum
65535

5.1.4
Timeout Supervision
Name
GenMsgMandatoryToSupervision
Description
This value represents the initial source address, which will  be indicated to the
application via ApplIlNodeCommActiveFailed,  if no other source address has
been learned. If No is set, the source address is set to 254, else 255 is set.
Type Of Object
Message
Value Type
Enumeration
Default
No
Values
No, Yes

Name
GenSigSendOnInit
Description
If a signal of a message has this value set to Handler,  the SendOnInit  property
of the message is activated and preconfigurated.
The message is transmitted, if IlSendOnInitMsg()  or IlQueueVnMsg()  is called
(Called if an initial  active VN  is activated) or the virtual network is activated (a
VN can start locally or remotely if a VNMF  message is received).
Type Of Object
Signal
Value Type
Enumeration
Default
NotInitialized
Values
NotInitialized,  Application,  Handler

2013, Vector Informatik GmbH
Version: 2.01.02
23 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Name
GenSigSuprvResp
Description
This value preconfigurates the timeout flag and timeout default value.
0 : Preconfigure nothing
1 : A timeout flag is configured for the signal
2 : A timeout default value is configured for the signal
3 : A timeout flag and timeout default value  is configured for the signal
Type Of Object
Node – Mapped  Rx Signal
Value Type
Enumeration
Default
None
Values
None, Notify,  Substitute, NotifySubstitute

Name
GenSigSuprvRespSubValue
Description
This Value is the timeout default value for the signal, if a timeout occurs.
The integer value allows the definition  of timeout values for signals with a
maximum Length of 4 Bytes.
Type Of Object
Node – Mapped  Rx Signal
Value Type
Integer
Default
0x0
Minimum
0x0
Maximum
4294967296

2013, Vector Informatik GmbH
Version: 2.01.02
24 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

6  API Description
The  following  chapter  extends  or  replaces  API  function  descriptions  provided  in  the
Technical  Reference  of the  Interaction  Layer  [2].
6.1
Administrative  functions
6.1.1.1
IlInitPowerOn
IlInitPowerOn
Prototype
void IlInitPowerOn (void)
Parameter
void
none
Return code
void
none
Functional Description
This  method  initializes the Il_Vector  on all channels.
IlInit  is called for  every  channel.
Particularities and Limitations
The  function  is called  by the Application  or  Ccl (Communication  Control  Layer).
Call context
The  function  must be called  with disabled  interrupts.
The  function  must not interrupt  IlRxTask, IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInit, IlRxStart,  IlTxStart,
IlRxStop,  IlTxStop.

6.1.1.2
IlInit
IlInit
Prototype
Single Channel
Single  Receive  Channel
void IlInit (void)
Multi  Channel
Indexed  (MRC)
void IlInit (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
2013, Vector Informatik GmbH
Version: 2.01.02
25 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Functional Description
This  method  initializes the Il_Vector  on a channel.
Rx and  Tx data  buffers  and  flags  are  set to the initial  state. If  no default  value  for  a message  is defined,  the
data buffer  is set to 0x00. IlNwmInit  of Nm_Gmlan_Gm  is called if  the initialization  is performed.
Particularities and Limitations
The  function  is called  by the Application,  Ccl (Communication  Control  Layer)  or  IlInitPowerOn.
Call context
The  function  must be called  with disabled  interrupts.
The  function  must not interrupt  IlRxTask, IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlRxStart,
IlTxStart,  IlRxStop,  IlTxStop.

6.1.1.3
IlRxTask
IlRxTask
Prototype
Single Channel
Single  Receive  Channel
void IlRxTask (void)
Multi  Channel
Indexed  (MRC)
void IlRxTask (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  must be called  periodically  in the  Rx task cycle time configured  in the generation  tool. The
IlRxTimerTask  and  IlRxStateTask  are  called  by this method.
Particularities and Limitations
The  function  is called  by the Application  or  Ccl (Communication  Control  Layer).
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlInit,  IlRxStart,
IlTxStart,  IlRxStop,  IlTxStop

6.1.1.4
IlTxTask
IlTxTask
Prototype
Single Channel
Single  Receive  Channel
void IlTxTask (void)
Multi  Channel
2013, Vector Informatik GmbH
Version: 2.01.02
26 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Indexed  (MRC)
void IlTxTask (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  must be called  periodically  in the Tx  task cycle time configured  in the generation  tool. The
IlTxTimerTask  and  IlTxStateTask  are  called  by this method.
Particularities and Limitations
The  function  is called  by the Application  or  Ccl (Communication  Control  Layer).
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlInit,  IlRxStart,
IlTxStart,  IlRxStop,  IlTxStop

6.1.1.5
IlRxStateTask
IlRxStateTask
Prototype
Single Channel
Single  Receive  Channel
void IlRxStateTask (void)
Multi  Channel
Indexed  (MRC)
void IlRxStateTask (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  is called  periodically  by the IlRxTask.  The  function  can be  called  in a faster  rate than  the
IlRxTask  to check additionally  for  polled  indication  events.  The  usage  of the  IlRxTask  shall be  preferred.
- The  source addresses  queued  for  the source  address  learning  are  learned.
- The  timeout counter  for  the source  address  is started, if the  source address  is not already  known.
Particularities and Limitations
The  function  is called  by the Application  or  IlRxTask.
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlInit,  IlRxStart,
IlTxStart,  IlRxStop,  IlTxStop

2013, Vector Informatik GmbH
Version: 2.01.02
27 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

6.1.1.6
IlTxStateTask
IlTxStateTask
Prototype
Single Channel
Single  Receive  Channel
void IlTxStateTask (void)
Multi  Channel
Indexed  (MRC)
void IlTxStateTask (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  is called  periodically  by the IlTxTask.  The  function  can be called  in a faster  rate,  than the
IlTxTask,  to check additionally  for  polled  confirmation  events.  The  usage  of  the IlTxTask  shall be  preferred.
Particularities and Limitations
The  function  is called  by the Application  or  IlTxTask.
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlInit,  IlRxStart,
IlTxStart,  IlRxStop,  IlTxStop

6.1.1.7
IlSetOwnNodeAddress
IlSetOwnNodeAddress
Prototype
Single Channel
Single  Receive  Channel
Il_Status IlSetOwnNodeAddress (vuint8 srcAddress)
Multi  Channel
Indexed  (MRC)
Il_Status IlSetOwnNodeAddress (CanChannelHandle
channel, vuint8 srcAddress)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
srcAddress
Source  address  of  this ECU,  which  will be  added  to the low  byte of  each
extended  ID  transmitted by the CAN  driver.
Return code
Il_Status
IL_OK  : the node  address  has been  set.
IL_ERROR  : the node  is not configured  for  the  usage  of GMLAN  extended
identifiers  and  the source  address  is not  accepted.
Functional Description
This  method  sets the source  address  for  this ECU.
2013, Vector Informatik GmbH
Version: 2.01.02
28 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Particularities and Limitations
none
Call context
The  function  must be called  on task level  after  CanInitPowerOn  is called AND  before  interrupts  are
activated.

6.2
Service functions
6.2.1.1
IlSetEvent
IlSetEvent
Prototype
void IlSetEvent (IlTransmitHandle ilTxHnd)
Parameter
ilTxHnd
Handle  of  the Tx message.
Return code
void
none
Functional Description
This  method  serves  to set a  transmission request  for  a message.
Particularities and Limitations
The  function  is called  by the Application  or  by IlPutTx  method.
Call context
The  function  can be  called on  task and  interrupt  level.

6.2.1.2
IlGetNodeCommActiveState
IlGetNodeCommActiveState
Prototype
Single Channel
Single  Receive  Channel
vuint8 IlGetNodeCommActiveState (vuint8 srcAddress)
Multi  Channel
Indexed  (MRC)
vuint8 IlGetNodeCommActiveState (CanChannelHandle
channel, vuint8 srcAddress)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
srcAddress
Source  address  of  an  ECU.
2013, Vector Informatik GmbH
Version: 2.01.02
29 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Return code
vuint8
kIlNodeUnknown  : The  given  node  address  has not been  learnt.
kIlNodeFailed  : This  node  is in timeout  state.
kIlNodeActive  : Node  is sending  messages  (at least one  NCA).
kIlNodeIdle  : Node  address  is in the list, but is currently inactive.
Functional Description
This  method  returns  the  state of  an ECU  in the  network. The  Il  searches for  the srcAddress and  returns  the
status.
Particularities and Limitations
none
Call context
The  function  must be called  on task level.

6.2.1.3
IlSetRxMessageSourceAddress
IlSetRxMessageSourceAddress
Prototype
Il_Status IlSetRxMessageSourceAddress (IlReceiveHandle ilRxHnd, vuint8
srcAddress)
Parameter
ilRxHnd
Handle  of  the Rx message.
srcAddress
Source  address  of  an  ECU for  this message.
Return code
Il_Status
IL_OK  : the source  address  is now  configured  for  the Rx message
IL_ERROR  : ilRxHnd  is invalid  or  ilRxExtIdHnd  is inconsistent or  channel  is
inconsistent
Functional Description
This  method  sets the source  address  as learned  for  a Rx message.
Particularities and Limitations
The  function  is only  available  if Extended-Identifiers  are  used.
Call context
The  function  must be called  on task level.

6.2.1.4
IlGetRxMessageSourceAddress
IlGetRxMessageSourceAddress
Prototype
Il_Status IlGetRxMessageSourceAddress (IlReceiveHandle ilRxHnd, vuint8
*pSrcAddress)
2013, Vector Informatik GmbH
Version: 2.01.02
30 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Parameter
ilRxHnd
Handle  of  the Rx message.
pSrcAddress
Pointer  to where  the source  address  of  a message  has to be stored.
Return code
Il_Status
IL_OK  : the source  address  is now  returned  for  the  Rx message
IL_ERROR  : ilRxHnd  is invalid  or  ilRxExtIdHnd  is inconsistent or  channel  is
inconsistent
Functional Description
This  method  returns  the  source address  a  Rx message learnt  in the last session.
Particularities and Limitations
The  function  is only  available  if Extended-Identifiers  are  used.
Call context
The  function  must be called  on task level.

6.2.1.5
IlSetRxMessageEnable
IlSetRxMessageEnable
Prototype
Il_Status IlSetRxMessageEnable (IlReceiveHandle ilRxHnd, vuint8 type)
Parameter
ilRxHnd
Handle  of  the Rx message.  Use the message  handle  generated  in il_par.h!
type
kIlMsgEnabled  or  kIlMsgDisabled
Return code
Il_Status
IL_OK  : the Rx messages  handle  has  been  activated  or  deactivated
IL_ERROR  : the Rx messages  handle  is out of  range
Functional Description
This  method  activates  or  deactivates  the reception  of  a message.
Particularities and Limitations
Only messages  which are  handled  by the  Interaction  Layer  can be enabled  or disabled.  TP  and  NM
messages  are not  affected  (NCA,  HLVW, VNMF, USDT  and  UUDT  messages).
Call context
The  function  must be called  in the context of ApllIlInit().

6.2.1.6
IlSetTxMessageEnable
IlSetTxMessageEnable
Prototype
Il_Status IlSetTxMessageEnable (IlTransmitHandle ilTxHnd, vuint8 type)
2013, Vector Informatik GmbH
Version: 2.01.02
31 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Parameter
ilTxHnd
Handle  of  the Tx message.  Use the  message handle  generated  in il_par.h!
type
kIlMsgEnabled  or  kIlMsgDisabled
Return code
Il_Status
IL_OK  : the Tx messages  handle  has been  activated  or  deactivated
IL_ERROR  : the Tx messages  handle  is out of  range
Functional Description
This  method  activates  or  deactivates  the transmission  of  a message.
Particularities and Limitations
Only messages  which are  handled  by the  Interaction  Layer  can be enabled  or disabled.  TP  and  NM
messages  are not  affected  (NCA,  HLVW, VNMF, USDT  and  UUDT  messages).
Call context
The  function  must be called  in the context of ApllIlInit().

6.2.1.7
IlGetTransmitMessageStatus
IlGetTransmitMessageStatus
Prototype
vuint8 IlGetTransmitMessageStatus (IlTransmitHandle ilTxHnd)
Parameter
ilTxHnd
Handle  of  the Tx message.  Do  not use the generated  signal  handles  for  the
message  indirection!
Return code
vuint8
(vuint8)  0 : the message  is idle  and  no transmission  is expected  from  the  Il
kIlTxMsgQueued  : the transmission  is requested  to the CAN  Driver  and  wait
for  confirmation
kIlTxMsgPending  : the  message  is pending  for  queuing  in the Il.
Functional Description
The  function  provides  the status of the  message.
Particularities and Limitations
The  function  is called  by the Application.
Call context
The  function  can be  called on  task and  interrupt  level.

6.3
Callback functions
The  following  functions  have  to  be  implemented  by  the  application  if  the  configuration  in
GENy  activates  the callback  function.
2013, Vector Informatik GmbH
Version: 2.01.02
32 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

6.3.1
ApplIlSourceAddressLearned
ApplIlSourceAddressLearned
Prototype
Single Channel
Single  Receive  Channel
void ApplIlSourceAddressLearned (vuint8 srcAddress)
Multi  Channel
Indexed  (MRC)
void ApplIlSourceAddressLearned (CanChannelHandle
channel, vuint8 srcAddress)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
srcAddress
Source  address  that has been  learned.
Return code
void
none
Functional Description
This  method  is called  to indicate, that a new  source  address  had  been  detected  and  learned  from  a node
on  the network.  This  method  can be  influenced  by the call of  IlSetRxMessageSourceAddress.  If  a node
transmits the NCA  message  and  other  extended  Ids are  not used, ApplIlRxMsgSrcAddressLearned  will
never  be  called, but this one  will be called.
Particularities and Limitations
The  function  is only  available  if Extended-Identifiers  are  used.
Call context
The  function  is called  in the context the IlRxStateTask  or IlSetRxMessageSourceAddress.

6.3.2
ApplIlRxMsgSrcAddressLearned
ApplIlRxMsgSrcAddressLearned
Prototype
Single Channel
Single  Receive  Channel
void ApplIlRxMsgSrcAddressLearned (IlReceiveHandle
ilRxHnd, vuint8 srcAddress)
Multi  Channel
Indexed  (MRC)
void ApplIlRxMsgSrcAddressLearned (CanChannelHandle
channel, IlReceiveHandle ilRxHnd, vuint8 srcAddress)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
ilRxHnd
Handle  of  the Il Rx message,  where  the source  address  has been  learnt  from.
srcAddress
Source  address  that has been  learned.
Return code
void
none
2013, Vector Informatik GmbH
Version: 2.01.02
33 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Functional Description
This  method  is called  to indicate, that a new  source  address  had  been  detected  and  learned  from  a node
on  the network  from  a specific message. This  method  is not influenced  by the call of
IlSetRxMessageSourceAddress.  The  function  shall be used,  to store  the learned  value  and  reset it during
start-up  via  IlSetRxMessageSourceAddress  where  the ilRxHnd  is needed.
Particularities and Limitations
The  function  is only  available  if Extended-Identifiers  are  used.
Call context
The  function  is called  by the IlRxStateTask.

6.3.3
ApplIlNodeCommActiveRecovery
ApplIlNodeCommActiveRecovery
Prototype
Single Channel
Single  Receive  Channel
void ApplIlNodeCommActiveRecovery (vuint8
srcAddress)
Multi  Channel
Indexed  (MRC)
void ApplIlNodeCommActiveRecovery (CanChannelHandle
channel, vuint8 srcAddress)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
srcAddress
Source  address  of  an  ECU.
Return code
void
none
Functional Description
This  method  is called  to indicate, that an  extended  Identifier  from  the source  address  has been  received
again  after  a communication  failure  had  been  detected.
Particularities and Limitations
The  function  is only  available  if Extended-Identifiers  are  used.
Call context
The  function  is called  in the context the IlRxStateTask  or IlSetRxMessageSourceAddress.

6.3.4
ApplIlNodeCommActiveFailed
ApplIlNodeCommActiveFailed
Prototype
Single Channel
Single  Receive  Channel
void ApplIlNodeCommActiveFailed (vuint8 srcAddress)
Multi  Channel
2013, Vector Informatik GmbH
Version: 2.01.02
34 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Indexed  (MRC)
void ApplIlNodeCommActiveFailed (CanChannelHandle
channel, vuint8 srcAddress)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
srcAddress
Source  address  of  an  ECU.
Return code
void
none
Functional Description
This  method  is called  to indicate, that timeout  supervision  of  the Node  Communication  Active  message  of  a
source  address  has been  failed.
Particularities and Limitations
The  function  is only  available  if Extended-Identifiers  are  used.
Call context
The  function  is called  by the IlRxTimerTask.

2013, Vector Informatik GmbH
Version: 2.01.02
35 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

7  Abbreviations
Abbreviation
Description
API
Application  Programming Interface
CAN
Controller Area Network
CCL
Communication Control Layer
ECU
Electronic Control Unit
HLVW
High Voltage  Wake Up
MRC
Multiple  Receive Channel
NCA
Node Communication Active
NM
Network Management
OS
Operating System
USDT
Unacknowledged  and Segmented Data Transfer
UUDT
Unacknowledged  and Unsegmented Data Transfer
VDA
Virtual Device Availability
VN
Virtual Network
VNMF
Virtual Network Management  Frame

2013, Vector Informatik GmbH
Version: 2.01.02
36 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

8  Appendix
8.1
Nm_Gmlan_Gm  Interface
The  following  methods  are  interface  functions  provided  by  the  Interaction  Layer  for  the
Gmlan  Network  Management.
Caution
Do not use this functions from within the application unless not explicitly  required.

8.1.1
IlRxStart
IlRxStart
Prototype
Single Channel
Single  Receive  Channel
void IlRxStart (void)
Multi  Channel
Indexed  (MRC)
void IlRxStart (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  enables  the reception  of  messages. The  transition  "start" of the  Rx state machine  is
performed.
- The  flags used  to indicate  virtual  network  activity  are  cleared.
- Suspend  the timeout counter  for  source address  255  and  254.
- Suspend  the timeout counter  for  learned  source  addresses  by clearing  the number  of  active  Rx messages
per  source  address.
Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlRxTask, IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlInit,
IlTxStart,  IlRxStop,  IlTxStop.

8.1.2
IlTxStart
IlTxStart
2013, Vector Informatik GmbH
Version: 2.01.02
37 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Prototype
Single Channel
Single  Receive  Channel
void IlTxStart (void)
Multi  Channel
Indexed  (MRC)
void IlTxStart (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  enables  the transmission of  messages  and  starts the transmission of  periodic  messages. The
transition  "start" of  the Tx state machine  is performed.
- The  flags used  to indicate  virtual  network  activity  are  cleared.
- Requests  are  queued  to be  transmitted by the call of  IlSendOnInitMsg.
Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlRxTask, IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlInit,
IlTxStart,  IlRxStop,  IlTxStop.

8.1.3
IlRxStop
IlRxStop
Prototype
Single Channel
Single  Receive  Channel
void IlRxStop (void)
Multi  Channel
Indexed  (MRC)
void IlRxStop (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  disables  the reception  of messages. The  transition  "stop" of  the Rx state machine  is
performed.  The  method  is used  for  example  to enter  the Sleep  Mode  of  an  ECU.
- The  timeout flags  for  the application  are  cleared.
- All Rx virtual  networks  must be deactivated  to call IlRxStop().
2013, Vector Informatik GmbH
Version: 2.01.02
38 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlRxTask, IlRxStateTask,  IlTxTask,  IlTxStateTask,  IlInitPowerOn,  IlInit,
IlTxStart,  IlRxStop,  IlTxStop.

8.1.4
IlTxStop
IlTxStop
Prototype
Single Channel
Single  Receive  Channel
void IlTxStop (void)
Multi  Channel
Indexed  (MRC)
void IlTxStop (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  disables  the transmission  of messages  (Sleep  Mode).  The  transition  "stop" of  the Tx state
machine  is performed.  The  method  is used for  example  to enter  the Sleep  Mode  of  an ECU.
- All Tx virtual  networks  must be  deactivated  to call IlTxStop.
Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  must be called  on task level.
The  function  must not interrupt  IlInitPowerOn,  IlInit,  IlRxTask,  IlRxStateTask,  IlRxTimerTask,  IlTxTask ,
IlTxStateTask,  IlTxTimerTask,  IlRxStart, IlTxStart,  IlRxStop

8.1.5
IlRxWait
IlRxWait
Prototype
Single Channel
Single  Receive  Channel
void IlRxWait (void)
Multi  Channel
Indexed  (MRC)
void IlRxWait (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
2013, Vector Informatik GmbH
Version: 2.01.02
39 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Return code
void
none
Functional Description
This  method  halts the reception  of messages. The  transition  "wait" of  the Rx state machine  is performed.
The  method  is used  for  example  when  the bus-off  mode  of  an  ECU  was entered.
Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  can be  called on  task and  interrupt  level.

8.1.6
IlTxWait
IlTxWait
Prototype
Single Channel
Single  Receive  Channel
void IlTxWait (void)
Multi  Channel
Indexed  (MRC)
void IlTxWait (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  halts the transmission  of messages. The  transition  "wait" of  the Tx state machine  is
performed.  The  method  is used  for  example  when  the bus -off  mode  of  an  ECU  was entered.
Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  can be  called on  task and  interrupt  level.

8.1.7
IlRxRelease
IlRxRelease
Prototype
Single Channel
Single  Receive  Channel
void IlRxRelease (void)
Multi  Channel
Indexed  (MRC)
void IlRxRelease (CanChannelHandle channel)
2013, Vector Informatik GmbH
Version: 2.01.02
40 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  restarts the reception  of  messages from  the  "Waiting" state. The  transition  "release"  of  the Rx
state machine  is performed.
- The  timeout counters  for  all source  addresses  are  restarted.
Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  can be  called on  task and  interrupt  level.

8.1.8
IlTxRelease
IlTxRelease
Prototype
Single Channel
Single  Receive  Channel
void IlTxRelease (void)
Multi  Channel
Indexed  (MRC)
void IlTxRelease (CanChannelHandle channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  resumes  the transmission  of  messages from  the "Waiting" state. The  transition "release"  of  the
Tx  state machine  is performed.
Particularities and Limitations
The  function  is called  by the Application  or  NM (Network  Management).
Call context
The  function  can be  called on  task and  interrupt  level.

8.1.9
IlRxActivateVnMsg
IlRxActivateVnMsg
Prototype
Single Channel
2013, Vector Informatik GmbH
Version: 2.01.02
41 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Single  Receive  Channel
Il_Status IlRxActivateVnMsg (vuint8 ilVnHnd)
Multi  Channel
Indexed  (MRC)
Il_Status IlRxActivateVnMsg (CanChannelHandle
channel, vuint8 ilVnHnd)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
ilVnHnd
Il_Vector_Gm  internal  VN handle.
Return code
Il_Status
IL_ERROR  : a parameter  check has failed  OR the  Rx state machine  of  the
channel  is not in the running  state
IL_VN_ALREADY_ACTIVE  : an  already  activated  VN has been  requested  for
activation
IL_VN_ACTIVATED  : the  VN is now  activated
Functional Description
This  method  starts all Rx messages  of a  VN.
Particularities and Limitations
The  function  is called  by Nm_Gmlan_Gm.
Call context
The  function  must be called  on task level  and if  the Rx state machine  of  the dependent  channel  is in the
running  state.

8.1.10  IlRxDeactivateVnMsg
IlRxDeactivateVnMsg
Prototype
Single Channel
Single  Receive  Channel
Il_Status IlRxDeactivateVnMsg (vuint8 ilVnHnd)
Multi  Channel
Indexed  (MRC)
Il_Status IlRxDeactivateVnMsg (CanChannelHandle
channel, vuint8 ilVnHnd)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
ilVnHnd
Il_Vector_Gm  internal  VN handle.
Return code
Il_Status
IL_ERROR  : a parameter  check has failed  OR the  Rx state machine  of  the
channel  is not in the running  state
an  already  deactivated  VN has been  requested  for  deactivation
IL_VN_DEACTIVATE D  : the VN  is now  deactivated.
2013, Vector Informatik GmbH
Version: 2.01.02
42 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Functional Description
This  method  stops all Rx messages of  a VN. If  enabled,  the flags  of  the deactivated  messages  are  cleared
(see  3.5).
Particularities and Limitations
The  function  is called  by Nm_Gmlan_Gm.
Call context
The  function  must be called  on task level  and if  the Rx state machine  of  the dependent  channel  is in the
running  state.

8.1.11  IlTxActivateVnMsg
IlTxActivateVnMsg
Prototype
Single Channel
Single  Receive  Channel
Il_Status IlTxActivateVnMsg (vuint8 ilVnHnd)
Multi  Channel
Indexed  (MRC)
Il_Status IlTxActivateVnMsg (CanChannelHandle
channel, vuint8 ilVnHnd)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
ilVnHnd
Il_Vector_Gm  internal  VN handle.
Return code
Il_Status
IL_ERROR  : a parameter  check has failed  OR the Tx  state machine  of  the
channel  is not in the running  state
IL_VN_ALREADY_ACTIVE  : an  already  activated  VN has been  requested  for
activation
IL_VN_ACTIVATED  : the  VN is now  activated
Functional Description
This  method  starts all Tx messages  of  a VN.
Particularities and Limitations
The  function  is called  by Nm_Gmlan_Gm.
Call context
The  function  must be called  on task level  and if  the Tx state machine  of  the dependent  channel  is in the
running  state.

8.1.12  IlTxDeactivateVnMsg
IlTxDeactivateVnMsg
Prototype
Single Channel
Single  Receive  Channel
Il_Status IlTxDeactivateVnMsg (vuint8 ilVnHnd)
2013, Vector Informatik GmbH
Version: 2.01.02
43 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Multi  Channel
Indexed  (MRC)
Il_Status IlTxDeactivateVnMsg (CanChannelHandle
channel, vuint8 ilVnHnd)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
ilVnHnd
Il_Vector_Gm  internal  VN handle.
Return code
Il_Status
IL_ERROR  : a parameter  check has failed  OR the Tx  state machine  of  the
channel  is not in the running  state OR  an already  deactivated  VN has been
requested  for  deactivation
IL_VN_DEACTIVATE D  : the VN  is now  deactivated.
Functional Description
This  method  stops all Tx  messages of  a VN.
Particularities and Limitations
The  function  is called  by Nm_Gmlan_Gm.
Call context
The  function  must be called  on task level  and if  the Tx state machine  of  the dependent  channel  is in the
running  state.

8.1.13  IlRxStartVnMsgSupervision
IlRxStartVnMsgSupervision
Prototype
Single Channel
Single  Receive  Channel
void IlRxStartVnMsgSupervision (vuint8 ilVnHnd)
Multi  Channel
Indexed  (MRC)
void IlRxStartVnMsgSupervision (CanChannelHandle
channel, vuint8 ilVnHnd)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
ilVnHnd
Il_Vector_Gm  internal  VN handle.
Return code
void
none
Functional Description
This  method  starts the Rx extended  id timeout supervision  for  all Rx messages of  a VN, if
- The  arguments  are  valid.
- The  Rx state machine  is in the running  state.
- The  Rx VN is active.
- The  Rx extended  id timeout  supervision  is not  already  started.
2013, Vector Informatik GmbH
Version: 2.01.02
44 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Particularities and Limitations
The  function  is called  by Nm_Gmlan_Gm.
Call context
The  function  must be called  on task level  and if  the Rx state machine  of  the dependent  channel  is in the
running  state.

8.1.14  IlRxDeactivateVnMsgSupervision
IlRxDeactivateVnMsgSupervision
Prototype
Single Channel
Single  Receive  Channel
Il_Status IlRxDeactivateVnMsgSupervision (vuint8
ilVnHnd)
Multi  Channel
Indexed  (MRC)
Il_Status IlRxDeactivateVnMsgSupervision
(CanChannelHandle channel, vuint8 ilVnHnd)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
ilVnHnd
Il_Vector_Gm  internal  VN handle.
Return code
Il_Status
IL_ERROR  : a parameter  check has failed  OR the  Rx VN is not running  OR
the Rx state machine  of  the channel  is not in the running  state  an already
supervision  deactivated  VN has  been  requested  for  deactivation
IL_VN_DEACTIVATE D  : the timeout  supervision  of  the VN is now  deactivated.
Functional Description
This  method  stops the Rx timeout supervision  for  all Rx messages of  a VN.
Particularities and Limitations
The  function  is called  by Nm_Gmlan_Gm.
Call context
The  function  must be called  on task level  and if  the Rx state machine  of  the dependent  channel  is in the
running  state.

8.1.15  IlResetRxTimeoutFlags
IlResetRxTimeoutFlags
Prototype
Single Channel
Single  Receive  Channel
void IlResetRxTimeoutFlags (void)
Multi  Channel
Indexed  (MRC)
void IlResetRxTimeoutFlags (CanChannelHandle
channel)
2013, Vector Informatik GmbH
Version: 2.01.02
45 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  clears Rx timeout  flags  of  the Application  and  internal  ilNodeCommActiveTimeoutFlags.
- The  flags used  internal  to indicate  NCA  timeout  are  cleared.
Particularities and Limitations
The  function  is called  by the Application.
Caution
Do  not call this Il  internal API  from  the application!

Call context
The  function  can be  called on  task and  interrupt  level.

8.1.16  IlRequeueTransmitMessages
IlRequeueTransmitMessages
Prototype
Single Channel
Single  Receive  Channel
void IlRequeueTransmitMessages (void)
Multi  Channel
Indexed  (MRC)
void IlRequeueTransmitMessages (CanChannelHandle
channel)
Parameter
channel  (Indexed)
Handle  of  the logical  CAN Driver  channel.
Return code
void
none
Functional Description
This  method  queues  again  all pending  Tx messages  and  set a  transmission request  for  these Tx
messages.
Particularities and Limitations
The  function  is called  by Nm_Gmlan_Gm  during  a Busoff  to queue  again  all Tx messages  that are  pended
for  transmission  to the CAN  Driver.  The  transmit queue  is cleared  of  the CAN  Driver  id  cleared  during  a
bus-off.  Therefore  all issued  messages must be retransmitted  by the Il.
Call context
The  function  must be called  on task level.

2013, Vector Informatik GmbH
Version: 2.01.02
46 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

8.2
Interaction Layer Internal  Interfaces
APIs  which  are  not  explicitly  described  in  this  or  any  other  documentation  for  the  usage
shall  not  be called  from the  application.
Caution
Do not use internal functions from within the application unless not explicitly required.

2013, Vector Informatik GmbH
Version: 2.01.02
47 / 48
based on template version 3.6

Technical Reference Interaction Layer for General Motors

9  Contact
Visit our  website for more information  on

>   News
>   Products
>   Demo software
>   Support
>   Training  data
>   Addresses

www.vector-informatik.com
2013, Vector Informatik GmbH
Version: 2.01.02
48 / 48
based on template version 3.6

Document Outline

13.9 - UserManual_GENy_InteractionLayer

Microsoft Word - UserManual_GENy_InteractionLayer.doc

13.10 - UserManual_GENy_InteractionLayer_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35

13.11 - UserManual_GENy_InteractionLayers

Interaction Layer
with GENy
User Manual
(Your First Steps)

Version 1.03.01

Vector Informatik GmbH, Ingerheimer Str. 24, 70499 Stuttgart
Tel. 0711/80670-0, Fax 0711/80670-399, Email can@vector-informatik.de
Internet http:\\www.vector-informatik.de

User Manual Interaction Layer

1 / 35

Authors:
Klaus Emmert
Version:
1.03.01
Status:
released (in preparation/completed/inspected/released)

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual Interaction Layer

2 / 35
History
Author
Date
Version
Remarks
Klaus Emmert
2004-04-29
1.00
Converted from Version 0.8 to
new User Manual Layout.
Klaus Emmert
2004-05-17
1.1
Usage of vstdlib added (started with
IL version 1.83)
Klaus Emmert
2005-06-24
1.02
GENy added as new
Configuration Tool.
Gunnar Meiss
2007-05-16
1.03
ESCAN00020395
Gunnar Meiss
2007-07-12
1.03.01
ESCAN00021408 Update
Contents

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

3 / 35
Motivation For This Work
What is a signal?
A Signal is an abstract container for information. It can hold physical values, states
or  commandos.  Signals  can  concern  the  complete  vehicle  or  only  some  control
units.
Using the Interaction Layer you do not have to take care about the transmission or
reception of signal or the data consistency. If you need the content of a signal, just
read it, if a value changed, just write it. All the rest is done by the Interaction Layer.

WARNING
All  application  code  in  any  of  the  Vector  User  Manuals  is  for  training
purposes only. They are slightly tested and designed to understand the basic
idea of using a certain component or a set of components.

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual Interaction Layer

4 / 35
Contents
1
Welcome to the Interaction Layer User Manual............................................. 7
1.1
Beginners with the Interaction Layer start here? ................................ 7
1.2
For Advanced Users .......................................................................... 7
1.3
Special topics .................................................................................... 7
1.4
Additional Documents dealing with the Interaction Layer ................... 7
2
About This Document ..................................................................................... 8
2.1
How This Documentation Is Set-Up ................................................... 8
2.2
Legend and Explanation of Symbols.................................................. 9
3
Interaction Layer – An Overall View ............................................................. 10
3.1
Transmission problems.................................................................... 10
3.1.1
What is left to do for transmission .................................................... 10
3.2
Reception problems......................................................................... 11
3.2.1
What is left to do for Reception ........................................................ 11
3.3
Tools And Files................................................................................ 11
3.3.1
The data base file (DBC file)............................................................ 11
3.3.2
Configuration Tool ........................................................................... 12
3.3.3
Generation Process with CANbedded Software Component ........... 12
3.4
What Is the Vector Interaction Layer................................................ 14
3.5
What The Interaction Layer Does .................................................... 14
4
This Component – A More Detailed View..................................................... 15
4.1
Files to form the Interaction Layer.................................................... 15
4.1.1
Fix files that form the Interaction Layer ............................................ 15
4.1.2
Generated files that must not be changed, too................................. 15
4.1.2.1
Configuration Tool GENy ................................................................. 15
4.1.3
Configurable files............................................................................. 15
4.1.4
il.c.................................................................................................... 15
4.1.5
il_def. h............................................................................................ 15
4.1.6
Il_par.c............................................................................................. 15
4.1.7
il_par.h............................................................................................. 15
4.1.8
il_cfg.h ............................................................................................. 16
4.1.9
il_inc.h ............................................................................................. 16
4.1.9.1
Vstdlib.c / vstdlib.h ........................................................................... 16
4.1.10
Includes when using GENy.............................................................. 16
4.2
Handling of the Interaction Layer ..................................................... 16
5
A Basically Running Interaction Layer In 7 Steps ....................................... 18
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

5 / 35
5.1
STEP 1  Unpack the delivery ........................................................... 19
5.2
STEP 2  Configuration Tool and DBC File ....................................... 20
5.2.1
Working with the Configuration Tool GENy...................................... 21
5.2.1.1
Project Setup in GENy..................................................................... 21
5.2.1.2
Interaction Layer Settings in GENy .................................................. 21
5.3
STEP 3  Generate Files................................................................... 23
5.4
STEP 4  Add Files to Your Application............................................. 24
5.4.1
Using GENy..................................................................................... 24
5.5
STEP 5 Adaptations For Your Application ....................................... 25
5.6
STEP 6 Compile And Link ............................................................... 28
5.7
STEP 7 Test the Software Component ............................................ 28
5.7.1
Built-up of the test environment ....................................................... 28
5.7.2
Test of Interaction Layer .................................................................. 29
6
Further Information ....................................................................................... 31
6.1
States of the Interaction Layer ......................................................... 31
6.2
Debugging of Interaction Layer ........................................................ 31
6.3
Where to get the generated names for the macros and
functions .......................................................................................... 32
6.4
Usage of flags and functions............................................................ 32
6.5
Data Consistency ............................................................................ 33
7
Index................................................................................................................. 1

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual Interaction Layer

6 / 35
Illustrations
Figure 3-1
Transmission Problems ............................................................................ 10
Figure 3-2
Reception Problems ................................................................................. 11
Figure 3-3
Generation Process For Vector CANbedded Software Components ........ 13
Figure 3-4
Overview CAN Driver, Interaction Layer and Application .......................... 14
Figure 4-1
Including Vector Interaction Layer ............................................................ 16
Figure 5-1
Generation Information............................................................................. 23
Figure 5-2
The test environment................................................................................ 28
Figure 5-3
How to get an data base into CANoe........................................................ 29
Figure 5-4
Configure menu and Real adjustment....................................................... 29
Figure 5-5
A trace of the example application with timeout occurring......................... 29
Figure 5-6
Insert a generator block to send the message 201 all 10ms ..................... 30
Figure 5-7
A trace without timeout ............................................................................. 30
Figure 6-1
The State machine of the Interaction Layer .............................................. 31
Figure 6-2
Debug options for Interaction Layer.......................................................... 31

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

7 / 35
1  Welcome to the Interaction Layer User Manual
1.1
Beginners with the Interaction Layer start here?
You need some information about this document?
Chapter 2
What is the Interaction Layer?
Chapter 3.4

1.2
For Advanced Users
Start reading here.
Chapter 4
7 Steps for Interaction Layer integration.
Chapter 5


1.3
Special topics
States of the Interaction Layer
Chapter 6.1
Generated Names for macros and functions ?
Chapter 6.3
Flags and Functions
Chapter 0

1.4
Additional Documents dealing with the Interaction Layer
TechnicalReference_InteractionLayer
OEM-specific Documentation
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

8 / 35
2  About This Document
This  document  gives  you  an  understanding  of  the  Interaction  Layer.  You  will
receive  general  information,  a  step-by-step  tutorial  to  get  the  Interaction  Layer
running and to use its functionalities.
2.1
How This Documentation Is Set-Up
Chapter
Content
Chapter 1
The welcome page  is to navigate in the document. The main parts of the  document
can be accessed from here via hyperlinks.
Chapter 2
It  contains  some  formal  information  about  this  document,  an  explanation  of  legends
and symbols.
Chapter 3
In this chapter you get a brief introduction in this Interaction Layer and its tasks.
Chapter 4
Here you find some more insight in the Interaction Layer.
Chapter 5
Here  are  the  7  Steps  for  you  to  integrate  the  Interaction  Layer,  how  to  do  the
necessary settings in the Configuration Tool and how to connect the Interaction Layer
with your application.
Chapter 6
This chapter provides you with some further information.
Chapter 7
In this last chapter there is a list of experiences with the Interaction Layer.

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

9 / 35
2.2
Legend and Explanation of Symbols
You  find  these  symbols  at  the  right  side  of  the  document.  They  indicate  special
areas in the text. Here is a list of their meaning.
These areas
to the right of
Symbol
Meaning
the text
contain brief
items of
information
The building bricks mark examples.
that will

facilitate your
search for
Comm
ents
You will find key words and information in short sentences in the margin. This will
and
specific
explanation
s
greatly simplify your search for topics.
topics.
The footprints will lead you through the steps until you can use the described
Interaction Layer.

There is something you should take care about.

Useful and additional information is displayed in areas with this symbol.

This file you are allowed to edit on demand.

This file you must not edit at all.

This indicates an area dealing with frequently asked questions (FAQ).


2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

10 / 35
3  Interaction Layer – An Overall View
One  of  the  important  tasks  in  programming  ECUs  for  modern  vehicles  is  the
handling  of  timers  for  actions  like  sending  messages  or  monitoring  incoming
messages.  In  some  cases  this  can  become  quite  complex  and  could  be  a  lot  of
programming work to do.

3.1
Transmission problems

ABS
What
When
How
Often
Timeout
& Defaults
Notification
Data consistency
Dashboard
The names of the

macros are
derived from the
signal names in
Figure 3-1  Transmission Problems
the database with
a pre- and a
postfix. You can

change the
default pre- and
The picture above mentions things to remember when transmitting data. You surely
suffixes in the
Configuration
know these kinds of problems.
Tool.
The Interaction Layer handles the classic problems with transmission and reception
for you. The information which signal or message should be sent in which timing,
which  signal  triggers  a  timeout  flag  when  it  is  not  received  any  more  and  further
information  is  stored  in  the  data  base  (DBC  file,  use  CANdb++  for  editing  DBC
data) and realized by the Interaction Layer.

Signal access
can be a macros
3.1.1  What is left to do for transmission
or a function. This
depends on the
Regarding the transmission, you just have to fill the signal memory locations (use
signal length, its
generated signal/message access macros or functions) with the current values, the
location in the
message and the
transmission itself is done by the Interaction Layer.
transmission
mode.
As you access the signals via macros or functions, the data consistency is granted.
The Configuraion
Tool always
The Interaction Layer notifies the application in case of important events, such as a
generated the
successful  transmission  of  a  signal  (confirmation)  or  a  timeout  when  a  signal  has
best way to
access a signal.
not been received.
Caution
Signal access macros or functions are always unsigned integer values !!!

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

11 / 35
3.2
Reception problems

New Data?
ABS
Notification
Timeout
& Defaults
Data
Consistency
Dashboard
Figure 3-2  Reception Problems

The names of the
The  picture  above  mentions  things  to  remember  when  receiving  data.  You  surely
macros are
know these kinds of problems.
derived from the
signal names in
the database with

a pre- and a
suffix. You can
change the
3.2.1  What is left to do for Reception
default pre- and
suffixes in the
Access the received data via the generated macros or functions any time you need
Configuration
Tool  tab Names.
the information. The macros and functions guarantee the data consistency.
Events are signaled to the application via flags (polling) or functions.
You  may  react  on  the  indications  for  reception,  changed  values  or  timeout.  This
depends on the demands of your application.
The Interaction Layer will free you from handling the data transmission and reception
as  far  as  possible.  This  job  is  shifted  to  the  data  base  engineer  who  develops  the
DBC file.

Caution
Signal access macros are always unsigned integer values!

3.3
Tools And Files
There is the same
DBC-file per bus
system (high
3.3.1  The data base file (DBC file)
speed, low
speed, etc) for all
suppliers to
The DBC file normally is designed by the vehicle manufacturer and distributed to all
guarantee a
suppliers that develop an ECU.
common basis for
development.
For  the  Interaction  Layer  it  contains  attributes  and  the  information  about  the
transmission  modes  of  the  signals  (and  messages)  and  e.g.  the  cycle  times.  It
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

12 / 35
contains  all  information  that  is  necessary  for  transmitting  and  receiving  signals,
which signal should be time monitored etc.
Every  supplier  uses  the  SAME  DBC  file  for  one  type  of  vehicle  to  guarantee  a
common basis for development.

3.3.2  Configuration Tool
The  Configuration  Tool  is  a  PC-Tool.  It  is  used  to  configure  the  CANbedded
components to the application’s needs. The Configuration Tool generates files that
you have to include in your application.
For the Vector Interaction Layer many of the settings are done in the DBC file (see
above)  and  many  setting  can  be  done  in  the  Configuration  Tool.  For  each  signal
flags,  default  values,  access  macros  or  functions  and  callback  functions  can  be
switched to on or off separately.

3.3.3  Generation Process with CANbedded Software Component
The Configuration Tool generates files that contain the configuration and the signal
interface of the CANbedded Software Components. In connection with the source
code  of  each  component,  CANbedded  can  be  compiled  and  linked  (see  Figure
3-3).
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual Interaction Layer

13 / 35

CANdela
Network
The standard
Database
Database
generation
process for
Vectors Software
Components.
Application
Configuration Tool
Specific
Data
Generation
Configuration
Signal
Interface
Header
Includes
CANbedded
CANdesc
Software
Application
Parameters
Source
Components
Compiler, Linker
Executable

Figure 3-3 Generation Process For Vector CANbedded Software Components
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

14 / 35
3.4
What Is the Vector Interaction Layer
os CAN
Application
Interaction
Layer
CAN Driver
CAN Controller
Transceiver
CAN Bus

Figure 3-4  Overview CAN Driver, Interaction Layer and Application

As  you  see  the  Interaction  Layer  is  a  higher  layer  than  the  CAN  Driver  and  uses
the services of the physical layer for transmission and reception.
3.5
What The Interaction Layer Does
The Vector Interaction Layer is responsible for transmission and reception of CAN
messages  according  their  transmission  modes,  timeout  monitoring  and  setting  of
default values. It provides a signal interface to the application.
Therefore  the  programming  effort  for  transmission  and  reception  of  signals  is
reduced on some settings on the DBC and in the Configuration Tool and the basic
implementation of the Vector Interaction Layer Component.
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

15 / 35
4  This Component – A More Detailed View
4.1
Files to form the Interaction Layer
The Interaction Layer consists of 3 sorts of files.
4.1.1  Fix files that form the Interaction Layer
  il.c
  il_def.h
4.1.2  Generated files that must not be changed, too
4.1.2.1
Configuration Tool GENy
  Il_par.c
  Il_par.h
  Il_cfg.h

4.1.3  Configurable files
  il_inc.h or  _il_inc.h (the underscore means, this file has to be adapted by you)
4.1.4  il.c
This file contains the code for the Interaction Layer.
You must not change this file at all.
4.1.5  il_def. h
The file il_def.h is the header file of the Interaction Layer.
You must not change this file at all.
4.1.6  Il_par.c
Generated file for the Interaction Layer parameters.
You must not change this file at all.
4.1.7  il_par.h
Generated header for the Interaction Layer parameters.
You must not change this file at all.
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

16 / 35
4.1.8  il_cfg.h
This  is  the  configuration  file  of  the  Interaction  Layer.  It  contains  the  configuration
switches according to your selections in the Configuration Tool.
Do not change this file.  You will loose the changes after the next generation process.
4.1.9  il_inc.h
INC  stands  for  include.  Here  you  can  add  includes  you  need.    Use  the  delivered
standard  il_inc.h  for  this  first  attempt  and  look  at  the  default  includes  as  an
example.
It is very important that you do NOT change the including order given in this header.

Include  this file  (as  you  did  it  with  can_inc.h)  in  every  c  file  where  you  need  CAN
functionality. Il_inc.h “replaces” can_inc.h if you use the Interaction Layer.

4.1.9.1
Vstdlib.c / vstdlib.h
You have to include the Vector standard library beginning with version 1.83 of the
Interaction Layer.
4.1.10 Includes when using GENy
To  use  the  Vector  Interaction  Layer,  only  the  file  il_inc.h  must  be  included  in  all
application components that want to use Interaction Layer functionality.
Application.c
il_inc.h
Normally the
Interrupts are

disabled after
reset, but this is
Figure 4-1  Including Vector Interaction Layer
not granted for
any hardware
platform.
4.2
Handling of the Interaction Layer
Make sure the
interrupts are
The  Interaction  Layer  has  to  be  added  to  the  application  and  initialized  directly
disabled.
after the initialization of the CAN Driver. Take care that the interrupts are disabled
DO NOT USE
THE FUNCTION
CanInteruptDisable
here.
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

17 / 35
while  initialization  of  the  components.  Additionally  the  functions  IlRxTask()  and
IlTxTask()  have  to  be  called  cyclically  within  the  cycle  time  adjusted  in  the
Configuration Tool (IL options/Timings IL Vector Channel X).
It is very important for the correct function of the Interaction Layer that the timing you
entered in the Configuration Tool and the cycle you call the IlRxTask() and IlTxTask()
are the same. This is the basis for the timing of the Vector Interaction Layer.
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

18 / 35
5  A Basically Running Interaction Layer In 7 Steps
STEP 1 :   UNPACK THE DELIVERY
Follow  the  install  shield  wizard  to  unpack  the  CANbedded  Software  Components  and
the Configuration Tool.
STEP 2:   CONFIGURATION TOOL AND DBC FILE
Read-in the DBC file in the Configuration Tool and make the configuration settings for
the CANbedded Software Components.
STEP 3:  GENERATE FILES
Generate the files in the appropriate folders.
STEP 4:   ADD FILES TO YOUR APPLICATION
Add the CANbedded C and H files to your project or makefile.
STEP 5:   ADAPTATIONS FOR YOUR APPLICATION
Now  your  application  files  must  be  modified  to  use  the  CANbedded  Software
Components (includes, cyclic calls, initialization) and do the call back functions.
STEP 6:   COMPILE AND LINK
Compile  and  link  the  complete  project  and  download  it  to  your  test  hardware  or
development environment.
STEP 7:   TEST THE SOFTWARE COMPONENT
Test the software via a suitable test environment.

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

19 / 35
5.1
STEP 1  Unpack the delivery
The  delivery  of  CANbedded  Software  Components  normally  comprises  the
Configuration Tool and the source code of the software components.
You only have to start the
Setup.exe
The Configuration
Tool generates
files for  your
and to follow the install shield wizard.
application. It is
the connection
between your
hardware and
We recommend creating a shortcut to the Configuration Tool.
settings, the
requirements of
your vehicle

manufacturer and
the other ECUs,
your ECU has to

communicate
with.
Back to 9 Steps overview

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

20 / 35
5.2
STEP 2  Configuration Tool and DBC File
We recommend for the integration of the Vector Interaction Layer to have a already
running  application  with  already  working  bus  communication  (CAN  Driver  is
integrated and running).
Normally the adjustments in the DBC file are done by the data base engineer. To
be able to use the Interaction Layer the data base attributes and the corresponding
You can safe
timings have to be set properly.
much time when
you start changes
after verifying the
functionality of
For  the  following  steps  we  used  a  very  simple  DBC  file  with  only  one  receive
the hardware and
software you use
message and two transmit messages.
as basis for
changes.

For more
information about
how to starup
with GENy refer
to the GENy
online help.
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual Interaction Layer

21 / 35
5.2.1 Working with the Configuration Tool GENy
Open the Configuration Tool GENy,
5.2.1.1
Project Setup in GENy
create a new configuration and fill-out the Setup Dialog

 Pre-configuration file
 Microcontroller
 Derivative
 Compiler

Select the bus system (here CAN) and fill-out the Channel Setup
window

Browse for your Database file
and select your ECU out of the

Database Nodes list.

Select the Software Components Hw_xxx (in
this example it is the HC12), the CAN Driver
(DrvCan_Hw12MscanIdx) and with Il_Vector
the Interaction Layer.

Set
the
Generation
Paths
(<Shift> +<F7>) correctly.

5.2.1.2
Interaction Layer Settings in GENy
For this example we want to monitor the reception of the Signal_2. If this signal is
not received over an adjustable (in the DBC file – use CANdb++ editor) period of
time, a timeout occurs.
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

22 / 35
There are two ways your application can be notified of a timeout,
  via a flag or
  a function.
In this example we use a function for notification.
Open  the  Configuration  Options  for  Signal_2  via  clicking  Signal_2  in  the
navigation view. Add a timeout function by clicking the  Add button and entering a
name or working with the default as shown.

Figure 5-1 Activate the Timeout Monitoring of Signal_2

Back to 9 Steps overview

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

23 / 35
5.3
STEP 3  Generate Files

Click on the button
to start the generation process for GENy.

Figure 5-1  Generation Information
The results of the Generation Process are shown in the two views at the bottom of
GENy.
Generated Files
This is a list with all file that GENy has generated and the folder information.
Messages
Here  the  information  that  occurs  during  the  generation  process.  Take  care  of  this
information  after  any  generation  process.  Important  generation  error  information
could be displayed there as you see in the example above.

Back to 9 Steps overview

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

24 / 35
5.4
STEP 4  Add Files to Your Application

5.4.1  Using GENy
Copy the core files for the Interaction Layer out of the delivery in the directory you
reserved for.
Add those new files together with the generated ones (see Figure 5-1) to the file list
of you compiler or makefile.
If you want to apply changes you have done in the Configuration Tool, you must start
the generation process again.  Remember compiling afterwards.

Starting  with  IL  implementation  version  1.83  the  IL  uses  the  Vector  standard  library
vstdlib  for  memory  copy  and  clear  routines  to  avoid  calls  to  the  C  standard  library.
Therefore  it  is  required  in  that  case  to  link  the  file  vstdlib.c  to  the  project.  The
v_def.h includes the corresponding header.

Back to 9 Steps overview

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

25 / 35
5.5
STEP 5 Adaptations For Your Application
Using CANgen and GENy
To  be  able  to  compile  and  link,  you  have  to  do  a  few  further  adaptations  in  your
application.
This  is  the  example  you  know  from  the  CAN  Driver.  For  a  first  test,  this  simple
application  without  any  function  except  for  calling  the  Interaction  Layer  Tasks
IlRxTask() and IlTxTask() cyclically, is enough.
In  the  following  example  application  only  the  modifications  are  explained  and
emphasized.

Example for HC12:

/* Includes*********************************************************/
#include "can_inc. h"
#include "yourecu. h"
#inlcude”il_inc.h”;    /*  with  this  include,  the  other  two  will  be
                      included too.*/

unsigned char timerelapsed;
/*the  function  IlRxTask()  and  IlTxTask()
must not be called in interrupt context.  So
this  flag  is  used  as  an  indicator,  that  a
timer  interrupt  occurred  and  is  polled  in
the application. */

/*Function prototypes **********************************************/
void enableInterrupts( void );
void hardwareInit( void );

/*Main Function ****************************************************/
void main(void)
{
/*make  sure  that  the  interrupts  are  disabled  or  disable  interrupts
here.*/
  hardwareInit();
It is forbidden to
use any CAN

functionality
  CanInitPowerOn();
before
  IlInitPowerOn();
/*To use the Interaction Layer you have
CanInitPowerOn
!!!
                        to do the initialization first.
                    For the case your module does not know
                    this function, use IlInit(); */

timerelapsed = 0;  /* timerelapsed = 0x00 no interrupt occurred
                        timerelapsed = 0xff    interrupt occurred

  enableInterrupts();
  IlRxStart();
  IlTxStart();
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

26 / 35

  for(;;)
  {
    /* call of IlRxTask() and IlTxTask() if timerelapsed = 0xff*/
    if( timerelapsed == 0xff)
    {
        timerelapsed = 0;        /*clear the flag to call NmTask()
                               only once after a timer interrupt*/
        IlRxTask();               /*cyclic call for interaction layer*/
        IlTxTask();
    }
  }
}

void ApplCanBusOff( void )
{
  ;
}

void ApplCanWakeUp( void )
{
  /*Call-Back  function  at  the  transition  from  SleepMode  to  sleep
    indication recommended*/
}

void enableInterrupts( void )
{
  CLI();
}

/*This  is  the  function  called  in  case  of  a  timeout  of  the message_2  that
should be received cyclically*/

void ApplSignal_2SigTimeout( void )
{

  IlPutTxMissingSignal(0x3d);
                                      /*Trigger  to  send  this  message  in  case
                               of  a  timeout.  Both  names  are  defined
                               in the YourECU.h.*/
}

void hardwareInit( void )
{
  /*
  Do your hardware specific initializations here.
  Remember your TRANSCEIVER
  */
}

@interrupt void irq_dummy0(void)
{
  for( ;; );
  /*all
other
interrupts
except
the
CAN
                         Interrupts are routed to this function.*/
}

/*This  is  the  interrupt  function  of  the  timer  interrupt.    The  timer  will
be  reset  and  the  timerelapsed  indicates  the  occurrence  of  an  interrupt
for the application (see code above). */
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

27 / 35

@interrupt void irq_timer0(void)
{
  /*reload timer*/
  timerelapsed = 0xff;
}

You also have to do modifications in the interrupt vector table. The occurrence of a
timer  interrupt  has  to  lead  to  the  timer  interrupt  function.  In  this  example  you  see
that the vector for the timer0 interrupt is added
.
Example for HC12:

const functptr vectab[] = {        // @0xFFC4 start address of table
    CanTxInterrupt,                // $FFC4    CAN transmit
    CanRxInterrupt,                // $FFC6    CAN receive
    CanErrorInterrupt,             // $FFC8    CAN error
    irq_dummy0,                    // reserved
    irq_dummy0,                    //
    irq_dummy0,                    //
    CanWakeUpInterrupt,            // $FFD0 CAN wake-up
    irq_dummy0,                    //ATD
    irq_dummy0,                    //SCI 2
    irq_dummy0,                    //SPI
    irq_dummy0,                    //SPI
    irq_dummy0,                    //Pulse acc input
    irq_dummy0,                    //Pulse acc overf
    irq_dummy0,                    //Timer overf
    irq_dummy0,                    //Timer channel 7
    irq_dummy0,                    //Timer channel 6
    irq_dummy0,                    //Timer channel 5
    irq_dummy0,                    //Timer channel 4
    irq_dummy0,                    //Timer channel 3
    irq_dummy0,                    //Timer channel 2
    irq_dummy0,                    //Timer channel 1
    irq_timer0,                    //Timer channel 0
    irq_dummy0,                    //Real time
    irq_dummy0,                    //IRQ
    irq_dummy0,                    //XIRQ
    irq_dummy0,                    //SWI
    irq_dummy0,                    //illegal
    irq_dummy0,                    //cop fail
    irq_dummy0,                    //clock fail
    _stext                         //RESET
    };

Back to 9 Steps overview

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

28 / 35
5.6
STEP 6 Compile And Link
Now start your compiler by calling the makefile or just clicking the start button, this
depends on your development tool chain.

Back to 9 Steps overview

5.7
STEP 7 Test the Software Component
You  remember  the  testing  method  from  the  CAN  Driver?  To  test  the  Interaction
Layer we use the same test environment with a few modifications.
5.7.1  Built-up of the test environment

Figure 5-2  The test environment

The network will consist of 2 nodes, a real one (YourECU) and the simulated one,
the TestNode (as named in the data base).
Open your CANoe or CANalyzer.
The next step is to Associate a new database, the same data base (DBC file)
you use for your application.

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

29 / 35

Figure 5-3  How to get an data base into CANoe

Figure 5-4  Configure menu and Real adjustment
Make sure that the CANoe mode is switched to REAL and you have chosen the same
baud rate as in your real node YourECU.
5.7.2  Test of Interaction Layer
Now  start  your  Application  on  the  hardware  platform  and  the  CANoe/CANalyzer.
Now  you  should  see  the  cyclic  message  sent  via  the  Interaction  Layer,  the
Message_1.  Additionally  you  see  the  Timeout_Message,  because  the  cyclic
message from CANoe is not being sent.

Figure 5-5  A trace of the example application with timeout occurring
!!! CONGRATULATIONS !!!
The Interaction Layer is basically working.
Now  try  to  prevent  the  timeout  from  occurring.  Insert  a  generator  block  and  send
the message with the ID 201 (Message_2) e.g. in a cycle of e.g. 10ms.

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

30 / 35

Figure 5-6  Insert a generator block to send the message 201 all 10ms
Restart  the  application  and  CANoe  and  the  Timeout_Message  will  not  occur
anymore.

Figure 5-7  A trace without timeout
This is working, too? You have implemented the Interaction Layer correctly for the
first time. Now you can go on.

Back to 9 Steps overview

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

31 / 35
6  Further Information
Now  the  Interaction  Layer  is  basically  working.  To  get  a  deeper  understanding  of
this  module  continue  with  this  chapter.  A  very  detailed  description  of  the  API  you
find in the Technical Reference of the Interaction Layer.
6.1
States of the Interaction Layer
The  following  figure  shows  the  state  machine  of  the  Interaction  Layer.  There  are
two identical state machines, one for transmission (Tx) and one for reception (Rx).
void IlRxStart( void );
IlRx
void IlInit( void );
void Il
Stop( void );
void IlInit( void );

void IlRxWait( void );
void IlTxStart( void );

void IlTxStop( void );
void IlTxWait( void );
void IlRxRelease( void );
void IlTxRelease( void );
running

Wait
Stop
PowerOn

Release
Start

waiting
suspended
Init
d
I
uninit

Stop

Figure 6-1  The State machine of the Interaction Layer
Use  the  functions  to  switch  the  states  of  the  Interaction  Layer  to  your  demands.
This  becomes  very  important  using  the  Interaction  Layer  together  with  a  Network
Management.
6.2
Debugging of Interaction Layer
Using the Interaction Layer you can select two main debug options.

Figure 6-2  Debug options for Interaction Layer

The argument check for the IL functions is used to check the arguments passed to
functions of the Interaction Layer. If an error was detected, the return value of the
functions  will  contain  an  error  code.  More  about  this  feature  see  the  Technical
Reference Interaction Layer.
The assertions you should use only during the development process.
2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

32 / 35
All assertions branch to the function
void ApplIlFatalError( ErrorCode );
where you can analyse the cause of the assertion.

6.3
Where to get the generated names for the macros and functions
To avoid errors
occurring from
false writing a
You know the situation, the files are generated and now you start to develop your
recommend to
copy and paste
application. What is the name of the generated macros for the indication function?
the name from
What is the correct writing of the callback function? You know the signal name and
the file
YourECU.h and
your pre- and postfixes but:
ilpar.h.

Using GENy
all this information you get out of the generated file:
ilpar.h.

6.4
Usage of flags and functions
The Interaction Layer is signal oriented. So all flags and functions notify events that
have  to  do  with  signals.  There  are  flags  and  functions  for  reception  and
transmission. See first all flags and functions concerning the reception of data.
Indication Flag
Indicates the reception of a signal
Indication Function
FirstValue Flag
Can be used to indicate the reception of the signal since the last
reset of this flag or of the Interaction Layer
DataChanged Flag
Indicates a changed signal
Timeout Flag
Indicates a missing reception of a signal for the adjusted time.
Timeout Function

to confirm the transmission there is one flag and one function.
Shows that the message containing the signal has been
Confirmation Flag
acknowledged by another node.
Confirmation Function
This acknowledge is sent when at least one ECU has receive the
message. The acknowledge triggers a transmit interrupt. Within
this interrupt the flag is set and the confirmation function is called.

You can use only
the flag, only the
The confirmation guarantees that the message containing the regarded signal has
function or both
combined. This is
been sent.
up to your
application.

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual  Interaction Layer

33 / 35
6.5
Data Consistency
A  very  important  part  is  the  knowledge  about  data  consistency  and  the  situations
you have to take care for it.
Refer to the chapter dealing with the data consistency in the Technical Reference
of the Interaction Layer.

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

User Manual Interaction Layer

1 / 35
7 Index
Bootloader .................................................... 9
il_inc.h ......................................................... 16
clock............................................................ 27
Il_inc.h ......................................................... 15
compile........................................................ 25
ilpar.c........................................................... 15
Compile....................................................... 28
IlRxTask ................................................ 17, 26
confirmation ................................................ 10
IlTxTask................................................. 17, 26
dbc-file ........................................................ 11
Include......................................................... 16
Example ................................................ 25, 27
link ............................................................... 25
generation process ............................... 16, 24
Link.............................................................. 28
Generation Process .................................... 12
makefile ....................................................... 28
Generation Tool .......................................... 16
Motivation ...................................................... 3
il.c................................................................ 15
reception ................... 3, 10, 11, 14, 21, 31, 32
Il.c ............................................................... 15
Reception .............................................. 11, 32
il_cfg.h......................................................... 16
Test ............................................................. 28
il_def. h ....................................................... 15
transmission .................... 3, 10, 11, 14, 31, 32
il_def.h ........................................................ 15
vstdlib .......................................................... 24

2007, Vector Informatik GmbH

Version: 1.03.01

based on template version 1.8

14 - MCU Driver

MCU Driver

Component Documentation

14.1 - AUTOSAR_MCU_Component_UserManual

AUTOSAR MCAL R4.0 User's Manual

14.2 - AUTOSAR_MCU_Component_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62

14.3 - AUTOSAR_MCU_Component_UserManuals

ss

AUTOSAR MCAL R4.0.3
User‟s Manual

MCU Driver Component Ver.1.0.5

Embedded User‟s Manual

Target Device:
RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.01 Apr 2015

2

Notice

  1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.
  2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.

  3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.
  4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by you or third

parties arising from the use of these circuits, software, or information.

  5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.
  6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

  7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.
  8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.
  9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.
  10.  Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EURoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.
  11.  This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.
  12.  Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.

(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.
(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.
3

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
ADC
Analog to Digital Converter
ANSI
American National Standards Institute
API
Application Programming Interface
AUTOSAR
AUTomotive Open System ARchitecture
CAN
Controller Area Network
CVM
Core Voltage Monitor
CLMA
Clock Monitor
DEM/Dem
Diagnostic Event Manager
DET/Det
Development Error Tracer
DIO
Digital Input Output
DMA
Direct Memory Access
ECU
Electronic Control Unit
EEPROM
Electrically Erasable Programmable Read-Only Memory
ECM/Ecm
Error Control Module
GNU
GNU‟s Not Unix
GPT
General Purpose Timer
HW
HardWare
ICU
Input Capture Unit
ID/Id
IDentifier
ISR
Interrupt Service Routine
I/O
Input and Output
KB
Kilo Byte
LIN
Local Interconnect Network
MCAL
Microcontroller Abstraction Layer
MCU/Mcu
MicroController Unit
NA
Not Applicable
NMI
Non Maskable Interrupt
MI
Maskable Interrupt
OS/Os
Operating System
PWM
Pulse Width Modulation
PLL
Phase Locked Loop
RAM/Ram
Random Access Memory
ROM
Read Only Memory
RTE
Run Time Environment
SPI
Serial Peripheral Interface
SW
SoftWare
WDT
WatchDog Timer

5

Definitions

Term
Represented by
Sl. No.
Serial Number
6

10

  Introduction

               Chapter 1

Chapter 1
Introduction

The purpose of this document is to describe the information related to
MCU Driver Component for Renesas P1x microcontrollers.

This document shall be used as reference by the users of MCU Driver
Component. The system overview of complete AUTOSAR architecture
is shown in the below Figure:



Application Layer

AUTOSAR  RTE

System  Services

On board Device Abstraction

                                                                                           MCU Driver

Microcontroller

Figure 1-1  System Overview Of AUTOSAR Architecture

The MCU Driver is part of the Microcontroller Abstraction Layer (MCAL),
the lowest layer of Basic Software in the AUTOSAR environment.

11

Chapter 1

                 Introduction

The Figure in the following page depicts the MCU Driver as part of layered
AUTOSAR MCAL Layer:

Microcontroller Drivers
Memory Drivers
          Communication Drivers                                  I/O Drivers

in
e
in
te

x
t
r
te
e
n
S

W
r
r
a
P

n
F
n
l
a

GP
MC
a
a
EEP
H
CA
LI
le
tc
C
RA
l
l

a

N
x

h
o
F
F
n
N Dr
R

T
U
d
l

re

M
la
a
d
D
I
P
RO
a
CU
A

D
o
D
D
P
g

s
s
le
W
r
y

DC
r
T
I
OR
r
T
h
h
i
r
v

i

i

O
v
D
iv
e
e

D
M
Dr
er
v
D

M
Dr
Dr
e
e

r
e
st
r
s

r

i

r
i
D
v
Dr
Dr
T
r
i

v
r

i
i
D
v

i
v
v
er
v
r
er
D
er
i
i

er
er
r
e
iv
i
v
v
v

r
e
e
e
r

ive

e

r
r
r
r

r

M
E
&

G
WDT
C Po
U
Cl
Micro-
xt
F
E
l
E
L
PW
.
a
M
P
S
SCI
I
CA
IC

DIO
PT
n
B
i
o
s
R

N
C
PI
t
c
w
Controller  u
h

O

N
U
M
D

s

k

or

A

er

Figure 1-2  System Overview Of The MCU Driver In AUTOSAR MCAL Layer

The RTE provides the encapsulation of Hardware channels and basic
services to the Application Software Components. So it is possible to map the
Application Software-Components between different ECUs.

The Basic Software Modules are located below the RTE. The Basic Software
itself is divided into the subgroups: System Services, Memory,
Communication and I/O Hardware-Abstraction. The Complex Drivers are also
located below the RTE. Among others, the Operating System (OS), the
Watchdog manager and the Diagnostic services are located in the System
Services subgroup. The Memory subgroup contains modules to provide
access to the non-volatile memories, namely Flash and EEPROM. In the I/O
Hardware-Abstraction subgroup the whole MCU Driver Component is
provided.

On board Device Abstraction provides an interface to physical values for
AUTOSAR software components. It abstracts the physical origin of signals
(their paths to the hardware ports) and normalizes the signals with respect to
their physical appearance. The Microcontroller driver provides services for
basic microcontroller initialization, power down functionality, reset and
microcontroller specific functions required from the upper layers.
12

Introduction

                  Chapter 1

1.1.
Document Overview

The document has been segmented for easy reference. The table below
provides user with an overview of the contents of each section:

Section
Contents
Section1 (Introduction)
This section provides an introduction and overview of MCU Driver
Component.
Section 2 (Reference Documents)  This section lists the documents referred for developing this document.
Section 3 (Integration And Build
This section explains the folder structure, Makefile structure for MCU
Process)
Driver Component. This section also explains about the Makefile
descriptions, Integration of MCU Driver Component with other
components, building the MCU Driver Component along with a sample
application.
Section 4 (Forethoughts)
This section provides brief information about the MCU Driver
Component, the preconditions that should be known to the user before
it is used, data consistency details and deviation list.
Section 5 (Architecture Details)
This section describes the layered architectural details of the MCU Driver
Component.
Section 6 (Registers Details)
This section describes the register details of MCU Driver Component.
Section 7 (Interaction between
This section describes interaction of the MCU Driver Component with
The User And MCU Driver
the upper layers.
Component)
Section 8 (MCU Driver
This section provides information about the MCU Driver Component
Component Header And Source
source files is mentioned. This section also contains the brief note on
File Description)
the tool generated output file.
Section 9 (Generation Tool Guide)  This section provides information on the MCU Driver Component Code
Generation Tool.
Section 10 (Application
This section explains all the APIs provided by the MCU Driver
Programming Interface)
Component.
Section 11 (Development And
This section lists the DET and DEM errors.
Production Errors)
Section 12 (Memory
This section provides the typical memory organization, which must be
Organization)
met for proper functioning of component.
Section 13 (P1M Specific
This section provides P1M specific information also the information
Information)
about linker compiler and sample application.
Section 14 (Release Details)
This section provides release details with version name and base
version.
13

Chapter 1

Introduction

14

Reference Documents

Chapter 2

Chapter 2
Reference Documents

Sl. No.
Title
Version
1.
AUTOSAR_SWS_MCUDriver.pdf
3.2.0
2.
r01uh0436ej0070_rh850p1x.pdf
0.70
3.
AUTOSAR_SWS_MemoryMapping.pdf
1.4.0
4.
AUTOSAR_SWS_PlatformTypes.pdf
2.5.0
5.
AUTOSAR_BSW_MakefileInterface.pdf
0.3
6.
AUTOSAR_SWS_CompilerAbstraction.pdf
3.2.0
7.
AUTOSAR BUGZILLA (http://www.autosar.org/bugzilla)
-
Note: AUTOSAR BUGZILLA is a database, which contains concerns
raised against information present in AUTOSAR Specifications.
15

Chapter 2 Reference Documents

16

Integration And Build Process

 Chapter 3

Chapter 3
Integration and Build Process

In this section the folder structure of the MCU Driver Component is explained.
Description of the Make files along with samples is provided in this section.

Remark The details about the C Source and Header files that are generated by the
MCU Driver Generation Tool are mentioned in the Generation Tool User‟s
Manual “AUTOSAR_MCU_Tool_UserManual.pdf”.

3.1.
MCU Driver Component Makefile

The Makefile provided with the MCU Driver Component consists of the GNU
Make compatible script to build the MCU Driver Component in case of any
change in the configuration. This can be used in the upper level Makefile (of
the application) to link and build the final application executable.

3.1.1.
Folder Structure

The files are organized in the following folders:

Remark Trailing slash „\‟ at the end indicates a folder

X1X\P1x\modules\mcu\src

\Mcu.c

\Mcu_Irq.c

\Mcu_Ram.c

\Mcu_Version.c

X1X\P1x\modules\mcu\include

\Mcu.h

\Mcu_Debug.h

\Mcu_Irq.h

\Mcu_PBTypes.h

\Mcu_Ram.h

\Mcu_Types.h

\Mcu_Version.h

X1X\P1x\modules\mcu\sample_application\<SubVariant>\make\<compiler>
\App_MCU_P1M_Sample.mak

X1X\P1x\modules\mcu\sample_application\<SubVariant>\obj\<Complier>

X1X\P1x\modules\mcu\generator
\Mcu_P1x.exe
\R403_MCU_P1x_BSWMDT.arxml

X1X\P1x\common_family\generator
\Global_Application_P1x.trxml
\Sample_Application_P1x.trxml
\P1x_translation.h
17

Chapter 3 Integration And Build Process

\Test_Application_P1x.trxml
X1X\P1x\modules\mcu\user_manual

(User manuals will be available in this folder)

 Note: 1. <Complier> can be ghs.
 2. <AUTOSAR_version> should be 4.0.3.
 3. <SubVariant> can be P1M.

18

Forethoughts
Chapter 4

Chapter 4
Forethoughts

4.1.
General

Following information will aid the user to use the MCU Driver Component
software efficiently:

•  The MCU Driver does not enable or disable the ECU or Microcontroller
power supply. The upper layer should handle this operation.

•  The start-up code is ECU and MCU specific. MCU Driver does
not implement the start-up code.

•  MCU specific initializations such as reset registers, one time writable
registers, interrupt stack pointer, user stack pointer and MCU internal
watchdog, MCU specific features of internal memory and registers are not
implemented by MCU Driver. These initializations should be implemented
by the start-up code.

•  MCU Driver does not implement any call-back notification functions.

•  MCU Driver does not implement scheduled functions.

•  The MCU Driver component is implemented as a Post build variant.

•  MCU Driver depends on Scheduler and Wake-up source service Modules
for disabling all relevant interrupts to protect writing into the protected
registers and invoking the ECU state manager functions.

•  In P1x PLL clocks are not configurable and it cannot be controlled by
software. It works with default values after main oscillator activated.
Hence in P1x Mcu dirver code Mcu_DistributePllClock()and
Mcu_GetPllStatus()API's none of the action are taken care except DET
errors.

•  The file Interrupt_VectorTable.c provided is just a Demo and not all
interrupts will be mapped in this file. So the user has to update the
Interrupt_VectorTable.c as per his configuration

4.2.
Preconditions

Following preconditions have to be adhered by the user, for proper
functioning of the MCU Driver Component:

•
The Mcu_Cfg.h, Mcu_Cbk.h and Mcu_Reg.h files generated by the MCU
Driver component Code Generation Tool must be compiled and linked
along with MCU Driver component source files.

•  The application has to be rebuilt, if there is any change in the Mcu_Cfg.h file
generated by the MCU Driver component Generation Tool.

•  File Mcu_PBcfg.c generated for single configuration set or multiple
configuration sets using MCU Driver component Generation Tool can
be compiled and linked independently.

•  The  authorization  of  the  user  for  calling  the  software  triggering  of  a
hardware reset is not checked in the MCU Driver. This is the responsibility
of the upper layer.

•  The MCU Driver component needs to be initialized before accepting
any request. The API Mcu_Init should be called by the ECU State
Manager Module to initialize MCU Driver Component.

19

Chapter 4 Forethoughts

The user should ensure that MCU Driver component API requests
are invoked in the correct and expected sequence and with correct
input arguments.

• Input parameters are validated only when the static configuration
parameter MCU_DEV_ERROR_DETECT is enabled. Application should
ensure that the right parameters are passed while invoking the APIs when
MCU_DEV_ERROR_DETECT is disabled.

• There are different clock settings possible. For more details, please refer
the respective device specific component user manual.

• If the handle of clock setting passed to the API Mcu_InitClock is not
configured to any one of the supported clock settings, then the
Development Error Detection function is invoked if the static configuration
parameter MCU_DEV_ERROR_DETECT is enabled.

• The MCU Driver initializes the clock generator as per the required
configuration settings and provides the configured clock sources for the
peripherals as applicable. It is the responsibility of the individual drivers to
select and initialize the respective driver specific registers as required for
their functionality with reference to the clock source provided by the MCU
Driver.

• The API Mcu_InitClock is implemented considering its invocation at run
time. Hence, there is a possibility of change in the baud rate set by the
peripheral drivers if the clock setting is different. Hence, the initialization of
the respective drivers after the invocation of Mcu_InitClock, is the
responsibility of the user of MCU Driver services.

• A mismatch in the version numbers of header and the source files results
in compilation error. User should ensure that the correct versions of the
header and the source files are used.

4.3.
Data Consistency

To support the re-entrance and interrupt services, the MCU Driver will ensure
the data consistency while accessing its own RAM storage or hardware
registers or to prevent any interrupts between the two write instructions of the
write protected register and the corresponding write enable register.
The MCU Driver will use SchM_Enter_Mcu_<Exclusive Area> and
SchM_Exit_Mcu_<Exclusive Area> functions.

The SchM_Enter_Mcu_<Exclusive Area> function is called before the data
needs to be protected and SchM_Exit_Mcu_<Exclusive Area> function is
called after the data is accessed.
The flowchart will indicate the flow with the precompile option
“McuCriticalSectionProtection” enabled.

The following exclusive area along with scheduler services is used to provide
data integrity for shared resources:
REG_DATA_PROTECTION
The functions SchM_Enter_Mcu_<Exclusive Area> and SchM_Exit_Mcu
_<Exclusive Area> can be disabled by disabling the configuration parameter
„McuCriticalSectionProtection‟.

4.4.
User Mode and Supervisor Mode

The below table specifies the APIs which can run in user mode, supervisor
20

Forethoughts
Chapter 4

mode or both modes

Table 4-1
Supervisor mode and User mode details

Sl.No.
API Name
User Mode Supervisor Known limitation in User
Mode
mode
1.
Mcu_Init
-
x
1. The enabling of the
interrupt will not be
possible.
2. Critical section protection
cannot be enabled
2.
Mcu_InitRamSection
x
x
Critical section protection
cannot be enabled
3.
Mcu_InitClock
x
x
-
4.
Mcu_DistributePllClock
x
x
-
5.
Mcu_GetPllStatus
x
x
-
6.
Mcu_GetResetReason
x
x
-
7.
Mcu_GetResetRawValue
x
x
-
8.
Mcu_PerformReset
x
x
-
9.
Mcu_SetMode
x
x
-
10.
Mcu_GetRamState
x
x
Critical section protection
cannot be enabled
11.
Mcu_LockStepSelfDiagnosticTest
x
x
Critical section protection
cannot be enabled
12.
Mcu_CvmSelfDiagnosticTest
x
x
-
13.
Mcu_ClmaSelfDiagnosticTest
x
x
-
14.
Mcu_EcmSelfDiagnosticTest
x
x
Critical section protection
cannot be enabled
15.
Mcu_SaveResetReason
x
x
Critical section protection
cannot be enabled

4.5.
Deviation List

Table 4-2
MCU Driver Deviation List

Sl. No.
Description
AUTOSAR Bugzilla / Mantis
1.
The parameter McuResetSetting from the
-
sub-container McuModuleConfiguration is
not considered.
2.
The MCU Driver considers the parameters of
-
RAM section configuration as pre-compile
parameters, since the number of RAM settings
are not known and hence the generation of
handles is not possible at post-build-time.
21

Chapter 4                                                                                                                           Forethoughts

Sl. No.
Description
AUTOSAR Bugzilla / Mantis
3.
The sub-container McuClockReferencePoint in
-
the Clock setting configuration is not used as
the reference frequencies specific to various
peripheral devices need to be published by
MCU Driver component.
4.
The parameter McuClockSettingId range in
54536
McuClockSettingConfig container is changed
from “1 to 255” to “0 to 255” since 0 is valid
minimum value for clock setting ID.
5.
If an invalid database is passed as a
-
parameter to API Mcu_Init, DET Error code
MCU_E_INVALID_DATABASE is reported to
DET.
6.
The Mcu_GetVersionInfo API is
-
implemented as macro without DET error
  MCU_E_PARAM_POINTER.

4.6.
RAM Initialization

RAM initialization done by an API call to Mcu_InitRamSection must not
overwrite other memory sections of static variables. A dedicated memory
section shall be defined in linker directive file.

4.7.
Callout API

The MCU_RESET_CALLOUT() API is the call out API from the Mcu
module which will be called by Mcu_PerformReset() API for the software
reset when configuration parameter McuSwResetCall Api is true. This
callout API needs to be filled by user to do the software reset. If the
configuration parameter McuSwResetCall Api is false, the callout shall not
be available and the software reset shall be handled by the MCU itself
using HW feature of the SW reset.
22

Architecture Details
Chapter 5

Chapter 5
Architecture Details

                 The MCU Driver architecture is shown in the following figure. The MCU user
                 shall directly use the APIs to configure and execute the MCU conversions:



Application Software (MCU user)



  MCU Driver

On-Chip Registers

On-Chip Hardware

Figure 5-1
MCU Driver Architecture

The MCU driver accesses the microcontroller hardware directly and is located
in the MCAL. MCU component provides the functionalities related to PLL
Initialization, Clock Initialization and Distribution, RAM sections Initialization,
PreScaler Initialization, MCU reduced Power Modes Activation and MCU
Reset Activation and Reason.

The component consists of the following sub modules based on the
functionality:

•  Initialization

•  Self-Diagnostic test for ECM, CVM, Clock Monitor and Lock Step.

•  Clock Initialization

•  RAM sections Initialization and Status Verification

•  MCU Reset Activation and Reason

•  Version Information

Initialization

This sub module provides the structures and APIs for both global and
controller specific initialization. MCU specific initialization is necessary in
order to ensure different startup behaviors of the microcontroller. This sub
23

Chapter 5                                                                                                                Architecture Details

module also checks if the data base is flashed.

Self-Diagnostic test for ECM, CVM, Clock Monitor and Lock Step

This functionality is provided as part MCU module initialization.
Self-diagnostic test for ECM error source is helpful to check the ECM error
output signal by creating the real ECM error signal.
Self-diagnostic test for CVM and CLMA is possible in real scenario.

Clock Initialization

The clock initialization sub module provides the functionality for generating all
the required clock signals for microcontroller operation from any one of the
available sources. It enables the provision for individual clock source
selection for CPU and groups of peripherals.

This sub module also provides the functionality for obtaining various
frequencies required for individual peripheral devices.

For available clock sources, please refer to the respective device specific
component user manual.

RAM sections Initialization and Status Verification

This sub module provides the functionality for initializing the RAM with the any
given value, at the selected blocks of the RAM and to verify the status of RAM.

MCU Reset Activation and Reason

The microcontroller reset activation will be performed by forcing a software
reset. This functionality will be done by using software reset register. ECM
error sources can also be configured for internal reset so that if any error
occurs device will activate reset.

To provide the reset reason, this sub module captures the information
available with RESF – Reset factor register. This register contains
information.

Version Information

This module provides APIs for reading Module Id, Vendor Id and vendor
specific version numbers.
24

  Registers Details                                                                                                                   Chapter 6

Chapter 6
Registers Details

This section describes the register details of MCU Driver Component.

Table 6-1
Register Details

Regist
er
API Name
Registers Used  Access  Config Parameter
Macro/Variable
8/16/
32 bits
(LpEcmSetting-
>ulEcmInternalResetReg
MCU_IRCFG0_INIT_VAL
ECMIRCFG0
32
0value &
UE
(~MCU_RAM_MASK0_V
ALUE))
LVICNT
32
LulLVICntValue
MCU_LVI_MASK
PROT1PHCM
32
-
MCU_WRITE_DATA
D
PROT1PS
32
-
-
ECMMICFG0
8
LucDataByte
-
HH
ECMNMICFG
8
LucDataByte
-
0HH
ECMIRCFG0
8
LucDataByte
-
HH
ECMMECLR
8
-
MCU_ONE
ECMMPCMD
32
-
MCU_WRITE_DATA
0
Mcu_Init
ECMCECLR
8
-
MCU_ONE
ECMCPCMD0
32
-
MCU_WRITE_DATA
ECMESSTC0
32
LulEcmStatusData
-
CVMDEW
8
LucCVMCntValue
-
PROTCMDCV
32
-
MCU_WRITE_DATA
M
PROTSCVM
32
-
-
MCU_ECM_ERROUT_TI
ECMEPCTL
8
-
MER
ECMPCMD1
32
-
MCU_WRITE_DATA
ECMPS
8
-
-
MCU_EIBD08_CPU1_VAL
EIBD8
32
-
UE
25

Chapter 6 Register Details

Regist
er
API Name
Registers Used Access Config Parameter
Macro/Variable
8/16/
32 bits
MCU_ENABLE_TABLE_I
EIC8L
8
-
NTERRUPT
MCU_ECMEMK0_FULL_
ECMEMK0
32
-
MASK
MCU_ECMEMK1_FULL_
ECMEMK1
32
-
MASK
MCU_ECM_ERROUT_MO
ECMEPCFG
8
-
DE
((LpEcmSetting-
>ulEcmMaskInterReg0va
lue &
ECMMICFG0
32
(~MCU_RAM_MASK0_V
-
ALUE)) |
MCU_IRCFG0_INIT_VA
LUE)
(LpEcmSetting-
>ulEcmMaskInterReg1va
ECMMICFG1
32
lue &
-
(~MCU_RAM_MASK1_V
ALUE))
(LpEcmSetting-
>ulEcmNonMaskInterRe
ECMNMICFG
32
g0value &
-
0
(~MCU_RAM_MASK0_V
ALUE))
(LpEcmSetting-
>ulEcmNonMaskInterRe
ECMNMICFG
32
g1value &
-
1
(~MCU_RAM_MASK1_V
ALUE))
(LpEcmSetting-
>ulEcmInternalResetReg
ECMIRCFG1
32
1value &
-
(~MCU_RAM_MASK1_V
ALUE))
MCU_ECM_DELY_TIMER
ECMDTMCTL
8
-
_STOP
ECMDTMCM
MCU_ECM_DLYTIMER_V
16
-
P
ALUE
LpEcmSetting-
>ulEcmDelayTimerReg0
Value, LpEcmSetting-
>ulEcmDelayTimerReg1
ECMDTMCFG
32
Value, LpEcmSetting-
-
0
>ulEcmDelayTimerReg2
Value, LpEcmSetting-
>ulEcmDelayTimerReg3
Value
ECMMESSTR
MCU_RAM_MASK0_VAL
32
-
Mcu_InitRamS
0
UE
ection
MCU_RAM_MASK0_VAL
ECMESSTC0
32
-
UE
26

  Registers Details                                                                                                                   Chapter 6

Regist
er
API Name
Registers Used  Access  Config Parameter
Macro/Variable
8/16/
32 bits
ECMMESSTR
MCU_RAM_MASK1_VAL
32
-
1
UE
MCU_RAM_MASK1_VAL
ECMESSTC1
32
-
UE
ECMPCMD1
32
-
MCU_WRITE_DATA
ECMPS
8
-
-
LpEcmSetting-
ECMMICFG0
32
>ulEcmMaskInterReg0va
-
lue
LpEcmSetting-
ECMMICFG1
32
>ulEcmMaskInterReg1va
-
lue
LpEcmSetting-
ECMNMICFG
32
>ulEcmNonMaskInterRe
-
0
g0value
LpEcmSetting-
ECMNMICFG
32
>ulEcmNonMaskInterRe
-
1
g1value
LpEcmSetting-
ECMIRCFG0
32
>ulEcmInternalResetReg
-
0value
LpEcmSetting-
ECMIRCFG1
32
>ulEcmInternalResetReg
-
1value
LpEcmSetting-
ECMEMK0
32
>ulEcmErrorMaskReg0V
-
alue
LpEcmSetting-
ECMEMK1
32
>ulEcmErrorMaskReg1V
--
alue
PROT1PHCM
32
-
MCU_WRITE_DATA
D
PROT1PS
32
-
-
Mcu_GpConfigPtr-
CLMA0CMPH
16
-
>usCLMA0CMPH
Mcu_GpConfigPtr-
CLMA0CMPL
16
-
>usCLMA0CMPL
Mcu_InitClock
CLMA0PCMD
8
-
MCU_WRITE_DATA
CLMA0PS
8
-
-
CLMA0CTL0
8
-
MCU_ONE
Mcu_GpConfigPtr-
CLMA1CMPH
16
-
>usCLMA1CMPH
Mcu_GpConfigPtr-
CLMA1CMPL
16
-
>usCLMA1CMPL
27

Chapter 6                                                                                                                       Register Details

Regist
er
API Name
Registers Used  Access  Config Parameter
Macro/Variable
8/16/
32 bits
CLMA1PCMD
8
-
MCU_WRITE_DATA
CLMA1PS
8
-
-
CLMA1CTL0
8
-
MCU_ONE
Mcu_GpConfigPtr-
CLMA2CMPH
16
-
>usCLMA2CMPH
Mcu_GpConfigPtr-
CLMA2CMPL
16
-
>usCLMA2CMPL
CLMA2PCMD
8
-
MCU_WRITE_DATA
CLMA2PS
8
-
-
CLMA2CTL0
8
-
MCU_ONE
Mcu_GpConfigPtr-
CLMA3CMPH
16
-
>usCLMA3CMPH
Mcu_GpConfigPtr-
CLMA3CMPL
16
-
>usCLMA3CMPL
CLMA3PCMD
8
-
MCU_WRITE_DATA
CLMA3PS
8
-
-
CLMA3CTL0
8
-
MCU_ONE
Mcu_Distribute
-
-
-
-
PllClock
Mcu_GetPllSta
-
-
-
-
tus
Mcu_GetReset
-
-
-
-
Reason
Mcu_GetReset
-
-
-
-
RawValue
MCU_RES_CORRECT_V
SWRESA
32
-
AL
Mcu_PerformR
PROT1PHCM
32
-
MCU_WRITE_DATA
eset
D
PROT1PS
32
-
-
Mcu_SetMode
-
-
-
-
Mcu_GetRamS
-
-
-
-
tate
Mcu_CvmSelf
MCU_TWELVE,
CVMDIAG
8
-
DiagnosticTest
MCU_ZERO
28

  Registers Details                                                                                                                   Chapter 6

Regist
er
API Name
Registers Used  Access  Config Parameter
Macro/Variable
8/16/
32 bits
MCU_CVM_FACTOR_CL
CVMFC
8
-
EAR
MCU_CVM_FACTOR_CL
CVMF
8
-
EAR
CVMDMASK
8
-
MCU_ONE, MCU_ZERO
PROTCMDCV
32
-
MCU_WRITE_DATA
M
PROTSCVM
32
-
-
CLMATESTS
32
-
-
CLMATEST
32
LulClmaXTestValue
-
Mcu_ClmaSelf
DiagnosticTest
PROT1PHCM
32
-
MCU_WRITE_DATA
D
PROT1PS
32
-
-
LpEcmSetting-
ECMEMK0
32
>ulEcmErrorMaskReg0V
-
alue
ECMMESSTR
32
LulEcmPseudoData
-
0
ECMCESSTR
32
LulEcmPseudoData
-
0
LpEcmSetting-
ECMEMK1
32
>ulEcmErrorMaskReg1V
-
alue
ECMMESSTR
MCU_ERROROUT_STAT
32
LulEcmPseudoData
1
US
ECMCESSTR
MCU_ERROROUT_STAT
32
LulEcmPseudoData
1
US
Mcu_EcmSelf
DiagnosticTest
ECMESSTC1
32
LulEcmPseudoData
-
MCU_ECM029_MASK_VA
ECMEMK0HH
8
-
LUE
ECMMICFG0
(~MCU_ECM029_MASK_
8
-
HH
VALUE)
ECMNMICFG
(~MCU_ECM029_MASK_
8
-
0HH
VALUE)
ECMIRCFG0
(~MCU_ECM029_MASK_
8
-
HH
VALUE)
ECMMECLR
8
-
MCU_ONE
ECMMPCMD
32
-
MCU_WRITE_DATA
0
29

Chapter 6 Register Details

Regist
er
API Name
Registers Used Access Config Parameter
Macro/Variable
8/16/
32 bits
ECMCECLR
8
-
MCU_ONE
ECMCPCMD0
32
-
MCU_WRITE_DATA
(MCU_ECM029_MASK_V
ECMESSTC0
32
LulEcmPseudoData
ALUE <<
MCU_TWENTYFOUR)
ECMPCMD1
32
-
MCU_WRITE_DATA
ECMPE0
32
LulEcmPseudoData
-
ECMPE1
32
LulEcmPseudoData
-
ECMPS
8
-
-
TESTCOMPR
(~MCU_LOCKSTEP_DUM
32
-
EG1
MY_VALUE)
TESTCOMPR
MCU_LOCKSTEP_DUMM
32
-
EG0
Y_VALUE
ECMMESSTR
Mcu_LockStep
32
-
MCU_TWO
0
SelfDiagnostic
Test
ECMESSTC0
32
-
MCU_TWO
ECMPCMD1
32
-
MCU_WRITE_DATA
ECMPS
8
-
-
POF
32
-
MCU_POF_RST
POFC
32
-
MCU_POF_CLEAR
Mcu_GpEcmSetting-
ECMMESSTR
32
>ulEcmInternalResetReg
-
0
0value
Mcu_GpEcmSetting-
ECMMESSTR
32
>ulEcmInternalResetReg
-
1
1value
Mcu_SaveRes
etReason
ECMESSTC0
32
LulEcmStatusData0
-
ECMESSTC1
32
LulEcmStatusData1
-
ECMPCMD1
32
-
MCU_WRITE_DATA
ECMPS
8
-
-
RESF
32
-
MCU_ZERO
30

  Registers Details                                                                                                                   Chapter 6

Regist
er
API Name
Registers Used  Access  Config Parameter
Macro/Variable
8/16/
32 bits
RESFC
32
-
MCU_RESF_CLEAR

31

Chapter 6 Register Details

32

Interaction Between The User And MCU Driver Component
Chapter 7

Chapter 7  Interaction between the User and MCU
Driver Component

The details of the services supported by the MCU Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

7.1.  Services Provided By MCU Driver Component To
User

The MCU Driver Component provides the following functions to upper layers,
if supported by hardware:

•
To Perform the Self diagnostic test for the ECM, CVM, Clock Monitor and
Lock step.

•  To initialize the RAM and to verify the status, section wise.

•  To initialize the MCU specific clock options.

•  To activate the specific clock to the MCU clock distribution.

•  To read the reset type from the hardware.

•  To perform the micro controller reset.

•  To read the MCU Driver component version information.

33

Chapter 7 Interaction Between The User And MCU Driver Component

34

  MCU Driver Component Header And Source File Description
Chapter 8

Chapter 8  MCU Driver Component Header And
Source File Description

This section explains the MCU Driver Component‟s C Source and C Header
files. These files have to be included in the project application while
integrating with other modules.

The C header file generated by MCU Driver Generation Tool:

•  Mcu_Cfg.h
•  Mcu_Reg.h
•  Mcu_Cbk.h

The C source file generated by MCU Driver Generation Tool:

•  Mcu_PBcfg.c

The MCU Driver Component C header files:

•  Mcu.h
•  Mcu_Debug.h
•  Mcu_Irq
•  Mcu_PBTypes.h
•  Mcu_Ram.h
•  Mcu_Types.h
•  Mcu_Version.h

The MCU Driver Component source files:

•  Mcu.c
•  Mcu_Irq.c
•  Mcu_Ram.c
•  Mcu_Version.c

The mcu specific C header files:

•  Compiler.h
•  Compiler_Cfg.h
•  MemMap.h
•  Platform_Types.h
•  rh850_Types.h

The description of the MCU Driver Component files is provided in the table
below:

Table 8-1
Description of the MCU Driver Component Files

File
Details
Mcu_Cfg.h
This file is generated by the MCU Driver Module Code
Generation Tool for MCU Driver Module pre-compile time
parameters. The macros and the parameters generated will
vary with respect to the configuration in the input ARXML file.
Mcu_Reg.h
This file contains the definitions for addresses of the hardware
registers used in the MCU Driver Module.
Mcu_Cbk.h
This file contains the extern declaration of call back functions
used in the MCU Driver Module.
35

  Chapter 8


   MCU Driver Component Header And Source File Description

File
Details
Mcu_PBcfg.c
This file contains post-build configuration data. The structures
related to MCU Initialization, clock and power mode setting are
provided in this file. Data structures will vary with respect to
parameters configured.
Mcu.h
This file provides extern declarations for all the MCU Driver
Module APIs. This file provides service Ids of APIs, DET Error
codes and type definitions for MCU Driver initialization
structure. This header file shall be included in other modules to
use the features of MCU Driver Module.
Mcu_Irq.h
This file contains the ISR functions prototypes of the MCU
Driver Module.
Mcu_Types.h
This file provides data structure and type definitions for
initialization of MCU Driver.
Mcu_PBTypes.h
This file contains the macros used for the post build time
parameters.
Mcu_Ram.h
This file contains the extern declarations for the global variables
that are defined in Mcu_Ram.c file and the version information
of the file.
Mcu_Version.h
This file contains the macros of AUTOSAR version numbers of
all modules that are interfaced to MCU.
Mcu_Debug.h
This file provides Provision of global variables for debugging
purpose.
Mcu.c
This file contains the implementation of all MCU Driver Module
APIs.
Mcu_Irq.c
This file contains the ISR functions of the MCU Driver Module.
Mcu_Ram.c
This file contains the global variables used by MCU Driver
Module.
Mcu_Version.c
This file contains the code for checking version of all modules
that are interfaced to MCU.
Compiler.h
Provides compiler specific (non-ANSI) keywords. All mappings
of keywords, which are not standardized, and/or compiler
specific are placed and organized in this compiler specific
header.
Compiler_Cfg.h
This file contains the memory and pointer classes.
MemMap.h
This file allows mapping of variables, constants and code of
modules to individual memory sections. Memory mapping can
be modified as per ECU specific needs.
Platform_Types.h
This file provides provision for defining platform and compiler
dependent types.
rh850_Types.h
This file provides macros to perform supervisor mode (SV) write

enabled Register ICxxx and IMR register writing using
OR/AND/Direct operation
36

Generation Tool Guide
Chapter 9

Chapter 9
Generation Tool Guide

For more information on the MCU Driver Component Generation Tool, please
refer “AUTOSAR_MCU_Tool_UserManual.pdf”.

37

Chapter 9 G eneration Tool Guide

38

Application Programming Interface

    Chapter 10

Chapter 10  Application Programming Interface

This section explains the Data types and APIs provided by the MCU Driver
Component to the Upper layers.

10.1.  Imported Types

This section explains the Data types imported by the MCU Driver Component
and lists its dependency on other modules.

10.1.1.  Standard Types

In this section all types included from the Std_Types.h are listed:

•  Std_ReturnType

•  Std_VersionInfoType

10.1.2.  Other Module Types

In this chapter all types included from the Dem.h are listed:

•  Dem_EventIdType

•  Dem_EventStatusType

10.2.  Type Definitions

This section explains the type definitions of MCU Driver Component
according to AUTOSAR Specification.

For more type definitions refer the SWS of MCU driver as mentioned in
chapter 2.
10.2.1  Mcu_ClockType
Name:
Mcu_ClockType
Type:
uint8
Range:
1 to 2
Description:
Type definition for Mcu_ClockType used by the API Mcu_InitClock.

10.2.2  Mcu_RawResetType
Name:
Mcu_RawResetType
Type:
uint32
Range:
0 to 4294967295
Description:
Type definition for Mcu_RawResetType used by the API Mcu_GetResetRawValue.
    Note:   Mcu_GetResetRawValue API is returning the RESF register status.

10.2.3  Mcu_RamSectionType
Name:
Mcu_RamSectionType
Type:
uint8
Range:
0 to 255
Description:
Type definition for Mcu_RamSectionType used by the API Mcu_InitRamSection.

39

Chapter 10                                                                                   Application Programming Interfac e

10.2.4  Mcu_PllStatusTypes
Name:
Mcu_PllStatusType
Type:
Enumeration

MCU_PLL_LOCKED
PLL is locked

MCU_PLL_UNLOCKED
PLL is unlocked.
Range:
MCU_PLL_STATUS_UNDEFINED
PLL status is unknown
Description:
Status value returned by the API Mcu_GetPllStatus.
  Note:   As per CPU manual Mcu_GetPllStatus API is not supporting the PLL clock implementation.
          Hence Mcu_GetPllStatus is returning always MCU_PLL_LOCKED Status.

10.2.5  Mcu_RamStateType
Following are the type definitions which are specific to R4.0 used by the MCU
Driver module:
Name:
Mcu_RamStateType
Type:
Enumeration

MCU_RAMSTATE_INVALID  RAM State is valid.
Range:
MCU_RAMSTATE_VALID
RAM State is invalid.
Description:
Status value returned by the API Mcu_GetRamState

10.2.6  Mcu_ResetType
Name:
Mcu_ResetType
Type:
  Enumeration
Range:
  MCU_POWER_ON_CLEAR_RST

  MCU_PIN_RST

  MCU_SW_RST
  MCU_WDT_RST
  MCU_LOCK_STEP_CORE_RST
  MCU_CLMA0_UPPER_LIMIT_RST
  MCU_CLMA0_LOWER_LIMIT_RST
  MCU_CLMA2_UPPER_LIMIT_RST
  MCU_CLMA2_LOWER_LIMIT_RST
  MCU_CLMA1_UPPER_LIMIT_RST
  MCU_CLMA1_LOWER_LIMIT_RST
  MCU_CLMA3_UPPER_LIMIT_RST
  MCU_CLMA3_LOWER_LIMIT_RST
  MCU_LRAM_ECC2_ADDPTY_RST
  MCU_GRAM_ECC2_ADDPTY_RST
  MCU_CASHE_RAM_ECC2_RST
  MCU_CFLH_ECC2_ADDPTY_RST
  MCU_DATA_FLSH_ECC2_RST
  MCU_DTS_RAM_ECC2_RST
  MCU_CSIH_RAM_ECC2_RST
  MCU_CAN_RAM_ECC2_RST
  MCU_FLXR_RAM_ECC2_RST
  MCU_MODE0_RST
40

  Application Programming Interface

    Chapter 10

  MCU_MODE1_RST
  MCU_MODE2_RST
  MCU_PEGUARD_RST
  MCU_GRAM_GUARD_RST
  MCU_PBUSGUARD_RST
  MCU_SAR_ADC_PTY_RST
  MCU_DATA_PRTY_RST
  MCU_ECM_COMP_RST
  MCU_LVI_RST
  MCU_TEMP_SENSE_RST
  MCU_DMA_TRANSF_RST
  MCU_DMA_REG_PROTECT_RST
  MCU_LRAM_ECC1_PTY_RST
  MCU_GRAM_ECC1_RST
  MCU_CFLH_ECC1_RST
  MCU_DATA_FLSH_ECC1_RST
  MCU_DTS_RAM_ECC1_RST
  MCU_ALL_PERI_RAM_ECC1_RST
  MCU_BIST_ECC1_RST
  MCU_BIST_ECC2_RST
  MCU_FACI_TRANSF_RST
  MCU_ECM_DELY_OVRFLW_RST
  MCU_RESET_UNDEFINED
  MCU_RESET_UNKNOWN
Description:
Type of reset supported by the hardware
Note:
1.  All RAM related ECM error sources are enabled for maskable interrupts only after Ram
initialization.
2.  User should configure only one ECM event for each ECM error source at a time priority
level for the ECM event should be as follow:

  Internal Reset
  Maskable Interrupt
  Non Maskable Interrupt

10.2.7  Mcu_ClmaIndexType
Name:
Mcu_ClmaIndexType
Type:
Enumeration

MCU_CLMA0
CLMA0
Range:
MCU_CLMA1
CLMA1

MCU_CLMA2
CLMA2

MCU_CLMA3
CLMA3
Description:
Variable of this type is used to pass in Mcu_ClmaSelfDiagnosticTest API

41

Chapter 10                                                                                   Application Programming Interfac e

10.2.8
Mcu_ModeType
Name:
Mcu_ModeType
Type:
uint8
Range:
0 to 2
Description:
Type definition for Mcu_ModeType used by the API Mcu_SetMode.
Note: As per CPU Manual Mcu_SetMode API is not supporting for any standby mode.
      Hence the Mcu_ModeType parameter is unused for P1x MCU module implementation.

10.3.  Function Definitions

Table 10-1  API Provided by MCU Driver Component

Sl. No
API’s name
1.
Mcu_Init
2.
Mcu_InitRamSection
3.
Mcu_InitClock
4.
Mcu_DistributePllClock
5.
Mcu_GetPllStatus
6.
Mcu_GetResetReason
7.
Mcu_GetResetRawValue
8.
Mcu_PerformReset
9.
Mcu_SetMode
10.
Mcu_GetRamState
11.
Mcu_LockStepSelfDiagnosticTest
12.
Mcu_CvmSelfDiagnosticTest

13.
Mcu_ClmaSelfDiagnosticTest

14.
Mcu_EcmSelfDiagnosticTest
15.
Mcu_SaveResetReason
42

Development And Production Errors                                                                              Chapter 11
Chapter 11  Development And Production Errors

In this section the development errors that are reported by the MCU Driver
Component are tabulated. The development errors will be reported only when
the pre-compiler option McuDevErrorDetect is enabled in the configuration.
The production code errors are not supported by MCU Driver Component.

11.1.  MCU Driver Component Development Errors

The following table contains the DET errors that are reported by MCU Driver
Component. These errors are reported to Development Error Tracer Module
when the MCU Driver Component APIs are invoked with wrong input
parameters or without initialization of the driver.

Table 11-1
DET Errors of MCU Driver Component

Sl. No.
1
Error Code
MCU_E_PARAM_CONFIG
Related API(s)
Mcu_Init
Source of Error
When the API service is called without module initialization.
Sl. No.
2
Error Code
MCU_E_PARAM_CLOCK
Related API(s)
Mcu_InitClock
Source of Error
When Clock Setting is not within the settings defined in the configuration data
structure.
Sl. No.
3
Error Code
MCU_E_PARAM_RAMSECTION
Related API(s)
Mcu_InitRamSection
Source of Error
When RamSection is not within the sections defined in the configuration data structure.
Sl. No.
4
Error Code
MCU_E_PLL_NOT_LOCKED
Related API(s)
Mcu_DistributePllClock
Source of Error
When PLL is not locked.
Sl. No.
5
Error Code
MCU_E_UNINIT
Related API(s)
Mcu_InitRamSection, Mcu_InitClock, Mcu_DistributePllClock, Mcu_GetPllStatus,
Mcu_GetResetReason, Mcu_GetResetRawValue, Mcu_PerformReset,
Mcu_SetMode, Mcu_GetRamState
Source of Error
When the APIs are invoked without the initialization of the MCU Driver Component.
Sl. No.
6
Error Code
MCU_E_INVALID_DATABASE
Related API(s)
Mcu_Init
Source of Error
When the API is invoked with no database.
Sl. No.
7
Error Code
MCU_E_PARAM_MODE
Related API(s)
Mcu_SetMode
Source of Error
When the API is invoked with invalid MCU mode.

43

Chapter 11

                        Development And Production Errors

11.2.  MCU Driver Component Production Errors

In this section the DEM errors identified in the MCU Driver component are
listed. MCU Driver component reports these errors to DEM by invoking
Dem_ReportErrorStatus API. This API is invoked, when the processing of the
given API request fails.

Table 11-2
DEM Errors of MCU Driver Component

Sl. No.
1
Error Code
MCU_E_CLOCK_FAILURE
Related API(s)
Mcu_InitClock
Source of Error
When there is failure of the monitored clock frequency.
Sl. No.
2
Error Code
MCU_E_WRITE_TIMEOUT_FAILURE
Related API(s)
Mcu_PerformReset, Mcu_ProtectedWrite
Source of Error
When writing to a write-protected register fails
Sl. No.
3
Error Code
MCU_E_CVM_SELFDIAG_FAILURE
Related API(s)
Mcu_CvmSelfDiagnosticTest
Source of Error
When there is failure CVM self-diagnostic test.
Sl. No.
4

Error Code
MCU_E_CLM_SELFDIAG_FAILURE

Related API(s)
Mcu_ClmaSelfDiagnosticTest
Source of Error
When there is failure CLMA self-diagnostic test.
Sl. No.
5

Error Code
MCU_E_ECM_SELFDIAG_FAILURE

Related API(s)
Mcu_EcmSelfDiagnosticTest
Source of Error
When there is failure ECM self-diagnostic test.

44

  Memory Organization

               Chapter 12

Chapter 12  Memory Organization

Following picture depicts a typical memory organization, which must be met
for proper functioning of MCU Driver Component software.

ROM Section
MCU Driver Component
RAM  ect

Library  Object
es

MCU Driver code related to APIs is placed in
Global RAM of unspecific size required for

this memory.
MCU driver functioning.

X1
Y1

Segment Name:
Segment Name:

MCU PUBLIC_CODE_ROM
NOINIT_RAM_UNSPECIFIED

MCU Driver code related to internal
Global 8-bit RAM initialized by MCU Driver.

functions are placed in this memory

X2

Segment Name:
Segment Name:
Y2
NOINIT_RAM_8BIT

MCU_PRIVATE_CODE_ROM

MCU Driver code related to ISR functions are
Global 8-bit RAM to be initialized by start-

are placed in this memory
up code

X3
Y3

Segment Name:
Segment Name:

MCU_START_SEC_CODE_FAST
RAM_8BIT

Tool Generated Files

The const section (for MCU configuration
Global RAM of unspecific size required for

structure of type “Mcu_ConfigType”) in the file
MCU Driver functioning. The Generation tool

Mcu_PBcfg.c is placed in this memory.

X4
allocates this RAM.

Y4
Segment Name:


MCU_CFG_DBTOC_UNSPECIFIED
Segment Name:
44

MCU_CFG_RAM_UNSPECIFIED

The const section (other than

MCU Configuration structure) in the file

Mcu_PBcfg.c is placed in this memory.

X5

Segmentname:

MCU_CFG_DATA_UNSPECIFIED

The const section in the file Mcu_Pbcfg.c is

placed in this memory.

X6


Segment Name:

CONST_ROM_UNSPECIFIED



Figure 12-1  MCU Driver Component Memory Organization
                                                                                                                                                                                      45

Chapter 12

                                                  Memory organization

  ROM Section (X1, X2, X3, X4, X5 and X6):

MCU_PUBLIC_CODE_ROM (X1): API(s) of MCU Driver Component, which
can be located in code memory.

MCU_PRIVATE_CODE_ROM (X2): Internal functions of MCU Driver
Component code that can be located in code memory.

MCU_START_SEC_CODE_FAST (X3): Interrupt functions of MCU Driver
Component code that can be located in code memory.

MCU_CFG_DBTOC_UNSPECIFIED (X4): This section consists of MCU
Driver Component database table of contents generated by the MCU Driver
Component Generation Tool. This can be located in code memory.

MCU_CFG_DATA_UNSPECIFIED (X5): This section consists of MCU
Driver Component constant configuration structures. This can be located in
code memory.

CONST_ROM_UNSPECIFIED (X6): This section consists of MCU Driver
Component constant structures used for function pointers in MCU Driver
Component. This can be located in code memory.

RAM Section (Y1, Y2, Y3 and Y4):

NOINIT_RAM_UNSPECIFIED (Y1): This section consists of the global RAM
variables that are used internally by MCU Driver Component. This can be
located in data memory.

NOINIT_RAM_8BIT (Y2): This section consists of the global RAM variables of
8-bit size that are used internally by MCU Driver Component. This can be
located in data memory.

RAM_1BIT (Y3): This section consists of the global RAM variables of 1-bit
size that are initialized by start-up code and used internally by MCU Driver
Component. This can be located in data memory.

MCU_CFG_RAM_UNSPECIFIED (Y4): This section consists of the global
RAM variables that are generated by MCU Driver Component Generation
Tool. This can be located in data memory.

Remark

•
X1, X2, Y1, Y2 and Y3 pertain to only MCU Driver Component and do not
include memory occupied by Mcu_PBcfg.c file generated by MCU Driver Component
Generation Tool.

User must ensure that none of the memory areas overlap with each other. Even
„debug‟ information should not overlap.

46

  P1M Specific Information
                                              Chapter 13

Chapter 13  P1M Specific Information

P1M supports following devices:
  R7F701304
  R7F701305
  R7F701310
  R7F701311
  R7F701312
  R7F701313
  R7F701314
  R7F701315
  R7F701318
  R7F701319
  R7F701320
  R7F701321
  R7F701322
  R7F701323

13.1.  Interaction between the User and MCU Driver Component

The details of the services supported by the MCU Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

13.1.1.
Translation Header File

The P1x_translation.h translation header file supports following devices:

  R7F701304
  R7F701305
  R7F701310
  R7F701311
  R7F701312
  R7F701313
  R7F701314
  R7F701315
  R7F701318
  R7F701319
  R7F701320
  R7F701321
  R7F701322
  R7F701323

13.1.2.
ISR Function

The table below provides the list of handler addresses corresponding to the
hardware unit ISR(s) in MCU Driver Component. The user should configure
the ISR functions mentioned below:

47

Chapter 13                                                                                                     P1M Specific Information

Table 13-1  ISR For MCU

Interrupt Source
Name of the ISR Function

MCU_FEINT_ISR
INTECM
MCU_ECM_EIC_ISR
13.1.3.
Parameter Definition File

             Parameter definition files support information for P1M
Table 13-2  PDF information for P1M

PDF Files
Devices supported
R403_MCU_P1M_04_05.arxml
701304, 701305
R403_MCU_P1M_10_to_15_18_to_23.arx 701310, 701311, 701312, 701313,
ml
701314, 701315, 7013018, 701319,
701320, 701321, 701322, 7013023

13.2.  Sample Application

13.2.1  Sample Application Structure

The  Sample  Application  is  provided  as  reference  to  the  user  to  understand
the method in which the MCU APIs can be invoked from the application.

G eneri c

A U T O S A R
R H 8 5 0
T Y P E S
C O M P I L E R
T Y P E S

D evices

P 1 x

S T U B
S T U B
S T U B
S T U B
M CU
S ample
D e t
D e m
S chM
O s
                                                                   Application


            Figure 13-1  Overview of MCU Driver Sample Application

48

P1M Specific Information

 Chapter 13

The Sample Application of the P1M is available in the path:

X1X\P1x\modules\mcu\sample_application

The Sample Application consists of the following folder structure:

X1X\P1x\modules\mcu\definition\<AUTOSAR_version>\<SubVariant>
 \R403_MCU_P1M_04_05.arxml
 \R403_MCU_P1M_10_to_15_18_to_23.arxml
X1X\P1x\modules\mcu\sample_application
\<SubVariant>\<AUTOSAR_version>
\src\Mcu_PBcfg.c
\include\Mcu_Cfg.h
\include\Mcu_Cbk.h
\include\Mcu_Reg.h

\config\App_MCU_P1M_701304_Sample.arxml
\config\App_MCU_P1M_701304_Sample.html
\config\App_MCU_P1M_701304_Sample.one

\config\App_MCU_P1M_701305_Sample.arxml
\config\App_MCU_P1M_701305_Sample.html
\config\App_MCU_P1M_701305_Sample.one

\config\App_MCU_P1M_701310_Sample.arxml
\config\App_MCU_P1M_701310_Sample.html
\config\App_MCU_P1M_701310_Sample.one

\config\App_MCU_P1M_701311_Sample.arxml
\config\App_MCU_P1M_701311_Sample.html
\config\App_MCU_P1M_701311_Sample.one

\config\App_MCU_P1M_701312_Sample.arxml
\config\App_MCU_P1M_701312_Sample.html
\config\App_MCU_P1M_701312_Sample.one

\config\App_MCU_P1M_701313_Sample.arxml
\config\App_MCU_P1M_701313_Sample.html
\config\App_MCU_P1M_701313_Sample.one

\config\App_MCU_P1M_701314_Sample.arxml
\config\App_MCU_P1M_701314_Sample.html
\config\App_MCU_P1M_701314_Sample.one

\config\App_MCU_P1M_701315_Sample.arxml
\config\App_MCU_P1M_701315_Sample.html
\config\App_MCU_P1M_701315_Sample.one

\config\App_MCU_P1M_701318_Sample.arxml
\config\App_MCU_P1M_701318_Sample.html
\config\App_MCU_P1M_701318_Sample.one

\config\App_MCU_P1M_701319_Sample.arxml
\config\App_MCU_P1M_701319_Sample.html
\config\App_MCU_P1M_701319_Sample.one

\config\App_MCU_P1M_701320_Sample.arxml
\config\App_MCU_P1M_701320_Sample.html
\config\App_MCU_P1M_701320_Sample.one
49

Chapter 13                                                                                                    P1M Specific Information

\config\App_MCU_P1M_701321_Sample.arxml
\config\App_MCU_P1M_701321_Sample.html
\config\App_MCU_P1M_701321_Sample.one

\config\App_MCU_P1M_701322_Sample.arxml
\config\App_MCU_P1M_701322_Sample.html
\config\App_MCU_P1M_701322_Sample.one

\config\App_MCU_P1M_701323_Sample.arxml
\config\App_MCU_P1M_701323_Sample.html
\config\App_MCU_P1M_701323_Sample.one

In the Sample Application all the MCU APIs are invoked in the following
sequence:

•  The API Mcu_Init is invoked with a valid database address for the proper
initialization of the MCU Driver, all the MCU Driver control registers and
RAM variables will get initialized after this API is called.

•  The API Mcu_InitRamSection is invoked to initialize the RAM section wise
as provided from the configuration structure.

•  The API Mcu_InitClock is invoked to initialize the clock sources Main Osc,
High Speed Internal ring Oscillator.

•  The API Mcu_GetPllStatus is invoked to provide the lock status of the
PLL. This API will return the PLLstatus as MCU_PLL_LOCKED or
MCU_PLL_UNLOCKED.

•  The API Mcu_GetResetReason is invoked to read the reset type from
the hardware by checking the RESF register and if not supported,
returns MCU_POWER_ON_RESET. This API shall clear the reset
factor register.

•  The API Mcu_GetResetRawValue is invoked to return reset type value
from the hardware register RESF

•  The API Mcu_GetVersionInfo is invoked to get the version of the MCU
Driver module with a variable of Std_VersionInfoType, after the call of
this API the passed parameter will get updated with the MCU Driver
version details.

•  The API Mcu_PerformReset invoked to microcontroller reset is
performed by accessing the software reset register.

•  The API Mcu_SetMode is invoked to activate the MCU power modes.

Remark  To unmask all resets „target pinmask k‟ command is used.

13.2.2  Building Sample Application

13.2.2.1.
Configuration Example
This section contains the typical configuration which is used for measuring
RAM/ROM consumption, stack depth and throughput details.

50

P1M Specific Information

 Chapter 13

Configuration Details: App_MCU_P1M_701312_Sample.html

13.2.2.2.
Debugging the Sample Application

Remark GNU Make utility version 3.81 or above must be installed and available in the
path as defined by the environment user variable “GNUMAKE” to complete
the build process using the delivered sample files.

Open a Command window and change the current working directory to “make”
directory present as mentioned in below path:

“X1X\P1x\common_family\make\<compiler>”

Now execute the batch file SampleApp.bat with following parameters:

SampleApp.bat mcu <AUTOSAR_version> <Device_name>

•
After this, the tool output files will be generated with the configuration
as mentioned in App_MCU_P1M_701312_Sample.html file available
in the path:

“X1X\P1x\modules\mcu\sample_application\<SubVariant>\<AUTOSAR_ve
rsion>\config\App_MCU_P1M_701312_Sample.html”

•
After this, all the object files, map file and the executable file
App_MCU_P1M_Sample.out will be available in the output folder:
(“X1X\P1x\modules\mcu\sample_application\<SubVariant>
\obj\<compiler>”)

•
The executable can be loaded into the debugger and the sample
application can be executed

Remark Executable files with „*.out‟ extension can be downloaded into the target
hardware with the help of Green Hills debugger.
• If any configuration changes (only post-build) are made to the ECU
Configuration Description files
“X1X\P1x\modules\mcu\sample_application\<SubVariant>\<AUTOSAR_versi
on>\config\App_MCU_P1M_701312_Sample.arxml”

•
The database alone can be generated by using the following commands.
make –f App_MCU_P1M_Sample.mak generate_mcu_config
 make –f App_MCU_P1M_Sample.mak App_MCU_P1M_Sample.s37
•
After this, a flash able Motorola S-Record file App_MCU_P1M_Sample.s37
is available in the output folder.
Note: The <Device_name> indicates the device to be compiled, which can be
701304, 701305, 701310, 701311, 701312, 701313, 701314, 701315, 701318,
701319, 701320, 701321, 701322, 701323.

13.3. Memory and Throughput
13.3.1. ROM/RAM Usage

The details of memory usage for the typical configuration, with DET disabled
as provided in Section 13.3.2.1 Configuration Example are provided in this
section.

51

Chapter 13                                                                                                    P1M Specific Information

Table 13-3  ROM/RAM Details without DET

Sl. No.  ROM/RAM
Segment Name
Size in bytes in
GHS
1.
ROM
MCU_PUBLIC_CODE_ROM
3578
MCU_PRIVATE_CODE_ROM
2788
MCU_FAST_CODE_ROM
1276
MCU_CFG_DBTOC_UNSPECIFIED
52
MCU_CFG_DATA_UNSPECIFIED
760

ROM.RAM_1BIT
3

ROM.RAM_32BIT
8
2.
RAM
RAM_UNSPECIFIED
16
RAM_1BIT
3
NOINIT_RAM_8BIT
0
RAM_32BIT
8
NOINIT_RAM_UNSPECIFIED
16
MCU_CFG_RAM_UNSPECIFIED
0

The details of memory usage for the typical configuration, with DET enabled
and  all  other configurations as  provided in  13.3.2.1  Configuration Example
are provided in this section.

Table 13-4  ROM/RAM Details with DET

Sl. No.  ROM/RAM
Segment Name
Size in bytes in
GHS
1.
ROM
MCU_PUBLIC_CODE_ROM
3566
MCU_PRIVATE_CODE_ROM
2788
MCU_FAST_CODE_ROM
1276
MCU_CFG_DBTOC_UNSPECIFIED
52
MCU_CFG_DATA_UNSPECIFIED
760

ROM.RAM_1BIT
3

ROM.RAM_32BIT
8

52

P1M Specific Information

  Chapter 13

Sl. No.  ROM/RAM
Segment Name
Size in bytes in
GHS
2.
RAM
RAM_UNSPECIFIED
16
RAM_1BIT
3
NOINIT_RAM_8BIT
0
RAM_32BIT
8
NOINIT_RAM_UNSPECIFIED
16
MCU_CFG_RAM_UNSPECIFIED
0

13.3.2.
Stack Depth

The worst-case stack depth for MCU Driver Component for the typical
configuration provided in Section 13.3.2.1 Configuration Example is
approximately 64 bytes.

13.3.3.
Throughput Details

The throughput details of the APIs for the configuration mentioned in the

Section 13.3.2.1 Configuration Example is as given below.

Table 13-5  Throughput Details of the APIs

Throughput in

Sl. No.
API Name
microseconds in GHS  Remarks
1.
Mcu_Init
45.5391
-
2.
Mcu_InitClock
154.55
-
3.
Mcu_GetPllStatus
0.25
-
4.
Mcu_InitRamSection
9.137
-
5.
Mcu_GetResetReason
0.25
-
6.
Mcu_GetResetRawValue
0.25
-
7.
Mcu_GetVersionInfo
0.12
-
8.
Mcu_GetRamState
0.562
-
9.
Mcu_DistributePllClock
0.12

10.
Mcu_SetMode
0.12
-
11.
Mcu_PerformReset
0.12
-
12.
Mcu_FEINT_ISR
0.437
-

53

Chapter 13 P1M Specific Information

54

Release Details

  Chapter 14

Chapter 14  Release Details

MCU Driver Software

Version: 1.0.3

55

Chapter 14 Release Details

56

Revision History

Sl. No.  Description
Version
Date
1.
Initial Version
1.0.0
18-Oct-2013
2.
Following changes are made:
1.0.1
30-Apr-2014
1.  Chapter 2 is updated for reference documents.
2.  Section 4.3 is updated for Exclusive Area name change.
3.  Section 4.4 is updated for adding user and supervisor mode
details for new APIs.
4.  Chapter 6 is updated for Register details used in APIs.
5.  Chapter 8 is updated for adding file description for tool
generated file „Mcu_Cbk.h‟.
6.  Section 10.3 is updated for adding new APIs in function
definition.
7.  Section 11.1 is updated for adding DET error.
8.  Chapter 13 and section 13.1.1 is updated for adding new
supported devices.
9.  Section 13.2 is updated for change in compiler and linker version
details.
10.  Section 13.3 is updated for adding latest configuration details for
supported devices.
11.  Section 13.3.2 is updated for change in configuration example
for sample application testing.
12.  Section 13.4 is updated for updating ROM/RAM, Stack and
Throughput details.
13.  Chapter 14 is updated for increment in MCU Driver software
version.
3.
Following changes are made:
1.0.2
09-May-2014
1.  Chapter 4 is updated for adding a new section regarding RAM
Initialization.
2.  Chapter 13 and section 13.3.1 is updated for removal of
unsupported devices.
4.
Following changes are made:
1.0.3
20-Oct-2014
1.  Chapter 2 is updated for referenced documents version.
2.  Section 13.1.1 is updated for adding the device names.
3.  Section 13.2 is updated for compiler, assembler and linker
details.
4.  Section 13.3 is updated to add parameter definition file and
sample application configuration files for all P1M devices.
5.  Chapter 14 is updated for MCU driver component version
information.
6.  Deviation list is updated to add MCU_E_PARAM_POINTER
error for Mcu_GetVersioInfo API and AUTOSAR requirement.
5
Following changes are made:
1.0.4
12-Dec-2014
1.  Chapters 7 to 11 updated to start at odd page.

2.  Date in Revision History updated.
3.  Document page numbers are corrected.

4.  Chapter 11 updated to add MCU_E_PARAM_MODE DET.

5.  Page number is removed from publication info page.
6. Section 13.2 is updated for compiler, assembler and linker details.

7. Chapter 8 is update to include rh850_types.h file.
8. Section 13.4 is updated for Memory and throughput details.

57

6
Following changes are made:
1.0.5
30-Apr-2015
1.  New section, “4.7 Callout API” added to chapter 4.
2.  Information regarding Interrupt vector table is added to “Section
4.1 General”.
3.  As part of device support activity for R7F701304, R7F701305,
R7F701313, R7F701315, R7F701318 to R7F701323 updated
sections 3.1.1, 13.1, 13.2.
4.  Removed section Compiler,Linker and Assembler in Chapter13.
5.  Updated section 13.3 for memory and throughput
6.  Copyright information has been changed to 2015

58

59

AUTOSAR MCAL R4.0.3 User's Manual
MCU Driver Component Ver.1.0.5
Embedded User’s Manual

Publication Date: Rev.0.01, Apr 30, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  de  tailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson  Road,  Newmarket,  Ontario  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics  Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics  Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf,  Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics  (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu  Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics  (Shanghai)  Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics  Hong  Kong  Limited
Unit  1601-1613,  16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok,  Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics  Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics  Singapore  Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  keppel  Bay  Tower,  Singapore  098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics  Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics  Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User‟s Manual

Document Outline

14.4 - AUTOSAR_MCU_Tool_UserManual

AUTOSAR MCAL R4.0 User's Manual

14.5 - AUTOSAR_MCU_Tool_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38

14.6 - AUTOSAR_MCU_Tool_UserManuals

AUTOSAR MCAL R4.0.3
User‟s Manual

MCU Driver Component Ver.1.0.3

Generation Tool User‟s Manual

Target Device:
RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.01 Apr 2015

2

Notice
1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject
to change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the
latest product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and
different information to be disclosed by Renesas Electronics such as that disclosed through our website.
2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of
third parties by or arising from the use of Renesas Electronics products or technical information described in this document. No
license, express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of
Renesas Electronics or others.
3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.
4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of
semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and
information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by
you or third parties arising from the use of these circuits, software, or information.
5.
When exporting the products or technology described in this document, you should comply with the applicable export control
laws and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics
products or the technology described in this document for any purpose relating to military applications or use by the military,
including but not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may
not be used for or incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable
domestic or foreign laws or regulations.
6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics
does not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages
incurred by you resulting from errors in or omissions from the information included herein.
7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and
"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as
indicated below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.
You may not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent
of Renesas Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended
without the prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or
losses incurred by you or third parties arising from the use of any Renesas Electronics product for an application categorized as
"Specific" or for which the product is not intended where you have failed to obtain the prior written consent of Renesas
Electronics.  The quality grade of each Renesas Electronics product is "Standard" unless otherwise expressly specified in a
Renesas Electronics data sheets or data books, etc.
"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual
equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.
"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti-
crime systems; safety equipment; and medical equipment not specifically designed for life support.
"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or
systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare
intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.
8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,
especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation
characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or
damages arising out of the use of Renesas Electronics products beyond such specified ranges.
9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have
specific characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further,
Renesas Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard
them against the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a
Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire
control and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the
evaluation of microcomputer software alone is very difficult, please evaluate the safety of the final products or system
manufactured by you.
10.   Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility
of each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and
regulations that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.
Renesas Electronics assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws
and regulations.
11.   This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas
Electronics.
12.   Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this
document or Renesas Electronics products, or if you have any other inquiries.

(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority-
owned subsidiaries.
(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.
3

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
AUTOSAR
AUTomotive Open System ARchitecture
BSWMDT
Basic Software Module Description Template
DEM
Diagnostic Event Manager
ECM
Error Control Module
ECU
Electronic Control Unit
Id
Identifier
MCAL
Micro Controller Abstraction Layer
MCU
Micro Controller Unit
SPAL
Standard Peripheral Abstraction Layer
XML
eXtensible Mark-up Language

Definitions

Terminology
Description
BSWMDT File
This file is the template for the Basic Software Module Description.
Configuration XML File
This file contains the setting of command line options.
ECU Configuration Description
Input file to MCU Driver Generation Tool. It is generated by ECU
File
Configuration Editor.
Sl.No
Serial Number.
Translation XML File
This file contains the translation and device specific header file path.

5

6

List of Figures

Figure 3-1
Overview of MCU Driver Generation Tool ........................................................................... 13

List of Tables

Table 5-1
Output Files Description ......................................................................................................... 17

8

Introduction
Chapter 1

Chapter 1 Introduction

The MCU Driver component provides services for basic microcontroller
initialization, Error Control Module (ECM), reset and microcontroller
specific functions required from other SPAL components.

The MCU Driver Component comprises of two sections i.e., Embedded
Software and Generation Tool to achieve scalability and configurability.

The document describes the features of the MCU Driver Generation Tool.
MCU Driver Generation Tool is a command line tool that extracts information
from ECU Configuration Description File, BSWMDT File and generates MCU
Driver C source and C header files (Mcu_PBcfg.c, Mcu_Reg.h, Mcu_Cbk.h
and Mcu_Cfg.h).

1.1.
Document Overview

This user manual is organized as given in the table below:

Section
Contents
Section 1 (Introduction)
Provides an introduction to the document and explains how information
is organized in this manual.
Section 2 (Reference)
Provides a list of documents referred while developing this document.
Section 3 (MCU Driver
Provides the MCU Driver Generation Tool Overview.
Generation Tool Overview)
Section 4 (Input Files)
Provides information about ECU Configuration Description File.
Section 5 (Output Files)
Explains the output files that are generated by the MCU Driver
Generation Tool.
Section 6 (Precautions)
Contains precautions to be taken during configuration of ECU
Configuration Description File.
Section 7 (User Configuration
Describes about user configuration validation done by the MCU Driver
Validation)
Generation Tool.
Section 8 (Messages)
Describes all the Error/Warning/Information messages of R4.0.3 which
helps the user to understand the probable reason for the same.
Section 9 (Notes)
Provides notes to help the user to understand this document better.

9

Chapter 1 Introduction

10

Reference
Chapter 2

Chapter 2 Reference

2.1.
Reference Documents

The following table lists the documents referred to develop this document:

Sl. No Title
Version
1.
Autosar R4.0
3.2.0

AUTOSAR_SWS_MCUDriver.pdf
2.
P1x Parameter Definition File
1.1.4

R403_MCU_P1M_04_05.arxml.arxml

3.
P1x Parameter Definition File
1.0.1

R403_MCU_P1M_10_to_15_18_to_23.arxml.arxml

2.2.
Trademark Notice

Microsoft and Windows are trademarks/registered trademarks of Microsoft
Corporation.

11

Chapter 2 Reference

12

MCU Driver Generation Tool Overview
Chapter 3

Chapter 3  MCU Driver Generation Tool Overview

MCU Driver Generation Tool overview is shown below.

ECU

Configuration

Description File,
Mcu_Cfg.h,
MCU Driver
Translation XML
Mcu_Reg.h,
Generation
File, BSWMDT File
Mcu_Cbk.h,
Tool
and
Mcu_PBcfg.c
Configuration
XML File

Figure 3-1  Overview of MCU Driver Generation Tool

MCU Driver Generation Tool is a command line tool that extracts, analyzes
the configuration details provided in the input file and validates correctness of
the data and provides scalability and configurability for MCU Driver module. It
accepts ECU Configuration Description File(s), Translation XML File,
BSWMDT File and Configuration XML File as input and displays appropriate
context sensitive error messages for wrong input and exits. Tool creates the
Log file (Mcu.log) that contains the list of Error/Warning/Information messages
in the output directory.

For the error free input file, the tool generates the following output files:
Mcu_Cfg.h, Mcu_Reg.h, Mcu_Cbk.h and Mcu_PBcfg.c.

Mcu_Cfg.h, Mcu_Reg.h and Mcu_Cbk.h will be compiled and linked with
MCU Driver Module. Mcu_PBcfg.c will be compiled and linked separately
from the other C Source files and placed in flash.

ECU Configuration Description File can be created or edited using ECU
Configuration Editor.

Remark
•
In case of errors the generation tool returns a 1, in case of no errors
the generation tool returns a 0.

•
MCU Driver Generation Tool uses “Common Published Information” from
MCU module specific BSWMDT File. MCU module specific BSWMDT File
should not be updated manually since it is ”Static Configuration” file.

13

Chapter 3 MCU Driver Generation Tool Overview

14

Input Files
Chapter 4

Chapter 4 Input Files

MCU Driver Generation Tool accepts ECU Configuration Description File(s),
Translation XML File, BSWMDT File and Configuration XML File as input.
MCU Driver Generation Tool needs information about MCU Driver module.
Hence ECU Configuration Description File should contain configuration of
MCU Driver module. Generation Tool ignores any other AUTOSAR
component configured in the ECU Configuration Description File. ECU
Configuration Description File can be generated using configuration editor.

ECU Configuration Description File must comply with AUTOSAR standard
ECU Configuration Description File format.

Remark The detailed explanation about the parameters and containers are found in
Parameter Definition File mentioned in Reference Documents section.

15

Chapter 4 Input Files

16

Output Files
Chapter 5

Chapter 5  Output Files

MCU Driver Generation Tool generates configuration details in C Header and
C Source files Mcu_Cfg.h, Mcu_Reg.h, Mcu_Cbk.h and Mcu_PBcfg.c.

The content of each output file is given in the table below:

Table 5-1  Output Files Description

Output File
Details
Mcu_Cfg.h
This file contains pre-compile time parameters.
Mcu_Reg.h
This file contains the definitions for addresses of the hardware registers used in the
MCU Driver Module.
Mcu_Cbk.h
This file contains callback function prototype declarations to be used by application.
Mcu_PBcfg.c
This file contains post-build configuration data.

Remark  Output files generated by MCU Driver Generation Tool should not be modified
or edited manually.

17

Chapter 5 Output Files

18

Precautions
Chapter 6

Chapter 6  Precautions

•  ECU Configuration Description File and BSWMDT File must comply with
AUTOSAR standard for R4.0.3 ECU Configuration Description File and
BSWMDT File respectively.

•  The input file must contain MCU Driver and DEM component related
configuration.

•  Default Translation XML File (Mcu_P1x.trxml) should be present in same
location of Mcu_P1x.exe when the variant specific trxml file is not given as
input in command line.

•  Default Configuration XML File (Mcu_P1x.cfgxml) must be present in same
location of Mcu_P1x.exe.

•  If  Translation  XML  File  is  not  provided  on  the  command  line,
Mcu_P1x.trxml  which  is  present  in  same  location  of  Mcu_P1x.exe  is
considered as „default‟ Translation XML File.

•  If Configuration XML File is not provided on the command line,
Mcu_P1x.cfgxml which is present in same location of Mcu_P1x.exe is
considered as „default‟ Configuration XML File.

•  Translation XML File should contain the file extension „.trxml‟.

•  Configuration XML File should contain the file extension „.cfgxml‟.

•  All the function names and the string values configured should follow C
syntax for variables. It can only contain alphanumeric characters and “_”. It
should start with an alphabet.

•  If the output files generated by MCU Driver Generation Tool are modified
externally, then they may not produce the expected results or may lead to
error/warning/Information messages.

•  Short Name for a container should be unique within a name space.

•  An error free ECU Configuration Description File generated from
configuration editor has to be provided as input to the MCU Driver
Generation Tool. Otherwise Tool may not produce the expected results or
may lead to errors/warnings/information messages.

•  User has to make sure that the respective device specific configuration file
is used. Otherwise Tool may not produce the expected results or may lead
to errors/warnings/information messages.

•  The description file should always be generated using AUTOSAR specified
configuration editor and it should not be edited manually.

Remark  Please refer the MCU Component User Manual for deviations from AUTOSAR
specifications, if any.

19

Chapter 6 Precautions

20

User Configuration Validation
Chapter 7

Chapter 7 User Configuration Validation

This section provides help to analyze the error, warning and information
messages displayed during the execution of MCU Driver Generation Tool. It
ensures conformance of input file with syntax and semantics. It also performs
validation on the input file for correctness of the data.

For more details on list of Error/Warning/Information messages that are
displayed as a result of input file(s) validation, refer Chapter 8 “Messages”.

The Generation Tool displays error or warning or information when the user
has configured incorrect inputs. The format of Error/Warning/Information
message is as shown below.

• ERR/WRN/INF<mid><xxx>: <Error/Warning/Information Message>.

where,
<mid>: 101 - MCU Driver Module Id (101) for user configuration checks.

000 - for command line checks.

<xxx>: 001-999 - Message Id.

• File Name: Name of the file in which the error has occurred.

• Path: Absolute path of the container in which the parameter is present.

„File Name‟ and „Path‟ need not be present for all Error/Warning/Information
messages.

21

Chapter 7 User Configuration Validation

22

Messages
Chapter 8

Chapter 8  Messages

The messages help to identify the syntax or semantic errors in the ECU
Configuration Description File. Hence it ensures validity and correctness of the
information available in the ECU Configuration Description File.

The following section gives the list of error, warning and information messages
displayed by the Generation Tool.

8.1  Error Messages

ERR101001: Number of fields is not same for the entity 'Structure Name'.

This error occurs, if the number of fields is not same in the structure that is to
be generated in the output file.

ERR101002: Field 'Field Name' is empty in the entity 'Structure Name'.

This error occurs, if the structure fields that are to be generated in the output
file are empty.

ERR101003: 'MCU Driver' or 'DEM Driver' Component is not present in the
input file(s).

This error occurs, if MCU Driver or DEM Driver component is not present in
the input ECU Configuration Description File(s).

ERR101004: The parameter 'parameter name' in the container 'container
name' should be configured.

This error occurs, if any of the mandatory configuration parameter(s)
mentioned below is (are) not configured in ECU Configuration Description File.
The list of mandatory parameters with respect to container is listed below:

Parameter Name
Container Name
McuVersionCheckExternalModules

McuDevErrorDetect

McuGetRamStateApi

McuInitClock

McuNoPll

McuPerformResetApi
McuGeneralConfiguration

McuVersionInfoApi

McuCriticalSectionProtection

McuSwResetCallApi

McuEcmDelayTimerOverflowValue

McuEcmErrorOutputMode

23

Chapter 8                                                                                                                               Messages

Parameter Name
Container Name
McuEcmErrorOutTimer

McuRamSectorSetting

McuDeviceName

McuClm0Operation

McuGeneralConfiguration
McuClm0MonitoringClockAccuracy

McuClm0SamplingClockAccuracy
McuClm1Operation
McuClm1MonitoringClockAccuracy
McuClm1SamplingClockAccuracy
McuClm2Operation
McuClm2MonitoringClockAccuracy
McuClm2SamplingClockAccuracy
McuClm3Operation
McuClm3MonitoringClockAccuracy
McuClm3SamplingClockAccuracy
McuCvmSelfDiagnosticTest
McuClma0SelfDiagnosticTest
McuClma1SelfDiagnosticTest
McuClma2SelfDiagnosticTest
McuClma3SelfDiagnosticTest
McuEcmSelfDiagnosticTest
McuReadBackConfiguration

McuLoopCount
McuLockStepSelfDiagnosticTest
McuLviDetectionLevel

McuLviResetMask

McuCvmOutMaskFbist
McuModuleConfiguration
McuCvmOutMaskDiag
McuCvmOutputFilter
McuCvmResetEnable
McuClockSettingId

McuMainOsciFrequency
McuClockSettingConfig
McuCpuMainSysClk
McuUnitName
McuUnitName

McuHighspeedPeriClk
McuPeripheralClock
McuUnitName

McuLowspeedPeriClk
McuPeripheralClock
McuWdtCounterDivider

McuWdtacounterClk
McuUnitName
McuPeripheralClock
McuExternalClk0SourceSel

McuExternalClk0DividerSel

McuExternalClock0
McuExternalClkOutSetting
McuExternalClk1SourceSel
McuExternalClk1DividerSel
McuExternalClock1
24

Messages
Chapter 8

Parameter Name
Container Name
McuEcmErrorMaskableInterrupt

McuEcmErrorNonMaskableInterrupt
McuEcmErrorSource0 to McuEcmErrorSource42
McuEcmErrorInternalReset
(except McuEcmErrorSource2,
McuEcmErrorSource3, McuEcmErrorSource13,
McuEcmErrorNMIDelayTimer
McuEcmErrorSource25 and
McuEcmErrorMIDelayTimer
McuEcmErrorSource35)
McuEcmErrorOutputMask

McuEcmErrorInternalReset

McuEcmErrorOutputMask
McuEcmErrorSource129
MCU_E_CLOCK_FAILURE

McuDemEventParameterRefs
MCU_E_WRITE_TIMEOUT_FAILURE
McuModeType

McuMode
McuModeSettingConf
McuRamDefaultValue

McuRamSectionBaseAddress

McuRamSectorSettingConf
McuRamSectionSize
McuRamTypeSel

McuRstRsnConfPowOnClr

McuRstRsnConfPinRst

McuRstRsnConfSwRst
McuRstRsnConfWdta

McuRstRsnConfLockStepCompare
McuRstRsnConfClkMonUprLimErMosc

McuRstRsnConfClkMonLwrLimErMosc
McuRstRsnConfClkMonUprLimErWdt

McuRstRsnConfClkMonLwrLimErWdt
McuRstRsnConfClkMonUprLimErPclk
McuResetReason
McuRstRsnConfClkMonLwrLimErPclk

McuRstRsnConfClkMonUprLimErPe1
McuRstRsnConfClkMonLwrLimErPe1

McuRstRsnConfLRamEcc2AddPrty

McuRstRsnConfInstCacheRamEcc2
McuRstRsnConfCodeFlsEcc2AddPrty

McuRstRsnConfDataFlsEcc2

McuRstRsnConfDtsRamEcc2
McuRstRsnConfCsihRamEcc2

McuRstRsnConfCanRamEcc2

McuRstRsnConfFrRamEcc2
McuRstRsnConfFlsProgMode

McuRstRsnConfTestMode

McuRstRsnConfSingChipModInact
McuRstRsnConfPeGuard

McuRstRsnConfPBusGuard

McuRstRsnConfSarAdcPrty
McuRstRsnConfBusDataPrty

McuRstRsnConfEcmCompare

McuRstRsnConfLvi
McuRstRsnConfTempSensor

25

Chapter 8 Messages

Parameter Name
Container Name

McuRstRsnConfDmaTrans
McuRstRsnConfDmaViol

McuRstRsnConfLRamEcc1
McuResetReason
McuRstRsnConfCodeFlsEcc1
McuRstRsnConfDataFlsEcc1


McuRstRsnConfDtsRamEcc1

McuRstRsnConfPeriRamEcc1
McuRstRsnConfBistCodeEcc1
McuRstRsnConfBistCodeEcc2
McuRstRsnConfFaci
McuRstRsnConfEcmDelayOverFlow
McuRstRsnConfRstUndefined
McuRstRsnConfRstUnknown
McuRstRsnConfCvmRst

ERR101005: The value for parameter ‘parameter name’ present in the
container 'container name' should be same across multiple
configuration set 'McuModuleConfiguration'.

This error occurs, if the value configured for the following parameter present
in the respective container is not same across multiple configuration set
McuModuleConfiguration.

 Parameter
 Container
McuMainOsciFrequency
 McuClockSettingConfig
McuWdtCounterDivider
 McuWdtacounterClk

ERR101006: The value of the parameter
'McuEcmErrorMaskableInterrupt' should configure as <true> since the
'McuMiNotification' parameter is configured in container <Configured
ecm error source container>.

This error occurs, if the value of the parameter
McuEcmErrorMaskableInterrupt is not configure as true, since the
McuMiNotification parameter is configured in container <Configured ecm
error source container>.

ERR101007: The configured value in 'McuPeripheralClock' in container
'McuWdtacounterClk' should be equal to <8000000/configured value of
McuWdtCounterDivider parameter>.

This error occurs, if the configured value in McuPeripheralClock in container
McuWdtacounterClk is not equal to <8000000/configured value of
McuWdtCounterDivider parameter>.

ERR101008: The configured value in 'McuExternalClockX' in container
'McuExternalClkOutSetting' should be equal to
<McuExternalClkXSourceSel/McuExternalClkXDividerSel>.

This error occurs, if the configured value in McuExternalClockX in container
McuExternalClkOutSetting is not equal to
<McuExternalClkXSourceSel/McuExternalClkXDividerSel>.
26

Messages
Chapter 8


 Remark Where X=0 or 1

ERR101009: The value of the parameter
'McuEcmErrorNonMaskableInterrupt' should configure as <true> since
the 'McuNmiNotification' parameter is configured in container
<Configured ecm error source container>.

This error occurs, if the value for parameter
McuEcmErrorNonMaskableInterrupt is not configure as true, since the
McuNmiNotification parameter is configured in container <Configured ecm
error source container>.

ERR101017: The value for parameter 'parameter name' configured in
container 'container name' should be <expected value of parameter>. In
general per configuration set, the value of 'parameter name' parameter
should start with <0> and should be sequential without any gaps.

This error occurs, if the value configured for the following parameter in the
respective container does not start with 0 and not sequential in multiple
configurations set container McuModuleConfiguration.

Parameter
Container
McuClockSettingId
McuClockSettingConfig

 Remark As issue raised in Bugzilla: 54536 Autosar parameter
McuClockSettingId in McuClockSettingConfig container range is changed to 0
to 255 instead of 1 to 255.

ERR101020: The value for parameter ' McuRamSectionBaseAddress ' in
container ' McuRamSectorSettingConf ' should be in the range.

This error occurs, if value for parameter McuRamSectionBaseAddress in
container McuRamSectorSettingConf is not in the range of <configured value
for McuRamTypeSel>.

ERR101022: Atleast one 'McuRamSectorSettingConf' container should be
configured. Since 'McuRamSectorSetting' parameter in
'McuGeneralConfiguration' container is configured as <true>.

This error occurs, if no McuRamSectorSettingConf container is configured and
parameter McuRamSectorSetting in McuGeneralConfiguration container is
configured as <true>.

ERR101026: The reference path <McuDemEventParameterRefs> provided
for the parameter 'Parameter Name' within the container 'Container Name'
is incorrect.

This error occurs, if the reference path <McuDemEventParameterRefs>
provided for the following parameters in McuDemEventParameterRefs
container is not correct.

Parameter
Container
MCU_E_CLOCK_FAILURE

McuDemEventParameterRefs

27

Chapter 8 Messages

Parameter
Container
MCU_E_WRITE_TIMEOUT_FAILURE

MCU_E_CVM_SELFDIAG_FAILURE

MCU_E_CLM_SELFDIAG_FAILURE
McuDemEventParameterRefs
MCU_E_ECM_SELFDIAG_FAILURE
MCU_E_LOCKSTEP_SELFDIAG_FAILURE

ERR101027: The short name of the container 'McuClockSettingConfig'
should be same for clock having 'McuClockSettingId' <value of
McuClockSettingId> across multiple configuration sets.

This error occurs, if the short name of the container McuClockSettingConfig is
not same for clock having same McuClockSettingId across multiple
configuration sets.

ERR101029: The value for parameter 'McuLviResetMask' present in
container 'McuModuleConfiguration' should be same across multiple
configurations set.

This error occurs, if the value for parameter McuLviResetMask present in
container McuModuleConfiguration is not same across multiple configurations
set.

ERR101031: The value for parameter 'McuInitClock' present in container
'McuGeneralConfiguration' should not be configured as <false>.

This error occurs, if the value for parameter McuInitClock present in container
McuGeneralConfiguration is configured as false.

ERR101032: The value for the parameter 'Parameter Name' present in the
container 'Container Name' should be same across multiple
configuration set 'McuModuleConfiguration'.

This error occurs, if the value configured for the following parameters in
McuDemEventParameterRefs container is not same across multiple
configuration set container McuModuleConfiguration.

Parameter
Container
MCU_E_CLOCK_FAILURE

MCU_E_WRITE_TIMEOUT_FAILURE


MCU_E_CVM_SELFDIAG_FAILURE

McuDemEventParameterRefs
MCU_E_CLM_SELFDIAG_FAILURE

MCU_E_ECM_SELFDIAG_FAILURE

MCU_E_LOCKSTEP_SELFDIAG_FAILURE

28

Messages
Chapter 8

ERR101035: The value for parameter 'McuClockSettingId' present in
container 'McuClockSettingConfig' should be same across multiple
configurations set container 'McuModuleConfiguration'.

This error occurs, if the value for parameter McuClockSettingId present in
container McuClockSettingConfig does not same across multiple configurations
set container McuModuleConfiguration.

ERR101036: Parameter 'MCU_E_CVM_SELFDIAG_FAILURE' should be
configured, since parameter 'McuCvmSelfDiagnosticTest' inside
container ‘McuGeneralConfiguration' is configured as <true>.

This error occurs, if parameter 'MCU_E_CVM_SELFDIAG_FAILURE' is not
configured, since parameter 'McuCvmSelfDiagnosticTest' inside container
„McuGeneralConfiguration' is configured as true.

ERR101037: Parameter 'MCU_E_CLM_SELFDIAG_FAILURE' should be
configured, since one or more of parameters
'McuClma0SelfDiagnosticTest', 'McuClma1SelfDiagnosticTest',
'McuClma2SelfDiagnosticTest' and 'McuClma3SelfDiagnosticTest' inside
container ‘McuGeneralConfiguration’ is configured as <true>.

This error occurs, if parameter 'MCU_E_CLM_SELFDIAG_FAILURE' is not
configured, since one or more of parameters 'McuClma0SelfDiagnosticTest',
'McuClma1SelfDiagnosticTest', 'McuClma2SelfDiagnosticTest' and
'McuClma3SelfDiagnosticTest' inside container „McuGeneralConfiguration‟ is
configured as true.

ERR101038: Parameter 'MCU_E_ECM_SELFDIAG_FAILURE' should be
configured, since parameter 'McuEcmSelfDiagnosticTest' inside
container 'McuGeneralConfiguration' is configured as <true>.

This error occurs, if parameter 'MCU_E_ECM_SELFDIAG_FAILURE' is not
configured, since parameter 'McuEcmSelfDiagnosticTest' inside container
„McuGeneralConfiguration' is configured as true.

ERR101039: Parameter 'MCU_E_LOCKSTEP_SELFDIAG_FAILURE'
should be configured, since parameter 'McuLockStepSelfDiagnosticTest'
inside container 'McuGeneralConfiguration' is configured as <true>.

This error occurs, if parameter 'MCU_E_LOCKSTEP_SELFDIAG_FAILURE' is
not configured, since parameter 'McuLockStepSelfDiagnosticTest' inside
container „McuGeneralConfiguration' is configured as true.

ERR101040: The value for parameters 'McuEcmErrorNMIDelayTimer' and
'McuEcmErrorMIDelayTimer' should not be configured as <true> for
containers 'McuEcmErrorSource4 to McuEcmErrorSource11'.

This error occurs, if the value for parameter 'McuEcmErrorNMIDelayTimer' and
'McuEcmErrorMIDelayTimer' are configured as true for containers
'McuEcmErrorSource4 to McuEcmErrorSource11'.

ERR101041: The value for parameter ‘Parameter Name’ present in
container McuGeneralConfiguration' should be configured as <true>
since parameter 'Parameter Name' is configured as <true> ".

29

Chapter 8 Messages

This error occurs, if the value configured for parameter on left column of
following table present in container McuGeneralConfiguration is true but value
configured for parameter on right column of following table is configured as
false.

The Parameter which is configured as <true>
Parameter that should be configured as
<true>
McuClma0SelfDiagnosticTest
McuClm0Operation

McuClma1SelfDiagnosticTest
McuClm1Operation

McuClma2SelfDiagnosticTest
McuClm2Operation
McuClma3SelfDiagnosticTest
McuClm3Operation

ERR101042: The value for the parameters 'parameter name' and
'parameter name' present in the container 'McuDemEventParameterRefs'
should be unique.

This error occurs, if the value configured for the following parameters in
McuDemEventParameterRefs container is not unique.

Parameter
Container
MCU_E_CLOCK_FAILURE

MCU_E_WRITE_TIMEOUT_FAILURE

MCU_E_CVM_SELFDIAG_FAILURE

McuDemEventParameterRefs
MCU_E_CLM_SELFDIAG_FAILURE
MCU_E_ECM_SELFDIAG_FAILURE
MCU_E_LOCKSTEP_SELFDIAG_FAILURE

ERR101043: Atleast one ‘McuWdtacounterClk’ container should be
configured. Since ‘McuClm2Operation’ parameter in
'McuGeneralConfiguration' container is configured as <true>.

This error occurs, if container McuWdtacounterClk is not configured since
parameter McuClm2Operation of container McuGeneralConfiguration is
configured as true.

ERR101044: The configured value for parameter ‘McuExternalClockX’ in
container 'McuExternalClkOutSetting’ should be equal to 0.

This error occurs, if the value configured for the parameter McuExternalClockX
in container McuExternalClkOutSetting is not equal to 0.

 Remark Where X=0 or 1
ERR101045: The value for parameters ‘McuEcmErrorMaskableInterrupt’
or ‘McuEcmErrorNonMaskableInterrupt’ should be <true> in all container
McuEcmErrorSource<12, 14, 17, 18 to 20, 34, 38 and 39> since
‘McuGetRamStateApi’ is configured as <true> in
‘McuGeneralConfiguration’ container.

This error occurs, if the value configured for the parameters
McuEcmErrorMaskableInterrupt or should be <true> in all containers
McuEcmErrorSource<12, 14, 17, 18 to 20, 34, 38 and 39> when
30

Messages
Chapter 8

McuGetRamStateApi‟ is configured as <true> in „McuGeneralConfiguration‟
container.

ERR101046: The order of container 'McuRamSectorSettingConf'
configuration and their short names should be same across multiple
configuration sets.

This error occurs, if the order of container 'McuRamSectorSettingConf'
configuration and their short are not same across multiple configuration

ERR101047: The number of 'McuRamSectorSettingConf' containers
should be same across multiple configuration sets.

This error occurs, if the number of 'McuRamSectorSettingConf' containers are
not same across multiple configuration sets.

8.2 Warning Messages

WRN101001: The value of the parameters
'McuEcmErrorNonMaskableInterrupt' and
'McuEcmErrorMaskableInterrupt' should not be <true> since the
parameter 'McuEcmErrorInternalReset' of the container <configured Ecm
error sources>is configured as <true>.

This warning occurs, if the value of the parameters
McuEcmErrorNonMaskableInterrupt and McuEcmErrorMaskableInterrupt is
<true> since the parameter McuEcmErrorInternalReset of the container
<configured Ecm error sources>is configured as <true>.

WRN101002: The value of the parameter 'McuEcmErrorMaskableInterrupt'
should not be <true> since the parameter
'McuEcmErrorNonMaskableInterrupt' of the container <configured Ecm
error sources> is configured as <true>.

This warning occurs, if the value of the parameter
McuEcmErrorMaskableInterrupt is <true> since the parameter
McuEcmErrorNonMaskableInterrupt of the container <configured Ecm error
sources>is configured as <true>.

8.3 Information Messages

INF101001: The configured ‘McuRamSectorSettingConf’ container is not
used. Since ‘McuRamSectorSetting’ parameter in
‘McuGeneralConfiguration’ container is configured as <false>.

This information occurs, if McuRamSectorSettingConf container is configured
and parameter McuRamSectorSetting in McuGeneralConfiguration container is
configured as <false>.

INF101002: The configured value for parameter ‘McuExternalClockX' will
be ignored if parameter 'McuExternalClkXSourceSel' is configured as
'MCU_NO_OUTPUT'.

This information occurs, if the configured value of parameter
McuExternalClockX is ignored when parameter McuExternalClkXSourceSel is
configured as MCU_NO_OUTPUT.

31

Chapter 8 Messages

 Remark Where X=0 or 1

INF101003: The parameter ‘McuEcmErrorMIDelayTimer’ / ’
McuEcmErrorNMIDelayTimer’ does not have any effect since the
corresponding intrrupt ‘McuEcmErrorMaskableInterrupt’ /
‘McuEcmErrorNonMaskableInterrupt’ is configured as <false> in
container ‘McuEcmErrorSource’ .

This information occurs, if the parameter McuEcmErrorMIDelayTimer is
configured when McuEcmErrorMaskableInterrupt is configured as false in
same or the parameter McuEcmErrorNMIDelayTimer is configured when
McuEcmErrorNonMaskableInterrupt is configured as false.

32

Notes
Chapter 9

Chapter 9 Notes

“Generation Tool” and “Tool” terminologies are used interchangeably to refer
MCU Driver Generation Tool.
33

35

Chapter 9
Notes
34

Revision History
Sl.No.  Description
Version
Date
1
Initial Version
1.0.0
18-Oct-2013
2
Following changes are made:
1.0.1
15-Apr-2014

•
Error message ERR101004 is updated in section 8.1 to add
the parameter McuRamSectorSetting,  McuRamTypeSel,
McuModeType and McuLockStepSelfDiagnosticTest and to
remove the parameters
MCU_E_CVM_SELFDIAG_FAILURE,
MCU_E_CLM_SELFDIAG_FAILURE and
MCU_E_ECM_SELFDIAG_FAILURE.

•
Error messages ERR101020,  ERR101022, ERR101036,
ERR101037, ERR101038, ERR101039, ERR101040,
ERR101041, ERR101042, ERR101043 and  ERR101044 are
added newly in section 8.1.

•
Information message INF101001 and INF101002 is added
newly in section 8.3.

•
Error messages ERR101026 and ERR101032 are updated in
section 8.1.
3
Following changes are made:
1.0.2
30-Oct-2014


Error message ERR101004 is updated in section 8.1.


Reference Documents section is updated for adding
Parameter Definition Files.


Chapter 6 Precautions is updated.


Remark of Chapter 4 Input Files is updated for PDF
reference.


Error messages ERR101045, ERR101046 and ERR101047
are added newly in section 8.1.


Information message INF101003 is added newly in section
8.3.


McuRstRsnConfCvmRst container is added in error message
ERR101004 table.

4
The follo  wing changes are made:
1.0.3
28-Apr-2015

•
Pdf name and version are updated in  Section 2.1

•
Updated version and copyright year.



35

AUTOSAR MCAL R4.0.3 User's Manual
MCU Driver Component Ver.1.0.3
Generation Tool User's Manual

Publication Date: Rev.0.01, April 29, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  de  tailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson Road,  Newmarket, Ontari o  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf, Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics (Shanghai) Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics Hong  Kong  Limited
Unit  1601-1613, 16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok, Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics Singapore Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  Keppel  Bay  Tower,  Singapore 098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User‟s Manual

Document Outline

14.7 - Mcu Integration Manual

Integration Manual

For

Mcu

VERSION: 1

DATE: 01/06/16

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA

Location: The official version of this document is stored in the Nexteer Configuration Management System.

Revision History

Sl. No.	Description	Author	Version	Date
1	Initial version	Lucas Wendling	1.0	01/06/16

Table of Contents

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

Summary Sheet
Synergy Project
Source Code
PolySpace
Integration Manual

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

API usage and scheduling of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

Configuration REQUIREMeNTS

Configuration of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name

Notes

Patched_MCU_FEINT_ISR

The Mcu module implements an interrupt that needs a patch for a hardware problem that exists on the P1M hardware (see Renesas Technical Update TN-RH8-S001A/E). Nexteer has created the appropriate workaround that subsequently calls the third party Mcu interrupt handler code. Therefore, when configuring the Mcu interrupt in the O/S the interrupt handler name should be configured to the Nexteer code with the workaround (“Patched_MCU_FEINT_ISR”) instead of directly referencing the third party handler Mcu interrupt handler code.

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

API usage and scheduling of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger

Runnable	Scheduling Requirements	Trigger

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

<This section is for appendix>

14.8 - Mcu Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Mcu

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Mcu_Renesas_Ar4.0.3_01.00.03_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3172

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 3: Source Code

Rev 1.2

8-Jun-15

Peer Review Meeting Log (Source Code Review)

Source File Name:

NxtrMcuIrqPatch.c

Source File Revision:

1

Header File Name:

N/A

Header File Revision:

kzshz2: Intended Use: Identify which version of the source file is being review. Rationale: Required for traceability between source code and review. Auditors will likely require this. N/A

MDD Name:

N/A

Revision:

N/A

FDD/SCIR/DSR/FDR/CM Name:

N/A

Revision:

N/A

Quality Check Items:

Rationale is required for all answers of No

for variable names

N/A

Comments:

for constant names

N/A

Comments:

for function names

N/A

Comments:

for other names (component, memory

N/A

Comments:

mapping handles, typedefs, etc.)

All paths assign a value to outputs, ensuring

N/A

Comments:

all outputs are initialized prior to being written

Requirements Tracability tags in code match the requirements tracability in the FDD

N/A

Comments:

requirements tracability in the FDD

All variables are declared at the function level.

N/A

Comments:

Synergy version matches change history

kzshz2: Intended Use: Indicate that the the versioning was confirmed by the peer reviewer(s). Rationale: There have been many occassions where versions were not updated in files and as a result Unit Test were referencing wrong versions. This often time leads to the need to re-run of batch tests.

N/A

Comments:

and Version Control version in file comment block

Change log contains detailed description of changes

N/A

Comments:

and Work CR number

Code accurately implements FDD (Document or Model)

N/A

Comments:

Verified no Compiler Errors or Warnings

KMC: Intended Use: To confirm no compiler errors or warnings exist for the code under review (warnings from contract header files may be ignored). Rationale: This is needed to ensure there will be no errors discovered at the time of integration. A Sandox project should be used; QAC can find compiler errors but not warnings.

N/A

Comments:

Component.h is included

N/A

Comments:

All other includes are actually needed. (System includes

N/A

Comments:

only allowed in Nexteer library components)

Software Design and Coding Standards followed:

Version:

Code comments are clear, correct, and adequate

Yes

Comments:

and have been updated for the change: [N40] and

all other rules in the same section as rule [N40],

plus [N75], [N12], [N23], [N33], [N37], [N38],

[N48], [N54], [N77], [N79], [N72]

Source file (.c and .h) comment blocks are per

Yes

Comments:

standards and contain correct information: [N41], [N42]

Function comment blocks are per standards and

Yes

Comments:

contain correct information: [N43]

Code formatting (indentation, placement of

Yes

Comments:

braces, etc.) is per standards: [N5], [N55], [N56],

[N57], [N58], [N59]

Embedded constants used per standards; no

N/A

Comments:

"magic numbers": [N12]

Memory mapping for non-RTE code

N/A

Comments:

is per standard

All execution-order-dependent code can be

N/A

Comments:

recognized by the compiler: [N80]

All loops have termination conditions that ensure

N/A

Comments:

finite loop iterations: [N63]

All divides protect against divide by zero

N/A

Comments:

if needed: [N65]

All integer division and modulus operations

N/A

Comments:

handle negative numbers correctly: [N76]

All typecasting and fixed point arithmetic,

N/A

Comments:

including all use of fixed point macros and

timer functions, is correct and has no possibility

of unintended overflow or underflow: [N66]

All float-to-unsiged conversions ensure the.

N/A

Comments:

float value is non-negative: [N67]

All conversions between signed and unsigned

N/A

Comments:

types handle msb==1 as intended: [N78]

All pointer dereferencing protects against

N/A

Comments:

null pointer if needed: [N70]

Component outputs are limited to the legal range

N/A

Comments:

defined in the FDD DataDict.m file : [N53]

All code is mapped with FDD (all FDD

N/A

Comments:

subfunctions and/or model blocks identified

with code comments; all code corresponds to

some FDD subfunction and/or model block): [N40]

Review did not identify violations of other

Yes

Comments:

coding standard rules

Anomaly or Design Work CR created

N/A

Comments: List Anomaly or CR numbers

for any FDD corrections needed

General Notes / Comments:

Code review only of code workaround for hardware errata

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 4: PolySpace

Rev 1.2

8-Jun-15

Peer Review Meeting Log (QAC/PolySpace Review)

Source File Name:

NxtrMcuIrqPatch.c

Source File Revision:

1

Source File Name:

Source File Revision:

Source File Name:

Source File Revision:

EA4 Static Analysis Compliance Guideline version:

01.01.00

Poly Space version:

Windows User: eg. 2013b 2013B

Polyspace sub project version:

Windows User: eg. TL108a_PolyspaceSuprt_1.0.0 NA

QAC version:

Windows User: eg 8.1.1-R N/A

QAC sub project version:

Windows User: eg. TL_100A_1.1.0 N/A

Quality Check Items:

Rationale is required for all answers of No

Contract Folder's header files are appropriate and

kzshz2: Intended Use: Identify that the contract folder contains only the information required for this component. All other variables, constants, function prototypes, etc. should be removed. Rationale: This will help avoid unit testers having to considers object not used. It will also avoid having other files required for QAC.

N/A

Comments:

function prototypes match the latest component version

100% Compliance to the EA4 Static Analysis

Yes

Comments:

Compliance Guideline

Are previously added justification and deviation

N/A

Comments:

comments still appropriate

Do all MISRA deviation comments use approved

N/A

Comments:

deviation tags

Cyclomatic complexity and Static path count OK

Creager, Kathleen: use Browse Function Metrics, STCYC and STPTH

Yes

Comments:

for all functions in the component per Design

and Coding Standards rule [N47]

General Notes / Comments:

Polyspace reports rule 2.1, however, assembly code is sufficiently isolated because it is in it's own file, so no violation here

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 5: Integration Manual

Rev 1.2

8-Jun-15

Peer Review Meeting Log (Integration Manual Review)

Integration Manual Name:

kzshz2: Intended Use: Identify which file is being reviewed Rationale: Required for traceability. It will help to ensure this sheet is not attached to the wrong design review form. Mcu Integration Manual

Integration Manual Revision:

kzshz2: Intended Use: Identify which version of the integration manual has been reviewed. Rationale: Required for traceability between the MDD and review. Auditors will likely require this. 1

Quality Check Items:

Rationale is required for all answers of No

Synergy version matches header

Yes

Comments:

Latest template used

Yes

Comments:

Change log contains detailed description of changes

Yes

Comments:

Initial Version

Changes Highlighted (for Integrator)

N/A

Comments:

Initial Version

General Notes / Comments:

Integration manual only contains information relevant beyond what a standard BSW integration would required.

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

15 - Memory Abstraction Interface

Memory Abstraction Interface

Component Documentation

15.1 - MemIf Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. MemIf

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. MemIf_Vector_Ar4.0.3_03.01.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3173

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

15.2 - TechnicalReference_MemIf

YourTopic

15.3 - TechnicalReference_MemIf_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25

15.4 - TechnicalReference_MemIfs

MICROSAR MemIf
Technical Reference

Version 2.02.00

Authors
Tobias Schmid, Manfred Duschinger, Michael Goß
Status
Released

Technical Reference MICROSAR MemIf

1  Document Information
1.1
History
Author
Date
Version
Remarks
Tobias Schmid
2008-04-14
1.0
Creation of document
Manfred Duschinger
2013-02-20
1.01.00
Ch. 4.1. Update files
according to new generator
Ch. 6 Update Configuration
Michael Goß
2014-11-21
2.01.01
Typos were corrected and
content was modified a little
Michael Goß
2015-04-23
2.02.00
Content was updated
regarding SafeBSW MemIf
Table 1-1
History of the document
1.2
Reference Documents
No.
Title
Version
[1]
AUTOSAR_SWS_Mem_AbstractionInterface.pdf
V1.4.0
[2]
AUTOSAR_SWS_DET.pdf
V2.2.0
[3]
AUTOSAR_BasicSoftwareModules.pdf
V1.0.0
[4]
AUTOSAR_SWS_EEPROM_Abstraction.pdf
V2.0.0
[5]
AUTOSAR_SWS_Flash_EEPROM_Emulation.pdf
V2.0.0
Table 1-2
Reference documents

1.3
Scope of the Document
This technical reference describes the general use of module MemIf (AUTOSAR Memory
Abstraction Interface).

Please note
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2015, Vector Informatik GmbH
Version: 2.02.00
2 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

2  Introduction
This  document  describes  the  functionality, API  and  configuration  of  the AUTOSAR  BSW
module MemIf as specified in [1].

Supported AUTOSAR Release*:
4
Supported Configuration Variants:
PRE-COMPILE

Vendor ID:
MEMIF_VENDOR_ID
30 decimal
(=
Vector-Informatik,
according to HIS)
Module ID:
MEMIF_MODULE_ID
22 decimal
(according to ref. [3])
* For the precise AUTOSAR Release 4.x please see the release specific documentation.

MemIf (Memory Abstraction Interface) provides the interface that is used by the NvM to
access NV memory devices. Two different types of NV memory are intended for use: Flash
memory and EEPROM. To abstract the hardware dependencies of the memory devices,
low level drivers with a commonly defined API are used: Fls and Eep (internal or external).
These modules are abstracted by the modules Fee (Flash EEPROM Emulation) and Ea
(EEPROM Abstraction). Both modules may exist at the same time.
MemIf offers a common interface for accessing Fee or Ea instances. In order to distinguish
those different instances MemIf provides a set of device handles, which may be used for
configuration of NvM.
2015, Vector Informatik GmbH
Version: 2.02.00
6 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

2.1
Architecture Overview
The following figure shows where the MemIf is located in the AUTOSAR architecture.

Figure 2-1
AUTOSAR architecture

The next figure shows the interfaces to adjacent modules of the  MemIf. These interfaces
are described in chapter 5.
COM
DCM
NvM
IPDU
Det
MemIf
Fee
FR
Ea
CAN IF
FR IF
Fls
Eep

Figure 2-2
Interfaces to adjacent modules of the MemIf
2015, Vector Informatik GmbH
Version: 2.02.00
7 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

3  Functional Description
3.1
Features
The features listed in this chapter cover the complete functionality specified in [1].
The  "supported"  and  "not  supported"  features  are  presented  in  the  following  two  tables.
For further information of not supported features also see chapter 7.
The following features described in [1] are supported:
Feature
MemIf allows the NVRAM manager to access multiple instances of memory hardware
abstraction modules (Fee or Ea), regardless of different APIs and implementations.
Table 3-1
Supported SWS features
3.2
Initialization
MemIf does not need any initialization. Nevertheless it is necessary to initialize all memory
hardware abstraction module instances that are interfaced by MemIf.

Caution
MemIf does not provide any services for initialization of underlying memory hardware
  abstraction modules. Initialization of these modules is not done by MemIf!

3.3
Main Functions
MemIf  does  not  implement  main-functions  that  would  need  recurring  execution.  Job
requests are mapped to the appropriate underlying memory hardware abstraction module,
which implements the main-function for processing the job.

Caution
MemIf is not responsible for calling main-functions of the underlying hardware
  abstraction modules. Calling main-functions cyclically has to be implemented in the
BSW Scheduler (or something similar).

3.4
Error Handling
3.4.1
Development Error Reporting
Development  errors  are  reported  by  default  to  DET  using  the  service
Det_ReportError(),  (specified  in  [2]),  if  the  pre-compile  configuration  parameter  for
“Development Mode” and “Development Error Reporting” are enabled.
2015, Vector Informatik GmbH
Version: 2.02.00
8 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

The  reported  service  IDs  identify  the  services  which  are  described  in  5.3.  The  following
table presents the service IDs and the related services:
Service ID
Service
1
MemIf_SetMode
2
MemIf_Read
3
MemIf_Write
4
MemIf_Cancel
5
MemIf_GetStatus
6
MemIf_GetJobResult
7
MemIf_InvalidateBlock
8
MemIf_GetVersionInfo
9
MemIf_EraseImmediateBlock
Table 3-2
Mapping of service IDs to services
The errors reported to DET are described in the following table:
Error Code
Description
0x01
MEMIF_E_PARAM_DEVICE
The parameter denoting the device index passed to
the API service is out of range.
0x02
MEMIF_E_PARAM_POINTER  The parameter passed to MemIf_GetVersionInfo
references no valid address (NULL-Pointer).
Table 3-3
Errors reported to DET

3.4.1.1
Parameter Checking
The following table shows which parameter checks are performed on which services:

Check
o
ter
t
g a

e
n
c

i
s
i
ed
me
es
a
nc

v
ss ci r er dres

dek  pa erv  pak efe  add
Service
ex
I s
i

P
Chec
ndi A
Chec
for r
alv
MemIf_GetVersionInfo


MemIf_SetMode

MemIf_Read


MemIf_Write


MemIf_Cancel


MemIf_GetStatus


MemIf_GetJobResult


MemIf_InvalidateBlock


MemIf_EraseImmediateBlock


Table 3-4
Development Error Reporting: Assignment of checks to services
2015, Vector Informatik GmbH
Version: 2.02.00
9 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

AUTOSAR requires that API functions check the validity of their parameters. The checks in
Table 3-4 are internal parameter checks of the API functions.
2015, Vector Informatik GmbH
Version: 2.02.00
10 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

4  Integration
This chapter gives necessary information for the integration of the MICROSAR MemIf into
an application environment of an ECU.
4.1
Scope of Delivery
The delivery of the MemIf contains the files which are described in the chapters 4.1.1 and
4.1.2:
4.1.1
Static Files
File Name
Description
MemIf.h
API of module MemIf, only this file needs to be included by upper layer
software (e.g. NvM)
MemIf_Types.h
Defines all standard types, needed by upper layer modules as well as the
modules Fee and Ea.
This file needs to be included by all memory hardware abstraction
modules according to AUTOSAR.
MemIf.c
Implementation of the functionalities of the module MemIf
Table 4-1
Static files

4.1.2
Dynamic Files
The dynamic files are generated by the configuration tool.
File Name
Description
MemIf_Cfg.h
Configuration header file
MemIf_Cfg.c
Configuration source file
Table 4-2
Generated files

2015, Vector Informatik GmbH
Version: 2.02.00
11 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

4.2
Include Structure
deployment File Structure
Fee.h
«configurable
0..*
MemIf_Cfg.h
include»
Det.h
«include»
«configurable
Ea.h
include»
0..*
«include»
MemIf.h
MemIf_Types.h
«include»
Std_Types.h
«include»
«include»
«include»
«include»
MemIf.c
MemIf_Cfg.c

Figure 4-1
Include structure
4.3
Compiler Abstraction and Memory Mapping
The  objects  (e.g.  variables,  functions,  constants)  are  declared  by  compiler  independent
definitions  –  the  compiler  abstraction  definitions.  Each  compiler  abstraction  definition  is
assigned to a memory section.
The  following  table  contains  the  memory  section  names  and  the  compiler  abstraction
definitions, which are defined for the MemIf, and illustrates their assignment among each
other.

Compiler Abstraction
DE
Definitions

CO
A

_
T
E
A

T

T
D
S
E
A
L_
Memory Mapping
N
D
P
RIV
P
Sections
IF_CO
IF_CO
IF_P
IF_A
M
M
M
M
ME
ME
ME
ME
MEMIF_START_SEC_CONST_8BIT



MEMIF_STOP_SEC_CONST_8BIT
2015, Vector Informatik GmbH
Version: 2.02.00
12 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

MEMIF_START_SEC_CONST_32BIT



MEMIF_STOP_SEC_CONST_32BIT
MEMIF_START_SEC_CODE




MEMIF_STOP _SEC_CODE
Memory sections in which underlying memory




hardware abstraction modules’ code resides
Memory sections of data buffers, which are passed


to the API services for read or write jobs
Memory sections of buffers passed to


MemIf_GetVersionInfo
Table 4-3
Compiler abstraction and memory mapping
2015, Vector Informatik GmbH
Version: 2.02.00
13 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

5  API Description
5.1
Interfaces Overview
class Logical View
Nv M
MemIf
+  MemIf_Cancel(uint8) : void
+  MemIf_EraseImmediateBlock(uint8, uint16) : Std_ReturnType
+  MemIf_GetJobResult(uint8) : MemIf_JobResultType
+  MemIf_GetStatus(uint8) : MemIf_StatusType
+  MemIf_GetVersionInfo(Std_VersionInfoType*) : void
Det
+  MemIf_InvalidateBlock(uint8, uint16) : Std_ReturnType
+  MemIf_Read(uint8, uint16, uint16, MemIf_DataPtr_pu8*, uint16) : Std_ReturnType
+  Det_ReportError(uint16, uint8, uint8, uint8) : void
+  MemIf_SetMode(MemIf_ModeType) : void
+  MemIf_Write(uint8, uint16, MemIf_DataPtr_pu8) : Std_ReturnType
0..*
0..*
Fee
Ea
+  Fee_Cancel() : void
+  Ea_Cancel() : void
+  Fee_EraseImmediateBlock(uint16) : Std_ReturnType
+  Ea_EraseImmediateBlock(uint16) : Std_ReturnType
+  Fee_GetJobResult() : MemIf_JobResultType
+  Ea_GetJobResult() : MemIf_JobResultType
+  Fee_GetStatus() : MemIf_StatusType
+  Ea_GetStatus() : MemIf_StatusType
+  Fee_GetVersionInfo(Std_VersionInfoType*) : void
+  Ea_GetVersionInfo(Std_VersionInfoType) : void
+  Fee_Init() : void
+  Ea_Init() : void
+  Fee_InvalidateBlock(uint16) : Std_ReturnType
+  Ea_InvalidateBlock(uint16) : Std_ReturnType
+  Fee_Read(uint16, uint16, uint8*, uint16) : Std_ReturnType
+  Ea_Read(uint16, uint16, uint8*, uint16) : Std_ReturnType
+  Fee_SetMode(MemIf_ModeType) : void
+  Ea_SetMode(MemIf_ModeType) : void
+  Fee_Write(uint16, uint8*) : Std_ReturnType
+  Ea_Write(uint16, uint8*) : Std_ReturnType

Figure 5-1
MemIf interactions with other BSW
5.2
Type Definitions
Type Name
C-Type  Description
Value Range
MemIf_StatusType
enum
Denotes the states of
MEMIF_UNINIT
BSW modules in the
Module is not initialized
memory stack
MEMIF_IDLE
There are no pending jobs that
need processing
MEMIF_BUSY
Module is processing jobs, no
further job requests are accepted
MEMIF_BUSY_INTERNAL
No job requests are being
processed, but the module is busy
executing internal operations
2015, Vector Informatik GmbH
Version: 2.02.00
14 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

Type Name
C-Type  Description
Value Range
MemIf_JobResultType  enum
Denotes the result of a
MEMIF_JOB_OK
job request after
Job processing finished
processing of this job
successfully
MEMIF_JOB_FAILED
Job processing finished with an
error
MEMIF_JOB_PENDING
Job is currently being processed
MEMIF_JOB_CANCELLED
Job has been cancelled by the
user
MEMIF_BLOCK_INCONSISTENT
Job finished successfully, but data
is inconsistent
MEMIF_BLOCK_INVALID
Job finished successfully but data
has been invalidated
MemIf_ModeType
enum
Denotes the processing
MEMIF_MODE_SLOW
mode for a module in the  Jobs are processed with the
memory stack
configured properties for slow
mode
MEMIF_MODE_FAST
Jobs are processed with the
configured properties for fast mode
Table 5-1
Type definitions
5.3
Services provided by MemIf
The MemIf API consists of services, which are realized by function calls.
5.3.1
MemIf_GetVersionInfo
Prototype
void MemIf_GetVersionInfo ( Std_VersionInfoType * VersionInfoPtr )
Parameter
VersionInfoPtr
Reference to a version information structure in RAM

Return code
-
-
Functional Description
This service writes the version information of MemIf to the referenced structure.
Particularities and Limitations
  In case the input parameter references an invalid address (NULL-pointer) the error
MEMIF_E_PARAM_POINTER is reported to Det and execution of the service is aborted.
  This service is only available if “Version Info Api” is configured to STD_ON
2015, Vector Informatik GmbH
Version: 2.02.00
15 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

Expected Caller Context
  This service has no restriction to the allowed or expected caller context.
Table 5-2
MemIf_GetVersionInfo
5.3.2
MemIf_SetMode
Prototype
void MemIf_SetMode(MemIf_ModeType Mode )
Parameter
Mode
Mode to switch modules into

Return code
-
-
Functional Description
This service switches all underlying memory hardware abstraction modules to the requested mode of
operation, by calling [Ea|Fee]_SetMode (See description of respective module’s function).
Particularities and Limitations
  All memory abstraction modules have to be in state MEMIF_IDLE when this service is
executed.
Call context
>  This service has no restriction to the allowed or expected caller context.
Table 5-3
MemIf_SetMode
5.3.3
MemIf_Read
Prototype
Std_ReturnType MemIf_Read
(

uint8
DeviceIndex,

uint16  BlockNumber,

uint16  BlockOffset,

uint8*  DataBufferPtr,

uint16  Length
)
Parameter
DeviceIndex
Index of the memory hardware abstraction module to which the read operation

shall be delegated.
BlockNumber
Identifies the block to read in non

-volatile memory.
BlockOffset
Offset in the block identified by BlockNumber from which on reading is

performed
DataBufferPtr
Reference to the data buffer to which the data in non

-volatile memory is read
to.
Length
Number of bytes to read

2015, Vector Informatik GmbH
Version: 2.02.00
16 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

Return code
E_OK
Read job request is accepted by the addressed memory hardware abstraction

module.
E_NOT_OK
Read job request is rejected by the addressed memory hardware abstraction

module.
Functional Description
Delegates the job request to the appropriate memory hardware abstraction module by calling the service
[Ea|Fee]_Read of the addressed module instance (See description of respective module’s function)
Particularities and Limitations
>  If the parameter DeviceIndex is out of range (greater than the number of configured
devices), the error code MEMIF_E_PARAM_DEVICE is reported to Det and execution of the
service is aborted.
Call context
>  NvM / Application
Table 5-4
MemIf_Read
5.3.4
MemIf_Write
Prototype
Std_ReturnType MemIf_Write
(

uint8
DeviceIndex,

uint16  BlockNumber,

uint8*  DataBufferPtr
)
Parameter
DeviceIndex
Index of the memory hardware abstraction module to which the write

operation shall be delegated.
BlockNumber
Identifies the block to write to non

-volatile memory.
DataBufferPtr
Reference to the data buffer whose content is written to non

-volatile memory
Return code
E_OK
Write job request is accepted by the addressed memory hardware abstraction

module.
E_NOT_OK
Write job request is rejected by the addressed memory hardware abstraction

module.
Functional Description
Delegates the job request to the appropriate memory hardware abstraction module by calling the service
[Ea|Fee]_Write of the addressed module instance (See description of respective module’s function)
Particularities and Limitations
>  If the parameter DeviceIndex is out of range (greater than the number of configured
devices), the error code MEMIF_E_PARAM_DEVICE is reported to Det and execution of the
service is aborted.
Call context
2015, Vector Informatik GmbH
Version: 2.02.00
17 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

>  NvM / Application
Table 5-5
MemIf_Write
5.3.5
MemIf_Cancel
Prototype
void MemIf_Cancel ( uint8 DeviceIndex )
Parameter
DeviceIndex
Index of the memory hardware abstraction module whose job processing shall

be cancelled.
Return code
-
-
Functional Description
Delegates the cancel request to the appropriate memory hardware abstraction module by calling the
service [Ea|Fee]_Cancel of the addressed module instance (See description of respective module’s
function)
Particularities and Limitations
>  If the parameter DeviceIndex is out of range (greater than the number of configured
devices), the error code MEMIF_E_PARAM_DEVICE is reported to Det and execution of the
service is aborted.
Call context
>  NvM / Application
Table 5-6
MemIf_Cancel
5.3.6
MemIf_GetStatus
Prototype
MemIf_StatusType MemIf_GetStatus ( uint8 DeviceIndex )
Parameter
DeviceIndex
Index of the memory hardware abstraction module whose job processing shall

be cancelled.
Return code
MEMIF_IDLE
Addressed module is ready to accept job requests

MEMIF_UNINIT
Addressed module is not initialized

MEMIF_BUSY
Addressed module is processing a job and is not able to accept new job

requests
MEMIF_BUSY_INTERNAL Addressed module is not processing any job requests, but the module is busy
  executing internal operations
Functional Description
Delegates the call to this service to the appropriate memory hardware abstraction module by calling the
service [Ea|Fee]_GetStatus (See description of respective module’s function).
2015, Vector Informatik GmbH
Version: 2.02.00
18 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

Particularities and Limitations
>  If the parameter DeviceIndex is out of range (greater than the number of configured
devices and unequal to MEMIF_BROADCAST_ID), the error code MEMIF_E_PARAM_DEVICE is
reported to Det and execution of the service is aborted.
>  In case the MEMIF_BROADCAST_ID is used as device index parameter, the overall status of all
underlying memory abstraction modules is returned. This overall status is computed as
follows:
>
MEMIF_IDLE – all underlying devices are in this state
>
MEMIF_UNINIT – at least one device returned this state
>
MEMIF_BUSY – at least one device returned this state and no other returned
MEMIF_UNINIT
>
MEMIF_BUSY_INTERNAL – at least one device returned this state and no other returned
MEMIF_BUSY or MEMIF_UNINIT
Call context
>  NvM / Application
Table 5-7
MemIf_GetStatus
5.3.7
MemIf_GetJobResult
Prototype
MemIf_JobResultType MemIf_GetJobResult ( uint8 DeviceIndex )
Parameter
DeviceIndex
Index of the memory hardware abstraction module whose job

processing shall be cancelled.
Return code
MEMIF_JOB_OK
Job processing finished successfully

MEMIF_JOB_FAILED
Job processing finished with an error

MEMIF_JOB_PENDING
Job is currently being processed

MEMIF_JOB_CANCELLED
Job has been cancelled by the user

MEMIF_BLOCK_INCONSISTENT
Job finished successfully, but data is inconsistent

MEMIF_BLOCK_INVALID
Job finished successfully but data has been invalidated

Functional Description
Delegates the call to this service to the appropriate memory hardware abstraction module by calling the
service [Ea|Fee]_GetJobResult (See description of respective module’s function).
Particularities and Limitations
>  If the parameter DeviceIndex is out of range (greater than the number of configured
devices), the error code MEMIF_E_PARAM_DEVICE is reported to Det and execution of the
service is aborted.
Call context
>  NvM / Application
Table 5-8
MemIf_GetJobResult
2015, Vector Informatik GmbH
Version: 2.02.00
19 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

5.3.8
MemIf_EraseImmediateBlock
Prototype
Std_ReturnType MemIf_EraseImmediateBlock
(

uint8
DeviceIndex,

uint16  BlockNumber
)
Parameter
DeviceIndex
Index of the memory hardware abstraction module to which the operation shall

be delegated.
BlockNumber
Identifies the block to erase in non

-volatile memory.
Return code
E_OK
Erase job request is accepted by the addressed memory hardware abstraction

module.
E_NOT_OK
Erase job request is rejected by the addressed memory hardware abstraction

module.
Functional Description
Delegates the job request to the appropriate memory hardware abstraction module by calling the service
[Ea|Fee]_EraseImmediateBlock of the addressed module instance (See description of respective module’s
function)
Particularities and Limitations
>  If the parameter DeviceIndex is out of range (greater than the number of configured
devices), the error code MEMIF_E_PARAM_DEVICE is reported to Det and execution of the
service is aborted.
Call context
>  NvM / Application
Table 5-9
MemIf_EraseImmediateBlock
5.3.9
MemIf_InvalidateBlock
Prototype
Std_ReturnType MemIf_InvalidateBlock
(

uint8
DeviceIndex,

uint16  BlockNumber
)
Parameter
DeviceIndex
Index of the memory hardware abstraction module to which the operation shall

be delegated.
BlockNumber
Identifies the block to invalidate in non

-volatile memory.
Return code
E_OK
Erase job request is accepted by the addressed memory hardware abstraction

module.
E_NOT_OK
Erase job request is rejected by the addressed memory hardware abstraction

module.
2015, Vector Informatik GmbH
Version: 2.02.00
20 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

Functional Description
Delegates the job request to the appropriate memory hardware abstraction module by calling the service
[Ea|Fee]_InvalidateBlock of the addressed module instance (See description of respective module’s
function)
Particularities and Limitations
>  If the parameter DeviceIndex is out of range (greater than the number of configured
devices), the error code MEMIF_E_PARAM_DEVICE is reported to Det and execution of the
service is aborted.
Call context
>  NvM / Application
Table 5-10
MemIf_InvalidateBlock
5.4
Services used by MemIf
In the following table services provided by other components, which are used by the MemIf
are  listed.  For details about  prototype and functionality refer to the documentation of  the
providing component.
Component
API
DET (see [2])
Det_ReportError
EA (see [4])
Ea_SetMode
Ea_Read
Ea_Write
Ea_Cancel
Ea_GetStatus
Ea_GetJobResult
Ea_InvalidateBlock
Ea_GetVersionInfo
Ea_EraseImmediateBlock
FEE (see [5])
Fee_SetMode
Fee_Read
Fee_Write
Fee_Cancel
Fee_GetStatus
Fee_GetJobResult
Fee_InvalidateBlock
Fee_GetVersionInfo
Fee_EraseImmediateBlock
Table 5-11
Services used by the MemIf
2015, Vector Informatik GmbH
Version: 2.02.00
21 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

6  Configuration
The  MEMIF  attributes  can  be  configured  using  the  DaVinci  Configurator.  The  outputs  of
the configuration and generation process are the configuration source files.
The description of each used parameter is set in the MemIf bswmd file.
2015, Vector Informatik GmbH
Version: 2.02.00
22 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

7  AUTOSAR Standard Compliance
7.1
Deviations
7.1.1
Extension of Error Codes
In contradiction to AUTOSAR standard MemIf019, no set of macros is implemented, which
maps  the  Memory  Abstraction  Interface  API  to  the  API  of  the  corresponding  memory
abstraction module.
7.2
Additions/ Extensions
No Extensions to AUTOSAR standard
2015, Vector Informatik GmbH
Version: 2.02.00
23 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

8  Glossary and Abbreviations
8.1
Glossary
Term
Description
DaVinci Configurator  Generation tool for MICROSAR components
Table 8-1
Glossary
8.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
DET
Development Error Tracer
ECU
Electronic Control Unit
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
SRS
Software Requirement Specification
SWS
Software Specification
NVRAM
Non Volatile RAM Manager
NvM
NVRAM Manager
Fee
Flash EEPROM Emulation
Ea
EEPROM Abstraction
Fls
Flash Driver
Eep
EEPROM Driver
RAM
Random Access Memory
Table 8-2
Abbreviations
2015, Vector Informatik GmbH
Version: 2.02.00
24 / 25
based on template version 3.1

Technical Reference MICROSAR MemIf

9 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 2.02.00
25 / 25
based on template version 3.1

Document Outline

16 - Network Management Interface

Network Management Interface

Component Documentation

16.1 - Nm Integration Manual

Integration Manual

For

Nm

VERSION: 1

DATE: 02/02/17

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA

Location: The official version of this document is stored in the Nexteer Configuration Management System.

Revision History

Sl. No.	Description	Author	Version	Date
1	Initial version	Lucas Wendling	1.0	02/02/17

Table of Contents

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

Configuration REQUIREMeNTS

The Nm component is provided with a template file for configuration of the module. This template file should be copied into the project for inclusion in the build after adapting the template for the needs of the project. Additionally, the leading underscore should be removed from this file. This file can be found in the “tools/template/” folder of this component. For details on how to adapt, third party documentation found in this component can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	Notes

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger

Runnable	Scheduling Requirements	Trigger

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

16.2 - Nm Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Nm

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Nm_Vector_GMLAN3.1_04.04.03_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#9536

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

02/03/17

Lead Peer Reviewer:

Rijvi

Approved by Reviewer(s):

Yes

Other Reviewer(s):

16.3 - TechnicalReference_Nm_Gmlan_Gm

Nm_Gmlan_Gm

16.4 - TechnicalReference_Nm_Gmlan_Gm_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59

16.5 - TechnicalReference_Nm_Gmlan_Gms

Nm_Gmlan_Gm
Technical Reference

Version 2.03.01

Authors
Marco Pfalzgraf
Status
Released

Technical Reference Nm_Gmlan_Gm

1  Document Information
1.1
History
Author
Date
Version
Remarks
M. Radwick
2002-06-14
1.0
creation
M. Radwick
2002-12-24
1.1
Incorporate comments from Armin
Happel.
Added Introduction, Overview and
Functional sections.
Klaus Emmert
2004-02-23
1.2
New Layout.
Ralf Fritz
Minor changes.
Ralf Fritz/ Laura Winder
2004-10-12
1.3
Minor changes in API chapter.
Ralf Fritz
2005-05-09
1.4
Data types changed
Ralf Fritz
2005-08-02
1.5
Macros to access the return value of
IlNwmIsActiveVN added
Ralf Fritz
2006-10-02
1.6
Changed description of bus-off recovery
time.
Ralf Fritz
2007-03-23
1.7
Function description of
IlNwmGetActiveListVN changed.
Calibration section removed
Description of ApplNwmReinitRequest
corrected.
Markus Schwarz
2007-12-06
2.00
ESCAN00021184
added description for GENy
adapted to new template
changed order of chapters
Markus Schwarz
2010-07-16
2.00.01
ESCAN0030766: added chapter 4.5
Marco Pfalzgraf
2012-08-15
2.01.00
ESCAN00055995,
ESCAN00055998:
adapted chapters 6.2 and 6.3.3
Marco Pfalzgraf
2012-08-31
2.02.00
ESCAN00054683: Corrected code
example in chapter 5.3.2 ‘Periodic
tasks’
ESCAN00060804: Added chapter 4.11
Marco Pfalzgraf
2012-10-26
2.02.01
Added chapter 2
Marco Pfalzgraf
2013-05-15
2.02.02
ESCAN00067275: Adapted description
of callback ApplNwmReinitRequest
Marco Pfalzgraf
2015-01-19
2.03.00
ESCAN00080646: Added API
description for context switch support
Marco Pfalzgraf
2015-12-18
2.03.01
ESCAN00069542: Adapted description
about activation of init active VNs
ESCAN00087111: Added limitation to
IlNwmTask API description and chapter
5.3.2.
2015, Vector Informatik GmbH
Version: 2.03.01
2 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

Table 1-1   History of the Document
1.2
Reference Documents
No.
Source  Title
Version
[1]
GM
Communication Strategy Specification GMW 3104
1.5
[2]
GM
RSM Fault Detection and Mitigation Algorithm
-
[3]
GM
RSM GMLAN Handler Robustness Changes V2
-
[4]
GM
RSM GMLAN Handler NM Race Condition Resolution
-
[5]
Vector
Technical Reference GMLAN Calibration
2.01.00
Table 1-2   Reference Documents

Please note
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector’s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2015, Vector Informatik GmbH
Version: 2.03.01
3 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

2  Component History
This chapter describes the implementation history of the Vector Network Management for
General Motors (since version 4.02.00).
2.1
Nm_Gmlan_Gm Version 4.02.00
In this version robustness changes were implemented according to [3].
2.1.1
What is new?
>  The signal/node supervision timer is not started for a calibrateable time ‘Sleep
Transition Time’ after VN activation.
>  Additional ‘Sleep transition delay time’ was introduced as a calibrateable value.
Please refer to [5] ‘Technical Reference GMLAN Calibration’ for more information about
these new calibrateable values.
2.1.2
What has changed?
>  Initially active VNs are no more activated at power on. They are only activated by a
High Level Voltage Wakeup (HLVW).
2.2
Nm_Gmlan_Gm Version 4.03.00
In this version robustness changes were implemented according to [2] and [4].
2.2.1
What is new?
>  Introduced Fault Detection and Mitigation Algorithm (see chapter 4.11)
2.2.2
What has changed?
>  Removed the possibility that the GMLAN handler enters a loop where it transmits a
HLVW frame every 100ms (according to [4]).
2015, Vector Informatik GmbH
Version: 2.03.01
7 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

3  Introduction
Nowadays cars are growing to become more and more complex systems. The functionality
of a modern car is not dominated by mechanical components anymore. Electrical Control
Units (ECU), sensors and actors became irreplaceable parts of a car. They are responsible
for  the  reasonable  functions  of  the  power  train,  the  chassis  and  the  body  of  a  car.  An
example for some ECUs is shown in Figure 3-1
In  many  ways  the  functionality  of  an  ECU  in  a  car  depends  on  information  provided  by
other ECUs. For example the ECU of the dashboard needs the number of revolutions per
time  of  the  wheels  to  display  the  car’s  speed.  As  a  result  communication  between  the
ECUs is a significant component of a modern vehicle.

Figure 3-1  Example for Some ECU's in a Modern Car
The  communication  between  ECUs  should  essentially  remain  encapsulated.  The
application working on an ECU should not need to know how to transmit or receive data
from  other  ECUs.  Therefore  Vector  Informatik  GmbH  provides  a  set  of  modules  for  the
communication of ECUs by the CAN bus.
These communication modules are called CANbedded. They relieve the application of its
communication  assignment  including  the  exchange  of  simple  data,  diagnostic  data,  NM
data, calibration data and more. This document is concerned with how ECU’s interact via
NM.

2015, Vector Informatik GmbH
Version: 2.03.01
8 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

3.1
Layer Concept
The  implementation  of  the  Network  Management  (NM)  is  intended  to  relieve  the
application  of  communication  tasks.  The  NM  is  one  of  the  communications  modules  of
CANbedded offered by Vector Informatik GmbH. It is adapted to the specific requirements
of  General  Motors. The  CANbedded  communication  modules  are  organized  in  layers  as
shown in Figure 3-2. They consist of the Interaction Layer, the Network Management, the
Transport Protocol, the Diagnosis Layer, the CAN Calibration Protocol and the CAN Driver
(Data Link Layer).

os CAN
Application
Diagnostics
Layer
Universal
Measure-
Interaction
Network
ment
Layer
Management
And
Communication
Calibration
Control
Transport Protocol
Protocol
Layer
CAN Driver
CAN
CAN Controller
Controller
Tr
Tr an
an sc
scee
i iver
ver
CAN Bus

Figure 3-2  Layer model of Vector’s CAN communication modules CANbedded

The  availability  of  the  CAN  bus  is  controlled  by  the  NM.  The  NM  provides  the  following
features:
>  Control the start-up and the shut-down of the IL
>  Control the activation and deactivation of VNs
>  Control the peripheral hardware (CAN Controller and Bus Transceiver)
>  Error recovery after BusOff
2015, Vector Informatik GmbH
Version: 2.03.01
9 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

The Diagnosis Layer handles diagnostic services by CAN. It is used for the  evaluation of
the diagnosis  requests  and for  the  exception  handling  of  invalid  conditions  like unknown
services. To provide the diagnosis state, often rather long data, the Transport Protocol is
used.
The CAN Calibration Protocol is specially designed for calibration and measurement data
acquisition  in  ECUs.  It  has  been  defined  by  the  European  ASAP  task  force  as  a  CAN
based high speed interface for measurement and calibration systems (MCS).
If  any  information  which  has to  be  transmitted by  the  CAN bus  does  not fit  into  a  single
data frame because the data length exceeds 8 bytes, the Transport Protocol splits the data
into several CAN messages using the same identifier.
The  CAN  Driver  provides  a  mostly  hardware  independent  interface  to  the  higher
communication layers. This enables the hardware independent implementation of the latter
modules and the target platform independent reuse of them.

3.2
NM Features
GM’s NM behavior is completely specified in [1].
The  NM  is  used  to  control  the  start-up,  shutdown,  and  error  handling  for  the  ECU.  NM
introduces the concept of a Virtual Network (VN), which is used by the system designer to
divide the signals sent and received by an ECU into related functional groups. Use of VNs
help conserve power and CAN bus bandwidth by permitting transmission and reception of
only the signals and messages that are required at a given time. VNs may be individually
active  or  inactive.  The  state  of  all  VNs  is  communicated  between  ECUs  using  a  Virtual
Network Management Frame (VNMF). If a VN is active, then the ECU will be able to send
and receive the signals associated with the VN. The NM will defer application requests to
send a signal until one of its associated VNs is activated. If all the VNs of an ECU become
inactive, then the ECU application is given the opportunity to go to sleep, thus conserving
power.
The primary responsibilities of the NM are shown below:
>  Keep VNs active on other nodes by sending out VNMF messages at fixed time
intervals
>  Activate relevant VNs upon receipt of VNMFs.
>  Restart VN timer on reception and transmission of VNMF
>  Count down the VN timer and deactivate VN when VN timer expires
>  Respond to and recover from bus failures.

2015, Vector Informatik GmbH
Version: 2.03.01
10 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

3.3
VN Concept
VNs are defined by the platform engineer to associate signals that are distributed among
different ECUs in the CAN network. Every signal that may be exchanged between ECUs is
associated with one or more VNs. The associations are defined using specific attributes in
the  message  database.  The  purpose  of  this  association  is  to  minimize  the  number  of
messages being transmitted on the CAN bus at any given time. If there are no ECUs that
require any signals associated with a VN, then the VN is deactivated, and transmission of
those signals is halted.
ECUs  are  not  required  to  participate  in  all  VNs.  The  VNs  an  ECU  participates  in  are
determined  by  configuration  settings  given  in  the  database.  VN  participation  should  be
configured according to the CTS documentation released by GM.
There  are  four  ways  in  which  an  ECU  may  be  associated  with  a  VN.  The  possible
relationships are:
>  Activator (Network Activated): The ECU, in response to some application related
event, needs to send and/or receive signals. The application directs NM to activate
one or more VNs. The ECU begins transmitting VNMF messages to notify other ECUs
of the activation.
>  Remotely Activated:  The ECU is required respond to VN activations that are initiated
by other ECUs. Remote activations are initiated in response to a received VNMF
message.
>  Shared Local: The ECU responds to an input event common to all modules that
participate in the VN.
>  Initially Active:  The VN is temporarily activated by NM upon reception or transmission
of a HLVW message.
Each  VN  may  be  configured  as  any  combination  of  Activator,  Remotely  Activated,  and
Initially Active. However, if the VN is Shared Local, then the Activator and Remote options
are excluded. The reason is related to how the activation is communicated to other ECUs.
Normally,  the  NM  will  send  a  VNMF  message  on  the  CAN  bus  when  an  application
requests  that a VN be activated. Since ECUs participating in  a Locally Activated VNs all
see the same input event at the same time, there is no need to send or expect a VNMF
message.

2015, Vector Informatik GmbH
Version: 2.03.01
11 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

4  Functional Description
4.1
NM States
The behavior of VNs is defined for three primary states: COMM-OFF, COMM-ENABLED,
and COMM-ACTIVE.

Figure 4-1  States of NM
COMM-OFF indicates that all VNs are deactivated, and that the CAN controller has been
disabled.  The  application  developer  has  the  option  to  put  the  ECU  micro-controller  to
sleep. During this state, no messages on the CAN bus can be processed. There are two
ways to wake up the communications kernel: The application activates a  VN, or, another
ECU transmits a HLVW message. The NM responds to both of these events by entering
the COMM-ENABLED state.
COMM-ENABLED is an intermediate state. While in this state, the communications kernel
will process only one message: a VNMF. The VNMF message identifies all of the VNs that
are  remotely active. The  NM examines the contents of  a VNMF to determine if the ECU
participates  in  any  of  the  active  VNs.  If  any  relevant  VNs  are  activated  as  a  result  of  a
VNMF message, or due to an application request, then NM will enter the COMM-ACTIVE
state. If all relevant VNs remain inactive for a configured amount of time, the NM will return
to the COMM-OFF state.
The  NM  will  remain  in  the  COMM-ACTIVE  state  so  long  as  any  VN  that  the  ECU
participates in is active. If the ECU application activates a (network-activated) VN, then NM
will periodically transmit a VNMF message. The NM will continue sending VNMFs until the
application deactivates all of the VNs that it started.
Reception  of  a  VNMF  is  also  used  to  keep  VNs  active.  NM  maintains  a  timer  for  each
remotely  activated  VN.  The  timer  for  a  VN  is  reset  to  a  fixed  value  each  time  a  VNMF
message is received indicating that the VN is active. If the VNMF ceases to indicate that
the VN is active (or if it ceases to arrive), then the VN timer(s) will eventually reach zero.
When a timer reaches zero, NM will stop sending and receiving signals associated with the
VN.
NM  will  transition  from  the  COMM-ACTIVE  state  to  the  COMM-ENABLED  state  when  it
determines that all the VNs relevant to the ECU are inactive.

2015, Vector Informatik GmbH
Version: 2.03.01
12 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

4.2
Normal Operation
At  power-up,  the  NM  will  initialize  all  VNs  as  inactive.  Afterwards,  NM  will  enter  the
COMM-ENABLED  state.  After  initialization,  the  application  is  free  to  activate  any  VN
configured  as  Activator  or  Locally  Active.  To  activate  a  VN,  the  application  invokes
IlNwmActivateVN(). Deactivation is accomplished using IlNwmDeactivateVN().
Activation  of  a  VN  is  affected  by  several  factors.  VNs  configured  as  Activator  or
Locally-Activated are completely under the control of the application. VNs activated by the
application will remain active until the application requests that the VN be deactivated. For
Locally-Activated  VNs,  transmission  and  reception  of  signals  is  halted  immediately.  VNs
configured  as Activator  are  deactivated  by  NM  8  seconds  after  the  application  requests
deactivation.
When  the  application  requests  activation  of  an Activator  VN,  NM  will  check  to  see  how
much time has elapsed since the last time a HLVW message has been sent. If the interval
is too large, NM will automatically send a HLVW message in order to wake up all the ECUs
on the network. NM will wait a short time (100ms) to give the other ECUs time to initialize,
and then transmit a VNMF to notify the other ECUs of the VN activation.
NM  will  activate  all  VNs  configured  as  Initially  Active  whenever  a  HLVW  message  is
received. The VNs will remain active for 8 seconds and then automatically deactivate. If an
Initially  Active  VN  is  already  active  when  a  HLVW  message  is  received,  the  HLVW  will
reset  the  VN  timers,  allowing  the  Initially  Active  VNs  to  continue for  8  seconds  after  the
HLVW message was received.

2015, Vector Informatik GmbH
Version: 2.03.01
13 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

4.3
Low Voltage Tolerant Mode
Low Voltage Tolerant (LVT) mode is an optional feature intended to be used in situations
when  it  is  possible to predict  when  the  ECU’s  voltage  level  will  be  low.  In  a  low  voltage
environment, communication errors between ECUs will be more frequent. The purpose of
LVT mode is to reduce the amount of time required to recover from the errors. LVT Mode is
a distributed operation: all active ECUs should be programmed to enter LVT mode when a
“LVT Master” ECU sends an entry request. The NM does not implement all the functions
needed  to  support  LVT  mode.  ECUs  are  required  to  implement  application-specific
behavior to completely support LVT mode. Please consult the CTS documentation for the
ECU to determine if the application is required to support LVT mode.
When  LVT  mode  is  active,  the  NM  will  not  transmit  any  HLVW  messages.  Only  VNMFs
needed to activate VNs will be transmitted (VNMFs needed to maintain active VNs will not
be  transmitted).  In  addition,  the  timers  that  control  deactivation  of  VNs  and  signal
supervision  are  disabled.  As  a  result,  active  VNs  will  remain  active  until  LVT  mode  is
disabled.
LVT mode  is  the  default  at  power-up.  If  CAN-OFF  during  Low-Voltage  Mode  is enabled,
the application must exit Low Voltage mode before any messages can be transmitted.

Entry and exit from LVT mode is controlled by the ECU application via functions in the NM.
LVT mode is automatically in  effect  when NM leaves the COMM-OFF state. This implies
that  the  ECU  responsible  for  LVT  management  (the  “LVT  Master”)  must  exit  LVT  mode
before  activating  the  VN  that  carries  the  LVT  exit  signal.  To  enter  LVT  mode,  call
IlNwmEnterLowVoltageMode().
To
enable
transmission
of
HLVWs,
call
IlNwmExitLowVoltageMode().

The  transmit  path  of  the  IL  can  also  be  disabled  in  LVT  mode.  The  node  will  not  send
messages  associated  with  active  and  activated  VNs  in  that  case.  This  feature  can  be
enabled in the configuration.

LVT mode can be enabled in the configuration tool.
If  enabled,  the  “CAN-Off  during  Low-Voltage  Mode”  option  becomes  available.  The
CAN-Off option modifies the behavior when LVT mode is activated by the application. If the
CAN-Off  option  is  selected,  then  ECU  will  stop  sending  all  messages  (instead  of  just
HLVW messages). This implies that the application will be unable to activate any Network
Activated VNs while LVT+CAN-Off mode is on.
2015, Vector Informatik GmbH
Version: 2.03.01
14 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

4.4
High Load
Activation  during  High  Load  is  another  optional  feature  of  NM.  If  the  ECU  configuration
includes this, then the application will have the ability to inhibit (and restore) VN activation.
If  the  application  requests  to  activate  a  network  activated  VN  (configured  as Activator),
then  NM  will  defer  activation  until  the  application  informs  NM  to  allow  VN  activation.
Requests  to  deactivate  a  deferred  VN  will  clear  the  activation  request.  All  outstanding
activation requests will be attempted by NM when the application allows activation.
The High Load option is enabled in the configuration tool. To enable this option, select “VN
Activation  during  high  load”  from  the  GMLAN  Options  tab.  To  inhibit  VN  activation,  the
application  should  invoke  IlNwmInhibitActivationVN(),  to  restore  activation,  call
IlNwmAllowActivationVN().

4.5
HighSpeed Mode
HighSpeed  mode  allows  the  ECU  application  to  request  an  alternate  communication
speed  on  the  CAN  bus.  This  is  normally  used  in  response  to  a  diagnostics  request  to
download/flash calibration or program data.
Remote VN activation requests (via a received VNMF message) are ignored in HighSpeed
Mode.
HighSpeed mode is intended to be used only with single-wire CAN networks.
HighSpeed mode is available only if enabled in the configuration
When HighSpeed mode is enabled, the configuration tool provides two CAN initialization
objects  (0=Standard,  1=HighSpeed). The  CAN  settings  of  these  two  initialization  objects
determine  the  used  baudrate  for  each  mode.  These  settings  are  used  to  configure  the
CAN controller hardware when a mode change occurs.
Typical baud rates are 33.333K for standard communication and 83.333K for HighSpeed
communication.
HighSpeed  mode  should  only  be  activated  after  the  application  has  requested
NormalCommunicationHalted mode.
To enter HighSpeed mode, the application calls IlNwmSetHispeedMode().
The standard communications rate is restored by invoking IlNwmResetHispeedMode().
2015, Vector Informatik GmbH
Version: 2.03.01
15 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

4.6
Normal Communication Halted Mode
NormalCommunicationHalted  (NCH)  mode  is  used  to  support  diagnostics
communications.  The  application  usually  invokes  this  mode  in  response  to  a  diagnostic
service  request  (DisableNormalCommunications).  When  the  application  requests  this
mode,  all  VNs  are  deactivated.  The  diagnostics  VN  (VN  0)  is  activated.  While  in  NCH
mode, all requests to activate a VN are denied.
The  application  should  invoke  IlNwmNormalCommHalted()  to  halt  normal
communications.
Calling
IlNwmReturnToNormalMode()
will
restore
normal
communications. Note that all VNs remain deactivated after returning to normal mode. The
application is responsible for re-activating any required VNs.
See also: GMW3110: GMLAN Enhanced Diagnostic Test Mode Specification
4.7
Bus Off
The  CAN  Data Link  Layer  specification  requires  that  the  CAN  controller  enters  a  BusOff
state in the event of too many transmit errors. The NM is notified of this event by the CAN
driver.  In  response  to  the  first  BusOff,  the  NM  will  re-initialize  the  CAN  controller  and
restart  communications.  Upon  restart,  NM  will  start  the  BusOff  Recovery  Timer.  If  a
subsequent  BusOff  event  occurs  before  the  timer  expires,  then  the  controller  will  be  re-
initialized,  but  the  transmit  path  will  remain  disabled  until  the  timer  reaches  zero.  After
enabling the transmit path, the NM will re-queue any messages pending transmission, and
restart the recovery timer.
After recovering from the BusOff event by re-initialization of the controller, it is possible to
receive signals from other ECUs.
If  the  application  attempts  to  activate  a  Network  Activated  VN  while  NM  is  waiting  to
recover  from  BusOff,  the  activation  request  will  be  deferred.  Upon  recovery,  the  VN
activation will attempted as normal.
If a remotely activated VN times out while waiting for BusOff recovery, then the VN will be
deactivated  as normal.  Deactivation  requests  made by  the  application  during  BusOff  will
be granted, in which case messages associated with the VN that are pending transmission
will be de-queued.
The application can be configured to be notified about a BusOff (ApplNwmBusoff()) and a
BusOff recovery (ApplNwmBusoffEnd)().
The  time  required  to  recover  from  BusOff  is  also  configurable.  The  value  of  “BusOff
recovery time” defines the recovery time in milliseconds. The default value is 3500ms for
body bus (single-wire) applications, and 110ms for powertrain (dual-wire) applications.
4.8
HLVW Failure Handling
On single-wire CAN networks, it is critical for the NM to confirm transmission of the HLVW
message when activating a VN. NM will retry transmission of the HLVW each time the NM
task  is  called for  100ms.  If  it fails,  the  CAN  controller  will  be  reset,  and the activation  is
retried three times.
2015, Vector Informatik GmbH
Version: 2.03.01
16 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

4.9
VN Activation Failure
The  application  may  be  notified  in  the  event  of  VN  activation  failures.  There  are  two
notifications:  VNMF Confirmation Timeout, and VN Activation Failed.
Activation of a Network Activated VN requires NM to transmit a  VNMF to notify the other
ECUs. If NM is unable to transmit the VNMF over a configured time-period, the application
may  be  notified  via  the  optional  callback  ApplNwmVnmfConfirmationTimeout().  The
timeout time is determined by the value (in milliseconds) of the “VNMF confirmation time”.
In addition to the VNMF Confirmation Timeout, applications may select to be notified when
individual VNs fail to activate. This feature is configurable.
When  enabled,  the  NM  will  invoke  callback  ApplNwmVnActivationFailed()  upon  VN
activation failures.
2015, Vector Informatik GmbH
Version: 2.03.01
17 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

4.10 VNMF Message
The NM communicates with the different ECUs via the VNMF. The composition of the
VNMF message is shown below:
VNMF messages always use an 11 bit CAN ID, defined by GM to be in the range 0x600 to
0x63F. VNMF messages contain 8 data bytes. The first data byte indicates the type of the
message: If bit 0 is set, then the message is a VNMF-Init message. Otherwise, the
message is a VNMF-Continue message. The remaining data bytes indicate which VN(s)
are active.

Figure 4-2 VNMF Message Layout

A VNMF-Init message is sent by NM whenever the application requests activation of one
or more Network-Activated VNs. The initialization message will identify all active VNs
managed by the ECU in addition to the new request(s).
Once the VNMF-Init message has been sent, NM will periodically send VNMF-Continue
messages to keep the other ECUs informed of the active VNs.
Each data byte contains a bit-mask that identifies the active VN. VNs are assigned
numeric values that are associated with a symbolic VN name in the message/signal
database. The configuration tool generates a macro for each VN that the ECU participates
in. The macros are defined in the file nm_cfg.h, and all have names of the form
VN_<virtual network name>. The application should use these macros as the VN
argument to all API functions that require a VN (e.g. IlNwmActivateVN())
4.11 Fault Detection and Mitigation Algorithm
To enhance robustness of the NM, a fault detection and mitigation algorithm as specified in
[2] observes the activation state of each VN and the global NM state of each channel.
There might be conditions that cause the NM to inadvertently keep single VNs or channels
active, although all VNs and therefore the whole channel should not be active. This might
happen e.g. due to single bit flips in NM internal variables. To prevent such situations and
2015, Vector Informatik GmbH
Version: 2.03.01
18 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

resulting  battery  drain  situations,  the  algorithm  performs  consistency  checks  to  detect
inadvertent activation of VNs and NM channels.

Note
To save RAM, ROM and runtime the whole Fault Detection and Mitigation Algorithm
  can be disabled in GENy by the attribute ‘Fault Detection and Mitigation Algorithm’. See
chapter 6.3.2 ‘System-specific Configuration Options’.

In case a faulty activated VN or network has been detected the application will be notified
by  callback  functions  and  the  corresponding  VN  or  network  will  be  deactivated.  In
particular the following faults can be detected:

4.11.1  VN Active Fault
A ‘VN Active Fault’ is detected, if a VN that should be inactive is still active for more than
twice the VN timer time (= 16s).
After the fault has been detected the algorithm will deactivate the corresponding VN and
notify  the  application  by  calling ApplNwmVnActiveFault()  (see  also  chapter  7.4  ‘Callback
Functions’).
4.11.2  Network Active Fault
A ‘Network Active Fault’ is detected, if the NM does not enter COMM-OFF state for more
than twice the COMM-ENABLE timer time (= 16s) after the last VN has been deactivated.
After the fault has been detected the algorithm will start the shut-down sequence for the
channel  and  the  application  is  informed  about  the  fault  by  the  call  of
ApplNwmNetworkActiveFault() (see also chapter 7.4 ‘Callback Functions’).
4.11.3  No Sleep Confirmation Fault
During  shut-down  the  application  has  to  optionally  confirm  the  transition  to  sleep
(ApplNwmSleepConfirmation()  ).  If  a  shut-down  is  started  due  to  the  detection  of  a
‘Network Active Fault’, the algorithm is different:
A ‘No Sleep Confirmation Fault’ will be detected when the application does not confirm the
transition to sleep for more than a configurable threshold value.
The concrete shut-down sequence depends on the following configuration attributes (See
also chapter 6.3.2 ‘System-specific Configuration Options’):
>  Sleep Confirmation: This attribute enables/disables the callback
ApplNwmSleepConfirmation(). The callback informs the application that sleep mode
can be entered and gives the application the control over sleep mode. Depending on
the return value of the callback, sleep mode is directly entered or a time delay is
triggered that results in another callback invocation after 8s.
If this attribute is disabled, the Fault Detection Algorithm will directly shut down after
‘Network Active Fault’ has been detected, i.e. a ‘No Sleep Confirmation Fault’ will
never be detected.
2015, Vector Informatik GmbH
Version: 2.03.01
19 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

>  No Sleep Confirmation Fault Reporting: If this attribute is enabled, the detection of
a ‘No Sleep Confirmation Fault’ will be reported to application by calling
ApplNwmNoSleepConfirmationFault (see also chapter 7.4 ‘Callback Functions’).
>  No Sleep Confirmation Fault Mitigation: If this attribute is enabled, the detection of
a ‘No Sleep Confirmation Fault’ will cause the Fault Detection Algorithm to shut down
the network even if the application still does not confirm sleep. If this attribute is
disabled, the mitigation of ‘No Sleep Confirmation Fault’ has to be handled by
application.
>  Max No Sleep Confirmation: This value defines the threshold for the number of times
the application may not confirm sleep before ‘No Sleep Confirmation Fault’ is detected.
This attribute can be configured for each channel. See chapter 6.3.3 ‘Channel-specific
Configuration Options’.

Note
The configuration options for the Fault Detection and Mitigation Algorithm might be not
  visible in GENy. In this case the attributes a pre-configured by Vector for your delivery.

2015, Vector Informatik GmbH
Version: 2.03.01
20 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

5  Integration
5.1
Involved Files
To integrate the NM in your project, you need the following (static) embedded files:
File
Content
gmnm.c
Source file of the NM. Contains all API and algorithms.
gmnmdef.h
Header file of the NM. Contains all static prototypes for the API and
definitions, such as symbolic constants.
_MemDef.h
Sample file for definitions of memory qualifies which will be used in
gmlcal.c and gmlcal.h.
Table 5-1   Static Files

Additionally  the  following  files  have  to  be  generated  by  the  configuration  tool  (refer  to
chapter 6 ‘Configuration’):
File
Content
nm_cfg.h
Scales the NM and provides constants.
nm_par.c
Dynamic source file of the NM. Contains configuration tables.
nm_par.h
Dynamic header file of the NM.
gmlcal.c
Source file of the NM calibration data.
gmlcal.h
Header file of the NM calibration data
Table 5-2   Dynamic Files

2015, Vector Informatik GmbH
Version: 2.03.01
21 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

5.2
Necessary Steps to Integrate the NM in Your Project
Following steps may be necessary to integrate the NM in your project:
>  Copy the NM-related files into your project.
>  Make these files available in your project settings, e.g. set the correct paths in your
makefile.
>  In order to make the NM available to your application, include the header file il_inc.h
into all files that make use of NM services and functions.
>  Start the configuration tool and configure the NM according to your needs (see chapter
“6 Configuration”).
>  Generate the configuration files (see chapter “6 Configuration”)
>  Implement all necessary callbacks in your application (see chapter “7.4 Callback
Functions”).
>  Build your project (compile & link).
2015, Vector Informatik GmbH
Version: 2.03.01
22 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

5.3
Necessary Steps to Run the NM
The  NM  should  already  have  been  integrated  in  your  project  and  the  building  process
should complete without any errors.
There are two main steps that have to be performed: Initialization and cyclic task calls.
Info
If you are using a CCL within the CANbedded stack, the initialization and the cyclic call
  of the task functions can be handled by the CCL. Please refer to the documentation of
the CCL.

5.3.1
Initialization
The NM needs to be initialized only once after system start. Further calls for example after
canceling  of  sleep  mode  are  not  necessary.  To  initialize  the  IL  and  the  NM  the  function
IlInitPowerOn()  is  provided  by  the  IL.  Please  note  that  it  is  not  allowed  to  call  any
function  of  these  modules  before  they  are  initialized.  Therefore  the  interrupts  should  be
disabled until the module  is initialized.  If CAN driver  will not  be initialized by the  NM,  be
sure that this is done before the first call of a cyclic IL or NM task function.

  DisableAllInterrupts();
  CanInitPowerOn(); /* if not handled by NM */
  IlInitPowerOn(); /* initializes IL and NM */
  ReenableAllInterrupts();

5.3.2
Periodic tasks
Add a cyclic function call of IlNwmTask() to your runtime environment. Ensure that the call
cycle matches the value which is configured in the configuration tool.
The recommend order to call the NM and IL tasks is first NM and then IL:
  IlNwmTask();
  IlRxTask();
  IlTxTask();

Caution
In preemptive systems and when CAN driver operates in polling mode it must be
  assured, that IlNwmTask does not interrupt NmConfirmation(), NmHVConfirmation(),
NmPrecopy() and NmHVPrecopy().

2015, Vector Informatik GmbH
Version: 2.03.01
23 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

5.4
Operating Systems
The  CANbedded  stack  is  designed  and  programmed  to  work  with  or  without  operating
systems. Since the modules have to work without an operating system, resource locking
mechanisms  are  not  handled.  To  lock  critical  resources,  interrupts  will  be  disabled  and
restored. The CAN driver (Data Link Layer) provides functions to fulfill this task.
Each  module  has  one  or  two  functions  (tasks)  which  have  to  be  called  periodically.  For
operating systems it is advisable to create one task and call all the  NM module functions
subsequently. To implement different periods of time, the OS task could have a counter to
implement this.
To ensure data consistency on pre-emptive multi-tasking operating systems or when using
kernel resources on interrupt level, there are two things to keep in mind.
>  The kernel provides mechanisms to keep data consistent within multi-byte signals.
That means, reading multi-byte data is always done while interrupts are locked. In that
case, no task switch can occur. The disadvantage to that mechanism is a longer
interrupt latency time. If your system is critical to long latency times, ensure that your
system works properly in all cases.
>  Bit field manipulation is done by macros. Some compilers and processors realize bit
field manipulation by read-modify-write accesses. If data accesses to bit fields in the
same byte are used on pre-emptive tasks or on interrupt level, a problem could be
caused. Try to avoid this or make resource locking to such accesses.
5.5
Other Aspects
If the CAN controller is not capable to detect a CAN wakeup, the application must call API
NmCanWakeUp() upon detection of a CAN wakeup event.

2015, Vector Informatik GmbH
Version: 2.03.01
24 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

6  Configuration
6.1
Concept
The  embedded  component  is  configured  with  the  help  of  a  PC-based  configuration  tool
named GENy. Settings for the NM can be selected in the GUI. These settings are used to
generate the configuration files, which are needed to compile and run the component.

Some configuration options are based on information from the CAN database (DBC file).
Some other options depend on the OEM and cannot be changed.
6.2
Data base attributes
The following table contains all attributes related to the Nm_Gmlan_Gm1.
Attribute Name
Valid
Type
Value
Description
for
BusOffRecoveryTime
Network  Integer  3500 (*)
This attribute defines the node recovery
time after a BusOff event.
This is an optional attribute.
BusWakeUpDelay
Network  Integer  100 (*)
This attribute defines the time between a
High-Level Voltage Wakeup (HLVW) and
the activation of Initially Active VNs.
This parameter is also used as a delay
time between the Activation of shared-local
input VNs and the actual activation inside
the ECU.
This is an optional attribute.
NetworkType
Network  String
>  Bodybus
This attribute defines the type of the
network.

>  Infotainme
nt
>  Powertrain
NmBaseAddress
Network  Hex
0x620
This attribute defines the base address of
the NM messages (e.g. 0x620).
Only a certain number of nodes can
participate in the NM. The CAN identifiers
of NM messages are kept in a certain
range. This range starts with the ID given
by attribute NmBaseAddress. The size of
the range is given by attribute
NmMessageCount.
NmMessage
Message  Enum
>  no
This attribute defines if the corresponding
message is a NM message (“Yes") or not
>  yes (*)
(“No”). The CAN ID of this message must
be within the range given by

1 Default values are marked with (*).
2015, Vector Informatik GmbH
Version: 2.03.01
25 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

NmBaseAddress and NmMessageCount.
NmMessageCount
Network Integer 32
This attribute defines the maximum
number of nodes within the NM.
The value is required to define the range
precopy-function of the CAN driver’s
precopy function that is used to receive the
NM messages.
There is the requirement that the value of
attribute NmMessageCount is 2^n (where
n is a natural number).
NmNode
Node
Enum
> no
This attribute defines if the corresponding
node uses the NM (“Yes”) or not (“No”).
> yes (*)
NmType
Network String
GMLAN (*)
This attribute defines the OEM-specific
type of the NM. Must be set to “GMLAN”.
NodeSuprvStabilityTim
Node
Integer 0..65535
This attribute defines a delay time between
e
5000 (*)
activation of a VN and start of supervision
of the corresponding signals.
The default value is 5000ms.
The supervision stability time is used to
avoid 'Loss of Communication' DTCs due
to transient conditions after VN activation.
SourceID
Node
Integer 0..255
The Source address of a node is given as
an attribute inside the database. There are
two possibilities to use this attribute:
Instead of initialization of the Source
Address by the application, the handler
could do this in the function IlInit().
This would imply, that the value is always
fixed (MIM-modules will be handled
correctly depending on the pre-selection of
the application, which instant should run).
The transmit messages inside the handler
will already be pre-set with the Source
Address given in this attribute.
This would avoid the runtime effort of the
driver to add the source address every
time a message must be transmitted. The
dynamic setting will only be required for
MIM’s.
VN_<name>
Network Integer 0..55
Bit number (0 to 55) within the VNMF
message Network ID Bit field identifying
the VN associated with the Network Name.
Successive numbers must be given.
“Holes” are not allowed.
VNECU<name>
node
Enum
> None
This attribute defines the VN type for a
specific ECU for the specific VN.
> Activator
> Remoted
> Activator_
Remoted
> SharedLoc
2015, Vector Informatik GmbH
Version: 2.03.01
26 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

al
VNInitAct<name>
network
Enum
> no (*)
This attribute defines whether a VN is
declared as ‘Initially Active’.
> yes
VNSig<name>
Signal
Enum
> no
If yes, indicates that the signal will be
associated with the named virtual network.
> yes (*)
The name of the VN must match one of
those defined for the network attribute
VN_<name>,

2015, Vector Informatik GmbH
Version: 2.03.01
27 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

6.3
GENy
The configuration tool GENy is used to configure the CANbedded components. This tool
generates source code and configuration files to make the CANbedded components run.

6.3.1
General
For a detailed description of the configuration tool and the description of the component-
specific configuration options, please refer to the online-documentation within GENy.
Info
The screen shots in this chapter can differ from your screen because some options
  depend on the system setup.

Figure 6-1  GENy Overview
2015, Vector Informatik GmbH
Version: 2.03.01
28 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

6.3.2
System-specific Configuration Options
This  configuration  page  allows  to  configure  system-specific  settings,  e.g.  the  usage  of
available features of the component.

Figure 6-2  System-specific Configuration Options

2015, Vector Informatik GmbH
Version: 2.03.01
29 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

6.3.3
Channel-specific Configuration Options
This configuration page allows to configure channel-specific settings, e.g. the network type
and the timing for each channel.

Figure 6-3 Channel-specific Configuration Options

2015, Vector Informatik GmbH
Version: 2.03.01
30 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

6.3.4
VN-specific Configuration Options
This  configuration page  gives  an overview  of  the used  VNs and  allows  to  configure  VN-
specific settings, e.g. the LV-susceptible mode.

Figure 6-4  VN-specific Configuration Options
2015, Vector Informatik GmbH
Version: 2.03.01
31 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

7 API Description
7.1
General
The NM uses different API prototypes. The usage depends on the number of channels in
the system. Both prototypes differ in the usage of a channel parameter as the first function
argument:
> The “Standard” prototype is used in single-channel applications. There is no channel
parameter due to optimization.
> The “Indexed” prototype is used in multi-channel applications. The first argument is
always the channel parameter.
7.2
Common Parameter
There are some parameters that are commonly used in multiple APIs.
Parameter
channel
CAN channel handle
vnHndl
VN handle.
Note: The VN handles are defined to symbolic names in nm_cfg.h. The
symbolic name and the handle correspond to the value of the DBC network
attribute named VN_<name>.

2015, Vector Informatik GmbH
Version: 2.03.01
32 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

7.3
Service Functions

NM Handling
>  IlNwmTask
NM status
>  IlNwmGetStatus
LVT mode
>  IlNwmEnterLowVoltageMode
>  IlNwmExitLowVoltageMode
Diagnostic mode
>  IlNwmNormalCommHalted
>  IlNwmReturnToNormalMode
HighSpeed mode
>  IlNwmSetHispeedMode
>  IlNwmResetHispeedMode
VN activation
>  IlNwmActivateVN
>  IlNwmDeactivateVN
>  IlNwmAllowActivationVN
>  IlNwmInhibitActivationVN
VN status
>  IlNwmGetActiveListVN
>  IlNwmIsActiveVN
Context Switch
>  NmGetModuleContext
>  NmSetModuleContext
2015, Vector Informatik GmbH
Version: 2.03.01
33 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

IlNwmActivateVN
Prototype
Standard
Nm_Status IlNwmActivateVN( vuint8 VnHndl )
Indexed
Nm_Status IlNwmActivateVN ( CanChannelHandle channel,
vuint8 VnHndl )
Parameter

see “7.2 Common Parameter”
Return code
Nm_Status
> NM_OK The activation request was accepted.
> NM_ACTIVE The VN is already active
> NM_ERROR The node is in the HighSpeed mode.
> NM_HALTED The node is in the NormalCommHalted mode.
> NM_INACTIVE The application is not permitted to activate the VN
 (The node is neither an Activator nor Local.)
> NM_WRONG_ARG VnHndl is invalid
Functional Description
This function activates a VN given by VN handle <VnHndl>.
This function may only be called for VNs that are meant to be activated (Activator, Local).
When activation is complete, the callback function ApplNwmVnActivated() is executed.
Related API: IlNwmDeactivateVN()
Particularities and Limitations
>

IlNwmAllowActivationVN
Prototype
Standard
void IlNwmAllowActivationVN ( void )
Indexed
void IlNwmAllowActivationVN ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This function restores the VN activation. The NM will start all queued VN activation requests.
Related API: IlNwmInhibitActivationVN()
Particularities and Limitations
> Availability of this function can be configured in GENy (“Inhibit VN Activation at Highload”).
> Only available if there are Activator VNs.

IlNwmDeactivateVN
2015, Vector Informatik GmbH
Version: 2.03.01
34 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

Prototype
Standard
Nm_Status IlNwmDeactivateVN( vuint8 VnHndl )
Indexed
Nm_Status IlNwmDeactivateVN ( CanChannelHandle channel,
vuint8 VnHndl )
Parameter

see “7.2 Common Parameter”
Return code
Nm_Status
> NM_OK The deactivation request was accepted.
> NM_INACTIVE The VN was already deactivated.
> NM_WRONG_ARG VnHndl is invalid.
Functional Description
This function de-activates a VN given by VN handle <VnHndl>.
Local VNs are immediately de-activated. Activator VNs are deactivated when the VN-specific timeout timer
expires. The NM starts a VN timer for this VN.
May only be called for VNs that are meant to be activated (Activator, Local).
When de-activation is complete, the callback function ApplNwmVnDeactivated() is executed.
Related API: IlNwmActivateVN()
Particularities and Limitations
>

IlNwmEnterLowVoltageMode
Prototype
Standard
void IlNwmEnterLowVoltageMode( void )
Indexed
void IlNwmEnterLowVoltageMode( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This function activates the Low Voltage Tolerant (LVT) Mode.
The transmission of HLVW is disabled.
VN monitoring and signal supervision timers are disabled.
Please refer to “4.3 Low Voltage Tolerant Mode” for details.
Related API: IlNwmExitLowVoltageMode()
Particularities and Limitations
> This function is only available if the LVT mode is enabled.

IlNwmExitLowVoltageMode
2015, Vector Informatik GmbH
Version: 2.03.01
35 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

Prototype
Standard
void IlNwmExitLowVoltageMode( void )
Indexed
void IlNwmExitLowVoltageMode( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This function de-activates the Low Voltage Tolerant (LVT) Mode.
VN monitoring and signal supervision timers are re-enabled.
VNs that are LV-susceptible will be initialized and reactivated.
Please refer to “4.3 Low Voltage Tolerant Mode” for details.
Related API: IlNwmEnterLowVoltageMode()
Particularities and Limitations
>  This function is only available if the LVT mode is enabled.

2015, Vector Informatik GmbH
Version: 2.03.01
36 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

IlNwmGetActiveListVN
Prototype
Standard
void IlNwmGetActiveListVN (vuint8 *VnList)
Indexed
void IlNwmGetActiveListVN ( CanChannelHandle channel, vuint8
*VnList)
Parameter
*VnList
pointer to an application-defined array that should contain the VN activation status.
The application should declare the array as:
vuint8 VnList [(<VNs>+7)/8]
VNs = Amount of used VNs in this CAN channel (Remote, Activator and Local VNs).

see “7.2 Common Parameter”
Return code

---
Functional Description
This function retrieves the activation state of all VNs on the current channel.
The array pointed to by VnList is filled with a bit-mask. Each bit represents the status of a VN. If a bit is set,
the corresponding VN is active. Otherwise not.
The most significant bit of the first byte represents VN 0. For example:
Byte 0
Byte 1
Byte
7
6
5
4
3
2
1
0
7
6
5
4
3
2
1
0
Bit
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15 VN

Particularities and Limitations
>

2015, Vector Informatik GmbH
Version: 2.03.01
37 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

IlNwmGetStatus
Prototype
Standard
nmStatusType IlNwmGetStatus( void )
Indexed
nmStatusType IlNwmGetStatus( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code
nmStatusType  Flag field that contains the network status.
Functional Description
This function returns information about the NM status. The status is provided by a flag field within the return
value. This return value can be decoded with the macros shown below. Each macro will return true or false.
True indicates that the NM is within the specified mode:
IlNwmStateNormalCommHalted ( status )  NormalCommHalted mode
lNwmStateHispeedMode ( status )        HighSpeed mode
IlNwmStateNoCommunication ( status )
Network communications are disabled. No messages can be
received or transmitted (BusOff or COMM-OFF state)
IlNwmStateSleepModeEntered ( status )  Sleep mode (COMM-OFF state)
IlNwmStateSleepModePending ( status )  Sleep mode is pending (COMM-ENABLE state)
IlNwmStateBusOffOccured ( status )      At least 1 BusOff has occurred since the last activation of the
node.
IlNwmStateNMActive ( status )           NM is active. At least 1 associated VN is active (COMM-ACTIVE
state).
IlNwmStateLowVoltageMode ( status )    LVT mode is active
Particularities and Limitations
>

IlNwmInhibitActivationVN
Prototype
Standard
void IlNwmInhibitActivationVN ( void )
Indexed
void IlNwmInhibitActivationVN ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
VN activation is suspended. All requests to start a VN are queued until VN activation is allowed.
Related API: IlNwmAllowActivationVN().
Particularities and Limitations
>  Only available if enabled in the configuration

2015, Vector Informatik GmbH
Version: 2.03.01
38 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

IlNwmIsActiveVN
Prototype
Standard
vuint8 IlNwmIsActiveVN( vuint8 VnHndl )
Indexed
vuint8 IlNwmIsActiveVN( CanChannelHandle channel, vuint8
VnHndl )
Parameter

see “7.2 Common Parameter”
Return code

Status of the queried VN;
Any non-zero value indicates that the VN is active.
Functional Description
This function returns a flag field that contains the current state of a specific VN (given by VN handle
<VnHndl>).
If the return value is 0, the VN is inactive, otherwise active.
The NM provides function macros that can evaluate the return value to get more information on the VN
state. The macros evaluate to be true or false.
IlNwmIsNmVnActivatorPending(vnState) Application has requested activation of VN
IlNwmIsNmVnActive(vnState) VN is completely activated
IlNwmIsNmVnActivator(vnState) Send out VNMF for this VN
IlNwmIsNmVnLocal(vnState) VN is locally active
IlNwmIsNmVnRxActive(vnState) Indicates Receive-enabled
IlNwmIsNmVnNone(vnState) VN is not active
Particularities and Limitations
>

IlNwmNormalCommHalted
Prototype
Standard
Nm_Status IlNwmNormalCommHalted( void )
Indexed
Nm_Status IlNwmNormalCommHalted( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

> NM_OK Node state was changed to Normal Comm. Halted.
> NM_ERROR Error if the node is in the HighSpeed, Sleep, or LVT mode
Functional Description
This function initiates diagnostic mode communications. All active VNs are deactivated and the diagnostic
VN (VN 0) is activated.
Note: If the node was in HighSpeed mode before this call, the CAN controller and transceiver will be reset
into Normal mode by this function.
Also refer to chapter “4.6 Normal Communication Halted”
Related API: IlNwmReturnToNormalMode()
2015, Vector Informatik GmbH
Version: 2.03.01
39 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

Particularities and Limitations
>

IlNwmResetHispeedMode
Prototype
Standard
void IlNwmResetHispeedMode( void )
Indexed
void IlNwmResetHispeedMode( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This function puts the transceiver and CAN controller in normal (low-speed) mode.
The diagnostics VN (VN 0) is deactivated.
After reinitializing the CAN controller, the user-defined function ApplTrcvrNormalMode() will be called, as
the application is responsible for switching the transceiver to normal mode.
After a delay, Rx and Tx functions of the IL are restarted.
Related API: IlNwmSetHispeedMode()
Particularities and Limitations
>

IlNwmReturnToNormalMode
Prototype
Standard
void IlNwmReturnToNormalMode( void )
Indexed
void IlNwmReturnToNormalMode( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This function requests the NM to return to the normal communication mode.
VNs cannot be activated during NormalCommHalted mode.
Note: If the node was in HighSpeed mode before this call, the CAN controller and transceiver will be reset
into normal mode by this function.
Also refer to chapter “4.6 Normal Communication Halted”
Related API: IlNwmNormalCommHalted()
Particularities and Limitations
>

2015, Vector Informatik GmbH
Version: 2.03.01
40 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

IlNwmSetHispeedMode
Prototype
Standard
Nm_Status IlNwmSetHispeedMode( void )
Indexed
Nm_Status IlNwmSetHispeedMode( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

>  NM_OK        Node state was changed to HighSpeed.
>  NM_ERROR    Error if the node is in the NormalCommHalted or Sleep state
Functional Description
This function requests the NM to switch over to HighSpeed mode.
The transceiver and CAN controller are set to a higher data transmission rate. After switching to HighSpeed
mode, the user-defined function ApplTrcvrHighSpeed() is called (the application is responsible for switching
the transceiver into high-speed mode).
Before calling this function, the application should place the GMLAN handler into the NormalCommHalted
mode.
Note that this function is only available for devices configured for single-wire CAN (Bodybus).
This feature is only available if enabled in the configuration.
Related API: IlNwmResetHispeedMode()
Particularities and Limitations
>

IlNwmTask
Prototype
Standard
void IlNwmTask( void )
Indexed
void IlNwmTask( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This function is the NM cyclic task function. The function is responsible for VN activation/deactivation,
reception/transmission of HLVW messages, mode and state handling.
The user-application is responsible for periodically calling this function at a user-defined timing. This timing
can be configured in GENy.
Particularities and Limitations
>  In preemptive systems and when CAN driver operates in polling mode it must be assured, that
IlNwmTask does not interrupt NmConfirmation(), NmHVConfirmation(), NmPrecopy() and
NmHVPrecopy().

2015, Vector Informatik GmbH
Version: 2.03.01
41 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

NmGetModuleContext
Prototype
void NmGetModuleContext( tNmModuleContextStructPtr pContext )
Parameter
pContext
Pointer to structure which is filled by this function with the current module
context. The type definition is provided in the modules header file.
Return code
-
-
Functional Description
This function copies all internal and global variables of the network management into the passed structure.
Particularities and Limitations
>  The function is usually called by the QNX Mini driver wrapper.
>  The function is only available if the QNX Mini driver wrapper is enabled or
NM_ENABLE_GET_CONTEXT is defined in a user configuration file.
Call context
>  Task level only

NmSetModuleContext
Prototype
vuint8 NmSetModuleContext( tNmModuleContextStructPtr pContext )
Parameter
pContext
Pointer to structure which is filled by this function with the current module
context. The type definition is provided in the modules header file.
Return code

1: The magic number member of the passed structure matches the version of
the module.
0: The magic number does not match. The data from the passed structure is
not copied.
Functional Description
This function initializes all internal and global variables of the network management with the values from
the passed structure.
Particularities and Limitations
>  The function is usually called by the QWrapper module
>  The function is only available if the QWrapper module is enabled or NM_ENABLE_SET_CONTEXT is
defined in a user configuration file.
Call context
>  Task level only

2015, Vector Informatik GmbH
Version: 2.03.01
42 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

7.4
Callback Functions

Transceiver Handling
>  ApplTrcvrHighSpeed
>  ApplTrcvrHighVoltage
>  ApplTrcvrNormalMode
>  ApplTrcvrSleepMode
VN Handling
>  ApplNwmReinitRequest
>  ApplNwmVnActivated
>  ApplNwmVnActivationFailed
>  ApplNwmVnDeactivated
>  ApplNwmVnmfConfirmationTimeout
>  ApplNwmVnRemoteActivateRequest
Wakeup/Sleep Handling
>  ApplNwm100MsgRecv
>  ApplNwmHLVWStart
>  ApplNwmHLVWStop
>  ApplNwmSleep
>  ApplNwmSleepConfirmation
>  ApplNwmWakeup
>  ApplNwmWakeupMsgRecv
BusOff Handling
>  ApplNwmBusoff
>  ApplNwmBusoffEnd
Fault Detection & Mitigation Algorithm
>  ApplNwmVnActiveFault
>  ApplNwmNetworkActiveFault
>  ApplNwmNoSleepConfirmationFault
2015, Vector Informatik GmbH
Version: 2.03.01
43 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwm100MsgRecv
Prototype
Standard
void ApplNwm100MsgRecv ( void )
Indexed
void ApplNwm100MsgRecv ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed to notify the application that a HLVW message was received with the CAN
controller being in an active state.
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_WAKEUP_RECEIVED_FCT
Call context
>  This function is called from task level only.

ApplNwmBusoff
Prototype
Standard
void ApplNwmBusoff ( void )
Indexed
void ApplNwmBusoff ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed to notify the application that the CAN controller has entered BusOff state,
indicating that errors have occurred on the CAN bus.
Transmission and reception of messages are disabled at this time.
The NM starts a recovery timer. The recovery time can be selected in the configuration tool.
When the recovery time elapses, the NM will re-enable the CAN controller.
Related API: ApplNwmBusoffEnd()
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_BUSOFF_FCT
>  This callback might be executed in the CAN driver’s ISR. The application should exit this function as
quickly as possible, and should not call any other NM or CAN API functions.
Call context
>  Same as CAN driver error handling

ApplNwmBusoffEnd
2015, Vector Informatik GmbH
Version: 2.03.01
44 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

Prototype
Standard
void ApplNwmBusoffEnd ( void )
Indexed
void ApplNwmBusoffEnd ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed to notify the application that the CAN controller has recovered from a BusOff
state. Transmission and reception of messages are re-enabled.
Related API: ApplNwmBusoff()
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_BUSOFF_END_FCT
Call context
>  This function is called from task level only.

ApplNwmHLVWStart
Prototype
Standard
void ApplNwmHLVWStart ( void )
Indexed
void ApplNwmHLVWStart ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed just before the transmission of a HLVW message.
Related API: ApplNwmHLVWStop()
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_HLVW_INDICATION_FCT
Call context
>  If CAN driver transmit queue is activated this function may be called in interrupt context.

2015, Vector Informatik GmbH
Version: 2.03.01
45 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmHLVWStop
Prototype
Standard
void ApplNwmHLVWStop ( void )
Indexed
void ApplNwmHLVWStop ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed just after the transmission of a HLVW message has completed (and confirmed).
Related API: ApplNwmHLVWStart()
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_HLVW_INDICATION_FCT
Call context
>  This function will maybe called in interrupt context.

2015, Vector Informatik GmbH
Version: 2.03.01
46 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmReinitRequest
Prototype
Standard
void ApplNwmReinitRequest ( vuint8 VnHndl,
vuint8 ReinitRequest )
Indexed
void ApplNwmReinitRequest ( CanChannelHandle channel,
vuint8 VnHndl,
vuint8 ReinitRequest )
Parameter
ReinitRequest    Reason for Re-init request
>  0  A VNMF-Continue message was received for an inactive VN.
>  1  A VNMF-Init message was received for an already active VN.
>  2  A VNMF-Init message was transmitted for an already active VN. This is the case
when an Activator VN is (re-)activated and VN is still active and VN timer is less than 4
seconds.

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed to notify the application that a VN is being re-initialized. The reason for the re-
initialization is given as parameter.
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_REINITREQUEST_FCT
Call context
>  This function is called from task level only.

2015, Vector Informatik GmbH
Version: 2.03.01
47 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmSleep
Prototype
Standard
void ApplNwmSleep ( void )
Indexed
void ApplNwmSleep ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

Functional Description
This callback is executed to notify the application that NM is entering the COMM-OFF state.
The sleep indication may be used by the application to suspend network (and other) operations, including
cyclic calls to the NM task functions.
Related API: ApplNwmWakeup()
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_SLEEP_FCT
Call context
>  This function is called from task level only.

ApplNwmSleepConfirmation
Prototype
Standard
vuint8 ApplNwmSleepConfirmation ( void )
Indexed
vuint8 ApplNwmSleepConfirmation ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

>  NmSleepOk    Enter Sleep mode
>  NmSleepNo    Stay awake for another 8 seconds.
Functional Description
The callback is executed to let the application decide if the NM can enter Sleep Mode. If the application
returns NmSleepNo from the callback, then the network will stay enabled for another 8 seconds. Unless
other events intervene (such as VN activation), NM will call this function again when the timer expires.
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_SLEEPCONFIRMATION_FCT
Call context
>  This function is called from task level only.

2015, Vector Informatik GmbH
Version: 2.03.01
48 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmVnActivationFailed
Prototype
Standard
vuint8 ApplNwmVnActivationFailed ( vuint8 VnHndl )
Indexed
vuint8 ApplNwmVnActivationFailed ( CanChannelHandle channel,
vuint8 VnHndl )
Parameter

see “7.2 Common Parameter”
Return code

>  0  Deactivate the VN
>  1  Reattempt activation of the VN.
Functional Description
This callback is executed to notify the application that an attempt to activate a VN has failed. The failure is
detected when the VN active timer counts down to 1 second while an activation attempt still pending.
This function gives the application the ability to decide whether to retry or abort the VN activation. The
return value from the function (see above) controls the behavior of NM.
If this callback is not enabled, then NM will deactivate the VN and does not reattempt the activation.
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_VN_ACTIVATION_FAILED_FCT
Call context
>  This function is called from task level only.

ApplNwmVnActivated
Prototype
Standard
void ApplNwmVnActivated (vuint8 VnHndl )
Indexed
void ApplNwmVnActivated ( CanChannelHandle channel, vuint8
VnHndl )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
The callback is executed to notify the application that a VN has been activated.
Related API: ApplNwmVnDeactivated()
Particularities and Limitations
>  Mandatory callback
Call context
>  This function is called from task level only.

ApplNwmVnDeactivated
2015, Vector Informatik GmbH
Version: 2.03.01
49 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

Prototype
Standard
void ApplNwmVnDeactivated (vuint8 VnHndl )
Indexed
void ApplNwmVnDeactivated ( CanChannelHandle channel,
vuint8 VnHndl )
Parameter

see “7.2 Common Parameter”
Return code

Functional Description
The callback is executed to notify the application that a VN has been deactivated.
Related API: ApplNwmVnActivated()
Particularities and Limitations
>  Mandatory callback
Call context
>  This function is called from task level only.

ApplNwmVnRemoteActivateRequest
Prototype
Standard
vuint8 ApplNwmVnRemoteActivateRequest ( vuint8 VnHndl )
Indexed
vuint8 ApplNwmVnRemoteActivateRequest (
CanChannelHandle channel,
vuint8 VnHndl )
Parameter

see “7.2 Common Parameter”
Return code

The application must return a value indicating if the activation request should be accepted
or rejected.
>  1    Accept remote activation.
>  0   Reject remote activation.
Functional Description
This callback is executed when a VN activation request (VNMF-Init) message is received. This allows the
application to be notified of the activation, and to allow the activation request to be denied.
Note: It is not recommended that the application reject activation requests.
If this callback is disabled, the NM will accept the activation request.
Particularities and Limitations
>  The availability of this callback can be configured:
NM_ENABLE_VN_REMOTE_ACTIVATE_REQUEST_FCT
Call context
>  This function is called from task level only.

2015, Vector Informatik GmbH
Version: 2.03.01
50 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmVnmfConfirmationTimeout
Prototype
Standard
void ApplNwmVnmfConfirmationTimeout ( void )
Indexed
void ApplNwmVnmfConfirmationTimeout ( CanChannelHandle
channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed to notify the application that transmission of a VNMF could not be completed
within the configured time limit.
Particularities and Limitations
>  The availability of this callback can be configured:
NM_ENABLE_VNMF_CONFIRMATION_TIMEOUT_FCT
Call context
>  This function is called from task level only.

ApplNwmWakeup
Prototype
Standard
void ApplNwmWakeup ( void )
Indexed
void ApplNwmWakeup ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed to notify the application that the NM is leaving the COMM-OFF state, and
entering either COMM-ENABLED or COMM-ACTIVE.
Note: If the application does not call the cyclic task of the NM while the CAN is in sleep mode, the callback
ApplNwmWakeupMsgRecv() must be activated. If it is called, application has to re-enable the cyclic call.
Related API: ApplNwmSleep()
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_WAKEUP_FCT
Call context
>  This function is called from task level only.

2015, Vector Informatik GmbH
Version: 2.03.01
51 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmWakeupMsgRecv
Prototype
Standard
void ApplNwmWakeupMsgRecv ( void )
Indexed
void ApplNwmWakeupMsgRecv ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed to notify the application that a HLVW message was received when the CAN
controller was asleep. This may be used by the application to restart network activities, such as invoking
the NM task functions periodically, or prevent entering the STOP mode.
Particularities and Limitations
>  The availability of this callback can be configured: NM_ENABLE_WAKEUP_RECEIVED_FCT
>  This callback might be executed in the CAN driver’s ISR. The application should exit this function as
quickly as possible, and should not call any other NM or CAN API functions.
Call context
>  Same as CAN driver wakeup handling.

ApplTrcvrHighSpeed
Prototype
Standard
void ApplTrcvrHighSpeed ( void )
Indexed
void ApplTrcvrHighSpeed ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed when the transceiver has to be set to HighSpeed mode.
The application has to set the transceiver in the corresponding state.
Particularities and Limitations
>  This callback is available if a single-wire transceiver is used and HighSpeed mode is enabled
Call context
>  Same as IlNwmSetHispeedMode.

2015, Vector Informatik GmbH
Version: 2.03.01
52 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplTrcvrHighVoltage
Prototype
Standard
void ApplTrcvrHighVoltage( void )
Indexed
void ApplTrcvrHighVoltage( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed when a HLVW message has to be transmitted.
The application has to set the transceiver in the corresponding state where High-Voltage transmission is
possible.
Particularities and Limitations
>  This callback is available if a single-wire transceiver is used
Call context
>  If CAN driver transmit queue is activated this function will maybe called in interrupt context.

ApplTrcvrNormalMode
Prototype
Standard
void ApplTrcvrNormalMode( void )
Indexed
void ApplTrcvrNormalMode( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

Functional Description
This callback is executed when the transceiver has to be set to normal mode, e.g. after transmission of a
HLVW message.
The application has to set the transceiver in the corresponding state (normal mode).
Particularities and Limitations
>  Mandatory callback: always used
Call context
>  This function may be called in interrupt context.

2015, Vector Informatik GmbH
Version: 2.03.01
53 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplTrcvrSleepMode
Prototype
Standard
void ApplTrcvrSleepMode ( void )
Indexed
void ApplTrcvrSleepMode ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback is executed when the transceiver has to be set to sleep mode, i.e. the NM enters COMM-OFF
state.
The application has to set the transceiver in the corresponding state (sleep mode).
Particularities and Limitations
>  This callback is available if a sleep/wake-able transceiver is used (single-wire, HighSpeed with sleep)
Call context
>  This function is called from task level only.

2015, Vector Informatik GmbH
Version: 2.03.01
54 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmVnActiveFault
Prototype
Standard
void ApplNwmVnActiveFault ( vuint8 vnHndl )
Indexed
void ApplNwmVnActiveFault (  CanChannelHandle channel,
vuint8 vnHndl )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback informs the application about a ‘VN Active Fault’ detected by the ‘Fault Detection and
Mitigation Algorithm’. Please refer to chapter 4.11 for more information.
Particularities and Limitations
>  This callback is available only if ‘Fault Detection and Mitigation Algorithm’ is enabled in GENy.
Call context
>  This function is called from task level only.

ApplNwmNetworkActiveFault
Prototype
Standard
void ApplNwmNetworkActiveFault ( void )
Indexed
void ApplNwmNetworkActiveFault ( CanChannelHandle channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback informs the application about a ‘Network Active Fault’ detected by the ‘Fault Detection and
Mitigation Algorithm’. Please refer to chapter 4.11 for more information.
Particularities and Limitations
>  This callback is only available if ‘Fault Detection and Mitigation Algorithm’ is enabled in GENy.
Call context
>  This function is called from task level only.

2015, Vector Informatik GmbH
Version: 2.03.01
55 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

ApplNwmNoSleepConfirmationFault
Prototype
Standard
void ApplNwmNoSleepConfirmationFault ( void )
Indexed
void ApplNwmNoSleepConfirmationFault ( CanChannelHandle
channel )
Parameter

see “7.2 Common Parameter”
Return code

---
Functional Description
This callback informs the application about a ‘No Sleep Confirmation Fault’ detected by the ‘Fault Detection
and Mitigation Algorithm’. Please refer to chapter 4.11 for more information.
Particularities and Limitations
>  This callback is available only if ‘Fault Detection and Mitigation Algorithm’ and ‘No Sleep Confirmation
Fault Reporting’ is enabled in GENy.
Call context
>  This function is called from task level only.

7.5
Calibration Constants
Please  see  TechnicalReferenceGMLANCalibration.pdf  for  more  details  on  calibrate
constants of the GMLAN handler.
2015, Vector Informatik GmbH
Version: 2.03.01
56 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

8  Glossary and Abbreviations
8.1
Glossary
Term
Description
CAN Driver
The CAN Driver represents an implementation of the Data Link Layer by
Vector Informatik GmbH.
CANbedded
CANbedded stands for a group of products offered by Vector Informatik
GmbH including communication modules for CAN communication and a
configuration tool to configure these modules.
Communication
See Network Database
Database
Data Dictionary
See Network Database
Data Link Layer
The Data Link Layer defines the connection between two network nodes
in the same network. It is responsible for error detection, error correction
and flow control.
Deadline Monitoring
Deadline Monitoring is used to monitor the receipt of periodic messages
related to the ECU. Each time a periodic message is received a timer or
counter will be restarted. If the timer elapses the application will be
notified.
Delay Time
To prevent high bus load the Interaction Layer waits a defined time after
the transmission of a message before transmitting the next message. A
delay time is related to a specific message.
Configuration Tool
Tool to generate parts of the code of the communication modules. The
generated code will be specific for an application and will include the
interface for the signals, messages, flags ...
Interaction Layer
By the Interaction Layer the data is structured. It is responsible for the
consistency of the data offered to the upper layer.
Message
Variable for data exchange of which the length depends on the length of
the frames used by the underlying field bus. CAN for example use 0-8
bytes per data frame.
Message Manager
The Message Manager is a part of the Interaction Layer. By the Message
Manager the messages received by the CAN bus is offered and the state
machine of the Interaction Layer is controlled. It is responsible for the
periodic transmission of messages.
Network Database
Database which contains information about a network, including the
nodes and the data to be exchanged over the network. The Network
Database is used by the Configuration Tool, CANoe, and CANalyzer.
Network
By the NM a set of services for monitor the nodes in a network are
Management
defined. It is responsible for start-up the network, co-ordination of global
operation modes, support of diagnostics, ...
OSEK OS
Specification of an operating system for micro controllers (ECU)
especially designed for cars
OSEK COM
Specification of a communication layer for the use with OSEK
Physical Layer
By the Physical Layer all the electrical, mechanical and functional
parameters of the connections between network nodes are defined. (ISO
2015, Vector Informatik GmbH
Version: 2.03.01
57 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

OSI-Model)
Signal
Variable for data exchange of which the length is defined by the
application developer. One or more signals are mapped to a message.
Signal Interface
The Signal Interface is a part of the Interaction Layer. By the Signal
Interface the messages offered by the Interaction Layer are split into
signals. It is responsible for the combination of signals to messages and
the splitting of messages into signals.
Start Delay Time
Time used to delay the beginning of the transmission of a periodic
message. The start delay time should prevent transmission bursts caused
by interference.
Transmission Mode   Mode to transmit signals or messages. A transmission mode defines
whether a message has to be send out periodically or on an event or
even in both cases. There are several modes defined to satisfy the needs
of the customer’s application.
Transport Protocol
By the Transport Protocol the data longer than a CAN frame is handled. It
is responsible for correct splitting and combining data, error detection and
error correction.
Note: OSEK refers to the “Transport Protocol” as “Network Layer”. They
put it in layer 3, not in layer 4 of the ISO OSI Layer Model.

8.2
Abbreviations
Abbreviation
Description
CAN
Controller Area Network
CTS
Component Technical Specification. Platform specific document provided by the
car manufacturer. Provides technical details for the component.
ECU
Electronic Control Unit
IL
Interaction Layer
NM
Network Management
OSEK
Offene Systeme und deren Schnittstellen für die Elektronik im Kraftfahrzeug
TP
Transport Protocol
VN
Virtual Network
VNMF
Virtual Network Management Frame
HLVW
High-Voltage Wake-Up

2015, Vector Informatik GmbH
Version: 2.03.01
58 / 59
based on template version 3.7

Technical Reference Nm_Gmlan_Gm

9 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 2.03.01
59 / 59
based on template version 3.7

Document Outline

17 - NVRAM Manager

NVRAM Manager

Component Documentation

17.1 - NvM Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. NvM

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. NvM_Vector_Ar4.0.3_05.02.02_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3174

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

17.2 - TechnicalReference_NvM

MICROSAR NVM

17.3 - TechnicalReference_NvM_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79

17.4 - TechnicalReference_NvMs

MICROSAR NVM
Technical Reference

Version 5.03.00

Authors
Christian Kaiser, Tomas Ondrovic
Status
Released

Technical Reference MICROSAR NVM
1  Document Information
1.1
History
Author
Date
Version
Remarks
Christian Kaiser
2007-08-20  1.4
AUTOSAR 2.1,
updated for EAD3.1 usage,
conversion to new template
Christian Kaiser
2007-12-06  3.01.00
Change of the document's versioning
scheme to correspond to the module's
major and minor,
update of parameter description in
chapter 'Graphical Configuration of NvM'
and service port generation description,
remove of DATASET ROM, feature not
supported anymore,
remove of introduction paragraphs from
'Description of Memory Mapping and
Compiler Abstraction', not subject of this
document,
simplified 'Block Management Types'
naming,
formal changes
Christian Kaiser
2008-01-11
3.01.01
New chapter to clarify the dependency on
the CRC library,
stated explicitly that DET is optional,
corrected default values
Manfred Duschinger,
2008-05-23  3.02.00
AUTOSAR 3,
Heike Bischof
conversion to Technical Reference
Manfred Duschinger
2008-12-08  3.03.00
ESCAN00027300: Description of
NvM_ServiceIdType in
SingleBlockCallbackFunction and
MultiBlockCallbackFunction
Description and expected caller context
of NvM_SetBlockLockStatus-API
reworked.
Chapter 4.4.17 ‘Concurrent access to NV
data for DCM’ added.
Chapter 4.4.5.2: Write order at redundant
blocks added.
Expansion of glossary.
Chapter 7.2.2: Description of ‘Dataset
Selection Bits’ added.
Manfred Duschinger
2009-02-25  3.03.01
ESCAN00031177: Manufacturer specific
requirements attribute for traceability
reasons
Manfred Duschinger
2009-03-24  3.03.02
ESCAN00032480: Missing information in
2015, Vector Informatik GmbH
Version: 5.03.00
2 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
documentation:
Chapter 6.4.5: ‘Description of
NvM_RequestResultType added’.
Chapters 6.4.15 and 6.4.16: ‘Services are
multiblock requests’.
Manfred Duschinger
2009-06-03  3.04.00
ESCAN00032480: Update of History of
version 3.03.02: Updated changed
chapters.
Chapter  6.2: ‘Block ID 0 is only allowed
for API NvM_GetErrorStatus()’
ESCAN00033075: Chapter 4.5.1.1:
DataIndex Check in NvM_ReadBlock()
added. DataIndex Check was also added
to NvM_InvalidateNvBlock() and
NvM_EraseNvBlock().
ESCAN00033900: Chapter 4.4.17:
“Priority Handling of DCM-Blocks”
ESCAN00035089: Chapters 4.1, 7.2.2
“Callbacks NvM_JobEndNotification,
NvM_JobErrorNotification implemented”
ESCAN00034073: Chapters 2, 4.4.5.1,
7.2.2 “Crc Handling is configurable: Either
an internal buffer is used or Crc is stored
at the end of RAM Block.”
ESCAN00035891: Chapter 7.1.1
“Integrate SWC-Generation into CFG
Pro's Generation process”
Chapter 3.1: update AUTOSAR
architecture figure.
Christian Kaiser
2010-01-25  3.04.01
ESCAN00039648 – Rebuilt document;
made hyperlinks working. Updated Logo;
No changes in content.
Christian Kaiser
2010-03-26  3.05.00
Updated Component history
Whole document: “EAD”  “DaVinci
Configurator”
Added Ch. 7.3 “Attributes only
configurable using GCE”
Updated Ch. 5.6.1 – “RAM Usage”
ESCAN00040662: Chapter 4.4.3: Added
note about restricted access to RAM
block during job execution.
ESCAN00035134: Chapter 5.1.2
reworked
ESCAN00039749: Ch. 4.4.10, 8.2.4:
Guaranteed CRC values; Ch 6.4.7: note
about asynchronous CRC calculation
ESCAN00031315: added Ch. 4.2.1, Ch
8.2.3; updated Ch. 7.2.5
ESCAN00042745 – corrected Ch. 4.5.2
2015, Vector Informatik GmbH
Version: 5.03.00
3 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Manfred Duschinger
2011-01-25
3.07.00
ESCAN00047171: Ch. 6.4.18:
NvM_KillWriteAll; Abbreviations: ECUM
ESCAN00045141: Ch. 4.4.5.1:
information about names of Block
Handles
Manuela Scheufele
2011-02-03
3.07.01
Minor changes
Manfred Duschinger
2011-07-12
3.08.00
ESCAN00049327: Ch. 4.5.2 DEM errors
inserted into MICROSAR DEM
Christian Kaiser
2012-01-24  3.09.00
ESCAN00053235, ESCAN00051729: Ch.
7.1 – updated PortInterface names
Manfred Duschinger
2013-01-02  5.00.00
Ch. 4.1: supported features added
Ch. 4.4.3 and ch. 4.4.4: added
NvM_CancelJobs
Ch. 4.3.5: error handling updated
Ch. 4.4.20: added explicit synchronization
mechanism
Ch. 5.4.6: updated callback functions
Ch. 5.5: updated initialization process of
memory stack
Ch. 6.4: updated return values of most
synchronous APIs
Ch. 6.4.6: instanceID deleted
Ch. 6.4.16: updated NvM_WriteAll
handling
Ch. 6.4.19: description of API
NvM_CancelJobs
Ch. 6.7.4 and 6.7.5: Callback routines for
explicit synchronization mechanism
Ch. 7: completely reworked
Ch. 9.2: added abbreviations
Ch. 7.2.1 and ch. 7.3 removed
Manfred Duschinger
2013-01-04  5.01.00
Ch. 5.4.8 Interaction with BswM

Manfred Duschinger,
2013-08-23  5.01.01
ESCAN00064110: Ch. 4.4.8 Description
Christian Kaiser
of synchronous Job-End Notification
ESCAN00062895: Ch. 4.4.5.1 Symbolic
name values of Nv Block Handles
updated.
ESCAN00062896: Ch. 4.4.13. 4.4.20,
5.4.8, 6.7.3, 6.7.4 and 6.7.5: Added
information that block is still busy during
invoking callback.
ESCAN00063639: Ch. 4.4.20: Extended
information about explicit synchronization
mechanism
ESCAN00064063: Ch. 6.2 Improve
description of
NvM_RequestResultType
ESCAN00064173: Ch. 5.3: Explanation
of some necessity of memory mapping
2015, Vector Informatik GmbH
Version: 5.03.00
4 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
ESCAN00068239: Ch. 6.4, Ch. 4.4.20:
Limitations Explicit Synchronization
Mechanism
ESCAN00063532 – Ch. 6.4.16 Block
Processing order during NvM_WriteAll
Christian Kaiser
2014-06-17  5.02.00
Internal release; no changes
Christian Kaiser
2014-10-13  5.02.01
Updated Ch. 2. Component history.
ESCAN00073178  –  updated  Ch.  4.1
unsupported features, Ch. 8.1 Deviations
ESCAN00074672
–
Description
of
Redundant Blocks; extended Ch. 4.4.5.2
ESCAN00076366  –  SWCs’  callback
return types – added Ch. 7.1.5
Removed Ch. 4.4.18, 4.4.19
ESCAN00071933
–
Description
of
internal  buffering  and  internal  CRC
storage,  rewording  Ch.  4.4.5.1,  4.4.5.5,
4.4.10, 5.6.1
ESCAN00075284  –  Reworked  Ch.
4.4.17, Ch. 6.4.8
Review  findings  –  Development  Error
Codes in chapter 4.5.1, minor rephrasing,
Glossary (PIM)
Added Chapter 5.7
Christian Kaiser
2015-01-07  5.02.02
Chapters 6.4.8, 8.1
NvM_SetBlockLockStatus – emphasized
deviation from AUTOSAR.
Tomas Ondrovic
2015-02-02  5.03.00
Chapter 4.2.1, 4.5.1 – removed RAM and
ROM block length DET check
Chapter 4.5.3 – describes the new
compile time RAM and ROM block length
checks
Chapter 4.1.1.1– created to describe
feature Block Id check
Chapter 6.4.20 – describes the new
feature “Repair Redundant Blocks”
Tomas Ondrovic
2015-09-28  5.03.01
Only improvements
Table 1-1
History of the document
1.2
Reference Documents
No.
Title
Version
[1]
AUTOSAR_SWS_NVRAMManager.pdf
V 2.2.0
[2]
AUTOSAR_SWS_DET.pdf
V 2.2.0
[3]
AUTOSAR_SWS_DEM.pdf
V 2.2.1
[4]
AUTOSAR_BasicSoftwareModules.pdf
V 1.2.0
Table 1-2
Reference documents
2015, Vector Informatik GmbH
Version: 5.03.00
5 / 79
based on template version 3.01

Technical Reference MICROSAR NVM

Please note
We have configured the programs in accordance with your specifications in the
questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2015, Vector Informatik GmbH
Version: 5.03.00
6 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
2  Component History
Component
New Features
Version
(Implementation)
5.01.xx
Interaction with BswM added.
Defined Block Write Order (descending IDs) during write all
5.xx.xx
AUTOSAR4.0.
  Changed API (return types)
  New service: NvM_CancelJobs
  New DEM Errors
  “Write Block during WriteAll” configurable
  Explicit Synchronization Mechanism
4.xx.xx
Skipped/Reserved.
3.09.xx
Removed AUTOSAR Version Check for DEM
NvM_Mainfunction runnable is always generated into SWC descripion
Generation of SWC Interface Names according to AUTOSAR
3.08.xx
NVM provides information about error codes for MICROSAR Dem to automate
configuration.
3.07.xx
Service NvM_KillWriteAll added.
Significant changes in internal handling (CRC/internal buffer)
3.06.xx
Never released; no new features.
3.05.xx
Calculated CRC32 value does not depend anymore on configuration of
parameter NvmCrcNumOfBytes.
Added RAM and ROM block size checks: The NVM can be configured to check
each RAM block’s and/or each ROM block’s size against the configured NV
block length, considering CRC setting, internal buffering, etc.
3.04.xx
Crc Handling is configurable: Either the internal buffer, available since
component version 3.02, is used or Crc is stored at the end of RAM Block.
3.03.xx
At processing a redundant NVRAM Block NVM determines an appropriate write
order, depending on the NV Block’s current state/content. A defect NV block is
written in preference to a valid one.
NVM provides possibility for DCM to access NV data concurrently with NVM’s
applications.
3.02.xx
Update to AUTOSAR 3 specification.
Additional API NvM_SetBlockLockStatus.
Storing each NVRAM block’s CRC internally: RAM Blocks provided by the
application don’t have to allocate additional space for CRC.
Configurability, whether the NVM shall create the RAM Block associated with the
ConfigID NVRAM Block on its own, or the user creates the RAM block.
Table 2-1
Component history
2015, Vector Informatik GmbH
Version: 5.03.00
13 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
3  Introduction
This  document  describes  the  functionality, API  and  configuration  of  the AUTOSAR  BSW
module NVM as specified in [1].

Supported AUTOSAR Release*:
4
Supported Configuration Variants:
link-time

Vendor ID:
NVM_VENDOR_ID
30 decimal
(=
Vector-Informatik,
according to HIS)
Module ID:
NVM_MODULE_ID
20 decimal
(according to ref. [4])
* For the precise AUTOSAR Release 3.x please see the release specific documentation.

The  module  NVM  is  created  to  abstract  the  usage  of  non-volatile  memory,  such  as
EEPROM  or  Flash,  from  application. All  access  to  NV  memory  is  block  based. To  avoid
conflicts  and  inconsistent  data  the  NVM  shall  be  the  only  module  to  access  non-volatile
memory.
The  NVM  accesses  the  module  MEMIF  (Memory Abstraction  Interface)  which  abstracts
the modules FEE (Flash EEPROM Emulation) and EA (EEPROM Abstraction). Thus, the
NVM is hardware independent. The modules FEE and EA abstract the access to Flash or
EEPROM driver. To select the appropriate device (FEE or EA) the NVM uses a handle that
is provided by the MEMIF.

Caution
MICROSAR FEE and MICROSAR EA are different products that are not part of
  MICROSAR NVM!

2015, Vector Informatik GmbH
Version: 5.03.00
14 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
3.1
Architecture Overview
The following figure shows where the NVM is located in the AUTOSAR architecture.

Figure 3-1
AUTOSAR 4.x Architecture Overview
2015, Vector Informatik GmbH
Version: 5.03.00
15 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
The next figure shows the interfaces to adjacent modules of the NVM. These interfaces
are described in chapter 6.

Figure 3-2
Interfaces to adjacent modules of the NVM
Applications normally do not access the services of the BSW modules directly. They use
the service ports provided by the BSW modules via the RTE. The service ports provided
by the NVM are listed in chapter 6.8 and are defined in [1].
2015, Vector Informatik GmbH
Version: 5.03.00
16 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
4  Functional Description
4.1
Features
The features listed in this chapter cover the complete functionality specified in [1].
The supported and not supported features are presented in the following two tables. For
further information on not supported features also see chapter 8.

The following features described in [1] are supported:
Supported Feature
Complete API
Block Management Types (Native, Redundant, Dataset)
CRC handling (CRC16, CRC32)
Priority handling, including Immediate (Crash) Data write
Job queuing
ROM defaults (ROM defaults block, Init callback)
Config Id handling
RAM block valid/modified handling
Re-Validation of RAM blocks during start up using CRC
Job end notifications
Skipping Blocks during Start-Up
API Configuration Classes
Service Ports – Generation of Software Component Description
Concurrent access to NV data for DCM
Explicit Synchronization mechanism between application and NVM
Interaction with BswM
Table 4-1
Supported SWS features
The following features described in [1] are not supported:
Not Supported Feature
Dataset ROM blocks (Management Type Dataset, multiple ROM blocks)
Disabling Set/Get_DataIndex API
Static Block ID Check during read
Write Verification
Read Retries
Table 4-2
Not supported SWS features

2015, Vector Informatik GmbH
Version: 5.03.00
17 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
4.1.1
Safety Features
4.1.1.1
Block Id check
NvM  provides  a  feature  to  ensure  the  underlying  devices  deliver  data  for  the  currently
processing NvM block – Block Id Check.

Note
Since the Block Id Check is implemented via extension in CRC calculation, the feature
  is only working for NvM block configured with CRC.
Since the feature uses the NvM Block Id, during configuration update the user has to
ensure the Block Id remains the same for each NvM Block. Otherwise the check will fail
though the correct data was read.

To check the data to belong to currently processing NvM Block, the NvM calculates the
NvM Block Id and the current Dataindex into its CRC. That means in fact that the NvM
calculates the CRC over the Block Id (2 bytes), Dataindex (1 byte) and the actual data –
NvM needs one CRC calculation function call more that without the Block Id check.

Caution
The NvM is not able to distinguish between wrong CRC and CRC calculated for
  another NvM Block! In case the underlying modules deliver data belonging to wrong
NvM Block, the NvM behaves in same way as in case of CRC mismatch.

4.2
Initialization
Before the module  NVM can be used  it has to be  initialized. All modules,  NVM depends
on, need to be initialized before. The initialization of all these modules should be done by
the ECU State Manager. If the NVM is not used in an AUTOSAR environment it should be
done by a different entity. Pay attention that the NVM will not initialize the used modules
by its own.
Depending  on  the  configuration  of  the  NVM  stack,  different  modules  might  need  to  be
initialized. It is advised to use a bottom up strategy for initialization:
>  NV device drivers for internal devices (FLS/EEP)
>  Low level driver that an external NV device driver might depend on (e.g. DIO, SPI)
>  Drivers for external NV devices (e.g. external EEP or FLS)
>  NV device abstraction modules (EA/FEE)
>  Non-Volatile Manager (NVM). The NVM initialization is twofold: NvM_Init() and
NvM_ReadAll(). NvM_ReadAll() needs to be the last initialization step!
Initializing the modules in this sequence ensures  that, as soon as a module  is  used,  the
modules it depends on are ready.
4.2.1
Start-up
The  basic  initialization  of  the  NVRAM  Manager  is  done  by  the  request  NvM_Init().  It
shall  be  invoked  e.g.  by  the  ECU  State  Manager  exclusively.  Due  to  strong  constraints
2015, Vector Informatik GmbH
Version: 5.03.00
18 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
concerning  the  ECU  start-up  time  the  NvM_Init()  request  does  not  contain  the  basic
initialization  of  the  configured  NVRAM  blocks.  The  NvM_Init()  request  resets  the
internal variables of the NVM such as the queue and the state machine.
4.2.2
Initialization of the Data Blocks
The initialization of the single blocks is normally also initiated by the ECU State Manager
by calling  NvM_ReadAll(). All blocks  that have no valid RAM data  anymore  and have
Select for ReadAll set will be reloaded from NV memory or from ROM (if available).
Block 1 (the configuration ID) has a special role. It is stored in NV memory and also as a
constant  (NvM_CompiledConfigId_t)  that  is  externally  visible  and  link-time
configurable.  During  NvM_ReadAll()  the  NV  value  of  block  1  is  compared  against  the
constant NvM_CompiledConfigId_t. In case of a match all NV blocks are presumed to
be  valid  and  NVM  tries  to  read  them  from  NV  memory.  In  case  of  a  mismatch  or  if  the
configuration ID cannot be read the system behaves as following:
>  If the configuration switch Dynamic Configuration Handling is OFF, the mismatch is
ignored. It will be tried to read all blocks from NV memory (also called ‘normal runtime
preparation’).
>  If the Dynamic Configuration Handling is ON, the normal runtime preparation is
processed for all blocks having been configured with the option ‘Resistant to Changed
SW’. For all other blocks an ‘extended runtime preparation’ will take place.
>  All blocks that will be processed with the ‘extended runtime preparation’ will be treated
as invalid or blank. Thus, it is possible to rewrite a block having been marked as ‘Write
Once’. If available, ROM defaults are loaded or the initialization callback is invoked.
Non-permanent  RAM blocks, dataset  blocks  or  blocks  that  are  not  selected for  ‘ReadAll’
(configuration  option)  are  skipped.  They  must  be  loaded  manually  by  the  application  by
calling NvM_ReadBlock().
4.3
States
The NVRAM Manager is internally organized with a state machine which is shown in the
following chapters.
4.4
Main Functions
4.4.1
Hardware Independence
The NVRAM Manager is independent from its  underlying memory hardware.  It accesses
the API of the MEMIF (Memory Abstraction Interface). The MEMIF abstracts the modules
FEE  (Flash EEPROM  Emulation)  and  EA  (EEPROM Abstraction) for  the  NVM.  FEE and
EA are used for storing data blocks in Flash or EEPROM devices. For selecting at which
FEE or EA instance a block shall be stored, the NVM uses a device handle (device ID) that
is provided by the MEMIF.
4.4.2
Synchronous Requests
The NVM API services are divided into synchronous and asynchronous requests.
The  synchronous  services  are  executed  immediately  when  called.  They  are  executed  in
the context of the calling task. This means, that behavior depends on the characteristics of
2015, Vector Informatik GmbH
Version: 5.03.00
19 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
the calling task and not on the NVM. For example, if the calling task is a non-preemptive
one, the synchronous NVM request will be executed until it has finished. Otherwise, if the
calling  task  is  a  preemptive  one,  the  synchronous  NVM  request  can  be  preempted  by
another higher prioritized task.
Following NVM API services initiate synchronous requests:
>  NvM_Init()
>  NvM_SetDataIndex()
>  NvM_GetDataIndex()
>  NvM_SetBlockProtection()
>  NvM_SetBlockLockStatus()
>  NvM_SetRamBlockStatus() (for not CRC protected blocks)
>  NvM_GetErrorStatus()
>  NvM_GetVersionInfo()
4.4.3
Asynchronous Requests
Following NVM API services initiate asynchronous requests:
>  NvM_ReadBlock()
>  NvM_WriteBlock()
>  NvM_RestoreBlockDefaults()
>  NvM_EraseNvBlock()
>  NvM_InvalidateNvBlock()
>  NvM_SetRamBlockStatus() (for CRC protected blocks)
>  NvM_ReadAll()
>  NvM_WriteAll()
>  NvM_CancelWriteAll()
>  NvM_CancelJobs()
The API call is handled in the context of the calling task. Here the service is queued and
will be processed asynchronously. The processing of the queued requests is done in the
context of the caller of the cyclic function NvM_MainFunction().

Caution
RAM blocks must not be accessed by any user while a request to its associated
  NVRAM Block is pending!
There are some exceptions to this limitation:
>  NvM_InvalidateNvBlock and NvM_EraseNvBlock don’t access any RAM
blocks. Thus access is still possible without limitations
>  While the NVM processes an NvM_WriteBlock request, the RAM block may still
2015, Vector Informatik GmbH
Version: 5.03.00
20 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
read.
>  Though applications are not expected to be running while NVM processes
NvM_WriteAll, RAM blocks may be read, as during NvM_WriteBlock
processing.

4.4.4
API Configuration Classes and additional API Services
Depending  on  the  needs  of  the  customer,  the  extent  of  the  NVM  can  be  tailored. Three
configuration classes are specified that offer a different amount of functionality/functions of
the NVM:
API configuration class 1:
A minimum set of API services is used. Queuing and job prioritization are not implemented.
Following functions are available:
>  NvM_Init()
>  NvM_GetErrorStatus()
>  NvM_SetRamBlockStatus()
>  NvM_ReadAll()
>  NvM_WriteAll()
>  NvM_CancelWriteAll()
API configuration class 2:
Intermediate set of API services. Queuing and job prioritization are implemented. Following
functions are available additionally according to API configuration class 1:
>  NvM_SetDataIndex()
>  NvM_GetDataIndex()
>  NvM_ReadBlock()
>  NvM_WriteBlock()
>  NvM_RestoreBlockDefaults()
>  NvM_CancelJobs()
API configuration class 3:
All  API  services  are  available.  Following  functions  can  be  used  additionally  to  API
configuration class 2:
>  NvM_SetBlockProtection()
>  NvM_EraseNvBlock()
>  NvM_InvalidateNvBlock()
The  functions  NvM_SetRamBlockStatus()  and  NvM_GetVersionInfo()  can  be
enabled/disabled
additionally
via
the
configuration
tool.
The
function
2015, Vector Informatik GmbH
Version: 5.03.00
21 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
NvM_SetBlockLockStatus() is always available independent of API configuration
class.
4.4.5
Block Handling
4.4.5.1
NV Blocks and Block Handles
Every application’s data packet that is intended for storage in NV memory is seen as a
block. For each block a unique block handle (block ID) is used. For the application the
(RAM) block is just one of its variables associated with the block. To write this variable to
NV memory it calls the NvM_WriteBlock() service with the block handle that is mapped
to this variable. The block handle names are given during configuration of the NVM. They
are published to the application by including NvM.h.

Note
The block handle names are automatically prefixed according to the AUTOSAR
 Specification EcucConfiguration:
<Module Definition>Conf_<Container Definition Short Name>_<Container Instance
Short Name>
The prefixing has no influence on RTE.

Caution
The actual processing of an asynchronous job (such as a write job) is done in
 NvM_MainFunction. Therefore it needs to be called cyclically. Usually this is done by
the Basic Software Scheduler (SCHM).

4.4.5.2
Different Types of NV Blocks
The application data can be stored in different types of blocks in the NV memory.
4.4.5.2.1
Native Blocks
This is the standard block type. The data is stored once in the NV area.
4.4.5.2.2
Redundant Blocks
This type is intended to increase availability of data, in case of errors, i.e. it is not
intended to provide additional error detection. The main focus lies on write aborts,
especially resets due to under-voltage conditions.

Note
It is recommended to configure CRC usage for Redundant Blocks, because CRC
 provides adequate error detection, beyond the scope of aborts.

The user data is stored twice in the NV area. While relying on lower layers’ (FEE/EA)
detection of aborted write accesses, NVM makes sure that a readable data block remains
readable, even in case of write aborts.
For that purpose, before starting a write access, NVM checks primary and secondary NV
blocks to determine the adequate write order (which NV block to write first): If it detects a
defective NV Block, it is written in preference to a valid NV Block. If writing to one single
2015, Vector Informatik GmbH
Version: 5.03.00
22 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
NV Block failed, the NVM reports the error NVM_E_REQ_FAILED (see chapter 4.5.2) to
the  DEM.  If  writing  to  primary  NV  block  failed,  NVM  ends  the  request  always  with  a
negative  job  result.  If the  primary  NV  block  was  written  successfully,  the  request  always
ends with a positive job result, even when the secondary NV block failed.

Expert Knowledge
NVM does not check any data to determine the write order. Rather, it just checks
  whether lower layers would find valid data instances (i.e. whether they successfully
read a block’s first data byte). At this point, NVM relies on lower layers’ abort detection
capabilities.

Note
NVM always attempts writing both NV blocks, regardless of errors reported by lower
  layers.

A read request is successful even if one block is corrupted but the  other block could be
read.  An  erase  or  invalidate  request  is  only  successful  if  both  blocks  could  be  erased
respectively invalidated.

Expert Knowledge
After a write abort, the “age” of data is not defined. NVM may deliver previous or recent
  data; in fact it does not distinguish them. Before NVM completed the result with
NVM_REQ_OK, clients shall make no assumption on “age” of data in NV memory.

4.4.5.2.3
Dataset Blocks
A dataset block can be seen as an array. A configurable number of instances of this block
are stored in NV-memory. In the RAM area there is only one RAM buffer. The appropriate
NV block instance is selected by the so called data index. The data index can be read and
set by synchronous API services NvM_GetDataIndex() and NVM_SetDataIndex().
Concept
Description
Block
General notion of the structure composed of data, state and CRC. It is
spread over RAM, ROM and NVRAM.
NV Block
One block in NVRAM – CRC is optional.
NV Block of
One NV Block of specified type.
>  Native type
>  Redundant type
>  Dataset type
RAM Block
One data Block in RAM. The data is shared by NVRAM Manager and
application. E. g. application writes data to this block and requests
NVRAM Manager to write it into NVRAM.
ROM Block
One data block in ROM. Default data supplied by application.
2015, Vector Informatik GmbH
Version: 5.03.00
23 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
NVRAM Block
A logical composition of one RAM block and its corresponding NV and
ROM Block.
NV = NVRAM
Non-volatile memory. Actually a synonym for Flash or EEPROM devices.
Table 4-3
Block concept
4.4.5.3
Permanent and non-permanent RAM Blocks
The  RAM  block  (application  variable)  can  be  either  permanent  or  non-permanent.  A
permanent RAM block belongs to a NV block that is accessed only by one application. The
address of the RAM block is fixed and is stored in the configuration of the NVM.
It  is  also  possible  to  have  multiple  applications  accessing  the  same  NV  block.  Each
application uses its own RAM block. In this case the RAM block is called non-permanent.
As the RAM address is not stored (and may vary) a pointer must be given for reading and
writing a non-permanent block.

Caution
Asynchronous API functions can be reentered by different tasks. So it is possible that
  several tasks queue for example a write job at the same time (a task with higher priority
might interrupt a lower one). But it is not possible to queue the same block multiple
times (neither by different tasks nor for different jobs). So if for instance a read job for
block 5 is queued, an erase job for this block can’t be queued before the read job is
finished.
If one block is used by multiple tasks, which is a common task for non-permanent RAM
blocks, the application is responsible for synchronization. Of course if, for example, an
erase request is in process the RAM block could be read or written without any effect to
the result of the erase job. The only problem is that the NVM does not offer any
information to an application what service is currently processed for a block. The
application that initiated the service of course does know, but a different application that
also uses the block does not. So the safest way for block access is not to use the RAM
block as long as it is pending. This way RAM inconsistency can be avoided definitively.

4.4.5.4
ROM Defaults
ROM defaults can be assigned to any NVRAM block. The ROM defaults block is provided
by the application. Alternatively, an init callback can be used. These features are selected
during configuration. It is only possible to configure either ROM defaults or an init callback
for a block.
ROM defaults can be read explicit (by a call of NvM_RestoreBlockDefaults()). ROM
defaults  will  also  be  read  implicitly  during  a  read  request,  if  no  valid  data  could  be  read
from  NV-memory,  either  due  to  a  CRC  error  or  because  of  a  failure  reported  by  the
underlying MemHwA via MEMIF.
4.4.5.5
Checksum
For  each  block  an  optional  checksum  can  be  configured.  This  checksum  can  be  either
CRC16 or CRC32. The checksum will be appended to user data; in NV memory they will
be stored consecutively in one single NV block.
If  Internal  Buffer  for  CRC  Handling  is  disabled,  Storage for  CRC  must  be provided  by
every  single  user;  otherwise  NVM  provides  an  internal  buffer.  In  this  case  it  copies  user
2015, Vector Informatik GmbH
Version: 5.03.00
24 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
data (associated with NVRAM blocks configured with CRC) into an internal buffer, instead
of  directly  passing  them  down  to  lower  layers.  Here,  data  gets  appended  with  CRC,  in
order to keep both within one NV block, which requires NVM to pass both down with one
single write request.
If  “Calc  RAM  CRC”  was  additionally  enabled,  NVM  will  internally  store  CRC  values  in
RAM,  in  order  to  check  against  them  during  NvM_ReadAll  processing.  Without  internal
buffering, additional space in RAM block serves for this purpose.
4.4.6
Prioritized or non-prioritized Queuing of asynchronous Requests
As mentioned before, asynchronous services are not processed immediately but queued
and  processed  asynchronously  by  the  NvM_MainFunction().  This  is  necessary  to
decrease the runtime of application tasks and to increase the predictability of their duration
(synchronous  write  jobs  on  an  EEPROM  or  Flash  would  block  your  task  for  multiple
milliseconds up to one second).
Jobs  can  be  queued  either  prioritized  or  non-prioritized,  depending  on  the  user
configuration.
If  job  prioritization  is  configured,  the  priorities  0  (immediate  priority)  until  255  (lowest
priority) can be selected for a block. It is important that the priority depends on the block,
rather than the request. Multi block requests always have a priority value greater than 255,
i.e. their priority is less than the lowest block specific priority; they will be processed after
all single block requests have been completed.
If block prioritization is not selected, the job queue works as a FIFO buffer.
4.4.7
Asynchronous Job-End Polling
As  alluded  before,  asynchronous  requests  are  processed  in  the  background.  The
application  has  the  possibility  to  poll  the  NVM  for  the  end  of  the  service  by  calling
NvM_GetErrorStatus().  NVM_REQ_PENDING  will  be  returned  as  long  as  the  job  is
queued or in  process. Once the job is finished  NvM_GetErrorStatus()  will  return  the
job result.
4.4.8
Asynchronous Job-End Notification
Alternatively  to  poll  for  the  job-end,  a  job-end  notification  can  be  implemented  and
configured  for  every  block.  It  will  be  called  by  the  NVM  whenever  a  single  block  job
completes, independent of success or failure.
4.4.9
Immediate Priority Jobs and Cancellation of current Jobs
If job prioritization is selected, blocks of different priority exist. A new queued, higher prior
job, (e.g. priority 5) does not cancel/suspend a lower prioritized job (e.g. priority 10) if this
job is already processed.
The only  exceptions for this are  immediate priority jobs (priority 0)  which  can suspend a
running  job  that  priority  is  less.  The  suspended  job  will  be  restarted  after  all  jobs  with
higher priority are finished.
2015, Vector Informatik GmbH
Version: 5.03.00
25 / 79
based on template version 3.01

Technical Reference MICROSAR NVM

Caution
Pay attention that only blocks with high priority (0) can be erased (by using API
  NvM_EraseNvBlock)!

4.4.10  Asynchronous CRC Calculation
The  (re-)calculation  of  a  block’s  CRC  is  done  asynchronously  by  the
NvM_MainFunction(). A CRC protected block’s CRC value is calculated every time the
block shall be written to NV memory. If a block is read from NV memory the CRC value is
recalculated and compared to the one that was just read from NV memory. If configuration
option  ‘Calculate  RAM  CRC’  was  enabled  for  a  block,  its  recently  calculated  CRC  value
will be stored in RAM for later use.
If NvM_SetRamBlockStatus(TRUE) is called, the re-calculation of the CRC value over
the  RAM block’s  data  will  also  be  initiated,  if  ‘Calculate  RAM  CRC’  was  enabled for  this
block.

Note
The purpose of requesting recalculation of the RAM CRC with every call to
  NvM_SetRamBlockStatus is to provide the possibility to re-use the RAM data even if
a reset (short power-loss, watchdog-reset) occurred.
NvM attempts so during NvM_ReadAll processing for all NVRAM blocks having ‘Read
during ReadAll’ and ‘Calc RAM CRC’ enabled in their configuration: If the block is
internally still marked as VALID, NVM calculates the CRC value over current RAM
block’s contents and compares it with the value stored elsewhere. If thy match it does
not touch RAM contents; rather NVM pretends having successfully read those values
from NV.

The CRC calculation is done in the cyclically called service NvM_MainFunction(). To be
able to split a CRC calculation job, the number of CRC bytes to be calculated during one
cycle can be configured via the configuration tool.

Note
If an AUTOSAR compliant CRC library implementation is used, the NVM ensures for all
  supported CRC types that calculated values do not depend on the number of cycles
needed for calculation, i.e. for any number of calculation steps any CRC value is
guaranteed to be equal to the CRC value calculated over same data with one single
call to the appropriate library function.
For CRC32 this is a feature in NvM, beyond the requirements of AUTOSAR.

4.4.11  Write Protection
The  NVM  supports  write  protection  of  any  NV  Block.  The  API  services
NvM_SetBlockProtection() is used for locking and unlocking a NV block. The initial
write protection (after reset) can be configured. It will be set during NvM_ReadAll().
2015, Vector Informatik GmbH
Version: 5.03.00
26 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
A  block  can  also  be  configured  to  be  written  once. The  write  protection  of  such  a  block
cannot be removed by an API call. Nevertheless, it is possible to rewrite such a block by
using the extended runtime preparation during NvM_ReadAll().

Caution
Pay attention, for a dataset block configured as write once only one dataset can be
  written. The other datasets can’t be written any more. The whole block is protected
after first write.

4.4.12  Erase and Invalidate
There  are  two  services  specified  for  making  a  NV  block  unreadable:
NvM_EraseNvBlock() and NvM_InvalidateNvBlock().
Invalidating  a  block  is  much  faster  than  erasing  the  block  because  only  the  status
information will be invalidated.
4.4.13  Init Callbacks
For  any  block  ROM  defaults  or  an  initialization  callback  can  be  configured.  The  init
callback is called every time the default values of the block are to be loaded, e.g. during a
restore block defaults service.
The return value of the functions is specified but will not be used by the NVM.

Note
During calling init callback related block is still busy. No request for it shall be issued as
  long as block is busy.

4.4.14  Define Locking/ Unlocking Services
In preemptive systems, it is necessary to protect some actions of preemption. That means
that  a  few  NVM  internal  actions  need  to  be  atomic.  So  for  protecting  these  sequences
functions for entering and leaving such a critical section can be configured. By default the
Operating System (OS) services are used.
The  configuration  tool  can  be  used  to  define  or  configure  services  such  as  the  OSEK
services GetResource(…) and ReleaseResource(…) to lock and unlock resources. To
use these services of your Operating System, you must also publish the header file of the
Operating System via configuration tool (in the ‘MyECU’ window and the included tab ‘OS
Services’).
4.4.15  Interrupts
When  interrupts  occur  during  write  accesses,  they  do  not  corrupt  already  saved  data  or
data  to  be  written.  To  ensure  this,  these  critical  sections  have  to  be  locked,  which  is
configurable via configuration tool.
4.4.16  Data Corruption
Write  operations  to  non-volatile  memories  are  non-atomic  operations.  A  power  supply
failure  during  write  accesses  may  lead  to  corrupted/invalid  data. Assuring  that  corrupted
data will not be signaled as valid is no more the task of the NVM but of the FEE or EA.
2015, Vector Informatik GmbH
Version: 5.03.00
27 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
4.4.17 Concurrent access to NV data for DCM
NVM provides possibility to access NV data concurrently with NVM’s applications.
Therefore each configured NVRAM block has an additional alias. Aliases are neither read
at start-up (during NvM_ReadAll processing) nor written at shut-down (during
NvM_WriteAll processing). In fact, they are treated as NVRAM Blocks without
permanent RAM block. Consequently, explicit read or write requests must supply a
reference to a temporary RAM block
For accessing the alias of a NVRAM block, NVM provides the global macro
NvM_GetDcmBlockId(<BlockId>). The macro expects the BlockId of the original
NVRAM block as parameter and returns the block’s alias of type NvM_BlockIdType.
Only one asynchronous request of one alias can be queued at a time. Otherwise the
asynchronous API returns with E_NOT_OK, which indicates that the request has not been
accepted, because of the block pending state check.
All jobs of DCM are always put into Standard Job Queue, even if blocks with immediate
priority are requested and job prioritization was enabled. So cancellation of pending jobs
by an immediate DCM-Block is avoided. The original priority itself is kept.

Note
It is recommended that DCM accesses NVRAM data only via aliases. Otherwise it
 would be responsible for synchronization with every single NVM client (blocks’ owners)

Caution
DCM should lock the block using NvM_SetBlockLockStatus (see chapter 6.4.8)
 before requesting jobs (via the alias, especially write requests). In case of an error
during job processing, DCM should also unlock the block again. If job processing
completes successfully the block should remain locked; it will be automatically
unlocked after next start-up (NvM_ReadAll processing).
A lock itself only affects the original block (i.e. the alias cannot be locked).

4.4.18 Explicit synchronization mechanism between application and NVM
NvM supports an optional explicit synchronization mechanism between application and
NvM. It is realized by a RAM mirror in the NvM module. The data is transferred by the
application in both directions via callback routines, called by the NvM module.
The synchronization mechanism can be configured for every NVRAM block separately. If
the synchronization mechanism is configured NvM uses the internal buffer as RAM mirror
between NvM and application. It is the same internal buffer which is used for Crc
calculation (see chapter 4.4.5.1). The size of the internal buffer is the size of the biggest
configured block plus configured Crc bytes.
2015, Vector Informatik GmbH
Version: 5.03.00
28 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
If  the  synchronization  mechanism  is  configured,  both  NvMWriteRamBlockToNvM  and
NvMReadRamBlockFromNvM must be configured.
It is not useful to configure a permanent RAM block for a block which uses the
synchronization mechanism. In this case the RAM block will be ignored. It is also not
recommended to configure an Init callback for a block using synchronization mechanism.

Note
If Explicit Synchronization was configured for a block, clients may modify RAM contents
  (which are not visible to NVM) while block is pending. In this case take care they may
get overwritten when a pending read completes.

Basic Knowledge
By definition, this mechanism serves as permanent RAM block.

Expert Knowledge
Calculate RAM CRC and related fast re-validation of RAM data during NvM_ReadAll
  processing cannot be used along with explicit synchronization mechanism.

4.4.18.1  Explicit synchronization mechanism during write requests
After application issued NvM_WriteBlock, application might modify the RAM block until
callback  NvMWriteRamBlockToNvM  is  called  by  NvM.  If  NvMWriteRamBlockToNvM  is
called, application has to provide a consistent copy of the RAM block to the internal RAM
mirror.

Note
During calling NvMWriteRamBlockToNvM callback related block is still busy. No
  request for it shall be issued as long as block is busy.

4.4.18.2  Explicit synchronization mechanism during read requests
After  application  issued  NvM_ReadBlock,  application  might  modify  the  RAM  block  until
the
routine
NvMReadRamBlockFromNvM
is
called
by
the
NvM.
If
NvMReadRamBlockFromNvM  is  called,  then  application  has  to  copy  the  data  from  the
internal RAM mirror to the RAM block.
2015, Vector Informatik GmbH
Version: 5.03.00
29 / 79
based on template version 3.01

Technical Reference MICROSAR NVM

Note
During calling NvMReadRamBlockFromNvM callback related block is still busy. No
  request for it shall be issued as long as block is busy.

4.5
Error Handling
4.5.1
Development Error Reporting
By  default,  development  errors  are  reported  to  the  DET  using  the  service
Det_ReportError()as  specified  in  [2],  if  development  error  reporting  is  enabled  (i.e.
pre-compile parameter NVM_DEV_ERROR_DETECT == STD_ON).
If another module is used for development error reporting, the function name for reporting
the  error  can  be  configured  by  the  integrator,  but  must  have  the  same  signature  as  the
service Det_ReportError().
The reported NVM ID can be seen here [chapter 3].
The  reported  service  IDs  identify  the  services  which  are  described  in  6.4.  The  following
table presents the service IDs and the related services:
Service ID
Service
0x00
NvM_Init()
0x01
NvM_SetDataIndex()
0x02
NvM_GetDataIndex()
0x03
NvM_SetBlockProtection()
0x04
NvM_GetErrorStatus()
0x05
NvM_SetRamBlockStatus()
0x06
NvM_ReadBlock()
0x07
NvM_WriteBlock()
0x08
NvM_RestoreBlockDefaults()
0x09
NvM_EraseNvBlock()
0x0A
NvM_CancelWriteAll()
0x0B
NvM_InvalidateNvBlock()
0x0C
NvM_ReadAll()
0x0D
NvM_WriteAll()
0x0E
NvM_MainFunction()
0x0F
NvM_GetVersionInfo()
0x10
NvM_CancelJobs()
0x13
NvM_SetBlockLockStatus()
Table 4-4
Mapping of service IDs to services
2015, Vector Informatik GmbH
Version: 5.03.00
30 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
The errors reported to DET are described in the following table:
Error Code
Description
0x14
NVM_E_NOT_INITIALIZED
Every API service, except NvM_Init() and
NvM_GetVersionInfo(), may check if NVM has
already been initialized.
0x15
NVM_E_BLOCK_PENDING
As long as an asynchronous operation on a certain
Block has not been completed, no further requests
belonging to this Block are allowed.
0x18
NVM_E_BLOCK_CONFIG
This service is not possible with this configuration.
0x0A
NVM_E_PARAM_BLOCK_ID
NVM API services may check, whether the passed
BlockId is in the allowed range.
0x0B
NVM_E_PARAM_BLOCK_ TYPE  NvM_SetDataIndex() and
NvM_GetDataIndex() are restricted to Dataset
bocks. If these functions are called with any other
bock type, this error code is produced.
NvM_RestoreBlockDefaults() is restricted to
blocks configured with ROM defaults or an init
callback.
0x0C
NVM_E_PARAM_BLOCK_DATA_
NvM_SetDataIndex() may check the range of the
IDX
passed DataIndex.
0x0D
NVM_E_PARAM_ADDRESS
A wrong pointer parameter was passed. (NULL_PTR
passed in an asynchronous call, e.g.
NvM_WriteBlock() for a non-permanent block)
0x0E
NVM_E_PARAM_DATA
A NULL_PTR was passed in one of the synchronous
functions NvM_GetDataIndex(),
NvM_GetErrorStatus() or
NvM_GetVersionInfo().
Table 4-5
Errors reported to DET
4.5.1.1
Parameter Checking
AUTOSAR requires that API functions check the validity of their parameters. The checks in
Table  4-6  are  internal  parameter  checks  of  the  API  functions.  These  checks  are  for
development error reporting and can be en-/disabled separately. The configuration of en-
/disabling  the  checks  is  described  in  chapter  7.1.5.  En-/disabling  of  single  checks  is  an
addition to the AUTOSAR standard which requires to en-/disable the complete parameter
checking via the parameter NVM_DEV_ERROR_DETECT.

2015, Vector Informatik GmbH
Version: 5.03.00
31 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
The following table shows which parameter checks are performed on which services:
Check

e-
k c
k
g
ng

c
k

k
he
i
d
ck
he
c
n
c
na
k
he
c
he

o
e c
en
c
s
ti
he
c
c
a
Ma
py
P
he
ex
s

e’l z  c
i
s
s
r
l
’
T
’
Id
ndI
a
us
k
k
e c
k
nte
Service
du
nt

ti
tat
ocl
ocl tat
ocl
oi
Mo
nii S
B
me
B
S
B
Data
P
NvM_Init()

NvM_SetDataIndex()



  

NvM_GetDataIndex()






NvM_SetBlockProtection()





NvM_GetErrorStatus()





NvM_GetVersionInfo()


NvM_SetRamBlockStatus()





NvM_SetBlockLockStatus()




NvM_ReadBlock()


    
NvM_WriteBlock()


    
NvM_RestoreBlockDefaults()
  





NvM_EraseNvBlock()
  

  

NvM_CancelWriteAll()
  

NvM_InvalidateNvBlock()
  

  

NvM_ReadAll()
  



NvM_WriteAll()
  



NvM_MainFunction()
  

NvM_CancelJobs()
  



Table 4-6
Development Error Checking: Assignment of checks to services
4.5.2
Production Code Error Reporting
Production  code  related  errors  are  reported  by  default  to  the  DEM  using  the  service
Dem_ReportErrorStatus() as specified in [3].
However, the service to be used (and the appropriate include file) for error reporting may
be configured.
2015, Vector Informatik GmbH
Version: 5.03.00
32 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
The errors reported to DEM are described in the following table:
Error Code
Description
NVM_E_INTEGRITY_FAILED
API request integrity failed
NVM_E_REQ_FAILED
API request failed
NVM_E_WRITE_PROTECTED
NvM_WriteBlock, NvM_EraseNvBlock and
NvM_InvalidateNvBlock check, if the
block with specified BlockId is write-protected,
before it is written (or erased or invalidated).
NVM_E_QUEUE_OVERFLOW
All asynchronous requests can only be en-
queued if the queue is not full.
NVM_E_LOSS_OF_REDUNDANCY
One single block of a redundant block is
invalid.
Table 4-7
Errors reported to DEM
According  to AUTOSAR  component  specific  DEM  errors  must  be  configured  in  DEM.  If
MICROSAR  DEM  is  used,  production  code  errors  are  automatically  inserted  into  DEM
configuration.
If  another  module  is  used  for  production  code  error  reporting,  the  function  name  for
reporting the error can be configured by the integrator, but must have the same signature
as the service Dem_ReportErrorStatus().
Both error codes shall have a value of type Dem_EventIdType (an integer type). It must
be assured, that these two error codes as well as the type are published to the NVM via
the user-specified include file.
4.5.3
Compile-time checks
In case the development error reporting and the corresponding Ram or Rom length checks
are enabled, the NvM checks the configured blocks to have exactly the same, or at least
the same length as the configured NvM block length.

For each check – Ram or Rom lengths – a struct with bitfields will be generated –
one bitfield for each NvM block configured with permanent Ram or Rom block. In case
the  sizeof  delivers  another  length  than  the  configured  NvM  block  length,  the
corresponding  bitfield  will  be  initialized  with  length  0,  which  is  not  allowed  by  C-
Standard. The line will cause a compiler error.
The  compiler  shall  mark  the  corresponding  line  and  the  wrongly  initialized  bitfield
name includes the checked RAM or ROM block’s name.

Note
Whether to check the lengths to match the configured NvM block length exactly or at
  least, the parameter “Block Length Strict Check” has to be set or unset.

2015, Vector Informatik GmbH
Version: 5.03.00
33 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
5  Integration
This chapter gives necessary information for the integration of the MICROSAR NVM into
an application environment of an ECU.
5.1
Scope of Delivery
The delivery of the NVM contains the files which are described in the chapters 5.1.1 and
5.1.2:
5.1.1
Static Files
File Name
Description
NvM.h
This file must not be modified by user.
Defines the interface of NVM. Only this file shall be included by the
application.
NvM_Cbk.h
This file must not be modified by user.
Contains the declarations of the callback functions being invoked by
EEPROM driver
NvM_Types.h
This file must not be modified by user.
Defines general types used by NVM.
NvM.c /
This file must not be modified by user.
NvM.lib/NvM.a
Implementation of NVM, delivered as object library.
NvM_Act /
These are files for internal use of the NvM.
NvM_Crc /
If NVM is delivered as object then this parts are content of NvM.lib.
NvM_JobProc /
NvM_Qry /
NvM_Queue.c *.h
Table 5-1
Static files
5.1.2
Dynamic Files
The  dynamic  files  are  generated  by  the  configuration  tool  DaVinci  Configurator.  Do  not
modify them manually.
File Name
Description
NvM_Cfg.c
It contains configuration parameters of NVM which can be modified after
compilation of NvM.c.
NvM_Cfg.h
Contains public configuration parameters of NVM. They are (or might be)
also important to NvM’s user(s), or they may affect NvM’s API
It contains also public types and symbol declarations to be used by NVM as
well as its user(s).
NvM_PrivateCfg.h  Contains parameters as well as type and symbol declarations, which are
private to the NvM, i.e. they only affect internal behavior.
This file is intended to be included only by NvM’s sources.
Table 5-2
Generated files
2015, Vector Informatik GmbH
Version: 5.03.00
34 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
5.2
Include Structure
The  following  figure  illustrates  the  hierarchy  of  included  files.  It  also  shows  that
Std_Types.h and Nvm.h must be included by the application.

Figure 5-1
The file structure of the NVM sections module
5.3
Compiler Abstraction and Memory Mapping
The  objects  (e.g.  variables,  functions,  constants)  are  declared  by  compiler  independent
definitions  –  the  compiler  abstraction  definitions.  Each  compiler  abstraction  definition  is
assigned to a memory section.
The  following  table  contains  the  memory  section  names  and  the  compiler  abstraction
definitions of NVM and illustrates the relationship among each them.
Compiler Abstraction

T
E
S

T
T

Definitions
S

D
N
AT
E
S
T
A
A

D
N

N
E
S

T

A
A
A
_CO
_CO
_D
T
D
N
T
A
_CO
_D

E
E
E
A
T
T
T
CO
CO
D
_D
C_CO
C_CO
IG
IG

A
A
A
V
V
V
T
LI
LI
L_
L_
L_
S
B
B
P
P
P
NF
NF
Memory Mapping
RI
RI
RI
A
U
U
P
P
P
Sections
_P
_P
_P
_F
_P
_P
_A
_A
_A
_CO
_CO

M
M
M
M
M
M
M
M
M
M
M
NV
NV
NV
NV
NV
NV
NV
NV
NV
NV
NV
NVM_START_SEC_CODE






NVM_START_SEC_




VAR_NOINIT_UNSPECIFIED
2015, Vector Informatik GmbH
Version: 5.03.00
35 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
NVM_START_SEC_VAR_NOINIT_8

  

NVM_START_SEC_VAR_UNSPECIFIED



NVM_START_SEC_VAR_FAST_8

  

NVM_START_SEC_



CONST_UNSPECIFIED
NVM_START_SEC_CONST_8



NVM_START_SEC_CONST_16





NVM_START_SEC_





CONST_DESCRIPTOR_TABLE
NVM_START_SEC_VAR_POWER_ON_I
NIT_UNSPECIFIED


Table 5-3
Compiler abstraction and memory mapping
For  each  start  keyword,  there  is  a  stop  keyword.  As  these  stop  keywords  are  used  to
restore the default section, the stop keywords do not need to be configured.

Caution
The size of the section NVM_START_SEC_CONST_DESCRIPTOR_TABLE depends
  on the configuration settings. It makes sense to create an own section for this item if it
becomes too big to link it into the same page/section as the elements of the
MICROSAR NVM module. In this case the according memory modifier has to be used
in order to address the elements in this section.

Above  listed  section  keywords  are  compiler  dependent.  They  are  set  in  the  files
MemMap.h and Compiler.h/Compiler_Cfg.h. Compiler pragmas may be used to open and
close  a  special  memory  section. As  these  pragmas  are  already  used  when  creating  the
NVM library (object  code) these parameters are  not  link-time configurable. Libraries  with
different settings can be obtained at Vector Informatik GmbH. Please refer to the Software
release notes  (SRN)  (or  to  the delivered  MemMap.h,  Compiler.h/Compiler_Cfg.h) for  the
settings made for your delivery.
NVM_START_SEC_VAR_POWER_ON_INIT_UNSPECIFIED  shall  be  mapped  to  a  section
that  is  guaranteed  to be  zeroed  out  after  Power-On  Reset  (therefore  it  may  be  a  normal
ZERO_INIT  section,  being  zeroed  out  after  any  reset.  Make  sure  this  helds  true  for  all
kinds of variable data (esp. uninitialized). If necessary, create a special section (don’t map
to a common one).
NVM_START_SEC_VAR_UNSPECIFIED  shall  also  be  mapped  to  a  section  that  is
guaranteed  to  be  zeroed  out.  It  holds  the  variable  NvM_TaskState_t  which  has  to  be
zero since NvM is not initialized.

2015, Vector Informatik GmbH
Version: 5.03.00
36 / 79
based on template version 3.01

Technical Reference MICROSAR NVM

Note
The integrator has to make sure specific section related settings (#pragmas) cover all
  (intended) variables defined within in a particular specific section. (It might be desired,
and possible with a compiler to further divide variables, e.g. by type/size/alignment
requirements).

Expert Knowledge
It is important to understand that a variable declaration lacking an initializer does not
  actually mean an uninitialized variable (unless the variable has automatic storage
duration).
Instead, according to ANSI/ISO, every object that has static storage duration is not
initialized explicitly (ISO/IEC 9899:1999 chapter 6.7.8 clause 10) shall be initialized
(according to the rules defined there). Technically, they shall be initialized to 0
However, how a compiler achieves it, is beyond the standard. It is also beyond the
standard, how compilers map variables to sections, what default sections they define,
etc.
A compiler may treat a variable explicitly initialized to 0 like an “uninitialized” variable, it
may treat it like an initialized variable, or it may even treat it completely differently (e.g.
some compilers can be setup to emit all explicitly initialized variables to a section
“.zbss”, in contrast to “.data” and “.bss”, used for initialized, and uninitialized variables,
respectively”.
Therefore, any section definition (#pragmas) should consider all variables (regardless
of existence of an explicit initializer, and/or eventually other differentiations a compiler
might provide), unless there’s a good reason to exclude some of them.

Caution
The sections mentioned above have to fit to the linker configuration (linker command
  file) as well as to the memory modifier settings in the Compiler Abstraction!

5.4
Dependencies on SW Modules
5.4.1
OSEK / AUTOSAR OS
An  OS  environment  is  not  necessary  unless  it  is  used  for  interrupt  or  resource  locking
issues.
5.4.2
DEM
NVM depends on an implementation of the DEM. It is used to report errors occurred during
processing. The header file declaring the API must be configured via configuration tool.
5.4.3
DET
Module  DET:  Can  be  used  in  development  mode.  It  records  all  development  errors  for
evaluation  purposes.  Its  usage  can  be  enabled/disabled  via  configuration  tool  by  the
switch Development Error Reporting.
2015, Vector Informatik GmbH
Version: 5.03.00
37 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
5.4.4
MEMIF
The NVM uses configuration parameters defined by the MEMIF.
5.4.5
CRC Library
For  CRC  calculations  the  NVM  uses  the  services  provided  by  an  AUTOSAR  compliant
CRC Library.

Note
Since the Configuration Id Block must be configured with either CRC16 or CRC32;
  you will always need the CRC library.

5.4.6
Callback Functions
MICROSAR  NVM  offers  the  usage  of  notifications  that  can  be  mapped  to  callback
functions  provided  by  other  modules,  in  order  to  inform  them  about  job  completion.  For
each  NVRAM  block  a  separate  callback  function  may  be  defined  by  application.  These
callback function declarations must be made within the application and be included by the
NVM.
5.4.7
RTE
When  at  least  one  Service  Port  is  enabled  and  corresponding  PIM  (see  Technical
Reference  of  RTE)  is  available,  all  additional  necessary  header  files  are  included
automatically. SWC must not include NvM.h.
5.4.8
BSWM
If the switch BSWM Multi Block Job Status Information is enabled the NVM shall inform
the
BSWM
about
the
current
state
of
a
multi
block
job
via
BswM_NvM_CurrentJobMode(). The multi job callback is not called.

Note
During calling BswM_NvM_CurrentJobMode(), if called with status
  NVM_REQ_PENDING, callback related block is still busy. No request for it shall be
issued as long as block is busy.

If  the  switch  BSWM  Block Status  Information  for  a  single  block  is  true,  the  NVM  shall
inform
the
BSWM
about
the
current
state
of
the
block
via
BswM_NvM_CurrentBlockMode().

Note
During calling BswM_NvM_CurrentBlockMode(),if called with status
  NVM_REQ_PENDING, callback related block is still busy. No request for it shall be
issued as long as block is busy.

2015, Vector Informatik GmbH
Version: 5.03.00
38 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
5.5
Integration Steps
To integrate MICROSAR NVM into your system, several steps beginning with configuration
have to be done:
>  Configure MICROSAR NVM and MICROSAR MEMIF according to applications’
requirements using MICROSAR configuration tool or a GCE editor.
>  Generate the configuration files of the modules NVM and MEMIF.
>  Configure and generate the lower modules FEE/EA and the driver modules for
FLS/EEP.
>  If a FEE or EA module is used that is not delivered by Vector, make sure that the
parameters that are exchanged between the two modules are consistent.
>  Each application is responsible to make their RAM and ROM blocks available (do not
use the static modifier!). The MICROSAR NVM includes the file that declares these
blocks and defines memory modifier to address the blocks. This memory modifier can
be changed in the Compiler.h.
>  Make sure all applications using MICROSAR NVM include Std_Types.h and NvM.h
(in that order).
>  Check the initialization of the drivers FLS/EEP, FEE/EA and the MICROSAR NVM
(MICROSAR NVM does not initialize any other module).
>  Make sure that the initialization sequence is correct. FEE/EA and FLS/EEP must be
initialized before any NVM request (usually NvM_ReadAll()) can be used. Take care
initialization sequence of FEE/EA must be finished until FEE/EA is able to accept a job
from NvM. In case Fee_MainFunction calls and/or Fls_MainFunction calls are
necessary to finish initialization process for FEE/EA the calls have to be executed
before NvM requests the first job to FEE/EA.
>  Ensure that the main functions of the NVM, the FEE/EA and the FLS/EEP drivers are
called cyclically. This must be done within an application task running at sufficient
priority (to avoid starving).
>  Ensure that a waiting task frees CPU to make it possible that the action for the task is
waiting for, can be done!
Finally: Compile and link your MICROSAR NVM together with your project.
5.6
Estimating Resource Consumption
Besides resources needed anyway when using NVM, there are some configuration options
influencing  resource  consumption  of  your  system.  In  general  these  options  affect  usage
independently  of  the  number  of  configured  NVRAM  blocks.  Additionally  each  NVRAM
block  requires  resources  in  RAM,  ROM  and  NV,  respectively. The  following  sections  will
summarize the options and give you hints, how to estimate their effects.
5.6.1
RAM Usage
In general, each NVRAM block consumes RAM – for the application-defined RAM-block as
well as for the internal block management structure, which holds information about request
results, blocks’ attributes and its current data index. The amount of RAM occupied by the
2015, Vector Informatik GmbH
Version: 5.03.00
39 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
RAM  block  itself  should  be  equal  to  the  configured  length.  However,  the  actual  size
depends  on  the  size  of  the  object  (variable)  the  application  declares.  The  size  of  each
management area is currently 3 bytes.
However, though they need to be considered when estimating (overall) RAM consumption,
RAM blocks technically belong to the clients of NVM.
The configuration options affecting RAM consumption pertain to size of the  queue(s) and
the option  job prioritization. The  size  of  one  queue  entry  depends  on  the  target  platform
and the compiler options used. It ranges from 8 bytes (16 bit platform, 16bit pointers) to 12
bytes (32bit architectures, aligned structure members).
Additionally the setting Internal Buffer for Crc Handling affects RAM usage: If enabled,
the NVM internally allocates a RAM buffer. Its size is at least the size of largest NVRAM
block configured with CRC, including CRC size. Sizes of NVRAM Blocks configured with
Use  Synchronisation  Mechanism,  will  also  be  considered  in  calculation  of  internal
buffer’s size.
Additionally, each NVRAM block with Calc RAM Block CRC gets a dedicated RAM area
for CRC storage,  exactly matching CRC’s size. As a result,  applications’  RAM blocks  do
not  need  to  provide  additional  space  for  CRC.  Therefore  it  does  not  affect  RAM
consumption.
5.6.2
ROM Usage
Because each NVRAM block’s configuration is compiled into a constant block descriptor,
the  ROM  needed  is  also  affected  by  the  whole  number  of  configured  NVRAM  blocks.
Again, the size of one descriptor varies with the target platform and the compiler options
used.
There are some configuration options affecting NVM code size. The options
>  Development mode
>  API configuration class
>  use Version Info API
>  use Set Ram Block Status API
result in switching on/off complete code sections.
NVM’s  ROM  usage  does  not  depend  on  block  configured  with  ROM  defaults.  ROM
default blocks (defining default data) belong to the clients of NVM, as any callbacks do.
2015, Vector Informatik GmbH
Version: 5.03.00
40 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
5.6.3
NV Usage
The requirements on NV memory space per device are affected by the NVRAM blocks and
their  configuration.  Basically,  each  NV  block  allocates  as many  bytes  as  specified for  its
length,  plus  CRC  bytes  (if  configured).  Underlying  components  (FEE  or  EA)  would  also
add  internal  management  information,  as  well  as  padding  bytes  to  meet  NV  memory
device’s alignment requirements.
According to the management type of the NVRAM block, it consists of one or more blocks
consuming NV space:
>  NATIVE         1 NV Block
>  REDUNDANT  2 NV Blocks
>  DATASET       Count NV Blocks
5.7
How-To: Integrate NVM with AUTOSAR3 SWC’s
Embedded Interface of ASR4 NVM is NOT compatible with ASR3; especially return types
have been changed.
However, RTE encapsulates all of them: If an SWC calls a C/S-Interface’s operation (via
RTE), it always gets Std_ReturnType.
Finally, existing embedded code – SWCs as well as NVM itself – compiles against these
changed interfaces without modifications.
Unfortunately, to achieve this embedded compatibility, SWC-descriptions (which instruct
the RTE generator, how to create compatible code) slightly differ between AUTOSAR
services. Users will have to adapt their clients’ interface references in order to use
AUTOSAR4 BSW along with AUTOSAR3 SWCs.
5.7.1
NVM’s provided Interfaces/Ports.
Every interface used by client SWCs needs to be remapped.
5.7.1.1
NvMAdministration
The only operation – SetBlockProtection – changed from POSSIBLE-ERRORS() to
POSSIBLE-ERRORS(E_NOT_OK).
This definition may be exchanged at R-Port side, because the embedded software already
used Std_ReturnType (and E_OK/E_NOT_OK), due to RTE API. Code should have been
implemented in a defensive way, i.e. it should check return values.
However, this operation can only fail, if development error detection was enabled.
5.7.1.2
NvMService_AC[1|2|3][_SRBS][_Defs]
For information about naming, please refer to 7.1.4
Return types (POSSIBLE-ERRORS) of following operations changed:
>  GetErrorStatus
>  GetDataIndex
>  SetDataIndex
>  SetRamBlockStatus
2015, Vector Informatik GmbH
Version: 5.03.00
41 / 79
based on template version 3.01

Technical Reference MICROSAR NVM

Note
NvM_SetDataIndex and NvM_GetDataIndex may fail if “Development Error
  Detection” is disabled.

Similar to NvMAdministration interface, clients’ R-Port Prototypes must be associated with
these new interfaces. The implications on Runnables’ implementations are the same as
above – no changes are necessary.
5.7.2
Callbacks (Ports provided by client SWCs)
Actually, callbacks specifications did not change from AUTOSAR3 to AUTOSAR4.
However,  a  recent  feature  added  to  DaVinci  Developer  and  RTE  Generator  allows  for
more flexibility in modeling and implementing callback’ signatures.  Refer to chapter 7.1.5
for  information  the  relationship  between  modelled  callbacks  (SWC’s  P-Ports)  and  their
RUNNABLEs’ prototypes.
5.7.3
Request Result Types
In AUTOSAR4 new values for NvM_RequestResultType have been defined, namely
NVM_REQ_REDUNDANCY_FAILED and NVM_REQ_RESTORED_FROM_ROM.
However, since their actual usage is not specified, they will not be used by NVM; its
interface description omits them, and clients do not need to deal with them.
Finally, NvM uses the same set of request result values that was specified in AUTOSAR3.
Therefore, this change in specification does not require any actions.

2015, Vector Informatik GmbH
Version: 5.03.00
42 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
6  API Description
6.1
Interfaces Overview
For an interfaces overview please see Figure 3-2.
6.2
Type Definitions
Type Name
C-Type  Description
Value Range
NvM_RequestResult
uint8
An asynchronous API
NVM_REQ_OK (see chapter
Type
service can have following  4.5.1)
results or status that can
The last asynchronous request has
be polled by
been finished successfully. This is the
NvM_GetErrorStatus default value after reset. This status
().
has the value 0.
Can be delivered by all asynchronous
APIs.
NVM_REQ_NOT_OK (see
chapter 4.5.1)
The last asynchronous request has
been finished unsuccessfully.
Can be delivered by all asynchronous
APIs.
NVM_REQ_PENDING (see
chapter 4.5.1)
An asynchronous request is currently
being processed by the task.
Can be delivered by all asynchronous
APIs.
NVM_REQ_INTEGRITY_FAILED
(see chapter 4.5.1)
A NV block was supposed to be valid
but it turned out that the data are
corrupted (either CRC mismatch or the
FEE or the EA reported an
inconsistency).
Can be delivered by NvM_ReadBlock
or NvM_ReadAll.
NVM_REQ_BLOCK_SKIPPED (see
chapter 4.5.1)
The block was skipped during a multi
block request.
Can be delivered by NvM_ReadAll and
NvM_WriteAll.
NVM_REQ_NV_INVALIDATED
(see chapter 4.5.1)
The NV block is marked as invalid.
Can be delivered by NvM_ReadBlock
or NvM_ReadAll.
NVM_REQ_CANCELLED (see
chapter 4.5.1)
2015, Vector Informatik GmbH
Version: 5.03.00
43 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Type Name
C-Type  Description
Value Range
The last asynchronous
NvM_WriteAll() has been
cancelled by
NvM_CancelWriteAll().
NvM_BlockIdType
uint16
It is the type of a block
{
[0. .2𝑛[, ]215. . 215 + 2𝑛[,
}
handle that is used by the
𝑛 = 16 − NVM_DATASET_SELECTION_BITS
application in order to

access a NVM block. There  NVM_DATASET_SELECTION_BITS
are two reserved IDs:
is the maximum number of bits that are
needed in order to store the maximum
>  Block ID 0 for multi
block requests (Block  dataset value.
ID 0 is only allowed
The second range describes each
for API
block’s DCM alias. Block ID 0 does not
NvM_GetErrorStatus( have such an alias.
)) and
Example:
The dataset block with the greatest
>  Block ID 1 for the
configuration Id block number of datasets has six of them. So
  it is necessary to store the data index
The block handles are
0…5 to select the appropriate dataset
created as defines in an
block. To store the value five, three bits
ascending define list.
are necessary. So

NVM_DATASET_SELECTION_BITS has

the value 3.
This means that only the block IDs
0 … 8191 are available as block
handles. Additionally NVM provides
access to these IDs’ block aliases via
handles 32768+1 … 32768+8191
NvM_ServiceIdType
uint8
Service Ids of the different  NVM_INIT (0u)
service routines of the
NVM_SET_DATA_INDEX (1u)
NVM.
NVM_GET_DATA_INDEX (2u)
NVM_SET_BLOCK_PROTECTION
(3u)
NVM_GET_ERROR_STATUS (4u)
NVM_SET_RAM_BLOCK_STATUS
(5u)
NVM_READ_BLOCK (6u)
NVM_WRITE_BLOCK (7u)
NVM_RESTORE_BLOCK_DEFAULTS
(8u)
NVM_ERASE_BLOCK (9u)
NVM_CANCEL_WRITE_ALL (10u)
NVM_INVALIDATE_NV_BLOCK
(11u)
NVM_READ_ALL (12u)
NVM_WRITE_ALL (13u)
NVM_MAINFUNCTION (14u)
NVM_GET_VERSION_INFO (15u)
NVM_SET_BLOCK_LOCK_STATUS
(16u)
The single values are applied as
2015, Vector Informatik GmbH
Version: 5.03.00
44 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Type Name
C-Type  Description
Value Range
defines.
See also chapter 4.5.1
Table 6-1
Type definitions
6.3
Global API Constants
These  NVM  specific  constants  are  available  through  the  inclusion  of  NvM.h.  They  are
configurable within DaVinci Configurator Pro.
>  NVM_COMPILED_CONFIG_ID: configured identifier for the NV memory layout
>  NVM_NO_OF_BLOCK_IDS: number of all defined NVRAM Blocks (including reserved
blocks)
>  Name of the NVRAM blocks
6.4
Services provided by NVM
The NVM API consists of services, which are realized by function calls.
6.4.1
NvM_Init
Prototype
void NvM_Init ( void )
Parameter
--
--
Return code
void
--
Functional Description
Service for basic NVM initialization. The time consuming NVRAM block initialization and setup according to
the block descriptor is done by the NvM_ReadAll request.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
Expected Caller Context
>  This service is expected to be called in application context.
>  It is expected to be exclusively called by ECU State Manager (or a comparable component)
Table 6-2
NvM_Init
6.4.2
NvM_SetDataIndex
Prototype
Std_ReturnType NvM_SetDataIndex ( NvM_BlockIdType BlockId,
  uint8 DataIndex )
2015, Vector Informatik GmbH
Version: 5.03.00
45 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Parameter
BlockId
The Block identifier.
DataIndex
Index position of a Block in the NV Block of Dataset type.
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. Det error occurred.
Functional Description
The request sets the specified index to associate a dataset NV block (with/without ROM blocks) with its
corresponding RAM block. The DataIndex needs to have a valid value before a read/write/erase or
invalidate request is initiated.
If the dataset block has a set of ROM defaults, this function is used (prior to NvM_ReadBlock()) to select
the appropriate ROM set.
Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 2 or 3 is configured.
>  The NVRAM manager shall have been initialized before this request is called.

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This service is expected to be called in application context.
Table 6-3
NvM_SetDataIndex
6.4.3
NvM_GetDataIndex
Prototype
Std_ReturnType NvM_GetDataIndex ( NvM_BlockIdType BlockId,
  uint8* DataIndexPtr )
Parameter
BlockId
The Block identifier.
DataIndexPtr
Address where the current DataIndex shall be written to
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. Det error occurred.
Functional Description
The request passes the current DataIndex (association) of the specified dataset block.
2015, Vector Informatik GmbH
Version: 5.03.00
46 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 2 or 3 is configured.
>  The NVRAM manager shall have been initialized before this request is called.
Expected Caller Context
>  This service is expected to be called in application context.
Table 6-4
NvM_GetDataIndex
6.4.4
NvM_SetBlockProtection
Prototype
Std_ReturnType NvM_SetBlockProtection ( NvM_BlockIdType BlockId,
  boolean ProtectionEnabled )
Parameter
BlockId
The Block identifier.
ProtectionEnabled
This parameter is responsible for setting the write protection of a selected
NVRAM block:
TRUE: enable protection
FALSE: disable protection
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. Det error occurred.
Functional Description
The request sets the write protection for the NV block. Any further write/erase/invalidate requests to the
NVRAM block are rejected synchronously if the NV block-write protection is set. The data area of the RAM
block remains writable in any case.
Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 3 is configured.
>  The NVRAM Manager shall have been initialized before this request is called. The protection
cannot be released for a write once block that has already been written.

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This service is expected to be called in application context.
Table 6-5
NvM_SetBlockProtection
2015, Vector Informatik GmbH
Version: 5.03.00
47 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
6.4.5
NvM_GetErrorStatus
Prototype
Std_ReturnType NvM_GetErrorStatus ( NvM_BlockIdType BlockId,
  uint8* RequestResultPtr )
Parameter
BlockId
The Block identifier.
RequestResultPtr
Pointer where the result shall be written to.
Result is of type NvM_RequestResultType. All possible results are
described in chapter 6.2.
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. Det error occurred.
Functional Description
The request reads the block dependent error/status information and writes it to the given address. The
status/error information was set by a former or current asynchronous request.
This API can also be requested with BlockId 0 (multi block). Then the multi block error/status information
will be read to the given address. Only NvM_ReadAll() and NvM_WriteAll() are multi block requests
and change the status/error information of the multi block.
Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is always available.
>  The NVRAM Manager shall have been initialized before this request is called.
Expected Caller Context
>  This service is expected to be called in application context.
Table 6-6
NvM_GetErrorStatus
6.4.6
NvM_GetVersionInfo
Prototype
void NvM_GetVersionInfo ( Std_VersionInfoType* versioninfo )
Parameter
versioninfo
Pointer to the address where the version info shall be written to.
Return code
void
--
Functional Description
The request writes the version info (Vendor ID, module ID, SW major version, SW minor version, SW patch
version) to the given pointer.
Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is available if the pre-compile switch Use version info API is enabled.
Expected Caller Context
2015, Vector Informatik GmbH
Version: 5.03.00
48 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
>  This service is expected to be called in application context.
Table 6-7
NvM_GetVersionInfo
6.4.7
NvM_SetRamBlockStatus
Prototype
Std_ReturnType NvM_SetRamBlockStatus ( NvM_BlockIdType BlockId,
boolean BlockChanged )
Parameter
BlockId
The block identifier.
BlockChanged
Sets the new status of the RAM block:
TRUE: Validates the RAM block and marks it as changed. If the block has a
CRC and the option NVM_CALC_RAM_BLOCK_CRC is TRUE the CRC
calculation is initiated.
FALSE: Mark the block as unchanged
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. Det error occurred.
Functional Description
The request sets a block’s status to valid/changed respectively to unchanged. Setting a block to changed
marks it for writing it during NvM_WriteAll().
If the block shall be set to changed, it has a CRC and the option NVM_CALC_RAM_BLOCK_CRC is TRUE the
CRC calculation of the RAM block is initiated.

Note
Though this service is defined to operate synchronously, the CRC re-calculation will be
performed asynchronously. However, there is no restriction on accessing RAM block data, or
  on calling other services. Consistency of data and CRC is ensured by WriteBlock/WriteAll,
which will unconditionally recalculate the CRC before writing. Requesting CRC re-calculation,
using NvM_SetRamBlockStatus again, will be recognized in a save way, the calculation
will be re-queued, if necessary..

Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is always available.
>  The NVRAM Manager shall have been initialized before this request is called.
Expected Caller Context
>  This service is expected to be called in application context.
Table 6-8
NvM_SetRamBlockStatus

2015, Vector Informatik GmbH
Version: 5.03.00
49 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
6.4.8
NvM_SetBlockLockStatus
Prototype
void NvM_SetBlockLockStatus ( NvM_BlockIdType BlockId,
  boolean Locked )
Parameter
BlockId
The Block identifier.
Locked
This parameter is responsible for setting the lock protection status of a
selected NVRAM block:
TRUE: Lock shall be enabled
FALSE: Lock shall be disabled
Return code
-

Functional Description
Service for setting/resetting the lock of a NV block.
If locked, the NV contents associated to the NVRAM block identified by BlockId, will not be modified by any
subsequent write request, i.e. the Block will be skipped during NvM_WriteAll; other requests, namely
NvM_WriteBlock, NvM_InvalidateNvBlock, NvM_EraseNvBlock, will be rejected without error
notification to Det or Dem; i.e. they just return E_NOT_OK.
During processing of NvM_ReadAll, a locked NVRAM block shall be loaded from NV memory, regardless
of RAM block’s state (see 4.4.10). After that the lock is disabled again.
If a block gets locked with NvM_SetBlockLockStatus, only the original NVRAM block is locked,
regardless which BlockId was passed - original or DCM (see chapter 4.4.17)

Expert Knowledge
It is allowed to use this service for an already pending block. However, setting a lock
  affects only subsequent requests; an already pending write will be processed.
This is a deviation from AUTOSAR, which prohibits this request for a pending block.

Particularities and Limitations
>  This service is synchronous.
>  This service is re-entrant.
>  This service is always available independent on API configuration class.
>  The NVRAM Manager shall have been initialized before this request is called. The protection
cannot be released for a write once block that has already been written.
>  The service is only usable by BSW components; it is not accessible via RTE.

Expected Caller Context
>  This service is expected to be called by DCM.
Table 6-9
NvM_SetBlockLockStatus

2015, Vector Informatik GmbH
Version: 5.03.00
50 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
6.4.9
NvM_MainFunction
Prototype
void NvM_MainFunction ( void )
Parameter
--
--
Return code
void
--
Functional Description
This function has to be called cyclically. It is the entry point of the NVRAM Manager. In here the processing
of the asynchronous jobs (read/write/erase/invalidate/CRC calculation…) is handled.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is always available.
>  The NVRAM Manager shall have been initialized before this request is called.
Expected Caller Context
>  This service is expected to be called in application context.
Table 6-10
NvM_MainFunction
6.4.10  NvM_ReadBlock
Prototype
Std_ReturnType NvM_ReadBlock ( NvM_BlockIdType BlockId,
uint8* NvM_DstPtr )
Parameter
BlockId
The Block identifier.
NvM_DstPtr
Pointer where the data of a non-permanent RAM block shall be written to. If
the block is permanent NULL_PTR shall be passed.
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. because of a list overflow.
Functional Description
Request to copy the data of the NV block to its corresponding RAM block. This function queues the read
request and returns the acceptance result synchronously.
The NVM can notify the application by callback when the service is finished.
2015, Vector Informatik GmbH
Version: 5.03.00
51 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Particularities and Limitations
>  This service is asynchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 2 or 3 is configured.
>  The NVRAM Manager shall have been initialized before this request is called. In development
mode the service will not accept the call if the block is already queued (either for this or for a
different service).

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This service is expected to be called in application context.
Table 6-11
NvM_ReadBlock
6.4.11  NvM_WriteBlock
Prototype
Std_ReturnType NvM_WriteBlock ( NvM_BlockIdType BlockId,
  const uint8* NvM_SrcPtr )
Parameter
BlockId
The Block identifier.
NvM_SrcPtr
Pointer where the data of a non-permanent RAM block shall be read from. If
the block is permanent, NULL_PTR shall be passed.
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. list overflow.
Functional Description
Request for copying data from the RAM block to its corresponding NV block. This function queues the write
request and returns the acceptance result synchronously.
If the block has a CRC, the RAM block CRC will be recalculated before the data and the CRC are written to
the NV memory, even if the service NvM_SetRamBlockStatus was called before and the configuration
was set that within this service, the CRC calculation should be done.
If writing the data to NV memory fails, the NVM will retry writing. The number of write retries is a
configuration option.
The NVM can notify the application by callback when the service is finished.
2015, Vector Informatik GmbH
Version: 5.03.00
52 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Particularities and Limitations
>  This service is asynchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 2 or 3 is configured.
>  The NVRAM Manager shall have been initialized before this request is called. In development
mode the service will not accept the call if the block is already queued (either for this or for a
different service). If the block’s write protection is activated it can’t be written.

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This service is expected to be called in application context.
Table 6-12
NvM_WriteBlock
6.4.12  NvM_RestoreBlockDefaults
Prototype
Std_ReturnType NvM_RestoreBlockDefaults ( NvM_BlockIdType BlockId,
  uint8* NvM_DstPtr )
Parameter
BlockId
The Block identifier.
NvM_DstPtr
Pointer where the data of a non-permanent RAM block shall be written to. If
the block is permanent, NULL_PTR shall be passed.
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. list overflow.
Functional Description
Request to copy the ROM block default data to its corresponding RAM block. The selected block needs
either ROM defaults or an initialization callback.
This function queues the restore request and returns the acceptance result synchronously.
The NVM can notify the application by callback when the service is finished.
2015, Vector Informatik GmbH
Version: 5.03.00
53 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Particularities and Limitations
>  This service is asynchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 2 or 3 is configured.
>  The NVRAM Manager shall have been initialized before this request is called. In development
mode the service will not accept the call if the block is already queued (either for this or for a
different service). This function is not intended for reading ROM sets of a dataset ROM block.
Use NvM_ReadBlock instead for these blocks.

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This service is expected to be called in application context.
Table 6-13
NvM_RestoreBlockDefaults
6.4.13  NvM_EraseNvBlock
Prototype
Std_ReturnType NvM_EraseNvBlock ( NvM_BlockIdType BlockId )
Parameter
BlockId
The Block identifier.
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. list overflow.
Functional Description
Request to erase a specified NV block. This function queues the erase request and returns the acceptance
result synchronously.
The NVM can notify the application by callback when the service is finished.
2015, Vector Informatik GmbH
Version: 5.03.00
54 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Particularities and Limitations
>  This service is asynchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 3 is configured.
>  The NVRAM Manager shall have been initialized before this request is called. In development
mode the service will not accept the call if the block is already queued (either for this or for a
different service). If the block’s write protection is activated it also can’t be erased.

Caution
Pay attention that only high priority jobs (priority 0) can be erased!

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This service is expected to be called in application context.
Table 6-14
NvM_EraseNvBlock
6.4.14  NvM_InvalidateNvBlock
Prototype
Std_ReturnType NvM_InvalidateNvBlock ( NvM_BlockIdType BlockId )
Parameter
BlockId
The Block identifier.
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. list overflow.
Functional Description
Request to invalidate a specified NV block. This function queues the invalidate request and returns the
acceptance result synchronously.
The NVM can notify the application by callback when the service is finished.
2015, Vector Informatik GmbH
Version: 5.03.00
55 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Particularities and Limitations
>  This service is asynchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 3 is configured.
>  The NVRAM Manager shall have been initialized before this request is called. In development
mode the service will not accept the call if the block is already queued (either for this or for a
different service). If the block’s write protection is activated it also can’t be invalidated.

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This service is expected to be called in application context.
Table 6-15
NvM_InvalidateNvBlock
6.4.15  NvM_ReadAll
Prototype
void NvM_ReadAll ( void )
Parameter
--
--
Return code
void
--
2015, Vector Informatik GmbH
Version: 5.03.00
56 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Functional Description
Request to (re)load all RAM blocks that have the option NVM_SELECT_BLOCK_FOR_READALL
selected. The function queues the request that will be processed asynchronously in
NvM_MainFunction.
Before reloading a block’s NV data, it first checks if the RAM block data is still valid. This can only
be assured if the block has a checksum. In case of valid RAM data, the NV data will not be
reloaded.

Caution
Non-permanent blocks and dataset blocks are also skipped during a ReadAll job.

The first block that is read from NV memory is the configuration ID (block 1). The value is
compared to the compiled configuration ID. The result of this check affects the further processing
of the ReadAll job, depending on the setting of Dynamic Configuration Handling: If disabled, all
NVRAM blocks will be processed as described above, regardless of the result of
reading/checking the configuration ID (match/mismatch/block invalid/integrity error/read failure).
If Dynamic Configuration Handling is enabled, the NVM loads all NVRAM blocks as described
above, only if it detected a configuration ID match. Otherwise (including failures) those blocks
having option Resistant to Changed Software set will be loaded as if the configuration ID
matched. The NVRAM blocks having this option cleared will be restored with ROM defaults, if
available, and if Select for ReadAll was configured.
When the last block is reloaded the NVM can notify the application by callback (configurable multi
block callback).
Particularities and Limitations
>  This service is a multi block request.
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is always available.
>  The NVRAM Manager shall have been initialized before this request is called.

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new
  requests for a pending block.

Expected Caller Context
>  This function is intended only to be called by the ECU State Manager during startup.
Table 6-16
NvM_ReadAll
6.4.16  NvM_WriteAll
Prototype
void NvM_WriteAll ( void )
Parameter
--
--
2015, Vector Informatik GmbH
Version: 5.03.00
57 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Return code
void
--
Functional Description
Request to write all blocks with changed RAM data that have the option
NVM_SELECT_BLOCK_FOR_WRITEALL selected to the NV memory. The function will queue the WriteAll job
that will be processed asynchronously.

Caution
Non-permanent and dataset blocks will not be written during NvM_WriteAll().

When the last block is written the NVM can notify the application by callback (configurable multiblock
callback).

Note
It is not recommended to make any assumption on the order in which blocks will be
  processed.
It is only ensured that the ConfigID block (ID1) is the final block being processed, in
order to “commit” a Configuration Update and any related activity.

Particularities and Limitations
>  This service is a multi block request.
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is always available.
>  The NVRAM Manager shall have been initialized before this request is called.

Note
Usage of Explicit Synchronization, does not permit NvM’s clients to issue new requests for a
pending block.

Expected Caller Context
>  This function is intended only to be called by the ECU State Manager during shutdown.
Table 6-17
NvM_WriteAll
6.4.17  NvM_CancelWriteAll
Prototype
void NvM_CancelWriteAll ( void )
Parameter
--
--
Return code
void
--
2015, Vector Informatik GmbH
Version: 5.03.00
58 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Functional Description
Request to cancel a running NvM_WriteAll() request. This call en-queues the request that will be
processed asynchronously.
Particularities and Limitations
>  This service is asynchronous.
>  This service is non re-entrant.
>  This service is always available.
>  The NVRAM Manager shall have been initialized before this request is called.
Expected Caller Context
>  This service is expected to be called in application context.
Table 6-18
NvM_CancelWriteAll
6.4.18  NvM_KillWriteAll
Prototype
void NvM_KillWriteAll ( void )
Parameter
--
--
Return code
void
--
Functional Description
Request to cancel a running NvM_WriteAll() request destructively. To keep required wake-up response
times in an ECU the ECUM has the possibility to time-out a non-destructive NvM_CancelWriteAll()
request.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
>  This service is available if the pre-compile switch NvmKillWriteAllApi (only in Generic Editor
in container Nvm_30_CommonVendorParams) is enabled independent on API configuration
class.
>  The NVRAM Manager shall have been initialized before this request is called.
Expected Caller Context
>  This service is expected to be called by ECUM
Table 6-19
NvM_KilllWriteAll
6.4.19  NvM_CancelJobs
Prototype
Std_ReturnType NvM_CancelJobs ( NvM_BlockIdType BlockId)
Parameter
BlockId
The Block identifier.
2015, Vector Informatik GmbH
Version: 5.03.00
59 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Return code
E_OK
Request has been accepted.
E_NOT_OK
Request has not been accepted, e.g. because of a list overflow.
Functional Description
Request to cancel pending job for a NV Block.
Particularities and Limitations
>  This service is asynchronous.
>  This service is re-entrant.
>  This service is available if API configuration class 2 or 3 is configured.
>  The NVRAM Manager shall have been initialized before this request is called.
>  Was Cancellation successful Block result is set to NVM_REQ_CANCELED.
Expected Caller Context
>  This service is expected to be called in application context.
Table 6-20
NvM_CancelJobs
6.4.20  NvM_RepairRedundantBlocks
Prototype
void NvM_RepairRedundantBlocks (void)
Parameter
-
-
Return code
-
-
2015, Vector Informatik GmbH
Version: 5.03.00
60 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Functional Description
Request to check the redundancy within NV RAM for all configured redundant blocks. Write
protection or lock state does not matter – NvM do not change the data, it always overwrites
blocks with data from NV RAM.

If the NvM recognizes a lost redundancy, it will try to restore it via overwriting the defect block with
data from valid block.

Nothing to repair:
-
Both sub-blocks are readable
-
Both sub-blocks’ Crcs match the recalculates Crc

Repairable blocks:
-
One sub-block isn’t readable, another is
-
One sub-block’s Crc doesn’t match the recalculated one, another sub-block’s Crc does
-
Both sub-blocks’ Crcs match the data, but their do not match each other (first block is
valid)

Non-repairable blocks:
-
Both sub-blocks aren’t readable
-
Block sub-blocks’ Crc does not match the recalculated Crc

NvM will report the error NVM_E_LOSS_OF_REDUNDANCY in case block isn’t stored in NV
RAM redundantly and the NvM could not restore the redundancy.

Particularities and Limitations
>  This service is asynchronous
>  This service is re-entrant
>  This service is suspendable via all single and multi block requests – it will resume after the
requests are done
>  This service can be enabled or disabled via configuration
>  The NVRAM Manager shall have been initialized before this request is called
Call context
>  This service is expected to be called in application context.
Table 6-21
NvM_RepairRedundantBlocks
6.5
Services used by NVM
In the following table services provided by other components, which are used by the NVM
are  listed.  For details about  prototype and functionality refer to the documentation of  the
providing component.
Component
API
DET
Det_ReportError
DEM
Dem_SetEventStatus
MEMIF
MemIf_Read
MEMIF
MemIf_InvalidateBlock
MEMIF
MemIf_GetJobResult
2015, Vector Informatik GmbH
Version: 5.03.00
61 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Component
API
MEMIF
MemIf_Write
MEMIF
MemIf_EraseImmediateBlock
MEMIF
MemIf_GetStatus
MEMIF
MemIf_Cancel
MEMIF
MemIf_SetMode
CRC
Crc_CalculateCRC16
CRC
Crc_CalculateCRC32
EA
Used by MEMIF
FEE
Used by MEMIF
Table 6-22
Services used by the NVM
6.6
Callback Functions
This  chapter  describes  the  callback  functions  that  are  implemented  by  the  NVM  and  can  be
invoked by other modules. The prototypes of the callback functions are provided in the header file
NvM_Cbk.h by the NVM.
6.6.1
NvM_JobEndNotification
Prototype
void NvM_JobEndNotification ( void )
Parameter
-
-
Return code
void
-
Functional Description
Function to be used by the underlying memory abstraction to signal end of job without error.
Particularities and Limitations
>  This service is synchronous.
>  This service is non re-entrant.
Expected Caller Context
  The callback function NvM_JobEndNotification is intended to be used by the underlying
memory abstraction (Fee/Ea) to signal end of job without error.
Table 6-23
NvM_JobEndNotification
6.6.2
NvM_JobErrorNotification
Prototype
void NvM_JobErrorNotification ( void )
Parameter
-
-
2015, Vector Informatik GmbH
Version: 5.03.00
62 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Return code
void
-
Functional Description
Function to be used by the underlying memory abstraction to signal end of job with error.
Particularities and Limitations
> This service is synchronous.
> This service is non re-entrant.
Expected Caller Context
> The callback function NvM_JobErrorNotification is intended to be used by the
underlying memory abstraction (Fee/Ea) to signal end of job with error.
Table 6-24
NvM_JobErrorNotification
6.7
Configurable Interfaces
At its configurable interfaces the NVM defines notifications that can be mapped to callback
functions provided by other modules. The mapping is not statically defined by the BSW
module but can be performed at configuration time. The function prototypes that can be
used for the configuration have to match the signatures described in the following sub-
chapters.
6.7.1
SingleBlockCallbackFunction
Prototype
Std_ReturnType <SingleBlockCallbackFunction> (
NvM_ServiceIdType ServiceId,
NvM_RequestResultType JobResult )
Parameter
ServiceId
The service identifier (see chapter 6.2) of the completed request.
NvM_ServiceIdType is of type uint8.
JobResult
Result of the single block job.
Return code
E_OK
Callback function has been processed successfully
E_NOT_OK
Callback function has not been processed successfully.
Functional Description
Callback routine to notify the upper layer that an asynchronous single block request has been finished.
Particularities and Limitations
> This service is synchronous.
> This service is non re-entrant.

Caution
This description is limited to embedded code; it does not describe RUNNABLES
 implementing a callback’s behavior in an SWC, but it describes the prototype to be
implemented/generated be the RTE or by a BSW component.

2015, Vector Informatik GmbH
Version: 5.03.00
63 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Call Context
> Called from NvM_MainFunction
> Asynchronous block processing completed (except NvM_WriteAll, for NvM_ReadAll it is
configurable)
Table 6-25
SingleBlockCallbackFunction
6.7.2
MultiBlockCallbackFunction
Prototype
void <MultiBlockCallbackFunction> ( NvM_ServiceIdType ServiceId,
 NvM_RequestResultType JobResult )
Parameter
ServiceId
The service identifier (see chapter 6.2) of the completed request.
NvM_ServiceIdType is of type uint8.
JobResult
Result of the multi block job.
Return code
void
--
Functional Description
Common callback routine to notify the upper layer that an asynchronous multi block request has been
finished.
Particularities and Limitations
> This service is synchronous.
> This service is non re-entrant.
Call Context
> Called from NvM_MainFunction.
> Called upon completion of NvM_ReadAll and NvM_WriteAll, respectively
Table 6-26
MultiBlockCallbackFunction
6.7.3
InitBlockCallbackFunction
Prototype
Std_ReturnType <InitBlockCallbackFunction> ( void )
Parameter
--
--
Return code
Std_ReturnType
NVM always returns E_OK.
2015, Vector Informatik GmbH
Version: 5.03.00
64 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Functional Description
Callback routine which shall be called by the NVM module to copy default data to a RAM block if
a ROM block is configured.

Note
During calling init block callback related block is still busy. No request for it shall be
 issued as long as block is busy.

Particularities and Limitations
> This service is synchronous.
> This service is non re-entrant
Call Context
> Called from NvM_MainFunction
> Called during processing of NvM_ReadAll, if application shall copy default values into the
corresponding RAM block.
Table 6-27
InitBlockCallbackFunction
6.7.4
Callback function for RAM to NvM copy
Prototype
Std_ReturnType <NvM_WriteRamBlockToNvm> ( void* NvMBuffer )
Parameter
NvMBuffer
Internal RAM mirror where Ram block data shall be written to
Return code
E_OK
Callback function has been processed successfully
E_NOT_OK
Callback function has not been processed successfully.
Functional Description
Block specific callback routine which shall be called in order to let the application copy data from
RAM block to internal NvM RAM mirror.

Note
During calling NvM_WriteRamBlockToNvM callback related block is still busy. No
 request for it shall be issued as long as block is busy.

Particularities and Limitations
> This service is synchronous.
> This service is non re-entrant
Call Context
> Called from NvM_MainFunction
> Called during processing of NvM write requests, if application shall copy RAM block data into
the internal RAM mirror.
Table 6-28
Callback function for RAM to NvM copy
2015, Vector Informatik GmbH
Version: 5.03.00
65 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
6.7.5
Callback function for NvM to RAM copy
Prototype
Std_ReturnType <NvM_ReadRamBlockFromNvm> ( const void* NvMBuffer )
Parameter
NvMBuffer
Internal RAM mirror where Ram block data can be read from
Return code
E_OK
Callback function has been processed successfully
E_NOT_OK
Callback function has not been processed successfully.
Functional Description
Block specific callback routine which shall be called in order to let the application copy data from
NvM module’s mirror to RAM block.

Note
During calling NvM_ReadRamBlockFromNvM callback related block is still busy. No
 request for it shall be issued as long as block is busy.

Particularities and Limitations
> This service is synchronous.
> This service is non re-entrant
Call Context
> Called from NvM_MainFunction
> Called during processing of NvM read requests, if application can copy data from internal RAM
mirror to RAM block.
Table 6-29
Callback function for NvM to RAM copy
6.8
Service Ports
Via Service Ports the software components (SWC) have the possibility to execute services
of the NVM with an abstract RTE interface. Hence, the software components are
independent from the underlying basic software stack.
6.8.1
Client Server Interface
A client server interface is related to a Provide Port (Pport) at the server side and a
Require Port (Rport) at client side.
Configuration dependent naming details are described in the chapters 7.1.3 and 7.1.4.
6.8.1.1
Provide Ports on NVM side
At the Pports of the NVM the API functions described in 6.4 are available as Runnable
Entities. The Runnable Entities are invoked via Operations. The mapping from a SWC
client call to an Operation is performed by the RTE. In this mapping the RTE adds Port
Defined Argument Values to the client call of the SWC, if configured.
The following subchapters present the Pports defined for the NVM and their Operations,
the API functions related to those Operations and the Port Defined Argument Values to be
added by the RTE:
2015, Vector Informatik GmbH
Version: 5.03.00
66 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
6.8.1.1.1
Padmin_<BlockName>
A port of type Padmin is a Pport of one NVRAM block, which is configured to use Service
Ports.
If the SWC setting Long Service Port Names is enabled, the name of the service ports is
Padmin_<BlockName>; if Long Service Port Names is disabled, the name is
Padmin_<BlockId>.
Available if API Config Class = 3
Operation
API Function
Port Defined Argument Values
SetBlockProtection
NvM_SetBlockProtection()
NvM_BlockIdType4 1..n

Table 6-30
Operations of Port Prototype Padmin_<BlockName>
6.8.1.1.2
PS_<BlockName>
A port of type PS is a Pport of one NVRAM block, which is configured to use Service Ports.
If the SWC setting Long Service Port Names is enabled, the name of the service ports is
PS_<BlockName>; if Long Service Port Names is disabled, the name is PS_<BlockId>.
Operation
API Function
Port Defined Argument Values
GetErrorStatus 1
NvM_GetErrorStatus()
NvM_BlockIdType4 1..n

SetRamBlockStatus1
NvM_SetRamBlockStatus()
NvM_BlockIdType4 1..n

SetDataIndex2,5
NvM_SetDataIndex()
NvM_BlockIdType4 1..n

GetDataIndex2,5
NvM_GetDataIndex()
NvM_BlockIdType4 1..n

ReadBlock2
NvM_ReadBlock()
NvM_BlockIdType4 1..n

WriteBlock2
NvM_WriteBlock()
NvM_BlockIdType4 1..n

RestoreBlockDefaults2, 6
NvM_RestoreBlockDefaults() NvM_BlockIdType4 1..n

EraseBlock3
NvM_EraseNvBlock()
NvM_BlockIdType4 1..n

InvalidateNvBlock3
NvM_InvalidateNvBlock()
NvM_BlockIdType4 1..n

Table 6-31
Operations of Port Prototype PS_<BlockName>
1. Always available
2. Available if API Config Class >= 2
3. Available if API Config Class = 3
4. Is derived from the block’s position in the configuration
5. Only available for blocks of Management Type Dataset
6. Only available for blocks with Rom defaults configured
2015, Vector Informatik GmbH
Version: 5.03.00
67 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
6.8.1.2
Require Ports
NVM invokes callbacks using Rports. These Operations have to be provided by the SWCs
by means of Runnable Entities using Pports. These Runnable Entities implement the
callback functions expected by the NVM.
The following subchapters present the Require Ports defined for the NVM, the Operations
that are called from the NVM and the related Notifications, which are described in chapter
6.7.
6.8.1.2.1
NvM_RpNotifyFinished_Id<BlockName>
A port of type NvM_RpNotifyFinished_Id is a Rport of one NVRAM block, which is
configured to use Service Ports.
If the SWC setting Long Service Port Names is enabled, the name of the service ports is
NvM_RpNotifyFinished_Id<BlockName>; if Long Service Port Names is disabled, the
name is NvM_RpNotifyFinished_Id<BlockId>.
Available in all API Config Classes but Use Callbacks must be enabled.
Operation
Notification
JobFinished
SingleBlockCallbackFunction

Table 6-32
Operation of Port prototype NvM_RpNotifyFinished_Id<BlockName>
2015, Vector Informatik GmbH
Version: 5.03.00
68 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
7  Configuration
7.1
Software Component Template
7.1.1
Generation
The definition of the Provide Ports is described in an XML file. This file describes the NVM
as a software component with ports to which other applications can connect. This XML file
is  always  saved  consistent  to  the  current  ECUC  file  when  the  project  in  DaVinci
Configurator is saved. The target directory for SW-C files can be set  in  the  Dpa file. For
more information see documentation of DaVinci Configurator.
7.1.2
Import into DaVinci Developer
For further processing the generated software component template file has to be imported
into DaVinci Developer. This can be done while a DaVinci-project is open by clicking File |
Import XML File.... Choose the correct file for the import.

Figure 7-1
Import a new software component into DaVinci Developer
After  importing  the  NVM  as  software  component  there  is  a  new  component  type  in  the
library  view available. After double  clicking  the  component  NVM,  all configured ports are
presented.
The  DaVinci  tool  suite  lets  you  design  the  complete  architecture  of  a  car,  consisting  of
several ECUs, each with its own NVM. Therefore it is desirable to import several NVM SW-
C  descriptions,  each  containing  the  description  of  an  NVM  to  be  mapped  to  a  particular
ECU.  Using the  ‘Service Component  Name Parameter’  you can give  your configurations
2015, Vector Informatik GmbH
Version: 5.03.00
69 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
meaningful  unique  names.  All  elements  of  the  SW-C  description  are  unique  in  this
particular  configuration  and  are  prefixed  with  this  parameter’s  value.  However,  most
elements  are  common  to  all  SW-C  descriptions,  or  are  at  least  unique  to  the  used
configuration (which is also expressed by the elements’ names) so that some elements are
contained in each different SW-C description. During import, DaVinci will warn you about
these doubled elements. You can ignore them (overwrite the existing elements); they are
identical.
7.1.3
Dependencies on Configuration of NVM Attributes
The configuration of the NVM attributes (described in chapter 7.1.5) highly influences the
resulting  SW-C  Description.  So,  the  value  of  the  parameter  Service  Component  Name
influences  the  names  of  several  elements  in  the  description,  especially  the  name  of  the
Service  Component.  It  is  also  the  prefix  for  several  other  names  that  belong  to  this
particular NVM configuration (and the resulting service component).
There  is  a  couple  of  different  port  interfaces  that  will  be  generated,  depending  on  the
particular configuration. Each generated interface that results from a specific configuration
has a unique name, i.e. in different SW-C descriptions port interfaces with the same name
are compatible; they provide the same operations, each with the same arguments of same
type.
7.1.3.1
Naming of Service Port Interfaces
The  Service  Port  Interface  provides  the  prototypes  of  the  elementary  block  related
services  of  the  NVM,  such  as  read  data  from  NV  memory,  write  data  to  NV  memory.  It
generally contains the string Service.
As  described  above,  port  interfaces  resulting  from different  configurations,  have  different
names. These names are given according to this scheme:
>  Each Interface is prefixed by NvM
>  Set Ram Block Status Api
If enabled, the interface name contains the string ‘SRBS’, and it contains the operation
SetRamBlockStatus.
>  API Configuration Class
The interface name contains a short string that denotes the API configuration class it
belongs to: AC1, AC2 or AC3. The operations the interface describes in that
configuration class are described in Chapter  6.8.1.1.
>  Availability of ROM default data
The interface contains the operation RestoreBlockDefaults; it contains the string Defs.
This interface will be used by all P-Port-Prototypes belonging to a NVRAM block that
was configured with ROM default data.
>  Block Management Type DATASET
The interface provides the operations GetDataIndex and SetDataIndex. Its name
contains DS. This interface will be used by all NVRAM blocks of Management Type
DATASET
The first two possibilities are common within one SW-C Description. Only one combination
of  them  will  occur.  Unless  API  Configuration  Class  1  was  chosen,  Port  Interfaces
describing any combination of the latter two possibilities may be generated.
2015, Vector Informatik GmbH
Version: 5.03.00
70 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
7.1.4
Service Port Prototypes
For each active NVRAM block (including the configuration ID block) that was configured
with Use Service Ports port, prototypes will be generated. The port interfaces they are
based on can differ. The interfaces depend on the block’s configuration, and hence on the
operations that are necessary for current block.
7.1.4.1
Port Prototype Naming
The short name uniquely identifying the prototype is based on the numeric block ID (which,
in turn, is derived from the block’s position in the configuration) and the port interface
class it corresponds to.
Each prototype is prefixed by the String NvM_; the next substring describes the
corresponding port interface, and whether it is a Provide Port (‘Pp’) or a Require Port
(‘Rp’):
> Padmin
Linked with port interface NvMAdministration (only in API Configuration Class 3)
> PS
Linked with Port Interface ‘NvMService_AC{1|2|3}[_SRBS][_Defs][_DS]’. The actual
interface depends on the possibilities described above.
> NvM_RpNotifyFinished
Linked with Port Interface NvMNotifyJobFinished that describes the interface used by
the NVM for single block job end notification
If SWC setting Long Service Port Names is disabled, each port prototype’s name is post
fixed by _Id{BlockId}. If SWC setting Long Service Port Names is enabled, each port
prototype’s name is post fixed by ‘_{BlockName}’.
Additionally each port prototype contains a long name as well as a description, which
describe it in a better, human readable form. They contain the logical block name, as
configured, instead of the block ID, and the used port interface’s short name.
7.1.5
Modelling SWC’s callback functions
According to AUTOSAR, the prototype of a SingleBlockCallbackFunction (Chapter 6.7.1),
differs from that of a RUNNABLE implementing SWC’s behavior of that callback. Therefore
the prototype describes the RTE function called by NVM.
The prototype of the RUNNABLE, which is actually called by RTE, must match model, i.e.
the return type must match the information given in callback’s interface description
(“Application Errors”). The correct modelling would be “no Application Errors”, which
requires a RUNNABLE implementation without return type:
void <init_cbk_runnable_name>(void)
void <jobend_cbk_runnable_name>( NvM_ServiceIdType ServiceId,
NvM_RequestResultType JobResult)
However, DaVinci Developer since Version 3.8 along with MICROSAR RTE version
4.04.00 and later enable NVM to support another different (actually incompatible) function
prototype:
Std_ReturnType <init_cbk_runnable_name>(void)
2015, Vector Informatik GmbH
Version: 5.03.00
71 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
Std_ReturnType <jobend_cbk_runnable_name>( NvM_ServiceIdType
ServiceId,
NvM_RequestResultType JobResult)

Both implementations require slightly different Interface definitions; they may be adapted
using DaVinci Developer. From a modeling point of view, the runnable must be
implemented according to the Interface associated with the related Pport-Prototype.

Figure 7-2 A
“Single Block Job End Notification” with return type Std_ReturnType

2015, Vector Informatik GmbH
Version: 5.03.00
72 / 79
based on template version 3.01

Technical Reference MICROSAR NVM

Figure 7-3 A
“Single Block Job End Notification” with return type void.
NVM itself provides interfaces as described by Figure 7-3. To make SWCs independent of
this definition, they may associate their PPort prototype to their own interface definitions,
according to their (planned) RUNNABLEs’ implementations. Of course, the interface must
be compatible according to AUTOSAR’s rules; which limits possible interface definitions to
exactly one of both mentioned here.
7.2
Configuration of NVM Attributes
The NVM attributes can be configured using the DaVinci Configurator. The outputs of the
configuration and generation process are the configuration source files.
The description of each used parameter is set in the NvM bswmd file.
Only additional information is given in this chapter.
2015, Vector Informatik GmbH
Version: 5.03.00
73 / 79
based on template version 3.01

Technical Reference MICROSAR NVM

Caution
Because sizeof-operator cannot be used during configuration in production code
  because sizes also affect lower layers, the exact sizes of your NVRAM blocks, and
hence your data structures must be known at configuration time. Therefore you are
required to determine these values by yourself. This leads to some significant pitfalls:
>  The sizes of basic data types are platform dependent. To handle this problem, you
should use only AUTOSAR data types as defined in Std_Types.h (respectively
Platform_Types.h). They are defined to have the same size on all platforms. The
enumeration type’s size also depends on your platform, the compiler and its options.
Be aware of the size the compiler actually chooses. Usually an enum equals to an
int by default, but you can force it to be the smallest possible type (e.g. char).
>  Be aware of the composition of bit fields. It can be affected by compiler switches.
>  The compiler may rearrange members of structures to save memory. The best
solution would be to arrange members according to their type manually. The
compiler may add unused padding bytes to increase accessibility to the members of
a structure. According to the previous fact, you should order your structure’s
members. Doing so, you should be aware of aligned start addresses for larger
integral data types (e.g. uint16 or uint32) according to the CPU’s requirements
for accessing them.
>  As stated above, some compiler switches influence the sizes of data types. Keep in
mind that changing these ones may result in changed sizes of your data blocks,
leading to a reconfiguration of NVM.
A good way to determine the blocks’ sizes is to extract the required information from
the linker file or from the generated object.

2015, Vector Informatik GmbH
Version: 5.03.00
74 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
8  AUTOSAR Standard Compliance
8.1
Deviations
>  In contrast to AUTOSAR most configuration parameters are link-time parameters.
>  Saving RAM CRC of current block is configuration dependent. Either it is saved behind
the block’s data or it is saved internally by NVM in an own variable.
>  Unified handling of ROM defaults among all block management types is processed.
Rom defaults handling of blocks of type dataset is just like the handling of blocks of the
other management types.
>  NVM is able to provide the Config Id’s RAM block on its own.
>  NvM_WriteAll() does not write unchanged data, even if this would repair (redundant)
NV data.
>  Attempts to write to a locked block (NvM_SetBlockLockStatus) are explicitly not
treated as Development Error; error NVM_E_BLOCK_LOCKED is not defined.
>  NvM_SetBlockLockStatus is allowed for pending Blocks; no related Development
Error Check will be performed.
>  Block CRC type CRC8 is not supported.
>  Write retries can only be globally configured, rather than individually per NVRAM Block
>  Calls to Explicit Synchronization callbacks (see chapter 4.4.18) cannot be limited by
configuration. Rather those functions are expected to succeed within few attempts.
8.2
Additions/ Extensions
8.2.1
Parameter Checking
The  internal  parameter  checks  of  the API  functions  can  be  en-/disabled  separately.  The
AUTOSAR standard  requires en-/disabling of the complete parameter checking only. For
details see chapter 4.5.1.1.
8.2.2
Concurrent access to NV data
NVM provides for DCM possibility to access NV data concurrently with NVM application.
(see chapter 4.4.17)
8.2.3
RAM-/ROM Block Size checks
NVM can be configured to check all RAM and ROM blocks’ lengths against corresponding
NV Block lengths, using sizeof operator; see chapter 4.5.3.
8.2.4
Calculated CRC value does not depend on number of calculation steps
Due to the specified CRC32 algorithm, and missing further requirements on NVM’s CRC
calculation,  a  calculated  CRC32  value  depends  on  the  number  of  necessary  calculation
steps  (defined  by  block  length  and  parameter  CRC  Bytes  per  Cycle).  Unless  the  CRC
can be calculated with one step (i.e. the block is small enough), the CRC32 value will not
match the value resulting from calling the CRC32 library function once for the whole block.
2015, Vector Informatik GmbH
Version: 5.03.00
75 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
The reason is the negation of the result, as specified for CRC32 (which in turn belongs to
standard/widely used Ethernet CRC). This behavior introduces some drawbacks on NVM,
especially:
>  Changing parameter CRC Bytes per Cycle (for run-time optimization), in an existing
(already flashed) project. Data blocks with CRC32 could not be read after the update.
>  CRC32 values cannot be verified outside NVM (e.g. for testing purposes), without
knowing the configuration – each single step would have to be reproduced.
>  Valid data blocks along with their CRC32 cannot be pre-defined using standard CRC
algorithms.
NVM circumvents these restrictions by reverting the final negation of each single CRC32
calculation step, except the last one. This (quite simple) measure guarantees that the CRC
value does NOT depend on the number of calculation steps, as it is originally guaranteed
for CRC16 (since it will not be inverted by the CRC library).
8.3
Limitations
There are no limitations.

2015, Vector Informatik GmbH
Version: 5.03.00
76 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
9  Glossary and Abbreviations
9.1
Glossary
Term
Description
DaVinci Configurator  Configuration and generation tool for MICROSAR.
Pro
DCM
Diagnostic Communication Manager
GCE
Generic Configuration Editor – generic tool for editing AUTOSAR
configuration files.
In DaVinci Configurator, the view can be switch to Generic Editor.
Per Instance Memory  Memory (RAM) to be used by an instance of an Softwar Component,
(PIM)
provide by RTE. It may also be used as permanent or tempary RAM
block.
Such a memory need is usually modeled using a tool like DaVinci
Developer.
Primary NV Block
The first NV block of an NVRAM Block of type Redundant. During reads,
this block will always be tried first. During writes it will be preferred,
unless only secondary is defective.
Secondary NV Block  The second NV block of an NVRAM Block of type Redundant. During
reads and this block will be accessed second; if primary is defective.
Table 9-1
Glossary
9.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
CRC
Cyclic Redundancy Check
DEM
Diagnostic Event Manager
DET
Development Error Tracer
DPA
DaVinci Project Assistant
EA
EEPROM Abstraction Module
ECU
Electronic Control Unit
ECUC
ECU Configuration
ECUM
ECU State Manager
EEP
EEPROM Driver
EEPROM
Electrically Erasable Programmable Read Only Memory
FEE
Flash EEPROM Emulation Module
FIFO
First In First Out
FLS
Flash Driver
2015, Vector Informatik GmbH
Version: 5.03.00
77 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
GCE
Generic Configuration Editor
HIS
Hersteller Initiative Software
ISR
Interrupt Service Routine
MemHwA
Memory Hardware Abstraction Layer
MEMIF
Memory Abstraction Interface Module
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
NVM
NVRAM Manager
NV, NVRAM
Non Volatile Random Access Memory
OS
Operating System
PPort
Provide Port
RAM
Random Access Memory
ROM
Read Only Memory
RPort
Require Port
RTE
Runtime Environment
SRS
Software Requirement Specification
SWC
Software Component
SWS
Software Specification
Table 9-2
Abbreviations

2015, Vector Informatik GmbH
Version: 5.03.00
78 / 79
based on template version 3.01

Technical Reference MICROSAR NVM
10  Contact
Visit our website for more information on

>   News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 5.03.00
79 / 79
based on template version 3.01

Document Outline

18 - OS

OS

Component Documentation

18.1 - MicrosarOS_RH850_SafeContext_SafetyManual

MICROSAR OS SafeContext

18.2 - MicrosarOS_RH850_SafeContext_SafetyManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80

18.3 - MicrosarOS_RH850_SafeContext_SafetyManuals

Safety Manual MICROSAR OS SafeContext

MICROSAR OS SafeContext
Safety Manual

RH850 with Green Hills Compiler

Authors
Senol Cendere, Yohan Humbert
Version
1.05
Status
Released
Document ID OS03.00124.10

2015, Vector Informatik GmbH
Version: 1.05 1 / 80

Safety Manual MICROSAR OS SafeContext
Document Information
History
Author
Date
Version  Remarks
Senol Cendere
2014-02-17  1.00
Creation for RH850
Senol Cendere
2014-02-26  1.01
Updated the Requirement IDs
Senol Cendere
2014-05-09  1.02
Adaption for RH850 P1M
Senol Cendere
2014-08-18  1.03
Reworked after Safety Manual Review
Senol Cendere
2014-09-22  1.04
Added reference for Renesas Electronics RH850/P1M
Safety Application Note
Removed CPU derivative specification
Removed compiler options (both are specified in safety
case)
Yohan Humbert
2014-12-03  1.05
Added level support

[END OF HIST ORY]

2015, Vector Informatik GmbH
Version: 1.05                           2 / 80

Safety Manual MICROSAR OS SafeContext

2015, Vector Informatik GmbH
Version: 1.05 3 / 80

Safety Manual MICROSAR OS SafeContext
Reference Documents
No.  Source
Title
Version
[1]
AUTOSAR Operating System Specification1
3.x -
4.x
[2]
OSEK/VDX Operating System Specification2
2.2.3
[3]    Vector Informatik GmbH  User manual of Vector MICROSAR OS
6.03
TechnicalReference_Microsar_Os.pdf
[4]    Vector Informatik GmbH  User manual of Vector MICROSAR OS RH850,   1.04
hardware specific part
TechnicalReference_MICROSAROS_RH850_S
afeContext.pdf
[5]
International Organization for Standardization,

Draft International Standard ISO/DIS 26262
Road Vehicles - Functional Safety (all parts),
2009
[6]    Renesas Electronics
V850E3v5 Architecture Specifications
(4th edition)
[7]    Renesas Electronics
RH850 G3M User’s Manual: Software
Rev. 0.10

r01us0042ej0020_rh850g3m.pdf
Oct. 2012
[8]    Renesas Electronics
RH850/P1x Group User’s Manual: Hardware
Rev. 0.60
r01uh0436ej0041_rh850p1x.pdf
Jul. 2014
[9]    Green Hills Software
MULTI: Building Applications for Embedded
PubID:
V850 and RH850 build_v800.pdf
build_v800-
472243
Date:
September 12,
2012
[10]   Vector Informatik GmbH  Vector MICROSAR OS SafeContext Concept
1.03
[11]   Renesas Electronics
RH850/P1M Safety Application Note
Rev.0.20
September 1,
2014

1 This document is available in PDF-format on the Internet at the Autosar homepage: http://www.Autosar.org
2 This document is available in PDF-format on the Internet at the OSEK/VDX homepage: http://www.osek-vdx.org
2015, Vector Informatik GmbH
Version: 1.05                           4 / 80

Safety Manual MICROSAR OS SafeContext
1
Purpose
1.1
Safety Element out of Context (SEooC)
MICROSAR OS SafeContext is a Safety Element out of Context (SEooC). It is developed
based  on  assumptions  on  the  intended  functionality,  use  and  context,  including  external
interfaces.  To  have  a  complete  safety  case,  the  validity  of  these  assumptions  has  to  be
checked in the context of the actual item after integration of the SEooC.
The application conditions for SEooC provide the assumptions made on the requirements
(including  safety  requirements)  that  are  placed on the  SEooC by  higher  levels  of design
and also on the design external to the SEooC and the assumed safety requirements and
assumptions related to the design of the SEooC.
Information  given  by  this  document  helps  to  check  whether  the  SEooC  fulfills  the  item
requirements,  or  whether  a  change  to  the  SEooC  is  necessary  in  accordance  with  the
requirements of ISO 26262.
1.2
Standards and Legal requirements
Standards followed by the development of MICROSAR OS SafeContext:
>  ISO 262623
>  OSEK OS4
>  AUTOSAR OS5


3 International Standard ISO 26262 Road Vehicles - Functional Safety (all parts), 2011
4 OSEK/VDX Operating System, v2.2.3
5 AUTOSAR Specification of Operating  System
2015, Vector Informatik GmbH
Version: 1.05                           9 / 80

Safety Manual MICROSAR OS SafeContext
2
Concept
This  chapter  provides  a  description  of  the  assumed  safety  requirements  and  the  main
concept.
2.1
SafeContext Is One Part of a Whole
SafeContext  is  part  of  Vector  SafeExecution.  SafeExecution  consists  of  SafeContext  for
prevention from corrupted data and SafeWatchdog for supervision of timing behavior. This
document covers SafeContext only. [SPMF92:0050]
2.2
Safety Goal
The safety goal is to ensure context integrity for all safety critical parts. Whenever a safety
critical  code  is  executed,  it  is  guaranteed  that  the  code  is  executed  with  the  correct
context. After  pre-emption  or  interruption,  execution  is  resumed  with  the  correct  context.
The  integrity  of  the  memory  is  ensured  by  usage  of  hardware  (e.g.  MPU)  and  software
measures.
2.3
Safety Requirements
To  achieve  this  safety  goal,  the  following  assumed  safety  requirements  are  provided  by
SafeContext:
ASA_OS_1:  Non-trusted  software  must  be  prevented  from  overwriting  data  of  safety
relevant software.
ASA_OS_2: A runtime context (Task, Hook, (Non-)Trusted-Function and ISR) must not be
destroyed by a switch (to another runtime context).
ASA_OS_3:  A  runtime  context  shall  be  set  up  according  to  compiler  and  processor
specifications.
ASA_OS_4:  Services  to  prevent  data  inconsistencies  by  racing  conditions  shall  be
provided.
ASA_OS_5: The OS never writes to unintended memory locations.

2015, Vector Informatik GmbH
Version: 1.05                           10 / 80

Safety Manual MICROSAR OS SafeContext

2.4
SafeContext Functionality
MICROSAR OS SafeContext implements the AUTOSAR OS and OSEK OS standards of a
real-time operating system with some restrictions.
The functionality provided by MICROSAR OS is task switching, interrupt handling, memory
protection handling, timer services and others. SafeContext provides an efficient solution
also in respect of safety. Therefore the OSEK/AUTOSAR OS functionality is divided into 3
groups:
1.  Functionality implemented according ISO 26262 to achieve ASIL.
2.  Functionality implemented according to “Silent” principle to prevent from safety data
overwritten by OS code.
3.  Functionality  which  is  not  supported  in  SafeContext.  It  is  assumed  that  this
functionality  is  not  needed  by  a  safety  related ECU  or  it  can  be  reached by  other
existing means.

This chapter describes which of the groups certain functionality falls into.

Basic Knowledge
The idea of “Silent” code is not to disturb other software by means of unintended
  memory writes. To provide high performance, this is not achieved by a hardware
protection mechanism (which would require MPU reconfiguration for each API call) but
by analysis of the OS code.

2015, Vector Informatik GmbH
Version: 1.05                           11 / 80

Safety Manual MICROSAR OS SafeContext
Dispatcher
Scheduler
MPU management
Task management
Interrupt management
Alarm management
Event management
Resource management
Configuration (ASIL)
Configuration (QM)
ASIL
Silent
OS
Figure 2-1  Quality Levels of SafeContext Functionalities
AUTOSAR OS is a statically configured operating system. The configuration uses
configuration editors and code generators to configure the OS. To ease the safety
development the configuration is divided into two parts.
1.  Configuration of Safety relevant functionality. The configuration is stored in the ECU
in a separate configuration block.
2.  Configuration  of  silent  functionality:  This  configuration  is  generated  and  compiled
into the OS code.
Additionally  some  safety  relevant  configuration  parameters  are  generated  and  compiled
into  the  OS  code.  Those  have  to  be  reviewed  by  the  user  according  the  rules  in  this
document.

2015, Vector Informatik GmbH
Version: 1.05                           12 / 80

Safety Manual MICROSAR OS SafeContext

2.4.1  Safety Part
SafeContext provides the following functionality safely:
1.  context switching
2.  MPU management
3.  Interrupt API
4.  no unintended overwriting of memory

The context is defined as:
>  The set of registers, which is used by the compiler
>  The stack pointer
>  CPU mode (including interrupt state and privilege mode)
>  Memory Access Rights

Explanations:
>  A context switch occurs in several situations. These are: Task start/switch, ISR
entry/exit, call of OS services, call of (Non-)Trusted Functions and Hook routines.
Conclusions:
>  If a user program is executed, it will always be executed with the correct context
>  After interruptions it is guaranteed that execution is resumed with the correct context
>  Freedom from interference with respect to memory will be achieved by using memory
protection hardware (e.g. MPU) for non-trusted code.
>  Data inconsistency due to race conditions can be prevented by using the interrupt
API.

Note
Other OS functionality follows the silent principle. For example the sequence of task
  executions (scheduling) including the Task pre-emption is provided on QM level.

2015, Vector Informatik GmbH
Version: 1.05                           13 / 80

Safety Manual MICROSAR OS SafeContext
The  operating  system  provides  safe  switching  of  memory  access  rights  during  context
switches to ensure that non-trusted code does not modify data of other OS-Applications (if
not explicitly allowed). In addition the OS interrupts Tasks or ISRs to execute higher priority
ISRs. By switching to another context the correct context is set up. By switching back to an
interrupted Task or ISR, the correct and unchanged context is restored. To avoid change of
a saved context of an interrupted or waiting task, memory protecting hardware is used.
All points in the OS where context switches are performed or are necessary to perform are
identified and developed according the safety standard.
At each point in time only one context is active. All other contexts are saved and protected
by hardware against accidental alterations.

inactive
inactive
active
inactive
inactive
inactive
time
MPU Protection
now
MPU Protection
Register
Register
Register
Register
Register
Register
Context
Context
Context
Context
Context
Context
Stack
Stack
Stack
Stack
Stack
Stack

Figure 2-2  Stored and active contexts

2015, Vector Informatik GmbH
Version: 1.05                           14 / 80

Safety Manual MICROSAR OS SafeContext
2.4.2  Detailed List of Functionality
2.4.2.1  Safety
The following OS services and there functionality is developed according to ASIL.
Class
Description
OS Service APIs
StartOS
osInitialize
osInitINTC
ShutdownOS
DisableAllInterrupts
EnableAllInterrupts
SuspendAllInterrupts
ResumeAllInterrupts
SuspendOSInterrupts
ResumeOSInterrupts
CallTrustedFunction
CallNonTrustedFunction
osReadPeripheral8
osReadPeripheral16
osReadPeripheral32
osWritePeripheral8
osWritePeripheral16
osWritePeripheral32
osModifyPeripheral8
osModifyPeripheral16
osModifyPeripheral32
osCheckMPUAccess
osGetConfigBlockVersion
GetApplicationID
GetISRID
GetTaskID
osGetStackUsage
osGetSystemStackUsage
osGetISRStackUsage
OS System Hooks
StartupHook
ErrorHook
ProtectionHook
ShutdownHook
Table 2-1   Safety Functionality

2015, Vector Informatik GmbH
Version: 1.05                           15 / 80

Safety Manual MICROSAR OS SafeContext
2.4.2.2  Silent
The  following  API  functions  are  developed  according  to  Silent  principle.  SafeContext
ensures that they do not violate the assumed safety goal mentioned.  Exceptions may be
possible, if one of these features has been explicitly ordered as safety relevant. Read the
hardware specific part of this document if so.
Class
Description
OS service API
ActivateTask
TerminateTask
ChainTask
Schedule
GetTaskState
GetResource
ReleaseResource
SetEvent
ClearEvent
GetEvent
WaitEvent
GetAlarm
SetRelAlarm
SetAbsAlarm
CancelAlarm
GetActiveApplicationMode
CheckObjectAccess
CheckObjectOwnership
StartScheduleTableRel
StartScheduleTableAbs
StopScheduleTable
NextScheduleTable
GetScheduleTableStatus
IncrementCounter
GetElapsedValue/GetElapsedCounterValue
GetCounterValue
Timer handling
The handling of timer hardware is realized as QM software.
Scheduling
The correct sequence of processing application programs is realized with
QM-Software (priority handling, including Resources).
ORTI
ORTI is only supported in Silent part of the OS.
Table 2-2   Silent Functionality

2015, Vector Informatik GmbH
Version: 1.05                           16 / 80

Safety Manual MICROSAR OS SafeContext
2.4.2.3 Not provided
The features listed in the following table are not supported in SafeContext per default.
Exceptions may be possible, if one of these features has been explicitly ordered. Read the
hardware specific part of this document if so.
Class
Description
OS service API
TerminateApplication
CheckISRMemoryAccess
CheckTaskMemoryAccess
> For ShutdownOS the AUTOSAR OS requirement OS054 is not
supported, i.e. non-trusted OS-Applications may successfully call
ShutdownOS.
StartScheduleTableSynchron
SyncScheduleTable
SetScheduleTableAsync
COM
OSEK COM inter task communication with messages is not supported
Interrupt resources Resources are only available at task level.
Protection Reaction The only allowed protection reaction in the ProtectionHook is
PRO_SHUTDOWN. Other reactions will be interpreted as PRO_SHUTDOWN.
[SPMF92:0020]
Killing
Forcible terminating Tasks or Applications is not supported.
OS Hooks
PreTaskHook (only for debugging!)
PostTaskHook (only for debugging!)
ISRHook
PreAlarmHook
OS Application
StartupHook<ApplName>
specific Hooks
ErrorHook<ApplName>
ShutdownHook<ApplName>
Address Parameter In case API functions with out-parameters are called with illegal address,
Check
they do not return with the error code E_OS_ILLEGAL_ADDRESS as
required by the AUTOSAR specification. Instead the out parameter is
written with the access rights of the caller, which may lead to a memory
protection violation in case the given pointer is invalid.
Stack optimization
Single stack model is not supported.
Internal Resources Internal Resources are not supported.
Configuration
The following hooks must be enabled:
Aspects
StartupHook
ErrorHook
ShutdownHook
ProtectionHook
Only SCALABILITYCLASS SC3 or SC4 is supported. Memory protection
must be active.
STACKMONITORING must be enabled.
OSInternalChecks must be configured to Additional.
ORTIVersion = 2.0 is not supported.
ErrorInfoLevel = Modulenames is not supported.
Table 2-3 Functionality – Not provided
2015, Vector Informatik GmbH
Version: 1.05 17 / 80

Safety Manual MICROSAR OS SafeContext

2015, Vector Informatik GmbH
Version: 1.05 18 / 80

Safety Manual MICROSAR OS SafeContext
2.5
Safe State
The  safe  state  in  SafeContext  is  shutdown  (endless  loop  with  interrupts  disabled).  The
safe  state  is  entered  whenever  the  OS  detects  a  violation  of  its  safety  goal  or  even  an
attempt.  Before  the  safe  state  is  entered,  the  ShutdownHook  is  called.  The
ShutdownHook may contain user code which is necessary to reach the defined safe state
of the system. This might lead to a reset in combination with a watchdog.

2015, Vector Informatik GmbH
Version: 1.05                           19 / 80

Safety Manual MICROSAR OS SafeContext
3
Overview of Requirements to the OS User
For  integration  of  the  SafeContext  into  a  particular  context,  the  user  has  the  following
requirements to be fulfilled. They can be seen as steps to integrate the SEooC in the ECU
without harming the assumed safety goal.
The top level requirements are listed in the following table. They are considered in more
detail later. If all sub-requirements are checked, you can check the according top level
requirement too.

Description of requirements to the OS user
Fulfilled
Check that all assumptions made by SafeContext are valid

(see chapter “General SafeContext Assumptions”)
Check code integrity of the used OS sources

(see chapter “OS Source Checksum”)
Add CRC into the configuration block after linkage

(see chapter “Patching the Configuration Block”)
Check general configuration guidelines

(see chapter “General Configuration Guidelines”)
Review the safety relevant configuration data

(see chapter “Review General Part of Configuration Block”)
Review the generated code

(see chapter “Review Generated Code”)
Review your software

(see chapter “Review User Software”)
Execute MICROSAR Safe Silence Verifier (MSSV) on silent OS part

(see chapter “Qualifying Silent OS Part”)
Check specific requirements to the user

(see chapter “Hardware Specific Part”)

Caution
All requirements listed in this document must be checked and fulfilled by the user!

2015, Vector Informatik GmbH
Version: 1.05                           20 / 80

Safety Manual MICROSAR OS SafeContext
OS Configuration
(OIL or ECUC)
OS Generator
Static OS
Generated OS
Sources
Sources

ConfigBlock
OS Source
Checksum
Qualify generated
Sources
Application
(MSSV)
Sources
User Review
Review User
Software
Compiling +
Configuration in
Linking
XML

Executable
Intermediate
Read Back
Format
ConfigBlock

In Human
Patching the
Readable
Configuration Block
Hex Converter
ConfigBlock
Executable
Hex File
Verify ConfigBlock
Flashing
Read Back
ECU

Figure 3-1  Strategy for safety configuration
2015, Vector Informatik GmbH
Version: 1.05                           21 / 80

Safety Manual MICROSAR OS SafeContext
4
General SafeContext Assumptions
All  assumptions  must  be  checked  to  be  true.  Assumptions  concerning  the  focus  of
SafeContext  are  given  by  the  safety  goals  and  related  safety  requirements  described  in
the safety case. Assumptions about the environment are described in this chapter.

Description of requirements to the OS user
Fulfilled
Know the SafeContext concept

The system safety concept must not rely on OS functionality developed according to
the Silent principle. A complete list of API functions and the guarantees they give is
provided in chapter “Detailed List of Functionality”. [SPMF92:0075]
Know your memory configuration

Setup of memory sections must be planned by the system designer. Whether or not
the planned setup is configured correctly must be verified by reading the configuration
back from the ECU and reviewing it against system design and hardware manuals.
Know the OS specifications

The user shall read the OS specifications for OSEK OS and AUTOSAR OS.
Know how to use the OS

The user shall read the OS manuals:
>  General Technical Reference Manual
>  Specific Technical Reference Manual
Versions are listed in the delivered safety case.
Correctness of processor

The  processor  provides  its  functionality  with  sufficient  safety,  so  that  the  OS  needs
not take care about potential hardware failure. This might be assured by usage of a
lockstep processor.
Correctness of memory

The memory works with sufficient safety, so that the OS needs not to take care about
potential hardware failure.
Correctness of MPU

The  MPU  provides  its  functionality  with  sufficient  safety,  so  that  the  OS  needs  not
take care about potential hardware failure.
The  OS  provides  an API  (osCheckMPUAccess)  which  can  be  used  by  the  user  to
check the MPU.
Correctness of hardware manuals

The Hardware manuals and the compiler manuals are sufficiently reliable, so that the
OS  needs  not  take  care  about  potential  deviations  between  hardware  functionality
and its description in the manuals.
Versions of the used hardware manuals are listed in the delivered safety case.
[SPMF92:0017]
Correctness of compiler tool chain

SafeContext assumes that the compiler, assembler and linker generate code with the
required safety level.
Correctness of compiler version and options

2015, Vector Informatik GmbH
Version: 1.05                           22 / 80

Safety Manual MICROSAR OS SafeContext
Description of requirements to the OS user
Fulfilled
The  used  compiler  version  and  options  are  identical  to  them  which  are  used  during
development.
Used compiler version and options are listed in the delivered safety case.
Code integrity

The source code and generated configuration of MICROSAR OS SafeContext is
compiled, linked and downloaded to the ECU correctly and not modified afterwards.
[SPMF92:0043]
Context definition

The user shall not rely on registers, which are not part of the context of the OS.
The context definition is listed in chapter 4.1
Hardware handled by the OS shall not be manipulated by user code

User code shall not handle hardware which is handled by the OS. This may include:
>  Interrupt Controller [SPMF92:0083]
>  MPU [SPMF92:0085]
>  Timer
Don't manipulate short addressing base registers

Do not manipulate registers which are used by the compiler for relative addressing of
code or data. [SPMF92:0084]
Table 4-1   General SafeContext Assumptions
4.1
Context Definition
The context which is used by the OS consists of the following registers:
Register
Size in Byte
R1
4
R2
4
R4
28 * 4 = 112
R5
…
R30
R31
EIPC
4
EIPSW
4
CTPC
4
CTPSW
4
MPLA0
4
MPUA0
4

2015, Vector Informatik GmbH
Version: 1.05                           23 / 80

Safety Manual MICROSAR OS SafeContext
5
OS Source Checksum
The OS is delivered as source code. To assure that source code files are not altered after
the testing and release a checksum is calculated. The user shall calculate the checksum to
verify the correctness of the source code he is using. [SPMF92:0042]
A checksum calculation program (CCodeSafe.exe) is provided to the user. It is called with
the following argument:
 CCodeSafe <config.ini>

This tool calculates a CRC32 checksum over a given list of files given in <config.ini>.

Description of requirements to the OS user
Fulfilled
Use the delivered source files from Vector! Do not use changed copies in a productive
system! Also consider header include order of the compiler.
The <config.ini> shall contain the OS sources listed in the safety case.

The calculated checksum returned by CCodeSafe is identical to the checksum given
in the safety case.

2015, Vector Informatik GmbH
Version: 1.05 24 / 80

Safety Manual MICROSAR OS SafeContext

Example
An example for a <config.ini> file:

# src directory:
<INSTALLATION_DIRECTORY>\BSW\Os\atosappl.c
<INSTALLATION_DIRECTORY>\BSW\Os\atostime.c
<INSTALLATION_DIRECTORY>\BSW\Os\osek.c
<INSTALLATION_DIRECTORY>\BSW\Os\osekasm.c
<INSTALLATION_DIRECTORY>\BSW\Os\osekalrm.c
<INSTALLATION_DIRECTORY>\BSW\Os\osekerr.c
<INSTALLATION_DIRECTORY>\BSW\Os\osekevnt.c
<INSTALLATION_DIRECTORY>\BSW\Os\osekrsrc.c
<INSTALLATION_DIRECTORY>\BSW\Os\oseksched.c
<INSTALLATION_DIRECTORY>\BSW\Os\osekstart.c
<INSTALLATION_DIRECTORY>\BSW\Os\osektask.c
<INSTALLATION_DIRECTORY>\BSW\Os\osektime.c
<INSTALLATION_DIRECTORY>\BSW\Os\osSysCallTable.c

# include directory:
<INSTALLATION_DIRECTORY>\BSW\Os\Os.h
<INSTALLATION_DIRECTORY>\BSW\Os\Os_cfg.h
<INSTALLATION_DIRECTORY>\BSW\Os\osek.h
<INSTALLATION_DIRECTORY>\BSW\Os\osekasrt.h
<INSTALLATION_DIRECTORY>\BSW\Os\osekcov.h
<INSTALLATION_DIRECTORY>\BSW\Os\osekerr.h
<INSTALLATION_DIRECTORY>\BSW\Os\osekext.h
<INSTALLATION_DIRECTORY>\BSW\Os\osekasm.h
<INSTALLATION_DIRECTORY>\BSW\Os\oseksched.h
<INSTALLATION_DIRECTORY>\BSW\Os\emptymac.h
<INSTALLATION_DIRECTORY>\BSW\Os\testmac1.h
<INSTALLATION_DIRECTORY>\BSW\Os\vrm.h
<INSTALLATION_DIRECTORY>\BSW\Os\osSysCallTable.dld

2015, Vector Informatik GmbH
Version: 1.05 25 / 80

Safety Manual MICROSAR OS SafeContext
6
Patching the Configuration Block
Configuration information which is relevant to reach the safety goal is stored in a data
structure called the configuration block. The integrity of this information is checked in
StartOS using a CRC checksum.
The CRC must be calculated after compiling and linking the application. There are two
programs provided to calculate and apply the CRC to the binary file:

> ElfConverter
For patching the CRC into an ELF file and optionally create an
intermediate file for reading back the configuration block.
> ConfigBlockCRCPatch For patching the CRC into an Intel Hex or Motorola SREC file.

The following steps are necessary to patch the configuration block:

1. Compile and link your application
2. Run CRC patch software
3. Write modified executable into flash memory

Description of requirements to the OS user
Fulfilled
Check that CRC is non-zero. If so, change user configuration version to avoid zero
CRC. [SPMF92:0071]

6.1
Using ElfConverter
The program ElfConverter.exe is called with the following parameters:
ElfConverter <ELF File> <ConfigBlock Symbol> --out <Intermediate File>

Parameter
Description
--out <file> Dump the configuration block in intermediate format
--patch_crc Calculate the configuration block's CRC and write it into the ELF file
--print_header Print ELF header
--print_sections Print ELF sections
--print_symbols Print ELF symbols
--print_hexdump
Print a hex dump of the configuration block
--help
Show help
Table 6-1 ElfConverter parameters
2015, Vector Informatik GmbH
Version: 1.05 26 / 80

Safety Manual MICROSAR OS SafeContext

Example
Patching the configuration block in ELF file testappl.out:

ElfConverter.exe testappl.out _osConfigBlock --out testcfg.hex
--patch_crc

6.2
Using ConfigBlockCRCPatch
The program ConfigBlockCRCPatch.exe is called with the following parameters:
ConfigBlockCRCPatch <HEX File> <Output file> <ConfigBlock Address>

Example
Example (convert ELF file prj.out into prj.hex with modified CRC):

ConfigBlockCRCPatch prj.out prj.hex 0x00800000

The address of the configuration block may be taken from symbol osConfigBlock in the
linker generated map file. [SPMF92:0016]

2015, Vector Informatik GmbH
Version: 1.05 27 / 80

Safety Manual MICROSAR OS SafeContext
7
General Configuration Guidelines
Description of requirements to the OS user
Fulfilled
Non-ASIL user code shall be part of Non-Trusted Applications

All non-ASIL user code must be executed by Non-Trusted Applications with no write
access  to  safety  relevant  data  (including  stacks)  and  no  read  or  write  access  to
safety relevant peripherals. [SPMF92:02.0034]
ASIL user code shall not violate the SafeContext safety goal

All user code, which has access to safety relevant data (including stacks, and OS
data) or peripherals, must be implemented on ASIL level. This code shall never
violate the safety goals of SafeContext. [SPMF92:0011]
Code which typically has access to safety relevant data (depending on user
configuration):
>  Trusted Functions [SPMF92:0080] [SPMF92:03.0008]
>  Trusted Tasks
>  Trusted ISRs
>  System Hooks
>  StartupHook [SPMF92:0040] [SPMF92:03.0007]
>  ErrorHook [SPMF92:0012] [SPMF92:03.0006]
>  ProtectionHook [SPMF92:0009] [SPMF92:03.0005]
>  ShutdownHook [SPMF92:0013] [SPMF92:03.0009]
>  Reset handler / Startup Code [SPMF92:0005] [SPMF92:03.0001]
>  Exception Handlers [SPMF92:0087]
>  Category 1 ISRs [SPMF92:0054] [SPMF92:03.0004]
Alignment of data sections

All data sections shall be linked with MPU alignment granularity (e.g. 32 bytes). See
the  controller’s  reference  manual  to  know  what  your  MPU  granularity  is.
[SPMF92:0065]
Consider category 1 ISRs

Category 1 ISRs are completely transparent to the OS. The OS does not perform
stack switching for category 1 ISRs! Consider this during configuration of stack
sizes. [SPMF92:0086]
NMIs shall be category 1 ISRs

Non-maskable Interrupts (NMI) shall be configured to be category 1 ISRs.
[SPMF92:0053] [SPMF92:03.0002]
Link global safety data considering stack growing direction

Link global safety data (all OS data and at least ASIL relevant application data) so
that it cannot be corrupted by stack overflows (see Figure “Linking example” below
for an example). [SPMF92:0091]

2015, Vector Informatik GmbH
Version: 1.05                           28 / 80

Safety Manual MICROSAR OS SafeContext

Figure 7-1 Linking example
2015, Vector Informatik GmbH
Version: 1.05 29 / 80

Safety Manual MICROSAR OS SafeContext
8
Review General Part of Configuration Block
The configuration of MICROSAR OS SafeContext is generated into C-code. The generator
itself  has  not  been  developed  in  accordance  to  ASIL.  Therefore,  the  generated
configuration  information  needs  to  be  reviewed.  The  safety  relevant  configuration  is
generated  into  a  structure  called  configuration  block  (or  ConfigBlock).  This  chapter
describes  how  to  review  this  ConfigBlock. As  the  ConfigBlock  is  simply  a  constant  data
structure in the flash memory of an ECU, humans will have difficulties to read it. Therefore,
the configuration viewer is able to transform the ECU internal representation into a human
readable  format.  The  process  of  reading  the  ConfigBlock  and  transforming  it  into  the
human readable format is described in the following subchapter. [SPMF92:0038]
The setup of the memory protecting hardware depends on the correct configuration of the
OS.  All  configuration  parameters,  which  are  necessary  to  ensure  the  safety  goal,  are
stored in a contiguous memory block (configuration block). The configuration block can be
located  to  a  fix  address  and  can  be  read  back  from  the  ECU,  e.g.  by  XCP  or  a  debug
interface. [SPMF92:0034]
The configuration block is secured by a 16 bit CRC. The way how the configuration block
is read back does not need to be safe. The configuration block is translated into a human
readable format to allow a review against the intended configuration.
8.1
How to Read Back the Configuration
The configuration is read back in two steps:
1.  Create intermediate ConfigBlock file format, by either using
>  ElfConverter with parameter –out
>  Or read back the ECU binary and convert it into the intermediate format (using the
HexConverter)
2.  Conversion of the intermediate format into human readable output (using the
ConfigViewer)
The  configuration  block  format  is  platform  dependent.  Also  this  information  may  be
retrieved in different ways, e.g. as the HEX output of the linker or as an upload from the
ECU via a protocol like XCP. As this may result in various file formats a conversion into an
intermediate format is required.

2015, Vector Informatik GmbH
Version: 1.05                           30 / 80

Safety Manual MICROSAR OS SafeContext

8.1.1 Using HexConverter
The program HexConverter.exe is called with the following parameters:
HexConverter –i <Input File> -o <Output File> -b <Base Address>
-s <ConfigBlock Size>

All parameters are mandatory.
Parameter Value
Description
-i
Input File Path & Name
File containing the HEX data produced by the linker
-o
Output File Path & Name
File with intermediate format generated by
HexConverter
-b
Base Address
Base address of the configuration block as defined in
the linker map file.
It is the address of the symbol ‘osConfigBlock’.
Value has to be given as HEX (e.g. 0x8001f000).
-s
0xFFFF
This value must be at least the size of the configuration
block in byte. Bigger values are also allowed.
E.g. this value can be set to 0xFFFF
Table 8-1 HexConverter parameters

8.1.2 Using ConfigViewer
The program ConfigViewer.exe is called with the following parameters:
ConfigViewer –i <Input File> -o <Output File> -c <XML File>

Parameter Value
Description
-i
Input File Path & Name
File containing the intermediate data produced by the
HexConverter
-o
Output File Path & Name
File with human readable configuration description
generated by ConfigViewer
-c
XML-ConfigFile
XML file, generated by the OS generator describing the
OS configuration
Table 8-2 ConfigViewer parameters
The configuration viewer expects the intermediate format to contain nothing else than the
configuration block.

2015, Vector Informatik GmbH
Version: 1.05 31 / 80

Safety Manual MICROSAR OS SafeContext
8.2
General Configuration Information
The  following  subchapters  concentrate  on  the  output  of  the  configuration  viewer  and  on
the  rules  to  review  it.  The  configuration  viewer  and  the  format  converters  are  described
separately.
To minimize  variants  in  code,  the  OS  generator  introduces dummies for  each  OS  object
type. These dummies can be identified by the prefix “osSystem” and are handled the same
way like other OS objects. None of these objects is active at runtime.
Description of requirements to the OS user
Fulfilled
Check that the listed configuration block address and length is correct and matches
the map file.
Check that the listed configuration block format is 2.00

Check  that  the  listed  version  of  MICROSAR  OS  SafeContext  matches  your
delivered version.
If  you  are  using  the  user  configuration  version,  check  that  the  listed  one  matches
your configured value.
Check  that the  listed  number  of  OS  objects matches  your  configuration.  (Consider
that dummy OS objects are generated, to minimize variants in the OS code.)
Check  number  of  listed  OS  objects  matches  the  elements  in  the  sub  containers.
[SPMF92:0074]
Check that the listed specific stack start and end addresses match your

configuration. (The stack end addresses in the configuration block point to the first
address outside the stack.)

2015, Vector Informatik GmbH
Version: 1.05                           32 / 80

Safety Manual MICROSAR OS SafeContext
9
Review Generated Code
MICROSAR OS is a massively configurable software component. As a result, the analysis
of the OS modules cannot be completely performed until the user’s configuration data is
available. The user shall use MICROSAR Safe Silence Verifier (MSSV) to qualify the
generated part of the OS, which depends on user’s configuration. MSSV is a Vector tool,
which performs checks of potential dangerous code constructs. [SPMF92:0049] For more
information about MSSV see the Technical Reference Manual of MSSV6.
Description of requirements to the OS user
Fulfilled
The user must not modify a generated module configuration code file manually

unless explicitly required by the technical reference manual or explicitly direction
formulated by Vector.
All generated files of a software project shall be generated based on the same

configuration. Generated files of several configurations must not be mixed up unless
explicitly allowed by Vector.
The user shall apply steps for qualifying the generated sources on the final

configuration which is used for the production. If the configuration changes, source
qualification steps shall be reapplied.

9.1
Manual Reviews
Some generated code parts currently cannot be checked automatically. Therefore the user
has to check them manually.

9.1.1 Review generated file tcb.h
Description of requirements to the OS user
Fulfilled
If interrupt level support is supported in your delivery, you shall review the system

level (osdSystemLevel) to be the maximum of all category 2 ISR priorities and
osdSystemLevelMask to be the corresponding value, which has to be stored in
PMR register to mask (disable) all category 2 interrupts. [SPMF92:02.0019]
[SPMF92:04.0017] [SPMF92:02.0033]
#define osdSystemLevel <MAXIMUM_OF_ALL_CAT2_ISR_PRIORITIES>
#define osdSystemLevelMask <PMR_VALUE_MASK_ALL_CAT2_ISR>

Check that osdExceptionDetails is defined = 1

#define osdExceptionDetails 1


6 TechnicalReference_MSSV.pdf, v1.3
2015, Vector Informatik GmbH
Version: 1.05 33 / 80

Safety Manual MICROSAR OS SafeContext
10 Qualifying Silent OS Part
MICROSAR OS is a massively configurable software component. As a result, the analysis
of the OS modules cannot be completely performed until the user’s configuration data is
available. The user shall use MICROSAR Safe Silence Verifier (MSSV) to qualify the
generated part of the OS, which dependent on user’s configuration. MSSV is a Vector tool,
which performs checks of potential dangerous code constructs inside BSW modules which
depend on user configuration data. [SPMF92:0049] For more information about MSSV see
the Technical Reference Manual of MSSV7. [SPMF92:0088]

10.1 Using MICROSAR Safe Silence Verifier (MSSV)
The following chapter tells how you shall apply MSSV on the OS sources.
MSSV is called with the following parameters:
MSSV.exe --inputDir <PATH_TO_TCB> --inputDir <PATH_TO_OS_INCLUDE>
--reportFile <REPORT.html> --define osdNOASM

Parameter
Description
<PATH_TO_TCB>
Path to generated OS files (typically contained in the tcb folder).
<PATH_TO_OS_INCLUDE> Path to OS header files (typically contained in the implementation
folder).
<REPORT.html>
File name which shall be used to save the MSSV report.
--define osdNOASM
Disable assembler parts.

Description of requirements to the OS user
Fulfilled
The MICROSAR Safe Silence Verifier shall only be executed on Windows XP SP3+
(32Bit) or Windows 7 (32Bit or 64Bit).
The user must not modify the MICROSAR Safe Silence Verifier report.

The user shall verify that the used OS sources are checked by verifying the names

and paths of the modules within the report.
The user shall verify that the evaluated report matches to the execution of the

MICROSAR Safe Silence Verifier by verifying the name, creation date and time,
path and folder of the report.
Check that MSSV returns with no errors, no warnings and the final verdict of the

report is “pass”. If MSSV did not pass contact OS support. [SPMF92:0088]


7 TechnicalReference_MSSV.pdf, v1.3
2015, Vector Informatik GmbH
Version: 1.05 34 / 80

Safety Manual MICROSAR OS SafeContext

Example
An example for qualifying generated OS sources:

MSSV.exe -i "tcb" -i"..\..\include" --define osdNOASM
The output of MSSV should look like:
note: MICROSAR Safe Silence Verifier Version 1.01.02
note: Copyright (C) 2012-2013 Vector Informatik GmbH
note: License <CBD0900253> VDO AUTOMOTIVE AG

note: MSSV.exe started at 09:39:55 2014-02-19
…
note: MSSV.exe finished at 09:39:57 2014-02-19
note: 0 Errors
note: 0 Warnings
note: the final verdict of the report is 'pass'

2015, Vector Informatik GmbH
Version: 1.05 35 / 80

Safety Manual MICROSAR OS SafeContext
11  Review User Software
Some  code  parts  run  in  supervisor  mode  without  any  memory  protection  active  or  with
high memory access granted. Therefore, freedom from interference is not  guaranteed by
the OS and the hardware. Trusted software has to guarantee freedom from interference on
its  own.  The  application  programmer  typically  knows  best,  what  is  to  do  in  order  to
guarantee  freedom  from  interference.  Anyhow,  there  are  few  additional  points  to  be
covered when an OS is used.
The  following  requirements  shall  generally  be  fulfilled  by  trusted  software  (also  valid  for
software which runs in supervisor mode or with access to safety relevant memory areas):
Description of requirements to the OS user
Fulfilled
OS code coverage shall be disabled

Check  that  osdEnableCoverage  is  not  defined  when  you  compile  the  OS.
[SPMF92:0077]
FPU usage shall be disabled

Check that osdRH850_FPU is not defined via compiler option –DosdRH850_FPU
Check that osdRH850_FPU is only defined in file osekext.h
Unhandled exception details shall be enabled

Check that osdExceptionDetails is defined = 1 (see tcb.h)
Check that OS attribute EnumeratedUnhandledISRs is set TRUE
No usage of system call instructions in the user software

Any system call causes the CPU to change into supervisor mode. Therefore, the
application (trusted and non-trusted parts) shall not use system calls directly.
Instead, system calls shall only be used by using OS APIs.
User header usrostyp.h

If trusted functions are configured, ensure that usrostyp.h does not endanger
SafeContext safety requirements.
Enabling interrupts where it is not allowed

Interrupts  shall  not  be  enabled  by  the  application  where  Category  2  ISRs  are
disabled by default (e.g. in Hooks). This applies not to ISRs. In ISRs it is allowed to
enable interrupts. [SPMF92:0066]
Use only documented APIs

Trusted  software  shall  only  call  documented  API  functions,  which  are  listed  in
chapter “Detailed List of Functionality”. [SPMF92:0068]
Stack usage measurement is not exact

Stack  usage  measurement  is  implemented  by  counting  magic  patterns
(osdStackCheckPattern)  on  the  stack  which  have  been  written  there  during
startup. The returned value may not be correct, if the magic pattern did not change
(e.g. the user application uses the same value). [SPMF92:0072]
Usage of osCheckMPUAccess API

If  you  are  using  the  osCheckMPUAccess API,  the  destination  address  parameter
shall  point  to  an  address,  where  reading  and  writing  does  not  produce  other
exceptions than MPU exceptions.
2015, Vector Informatik GmbH
Version: 1.05                           36 / 80

Safety Manual MICROSAR OS SafeContext
Description of requirements to the OS user
Fulfilled
Usage of osCheckMPUAccess API

If  you  are using the  osCheckMPUAccess API,  Check  that the API function  is  only
called  with  addresses  which,  reading  and  writing  does  not  have  any  side  effects
(e.g. potentially not true for peripheral registers). [SPMF92:02.0017].
If you have write access to stacks, stack overflows cannot be detected by hardware
The OS cannot safely detect stack overflows in software which has write access to
all stacks. If write access to all stacks is really needed (e.g. for RAM checking), the
user  has  to  ensure  that  the  software  does  not  produce  a  stack  overflow!
[SPMF92:0078]
APIs in exception handlers

Exception handlers must not call any OS API function beside:
>  DisableAllInterrupts
>  EnableAllInterrupts
>  SuspendAllInterrupts
>  ResumeAllInterrupts
>  SuspendOSInterrupts
>  ResumeOSInterrupts
[SPMF92:0067]
Category 1 ISRs shall be transparent

All  ISRs  of  category  1  must  be  implemented  such  that  they  are  transparent  with
respect  to  the  processor  state  for  the  code  they  interrupt.  This  includes  core
registers, MPU settings and the current interrupt priority.
APIs in category 1 ISRs

Category 1 ISRs shall not call any OS API function beside:
>  DisableAllInterrupts
>  EnableAllInterrupts
>  SuspendAllInterrupts
>  ResumeAllInterrupts
[SPMF92:0067] [SPMF92:02.0018]
Check out-parameters in Trusted Functions

Trusted functions which get a pointer shall check the pointer address to be in an
expected range before they write to the pointer address. This shall prevent
overwriting of safety relevant data when writing to the pointer address.
[SPMF92:0001]
Check caller in Trusted Functions

Trusted functions shall validate whether they are called by an authorized caller only.
This may be done by using the API function GetApplicationID.
[SPMF92:0047]
No (Non-)Trusted Functions in Hooks

Hook routines shall not call any trusted function or non-trusted function.
No APIs in NMIs

Non-maskable interrupts shall not use any OS APIs.
2015, Vector Informatik GmbH
Version: 1.05                           37 / 80

Safety Manual MICROSAR OS SafeContext
Description of requirements to the OS user
Fulfilled
[SPMF92:0019], [SPMF92:0067]
Using Interrupt API before calling StartOS

If the user needs to use the interrupt API before he calls StartOS, he shall call
osInitialize and osInitINTC.
After calling these functions interrupt API works only for the straight forward case.
OS error handling and MPU won’t be initialized, so the OS won’t be able to handle
any user errors or detect stack overflows.
2015, Vector Informatik GmbH
Version: 1.05 38 / 80

Safety Manual MICROSAR OS SafeContext
12  Hardware Specific Part
For RH850 SafeContext the following safety relevant requirements must be checked by the user:

  All assembly code (outside the SafeContext) shall be reviewed, not to change the content
of registers of R4 and R5 after StartOS is called  [SPMF92:04.0001]. Check in list files that
only the startup module and the OS modules do modify registers R4 and R5.
  The user has to review that each ISR is called at least once (coverage of application). The
tests shall cover the activation of all ISRs and verify that the correct ISR was started. This
measure  shall  prevent  the  activation  of  wrong  ISRs  because  of  a  mix  up  in  the  interrupt
vector table [SPMF92:0008].
  The user has to review the configuration by means of the ConfigBlock in accordance  to the
review rules which are defined in chapter 12.2 [SPMF92:0014],[SPMF92:05.0008].
  The  user  has to  review  that  all  libraries fit to the  used  compiler  options. All  used  libraries
need  to  be  checked  for  using  the  correct  compiler  options  (e.g.  SDA  usage  need  to  be
identical to the specified options for the OS) [SPMF92:0010].
  The  PreTaskHook  and  the  PostTaskHook  must  not  be  used  in  safety  code  which  is
released for serial production. Pre/PostTaskHook shall only be used for debugging or test
purposes.  Absence  of  Pre/PostTaskHook  must  be  reviewed  in  generated  file  tcb.h:
[SPMF92:02.0022],[SPMF92:02.0023],[SPMF92:05.0011]
The user must check that the following defines are set in the generated file tcb.h:
#define osdPreTaskHook 0
#define osdPostTaskHook 0
  The  complete  config  block  content  must  be  reviewed  by  the  means  of  the  BackReader
[SPMF92:04.0002], [SPMF92:04.0006].
  The address value of the application specific linker symbols for MPU region start and end
address  must  be  checked  that  between  them  only  the  corresponding  application  data
sections are mapped [SPMF92:04.0004], [SPMF92:04.0010], [SPMF92:04.0011].
  The  address  value  of  the  linker  symbols  _osGlobalShared_StartAddr  and
_osGlobalShared_EndAddr  must  be  checked  that  between  them  only  the  global  shared
data sections are mapped [SPMF92:04.0013].
  The CPU must run in supervisor mode when StartOS is called [SPMF92:04.0007].
  The  application  shall  check  the  config  block  version  by  using  OS  API  function
osGetConfigBlockVersion [SPMF92:0045],[SPMF92:05.0010].
  The user has to review that all task stacks, all ISR stacks and the system stack have 4 Byte
alignment [SPMF92:04.0008].
  The user has to review the generated linker include files osdata.dld, osrom.dld, ossdata.dld
osstacks.dld and ostdata.dld if they are used for serial production [SPMF92:04.0014]. See
chapter 12.4.
2015, Vector Informatik GmbH
Version: 1.05                           39 / 80

Safety Manual MICROSAR OS SafeContext
 The user has to review that coverage is disabled [SPMF92:04.0015]. osdEnableCoverage
shall not be defined in header and source files and it shall not be defined via compiler
option –DosdEnableCoverage.
 The user has to consider DMA controller usage. The RH850 P1M series incorporates a
DMA controller (DMAC). The DMA controller has direct access to the data bus. Therefore
DMA access to memory is not controlled by MPU protection. This must be considered
especially for safety OS systems if any DMA access is wanted. [SPMF92:01.0002]
 The user has to review that osInitialize and osInitINTC are called before StartOS is called if
OS interrupt API functions or OS peripheral interrupt API functions are used before StartOS
[SPMF92:0058], [SPMF92:0070].
 Interrupt priority level ceiling is not supported by MICROSAR OS RH850 SafeContext. The
user has to check that before StartOS is called the interrupt priority mask register PMR
must have the value 0x00000000 and it shall not be changed after StartOS.
[SPMF92:0059],[SPMF92:0060]. This is not checked by RH850 SafeContext.
 The user has to review that all generated files belong together [SPMF92:0064]. Each
generated header and source file must start with the following comment block:
/* file: <file_path><file_name> */
/* automatically generated by genRH850SCTX.exe, Version: 6.11 */
/* from: <configuration_file_name> */
/* Generation time: <date> <time> <year> */
/* <license_and_licensee_information> */
/* Implementation: RenesasRH850_P1M */
/* Version of general code: 6.16 */
/* Dcf-file semantic version: 2.00 */
/* Dcf-file content version: 2.01 */

 The user has to review that all generated files are compiled and linked [SPMF92:0064]:
- intvect.c
- osConfigBlock.c
- osStacks.c
- tcb.c
- trustfct.c
 The user has to check that the application does not modify interrupt controller registers
EBASE, INTBP, INTCFG, SCBP and SCCFG after StartOS is called [SPMF92:0069].
 The application shall not modify any register in interrupt controller unit INTC by own
functions or routines after StartOS is called. The application shall only use the OS API
functions for changing registers in unit INTC. [SPMF92:0083]
 The user has to check validity and type of the reference parameter when calling the
following OS API functions [SPMF92:05.0001]:
- GetTaskID
- GetTaskState
- GetEvent
- GetAlarm
- GetScheduleTableStatus
- GetCounterValue
- GetElapsedValue/GetElapsedCounterValue
2015, Vector Informatik GmbH
Version: 1.05 40 / 80

Safety Manual MICROSAR OS SafeContext
 The user has to review that the size of array oskAlarmHeaps is same as
osdNumberOfCounters
and
that
each
entry
of
the
array
looks
like
[SPMF92:05.0002],[SPMF92:05.0004]:
 {
 os<CounterName>Heap,
 &osAlarmHeapCount[<CounterName>]
 },
 The user has to review that the values of the counter defines are an adjoining set from zero
to osdNumberOfCounters-1 in the generated file tcbpost.h [SPMF92:05.0003]:
example
tcb.h:
#define osdNumberOfCounters 8
tcbpost.h:
#define <CounterName0> ((CounterType) 0)
#define <CounterName1> ((CounterType) 1)
#define <CounterName2> ((CounterType) 2)
...
#define <CounterName7> ((CounterType) 7)

 The user has to review that the size of the heap arrays os<CounterName>Heap[ ] must be
equal to 1 plus the number of alarms that are related to the counter <CounterName> plus
the number of schedule tables that are related to the counter <CounterName>.
[SPMF92:05.0005]
 The user has to review that the first parameter of all calls of osSysSetEvent in tcb.c is a
task identifier which must be defined in tcbpost.h and that the value of the define is smaller
than osdNumberOfExtendedTasks. [SPMF92:05.0006]
 The user has to review that all calls of osWorkHeap in Timer ISR look like followed:
[SPMF92:05.0007]
osWorkHeap(&oskAlarmHeaps[<CounterDefineName>], <CounterDefineName>);
 The user has to review that the parameter of each call of osSysActivateTask in tcb.c is a
task identifier which must be defined in tcbpost.h [SPMF92:05.0009].
 The user has to review that the values of the task defines are adjoining set from zero to
osdNumberOfAllTasks-1 in the generated file tcbpost.h [SPMF92:05.0010].
 The user has to review that the size of the task activation arrays
osQTaskActivation_<index> which are listed in oskQActivationQueues is the same value as
oskQMaxActivations+1 [SPMF92:05.0012].
 The user has to review that the values of the Alarm defines are adjoining set from zero to
osdNumberOfAlarms-1 in the generated file tcbpost.h [SPMF92:05.0013].
 The user has to review that the array oskAlarmCounterRef[] contains exactly
osdNumberOfAlarms elements and that each element contains the index of the counter
related to that alarm [SPMF92:05.0014].
 The user has to review that the PMR register is not manipulated by his code
[SPMF92:04.0018].
2015, Vector Informatik GmbH
Version: 1.05 41 / 80

Safety Manual MICROSAR OS SafeContext
12.1 Interrupt Vector Table
Basically the interrupt vector tables must be provided by the application. An example vector table is
generated into file intvect.c. This file is generated by QM software and must not be used directly as
ASIL code. It must be reviewed carefully for compliance to the description below because the code
which is called by the interrupt vector table runs automatically in supervisor mode and therefore
this code must be developed according to ASIL level [SPMF92:0004], [SPMF92:02.0020],
[SPMF92:02.0021], [SPMF92:04.0012].
The file intvect.c consists of the following parts:
 Header Include Section
 Core Exception Vector Table
 EIINT Vector Table
 CAT2 ISR Wrappers
The following subchapters describe these parts and do intentionally not describe any comments.
12.1.1 Header Include Section
This part of the code must be exactly like:
#if defined USE_QUOTE_INCLUDES
#include "vrm.h"
#else
#include <vrm.h>
#endif
#define osdVrmGenMajRelNum 6
#define osdVrmGenMinRelNum 11
#if defined USE_QUOTE_INCLUDES
#include "vrm.h"
#else
#include <vrm.h>
#endif

#if defined USE_QUOTE_INCLUDES
#include "Os.h"
#else
#include <Os.h>
#endif

#if defined USE_QUOTE_INCLUDES
#include "osekext.h"
#else
#include <osekext.h>
#endif

2015, Vector Informatik GmbH
Version: 1.05 42 / 80

Safety Manual MICROSAR OS SafeContext
12.1.2 Core Exception Vector Table
The core exception vector table section starts exactly with the following lines:
#pragma asm
.align 512
.section ”.osExceptionVectortable”, ax
.globl _osExceptionVectorTable
_osExceptionVectorTable:

That part is followed by 32 vector table entries:
.offset <offset_addr>
.globl _osCoreException_<offset_addr>
_osCoreException_<offset_addr>:

jr
<handler_function>

<offset_addr> is the hexadecimal address offset for each exception interrupt vector.
The valid range is 0x0000, 0x0010, 0x0020 ... 0x01F0

<handler_function> is the name of the function which is called when an exception occurs.
If no handler function is configured then osUnhandledCoreException is called.
The sequence of vector table entries starts at vector address 0x0000, increases in steps of 0x0010
and ends with vector address 0x01F0.

The core exception vector table section ends exactly with the following lines:
.globl _osExceptionVectorTableEnd
_osExceptionVectorTableEnd:
#pragma endasm

2015, Vector Informatik GmbH
Version: 1.05 43 / 80

Safety Manual MICROSAR OS SafeContext
12.1.3 EIINT Vector Table
The EIINT vector table section starts exactly with the following lines:
#pragma asm
.align 512
.section ”.osEIINTVectortable”, ax
.globl _osEIINTVectorTable
_osEIINTVectorTable:

For each unused interrupt source the following table entry must be generated:
.word
_osUnhandledEIINT_<index>
<index> is the channel index of the corresponding interrupt source. The valid range is 0 ... 383.

For each interrupt source used as category 1 ISR the following table entry must be generated:
.word
_<cat1_EIINT_handler>
<cat1_EIINT_handler> is the name of the application specific EIINT handler which is called when
an interrupt on the corresponding source occurs.

For each interrupt source used as category 2 ISR the following table entry must be generated:
.word
_<cat2_EIINT_handler>_CAT2
<cat2_EIINT_handler> is the name of the OS ISR wrapper which is called when an interrupt on the
corresponding source occurs. The CAT2 ISR wrapper section is described in the next chapter.

The EIINT vector table section ends exactly with the following lines:
.globl _osExceptionVectorTableEnd
_osExceptionVectorTableEnd:
#pragma endasm

2015, Vector Informatik GmbH
Version: 1.05 44 / 80

Safety Manual MICROSAR OS SafeContext
12.1.4 CAT2 ISR Wrappers
The category 2 ISR wrapper section starts exactly with the following line:
#pragma ghs section text=".os_text"

Each category 2 ISR handler must be generated exactly like the following line [SPMF92:0044]:
osCAT2ISR(<ISR_Function_Name>, <ISR_Priority_Level>)
This macro is defined in osek.h. It defines the CAT2 ISR prologue for each interrupt priority level.
<ISR_Function_Name> is the unique name of the ISR function. This must be the same name as
used in the EIINT vector table at the corresponding channel index position with postfix _CAT2.
<ISR_Priority_Level> is the value of the interrupt priority level which is configured for the
corresponding ISR. The valid range of <ISR_Priority_Level> is 0 ... 15

The category 2 ISR wrapper section ends exactly with the following line:
#pragma ghs section text=default

2015, Vector Informatik GmbH
Version: 1.05 45 / 80

Safety Manual MICROSAR OS SafeContext
12.2  Configuration Block
This chapter defines the rules to review and interpret the entries of the configuration block.
The configuration of MICROSAR OS RH850 SafeContext is generated into C-Code. The generator
itself  has  not  been  developed  in  accordance  to  safety  requirements.  Therefore,  the  generated
configuration information needs to be reviewed. The safety relevant configuration is generated into
a  structure  called  ConfigBlock.  This  chapter  describes  how  to  review  the  ConfigBlock.  As  the
ConfigBlock is simply a constant structure in the memory of an ECU, users will have difficulties to
read it. Therefore, the configuration viewer is able to transform the ECU internal representation into
a user readable format. The process of reading the ConfigBlock and transforming it into the user
readable format is described in the following subchapter.

12.2.1 How to read back the ConfigBlock
The  ConfigBlock  is  internal  information  of  a  program  to  control  an  ECU.  It  might  be  available  in
different formats. Therefore it is difficult to provide one single configuration viewer program to read
the information and transform it into a human readable format.
So the configuration viewer is a console application which reads configuration information from a
proprietary intermediate file and writes it into a text file. Different reader programs are available to
transform  the  ConfigBlock  from  standard  formats  into  the  intermediate  format.  In  addition,  the
intermediate  format  is  quite  simple,  so  it  may  also  be  produced  by  manual  adaptation  of  a
debugger output (hex dump) with any text editor.
The  configuration  viewer  expects  the  intermediate  format  to  contain  nothing  else  than  the
ConfigBlock. Therefore, the transformation programs need the information, where the ConfigBlock
is located. That information is passed to the transformation program by means of the parameter ‘–
b’.
The  address  of  the  ConfigBlock is  easily  taken  out  of the  linker  map file.  It  is the  address  of the
constant osConfigBlock [SPMF92:0016].
The following subchapters concentrate on the output of the configuration viewer and on the rules to
review it. The configuration viewer and the format converters are described separately.
2015, Vector Informatik GmbH
Version: 1.05                           46 / 80

Safety Manual MICROSAR OS SafeContext
12.2.2 Additional Information
The  operating  system  and  therefore  also  the  ConfigBlock  typically  use  indexes  instead  of  the
names of tasks, ISRs, applications and so on. Each index value is related to exactly one object in
the  configuration  of  the  OS.  However,  the  relation  to  the  configured  object  is  typically  not  so
obvious.
Therefore,  the  configuration  viewer  provides  the  possibility  to  add  the  names  of  configuration
objects to its output. That information is taken from the so called XML config-file. The OS-generator
produces this file together with the source files it generates.
The  configuration  viewer  outputs  the  object  names  in  case  a  parameter  is  set  to  use  the
information from the XML config-file. All information taken from the XML config-file is represented
between ‘(‘ and ‘)’ to mark it as unsafe additional information.
The reviewer of the ConfigBlock has the possibility to make use of the information taken from the
XML  config-file  or  to  skip  that  information  completely.  The  review  rules  in  the  chapters  below
describe for both cases how the review shall be performed. The examples of configuration viewer
output below always contain the information from XML config-file.
Although the information taken from the XML config-file (information in parentheses) is unsafe, the
relation  between  index  and  name  of  an  object  is  guaranteed  to  be  fix.  This  means,  once  the
configuration  viewer  has  read  in  the  object  names  from  the  XML  config-file,  it  always  translates
each certain index to the exact same object name. So the relation between object index and object
name  needs  to  be  reviewed  only  once  and  can  be  seen  as  reliable  everywhere  else  in  the
configuration viewer output.
The review rules below already contain rules to validate the information taken from XML config-file,
so that information can safely be used although it is taken from an unsafe source.

2015, Vector Informatik GmbH
Version: 1.05                           47 / 80

Safety Manual MICROSAR OS SafeContext
12.2.3 How to start the review
The configuration viewer starts the output with something like [SPMF92:0063]:
OS Configuration Viewer V3.00 (General) V1.02 (HW Specific) (Apr 24 2014 15:42:59)
(c) 2013 Vector Informatik GmbH

Started at:Tue May 13 16:23:24 2014

Remark: Text between '(' and ')' shall be treated as unsafe additional information

===================================================
Start of Config Block 0x00002000
Length 588
CRC 0x9622
Config Block Format Version 02.00
MICROSAR OS RH850 SafeContext Version 06.05
User Config Version 2
===================================================

The user should start with some consistency checks like:
  Is the date (Started at) equal to the date/time when the configuration viewer was started
  Do the start address (Start of configuration block), length (Length) and CRC fit to the
configuration block which shall be reviewed
  Check  that  the  listed  version  of  MICROSAR  OS  RH850 SafeContext  matches  your
delivered version.
  Review that the user config version represents the number which was configured by means
of the configuration attribute UserConfigurationVersion [SPMF92:0045].
  Is the output complete (see below)?

The output is complete when it ends on:
=======================================================
  End of configuration block reached
=======================================================

2015, Vector Informatik GmbH
Version: 1.05                           48 / 80

Safety Manual MICROSAR OS SafeContext
12.2.3.1 Indexes of applications, task , ISRs, trusted and non-trusted functions

Check indexes of listed applications:
The indexes must begin with 0
The indexes must be consecutive. Gaps are not allowed
The indexes must end at <Number of applications>-1

Check indexes of listed tasks:
The indexes must begin with 0
The indexes must be consecutive. Gaps are not allowed
The indexes must end at <Number of tasks>-1

Check indexes of listed category 2 ISRs:
The indexes must begin with 0
The indexes must be consecutive. Gaps are not allowed
The indexes must end at <Number of category 2 ISRs> - 1

Check indexes of listed trusted functions:
The indexes must begin with 0
The indexes must be consecutive. Gaps are not allowed
The indexes must end at <Number of trusted functions> - 1

Check indexes of listed non-trusted functions:
The indexes must begin with 0
The indexes must be consecutive. Gaps are not allowed
The indexes must end at <Number of non-trusted functions> - 1

Note: The table items in the configuration viewer output may not be sorted by index.

12.2.3.2 Review against User’s Design
The chapters below describe, how the configuration viewer output can be reviewed against the
OS-configuration. However, the review shall be performed against the user’s design of the system.
The reason is that OS developers can only describe, where the respective information can be
found in the configuration but have only limited knowledge about the system design.
2015, Vector Informatik GmbH
Version: 1.05 49 / 80

Safety Manual MICROSAR OS SafeContext
12.2.4 How to review the general information (block 0)
The configuration viewer generates the general information as followed [SPMF92:0063]:
0. General Information
------------------------------------------------------
Property Value Checked?
------------------------------------------------------
Number of Tasks 4 [ ]
Number of Cat2 ISRs      3 [ ]
Number of All ISRs 4 [ ]
Number of Trusted Functions 1 [ ]
Number of Non-Trusted Functions 0 [ ]
Number of Applications 3 [ ]
Number of Peripheral Regions 0 [ ]
Stack Usage Measurement Yes [ ]
Number of MPU Regions 12 [ ]
Number of Dynamic MPU Regions 2 [ ]
Number of Static MPU Regions 4    [ ]
Number of Available Cores 1 [ ]
System Stack Start-Address 0xfedf04b0 [ ]
System Stack End-Address 0xfedf0640 [ ]
------------------------------------------------------

The review shall be performed like this:
  Count the number of configured tasks and compare it against the number of tasks
presented by the configuration viewer in the part about general information
  Check the number of Cat2 ISRs:
o  Count the number of configured ISRs with CATEGORY = 2 and compare it against
the number of Cat2 ISRs presented by the configuration viewer in the part about
general information.
o  Consider that the OS internally uses a further Cat2 ISR for alarm and schedule table
handling. That ISR is only available in case at least one alarm or a schedule table
has been configured that uses the system timer.
  Check the number of all ISRs:
o  Count the number of configured EIINT ISRs with CATEGORY = 1 and 2 and
compare it against the number of all ISRs presented by the configuration viewer in
the part about general information.
  Count the number of configured trusted functions and compare it against the number of
trusted functions presented by the configuration viewer in the part about general
information. Trusted function configurations may be found in the configuration of any OS-
applications with TRUSTED = TRUE.
  Count the number of configured non-trusted functions and compare it against the number of
non-trusted functions presented by the configuration viewer in the part about general
information. Non-trusted function configurations may be found in the configuration of any
OS-applications with TRUSTED = FALSE.
  Count the number of configured OS-applications and compare it against the number of OS-
applications presented by the configuration viewer in the chapter about general information.
  Count the number of peripheral regions configured over all non-trusted applications and
compare it against the number of peripheral regions presented by the configuration viewer.
  Compare the configuration of stack usage measurement against the respective output of
the configuration viewer in the chapter about general information. The configuration of stack
usage measurement is found in the general configuration of the OS.
2015, Vector Informatik GmbH
Version: 1.05                           50 / 80

Safety Manual MICROSAR OS SafeContext
  Check the number of MPU regions which are provided by the used CPU derivative.
  Check the number of dynamic MPU regions which must be same as the number of MPU
regions configured in the application with most dynamic MPU regions.
  Check the number of static MPU regions configured for the OS.
  Check the number of CPU cores which are provided by the used CPU derivative.
  Review of system stack addresses  [SPMF92:0056],[SPMF92:04.0003]:
o  Compare the system stack start address in the configuration viewer output against
the label  _osSystemStack_StartAddr in the linker map-file.
o  Compare the system stack end address in the configuration viewer output against
the label _osSystemStack_EndAddr in the linker map-file.
o  Check that both labels are 4 Byte aligned [SPMF92:04.0002]. This prevents that any
data of other sections is accessible by the same MPU region.
o  Check that only the array variable osSystemStack is located between the labels
described above.
o  Check the difference between the system stack start- and end-address against the
designed (and therefore also configured) system stack size.

2015, Vector Informatik GmbH
Version: 1.05                           51 / 80

Safety Manual MICROSAR OS SafeContext
12.2.5 How to review the task start addresses (block 1)
The configuration viewer generates the task start addresses as followed [SPMF92:0063]:
1. Task start addresses:
------------------------------------------------------
Task-ID Task-Name Value Checked?
------------------------------------------------------
0 (eTask1) 0x000030cc [ ]
1 (osSystemExtendedTask) 0x000059a2 [ ]
2 (bTask1) 0x00003052 [ ]
3 (osSystemBasicTask) 0x000059a0 [ ]
------------------------------------------------------

The review shall be performed like this:
 Check the linker-map-file of the project for a function called <TaskName>func. This
function must be linked to the address value as specified in the configuration viewer output
[SPMF92:02.0025].

2015, Vector Informatik GmbH
Version: 1.05 52 / 80

Safety Manual MICROSAR OS SafeContext
12.2.6 How to review the task trusted information (block 2)
The configuration viewer generates the task trusted information as followed:
[SPMF92:0061],[SPMF92:0063], [SPMF92:02.0027]
2. Task trustedness information:
-------------------------------------------------------
Task-ID Task-Name Value Checked?
-------------------------------------------------------
0 (eTask1) non-trusted [ ]
1 (osSystemExtendedTask) trusted [ ]
2 (bTask1) non-trusted [ ]
3 (osSystemBasicTask) trusted [ ]
-------------------------------------------------------

The review shall be performed like this:
  Check for each task, that the setting of the attribute TRUSTED of the owner application fits
to the value of the task trustedness information. In case the owner application has the
configuration TRUSTED=TRUE, the task must be trusted. In case the owner application
has the configuration TRUSTED=FALSE, the task must be non-trusted.
  osSystemExtendedTask and osSystemBasicTask must always be trusted.

2015, Vector Informatik GmbH
Version: 1.05                           53 / 80

Safety Manual MICROSAR OS SafeContext
12.2.7 How to review the task preemptive information (block 3)
The configuration viewer generates the task preemptive information as followed [SPMF92:0063]:
3. Task preemptiveness information:
-------------------------------------------------------------
Task-ID Task-Name Value Checked?
-------------------------------------------------------------
0 (eTask1) fully-preemptible [ ]
1 (osSystemExtendedTask) fully-preemptible [ ]
2 (bTask1)      fully-preemptible [ ]
3 (osSystemBasicTask) non-preemptible [ ]
-------------------------------------------------------------

The review shall be performed like this:
  Take the task name (as printed) and check whether this respective task preemptive setting
was really configured as printed. If preemptive is printed here, the task configuration must
contain SCHEDULE = FULL, if non-preemptive is printed here, the task configuration must
contain SCHEDULE=NON. The OS generator assures that each task has the attribute
SCHEDULE exactly once with possible values FULL or NON.
2015, Vector Informatik GmbH
Version: 1.05                           54 / 80

Safety Manual MICROSAR OS SafeContext
12.2.8 How to review the task stack start and end addresses (block 4 and 5)
The configuration viewer generates the task stack start addresses as followed [SPMF92:0063]:
4. Task stack lower boundary addresses:
------------------------------------------------------
Task-ID Task-Name Value Checked?
------------------------------------------------------
0 (eTask1) 0xfedf0640 [ ]
1 (osSystemExtendedTask) 0x00000010 [ ]
2 (bTask1) 0xfedf07d0 [ ]
3 (osSystemBasicTask) 0x00000010 [ ]
------------------------------------------------------

The configuration viewer generates the task stack end addresses as followed:
5. Task stack upper boundary addresses:
------------------------------------------------------
Task-ID Task-Name Value Checked?
------------------------------------------------------
0 (eTask1) 0xfedf07d0 [ ]
1 (osSystemExtendedTask) 0x00000000 [ ]
2 (bTask1) 0xfedf0960 [ ]
3 (osSystemBasicTask) 0x00000000 [ ]
------------------------------------------------------

The review shall be performed like this [SPMF92:0056]:
 Check that the difference between stack start and stack end address fits to the configured
size of the task stack
 Check that the stacks do not overlap
 Compare printed address value of each stack with the address given in the linker map file.
 Check that all task stack sizes are a multiple of 4 Bytes [SPMF92:04.0008]. This prevents
that any data of another section is accessible in the same MPU region.
 Check that each defined address region (task stack start address, task stack end address)
only covers exactly one array variable named osTaskStack<StackIndex>.

2015, Vector Informatik GmbH
Version: 1.05 55 / 80

Safety Manual MICROSAR OS SafeContext
12.2.9 How to review the task ownership information (block 6)
The configuration viewer generates the task ownership information as followed [SPMF92:0063]:
6. Task to application mapping:
-------------------------------------------------------------------------------
Task-ID Task-Name Appl-ID Appl-Name Checked?
-------------------------------------------------------------------------------
0 (eTask1) 2 (xyzAppl) [ ]
1 (osSystemExtendedTask) 1 (osSystemApplicationCore0) [ ]
2 (bTask1) 2 (xyzAppl) [ ]
3 (osSystemBasicTask) 1 (osSystemApplicationCore0) [ ]
-------------------------------------------------------------------------------

The review shall be performed like this [SPMF92:0062]:
  The configuration of each application contains a list of the tasks which it owns. Check for
each of the named applications that it owns exactly those tasks listed in the configuration
viewer output. The OS generator assures that each task has exactly one owner application.
2015, Vector Informatik GmbH
Version: 1.05                           56 / 80

Safety Manual MICROSAR OS SafeContext
12.2.10 How to review the category 2 ISR start addresses (block 7)
The configuration viewer generates category 2 ISR start addresses as followed [SPMF92:0063]:
7. Category 2 ISR function start address:
-------------------------------------------------
ISR-ID ISR-Name Value Checked?
-------------------------------------------------
0 (ISR1) 0x000030f4 [ ]
1 (osSystemCat2ISR) 0x000059a4 [ ]
2 (osTimerInterrupt) 0x00009b9c [ ]
-------------------------------------------------

The review shall be performed like this:
 Check the linker map file of the project for symbol _<ISRName>func. This ISR function
must be linked to the address value as specified in the configuration viewer output
[SPMF92:02.0026].
 In case the ISR has a configured SpecialFunctionName, search for the symbol
_<SpecialFunctionName>func instead, which is located at the address, shown in the
configuration block.

2015, Vector Informatik GmbH
Version: 1.05 57 / 80

Safety Manual MICROSAR OS SafeContext
12.2.11  How to review the CAT2 ISR trusted information (block 8)
The  configuration  viewer  generates  CAT2  ISR  trusted  information  as  followed:
[SPMF92:0061],[SPMF92:0063], [SPMF92:02.0027]
8. Category 2 ISR trustedness:
--------------------------------------------------
ISR-ID ISR-Name Value Checked?
--------------------------------------------------
0 (ISR1) non-trusted [ ]
1 (osSystemCat2ISR) trusted [ ]
2 (osTimerInterrupt) trusted [ ]
--------------------------------------------------

The review shall be performed like this:
  Check for each cat2 ISR, that the setting of the attribute TRUSTED of the owner application
fits to the value of the ISR trusted information. In case the owner application has the
configuration TRUSTED=TRUE, the ISR must be trusted. In case the owner application has
the configuration TRUSTED=FALSE, the ISR must be non-trusted. The trustedness of the
system timer ISR osTimerInterrupt cannot be configured and is always a trusted ISR.
2015, Vector Informatik GmbH
Version: 1.05                           58 / 80

Safety Manual MICROSAR OS SafeContext
12.2.12  How to review the CAT2 ISR nested information (block 9)
The configuration viewer generates the CAT2 ISR nested information as followed [SPMF92:0063]:
9. Category 2 ISR nesting:
-------------------------------------------------
ISR-ID ISR-Name Value Checked?
-------------------------------------------------
0 (ISR1) nested [ ]
1 (osSystemCat2ISR) non-nested [ ]
2 (osTimerInterrupt) nested [ ]
-------------------------------------------------

The review shall be performed like this:
  Check for each cat2 ISR, that the setting of the attribute EnableNesting fits to the value of
the ISR nested information [SPMF92:02.0031]. In case the cat2 ISR has the configuration
EnableNesting =TRUE, the ISR must be nested. In case the cat2 ISR has the configuration
EnableNesting =FALSE, the ISR must be not nested. This setting for the system timer ISR
osTimerInterrupt is configured via OS attribute SystemTimerNestable. Check that the
setting of attribute SystemTimerNestable fits to the ISR nested information of ISR
osTimerInterrupt.

2015, Vector Informatik GmbH
Version: 1.05                           59 / 80

Safety Manual MICROSAR OS SafeContext
12.2.13  How to review CAT2 ISR stack start and end addresses (block 10 and 11)
The  configuration  viewer  generates  the  CAT2  ISR  stack  start  addresses  as  followed
[SPMF92:0063]:
10. Category 2 ISR stack start address:
----------------------------
Level Value Checked?
----------------------------
0 0x00000000 [ ]
1 0x00000000 [ ]
2 0x00000000 [ ]
3 0x00000000 [ ]
4 0x00000000 [ ]
5 0x00000000 [ ]
6 0x00000000 [ ]
7 0x00000000 [ ]
8 0x00000000 [ ]
9 0x00000000 [ ]
10 0xfedf0000 [ ]
11 0x00000000 [ ]
12 0xfedf0320 [ ]
13 0x00000000 [ ]
14 0x00000000 [ ]
15 0x00000000 [ ]
----------------------------

The  configuration  viewer  generates  the  CAT2  ISR  stack  end  addresses  as  followed
[SPMF92:0063]:
11. Category 2 ISR stack end address:
----------------------------
Level Value Checked?
----------------------------
0 0x00000000 [ ]
1 0x00000000 [ ]
2 0x00000000 [ ]
3 0x00000000 [ ]
4 0x00000000 [ ]
5 0x00000000 [ ]
6 0x00000000 [ ]
7 0x00000000 [ ]
8 0x00000000 [ ]
9 0x00000000 [ ]
10 0xfedf0320 [ ]
11 0x00000000 [ ]
12 0xfedf04b0 [ ]
13 0x00000000 [ ]
14 0x00000000 [ ]
15 0x00000000 [ ]
----------------------------

The review shall be performed like this [SPMF92:0056]:
  Check that the difference between stack start and stack end address fits to the configured
size of the ISR stack
  Check that the stacks do not overlap
  Compare printed address value of each stack with the address given in the linker map file.
2015, Vector Informatik GmbH
Version: 1.05                           60 / 80

Safety Manual MICROSAR OS SafeContext
 Check that all ISR stack sizes are a multiple of 4 Bytes [SPMF92:04.0008]. This prevents
that any data of another section is accessible in the same MPU region.
 Check that each defined address region (ISR stack start address, ISR stack end address)
only covers exactly one array variable named osIntStackLevel<PriorityLevel>.

2015, Vector Informatik GmbH
Version: 1.05 61 / 80

Safety Manual MICROSAR OS SafeContext
12.2.14  How to review the CAT2 ISR ownership information (block 12)
The  configuration  viewer  generates  the  CAT2  ISR  ownership  information  as  followed
[SPMF92:0063]:
12. Category 2 ISR to application assignment:
--------------------------------------------------------------------------
ISR-ID ISR-Name Appl-ID Appl-Name Checked?
--------------------------------------------------------------------------
0 (ISR1) 2 (xyzAppl) [ ]
1 (osSystemCat2ISR) 1      (osSystemApplicationCore0) [ ]
2 (osTimerInterrupt) 1 (osSystemApplicationCore0) [ ]
--------------------------------------------------------------------------

The review shall be performed like this:
  The configuration of each application contains a list of the cat2 ISRs which it owns. Check
for each of the named applications that it owns exactly those ISRs listed in the configuration
viewer output [SPMF92:02.0028]. The OS generator assures that each ISR has exactly one
owner application. The owner of the ISR osTimerInterrupt is the OS itself.
  Check that category 1 ISRs are not listed in the configuration block. [SPMF92:0055]

2015, Vector Informatik GmbH
Version: 1.05                           62 / 80

Safety Manual MICROSAR OS SafeContext
12.2.15 How to review the trusted functions start addresses (block 13)
The configuration viewer generates trusted functions start addresses as followed [SPMF92:0063]:
13. Trusted function start address:
----------------------------------------------------------
Tfunc-ID Tfunc-Name Value Checked?
----------------------------------------------------------
0 (StartTestStep) 0x000039d8 [ ]
1 (GetTestStep) 0x000039aa [ ]
2 (SetCheckPoint) 0x000039c2 [ ]
3 (TF1) 0x00003006 [ ]
4 (TriggerISR1) 0x000039ee [ ]
5 (TriggerISR2) 0x00003a06 [ ]
6 (osSystemTrustedFunction) 0x00005982 [ ]
----------------------------------------------------------

The review shall be performed like this:
 Check the linker map file of the project for symbol TRUSTED_<FuncName>. This function
must be linked to the address value as specified in the configuration viewer output
[SPMF92:0048],[SPMF92:0057].

2015, Vector Informatik GmbH
Version: 1.05 63 / 80

Safety Manual MICROSAR OS SafeContext
12.2.16 How to review the non-trusted functions start addresses (block 14)
The configuration viewer generates non-trusted functions start addresses as followed
[SPMF92:0063]:
14. Non-trusted function start address:
-----------------------------------------
NTfunc-ID NTfunc-Name Value Checked?
-----------------------------------------
0 (NTF1) 0x00002e6a [ ]
1 (NTF2) 0x00003de0 [ ]
-----------------------------------------

The review shall be performed like this:
 Check the linker map file of the project for symbol NONTRUSTED_<FuncName>. This
function must be linked to the address value as specified in the configuration viewer output
[SPMF92:02.0024].

2015, Vector Informatik GmbH
Version: 1.05 64 / 80

Safety Manual MICROSAR OS SafeContext
12.2.17  How to review the non-trusted functions ownership information (block 15)
The  configuration  viewer  generates  the  non-trusted  functions  ownership  as  followed
[SPMF92:0063]:
15. Non-trusted function to application assignment:
--------------------------------------------------------
NTfunc-ID NTfunc-Name Appl-ID Appl-Name Checked?
--------------------------------------------------------
0 (NTF1) 1 (NonTrustedApplA) [ ]
1 (NTF2) 2 (NonTrustedApplB) [ ]
--------------------------------------------------------

The review shall be performed like this:
  The configuration of each application contains a list of the functions which it owns. Check
for each of the named applications that it owns exactly those functions listed in the
configuration viewer output [SPMF92:02.0029]. The OS generator assures that each
function has exactly one owner application.

2015, Vector Informatik GmbH
Version: 1.05                           65 / 80

Safety Manual MICROSAR OS SafeContext
12.2.18  How to review the application dynamic MPU settings (block 16)
It is necessary to refer the Renesas Electronics user’s manual architecture [6] for exactly
understanding of the Memory Protection Unit (MPU).
The configuration viewer generates the dynamic MPU settings as followed [SPMF92:0063]:
16. Application MPU configuration (dynamic):
------------------------------------------------------------------------------
Appl-ID Appl-Name Region Start-Addr End-Addr Checked?
------------------------------------------------------------------------------
0 (AppTrusted) 1 0x00000010 0x00000000 [ ]
     2 0x00000010 0x00000000 [ ]
------------------------------------------------------------------------------
1 (NonTrustedApplA) 1 0xffe50000 0xffe5fffc [ ]
2 0xfedf0a80 0xfedf0a7f [ ]
------------------------------------------------------------------------------
2 (NonTrustedApplB) 1 0xffe50000 0xffe5fffc [ ]
2 0xfedf0a80 0xfedf0b7f [ ]
------------------------------------------------------------------------------
3 (TraceAppl) 1 0x00000010 0x00000000 [ ]
2 0x00000010 0x00000000 [ ]
------------------------------------------------------------------------------
4 (osSystemApplicationCore0) 1 0x00000010 0x00000000 [ ]
2 0x00000010 0x00000000 [ ]
------------------------------------------------------------------------------

The review shall be performed like this  [SPMF92:0052],[SPMF92:04.0003],[SPMF92:04.0005]:
  Each application must have the same number of rows.
  The number of rows for each application must be same as shown in the output of
configuration block 0: Number of Dynamic MPU Regions
  Trusted applications must always have Start-Addr = 0x00000010
  Trusted applications must always have End-Addr = 0x00000000
  Unused MPU regions in non-trusted applications must have Start-Addr = 0x00000010
  Unused MPU regions in non-trusted applications must have End-Addr = 0x00000000
  Check that values of Start-Addr and End-Addr in row of non-trusted applications are same
as configured in the applications settings
  Check that used MPU regions in non-trusted applications have Start-Addr value smaller
than the End-Addr value
  Check that all trusted and non-trusted applications are listed.
  Check that all Start-Addr values are aligned to 4 Byte boundary [SPMF92:04.0009]
  Check that all End-Addr values point to the last valid byte in the specified area.
  Overlapping of memory regions is not allowed [SPMF92:04.0010].
  The next region after the end address must be aligned at to a 4 Byte boundary.
  Compare  Start-Addr of non-trusted applications that the address value fits to address of
the application specific linker symbol used in configuration settings [SPMF92:0052]
  Compare  End-Addr of non-trusted applications that the address value fits to address of the
application specific linker symbol used in configuration settings [SPMF92:0052]
  If a linker section for application data memory region is empty then the end address is
below the start address. The start or end address may then overlap with other linker
sections. This can be ignored because it does not harm the MPU functionality.

2015, Vector Informatik GmbH
Version: 1.05                           66 / 80

Safety Manual MICROSAR OS SafeContext
12.2.19 How to review the interrupt channel index (block 17)
The configuration viewer generates the interrupt channel index for CAT1 and CAT2 ISRs as
followed [SPMF92:0063]:

17. Category 2 ISR interrupt channel index:
----------------------------------------------
ISR-ID ISR-Name Channel Checked?
----------------------------------------------
0 (ISR1) 137 [ ]
1 (osSystemCat2ISR) 0 [ ]
2 (osTimerInterrupt) 74 [ ]
3 (TestTimer1) 134 [ ]
----------------------------------------------

The review shall be performed like this:
 Check for each cat1 and cat2 ISR that the number is corresponding to the default priority
number listed in the hardware user manual of the used processor derivative (look for
symbol EIINT<Number>).
 Check that the biggest listed number is not greater than 383.
 Channel index of ISR osSystemCat2ISR can be ignored because it is not used at all.

2015, Vector Informatik GmbH
Version: 1.05 67 / 80

Safety Manual MICROSAR OS SafeContext
12.2.20  How to review the ISR interrupt priority level (block 18)
The configuration viewer generates the interrupt priority level for CAT1 and CAT2 ISRs as followed
[SPMF92:0063]:

18. Category 2 ISR priority level:
-----------------------------------------------
ISR-ID ISR-Name Priority Checked?
-----------------------------------------------
0 (ISR1) 10 [ ]
1 (osSystemCat2ISR) 128 [ ]
2 (osTimerInterrupt) 12 [ ]
3 (TestTimer1) 7 [ ]
-----------------------------------------------

The review shall be performed like this [SPMF92:02.0032]:
  Check for each category 1 and category 2 ISR that the setting of the attribute
InterruptPriority fits to the value of the printed ISR information “Priority” from configuration
viewer.
  Interrupt priority level of osSystemCat2ISR can be ignored because it is not used at all. The
priority value must always be 128.


2015, Vector Informatik GmbH
Version: 1.05                           68 / 80

Safety Manual MICROSAR OS SafeContext
12.2.21  How to review the peripheral regions configuration (block 19)
The configuration viewer generates the application peripheral regions as followed [SPMF92:0063]:

19. Peripheral Regions Configuration:
-----------------------------------------------------
Region Appl-Mask Start-Addr End-Addr Checked?
-----------------------------------------------------
0 0x00000005 0xfede0000 0xfede1fff [ ]
1 0x0000000c 0xfede4000 0xfede4fff [ ]
-----------------------------------------------------

The review shall be performed like this:
  Check that the listed peripheral region access rights match your configuration
[SPMF92:02.0030]
  Check for each row that Appl-Mask fits to the accessing applications. Each bit which is set
means that the corresponding application has access rights to this region. E.g. if bit 0 is set
then application with ID=0 has permission to access the region, if bit 1 is set then
application with ID=1 has permission to access the region etc.
  Check that the listed peripheral region start and end addresses matches your configuration
[SPMF92:02.0030]
  Check for each row that Start-Addr fits to the start address value of the configured
peripheral region. Start-Addr must point to the first valid byte in the region.
  Check for each row that End-Addr fits to the end address value of the configured peripheral
region. End-Addr must point to the last valid byte in the region.
  Check that the peripheral region index starts with 0
  Check that the peripheral region index is consecutive with no gaps
  Check that the peripheral region belongs to the printed application.

2015, Vector Informatik GmbH
Version: 1.05                           69 / 80

Safety Manual MICROSAR OS SafeContext
12.2.22  How to review the static MPU regions configuration (block 20)
The configuration viewer generates the static MPU regions configuration as followed:

20. MPU configuration (static):
-----------------------------------------------------
Region Start-Addr End-Addr Attributes Checked?
-----------------------------------------------------
1 0x00000010 0x00000000 0x000000db [ ]
2 0x00000010 0x00000000 0x000000db [ ]
3 0x00000000 0x000ffffc 0x000000fd [ ]
4 0xff000000 0xfffffffc 0x000000d8 [ ]
5 0xfedf0960 0xfee00000 0x000000d9 [ ]
6 0xfedf0000 0xfedf0960 0x000000c9 [ ]
7 0x00000000 0x00000000 0x00000000 [ ]
8 0x00000000 0x00000000 0x00000000 [ ]
9 0x00000000 0x00000000 0x00000000 [ ]
10 0x00000000 0x00000000 0x00000000 [ ]
11 0x00000000 0x00000000 0x00000000 [ ]
-----------------------------------------------------

Start-Addr are the values which are written to MPU registers MPLAn
End-Addr are the values which are written to MPU registers MPUAn
Attributes are the values which are written to MPU registers MPATn

The review shall be performed like this:
  Check that all regions 1 … 11 are listed.
  If Start-Addr=0x00000010, End-Addr=0x00000000 and Attributes=0x000000db then the
MPU region is used dynamic, i.e. it is reprogrammed when the context is switched.
  If Start-Addr=0x00000000, End-Addr=0x00000000 and Attributes=0x00000000 then the
MPU region is not used at all.
  All other regions are user specific MPU region settings.
  Check the user specific MPU region settings that Start-Addr, End-Addr and Attributes fit to
the corresponding configurations.
  Check each user specific MPU region setting that Start-Addr is lower than End-Addr.
  Check each user specific MPU region setting that Attributes contains correct application ID.

2015, Vector Informatik GmbH
Version: 1.05                           70 / 80

Safety Manual MICROSAR OS SafeContext
12.2.23  How to review the application trusted information (block 21)
The configuration viewer generates the application trusted information as followed:
21. Application trustedness information:
-----------------------------------------------------------
Appl-ID Appl-Name Value Checked?
-----------------------------------------------------------
0 (NTAppl) non-trusted [ ]
1 (abcAppl) trusted [ ]
2 (osSystemApplicationCore0) trusted [ ]
3 (xyzAppl) non-trusted [ ]
-----------------------------------------------------------

The review shall be performed like this:
  Check for each application, that the setting of the attribute TRUSTED fits to the value of the
application trustedness information.
  If the application has attribute TRUSTED=TRUE, then Value must be trusted.
  If application has attribute TRUSTED=FALSE, then Value must be non-trusted.
  OS system application osSystemApplicationCore0 must always be trusted.

2015, Vector Informatik GmbH
Version: 1.05                           71 / 80

Safety Manual MICROSAR OS SafeContext
12.2.24  How to review the core control block address information (block 22)
The configuration viewer generates the core control block information as followed:
22. Core control block address:
------------------------------
Core-ID Address Checked?
------------------------------
0 0xfedf0c40 [ ]
------------------------------

The review shall be performed like this:
  Check that Address value is the same value for linker symbol _osCtrlVarsCore0 in the
project map file which is generated by the linker.
2015, Vector Informatik GmbH
Version: 1.05                           72 / 80

Safety Manual MICROSAR OS SafeContext
12.3  Linker Memory Sections
The OS uses specific memory section names for the linker. Check that these section names are
used in the linker file and check that they are used in the assigned area.
The OS uses the linker memory section names described in the following table:
Section Name and Type
Description and Link Requirements
.osExceptionVectorTable
Contains the core exception vector table. It is generated into
section type .text
file intvect.c
.osEIINTVectorTable
Contains the EIINT exception vector table. It is generated into
section type .text
file intvect.c
.os_text
Contains the interrupt handler for category 2 ISRs. It is
section type .text
generated into file intvect.c
Must be linked to program code section.
.os_text
Contains all OS program code, except those which must be
section type .text
placed in special sections (e.g. vector table).
Must be linked to program code section.
.os_rodata
Contains the OS constant data, except those which must be
section type .rodata
placed in special sections (e.g. configuration block
osConfigBlock).
Must be linked to constant data section.
.os_rosdata
Contains all OS constants which are placed in ROSDA area,
section type .rosdata
except those which must be placed in special sections (e.g.
configuration block osConfigBlock).
Must be linked to the constant data in ROSDA section
.osConfigBlock_rodata
Contains the configuration block if SDA optimization is
section type .rodata
disabled.
Must be linked to constant data section.
.osConfigBlock_rosdata
Contains the configuration block if SDA optimization is enabled
section type .rosdata
Must be linked to constant data in ROSDA section.
.os_bss
Contains the uninitialized OS variables
section type .bss
Optional initialized to zero by system startup code.
Must be linked to the data section.
.os_data
Contains the initialized OS variables which must be copied
section type .data
from ROM to RAM by system startup code.
Must be linked to the data section. This section must be empty!
.os_sbss
Contains uninitialized OS variables which are placed in SDA
section type .sbss
area if SDA optimization is enabled.
Optional initialized to zero by system startup code.
Must be linked to the SDA section.
.os_sdata
Contains initialized OS variables which are placed in SDA area
section type .sdata
if SDA optimization is enabled.
Must be linked to the SDA section. This section must be empty!
2015, Vector Informatik GmbH
Version: 1.05                           73 / 80

Safety Manual MICROSAR OS SafeContext
Section Name and Type
Description and Link Requirements
.osTaskStack<TaskIndex>
Contains the uninitialized task specific stack.
section type .bss
Must be linked to the data section.
.osSystemStack
Contains the uninitialized OS system stack.
section type .bss
Must be linked to the data section.
.osIntStackLevel<Priority>
Contains the uninitialized ISR specific stack.
section type .bss
Must be linked to the data section.
.osAppl_<ApplName>_bss
Contains uninitialized application data.
section type .bss
Optional initialized to zero by system startup code.
Must be linked to the data section.
.osAppl_<ApplName>_sbss
Contains uninitialized application data in SDA area if SDA
section type .sbss
optimization is enabled.
Optional initialized to zero by system startup code.
Must be linked to SDA section.
.osAppl_<ApplName>_data
Contains initialized application data.
section type .data
Must be linked to data section.
.osAppl_<ApplName>_sdata
Contains initialized application data in SDA area if SDA
section type .sdata
optimization is enabled.
Must be linked to SDA section.
.osGlobalShared_bss
Contains uninitialized global shared data.
section type .bss
Optional initialized to zero by system startup code.
Must be linked to data section.
.osGlobalShared_sbss
Contains uninitialized shared data in SDA area if SDA
section type .sbss
optimization is enabled.
Optional initialized to zero by system startup code.
Must be linked to SDA section.
.osGlobalShared_data
Contains initialized shared global data.
section type .data
Must be linked to data section.
.osGlobalShared_sdata
Contains initialized shared data in SDA area if SDA
section type .sdata
optimization is enabled.
Must be linked to SDA section.

2015, Vector Informatik GmbH
Version: 1.05 74 / 80

Safety Manual MICROSAR OS SafeContext
12.4 Linker Include Files
The generated linker include files shall be reviewed if they are used for serial production.

12.4.1 Review File osdata.dld
File osdata.dld contains mapping of section types .bss and .data for trusted applications.

For each trusted application the generated lines must look like:
/* trusted application <ApplName> */
.osAppl_<ApplName>_bss align(4) :>.
.osAppl_<ApplName>_data align(4) :>.

The linker include file ends with the section mapping for OS data which must look like:
.os_bss align(4) :>.
.os_data align(4) :>.

2015, Vector Informatik GmbH
Version: 1.05 75 / 80

Safety Manual MICROSAR OS SafeContext
12.4.2 Review File ossdata.dld

The generated example file ossdata.dld contains the mapping of section types .sbss and
.sdata for trusted and non-trusted applications.
For non-trusted applications it also contains the mapping of section types .bss and .data.
This is necessary due to optimization for MPU region settings.

For each trusted application the generated lines must look like:
/* trusted application <ApplName> */
.osAppl_<ApplName>_sbss align(4) :>.
.osAppl_<ApplName>_sdata align(4) :>.

For each non-trusted application the generated lines must look like:
/* non-trusted application <ApplName> */
.osAppl_<ApplName>_bss align(4) :>.
.osAppl_<ApplName>_data align(4) :>.
.osAppl_<ApplName>_sbss align(4) :>.
.osAppl_<ApplName>_sdata align(4) :>.
_<Appl_Section_StartAddr> = addr(.osAppl_<ApplName>_bss);
_<Appl_Section_EndAddr> = endaddr(.osAppl_<ApplName>_sdata)-1;

After the mapping of the application sections the mapping for OS SDA sections must be
generated like the following lines:
.os_sbss align(4) :>.
.os_sdata align(4) :>.

After the mapping of the OS SDA sections the mapping for global shared sections must be
generated like the following lines:
.osGlobalShared_sbss align(4) :>.
.osGlobalShared_sdata align(4) :>.
.osGlobalShared_bss align(4) :>.
.osGlobalShared_data align(4) :>.
_osGlobalShared_StartAddr = addr(.osGlobalShared_sbss);
_osGlobalShared_EndAddr = endaddr(.osGlobalShared_data)-1;

2015, Vector Informatik GmbH
Version: 1.05 76 / 80

Safety Manual MICROSAR OS SafeContext
12.4.3 Review File osstacks.dld
File osstacks.dld contains mapping of all stack sections.

Each stack section mapping for used interrupt priority levels must look like:
.osIntStackLevel<PrioLevel> align(4) :>.
_osIntStackLevel<PrioLevel>_StartAddr = addr(.osIntStackLevel<PrioLevel>);
_osIntStackLevel<PrioLevel>_EndAddr = endaddr(.osIntStackLevel<PrioLevel>);

<PrioLevel> is the interrupt priority level 0 … 15

The mapping for the system stack section must look like:
.osSystemStack align(4) :>.
_osSystemStack_StartAddr = addr(.osSystemStack);
_osSystemStack_EndAddr = endaddr(.osSystemStack);

The system stack section is followed by the OS task stack sections which must look like:

.osTaskStackosSystemApplicationCore00 align(4) :>.
_osTaskStackosSystemApplicationCore00_StartAddr =
addr(.osTaskStackosSystemApplicationCore00);
_osTaskStackosSystemApplicationCore00_EndAddr =
endaddr(.osTaskStackosSystemApplicationCore00);

.osTaskStackosSystemApplicationCore01 align(4) :>.
_osTaskStackosSystemApplicationCore01_StartAddr =
addr(.osTaskStackosSystemApplicationCore01);
_osTaskStackosSystemApplicationCore01_EndAddr =
endaddr(.osTaskStackosSystemApplicationCore01);

The OS task stack sections are followed by the application task stack sections.
Each application task stack section mapping must look like:
.osTaskStack<applname><index> align(4) :>.
_osTaskStack<applname><index>_StartAddr = addr(.osTaskStack<applname><index>);
_osTaskStack<applname><index>_EndAddr = endaddr(.osTaskStack<applname><index>);

<applname> is the name of the owner application
<index> is the index number of the task stack: 0 … number of tasks per application

2015, Vector Informatik GmbH
Version: 1.05 77 / 80

Safety Manual MICROSAR OS SafeContext
12.4.4 Review File osrom.dld
File osrom.dld contains the sections used for initialized variables.

For each application which has data to be initialized during startup code the following lines must be
generated:
.ROM_osAppl_<ApplName>_data ROM(.osAppl_<ApplName>_data) :>.
.ROM_osAppl_<ApplName>_sdata ROM(.osAppl_<ApplName>_sdata) :>.
.ROM_osAppl_<ApplName>_tdata ROM(.osAppl_<ApplName>_tdata) :>.

File osrom.dld ends with the global shared initialized data sections which must look like:
.ROM_GlobalShared_data ROM(.osGlobalShared_data) :>.
.ROM_GlobalShared_sdata ROM(.osGlobalShared_sdata) :>.
.ROM_GlobalShared_tdata ROM(.osGlobalShared_tdata) :>.

12.4.5 Review File ostdata.dld
File ostada.dld contains the mapping for application data in TDA section.

For each application which has data in TDA section the following line must be generated:
.osAppl_<ApplName>_tdata align(4) MAX_SIZE(0x0100) :>.

File ostdata.dld ends with the mapping for global shared data in TDA section which must look like:
.osGlobalShared_tdata align(4) MAX_SIZE(0x0100) :>.

2015, Vector Informatik GmbH
Version: 1.05 78 / 80

Safety Manual MICROSAR OS SafeContext
12.5  Stack Size Configuration
The size of task stacks, ISR stacks and the system stack is configured by the user. The application
code  must  not  use  more  stack  then  configured.  Before  trusted  or  non-trusted  application  code
(tasks,  ISRs,  trusted  and  non-trusted  functions)  is  executed  the  OS  always  reprogramms  MPU
region 0 in order to protect the stack memory areas.
The following table provides an overview of the stacks and which code parts need to be considered
for the analysis of the required stack sizes.
Stack
Usage
System Stack
StartupHook
ErrorHook
ProtectionHook [SPMF92:0082]
ShutdownHook [SPMF92:0081]
Task Stacks
the corresponding task function and its call tree
ISRs of category 1 (when interrupting a task)
ErrorHook
Storing a context (144 Byte)
ISR Stacks
the corresponding category 2 ISR function and its call tree
ISRs of category 1 (when interrupting an ISR)
ErrorHook
Storing a context (144 Byte)

If  no  static  analysis  for  the  stack  requirement  is  made,  the  stack  usage  may  be  measured  by
means
of
the
API
functions
osGetStackUsage,
osGetISRStackUsage
and
osGetSystemStackUsage,  when  StackUsageMeasurement  is  configured.  Measurement  has  to
consider  the  maximum  stack  usage  of  the  code  under  measure.  It  has  to  be  ensured,  that  all
directly and indirectly called functions are executed and use the maximum possible stack.
Stack  Usage  measurement  is  implemented  by  filling  the  stack  with  a  pattern  on  startup  and
counting the number of continuous patterns which have not been overwritten with another value.
This may lead to a too small measured value in case the function under measure uses this pattern
as value on its stack.
As  the  hardware  allows  to  enable  interrupts  even  in  non-trusted  code,  any  non-trusted  ISR  may
enable  nesting.  Therefore,  the  user  shall  expect  that  interrupt  nesting  can  always  occur  when
defining the system stack size [SPMF92:0089].
The  stack  usage  must  be  measured  after  the  maximum  call  depth  has  been  reached
[SPMF92:0090].
12.6  Stack Monitoring
The stack memory area is write protected via MPU region 0. Trusted and non-trusted applications
and the OS cannot write to stack areas which belong to other applications.
This  hardware  based  stack  monitoring  does  not  detect  all  stack  errors  [SPMF92:0076].  Stack
overflow  cannot  be  detected  if  the  task  or  ISR  stack  is  mapped  immediately  after  the
corresponding application data or global shared section. Stack underflow cannot be detected if the
task  or  ISR  stack  is  mapped  immediately  before  the  corresponding  application  data  or  global
shared section.

2015, Vector Informatik GmbH
Version: 1.05                           79 / 80

Safety Manual MICROSAR OS SafeContext
12.7  Usage of MPU Regions
MPU region 0 is always used for stack area protection. It is always reprogrammed when
the context is switched. Therefore MPU region 0 cannot be configured by the user.
Each MPU region 1 … 11 can be configured for static or dynamic usage:
  If a MPU region is configured for static usage, then it is initialized in StartOS and not
changed any more. For static MPU regions the user must specify the access attributes.
  If a MPU region is configured for dynamic usage, then it is initialized in StartOS and not
always reprogrammed when the context is switched. The access attributes for dynamic
MU regions are configured by the OS.
All  stack  sections  must  be  mapped  to  a  consecutive  memory  area. A  static  MPU  region
must be configured for this memory area so that trusted and non-trusted application have
only read access to it. That means in supervisor and in user mode only reading is possible.
Write access to dedicated stack is achieved at runtime via reprogrammed MPU region 0
when a task or ISR is started.
A static MPU region must be configured for the applications data area so that in supervisor
mode read and write is possible and in user mode only reading is possible. Write access to
the dedicated application data  area  is  achieved  via  dynamic  MPU  region  which  must  be
configured for each non-trusted application.
A static MPU region must be configured for the code and const area (i.e. ROM/FLASH) so
that  in  supervisor  mode  (trusted applications)  read,  write  and  execute  is  possible  and  in
user mode (non-trusted applications) only read and execute is possible in that area.

12.8  Usage of Peripheral Interrupt API
The OS provides functions which allow write access to EI level interrupt control registers
EICn and to EI level interrupt mask registers IMRn in user mode. Non-trusted applications
can enable or disable peripheral interrupt sources by means of this functions. Call of the
OS peripheral interrupt API functions must be checked in every application that only valid
interrupt sources are modified [SPMF92:04.0016].

2015, Vector Informatik GmbH
Version: 1.05                           80 / 80

Document Outline

18.4 - Os Integration Manual

Integration Manual

For

Os

VERSION: 1

DATE: 01/08/16

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA

Location: The official version of this document is stored in the Nexteer Configuration Management System.

Revision History

Sl. No.	Description	Author	Version	Date
1	Initial version	Lucas Wendling	1.0	01/08/16

Table of Contents

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

2 Os & High-Level Description 6

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

API usage and scheduling of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

void NxtrOsErrHndlg(StatusType Error)

This function is expected to be called in both the Os Error Hook (ErrorHook) and the Os Protection Hook (ProtectionHook). The Os will generate these stub functions in the generated file “OS_Callout_Stubs.c”. The integrator will need to add the appropriate call to NxtrOsErrHndlg in these stub functions.

Configuration REQUIREMeNTS

Configuration of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	Notes

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

API usage and scheduling of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger

Runnable	Scheduling Requirements	Trigger
NxtrOsErrHndlg	See section 3.2	Os Error and Protection Hooks

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

<This section is for appendix>

18.5 - Os Module Design Document

Module Design Document

For

Os

1/6/16

Prepared For:

Software Engineering

Nexteer Automotive,

Saginaw, MI, USA

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA
Change History

Description	Author	Version	Date
Initial Version	Lucas Wendling	1	1/6/16

Table of Contents

1 Introduction 5

1.1 Purpose 5

1.2 Scope 5

3 Design details of software module 7

3.1 Graphical representation of Os 7

3.2 Data Flow Diagram 7

3.2.1 Component level DFD 7

3.2.2 Function level DFD 7

4 Constant Data Dictionary 8

4.1 Program (fixed) Constants 8

4.1.1 Embedded Constants 8

5 Software Component Implementation 9

5.1 Sub-Module Functions 9

5.1.1 Init: Os_Init<n> 9

5.1.1.1 Design Rationale 9

5.1.1.2 Module Outputs 9

5.1.2 Per: Os_Per<n> 9

5.1.2.1 Design Rationale 9

5.1.2.2 Store Module Inputs to Local copies 9

5.1.2.3 (Processing of function)……… 9

5.1.2.4 Store Local copy of outputs into Module Outputs 9

5.2 Server Runables 9

5.2.1 <Server Runable Name> 9

5.2.1.1 Design Rationale 9

5.2.1.2 (Processing of function)……… 10

5.3 Interrupt Functions 10

5.3.1 Interrupt Function Name 10

5.3.1.1 Design Rationale 10

5.3.1.2 (Processing of the ISR function)….. 10

5.4 Module Internal (Local) Functions 10

5.4.1 Local Function #1 10

5.4.1.1 Design Rationale 10

5.4.1.2 Processing 10

5.5 GLOBAL Function/Macro Definitions 10

5.5.1 GLOBAL Function #1 10

5.5.1.1 Design Rationale 11

5.5.1.2 processing 11

6 Known Limitations with Design 12

7 UNIT TEST CONSIDERATION 13

Appendix A Abbreviations and Acronyms 14

Appendix B Glossary 15

Appendix C References 16

Introduction

Purpose

This design document will capture the design of the Nexteer Os Error Handling (NxtrOsErrHndlg) functionality. This is the only portion of this component that is designed by Nexteer rather than a 3^rd party.

Scope

The following definitions are used throughout this document:

Shall: indicates a mandatory requirement without exception in compliance.
Should: indicates a mandatory requirement; exceptions allowed only with documented justification.
May: indicates an optional action.

High-Level Description

The Nexteer designed portions of the Os component consist of the Os error processing. This Nexteer specific design was embedded within the Os component itself since this functionality is specifically tied to the errors and names that this particular Os supports. This error handling is expected to be called by the Os protection and error callout functions in any given project. It interfaces with the Exception Handler that is created to react to the different categories of Os errors.

Design details of software module

<The Data Flow Diagrams should be created in the absence of this representation with the FDD.>

Graphical representation of NxtrOsErrHndlg (Expected External Intefaces)

Data Flow Diagram

Component level DFD

Function level DFD

Constant Data Dictionary

Program (fixed) Constants

Embedded Constants

Local Constants

Constant Name	Resolution	Units	Value
None

Software Component Implementation

Sub-Module Functions

Init:

None

Per:

None

Server Runables

NxtrOsErrHndlg

Design Rationale

This runnable will parse through the different Os errors that can be detected and interface into the Exception Handler component for handling of the different categories of errors. This runnable is expected to be called by both the Os ErrorHook and the Os ProtectionHook as it handles all categories of Os errors.

Processing

switch (OSErrorGetosCANError())

case osdErrUEUnhandledException:

case osdErrUEUnhandledCoreException:

case osdErrUEUnhandledDirectBranch:

/* Unhandled Exceptions */

ProcUkwnExcpnErr(OSErrorGetosCANError())

break

case osdErrEXMemoryViolation:

/* MPU Violations */

ProcMpuExcpnErr(OSErrorGetosCANError());

break

case osdErrEXPrivilegedInstruction:

/* Privileged Instruction Exceptions */

ProcPrvlgdInstrExcpnErr(OSErrorGetosCANError());

break

case osdErrATWrongTaskPrio:

case osdErrTTNotActivated:

case osdErrTTNoImmediateTaskSwitch:

case osdErrTTWrongActiveTaskID:

case osdErrHTNotActivated:

case osdErrHTNoImmediateTaskSwitch:

case osdErrHTWrongActiveTaskID:

case osdErrSHScheduleNotAllowed:

case osdErrSHWrongActiveTaskID:

case osdErrGSOddInvocation:

case osdErrGIOddInvocation:

case osdErrMTMissingTerminateTask:

case osdErrEAIntAPIWrongSequence:

case osdErrDAIntAPIDisabled:

case osdErrSDWrongCounter:

case osdErrREWrongCounter:

case osdErrSGWrongCounter:

case osdErrRGWrongCounter:

case osdErrGRPriorityOccupied:

case osdErrGRNoAccessRights:

case osdErrGRWrongTaskID:

case osdErrRRCeilingPriorityNotSet:

case osdErrRRWrongTask:

case osdErrRRNoReadyTaskFound:

case osdErrRRWrongTaskID:

case osdErrRRWrongHighRdyPrio:

case osdErrSEWrongTaskPrio:

case osdErrGEOddInvocation:

case osdErrCAAlarmInternal:

case osdErrWAWrongIDonHeap:

case osdErrWAHeapOverflow:

case osdErrWAUnknownAction:

case osdErrWAWrongCounterID:

case osdErrSOStackOverflow:

case osdErrSUWrongTaskID:

case osdErrCLWrongLibrary:

case osdErrEHInterruptsEnabled:

case osdErrSTMemoryError:

case osdErrSTNoImmediateTaskSwitch:

case osdErrSTWrongAppMode:

case osdErrSTConfigCRCError:

case osdErrSTConfigMagicNrError:

case osdErrSTInvalidMajorVersion:

case osdErrSTInvalidMinorVersion:

case osdErrSTInvalidSTCfg:

case osdErrQIWrongTaskPrio:

case osdErrQRInterruptsEnabled:

case osdErrQRWrongTaskID:

case osdErrQRWrongTaskPrio:

case osdErrQRWrongHighRdyPrio:

case osdErrQSInterruptsEnabled:

case osdErrQSNoReadyTaskFound:

case osdErrQSWrongPriority:

case osdErrQOWrongTaskID:

case osdErrSPUnknownCase:

case osdErrSGOddInvocation:

case osdErrWSUnknownAction:

case osdErrWSUnknownReaction:

case osdErrWSWrongID:

case osdErrGCOddInvocation:

case osdErrBMResAlreadyMeasured:

case osdErrBMInvalidProcessInStart:

case osdErrBMInvalidProcessInStop:

case osdErrBMInvalidResource:

case osdErrETNoCurrentProcess:

case osdErrASOddInvocation:

case osdErrTAInvalidTaskState:

case osdErrRSWrongTaskPrio:

case osdErrPAInvalidAreaIndex:

case osdErrPANoAccessRight:

case osdErrPAInvalidAddress:

case osdErrYOSystemStackOverflow:

case osdErrYOTaskStackOverflow:

case osdErrYOISRStackOverflow:

case osdErrSCWrongSysCallParameter:

case osdErrDPStartValidContext:

case osdErrDPResumeInvalidContext:

case osdErrDPInvalidTaskIndex:

case osdErrDPInvalidApplicationID:

case osdErrSUInvalidTaskIndex:

case osdErrSUInvalidIsrIndex:

case osdErrSUInvalidIsrPrioLevel:

case osdErrCIInvalidIsrIndex:

case osdErrCIInvalidIsrPrioLevel:

case osdErrCIInvalidApplicationID:

case osdErrCIMissingIntRequest:

case osdErrCIInterruptIsMasked:

case osdErrCIWrongIntPriority:

case osdErrPIGetIMRInvalidIndex:

case osdErrPISetIMRInvalidIndex:

case osdErrPIClearIMRInvalidIndex:

case osdErrPIWriteIMR8InvalidAddr:

case osdErrPIWriteIMR16InvalidAddr:

case osdErrPIWriteIMR32InvalidAddr:

case osdErrPISetICRMaskInvalidAddr:

case osdErrPIClearICRMaskInvalidAddr:

case osdErrPISetICRReqInvalidAddr:

case osdErrPIClearICRReqInvalidAddr:

case osdErrPIWriteICR8InvalidAddr:

case osdErrPIWriteICR16InvalidAddr:

case osdErrPIWriteICRxLoInvalidIndex:

case osdErrPIWriteICRxHiInvalidIndex:

case osdErrPIWriteICRx16InvalidIndex:

case osdErrCRInvalidSettingOSTM:

case osdErrCRInvalidSettingMPU:

/* Fatal OS fault for assertion / syscheck errors - set data for reset cause */

ProcPrmntOsErr(OSErrorGetosCANError())

break

default:

/* Assumed to be a non-fatal OSEK fault - Set data for periodic sweep up */

ProcNonCritOsErr(OSErrorGetosCANError())

break

Interrupt Functions

None

Module Internal (Local) Functions

Local Function #1

Function Name	Type	Min	Max
Arguments Passed

Return Value

Design Rationale

Processing

GLOBAL Function/Macro Definitions

GLOBAL Function #1

Function Name	Type	Min	Max
Arguments Passed

Return Value

Design Rationale

Processing

Known Limitations with Design

UNIT TEST CONSIDERATION

Abbreviations and Acronyms

Abbreviation or Acronym	Description

Glossary

Note: Terms and definitions from the source “Nexteer Automotive” take precedence over all other definitions of the same term. Terms and definitions from the source “Nexteer Automotive” are formulated from multiple sources, including the following:

ISO 9000
ISO/IEC 12207
ISO/IEC 15504
Automotive SPICE® Process Reference Model (PRM)
Automotive SPICE® Process Assessment Model (PAM)
ISO/IEC 15288
ISO 26262
IEEE Standards
SWEBOK
PMBOK
Existing Nexteer Automotive documentation

Term	Definition	Source
MDD	Module Design Document
DFD	Data Flow Diagram

References

Ref. #	Title	Version
1	AUTOSAR Specification of Memory Mapping (Link:AUTOSAR_SWS_MemoryMapping.pdf)	v1.3.0 R4.0 Rev 2
2	MDD Guideline	EA4 01.00.00
3	Software Naming Conventions.doc	1.0
4	Software Design and Coding Standards.doc	2.0

18.6 - Os Peer Review Checklists

Overview

Summary Sheet
Synergy Project
Source Code
MDD
PolySpace

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Os

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Os_Vector_Ar4.0.3_01.06.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3175

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

Yes

MDD

Yes

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

Yes

Comments:

Project contains the correct version of subprojects

Yes

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 3: Source Code

Rev 1.2

8-Jun-15

Peer Review Meeting Log (Source Code Review)

Source File Name:

NxtrOsErrHndlg.c

Source File Revision:

1

Header File Name:

NxtrOsErrHndlg.h

Header File Revision:

kzshz2: Intended Use: Identify which version of the source file is being review. Rationale: Required for traceability between source code and review. Auditors will likely require this. 1

MDD Name:

Os Module Design Document.docx

Revision:

1

FDD/SCIR/DSR/FDR/CM Name:

N/A

Revision:

N/A

Quality Check Items:

Rationale is required for all answers of No

for variable names

N/A

Comments:

for constant names

N/A

Comments:

for function names

Yes

Comments:

for other names (component, memory

Yes

Comments:

mapping handles, typedefs, etc.)

All paths assign a value to outputs, ensuring

N/A

Comments:

all outputs are initialized prior to being written

Requirements Tracability tags in code match the requirements tracability in the FDD

N/A

Comments:

requirements tracability in the FDD

All variables are declared at the function level.

N/A

Comments:

Synergy version matches change history

kzshz2: Intended Use: Indicate that the the versioning was confirmed by the peer reviewer(s). Rationale: There have been many occassions where versions were not updated in files and as a result Unit Test were referencing wrong versions. This often time leads to the need to re-run of batch tests.

Yes

Comments:

and Version Control version in file comment block

Change log contains detailed description of changes

Yes

Comments:

Initial version

and Work CR number

Code accurately implements FDD (Document or Model)

N/A

Comments:

Verified no Compiler Errors or Warnings

KMC: Intended Use: To confirm no compiler errors or warnings exist for the code under review (warnings from contract header files may be ignored). Rationale: This is needed to ensure there will be no errors discovered at the time of integration. A Sandox project should be used; QAC can find compiler errors but not warnings.

Yes

Comments:

No sandbox available for BSW components

Test was done manually on an integration project.

Component.h is included

Yes

Comments:

All other includes are actually needed. (System includes

Yes

Comments:

only allowed in Nexteer library components)

Software Design and Coding Standards followed:

Version:

Code comments are clear, correct, and adequate

Yes

Comments:

and have been updated for the change: [N40] and

all other rules in the same section as rule [N40],

plus [N75], [N12], [N23], [N33], [N37], [N38],

[N48], [N54], [N77], [N79], [N72]

Source file (.c and .h) comment blocks are per

Yes

Comments:

standards and contain correct information: [N41], [N42]

Function comment blocks are per standards and

Yes

Comments:

contain correct information: [N43]

Code formatting (indentation, placement of

Yes

Comments:

braces, etc.) is per standards: [N5], [N55], [N56],

[N57], [N58], [N59]

Embedded constants used per standards; no

Yes

Comments:

"magic numbers": [N12]

Memory mapping for non-RTE code

No

Comments:

is per standard

All execution-order-dependent code can be

N/A

Comments:

recognized by the compiler: [N80]

All loops have termination conditions that ensure

N/A

Comments:

finite loop iterations: [N63]

All divides protect against divide by zero

N/A

Comments:

if needed: [N65]

All integer division and modulus operations

N/A

Comments:

handle negative numbers correctly: [N76]

All typecasting and fixed point arithmetic,

N/A

Comments:

including all use of fixed point macros and

timer functions, is correct and has no possibility

of unintended overflow or underflow: [N66]

All float-to-unsiged conversions ensure the.

N/A

Comments:

float value is non-negative: [N67]

All conversions between signed and unsigned

N/A

Comments:

types handle msb==1 as intended: [N78]

All pointer dereferencing protects against

N/A

Comments:

null pointer if needed: [N70]

Component outputs are limited to the legal range

N/A

Comments:

defined in the FDD DataDict.m file : [N53]

All code is mapped with FDD (all FDD

N/A

Comments:

subfunctions and/or model blocks identified

with code comments; all code corresponds to

some FDD subfunction and/or model block): [N40]

Review did not identify violations of other

Yes

Comments:

coding standard rules

Anomaly or Design Work CR created

N/A

Comments: List Anomaly or CR numbers

for any FDD corrections needed

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 4: MDD

Rev 1.2

8-Jun-15

Peer Review Meeting Log (MDD Review)

MDD Name:

Os Module Design Document.docx

MDD Revision:

1

Source File Name:

NxtrOsErrHndlg.c

Source File Revision:

1

Source File Name:

Source File Revision:

Source File Name:

Source File Revision:

Quality Check Items:

Rationale is required for all answers of No

Synergy version matches document

Yes

Comments:

Change log contains detailed description of changes

Yes

Comments:

Changes Highlighted (for Unit Tester)

N/A

Comments:

Initial Version

Diagrams have been included per MDD Guideline

Yes

Comments:

and reviewed

All Design Exceptions and Limitations are listed

Yes

Comments:

Design rationale given for all global

N/A

Comments:

data not communicated through RTE ports, per

Design and Coding Standards rules [N9] and [N10].

All implementation details that differ from the FDD are

N/A

Comments:

No FDD

noted and explained in Design Rationale

All Unit Test Considerations have been described

Yes

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 5: PolySpace

Rev 1.2

8-Jun-15

Peer Review Meeting Log (QAC/PolySpace Review)

Source File Name:

NxtrOsErrHndlg.c

Source File Revision:

1

Source File Name:

Source File Revision:

Source File Name:

Source File Revision:

EA4 Static Analysis Compliance Guideline version:

01.01.00

Poly Space version:

Windows User: eg. 2013b 2013B

Polyspace sub project version:

Windows User: eg. TL108a_PolyspaceSuprt_1.0.0 NA

QAC version:

Windows User: eg 8.1.1-R N/A

QAC sub project version:

Windows User: eg. TL108a_PolyspaceSuprt_1.0.0 NA

Quality Check Items:

Rationale is required for all answers of No

Contract Folder's header files are appropriate and

kzshz2: Intended Use: Identify that the contract folder contains only the information required for this component. All other variables, constants, function prototypes, etc. should be removed. Rationale: This will help avoid unit testers having to considers object not used. It will also avoid having other files required for QAC.

Yes

Comments:

Copy of NxtrOsErrHndlg.h moved

function prototypes match the latest component version

to contract folder to avoid analysis of 3rd party headers

100% Compliance to the EA4 Static Analysis

Yes

Comments:

Compliance Guideline

Are previously added justification and deviation

Yes

Comments:

comments still appropriate

Do all MISRA deviation comments use approved

N/A

Comments:

deviation tags

Cyclomatic complexity and Static path count OK

Creager, Kathleen: use Browse Function Metrics, STCYC and STPTH

Yes

Comments:

for all functions in the component per Design

and Coding Standards rule [N47]

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

18.7 - ProductInformation_2_Restrictions-for-MSR-OS-SafeContext-SC3

Restrictions for MICROSAR OS SafeContext

18.8 - ProductInformation_2_Restrictions-for-MSR-OS-SafeContext-SC3_ind

Outline
Page 1
Page 2

18.9 - ProductInformation_2_Restrictions-for-MSR-OS-SafeContext-SC3s

Product Information Restrictions for MICROSAR OS SafeContext
1 Purpose
This document describes the restrictions of MICROSAR OS SafeContext compared with
the AUTOSAR specification and the Vector OS feature set.
2 Application area
All projects with operating system MICROSAR OS SC3 or MICROSAR OS SafeContext.
Normally these projects are safety relevant ECUs (ISO 26262).
3 Target
Due to safety aspects, not all requirements of the AUTOSAR specification are
implemented. This document describes the restrictions.
4 Supported Use Cases
Only applications based on OS scalability class SC3 or SC4 will be supported.
5 Features not supported
Class
Description
OS service API
TerminateApplication
CheckISRMemoryAccess
CheckTaskMemoryAccess
GetAlarmBase
StartScheduleTableSynchron
SyncScheduleTable
SetScheduleTableAsync
Internal Resources Internal Resources are not supported.
Killing
“Killing” of Tasks or Applications is not supported.
The only allowed protection reaction in the ProtectionHook is
PRO_SHUTDOWN. Other reactions will be interpreted as PRO_SHUTDOWN.
A missing TerminateTask error always causes shutdown.
OS Hooks
ISRHook
PreAlarmHook
OS Application
StartupHook<Applicationname>
specific Hooks
ErrorHook<Applicationname>

ShutdownHook<Applicationname>
2014, Vector Informatik GmbH
Version: 1.0.0
1 / 2
based on template version 4.7.2

Product Information Restrictions for MICROSAR OS SafeContext
Class
Description
Address Parameter  In case API functions with out-parameters (parameter passed by
Check
reference, e.g. GetEvent, GetAlarm, …) are called with illegal address-
parameter, they do not return with the error code
E_OS_ILLEGAL_ADDRESS as required by the AUTOSAR
specification. Instead the out-parameter is written with the access
rights of the caller, which may lead to a memory protection violation in
case the given pointer is invalid.
Stack optimization
Stack sharing is not supported.
Single stack model is not supported.
Internal trace
The “Internal Trace” feature is not supported.
COM
OSEK COM inter task communication with messages is not supported.
ORTI
ORTIVersion = 2.0 is not supported.
Error Hook
ErrorInfoLevel = Modulenames is not supported.
Table 5-1   Not supported Features
6  Features with restricted usage
Class
Description
Interrupt resources  Resources are only available at task level, not in interrupt service
routines.
OS Hooks
The following hook functions are limited:
PreTaskHook is available for debugging only and must not be used in
final code.
PostTaskHook is available for debugging only and must not be used
in final code.
Address Parameter  In case API functions with out-parameters (parameter passed by
Check
reference, e.g. GetEvent, GetAlarm, …) are called with illegal address-
parameter, they do not return with the error code
E_OS_ILLEGAL_ADDRESS as required by the AUTOSAR
specification. Instead the out-parameter is written with the access
rights of the caller, which may lead to a memory protection violation in
case the given pointer is invalid.
Configuration
The following hooks must be always enabled:
Aspects
StartupHook
ErrorHook
ShutdownHook
ProtectionHook
For SCALABILITYCLASS only the settings SC3 or SC4 are supported.
Memory protection must be active always.
STACKMONITORING must be enabled.
OSInternalChecks must be configured to Additional.
Table 6-1   Supported Features with restricted usage
2014, Vector Informatik GmbH
Version: 1.0.0
2 / 2
based on template version 4.7.2

Document Outline

18.10 - TechnicalReference_MICROSAROS_RH850

MICROSAR OS RH850

18.11 - TechnicalReference_MICROSAROS_RH850_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57

18.12 - TechnicalReference_MICROSAROS_RH850s

MICROSAR OS RH850
Technical Reference

Authors
Senol Cendere, Yohan Humbert
Version
1.09
Status
Released

Technical Reference MICROSAR OS RH850
Document Information
History
Author
Date
Version  Remarks
S. Cendere
2014-01-21  1.00
Creation
S. Cendere
2014-02-03  1.01
Release for RH850 SafeContext
S. Cendere
2014-04-24  1.02
Release for RH850 P1M
S. Cendere
2014-09-30  1.03
Added error numbers for interrupt consistency checks
Y. Humbert
2014-10-14  1.04
Update
Y. Humbert
2015-01-29  1.05
Added ASID support
Y. Humbert
2015-02-26  1.06
Added D1M, E1L, E1M and F1M
Y. Humbert
2015-06-10  1.07
Added Multicore chapter
S. Cendere
2015-06-29  1.08
Added Timing Protection chapter
S. Cendere
2015-08-20  1.09
Removed core exception attributes

Reference Documents
Ref.  Source
Title
Version
[1]
AUTOSAR
AUTOSAR Operating System Specification
3.0.x
(downloadable from www.Autosar.org)
4.0.x
4.1.x
[2]
OSEK
OSEK/VDX Operating System Specification
2.2.3
(downloadable from www.osek-vdx.org)
[3]
Vector Informatik GmbH
Technical Reference MICROSAR OS
8.00

2015, Vector Informatik GmbH
Version: 1.09                                2 / 57

Technical Reference MICROSAR OS RH850
Scope of the Document
This  technical  reference  describes  the  specific  use  of  the  MICROSAR  OS  for  Renesas
RH850. It supplements the general technical reference for MICROSAR OS [3].

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

Overview
This  document  describes  the  implementation  specific  part  of  the  AUTOSAR  operating
system for the Renesas RH850 microcontroller family. In this document a processor of the
family may be referred as RH850.
The common part of all MICROSAR OS implementations is described in document [3].
The implementation is based on the OSEK-OS-specification 2.2.3 and on AUTOSAR OS
specifications 3.0.x/4.0.x/4.1.x. This document assumes that the reader is familiar with the
OSEK and AUTOSAR OS specifications.
OSEK/VDX  is  a  registered  trademark  of  Continental  Automotive  GmbH  (until  2007:
Siemens AG).
2015, Vector Informatik GmbH
Version: 1.09                                3 / 57

Technical Reference MICROSAR OS RH850
14.2
Header Files .................................................................................................... 56
15 Contact ........................................................................................................................ 57

2015, Vector Informatik GmbH
Version: 1.09 7 / 57

Technical Reference MICROSAR OS RH850
1  Overview of MICROSAR OS
1.1
Overview of Properties
Property Class
Version / Range / Support
AUTOSAR OS specification
3.0.x, 4.0.x, 4.1.x
SC1
Scalability Classes supported
SC3 (SafeContext)
SC4 (SafeContext)
SC1: BCC1, BCC2, ECC1, ECC2
Conformance Classes supported
SC3 and SC4: ECC2
SC1: full-, non- and mixed-preemptive
Scheduling policy
SC3 and SC4: full- and mixed-preemptive
Scheduling points
depending on scheduling policy
Maximum number of tasks
65535
Maximum number of events per task
32
Maximum number of activations per task  255
Maximum number of priorities
8192
Maximum number of counters
256
Maximum number of alarms
32767
Maximum number of resources
8192
Maximum number of resources locked
255
simultaneously
Maximum number of schedule tables
65535
65535 (cyclical expiry points counted by their
Maximum number of expiry points
multiplicity)
Maximum number of ISRs
depending on derivative
SC1: STANDARD and EXTENDED
Status Levels
SC3: EXTENDED
SC4: EXTENDED
Nested Interrupts
supported
SC1: supported
Interrupt level resource handling
SC3: not supported
SC4: not supported
SC1: 2.1 Standard and 2.1 Additional
         2.2 Standard and 2.2 Additional
ORTI support
SC3: 2.2 Additional
SC4: 2.2 Additional
Library Version
not supported
FPU support
supported (if provided by derivative)
Table 1
OS Properties
2015, Vector Informatik GmbH
Version: 1.09                                8 / 57

Technical Reference MICROSAR OS RH850
2  Installation
The general installation is described in the common document [3].
The RH850 specific files are described below.
2.1
OIL-Configurator
The  OIL-configurator  is  a  general  tool  for  different  AUTOSAR  implementations.  The
implementation specific parts are the code generator and the OIL-implementation files for
the code generator.
  OIL-Configurator            root\OILTOOL
  OIL-Implementation files    root\OILTOOL\GEN
  Code Generator             root\OILTOOL\GEN

2.1.1  OIL-Implementation Files
The implementation specific files will be copied onto the local hard disk. The OIL-tool has
knowledge  about  these  files  through  the  file  OILGEN.INI  (the  correct  path  is  set  by  the
installation program).
CPU
Implementation file
Standard object file
Description
D1L
RH850_D1L.i41
RH850_D1L.s41
Source code version
D1M
RH850_D1M.i41
RH850_D1M.s41
Source code version
E1L
RH850_E1L.i41
RH850_E1L.s41
Source code version
E1M
RH850_E1M.i41
RH850_E1M.s41
Source code version
F1H
RH850_F1H.i41
RH850_F1H.s41
Source code version
F1L
RH850_F1L.i41
RH850_F1L.s41
Source code version
F1M
RH850_F1M.i41
RH850_F1M.s41
Source code version
P1M
RH850_P1M.i41
RH850_P1M.s41
Source code version
Table 2
OIL implementation Files

2015, Vector Informatik GmbH
Version: 1.09                                9 / 57

Technical Reference MICROSAR OS RH850
3  Configuration
Before an application can be compiled all static MICROSAR OS objects have to be defined
in  a  configuration  file.  The  OS  generator  generates  code  in  accordance  to  this
configuration file.
The  configuration  can  be  done  either  in  XML  language  (AUTOSAR  ECU  configuration
format) or in OIL (OSEK implementation language).
Chapter 4 shows the program flow of a configuration / generation / compilation process in
detail.
There  are  configuration  attributes  which  are  standard  for  all  MICROSAR  OS
implementations. These are described in [3].
Platform  specific  attributes  (which  only  apply  to  this  implementation  of  MICROSAR  OS)
are described hereafter.
3.1
XML Configuration
An XML configuration of the OS must conform to the AUTOSAR XML schema. To edit such
a configuration the DaVinci configurator of Vector Informatik GmbH can be used.
3.2
OIL Configuration
MICROSAR OS systems for RH850 can also be described using OIL. The OIL configurator
tool is capable of reading and writing OIL files. The finished OIL file is passed to the code
generator which generates the configuration files of the OS.
2015, Vector Informatik GmbH
Version: 1.09                                10 / 57

Technical Reference MICROSAR OS RH850
3.3
OS Attributes
The OS object controls general aspects of the operating system. The following attributes
are provided for scalability class SC1, SC3 and SC4:
Attribute Name
Values
Description
Default  value  is
OIL
XML
written in bold
Compiler
OsOSCompiler
GHS
Selects the supported compiler.
SystemStackSize
OsOSSystemStackSize
0 … 0xFFFC  Size of the system stack in bytes.
EnumeratedUnhandl
OsOSEnumeratedUnhandl
TRUE
This attribute determines handling
edISRs
edISRs
FALSE
of unused interrupt sources.
If set TRUE then variable
ossUnhandledExceptionDetail is
set to the exception number before
calling osUnhandledException.
ORTIDebugSupport
OsOSORTIDebugSupport
TRUE
The RH850 implementation
FALSE
supports ORTI debug information if
this attribute is selected.
ORTIDebugLevel
OsOSORTIDebugLevel
ORTI_22_Ad
Support ORTI 2.2 with additional
ditional
features which require some
additional runtime and memory.
UserConfigurationVe
OsOSUserConfigurationVer
0 ... 0xFFFF
This value specifies the current
rsion
sion
user specific version of the OS
configuration. It can be read back
by the user for validation.
SupportFPU
OsOSSupportFPU
TRUE
Switches on the support for FPU.
FALSE
(if provided by derivative)
TimingProtectionTim
OsOSTimingProtectionTime 0 … 999999
Only SC4: peripheral clock of timer
erClock
rClock
No default
unit TAUJ0 specified in [kHz]
Table 1: RH850 specific attributes of OS

2015, Vector Informatik GmbH
Version: 1.09                                11 / 57

Technical Reference MICROSAR OS RH850
For scalability class SC3 and SC4 the following additional attributes are provided:
Attribute Name
Values
Description
Default  value
OIL
XML
is  written  in
bold
CheckIntAPIStatus
OsOSCheckIntAPIStatus
TRUE
If set to TRUE then the OS API functions
FALSE
CallTrustedFunction and
CallNonTrustedFunction do not
check the interrupt status.
PeripheralRegion
OsOSPeripheralRegion
No default
List of peripheral regions.
A peripheral region defines an address
range where access is allowed for
selected applications (trusted or non-
trusted).
The access is granted by means of the
API functions.
MemoryProtection
OsOSMemoryProtection
TRUE
Enables memory protection via MPU.
FALSE
Mandatory for SC3 and SC4.
MpuRegion
OsOSMpuRegion
Enable
Configures static MPU regions

2015, Vector Informatik GmbH
Version: 1.09                                12 / 57

Technical Reference MICROSAR OS RH850
3.3.1 MpuRegion Sub-Attributes (SC3 and SC4)
If a static MPU region is enabled then the memory area is specified by the following sub-
attributes:
Sub-Attribute Name
Values
Description
(default value is
OIL
XML
written in bold)
StartAddr
OsOSStartAddr
string
Start address of static MPU region
No default
hexadecimal value:
StartAddr = 0x…
or
memory area specific linker symbol:
StartAddr = <linker_start_symbol>
EndAddr
OsOSEndAddr
string
End address of static MPU region
No default
hexadecimal value:
EndAddr = 0x…
or
memory area specific linker symbol:
EndAddr = <linker_end_symbol>
AccessRights
OsOSAccessRights uint32
MPU region access configuration
No default
ASID
OsOSASID
TRUE
Specifies, whether ASID matching is enabled
FALSE
for this MPU region.
Identifier
OsOSIdentifier
0 ... 0x3FE
ASID value to be used as area match
0x3FF
condition. The maximum value 0x3FF is used
as default value.

Value of StartAddr must always point to the first valid Byte in the specified memory area.
Value of EndAddr must always point to the last valid Byte in the specified memory area.
Up to 11 static MPU regions can be configured:
MpuRegion = Enable
{

StartAddr = 0x... ;

EndAddr = 0x… ;

AccessRights = 0x…;

ASID = TRUE;

Identifier = 0x01;
};

2015, Vector Informatik GmbH
Version: 1.09 13 / 57

Technical Reference MICROSAR OS RH850
3.3.2 PeripheralRegion Sub-Attributes (SC3 and SC4)
Sub-Attribute Name
Values
Description
(default value
OIL
XML
is written in
bold)
StartAddress
OsOSStartAddress
uint32
Numeric value.
No default
Specifies the start address of the peripheral region
which shall be configured.
Any 32 bit value can be used.
EndAddress
OsOSEndAddress
uint32
Numeric value.
No default
Specifies the end address of the peripheral region
which shall be configured.
Any 32 bit value can be used.
Identifier
OsOSIdentifier
string
C-String
No default
Must be a unique C Identifier which can be used in
an application or BSW module to access the
peripheral region.
ACCESSING_
OsOSAccessing
Application
Application reference.
APPLICATION Application
Type
Defines access rights of an application for this
PeripheralRegion.
This attribute can be defined multiple times, so that
different applications might have access right to the
same PeripheralRegion.

Caution
The application is allowed to access memory addresses in the interval of StartAddress
 <= memory to be accessed <= EndAddress
The “EndAddress” value is included! All bytes of a peripheral access must fit into the
peripheral region.

2015, Vector Informatik GmbH
Version: 1.09 14 / 57

Technical Reference MICROSAR OS RH850
3.4
Counter Attributes
Platform specific attributes are located within the container “DRIVER”.
Sub-Attribute Name
Values
Description
(default value is
OIL
XML
written in bold)
Timer
OsCounterTimer  OSTM
Selects the timer hardware which drives the
OSTM_HIRES  hardware counter.
No default
OSTM: OSTM timer is used and generates cyclic
interrupts.
OSTM_HIRES: OSTM timer is used and runs in
high resolution timer mode.
Which interrupt channel is used for a specific
derivative can be found in chapter 8.1.

3.4.1  OSTM Sub-Attributes
Sub-Attribute Name
Values
Description
(default value is
OIL
XML
written in bold)
EnableNesting
OsCounterEnabl
TRUE
Specifies whether the timer interrupt which drives
eNesting
FALSE
the hardware counter can be interrupted by
No default
higher priority interrupts.
InterruptPriority
OsCounterInterr
0 ... 15
The priority of the timer ISR which drives the
uptPriority
0 ... 7 (F1L)
hardware counter.
StackSize
OsCounterStack
0 … 0xFFFC
Stack size of the timer ISR which drives the
Size
hardware counter.

3.4.2  OSTM_HIRES Sub-Attributes
Sub-Attribute Name
Values
Description
(default value is
OIL
XML
written in bold)
EnableNesting
OsCounterEnabl
TRUE
Specifies whether the timer interrupt which drives
eNesting
FALSE
the hardware counter can be interrupted by
No default
higher priority interrupts.
InterruptPriority
OsCounterInterr
0 ... 15
The priority of the timer ISR which drives the
uptPriority
0 ... 7 (F1L)
hardware counter.
StackSize
OsCounterStack
0 … 0xFFFC
Stack size of the timer ISR which drives the
Size
hardware counter.
MinTimeBetween
OsCounterMinTi
uint32
Defines the number of timer ticks which at least
TimerIrqs
meBetweenTim
0
must be between two timer interrupts (shortest
erIrqs
possible time between two timer interrupts).

Detailed description how to configure software and hardware counter can be found in [3].

2015, Vector Informatik GmbH
Version: 1.09                                15 / 57

Technical Reference MICROSAR OS RH850
3.5
ISR Attributes
Attribute Name
Values
Description
Default value is written in bold
OIL
XML
ExceptionType
OsOSExceptionType  GENERAL_EXCEPTION
Select EIINT for EI level interrupts.
EIINT
Select GENERAL_EXCEPTION for
core exceptions.
EnableNesting
OsOSEnableNesting
TRUE
Must be set FALSE if the
FALSE
configured CAT2 ISR shall not be
interrupted by CAT1 or CAT2 ISRs
with higher priority level. This
attribute is ignored for CAT1 ISRs.
UseSpecialFunc
OsOSUseSpecialFun
TRUE
This is a feature for mapping
tionName
ctionName
FALSE
different interrupt / exception
sources to one interrupt handler.
This feature is supported as
described in [3].
Table 2: RH850 specific ISR attributes

3.5.1  ExceptionType Sub-Attributes

ExceptionType = GENERAL_EXCEPTION
Attribute Name
Values
Description
OIL
XML
ExceptionAddress
OsOSExceptionAddress
No default
Interrupt vector address offset.
Table 3: Sub-attributes of ExceptionType=GENERAL_EXCEPTION

ExceptionType = EIINT
Attribute Name
Values
Description
OIL
XML
IntChannel
OsOSIntChannel
0 … 511
Channel index of EI level
No default
interrupt.
Max channel number depends
on used CPU derivative.
InterruptPriority
OsOSInterruptPriority
SC1 and SC3: 0…15
Defines the interrupt priority
SC4: 1…15
level of the ISR. Lower value
No default
means higher priority.
InterruptStackSize
OsOSInterruptStackSize
0 … 0xFFFC
Size of the ISR stack
No default
Table 4: Sub-attributes of ExceptionType=EIINT

2015, Vector Informatik GmbH
Version: 1.09                                16 / 57

Technical Reference MICROSAR OS RH850
3.6
Application Attributes
The following specific attributes are provided for SC3 and SC4:
Attribute Name
Values
Description
Default value is
OIL
XML
written in bold
ASID
OsApplicationASID
0 … 0x3FE
Value to be written to ASID register
0x3FF
on application switch. The
maximum value 0x3FF is used as
default value.
MpuRegion
OsApplicationMpuRegion
Enable
Configures application specific
dynamic MPU region
Table 5: RH850: Application specific attributes
3.6.1 Attribute MpuRegion
Attribute MpuRegion must be configured for non-trusted applications which need write
access to application specific memory areas. If dynamic MPU region is enabled then the
memory area is specified by following sub-attributes:
Sub-Attribute Name
Values
Description
(default value
OIL
XML
is written in
bold)
StartAddr
OsApplication
string
Start address of application specific MPU region
StartAddr
No default
hexadecimal value:
StartAddr = 0x…
or application specific linker symbol:
StartAddr = <appl_linker_start_symbol>
EndAddr
OsApplication
string
End address of application specific MPU region
EndAddr
No default
hexadecimal value:
EndAddr = 0x…
or application specific linker symbol:
EndAddr = <appl_linker_end_symbol>
Value of StartAddr must always point to the first valid Byte in the specified memory area.
Value of EndAddr must always point to the last valid Byte in the specified memory area.
MpuRegion = Enable
{

StartAddr = 0x... ;

EndAddr = 0x... ;
};

The total number of used dynamic MPU regions depends on the application which has the
most number of dynamic regions.
Example: if an application has 3 dynamic regions and other application has 5 dynamic
regions then the total number of used dynamic MPU regions is 5.
2015, Vector Informatik GmbH
Version: 1.09 17 / 57

Technical Reference MICROSAR OS RH850
3.7
Event Attributes
Events in the MICROSAR OS operating system are always implemented as bits in bit
fields. The user could use bit masks like ‘0x00000001’ but to achieve portability between
different MICROSAR OS implementation he should use event names which are mapped
by the code generator to the defined bits. The MICROSAR OS RH850 implementation
allows up to 32 events per task. The required size of the event masks is calculated
automatically by the code generator. Possible event mask sizes are 8, 16 and 32 Bits.
3.8
Linker Include Files (SC3 and SC4)
The  generated  linker  include  files  osdata.dld,  osrom.dld,  ossdata.dld,  osstacks.dld  and
ostdata.dld are example files which can be used for mapping the OS and application data.
osdata.dld
Include file osdata.dld contains mapping for application and OS data. It should be included
immediately after the default .data section.
osrom.dld
Include osrom.dld contains the mapping of initialized data which is copied by the  start-up
code from ROM to RAM area. It should be included at end of ROM section.
ossdata.dld
Include file ossdata.dld contains the mapping of application and OS data in SDA section.
Due to limited number of MPU protection areas the SDA section of non-trusted application
contain SDA and non-SDA data. This affects also the global shared data sections. This file
must be included after the .sdata section.
osstacks.dld
Include file osstacks.dld contains the mapping of system stack, all task and all ISR stacks.
This file should be included before application specific data sections.
ostdata.dld
Include  file  ostdata.dld  contains  mapping  for  application  data  in  TDA  section.  This  file
should be included after the .zdata section.
2015, Vector Informatik GmbH
Version: 1.09                                18 / 57

Technical Reference MICROSAR OS RH850
4  System Generation
The system generation process is described in the document  [3] which  is common to all
implementation. The following section describes the RH850 specific parts of the generating
process.

Code
AUTOSAR XML
XML
generator
Configuration Tool
OIL
alternative
Configuration
OIL
Files *.c, *.h
Configurator
Compile   and
link
Application
OS source Files *.c, *.h
+
Files *.c, *.h
executable

Figure 4-1  System Generation
2015, Vector Informatik GmbH
Version: 1.09                                19 / 57

Technical Reference MICROSAR OS RH850
4.1
Code Generator
The following files are generated by the code generator genRH850SCTX.exe
  config.xml          configuration information in XML-format
  intvect_c0.c        interrupt vector tables
  tcb.c                applications and OS configuration
  tcb.h
  tcbpost.h
  trustfct.h
  trustfct.c            trusted function stubs
  osConfigBlock.c    contains the configuration block
  osStacks.h
  osStacks.c          stack definitions
  Os_MemMap.h    contains definitions for MemMap usage
  OILFileName.ort
  OILFileName.htm

For SC3 and SC4 the following additional files are generated:
  osdata.dld             example linker include file for application data
  osrom.dld          example linker include file for application data initialization
  ossdata.dld         example linker include file for application data in SDA
  osstacks.dld        example linker include file for stacks
  ostdata.dld         example linker include file for application data in TDA
  nontrustfct.h

For multicore systems the following additional files are generated:
 ioc.h           Header for IOC related functions
 ioc.c            IOC related functions
 ccb.h          Header for multicore related attributes
 ccb.c           Multicore related attributes
 intvect_c1.c    Interrupt vector tables for second core

The files tcb.c, tcb.h, trustfct.c, trustfct.h and nontrustfct.h are described in document [3].
The module intvect_c0.c contains the interrupt vector tables for the Green Hills compiler.
The module OILFileName.ort is only generated if the configuration attribute
ORTIDebugSupport is selected.
OILFileName.htm is containing information about the configuration settings.
2015, Vector Informatik GmbH
Version: 1.09                                20 / 57

Technical Reference MICROSAR OS RH850
5  Stack Handling
5.1
Task Stacks
Each task runs on an own separate task stack. Tasks might share a stack as described in
[3]. The PreTaskHook function always uses the system stack. The PostTaskHook function
uses the system stack or in case of a task termination, it uses the task stack of the task
that is terminated. Note that all task stacks must provide sufficient size for the maximum
nesting  level  of  ISR  category  1.  Therefore  it  is  recommended  to  use  ISR  category  2  if
possible.
The size of  each task stack is determined by the configuration attribute StackSize of  the
configuration object TASK.
5.2
ISR Stacks
An interrupt stack is defined for each interrupt priority level which is assigned to a CAT2
ISR. Each CAT2 ISR runs on the interrupt stack which is assigned to its priority level.
5.3
System Stack
The system stack is used by the dispatcher and by the hook wrappers.
5.4
Startup Stack
In function osStartOSasm the stack pointer is initialized to point to the system stack.
The system stack can be used as start-up stack.
The following linker symbol is provided to use the system stack as start-up stack:
_osSystemStack_EndAddr
5.5
Stack Usage Size
The OS offers the possibility to determine the maximum stack usage of the OS stacks.
Please be aware, that the function stack usage determination for system stacks depends
heavily on the positions in the code, where an ISR is interrupted by another ISR.
In the single stack model, the measured value for the system stack usage also depends
heavily on the position in the code, where a basic task is preempted by another task. For
this  reason,  it  is  extremely  difficult,  to  find  a  conclusion  for  the  worst  case  system  stack
usage from the measured stack usage.
NOTE: The API functions for determination of the stack usage are only available with the
following configuration settings:
STACKMONITORING = TRUE
StackUsageMeasurement = TRUE

2015, Vector Informatik GmbH
Version: 1.09                                21 / 57

Technical Reference MICROSAR OS RH850
5.5.1  Task Stack Usage
API function osGetStackUsage is described in [3].

5.5.2  System Stack Usage
The usage of the system stack since the start of the OS can be determined by using the
function osGetSystemStackUsage.
Prototype:
typedef osuint16 osStackUsageType;

osStackUsageType osGetSystemStackUsage(void);

Argument:
  none
Return value:   Maximum stack usage (bytes) of the system stack since StartOS().

5.5.3  ISR Stack Usage
The  usage  of  the  ISR  stacks  since  the  start  of  the  OS  can  be  determined  by  using  the
function osGetISRStackUsage.
Prototype:
typedef osuint16 osStackUsageType;

osStackUsageType osGetISRStackUsage(ISRType IsrIndex);

Argument:
    Index of the ISR
Return value:     Maximum stack usage (bytes) of the ISR stack since StartOS().
2015, Vector Informatik GmbH
Version: 1.09                                22 / 57

Technical Reference MICROSAR OS RH850
6 Interrupt Handling

Note
This implementation supports interrupt handling according to the RH850 “expanded
 specifications” with a separate vector table for EIINT interrupts.

6.1
Interrupt Vectors
The code generator generates the interrupt vector tables. Therefore, all interrupt-service-
routines have to be defined in the configuration. The interrupt vector tables are generated
into the file intvect_c<X>.c for the Green Hills compiler, where X is the corresponding core
ID.
The interrupt vector tables are generated into three sections:
 ". osExceptionVectorTable_c<X>"
contains the core exception vector table

 ". osEIINTVectorTable_c<X>"
contains the EIINT exceptions vector table

 ".os_text"
Contains the ISR prologue for CAT2 ISR wrappers

The length of the mentioned vector tables depends on the concrete derivative.

6.1.1 Reset Vector
The user can specify an own reset vector. For this the user must configure a category 1
ISR which has the vector address 0x0, i.e. attribute ExceptionAddress=0x0.
If a category 1 ISR is configured for vector 0x0, this vector is generated as a jump to the
specified address.
If this vector is not configured in the configuration, the vector 0x0 is generated as a jump to
the startup code, delivered with the compiler.
Please note that all examples use the start-up module which is delivered with the compiler.
For the Green Hills compiler this module is crt0.o
6.1.2 Level Initialization
The user has to configure an interrupt priority level for all ISRs. MICROSAR OS initializes
the appropriate interrupt control register with the level, configured by the user. The
application is not allowed to change the interrupt priority level after StartOS is called.
2015, Vector Informatik GmbH
Version: 1.09 23 / 57

Technical Reference MICROSAR OS RH850
6.2
Interrupt Level and Category
The  RH850  controllers  support  interrupt  levels.  ISRs  with  lower  level  have  priority  over
those with higher level. ISRs of lower level might therefore be nested into ISRs of higher
level. Interrupt levels cannot be chosen independently from the category.
Because ISRs of category 2 can activate tasks, the exit code  of a non-nested category 2
ISR has to check, if a task has been activated by the ISR itself or by any nested ISRs. If
so, a task switch has to be set off. As category 1 ISRs have no such exit code, they must
not  be  interrupted  by  category  2  ISRs.  For  this  reason,  MICROSAR  OS  checks,  that  all
category 1 ISRs have lower or equal level value than the category 2 ISR with lowest level.
Note: Scalability class SC4 does not allow use of category 2 ISRs with priority level 0
6.3
Interrupt Category 1
For interrupts of category 1 no MICROSAR OS API functions can be used. Note that the
category 1 ISR with highest priority value must have lower or equal priority value than the
category 2 ISR with lowest priority value.
Example: if category 2 ISRs have priority levels  8, 10, 11 and 12 then category 1 cannot
use priority levels 8 ... 15. Category 1 ISRs must then use priority levels 0 ... 7
Note: Scalability class SC4 does not allow use of category 1 ISRs for EIINT exceptions
6.3.1  Interrupt Processing in C
Using  the  Green  Hills  compiler,  category  1  interrupt  functions  written  in  C  must  be
implemented as described in the compiler manual:
You can use either of the following methods to declare a function as an interrupt routine:

Place #pragma ghs interrupt immediately before the function.

Prepend the __interrupt keyword to the function definition.
Independently from the compiler, the user should not provide the interrupt vector number
to the compiler, as the compiler would generate an interrupt vector in this case. Interrupt
vector generation is always done by the operating system.
6.3.2  Unhandled Exception Determination
If an unexpected interrupt occurs which is caused by an unused interrupts source then the
ErrorHook and ShutdownHook are called and the system shutdown is requested.
The error type is reported to the application via error code E_OS_SYS_ABORT.
If  an  unhandled    core  exception  has  occurred  then  the  error  reason  is  reported  to  the
application  via  error  number  osdErrUEUnhandledCoreException.  The  global  variable
ossUnhandledCoreExceptionDetail  contains  the  content  of  register  FEIC  and  the  global
variable ossUnhandledExceptionDetail contains the offset of the core exception.
If  an  unhandled    EIINT  exception  has  occurred  then  the  error  reason  is  reported  to  the
application  via  error  number  osdErrUEUnhandledEIINTException.  The  global  variable
ossUnhandledEIINTDetail  contains  the  content  of  register  EIIC  and  the  global  variable
ossUnhandledExceptionDetail contains the index of the EIINT exception.
2015, Vector Informatik GmbH
Version: 1.09                                24 / 57

Technical Reference MICROSAR OS RH850
6.4
Interrupt Category 2
6.4.1  Interrupt Entry
The  entry  code  of  category  2  ISRs  is  automatically  generated  by  MICROSAR  OS.  This
code stores the GPR registers onto stack and calls the CAT2 ISR wrapper.
SC1  and  SC3:  The  CAT2  ISR  wrapper  clears  the  global  interrupt  disable  flag  if  the
attribute EnableNesting is set for this ISR before calling the corresponding ISR function. If
this  attribute  is  not  set  then  the  CAT2  ISR  wrapper  does  not  clear  the  global  interrupt
disable flag.
SC4:  The  CAT2  ISR  wrapper  sets  register  PMR  to  system  level  and  clears  the  global
interrupt  disable  flag  if  the  attribute  EnableNesting  is  set  for  this  ISR  before  calling  the
corresponding  ISR  function.  If  this  attribute  is  not  set  then  the  CAT2  ISR  wrapper  sets
register PMR to task level and then clears the global interrupt disable.

6.4.2  Interrupt Exit
The necessary return from exception is implemented in the CAT2 ISR wrapper exit code.
The application is not allowed to issue a return from exception instruction.

6.4.3  CAT2 ISR Function
For category 2 ISRs, the user has to use the ISR-macro provided by MICROSAR OS. The
name which is given to this macro must be identical to the name in the configuration.
ISR( myISR )
{
… /* ISR function body */
}
6.5
Disabling Interrupts

Caution
It is not allowed to disable interrupts longer than the tick time SECONDSPERTICK of the
  hardware counter (timer). If interrupts are disabled longer than the tick time the alarm
management  could  be  handled  wrong.  This  error  is  not  detected  by  the  operating
system.

Only  when  compiling  the  operating  system  with  the  extended  status  additional  error
checking is performed.

2015, Vector Informatik GmbH
Version: 1.09                                25 / 57

Technical Reference MICROSAR OS RH850
7  MPU Handling (SC3 and SC4)
7.1
MPU Region Usage
MPU  region  0  is  used  for  stack  area  protection  and  all  other  MPU  regions  can  be
configured by the user to be static or dynamic (reprogrammed).
The total number of available MPU regions depends on the derivative group:
Derivative group
Number of MPU regions
D1L and D1M
12
E1L and E1M
12
F1H and F1M
16
F1L
4
P1M
12

7.1.1  MPU Region 0
MPU region 0 is used for stack area protection and cannot be configured by the user. It is
always reprogrammed by the OS when the context is switched. Therefore trusted and non-
trusted  applications  can  only  write  to  the  task  and  ISR  stacks  which  belong  to  the
application.

7.1.2  Static MPU Regions
If a MPU region shall be static, i.e. it is only initialized in StartOS and not reprogrammed
when  context  is  switched  then  it  has  to  be  configured  in  the  OS  specific  section.  The
region  number  is  not  required.  The  OS  generator  assigns  a  region  number  for  each
configured static MPU region.
The  user  must  specify  start  address,  end  address  and  region  attributes  of  the  memory
area.
If a MPU region is configured to be static then it is initialized in StartOS with settings from
the configuration block.

2015, Vector Informatik GmbH
Version: 1.09                                26 / 57

Technical Reference MICROSAR OS RH850
7.1.3  Dynamic MPU Regions
If a MPU region shall be dynamic, i.e. it is always reprogrammed when context is switched
then  it  has  to  be  configured  in  each  corresponding  non-trusted  application  section.  The
region  number  is  not  required.  The  OS  generator  assigns  a  region  number  for  each
configured  dynamic  MPU  region.  Trusted  applications  cannot  be  configured  with  MPU
regions.
The user must specify start and end address of the memory area. The region attributes are
configured by the OS.
If a MPU region is configured to be dynamic then it is initialized in StartOS to be unused.
After  StartOS  it  is  always  reprogrammed  when  a  non-trusted  application  is  started  or
terminated.
Non-trusted applications can have different number of MPU regions. The total number of
reprogrammed  MPU  regions  depends  on  the  application  which  has  the  most  dynamic
regions.  Example:  If  a system has 2 non-trusted applications,  one  application  configured
with 2 MPU regions and the other application configured with 3 MPU regions, then the total
number  of  dynamic  MPU  regions  is  3.  During  runtime  when  context  is  switched  then
always 3 MPU regions are reprogrammed.
Non-trusted application Appl1:
 MPU region 1 used
 MPU region 2 used
Non-trusted application Appl2:
 MPU region 1 used
 MPU region 2 used
 MPU region 3 used
When  application  Appl1  is  started  then  MPU  regions  1  and  2  are  reprogrammed  with
application specific settings and MPU region 3 is set to unused.
When  application Appl2  is  started  then  MPU  regions  1,  2  and  3  are  reprogrammed  with
application specific settings.
2015, Vector Informatik GmbH
Version: 1.09                                27 / 57

Technical Reference MICROSAR OS RH850
8  RH850 Peripherals
8.1
Supported System Timer
MICROSAR  OS  RH850  uses  the  timer  unit  OSTM  as  driver  for  a  configured  hardware
counter (see 3.4). The corresponding interrupt channel depends on the derivative group:
Derivative
Used Interrupt Channel
Used Hardware Unit
group
D1L / D1M
125
OSTM0
E1L / E1M
25
OSTM0
F1H / F1M
84
OSTM0

OSTM5 for second core in multicore system
F1L
76
OSTM0
P1M
74
OSTM0
Table 3
RH850 driver for hardware counter
8.2
Supported Time Monitoring Timer
MICROSAR OS RH850 uses the timer unit TAUJ0 for SC4 timing protection:
Derivative
Used Interrupt Channels
Used Hardware Unit
group
D1L / D1M
121, 122, 123
TAUJ0
E1L / E1M
Timing Protection not supported
-
F1H / F1M
80, 81, 82
TAUJ0
F1L
72, 73, 74
TAUJ0
P1M
133, 134, 135
TAUJ0
Table 4
RH850 timer units for timing protection
8.3
Initialization
The OS initializes the interrupt controller INTC before the StartupHook is called.
Register SCBASE and SCCFG are initialized to use the OS syscall table (SC3 and SC4).
The OS initializes the timer OSTM after the StartupHook is called.
In  case  of  SC3  and  SC4,  the  OS  initializes  the  memory  protection  unit  MPU  before  the
StartupHook is called.
In case of SC4, the OS initializes the timer unit TAUJ0 before the StartupHook is called.

2015, Vector Informatik GmbH
Version: 1.09                                28 / 57

Technical Reference MICROSAR OS RH850
9  Implementation Specifics
9.1
API Functions
9.1.1  DisableAllInterrupts
SC1 and SC3: The function DisableAllInterrupts disables all interrupts. This is achieved by
setting the ID-Bit in register PSW. The old value of the ID-Bit is stored for later restore.
SC4: The function DisableAllInterrupts disables interrupts up to priority level 1. Interrupts
with priority level 0 stay enabled. This is performed by setting bits 1…15 in register PMR.
The  old  value  of  the  register  is  stored  for  later  restore.  Interrupts  of  priority  level  0  stay
enabled so that timing protection exceptions can still occur.
Remark: Nested calls are not possible.
9.1.2  EnableAllInterrupts
SC1  and  SC3:  The  function  EnableAllInterrupts  restores  the  content  of  the  ID-Bit  which
was stored by DisableAllInterrupts.
SC4:  The  function  EnableAllInterrupts  restores  the  content  of  register  PMR  which  was
stored by DisableAllInterrupts.
Remark: Nested calls are not possible.
9.1.3  SuspendAllInterrupts
SC1 and SC3: The function SuspendAllInterrupts disables all interrupts. This is achieved
by setting the ID-Bit in register PSW. The old value of the ID-Bit is stored for later restore.
SC4: The function SuspendAllInterrupts disables interrupts up to priority level 1. Interrupts
with priority level 0 stay enabled. This is performed by setting bits 1…15 in register PMR.
The  old  value  of  the  register  is  stored  for  later  restore.  Interrupts  of  priority  level  0  stay
enabled so that timing protection exceptions can still occur.
Remark: Nested calls are possible.
9.1.4  ResumeAllInterrupts
SC1 and SC3: The function ResumeAllInterrupts restores the content of the ID-Bit which
was stored by SuspendAllInterrupts.
SC4:  The  function  ResumeAllInterrupts  restores  the  content  of  register  PMR  which  was
stored by SuspendAllInterrupts.
Remark: Nested calls are possible.
9.1.5  SuspendOSInterrupts
The function SuspendOSInterrupts disables all category 2 interrupts. This is  achieved by
setting  the  PMR  register  to  system  level  (highest  interrupt  priority  of  all  category  2
interrupts). The old value of the PMR register is stored for later restore.
Remark: Nested calls are possible.
9.1.6  ResumeOSInterrupts
The function ResumeOSInterrupts restores the content of register PMR which was stored
by SuspendOSInterrupts.
Remark: Nested calls are possible.
2015, Vector Informatik GmbH
Version: 1.09                                29 / 57

Technical Reference MICROSAR OS RH850
9.1.7  GetResource
MICROSAR OS RH850 SC3/SC4 does not support the extension of the resource concept
for interrupt levels.
9.1.8  ReleaseResource
MICROSAR OS RH850 SC3/SC4 does not support the extension of the resource concept
for interrupt levels.
9.1.9  GetAlarmBase
MICROSAR OS RH850 SC3/SC4 does not support API function GetAlarmBase.
9.1.10  osInitialize
Function  osInitialize  is  used  for  initializing  OS  global  variables  which  are  used  by
osDispatcher and interrupt handling API. It is called by the OS in StartOS.
Prototype: void osInitialize(void)
9.1.11  osInitINTC
Function osInitINTC initializes the interrupt controller INTC and some core registers:

EBASE = &osExceptionVectorTable

INTBP = &osEIINTVectorTable

INTCFG = 0

SCBP = &osSysCallTable (SC3 and SC4)

SCCFG = osdNumberOfSysCallFunctions (SC3 and SC4)

set table mode and priority level for each configured EIINT interrupt source
osInitINTC is called by the OS in StartOS.
Prototype: void osInitINTC(void)
Remark:  If  OS  API  functions  are  used  before  StartOS  then  osInitialize  and  osInitINTC
must be called before any OS API function is called.

2015, Vector Informatik GmbH
Version: 1.09                                30 / 57

Technical Reference MICROSAR OS RH850
9.2
Peripheral Region API
In  a  safety  application  there  is  the  need  to  access  peripheral  components  from  QM
software (non-trusted).
For  QM  software,  which  runs  in  restricted  mode  (e.g.  user  mode)  the  peripheral  access
must be granted by the MPU. Sometimes there are peripheral registers which cannot be
written at all in restricted mode.
Therefore the OS offers the concept of the peripheral region API.
The peripheral regions are defined in the configuration. Access rights are also configured
on application level.
With an API any Software (also non trusted) is capable to write to peripheral registers even
if the access is not granted by the MPU.
9.2.1.1
Read Functions
There are three reading functions.
Prototype
osuint8 osReadPeripheral8 ( osuint16 area, osuint32 address )
osuint16 osReadPeripheral16( osuint16 area, osuint32 address )
osuint32 osReadPeripheral32( osuint16 area, osuint32 address )
Parameter
area
Identifier of peripheral regions to the read from
address
Address to be read from
Return code

The content of “address” interpreted as 8 bit, 16 bit or 32 bit value
Functional Description
>  reads either an 8 bit, or a 16 bit or a 32 bit value from “address”
>  The function performs accessing checks (whether the caller has accessing rights to the
peripheral region and whether the address to be read from is within the configured range of
the peripheral region)
>  The error hook is raised in case of an error
>  A shutdown is not issued in case of an error
Particularities and Limitations
>  These functions may not be called from OS hooks
Call context
>  These functions may be called from Task context
>  These functions may be called from category 2 ISR context
>  These functions can be called with interrupts enabled or with interrupts disabled

2015, Vector Informatik GmbH
Version: 1.09                                31 / 57

Technical Reference MICROSAR OS RH850
9.2.1.2
Write Functions
There are three writing functions.
Prototype
void osWritePeripheral8 ( osuint16 area, osuint32 address, osuint8 value)
void osWritePeripheral16( osuint16 area, osuint32 address, osuint16 value)
void osWritePeripheral32( osuint16 area, osuint32 address, osuint32 value)
Parameter
area
Identifier of peripheral regions to the read from
address
Address to write to
value
Value to be written
Return code
None

Functional Description
>  Writes to either an 8 bit, or a 16 bit or a 32 bit value
>  The function performs accessing checks (whether the caller has accessing rights to the
peripheral region and whether the address to be read from is within the configured range of
the peripheral region)
>  The error hook is raised in case of an error
>  A shutdown is not issued in case of an error
Particularities and Limitations
>  These functions may not be called from OS hooks
Call context
>  These functions may be called from Task context
>  These functions may be called from category 2 ISR context
>  These functions can be called with interrupts enabled or with interrupts disabled

2015, Vector Informatik GmbH
Version: 1.09                                32 / 57

Technical Reference MICROSAR OS RH850

9.2.1.3
Modify Functions
There are three modifying functions.
Prototype
void osModifyPeripheral8 ( osuint16 area, osuint32 address, osuint8 clearmask,
osuint8 setmask)
void osModifyPeripheral16( osuint16 area, osuint32 address, osuint16 clearmask,
osuint16 setmask)
void osModifyPeripheral32( osuint16 area, osuint32 address, osuint32 clearmask,
osuint32 setmask)
Parameter
area
Identifier of peripheral regions to the read from
address
Address to be modified
clearmask
Bitmask which is bitwise “ANDed” to “address”
setmask
Bitmask which is bitwise “ORed” to “address”
Return code
None

Functional Description
>  The function performs accessing checks (whether the caller has accessing rights to the
peripheral region and whether the address to be read from is within the configured range of
the peripheral region)
>  The error hook is raised in case of an error
>  A shutdown is not issued in case of an error
>  After the access checks has passed first the “clearmask” is ANDed to “address” and
afterwards the “setmask” is ORed to it.
Particularities and Limitations
>  These functions may not be called from OS hooks
Call context
>  These functions may be called from Task context
>  These functions may be called from category 2 ISR context
>  These functions can be called with interrupts enabled or with interrupts disabled

2015, Vector Informatik GmbH
Version: 1.09                                33 / 57

Technical Reference MICROSAR OS RH850
9.3
Peripheral Interrupt API Functions (SC3 and SC4)
The  OS  provides  functions  which  can  be  used  to  perform  write  access  to  the  interrupt
controller INTC control registers in user mode.
If read access to SFR registers is enabled in user mode then the following macros can be
used to read from interrupt controller INTC registers.
#define osReadICR8(addr) (*((osuint8*)(addr)))
#define osReadICR16(addr) (*((osuint16*)(addr)))

This chapter describes API functions which can be used to access the interrupt control
registers within the corresponding address range:

Derivative group  Address range
D1L/D1M
FFFE EA00 - FFFE EA3E (EIC0 to EIC31)
FFFF B040 - FFFF B1FE (EIC32 to EIC255)
E1L/E1M
FFFE EA00 - FFFE EA3E (EIC0 to EIC31)
FFFF B040 - FFFF B3FE (EIC32 to EIC511)
F1H
FFFE EA00 - FFFE EA3E (EIC0 to EIC31)
FFFF B040 - FFFF B2BC (EIC32 to EIC350)
F1L
FFFF 9000 - FFFF 903E (EIC0- EIC31)
FFFF A040 - FFFF A232 (EIC32- EIC281)
F1M
FFFE EA00 - FFFE EA3E (EIC0 to EIC31)
FFFF B040 - FFFF B25C (EIC32 to EIC297)
P1M
FFFE EA00 - FFFE EA3E (EIC0 to EIC31)
FFFF B040 - FFFF B2FE (EIC32 to EIC383)

2015, Vector Informatik GmbH
Version: 1.09                                34 / 57

Technical Reference MICROSAR OS RH850
9.3.1 Write to Interrupt Control Register
Writing 1 or 2 Byte to the interrupt controller INTC control register is achieved by
osWriteICR8/osWriteICR16 and osWriteICRxLo/ osWriteICRxHi/ osWriteICRx16:

osWriteICR8
This function writes 1 Byte at specified destination address. Before writing the address
parameter is checked to be in valid range.
Prototype
void osWriteICR8(uint32 addr, uint8 val);
Parameter
addr
destination address
val
value to be written at destination address
Return Code
void
-
Functional Description
*(uint8*)addr = (uint8)val;

osWriteICR16
This function writes 2 Bytes at specified destination address. Before writing the address
parameter is checked to be in valid range.
Prototype
void osWriteICR16(uint32 addr, uint16 val);
Parameter
addr
destination address
val
value to be written at destination address
Return Code
void
-
Functional Description
*(uint16*)addr = (uint16)val;

2015, Vector Informatik GmbH
Version: 1.09 35 / 57

Technical Reference MICROSAR OS RH850
osWriteICRxLo
This function writes the lower Byte of the control register of the specified interrupt number.
Before writing the index is checked to be in valid range.
Prototype
void osWriteICRxLo(uint32 index, uint8 val);
Parameter
index
interrupt number
val
value to be written to control register
Return Code
void
-
Functional Description
*(uint8*)addr = (uint8)val;
osWriteICRxHi
This function writes the upper Byte of the control register of the specified interrupt number.
Before writing the index is checked to be in valid range.
Prototype
void osWriteICRxHi(uint32 index, uint8 val);
Parameter
index
interrupt number
val
value to be written to control register
Return Code
void
-
Functional Description
*(uint8*)addr = (uint8)val;
osWriteICRx16
This function writes both Bytes of the control register of the specified interrupt number.
Before writing the index is checked to be in valid range.
Prototype
void osWriteICRx16(uint32 index, uint16 val);
Parameter
index
interrupt number
val
value to be written to control register
Return Code
void
-
Functional Description
*(uint8*)addr = (uint8)val;

2015, Vector Informatik GmbH
Version: 1.09 36 / 57

Technical Reference MICROSAR OS RH850
9.3.2 Set or Clear Mask Flag
The mask flag of the interrupt control register can be set or cleared by osSetICRMask and
osClearICRMask.
osSetICRMask
This function sets the mask flag at specified destination address which must be even.
Before writing the address parameter is checked to be in valid range. The address
parameter is not checked to be even. The user must take care about it.
Prototype
void osSetICRMask(uint32 addr);
Parameter
addr
destination address
Return Code
void
-
Functional Description
*(uint8*)addr |= (uint8)0x80;
osClearICRMask
This function clears the mask flag at specified destination address which must be even.
Before writing the address parameter is checked to be in valid range. The address
parameter is not checked to be even. The user must take care about it.
Prototype
void osClearICRMask(uint32 addr);
Parameter
addr
destination address
Return Code
void
-
Functional Description
*(uint8*)addr &= (uint8)0x7F;

2015, Vector Informatik GmbH
Version: 1.09 37 / 57

Technical Reference MICROSAR OS RH850
9.3.3  Set or Clear ICR Request Flag
The request flag of the interrupt control register can be set and cleared by calling the
functions osSetICRReq and osClearICRReq:

osSetICRReq
This function sets the interrupt request flag at specified destination address. Before writing
the address parameter is checked to be in valid range. The destination address is
automatically made an odd address by the function.
Prototype
void osSetICRReq(uint32 addr);
Parameter
addr
destination address
Return Code
void
-
Functional Description
*(uint8*)(addr | 0x01) |= (uint8)0x10;

osClearICRReq
This function clears the interrupt request flag at specified destination address. Before
writing the address parameter is checked to be in valid range. The destination address is
automatically made an odd address by the function.
Prototype
void osClearICRReq(uint32 addr);
Parameter
addr
destination address
Return Code
void
-
Functional Description
*(uint8*)(addr | 0x01) &= (uint8)0xEF;

2015, Vector Informatik GmbH
Version: 1.09                                38 / 57

Technical Reference MICROSAR OS RH850
9.3.4 Read, Set or Clear Mask Bit in Registers IMRm
The mask bits in IMRm registers can be read, set and cleared by calling functions
osGetIMRmEI, osSetIMRmEI and osClearIMRmEI.
osGetIMRmEI
This function returns the current value of the mask bit specified by index (interrupt
number). Before read access the index parameter is checked to be in the valid range.
Prototype
void osGetIMRmEI(uint16 index);
Parameter
index
mask register index
Return Code
uint8
return mask flag IMRmEIMK<index>
Functional Description
return (uint8)(IMRmEIMK<index>);
osSetIMRmEI
This function sets the mask bit specified by index (interrupt numer). Before write access
the index parameter is checked to be in the valid range.
Prototype
void osSetIMRmEI(uint16 index);
Parameter
index
mask register index
Return Code
void
-
Functional Description
IMRmEIMK<index> = 1;
osClearIMRmEI
This function clears the mask bit specified by index (interrupt number). Before write access
the index parameter is checked to be in the valid range.
Prototype
void osClearIMRmEI(uint16 index);
Parameter
index
mask register index
Return Code
void
-
Functional Description
IMRmEIMK<index> = 0;

2015, Vector Informatik GmbH
Version: 1.09 39 / 57

Technical Reference MICROSAR OS RH850
9.3.5 Write to Registers IMRm
The registers IMRm can be written with 1 Byte, 2 Byte and 4 Byte value by calling functions
osWriteIMR8, osWriteIMR16 and osWriteIMR32.
osWriteIMR8
Function osWriteIMR8 writes 1 Byte to register IMRm specified by address. Before write access
the address parameter is checked to be in the valid range.
Prototype
void osWriteIMR8(uint32 addr, uint8 val);
Parameter
addr
destination address
val
value to be written at destination address
Return Code
void
-
Functional Description
*(uint8*)addr = (uint8)val;
osWriteIMR16
This function writes 2 Bytes to register IMRm specified by address. Before write access the
address parameter is checked to be in the valid range.
Prototype
void osWriteIMR16(uint32 addr, uint16 val);
Parameter
addr
destination address
val
value to be written at destination address
Return Code
void
-
Functional Description
*(uint16*)addr = (uint16)val;
osWriteIMR32
This function writes 4 Bytes to register IMRm specified by address. Before write access the
address parameter is checked to be in the valid range.
Prototype
void osWriteIMR32(uint32 addr, uint32 val);
Parameter
addr
destination address
val
value to be written at destination address
Return Code
void
-
Functional Description
*(uint32*)addr = (uint32)val;

2015, Vector Informatik GmbH
Version: 1.09 40 / 57

Technical Reference MICROSAR OS RH850
9.4
Hook Routines
The MICROSAR OS specification [3] allows implementation specific additional parameters
in hook routines. The prototypes of the hook routines are described in [1].
The  contexts  where  hook  routines  are  called  are  implementation  specific  and  are
described below. All hook routines are called with disabled interrupts.
9.4.1  ErrorHook
The ErrorHook is called if an error is detected in an API-function and if a system error is
detected. The  ErrorHook  runs on  the  task  or  ISR  stack  if  an API  error  is  reported  and  it
runs  on  the  system  stack  if  an  unrecoverable  system  error  is  reported.  Interrupts  are
disabled and CPU runs in supervisor mode.
9.4.2  StartupHook
The StartupHook runs always on the system stack. Interrupts are disabled and CPU runs
in supervisor mode.
9.4.3  ShutdownHook
SC1:  The  ShutdownHook  runs  on  the  stack  of  the  task  or  ISR  which  has  called
ShutdownOS(). EI level interrupts are disabled.
SC3 and SC4: The ShutdownHook runs always on the system stack. EI level interrupts are
disabled and the CPU runs in supervisor mode.
9.4.4  PreTaskHook
The PreTaskHook runs always on the system stack. Interrupts are disabled and CPU runs
in supervisor mode.
9.4.5  PostTaskHook
The PostTaskHook runs on the task stack or on the system stack. Interrupts are disabled
and CPU runs in supervisor mode.
9.4.6  PreAlarmHook (SC1 only)
When  entering  the  ISR  “osTimerInterrupt”  there  is  a  call  of  the  PreAlarmHook  when  the
corresponding configuration switch is set. The user has to take care for the implementation
of this routine. Please implement this hook routine as follows:
void PreAlarmHook(void)
{
/* user specific code */
}
The Hook Routine is called before incrementing the system counter and before handling
all alarms! The Hook Routine runs on system stack.
2015, Vector Informatik GmbH
Version: 1.09                                41 / 57

Technical Reference MICROSAR OS RH850
9.4.7  ISRHooks (SC1 only)
The  ISRHooks  –  UserPreISRHook  and  UserPostISRHook  –  run  on  the  system  stack.  If
EnableNesting  is  set  to  TRUE  for  the  respective  ISR,  these  hooks  run  with  interrupts
enabled;  otherwise  they  run  with  interrupts  disabled..  For  a  more  detailed  description  of
these hooks see [3].

9.4.8  Callbacks (SC1 only)
Callbacks run on the stack of the entity that led to their activation. E.g. if an alarm callback
is activated through a call to IncrementCounter() by a task, it runs on this tasks stack.  If
IncrementCounter()    was    called    by    an    interrupt    (for    example    the    system    timer
interrupt), the Callback runs onthe corresponding ISR stack.
9.4.9  ProtectionHook (SC3 and SC4)
The ProtectionHook is called if a memory protection or privileged instruction violation was
detected.  It  runs  always  on  the  system  stack.  Interrupts  are  disabled  and  CPU  runs  in
supervisor mode.

2015, Vector Informatik GmbH
Version: 1.09                                42 / 57

Technical Reference MICROSAR OS RH850
9.5 Functions for MPU functionality checks
The OS provides 2 functions which can be called to check the functionality of the MPU.

9.5.1  Function osCheckMPUAccess
Function osCheckMPUAccess can be called to check the current MPU protection settings.
Prototype
uint8 osCheckMPUAccess(const uint8* addr)
Parameter
addr
The address to be checked for read and write access
Return Type
0 = E_OK: read and write access to given address is possible
uint8
1 = E_OS_ACCESS: access to given address has caused memory protection violation
Functional Description
  disable interrupts
  call internal function osAsmCheckMPU to check read and write access to destination address
  store the return value of internal function osAsmCheckMPU into local variable
  restore previous interrupt state
  return with given return value
Particularities and Limitations
The internal function osAsmCheckMPU first reads 1 byte from the destination address and then writes
this value back to the destination address. If read and write access is possible the value on the given
destination address is not changed. If read or write access is not possible then an access violation is
detected by the MPU and a protection exception occurs. The protection exception handler returns to
internal function osAsmCheckMPU with return value = 1. This return value is returned to the caller of
function osCheckMPUAccess to signal the access violation.
Call Context
Not allowed before call of StartOS()
Table 5: Function osCheckMPUAccess

2015, Vector Informatik GmbH
Version: 1.09                                43 / 57

Technical Reference MICROSAR OS RH850
9.5.2  Function osCheckAndRefreshMPU
Function  osCheckAndRefreshMPU  can  be  called  to  check  and  re-initialize  all  MPU
registers which are not reprogrammed during runtime.
Prototype
StatusType osCheckAndRefreshMPU(void)
Parameter
-
-
Return Type
StatusType  E_OK:                                   all MPU registers have expected content
E_OS_SYS_API_ERROR:   invalid content was detected in MPU registers
Functional Description
  checks all MPU registers which are not reprogrammed
  re-initialize all MPU registers which are not reprogrammed
  returns E_OK if all MPU registers have expected content
  returns E_OS_SYS_API_ERROR if invalid content was detected in MPU registers
Particularities and Limitations
-
Call Context
  Call is only allowed after StartOS()
  Call is only allowed by trusted applications
Table 6: Function osCheckAndRefreshMPU

2015, Vector Informatik GmbH
Version: 1.09                                44 / 57

Technical Reference MICROSAR OS RH850
10  Non-Trusted Functions (SC3 and SC4)
Non-trusted functions are a VECTOR extension to the AUTOSAR OS specification. This concept
allows  non-trusted  applications to provide  interface functions  which might  be  called  by  trusted  or
non-trusted tasks and ISRs.
10.1  Functionality
Non-trusted functions can be used to provide service functions by non-trusted applications. Non-
trusted functions are called with memory access rights and service protection rights of the owner
application, independent from the access rights of the caller. These functions can access local data
of the owner application without the possibility to overwrite data of other applications.
The  caller  might  be  a  task  of  a  trusted  application  with  global  memory  access,  developed
according to high safety standards. The called non-trusted function might be developed according
to lower standards but is not able to access any other memory than limited accessible memory of
the  non-trusted  owner  application.  During  the  call,  the  non-trusted  function  is  executed  on  a
separate stack, isolated from the caller stack by the MPU.
2015, Vector Informatik GmbH
Version: 1.09                                45 / 57

Technical Reference MICROSAR OS RH850
10.2 API
Prototype
StatusType osCallNonTrustedFunction(NonTrustedFunctionIndexType FunctionIndex,
NonTrustedFunctionParameterRefType FunctionParams);
Parameter
FunctionIndex
Index of the function to be called.
FunctionParams
Pointer to the parameters for the function to be called. If no parameters are provided,
a NULL pointer has to be passed.
Return code
E_OK
No error
E_OS_SERVICEID No function defined for this index
Functional Description
Executes the non-trusted function referenced by FunctionIndex and passes argument FunctionParams.
The non-trusted function must conform to the following C prototype:
void NONTRUSTED_<name of the non-trusted function(NonTrustedFunctionIndexType,
NonTrustedFunctionParameterRefType);
The arguments are the same as the arguments of CallNonTrustedFunction.
Particularities and Limitations
> The non-trusted function is called in user mode with memory protection enabled
> The function has memory access rights of the owner application
> The function has the service protection rights of the owner application
Call context
> Task, CAT2 ISR, trusted function, non-trusted function
Table 7 API CallNonTrustedFunction

Note
Vector MICROSAR OS implementations offer the possibility of stub function generation
 for trusted functions. This mechanism is not available for non-trusted functions.

2015, Vector Informatik GmbH
Version: 1.09 46 / 57

Technical Reference MICROSAR OS RH850
10.3  Call Context
The following table shows the API functions callable from non-trusted functions.
API Functions
Call allowed
API Functions
Call allowed
ActivateTask
X
GetTaskID
X
TerminateTask
DC
GetTaskState
X
ChainTask
DC
StartOS
-
Schedule
DC
ShutdownOS
-
DisableAllInterrupts
P
GetApplicationID
X
EnableAllInterrupts
P
GetActiveApplicationMode
X
SuspendAllInterrupts
P
GetISRID
X
ResumeAllInterrupts
P
CallTrustedFunction
X
SuspendOSInterrupts
P
CallNonTrustedFunction
X
ResumeOSInterrupts
P
CheckObjectAccess
X
GetResource
X
CheckObjectOwnership
X
ReleaseResource
X
StartScheduleTableRel
X
SetEvent
X
StartScheduleTableAbs
X
ClearEvent
DC
StopScheduleTable
X
GetEvent
X
NextScheduleTable
X
WaitEvent
DC
StartScheduleTableSynchron
X
GetAlarm
X
SyncScheduleTable
X
SetRelAlarm
X
GetScheduleTableStatus
X
SetAbsAlarm
X
SetScheduleTableAsync
X
CancelAlarm
X
IncrementCounter
X

Abbreviations:

X:
Allowed

DC:  Dependent on caller. Allowed if called from task, not allowed from ISR
  P:
Pairwise,  when  interrupts  are  disabled  within  the  (trusted/non-trusted)  function,
they need to be re-enabled within the same function
2015, Vector Informatik GmbH
Version: 1.09                                47 / 57

Technical Reference MICROSAR OS RH850
10.3.1  Example
Non-trusted functions have to be defined and called as followed:

Example for calling a non-trusted function (configured function name = MyNTF used as index
number):

TASK(Task1)
{
MyNTFParametersStruct callArg;
   callArg.a = 2;
   CallNonTrustedFunction( MyNTF, (NonTrustedFunctionParameterRefType)
(&callArg));
}

Definition and prototype of the non-trusted function must have the prefix NONTRUSTED_ :

void NONTRUSTED_MyNTF (NonTrustedFunctionIndexType idx,
NonTrustedFunctionParameterRefType  param)
{
    if( ((MyNTFParametersStruct *) param)->a == 2)
    {
       /* do something */
  }
}

The non-trusted function parameters must be declared via typedef struct:

typedef struct
{
    unsigned char a;
} MyNTFParametersStruct;

2015, Vector Informatik GmbH
Version: 1.09                                48 / 57

Technical Reference MICROSAR OS RH850
11  Multicore
This OS implements the Autosar OS Multi Core feature according to Autosar specification
4.0.3.
11.1  Configuration
Each application has to be assigned to a core. This is done with the application attribute
“CORE”.
Since each configuration object has to be assigned to an application the core assignment
of the object is implicitly done with the application assignment.

11.1.1  Core IDs
The  physical  core  ID  which  is  provided  in  hardware  register  HTCFG0  differs  from  the
logical core ID used by the OS internally, which is returned by GetCoreID().

CPU1 (PE1)  CPU2 (PE2)
Physical core ID
1
2
Logical core ID
0
1
Table 8: Mapping of physical and logical core ID

11.2  Multi-Core start-up
As immediately after reset both cores begin execution, the master-slave startup behavior is
emulated  in  software.  Therefore,  a  handshake  synchronization  is  performed  by  calling
osInitMultiCoreOS()  on  PE1  and  calling  osInitSlaveCore()  on  PE2.  It  is  not
allowed to use any other API function before this initial synchronization step is done.
By calling osInitMultiCoreOS() PE1 initializes the multi-core OS related variables and
synchronizes with PE2. By calling osInitSlaveCore() PE2 synchronizes with PE1 and
resides  in  a  busy  waiting  state,  until  it  is  started  by  StartCore()  or
StartNonAutosarCore(). If only PE2 should be controlled by the OS, then PE2 has to
call osInitMultiCoreOS() after osInitSlaveCore().

Caution
The hardware register OSTM0_CMP  is used for synchronization purpose.
  Therefore, OSTM0_CMP must not be modified before initial synchronization.

The following chapters provide code examples for the multi-core startup.
2015, Vector Informatik GmbH
Version: 1.09                                49 / 57

Technical Reference MICROSAR OS RH850
11.2.1  Both PEs controlled by OS
void main()
{

[…]

switch(GetCoreID())

{

case OS_CORE_ID_0:

[…]

osInitMultiCoreOS();

StartCore(OS_CORE_ID_1);

StartOS(OSDEFAULTAPPMODE);

break;

case OS_CORE_ID_1:

[…]

osInitSlaveCore();

StartOS(OSDEFAULTAPPMODE);

break;

default:

[…]

break;

}

[…]
}

11.2.2  Only PE1 controlled by OS
void main()
{

[…]

switch(GetCoreID())

{

case OS_CORE_ID_0:

[…]

osInitMultiCoreOS();

StartNonAutosarCore(OS_CORE_ID_1);    /* may be called later */

StartOS(OSDEFAULTAPPMODE);

break;

case OS_CORE_ID_1:

[…]

osInitSlaveCore();

[…]

break;

default:

[…]

break;

}

[…]
}

2015, Vector Informatik GmbH
Version: 1.09                                50 / 57

Technical Reference MICROSAR OS RH850
11.2.3  Only PE2 controlled by OS
void main()
{

[…]

switch(GetCoreID())

{

case OS_CORE_ID_0:

[…]

osInitMultiCoreOS();

StartCore(OS_CORE_ID_1);

[…]

break;

case OS_CORE_ID_1:

[…]

osInitSlaveCore();

osInitMultiCoreOS();

StartNonAutosarCore(OS_CORE_ID_0);    /* adjusts the state of PE1*/

StartOS(OSDEFAULTAPPMODE);

break;

default:

[…]

break;

}

[…]
}

2015, Vector Informatik GmbH
Version: 1.09                                51 / 57

Technical Reference MICROSAR OS RH850
12  Timing Protection (SC4)
MICROSAR OS RH850 SC4 provides timing protection by using timer unit TAUJ0:
TAUJ0  timer channel 0 is used for inter arrival time monitoring.
TAUJ0 timer channel 1 is used for execution time monitoring.
TAUJ0 timer channel 2 is used for blocking time monitoring.
TAUJ0 timer channel 3 is not used and therefore disabled.
TAUJ0 timer channels 0, 1 and 2 are initialized with interrupt priority level 0.

12.1  Configuration Attributes
The common SC4 attributes are described in the general MICROSAR OS manual.
RH850 specific SC4 attributes
OS attribute TimingProtectionTimerClock must be specified in [kHz] by user:
Example: If the peripheral clock of TAUJ0 is 20 MHz then set
TimingProtectionTimerClock = 20000

12.2  Restrictions for SC4 Configurations
MICROSAR OS RH850 has the following restrictions for SC configurations:

It is not allowed to use category 1 ISRs

It is not allowed to configure category 2 ISRs with priority level 0

It is not allowed to modify any register of unit TAUJ0 after calling StartOS

2015, Vector Informatik GmbH
Version: 1.09                                52 / 57

Technical Reference MICROSAR OS RH850
13  Error Handling
13.1  MICROSAR OS RH850 Error Numbers
In  addition  to  the  AUTOSAR  OS  error  numbers  all  MICROSAR  OS  implementations
provide unique error numbers for an exact error description. All error numbers are defined
as  a  16  bit  value.  The  error  numbers  are  defined  in  the  header  file  osekerr.h  and  are
defined according to the following syntax:
0xgfee
  ||+--- consecutive error number
  |+---- number of function in the function group
  +----- number of function group

Error numbers common for all MICROSAR OS implementations are described in [3].

13.1.1  RH850 specific Error Numbers
The RH850 implementation specific error numbers have a function group number starting
at 0xA101 and are described in the following table:
Name
Error
Type
Reason
osdErrYOSystemStackOverflow
0xA101  SysCheck  system stack overflow is detected
osdErrYOTaskStackOverflow
0xA102  SysCheck  task stack overflow is detected
osdErrYOISRStackOverflow
0xA103  SysCheck  ISR stack overflow is detected
osdErrSCWrongSysCallParameter
0xA201  SysCheck  invalid syscall parameter is  used
osdErrDPStartValidContext
0xA401  SysCheck  new task is started with valid
context
osdErrDPResumeInvalidContext
0xA402  SysCheck  preempted task is resumed with
invalid context
osdErrDPInvalidTaskIndex
0xA403  SysCheck  invalid active task index
osdErrDPInvalidApplicationID
0xA404  SysCheck  invalid active application ID
osdErrEXMemoryViolation
0xA501  SysCheck  memory protection violation
osdErrEXPrivilegedInstruction                0xA502  SysCheck  privileged instruction violation
osdErrSUInvalidTaskIndex
0xA601  SysCheck  invalid task index used in
osGetStackUsage
osdErrSUInvalidIsrIndex
0xA602  SysCheck  invalid ISR index used in
osGetISRStackUsage
osdErrSUInvalidIsrPrioLevel
0xA603  SysCheck  invalid ISR priority level used in
osGetISRStackUsage
osdErrCIInvalidIsrIndex
0xA701  SysCheck  CAT2 ISR wrapper called with
invalid ISR ID
osdErrCIInvalidIsrPrioLevel
0xA702  SysCheck  invalid ISR priority level used in
CAT2 ISR wrapper
osdErrCIInvalidApplicationID
0xA703  SysCheck  invalid application ID used in
CAT2 ISR wrapper
2015, Vector Informatik GmbH
Version: 1.09                                53 / 57

Technical Reference MICROSAR OS RH850
Name
Error
Type
Reason
osdErrCIMissingIntRequest
0xA704  SysCheck  Missing interrupt request
osdErrCIInterruptIsMasked
0xA705  SysCheck  Interrupt is masked
osdErrCIWrongIntPriority
0xA706  SysCheck  Wrong interrupt priority
osdErrPIGetIMRInvalidIndex
0xA801  SysCheck  invalid IMR index used in
osGetIMR
osdErrPISetIMRInvalidIndex
0xA802  SysCheck  invalid IMR index used in
osSetIMR
osdErrPIClearIMRInvalidIndex
0xA803  SysCheck  invalid IMR index used in
osClearIMR
osdErrPIWriteIMR8InvalidAddr
0xA804  SysCheck  invalid IMR address used in

osWriteIMR8
osdErrPIWriteIMR16InvalidAddr
0xA805  SysCheck  invalid IMR address used in

osWriteIMR16
osdErrPIWriteIMR32InvalidAddr
0xA806  SysCheck  invalid IMR address used in
osWriteIMR32
osdErrPISetICRMaskInvalidAddr
0xA807  SysCheck  invalid ICR address used in
osSetICRMask
osdErrPIClearICRMaskInvalidAddr
0xA808  SysCheck  invalid ICR address used in
osClearICRMask
osdErrPISetICRReqInvalidAddr
0xA809  SysCheck  invalid ICR address used in
osSetICRReq
osdErrPIClearICRReqInvalidAddr
0xA80A  SysCheck  invalid ICR address used in
osClearICRReq
osdErrPIWriteICR8InvalidAddr
0xA80B  SysCheck  invalid ICR address used in
osWriteICR8
osdErrPIWriteICR16InvalidAddr
0xA80C  SysCheck  invalid ICR address used in
osWriteICR16
osdErrPIWriteICRxLoInvalidIndex
0xA80D  SysCheck  invalid ICR index used in
osWriteICRxLo
osdErrPIWriteICRxHiInvalidIndex
0xA80E  SysCheck  invalid ICR index used in
osWriteICRxHi
osdErrPIWriteICRx16InvalidIndex
0xA80F  SysCheck  invalid ICR index used in
osWriteICRx16
osdErrCRInvalidSettingOSTM
0xA901  SysCheck  invalid register content found in
osCheckAndRefreshTimer
osdErrCRInvalidSettingMPU
0xA902  SysCheck  invalid register content found in
osCheckAndRefreshMPU
osdErrUEUnhandledCoreException
0xAA01  SysCheck  unhandled core exception
occurred
osdErrUEUnhandledDirectBranch
0xAA02  SysCheck  unhandled direct branch
exception occurred
Table 9
RH850 specific Error Numbers
2015, Vector Informatik GmbH
Version: 1.09                                54 / 57

Technical Reference MICROSAR OS RH850
14  Modules
MICROSAR OS RH850 source and header files depend on the scalability class:
14.1  Source Files
Module Name
Description
SC1
SC3
SC4
atosappl.c
Memory protection related functions

●
●
atostime.c
Schedule table related functions
●
●
●
atosTProt.c
Timing protection related functions

●
osek.c
System initialisation, scheduler, interrupt control
●
●
●
osekalrm.c
Alarm related functions
●
●
●
osekasm.c
Compiler specific assembler functions and syscalls
●
●
●
osekerr.c
Error handling
●
●
●
osekevnt.c
Event handling
●
●
●
osekrsrc.c
Resource handling
●
●
●
oseksched.c
Schedule table related functions
●
●
●
osekstart.c
OS start-up related functions
●
●
●
osektask.c
Task management
●
●
●
osektime.c
Timer interrupt routine and alarm management
●
●
●
osSysCall.c
Compiler specific syscall table

●
●
osOstmHiRes.c
Timer specific functions
●
●
●
osMultiCore.c
Multicore related functions
MC 1

Table 10
List of source files

1 Only for multi core systems
2015, Vector Informatik GmbH
Version: 1.09                                55 / 57

Technical Reference MICROSAR OS RH850
14.2  Header Files
Module Name
Description
SC1  SC3  SC4
Os.h
This header has to be included by the application
●
●
●
Included by Os.h, includes the Autosar Header files if
Os_Cfg.h
●
●
●
selected by the attribute TypeHeaderInclude
osek.h
Included by Os_cfg.h, basic OS header
●
●
●
osekasm.h
Compiler specific header for assembler code
●
●
●
Included by osek.h, macro-definitions for assertion-
osekasrt.h
●
●
●
handling
osekcov.h
Coverage macros
●
●
●
osekerr.h
Included by osek.h, definitions of all error-numbers
●
●
●
osekext.h
Header file for OS internal functions
●
●
●
oseksched.h
Header for schedule table related functions
●
●
●
emptymac.h
Empty API hook macros
●
●
●
User API hook macros (contains macros for ORTI
testmac1.h
●
●
●
debug support)
User API hook macros (contains macros for ORTI
testmac3.h

●
●
debug support)
testmac4.h
User API hook macros (contains macros for ORTI

●
●
debug support)
Included by all headers and system modules, Vector
vrm.h
●
●
●
release management
Linker specific symbols for the syscall table. This file
osSysCallTable.dld

●
●
must be included into the global project linker file.
File for including the necessary derivative dependent
osDerivatives.h
●
●
●
header.
osRH850_D1L.h
RH850 D1L specific header file.
●
●
●
osRH850_D1M.h
RH850 D1M specific header file.
●
●
●
osRH850_E1L.h
RH850 E1L specific header file.
●
●

osRH850_E1M.h
RH850 E1M specific header file.
●
●

osRH850_F1H.h
RH850 F1H specific header file.
●
●
●
osRH850_F1L.h
RH850 F1L specific header file.
●
●
●
osRH850_F1M.h
RH850 F1M specific header file.
●
●
●
osRH850_P1M.h
RH850 P1M specific header file.
●
●
●
osINTC2.h
Contains specific code for the interrupt controller.
●
●
●
osMultiCore.h
Header for multicore related functions
MC

Table 11
List of header files
2015, Vector Informatik GmbH
Version: 1.09                                56 / 57

Technical Reference MICROSAR OS RH850
15  Contact
Visit our website for more information on

  News
  Products
  Demo software
  Support
  Training data
  Addresses

www.vector.com

In case of OSEK / MICROSAR OS related problems you may write an email to
osek-support@vector.com
2015, Vector Informatik GmbH
Version: 1.09                                57 / 57

Document Outline

18.13 - TechnicalReference_Os

YourTopic

18.14 - TechnicalReference_Os_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126
Page 127
Page 128
Page 129
Page 130
Page 131
Page 132
Page 133
Page 134
Page 135
Page 136

18.15 - TechnicalReference_Oss

MICROSAR OS SafeContext
Technical Reference

Version 9.01

Status
Released
Document ID
OS01.0280

Technical Reference MICROSAR OS SafeContext

Document Information
History
Author
Date
Version
Remarks
Rmk
2012-06-26
6.00
creation based on AUTOSAR 3.0 version
Shk
2013-09-18
6.01
SingleSource template applied and
variants for ASR3.x, ASR4.x, SafeContext
and non-SafeContext prepared
Biv
2014-02-04
6.02
MultiCore references corrected
Zfa
2014-05-05
6.03
Updated timer description
Asl
2014-08-14
8.00
Examples chapter excluded
TimingAnalyzer removed
Updated counter related macros and
configuration
Asl
2014-10-16
8.01
Added PeripheralRegion API
Added Non-Trusted Function API
Added CheckMPUAccess API
Asl
2015-01-29
9.00
Updated interpretation of
OsSecondsPerTick and
OsCounterTicksPerBase
Rk
2015-06-17
9.01
Added MICROSAR OS Timing Hooks
Added table of terms to the glossary
Added the information that forcible
termination is currently not supported

2015, Vector Informatik GmbH
Version: 9.01
2 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Reference Documents
No.
Title
Version
[1]   AUTOSAR_SWS_OS.pdf
V5.0.0
AUTOSAR OS specification; This document is available in PDF-format on the
internet a the AUTOSAR homepage (http://www.autosar.org)
[2]   AUTOSAR_TR_BSWModuleList.pdf
1.6.0
[3]   OSEK/VDX Operating System Specification
2.2.3
This document is available in PDF-format on the Internet at the OSEK/VDX
homepage (http://www.osek-vdx.org)
[4]   TechincalReference_Microsar_Os_Multicore.pdf
1.00
[5]   TechnicalReference_MicrosarOS_xxxx.pdf
--
Technical reference of Vector MICROSAR OS; Hardware specific part
[6]   OIL: OSEK Implementation Language
2.3
This document is available in PDF-format on the Internet at the OSEK/VDX
homepage (http://www.osek-vdx.org)
[7]   Tutorial_osCAN.pdf
1.00
Tutorial for the MICROSAR OS OSEK/AUTOSAR Realtime Operating System
[8]   autosar.xsd
4.0.3
AUTOSAR XML schema
[9]   MicrosarOS_xxxx_SafeContext_SafetyManual.pdf
--
Application Conditions for SEooC; Implementation specific document
Scope of the Document
MICROSAR  OS  is  an  operating  system,  compliant  with  the  AUTOSAR  OS  and  OSEK
standards. The  general  aspects  of  all  SafeContext  implementations  are  described  in  this
document. For each implementation, the hardware specific part is described in a separate
document [4].
The implementation is based on the AUTOSAR OS specification [1].
It is also based on the OSEK OS specification 2.2 described in the document [3].
As a SEooC, it is further based on assumptions regarding safety requirements. Details can
be found in [9].
This  documentation  assumes  that  the  reader  is  familiar  with  both  the  OSEK  OS
specification and the AUTOSAR OS specification.
This documentation describes only the operating system and the code generation tool.
OSEK  is  a  registered  trademark  of  Continental  Automotive  GmbH  (until  2007:  Siemens
AG).
2015, Vector Informatik GmbH
Version: 9.01
3 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Caution
We have configured the programs in accordance with your specifications in the
questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2015, Vector Informatik GmbH
Version: 9.01
4 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.
This  chapter  is  included  in  any  MICROSAR  component  documentation.  For  the  OS,  the
history on the intended level is not relevant as MICROSAR OS implements all mandatory
requirements of AUTOSAR OS.
2015, Vector Informatik GmbH
Version: 9.01
14 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

2  Introduction
This document describes the functionality, API and configuration of the general part of the
AUTOSAR BSW module OS as specified in [1].

Supported AUTOSAR Release:
4.0.3
Supported Configuration Variants:
pre-compile
Vendor ID:
OS_VENDOR_ID
30  decimal  (= Vector-
Informatik,  according  to
HIS)
Module ID:
OS_MODULE_ID
1 decimal  (according to
ref. [2])

2.1  Architecture Overview
The following figure shows where the OS is located in the AUTOSAR architecture.

Figure 2-1
AUTOSAR 3.x Architecture Overview
Figure 2-2
AUTOSAR architecture
2015, Vector Informatik GmbH
Version: 9.01
15 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

The MICROSAR OS is an operating system based on the AUTOSAR OS standard V5.0.0
(ref. [1]) and on OSEK OS standard 2.2.3 (ref. [3]).
This  MICROSAR  OS  operating  system  is  a  real  time  operating  system,  which  was
specified  for  the  usage  in  electronic  control  units  on  a  range  of  small  to  large
microprocessors.  MICROSAR  OS  has  attributes  which  differ  from  commonly  known
operating systems and which  allow a very  efficient  implementation even on systems with
low resources of RAM and ROM.
As a requirement, there is no dynamic creation of new tasks at runtime; all tasks have to
be  defined  before  compilation.  The  operating  system  has  no  dynamic  memory
management and there is no shell for the control of tasks by hand.
The  operating  system  and  the  application  are  compiled  and  linked  together  to  one  file,
which is loaded into an emulator or is burned into an EPROM or Flash EEPROM.

2015, Vector Informatik GmbH
Version: 9.01
16 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3  Functional Description
3.1
Features
The features listed in this chapter cover the complete functionality specified in [1].
The  "supported"  and  "not  supported"  features  are  presented  in  the  following  two  tables.
For further information of not supported features, also see chapter 9.

The following features described in [1] are supported:
Supported Feature
The Vector MICROSAR OS implements all mandatory features described in the chapter about
System Scalability within [1]. However, some minor restrictions apply, see chapter 9 in this
document.
Table 3-1
Supported SWS features
The  following  features  described  in  [1]  are  supported  in  MultiCore  implementations.
However,  they  are  currently  not  described  in  this  document,  but  in  the  additional
documentation [4].
Conditionally Supported Feature
MultiCore
Inter OSApplication Communication (IOC)
Table 3-2
Not supported SWS features
The  OSEK  /  AUTOSAR  OS  specifications  leave  many  points  open  on  implementation.
Every  OSEK  / AUTOSAR  OS  implementation  for  a  specific  microcontroller  has  to  define
the open points to achieve an optimal solution for the processor. The operating system has
to  fit  the  target  microprocessor  and  the  C-compiler.  The  programming  model  of  the  C-
compiler is as important as the hardware of the processor.
3.2
Main Functions
The operating system is started by the application. The startup module (which is not part of
the operating system) calls the function main. In the main function, the user has to call the
API  function  StartOS.  StartOS  will  initialize  the  operating  system,  install  the  interrupt
routine  for  the  alarm  handling,  and  then  call  the  scheduler.  StartOS  will  never  return  to
the main function.
The function of the scheduler is to evaluate the task with the highest priority in the  READY
state  and  call  this  task.  If  the  task  was  previously  pre-empted  by  another  higher  priority
task, the scheduler resumes the task.
2015, Vector Informatik GmbH
Version: 9.01
17 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

The operating system is controlled by external events. External events can be events from
interrupt  routines,  from  the  alarm  management,  or  from  schedule  tables  (Alarms  and
schedule  tables  are  also  driven  by  interrupt  service  routines).  Therefore,  any  external
event will result in the change of task states.

Figure 3-1
Functional parts
Interrupt routines are under the control of the application programmer. An OSEK operating
system  allows  a  fast  and  efficient  interrupt  handling,  so  interrupts  have  a  short  latency
time.  It is possible  to call certain  system functions from interrupt  routines.  It is necessary
that the operating system has knowledge of any existing interrupt routines.
3.2.1
Timer and Alarms
All  time-based  actions  are  performed  in  OSEK  using  counters,  alarms,  and  schedule
tables.  Counters  are  part  of  the  kernel  and  are  incremented  by  a  specific  hardware
resource  or  by  means  of  the  system  service  IncrementCounter.  In  case  of  a  time-
based  counter,  the  counter  is  incremented  periodically. Alarms and  schedule  tables  have
fixed references to counters. MICROSAR OS supports up to 256 counters.
An  alarm,  if  activated,  has  a  certain  value.  If  the  referenced  counter  reaches  the  given
value,  a  defined  action  is  performed.  The  action  to  each  alarm  is  defined  by  the  OIL
Configurator and is compiled into the ROM. The alarm value is passed as a parameter to
the functions SetRelAlarm or SetAbsAlarm.
A schedule table, if activated, has a certain starting value. If the referred counter reaches
the  given  value,  the  first  defined  action  is  performed.  The  further  actions  are  defined
relative to this first action. These relative starting times are defined together with the action
by  the  OIL  Configurator  and  compiled  into  ROM.  The  starting  value  is  passed  as  a
parameter to the functions StartScheduleTableRel or StartScheduleTableAbs.
2015, Vector Informatik GmbH
Version: 9.01
18 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.2.1.1
Time Base
3.2.1.1.1
Counter Macros
To support the portability of OSEK, application alarm related functions, for example
SetRelAlarm, should be called using macros for the calculation of ticks based on
millisecond or seconds:
SetRelAlarm (Alarm1, OS_xx2TICKS_<CounterName> (1200), OS_xx2TICKS_<CounterName>
(1200));
The macros OS_TICKS2xx_<CounterName>() (whereas xx denotes NS, US, MS or SEC;
described by the AUTOSAR standard) may be used to convert tick values (as returned for
example by GetElapsedTime() and GetCounterValue() ) to into a second based
timer
unit.
Additionally,
MICROSAR
OS
provides
the
inverse
macros
OS_xx2TICKS_<CounterName>() for conversion into the opposite direction (see Figure
2-2).

Figure 3-2
Counter Macros

Caution
Depending on the hardware settings, certain nanosecond times may not be
 representable accurately.

Therefore, if large times, very small times or very high precision is needed, use
AUTOSAR OS OsTimeConstant instead (see 7.3.3).

3.2.1.1.2
Temporal Range of Alarms
The temporal range of an alarm depends on the Counter, which drives the alarm. The
important
configuration
attributes
here
are
OsSecondsPerTick
and
OsCounterMaxAllowedValue (see 7.3.3).
3.2.1.2
Timer Interrupt Routine
The timer interrupt routines are category 2 ISRs and are part of the operating system. The
configuration is done automatically by the OS using information that has to be defined in
the OIL Configurator.
3.2.1.2.1
Counter API
To obtain the counter specific limits (e.g. maxallowedvalue) the function
GetAlarmBase can be used.
2015, Vector Informatik GmbH
Version: 9.01
19 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

1.1.1.1.1.1 Initialization
Former versions of osCAN and MICROSAR OS provided the API functions:
StatusType InitCounter<CounterName>(TickType ticks);
These functions have been removed, as they do not conform to the standardized counter
API described in [1]. Instead, counters are always initialized to 0 during StartOS().
1.1.1.1.1.2 Read Counter
MICROSAR OS provides the API functions GetCounterValue and GetElapsedValue as
defined by [1].
Former versions of osCAN and MICROSAR OS provided the API functions:
TickType GetCounterValue<CounterName>(void);
These functions have been removed, as they do not conform to the standardized counter
API described in [1]. It is recommended to use the API function GetCounterValue defined
by AUTOSAR Standard instead.
1.1.1.1.1.3 Increment Counter
StatusType IncrementCounter(CounterType CounterName);
This function is the AUTOSAR OS standardized function to trigger a counter.

Example
The ISR that triggers the counter must be of category 2.
 ISR(MyCounterISR)
{
IncrementCounter(MyCounter);
}

Former versions of osCAN and MICROSAR OS provided the API function
void CounterTrigger<CounterName>(void);
These functions have been removed, as they do not conform to the standardized counter
API described in [1]. It is recommended to use the API function IncrementCounter defined
by AUTOSAR Standard instead.
3.2.2
Stack Handling
3.2.2.1
Task Stack
Each task has its own stack. The task stack holds all local data and return addresses of
the task. In addition, the register context of the task is saved onto the stack if the task is
preempted. If the task is transferred to the running state again, the register context is
removed from the task stack to restore the previously saved registers.
3.2.2.2
Interrupt Stack
The implementation of interrupt stacks depends on the hardware, and is described in ref.
[4].
2015, Vector Informatik GmbH
Version: 9.01
20 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.2.2.3
Stack Monitoring
MICROSAR OS SafeContext always initializes the last useable bytes of each stack with an
indicator value.
This indicator is then checked with each task switch or ISR exit. A change of the element
value  indicates  a  stack  overflow  by  the  task  or  ISR.  In  this  case,  the  system  calls  the
ErrorHook (if configured), the ShutdownHook (if configured) and enters the shutdown
state.

Note
MICROSAR OS checks the indicator value only at task switches and on a return from
  an ISR. Therefore, stack overflows are not detected immediately. Detection might be
delayed arbitrary in case of a stack overflow in a hook routine. Some implementations
of MICROSAR OS implement additional checks of the indicator value, see [4]. If
memory protection is configured, stack overflows in tasks and ISRs of non-trusted
applications are found immediately by the memory protection if the stack is followed by
an area with no access rights.

In case a  stack fault is detected by memory protection,  the ProtectionHook is called with
parameter  E_OS_PROTECTION_MEMORY.  If  a  stack  fault  is  detected  by  stack
monitoring, MICROSAR OS goes into shutdown after the ProtectionHook.

3.2.2.4
Stack Usage
If  StackUsageMeasurement  is  set  to  TRUE,  the  OS  fills  all  available  stacks  with  the
indicator value 0xAA during StartOS (startup times will be slower). This allows measuring
the  amount  of  stack  used  since  StartOS  by  counting  the  amount  of  bytes  that  have  not
been overwritten yet.
The following function is available to determine the amount of used stack:
osuint16 osGetStackUsage(TaskType taskId)
>  Argument: Task number
>  Return value:  Maximum stack usage (bytes) by task since call of StartOS()
Additional implementations specific functions may be available. Please see the hardware
specific part of the documentation of this implementation [4].

Caution
Dependent on the stack size, the measurement operation can take a long time.

3.2.3
Interrupt Handling
Implementation  specific  details  about  interrupt  handling  are  described  in  the  hardware
specific part of this implementation [4].
2015, Vector Informatik GmbH
Version: 9.01
21 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Caution
Knowledge about the interrupt handling is very important. If interrupt routines are used
  it is essential to read this chapter.

3.2.3.1
Interrupt Categories
The OSEK OS specification defines two groups of interrupts.
3.2.3.1.1
Category 1:
Interrupts  of  category  1  are  in  general  not  allowed  to  use API  functions;  as  such,  these
routines can be programmed without restrictions and are completely independent from the
kernel. The programming conventions depend on the utilized compiler and assembler.
Category 1 interrupts can be enabled before call of StartOS(). If interrupts of category 1
and 2 cannot be disabled separately, all interrupts must be disabled.
Interrupts  of  category  1  are  allowed  to  call  the  interrupt API  as  an  exception  to  the  rule
presented  above.  If  the  interrupt  API  is  used  and  the  category  1  interrupts  are  enabled
before  the  call  of  StartOS,  the  user  has  to  take  care  about  variable  initialization  of  the
interrupt API, as described in chapter 3.2.3.2.
1.1.1.1.1.4 Exceptions and SC2, SC3, SC4
According to the AUTOSAR-Standard,  category 1 interrupts should be avoided with SC2,
SC3  and  SC4.  MICROSAR  OS  does  not  allow  category  1  interrupts  with
TimingProtection.  Because  non-maskable  interrupts  need  to  be  configured  to
category  1,  some  MICROSAR  OS  implementations  allow  exceptions  even  with  timing
protection.
The  user  may  write  "normal"  interrupt  code  in  an  exception  routine,  which  returns  to  the
application.  Please  note  that  this  sort  of  exception  routines  will  cause  the  exception
handler to add runtime to the account of the interrupted task or ISR.
3.2.3.1.2
Category 2:
Interrupts  of  category  2 may  use  certain  restricted API functions.  Interrupts of  category  2
can be programmed as normal C functions using the macro  ISR(name). The C function
is  called  by  the  operating  system.  The  necessary  preparation  for  the  interrupt  routine  is
done automatically by a generated function.
ISR (AnInterruptRoutine)
{

/* code with API calls */

}

Caution
Category 2 interrupts must be disabled until call of StartOS()! This also applies for
  the timer interrupts, i.e. this interrupt must be stopped by the user at a software reset.
2015, Vector Informatik GmbH
Version: 9.01
22 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

To ensure data consistency, the operating system needs to disable category 2
interrupts during critical sections of code. Therefore, applications must not use non-
maskable interrupts as category 2 interrupts.

3.2.3.2
Usage of the Interrupt API before StartOS
The usage of the interrupt API functions is in general allowed before the operating system
is started. The affected functions are:
>  DisableAllInterupts, EnableAllInterrupts
>  SuspendAllInterrupts, ResumeAllInterrupts
>  SuspendOSInterrupts, ResumeOSInterrupts
However,  these  functions  use  some  internal  variables  that  have  to  be  initialized  to  zero
before  the  first  call  of  the  interrupt  API.  Typically,  this  initialization  is  performed  by  the
startup code (which might be delivered with the compiler). In case no startup code is used,
the  function  osInitialize()  needs  to  be  called.  osInitialize  initializes  the
variables which are used in the interrupt API.
2015, Vector Informatik GmbH
Version: 9.01
23 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.2.4
Timing Protection
The  timing  protection  is  implemented  in  the  Scalability  Classes  2  and  4.  This  chapter
provides some hints on the functionality according to the AUTOSAR OS standard [1] and
describes additional functionality provided by Vector MICROSAR OS. To enable the timing
protection of a task or ISR, the OIL-attribute TIMING_PROTECTION of the respective task
or ISR needs to be configured, as described in chapters  7.3.2.2 and 7.3.7.2 . (AUTOSAR
XML: OsTaskTimingProtection/OsIsrTimingProtection).

Caution
The runtime of all tasks and ISRs is observed, however parts of the time for task switch
  and interrupt entry/exit cannot be monitored by the timing protection. Therefore, some
extra time for task switches and interrupt entry/exit needs to be considered in the
configuration of the timing protection.

Caution
Timing Protection is implemented with interrupts. If the application manually disables
  interrupts anywhere, the timing protection cannot work as expected. In order to enable
and disable interrupts, the application must use the following API functions:
>  DisableAllInterupts, EnableAllInterrupts
>  SuspendAllInterrupts, ResumeAllInterrupts
>  SuspendOSInterrupts, ResumeOSInterrupts

Caution
The timing protection works very precise. However, if an OS API function is called by a
  task/ISR, the OS may enter a critical section; if a timing protection violation is detected
while the system is in a critical section, the call of the protection hook may be delayed
until the end of the critical section. Note, that critical sections in AUTOSAR OS are very
short.

3.2.4.1
Reaction on Protection Failure
The AUTOSAR  specification  describes  different  possibilities  how  to  react  to  a  protection
violation.  In  SafeContext  implementations,  reaction  to  such  a  situation  is  limited  to
Shutdown.
3.2.4.2
Timing Measurement
MICROSAR  OS  is  not  only  able  to  provide  timing  protection  but  allows  using  the  same
functionality  for  timing  measurement.  If  timing  measurement  is  performed  for  a  specific
task or ISR, the OS measures the following times for that task or ISR:
>  the maximum run time since StartOS
>  the maximum locking times for resources and interrupts since StartOS
2015, Vector Informatik GmbH
Version: 9.01
24 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

>  the minimum time distance between two arrivals since StartOS
The debugger can read the result of the timing measurement  via  ORTI. Alternatively,  the
application may use the timing measurement API as described in chapter 6.4.
The OS attribute TimingMeasurement and the task/ISR attribute TIMING_PROTECTION
are provided to setup timing protection and measurement.
The  hardware  timers  and  internal  data  structures  to  store  measured  times  are  limited  in
size.  When  this  limit  is  exceeded  by  any  measured  time  (e.g.  of  a  resource  or  interrupt
lock), the ErrorHook function is called and the system goes into shutdown state.
3.2.4.2.1
Timing measurement configuration for a specific task/ISR
Timing  measurement  can  be  configured  individually  for  each  task  and  ISR.  As  timing
protection  requires  the  OS  to  measure  the  timing  values,  timing  measurement  is
performed  for  all  tasks  and  ISRs  that  have  timing  protection  configured  by  means  of  the
attribute  TIMING_PROTECTION.  By  selecting  the  sub  attribute  OnlyMeasure,  the  OS
disables  the  timing  protection  but  still  measures  the  timing  values.  Please  note  that  this
configuration  might  be  overridden  by  means  of  the  global  configuration,  described  in  the
next chapter.
3.2.4.2.2
Global configuration of timing measurement
In order to save configuration time, the timing measurement can be configured globally for
all  tasks  and  ISRs.  MICROSAR  OS  provides  the  OIL-attribute  TimingMeasurement
(AUTOSAR  XML:  OsOSTimingMeasurement)  for  that  purpose.  That  attribute  provides
the possibilities to:
>  Disable the timing measurement globally. This is an optimization to save memory and
runtime of the timing measurement. Please set the attribute TimingMeasurement to
FALSE (deselect it) for this configuration.
>  Collect timing data for all tasks and ISRS. The collected timing values can be used to
perform scheduleability analysis and to set up the timing protection later on. For this
configuration, please set the attribute TimingMeasurement to TRUE (select it) and
choose OnlyMeasureAll for the value of the sub attribute GlobalConfig.
>  Perform timing measurement as configured for the task or ISR. Set the attribute
TimingMeasurement to TRUE (select it) and select AsSelected for the value of the
subattribute GlobalConfig to achieve this.
>  Ignore the task/ISR attribute OnlyMeasure (perform timing measurement and protection
as if this attribute was set to FALSE). For this configuration, please set the attribute
TimingMeasurement to TRUE (select the attribute) and select
ProtectAndMeasureAll for the value of the subattribute GlobalConfig.
The chapter 7.3.2.2 provides a description of the attribute TIMING_PROTECTION for tasks
while  chapter  7.3.7.2  provides  the  respective  description  for  ISRs.  Chapter  7.3.1.4
provides a description of the attribute TimingMeasurement. The table below documents
the  interdependence  between  the  OS-attribute  TimingMasurement  and  the  task/ISR-
Attribute TIMING_PROTECTION.
2015, Vector Informatik GmbH
Version: 9.01
25 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

OS
TASK/ISR

                   TIMING_PROTECTION
Timing-
Global-
FALSE
TRUE
Measuremen
Config

OnlyMeasure
t

FALSE
TRUE
FALSE1

No timing protection,
Timing protection but no
Timing protection but no
no timing
timing measurement
timing measurement, warning
measurement,
as the sub attribute
OnyMeasure is overridden
TRUE
Only-
No timing protection
No timing protection but
No timing protection but
Measure-
but timing
timing measurement,
timing measurement
All
measurement
warning as the sub
attribute OnlyMeasure is
overridden
AsSelecte No timing protection
Timing protection and
No Timing protection but
d
and no timing
measurement
timing measurement
measurement
ProtectAn No timing protection
Timing protection and
Timing protection and
d-
but timing
measurement
measurement, warning as the
MeasureAl measurement
sub attribute OnlyMeasure is
overridden.
l
Table 3-3
Interdependence between the OS attribute TimingMeasurement and the task/ISR attribute TIMING_PROTECTION
3.2.4.3
Hook functions
The  runtime  of  the  hook  functions  PreTaskHook  and  PostTaskHook  (Chapters  6.6.2  and
6.6.3) is considered to belong to the runtime of the currently active task.

Caution
Depending on the implementation, the execution of the ProtectionHook might be
  delayed until the PreTaskHook or PostTaskHook has finished. In case of a protection
violation during the PostTaskHook while a task state change into the states
SUSPENDED or WAITING, the call of the ProtectionHook gets lost.
Therefore, the PreTaskHook and the PostTaskHook are allowed for debugging
purposes only. They must be disabled in production code, see [9].

The  runtime  of  the  hook functions  UserPreIsrHook  and  UserPostIsrHook  (Chapters  6.6.7
and 6.6.8) is considered to belong to the runtime of the currently active ISR.
3.2.5
Memory Protection
MICROSAR OS uses the MPU of the microcontroller to implement memory protection as
described  in  [1].  Former  versions  of  MICROSAR  OS  fulfilled  the AUTOSAR  requirement
OS195  and  prevented  write  access  to  Task/ISR  private  data  areas  even  within  an

1 Optimization: The timing measurement API is unavailable
2015, Vector Informatik GmbH
Version: 9.01
26 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

OSApplication. This behaviour is defined as optional by AUTOSAR and not implemented in
most current versions of MICROSAR OS. It is explicitly mentioned in [5] if supported.
3.2.6
Schedule Tables
MICROSAR  OS  implements  schedule  tables  as  defined  by  the AUTOSAR  standard. The
document  [1]  provides  the  base  description  of  schedule  tables  and  their  usage.  This
chapter is meant as an extension that clarifies and corrects some points, provides details
about points left open and describes corrections and extensions by MICROSAR OS.
AUTOSAR  defines  schedule  tables  for  all  scalability  classes,  but  synchronization  to  a
global time only for SC2 and SC4. MICROSAR OS offers some additional error checking
to the AUTOSAR standard.
3.2.6.1
Synchronization
In  SC2  and  SC4  or  the  High-Resolution  Schedule  Tables  option,  it  is  possible  to
synchronize a schedule table to a global time source. The schedule table must be marked
with the OIL attribute LOCAL_TO_GLOBAL_TIME_SYNCHRONIZATION.
3.2.6.1.1
Starting a synchronizable Schedule Table
One  way  to  start  a  synchronizable  schedule  table  is  to  use  the  functions
StartScheduleTableRel(Tablename, TimeOffset)
and
StartScheduleTableAbs(Tablename, Time). The time parameters refer to the local
time and not to the global time. It is assumed that the schedule table will not have an offset
to  global  time:  when  synchronization  starts,  the  start  of  the  schedule  table  is  moved  to
global time zero. Note that the schedule table always starts at the stated start time. A call
of  SyncScheduleTable  does  not  influence  this  start  time.  Synchronization  starts  after
execution of the first expiry point.
The recommended way to start a synchronizable schedule table is to use the combination
of StartScheduleTableSynchron(Tablename) and SyncScheduleTable(). The
first expiry point is executed at global time 0. The schedule table starts execution after a
global time is available, i.e. after calling SyncScheduleTable() for the schedule table. If
SyncScheduleTable() is never called for the schedule table, the schedule table is
never executed. The following algorithm describes a possibility to set up a timeout:
Set
up
an
alarm
to
the
timeout
time.
When
the
alarm
expires
and
GetScheduleTableStatus()  indicates  that  the  schedule  table  is  still  waiting,  call
SyncScheduleTable()
with
an
arbitrary
time.
Note:
if
the
call
to
SyncScheduleTable() is done in an interrupt, it may occur between the two API calls,
and thus gets overridden by the arbitrary time.
3.2.6.1.2
Autostart
For an automatic start of a schedule table on startup of the OS, the attribute AUTOSTART
must  be  set. The  sub-attribute  TYPE  defines  how  the  start  is  performed. The possibilities
are:  ABSOLUT,  RELATIVE  and  SYNCHRON.  These  types  of  autostart  are  similar  to  the
normal
start
of
a
schedule
table
using
StartScheduleTableAbs,
StartScheduleTableRel  or  StartScheduleTableSynchron.  For  ABSOLUT  and
RELATIVE, an absolute or relative start time needs to be provided. In case of SYNCHRON,
2015, Vector Informatik GmbH
Version: 9.01
27 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

the schedule table starts after SynchScheduleTable has been called and the global time
reaches zero.
Note,  that  just  like for  StartScheduleTableSynchron(),  the  schedule  table  will  wait
forever if SyncScheduleTable() is never called.
3.2.6.1.3
Suspending a Schedule Table and keeping its Synchronization
The AUTOSAR  standard  does  not  define  a  way  to  suspend  the  execution  of  a  schedule
table  and  keep  its  synchronization  for  later  restart.  The  suggested  approach  is  to  use
NextScheduleTable() to append a schedule table that effectively does nothing.
Currently,  AUTOSAR  does  not  define  a  way  to  retrieve  the  internal  schedule  table  time
(neither the currently estimated global time nor the time relative to the first expiry point of
the schedule table).
3.2.6.1.4
Providing a Global Time
The current global time is handed to the schedule table via SyncScheduleTable(). If a
deviation  of  the  schedule  table  to  the  global  time  is  found,  the  schedule  table  starts  to
synchronize at the next expiry point that allows synchronization.
The  global  time  must  be  a  continuous  range  of  integers:  So  e.g.  FlexRay’s  time  tuple
(cycle, macroticks) cannot directly be used as global time, but must be converted.
The  provided  global  time must  have  the  same  resolution as  the  local  time and  the  same
period as the schedule table time (i.e. the LENGTH of the schedule table). If this is not the
case, it must be converted before being handed to SyncScheduleTable().

Example
Converting the FlexRay time:
  Be gMacroPerCycle the number of macroticks per cycle, cycle the current
cycle number, macroticks the current macrotick number and f is the factor to
convert the FlexRay tick length the HW counter tick length:

GlobalTime = (gMacroPerCycle * cycle + macroticks) * f

3.2.6.1.5
Exact Synchronization
There  is  always  a  time  span  between  reading  the  global  time  and  handing  it  to  the
operating system. Therefore, synchronization is never absolutely exact.
If  an  interrupt  interferes,  the  time  span  may  be  unexpectedly  large.  While  this  may  be
ignorable  if  the  resolution  is  large  compared  with  the  interrupt  running  times,  it  is
noticeable  when  using  a  fine  grained  global  time,  for  example  in  conjunction  with  High-
Resolution Schedule Tables, or if some (higher prior) interrupts have long running times. It
is desirable to be undisturbed by (higher prior) interrupts during synchronization.
The  AUTOSAR  Standard  demands,  that  calling  any  API  functions  is  not  allowed  in
between function pairs
2015, Vector Informatik GmbH
Version: 9.01
28 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

DisableAllInterrupts/EnableAllInterrupts,
SuspendAllInterrupts/ResumeAllInterrupts,
SuspendOSInterrupts/ResumeOSInterrupts.
MICROSAR
OS
makes
an
exception
from
the
standard
in
this
point:
SyncScheduleTable() can be called in between these function pairs.
Therefore, a Sync procedure may look like the following example:
DisableAllInterrupts();
now=getCurrentGlobalTime();
SyncScheduleTable(MyScheduleTable, now);
EnableAllInterrupts();

Caution
This is unnecessary if SyncScheduleTable() is called from an interrupt which does
  not allow nesting.
Also note, that SuspendAllInterrupts()/DisableAllInterrupts() still allow
timing protection interrupts (if timing protection is used).

3.2.6.1.6
Limits of the Synchronization Algorithm
The  synchronization  algorithm  as  described  by  the  AUTOSAR  standard  only  corrects
deviations of the past – it does not make assumptions about deviations of the present or
the  future.  Differences  in  clock  speed  (between  local  time  and  global  time)  are  not
completely compensated.
Simplified  synchronization  algorithm:  When  SyncScheduleTable  is  called,  the
difference between the local schedule table time and the provided global time is computed
and stored internally. Nothing more happens until an expiry point expires. Then, the times
between subsequent expiry points are adapted. The adaptation stops once the computed
deviation  is  compensated  or  a  new  global  time  is  provided.  In  case  new  deviations
between  the  global  and  local  time  occur,  they  are  considered  after  the  next  call  of
SyncScheduleTable in the same way as just described.
As a result of this algorithm, a permanent deviation in the speed of global and local clock
might not be compensated completely.

Example
The local schedule table time2 runs 10 % slower then the global time. Whenever the
  global time reaches a multiple of 100, the function SyncScheduleTable is called to
provide the global time to the schedule table. Both times start simultaneously at zero.
When the global time reaches 100, the local time is 90 because of the 10 % difference.
SyncScheduleTable is called, and computes a difference of 10. We assume now
that the difference is compensated until the next call of SyncScheduleTable occurs.
The local time is then: 90+10+90=190 while the global time is 200. Again we have the
same difference, so 10 needs to be corrected. The same occurs for all subsequent
calls of SyncScheduleTable, too.

2 The local time is based on the MCU’s internal clock.
2015, Vector Informatik GmbH
Version: 9.01
29 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Although the computed difference between current time values of global and local time is
corrected,  the  same  difference  occurs  in  the  next  synchronization  step.  However,  using
synchronization  the  deviation  stays  constant.  Without  synchronization,  it  would
accumulate.
3.2.6.1.7
Details about using NextScheduleTable
The AUTOSAR standard leaves open certain details of using  NextScheduleTable with
synchronizable  schedule  tables.  The  following  describes  the  implementation  of
NextScheduleTable MICROSAR OS.
If  two  schedule  tables  are  chained  using  the API  function  NextScheduleTable(),  the
second  schedule  table  takes  over  the  synchronized  schedule  table  time  of  the
predecessor3.
When  switching  to  a  schedule  table  that  does  not  allow  synchronization,  the  remaining
difference  to  the  global  time  is  saved:  upon  switching  to  a  schedule  table  that  allows
synchronization it will immediately start to synchronize.
3.2.6.1.8
Concurrent Actions
If a task is activated at an expiry point, and an event for this task is set at the same expiry
point,  always  all  tasks  will  be  activated  before  events  are  set.  However,  if  two  schedule
tables are using the same counter; one of these schedule tables activates a task and the
other  schedule  table  sets  an  event  for  this  task  at  the  same  time,  the  behaviour  is
undefined.
3.2.6.2
High-Resolution Schedule Tables
AUTOSAR schedule tables are driven by a counter (hardware or software), and thus offer
the  same  resolution.  While  it  is  possible  to  configure  a  higher  resolution  for  the  counter,
this  increases  also  the  interrupt  load.  High-Resolution  Schedule  Tables  offer  a
microsecond  resolution  or  better4  without  unnecessary  additional  interrupt  load:  At  each
expiry  point,  a  timer  interrupt  is  reprogrammed  so  it  will  be  reactivated  exactly  at  the
following expiry point5.
Note  that  high  resolution  schedule  tables  are  not  supported  by  all  MICROSAR  OS
implementations.
It is possible to use standard schedule tables and High-Resolution Schedule Tables at the
same  time.  High-Resolution  Schedule  Tables  support  the  full  AUTOSAR  API,  including
synchronization (see 3.2.5.1) and are particularly suited for FlexRay.

3 Therefore, if the two schedule tables have a different LENGTH, switching from one to the other is undefined: it may work, but may
also lead to unexpected results. This is not checked at runtime (and cannot be checked at generation time).
4 The actually achievable best resolution depends on the hardware, hardware settings and application
5 while the activation of the schedule table handler is done as exact as the underlying counter (the hardware) allows it, a certain time
span will expire until the expiry point is actually processed. Interrupts, non-preemptive tasks and interrupt disabling times impose
an additional jitter.
2015, Vector Informatik GmbH
Version: 9.01
30 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.2.6.2.1
Setup
To create a High-Resolution Schedule Table, create a Schedule Table and choose any
High-Resolution Counter as the underlying counter. This counter is available only on the
MICROSAR OS implementations that support high resolution schedule tables; it is
automatically available if supported.
3.2.6.3
Cyclical Expiry Point Actions
Cyclical expiry point actions are a Vector specific extension of the AUTOSAR Standard to
ease the configuration of schedule table actions. In case an expiry point action shall be
executed cyclicly within a schedule table, the user may select the sub-attribute Cyclic.
This allows him to define a cycle time in the sub-attribute CycleTime. This informs the
generator that the expiry point action shall occur repeatedly with the configured cycle time
starting at the offset of the expiriy point, the action belongs to.
In case, the sub-attributes Cyclic and CycleTime have been configured, the generator
of the OS copies the expiry point actions to the configured locations within the schedule
table before it generates the schedule table. In case, there is already an expiry point at a
location where a cyclical expiry point action shall occur, the cyclical action is simply added
to the actions of that expiry point. In case there is no expiry point configured at the location
where a cyclical expiry point action schall occur, the generator invents an expiry point.
Please note that generator invented expiry points do not allow synchronization as there is
no configuration of the synchronization step width possible.

3.2.7
Trusted Functions
MICROSAR OS OSEK/AUTOSAR provides two possibilities to call trusted functions: by
direct call of API function CallTrustedFunction or by using generated stub functions.
It is possible to mix applications using direct calls and applications using generated stub
functions.

Caution
Inside trusted functions there is full access to all memory. Therefore, each trusted
 function with address arguments for return values must check the access rights of the
caller before writing results through an address argument. The API provides the
functions CheckTaskMemoryAccess and CheckISRMemoryAccess for address
checking.

3.2.7.1
Generated Stub Functions
The generation of stubs for trusted functions is a Vector specific extension of the
AUTOSAR OS standard to ease the usage of trusted functions.
To enable stub generation for an application, the TRUSTED attribute of this application and
the sub-attribute GenerateStub must be set to TRUE.
In this case, a caller stub with the name Call_<name> is generated for each trusted
function of the application, where <name> is the name of the trusted function. The
generated stub function Call_<name> packs its parameters into a structure as needed by
2015, Vector Informatik GmbH
Version: 9.01
31 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

the  standard  API  function  CallTrustedFunction  and  calls  that  API  function.  Another
generated  stub  function  performs  an  unpacking  of  the  parameters  so  that  the  user's
trusted function does not need to get all the parameters via one pointer, but can have a set
of parameters and a return value like any legal C-function.
In  case  the  sub-attribute  GenerateStub  is  set  to  TRUE,  the  user  has  to  define  the
parameters and the return value of the trusted function as well. The sub-attribute Params
shall contain a comma-separated list of type and parameter name (as they would occur in
a  function  definition  in  C).  The  sub-attribute  ReturnType  shall  define  the  return  type  of
the function.
The stubs are generated into the file trustfct.c.
See 10.8 for an example using generated stub functions for trusted applications.

Caution
The generator does not produce prototypes for the trusted functions to be called by the
  trusted function stubs. The prototypes shall be provided by the writer of these functions
and included into the file usrostyp.h. Parameter types and the return type need to be
defined there also in case they are no simple types of the C-language. The file
usrostyp.h is described in chapter 5.2.

2015, Vector Informatik GmbH
Version: 9.01
32 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.3
Error Handling
3.3.1
Error Messages
If  the  kernel  detects  errors,  the  OSEK  error  handling  is  called.  The  hook  routine
ErrorHook is called if selected.
Depending on the situation in which an error was detected the error handling will return to
the current active task or the system will be shut down.
3.3.2
OSEK / AUTOSAR OS Error Numbers

The  OSEK  specification  defines  several  error  numbers  that  are  returned  by  the  API
functions. A  certain  error  number  has  different  meanings  for  different API  functions.  The
user has to know the API function to interpret the error number correctly.
With  the  AUTOSAR  OS  specification,  the  range  of  error  numbers  was  extended.  The
following table shows all specified error numbers.
Error Code
Description
0
E_OK
Service executed successfully
1
E_OS_ACCESS
Several APIs: general access of object failure
2
E_OS_CALLEVEL
Several APIs: service accessed from wrong context
3
E_OS_ID
Several APIs: service called with wrong ID
4
E_OS_LIMIT
Several APIs: service called too often
5
E_OS_NOFUNC
Several APIs: (warning) service not executed
6
E_OS_RESOURCE
Several APIs: service called with occupied resource
7
E_OS_STATE
Several APIs: object is in wrong state
8
E_OS_VALUE
Several APIs: passed parameter has wrong value
9
E_OS_SERVICEID
Several APIs: service can not be called
10
E_OS_ILLEGAL_ADDRESS
Several APIs: invalid address passed
11
E_OS_MISSINGEND
Several APIs: task terminated without TerminatTask
12
E_OS_DISABLEDINT
Several APIs: service called with disabled interrupts
13
E_OS_STACKFAULT
Stack monitoring detected fault
14
E_OS_PROTECTION_MEMORY
Memory access violation
15
E_OS_PROTECTION_TIME
Execution time budget exceeded
16
E_OS_PROTECTION_ARRIVAL
Arrival before the timeframe expired
17
E_OS_PROTECTION_LOCKED
Task/ISR blocked too long (e.g. by disabled interrupts)
18
E_OS_PROTECTION_EXCEPTION  A trap occurred
Table 3-4
OSEK/AUTOSAR OS error numbers
The additional implementation specific error numbers are defined as:
2015, Vector Informatik GmbH
Version: 9.01
33 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description
20
E_OS_SYS_ASSERTION
This error is generated if the kernel detects an
internal inconsistency. The reason and an exact
explanation is described below.
21
E_OS_SYS_ABORT
This error is generated if the kernel has to shut down
the system but the reason was not an API function.
22
E_OS_SYS_DIS_INT
This error number is no longer used. It is replaced by
the AUTOSAR OS conformant number
E_OS_DISABLEDINT.
23
E_OS_SYS_API_ERROR
This error is generated if an error occurs in an API
function and there is no error code specified in the
OSEK specification. The reason and an exact
explanation is described below.
24
E_OS_SYS_ALARM_MANAGEMENT  A general warning issued in certain cases involving
the alarm management. Detailed description
in the implementation specific manual
25
E_OS_SYS_WARNING
A general warning issued in certain cases. Detailed
description in the implementation specific manual.
Table 3-5
Implementation specific error numbers

More implementation specific errors may be described in ref. [4].
3.3.3
MICROSAR OS Error Numbers
In  addition  to  the  OSEK  error  numbers,  all  MICROSAR  OS  implementations  provide
unique error numbers for an exact error description. All error numbers are defined as a 16-
bit  value.  The  error  numbers  are  defined  in  the  header  file  osekerr.h  and  are  defined
according to the following syntax:
0xgfee
  ||+--- consecutive error number
  |+---- number of function in the function group
  +----- number of function group
The error numbers common to all MICROSAR OS implementations are described below.
The implementation specific error numbers have a function group number >= 0xA000 and
are described in the document [4].
To access these error numbers the ERRORHOOK has to be enabled. The numbers are then
accessible via the macro OSErrorGetosCANError().
Error Types:
Error Type
Description
OSEK
OSEK / AUTOSAR error. After calling the ErrorHook, the program is
continued.
assertion
System assertion error. After calling the ErrorHook the operating system
is shut down. Assertion checking is always enabled in SafeContext
implementations.
2015, Vector Informatik GmbH
Version: 9.01
34 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Type
Description
syscheck
System error. After calling the ErrorHook the operating system is shut
down. Refer to the specific error for a description how to enable or disable
error checking.
Table 3-6
Error types
3.3.3.1
Error Numbers of Group Task Management / (1)
Group (1) contains the functions:
API Function
Abbreviation  Function
Number
ActivateTask
AT
1
TerminateTask
TT
2
ChainTask
HT
3
Schedule
SH
4
GetTaskState
GS
5
GetTaskID
GI
6
osMissingTerminateError
MT
7
Table 3-7
API functions of group Task Management / (1)
Error numbers of group (1):
Error Code
Description

Error Type  Reason
0x1101
osdErrATWrongTaskID
OSEK
Called with invalid task ID
0x1102
osdErrATWrongTask
assertion
Task has wrong priority level
Prio
0x1103
osdErrATMultiple
OSEK
number of activation of activated task
Activation
exceeds limit
0x1104
osdErrATIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x1105
osdErrATAlarm
OSEK
Number of activation of activated task
MultipleActivation
exceeds limit (task activation is performed
by alarm-expiration or expiry point action)
0x1106
osdErrATNoAccess
OSEK
Calling application has no access rights for
this task
0x1107
osdErrATCallContext
OSEK
Called from invalid call context
0x1108
osdErrATWrongAppState  OSEK
Referenced object is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x1201
osdErrTTDisabled
OSEK
TerminateTask called with disabled
Interrupts
interrupts
0x1202
osdErrTTResources
OSEK
TerminateTask called with occupied
2015, Vector Informatik GmbH
Version: 9.01
35 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
Occupied
resources
0x1203
osdErrTTNotActivated  assertion
TerminateTask attempted for a task with
activation counter == 0 (not activated)
0x1204
osdErrTTOnInterrupt
OSEK
TerminateTask called from an interrupt
Level
service routine
0x1205
osdErrTTNoImmediate
assertion
TerminateTask has tried to start the
TaskSwitch
Scheduler without success.
0x1206
osdErrTTCallContext
OSEK
Called from invalid call context
0x1208
osdErrTTWrongActiveTa assertion
Task index is not valid during call of
skID
TerminateTask
0x1301
osdErrHTInterrupts
OSEK
ChainTask called with disabled interrupts
Disabled
0x1302
osdErrHTResources
OSEK
ChainTask called with occupied
Occupied
resources
0x1303
osdErrHTWrongTaskID
OSEK
New task has invalid ID
0x1304
osdErrHTNotActivated  assertion
Tried to terminate a task which have an
activation counter which is zero
0x1305
osdErrHTMultiple
OSEK
Number of activation of new task exceeds
Activation
limit
0x1306
osdErrHTOnInterrupt
OSEK
ChainTask called on interrupt level
Level
0x1307
osdErrHTWrongTask
assertion
ChainTask was called from wrong priority
Prio
level
0x1308
osdErrHTNoImmediate
assertion
ChainTask has tried to activate the
TaskSwitch
Scheduler without success.
0x1309
osdErrHTCallContext
OSEK
Called from invalid call context
0x130A  osdErrHTNoAccess
OSEK
Calling application has no access rights for
this task
0x130B  osdErrHTWrongAppState  OSEK
Referenced object is owned by an
OSApplication which was terminated.
0x130D  osdErrHTWrongActiveTa assertion
Task index is not valid during call of
skID
ChainTask
0x1401
osdErrSHInterrupts
OSEK
Schedule called with disabled interrupts
Disabled
0x1402
osdErrSHOnInterrupt
OSEK
Schedule called on interrupt level
Level
0x1403
osdErrSHScheduleNot
assertion
Schedule called from task with enabled
Allowed
stack sharing by setting
NotUsingSchedule in the OIL
Configurator
0x1405
osdErrSHResources
OSEK
Called with an occupied resource
Occupied
2015, Vector Informatik GmbH
Version: 9.01
36 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x1406
osdErrSHCallContext
OSEK
Called from invalid call context
0x1409
osdErrSHWrongActiveTa assertion
Task index is not valid during call of
skID
Schedule
0x1501
osdErrGSWrongTaskID
OSEK
Called with invalid task ID
0x1502
osdErrGSIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x1503
osdErrGSIllegalAddr
OSEK
Caller has no write access rights for
address argument
0x1504
osdErrGSCallContext
OSEK
Called from invalid call context
0x1505
osdErrGSNoAccess
OSEK
Calling application has no access rights for
this task
0x1506
osdErrGSWrongAppState  OSEK
Referenced object is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x1507
osdErrGSOddInvocation  assertion
Invocation of internal function
osGetTaskState detected although
ReducedStatusChecks was enabled
0x1601
osdErrGIIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x1602
osdErrGIIllegalAddr
OSEK
Caller has no write access rights for
address argument.
0x1603
osdErrGICallContext
OSEK
Called from invalid call context
0x1604
osdErrGIOddInvocation  assertion
Invocation of internal function
osGetTaskID detected although
ReducedStatusChecks was enabled
0x1701
osdErrMTMissing
syscheck
Exit of task without the call of
TerminateTask
TerminateTask or ChainTask. This
error is detected in EXTENDED STATUS
only.
Table 3-8
Error numbers of group Task Management / (1)
3.3.3.2
Error Numbers of Group Interrupt Handling / (2)
Group (2) contains the functions:
API Function
Abbreviation  Function
Number
EnableAllInterrupts
EA
4
DisableAllInterrupts
DA
5
ResumeOSInterrupts
RI
6
SuspendOSInterrupts
SI
7
osUnhandledException
UE
8
2015, Vector Informatik GmbH
Version: 9.01
37 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

API Function
Abbreviation  Function
Number
osSaveDisableLevelNested
SD
9
osRestoreEnableLevelNested
RE
A
osSaveDisableGlobalNested
SG
B
osRestoreEnableGlobalNested  RG
C
ResumeAllInterrupts
RA
D
SuspendAllInterrupts
SA
E
GetISRID
II
2
Interrupt Exit (SC3 only)
IX
3
Table 3-9
API functions of group Interrupt Handling / (2)
Error numbers of group (2):
Error Code
Description

Error Type  Reason
0x2401
osdErrEAIntAPIWrong
assertion
DisableAllInterrupts not called
Sequence
before
0x2501
osdErrDAIntAPI
assertion
Interrupts are disabled with functions
Disabled
provided by OSEK

0x2801
osdErrUEUnhandled
syscheck
An unhandled exception or interrupt was
Exception
detected. This error check is always
enabled.
0x2901
osdErrSDWrongCounter  assertion
Wrong counter value detected
0x2A01  osdErrREWrongCounter  assertion
Wrong counter value detected
0x2B01  osdErrSGWrongCounter   assertion
Wrong counter value detected
0x2C01  osdErrRGWrongCounter   assertion
Wrong counter value detected
0x2201
osdErrIIIntAPI
OSEK
GetISRID was called with interrupts
Disabled
disabled.
0x2202
osdErrIICallContext
OSEK
Called from invalid call context
0x2301
osdErrIXResources
OSEK
An ISR of category 2 was left with
Occupied
resources still occupied.
0x2302
osdErrIXIntAPI
OSEK
An ISR of category 2 was left with
Disabled
interrupts disabled by
DisableAllInterrupts,
SuspendAllInterrupts or
SuspendOSInterrupts
Table 3-10   Error numbers of group Interrupt Handling / (2)

2015, Vector Informatik GmbH
Version: 9.01
38 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.3.3.3
Error Numbers of Group Resource Management / (3)
Group (3) contains the functions:
API Function
Abbreviation  Function
Number
GetResource
GR
1
ReleaseResource
RR
2
Table 3-11   API functions of group Resource Management / (3)
Error numbers of group (3):
Error Code
Description

Error Type  Reason
0x3101
osdErrGRWrongResource OSEK
Invalid resource ID
ID
0x3102
osdErrGRPriority
assertion
Ceiling priority of the specified resource
Occupied
already in use
0x3103
osdErrGRResource
OSEK
Resource already occupied
Occupied
0x3104
osdErrGRNoAccess
assertion
Task has no access to the specified
Rights
resource
0x3105
osdErrGRWrongPrio
OSEK
Specified resource has a wrong priority.
Possible reason: the task has no access
rights to this resource.
0x3106
osdErrGRIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x3107
osdErrGRNoAccess
OSEK
Calling application has no access rights for
this resource
0x3108
osdErrGRCallContext
OSEK
Called from invalid call context
0x3109
osdErrGRISRNoAccess
OSEK
Calling ISR has no access rights for this
Rights
resource
0x310B  osdErrGRWrongTaskID
assertion
Task index is not valid during call of
GetResource
0x3201
osdErrRRWrongResource OSEK
Invalid resource ID
ID
0x3202
osdErrRRCeiling
assertion
Ceiling priority of the resource not found in
PriorityNotSet
the ready bit field
0x3203
osdErrRRWrongTask
assertion
Resource occupied by a different task
0x3204
osdErrRRWrongPrio
OSEK
Specified resource has a wrong priority.
Possible reason: the task has no access
rights to this resource.
0x3206
osdErrRRNotOccupied
OSEK
The specified resource is not occupied by
the task
0x3207
osdErrRRWrongSequence  OSEK
At least one other resource must be
released before
2015, Vector Informatik GmbH
Version: 9.01
39 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x3208
osdErrRRIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x3209
osdErrRRNoAccess
OSEK
Calling application has no access rights for
this resource
0x320A  osdErrRRCallContext
OSEK
Called from invalid call context
0x320B  osdErrRRISRNoAccess
OSEK
Calling ISR has no access rights for this
Rights
resource
0x320D  osdErrRRNoReadyTaskFo assertion
No valid priority found when calling
und
ReleaseResource
0x320E  osdErrRRWrongTaskID
assertion
Task index is not valid during call of
ReleaseResource
0x320F  osdErrRRWrongHighRdyP assertion
No valid high ready priority task index
rio
during call of ReleaseResource
Table 3-12   Error numbers of group Resource Management / (3)

3.3.3.4
Error Numbers of Group Event Control / (4)
Group (4) contains the functions:
API Function
Abbreviation  Function
Number
SetEvent
SE
1
ClearEvent
CE
2
GetEvent
GE
3
WaitEvent
WE
4
Table 3-13   API functions of group Event Control / (4)
Error numbers of group (4):
Error Code
Description

Error Type  Reason
0x4101
osdErrSEWrongTaskID
OSEK
Invalid task ID
0x4102
osdErrSENotExtended
OSEK
Cannot SetEvent to basic task
Task
0x4103
osdErrSETaskSuspended  OSEK
Cannot SetEvent to task in SUSPENDED
state. The error code might occur in case
of API call SetEvent or in case of
alarm/schedule table action to set an
event.
0x4104
osdErrSEWrongTask
assertion
Wrong task priority detected
Prio
2015, Vector Informatik GmbH
Version: 9.01
40 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x4105
osdErrSEIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x4106
osdErrSECallContext
OSEK
Called from invalid call context
0x4107
osdErrSENoAccess
OSEK
Calling application has no access rights for
this task
0x4108
osdErrSEWrongAppState  OSEK
Referenced task is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x4201
osdErrCENotExtended
OSEK
A basic task cannot clear an event
Task
0x4202
osdErrCEOnInterrupt
OSEK
ClearEvent called on interrupt level
Level
0x4203
osdErrCEIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x4204
osdErrCECallContext
OSEK
Called from invalid call context
0x4301
osdErrGEWrongTaskID
OSEK
Invalid task ID
0x4302
osdErrGENotExtended
OSEK
Cannot GetEvent from basic task
Task
0x4303
osdErrGETaskSuspended  OSEK
Cannot GetEvent from a task in
SUSPENDED state
0x4304
osdErrGEIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x4305
osdErrGEIllegalAddr
OSEK
Caller has no write access rights for
address argument
0x4306
osdErrGECallContext
OSEK
Called from invalid call context
0x4307
osdErrGENoAccess
OSEK
Calling application has no access rights for
this task
0x4308
osdErrGEWrongAppState  OSEK
Referenced task is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x4309
osdErrGEOddInvocation  assertion
Invocation of internal function
osGetEvent detected although
ReducedStatusChecks was enabled
0x4401
osdErrWENotExtended
OSEK
WaitEvent called by basic task
Task
0x4402
osdErrWEResources
OSEK
WaitEvent called with occupied
Occupied
resources
0x4403
osdErrWEInterrupts
OSEK
WaitEvent called with disabled interrupts
Disabled
0x4404
osdErrWEOnInterrupt
OSEK
WaitEvent called on interrupt level
Level
0x4405
osdErrWECallContext
OSEK
Called from invalid call context
2015, Vector Informatik GmbH
Version: 9.01
41 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Table 3-14   Error numbers of group Event Control / (4)

3.3.3.5
Error Numbers of Group Alarm Management / (5)
Group (5) contains the functions:
API Function
Abbreviation  Function
Number
GetAlarmBase
GB
1
GetAlarm
GA
2
SetRelAlarm
SA
3
SetAbsAlarm
SL
4
CancelAlarm
CA
5
osWorkAlarm
WA
6
Table 3-15   API functions of group Alarm Management / (5)
Error numbers of group (5):
Error Code
Description

Error Type  Reason
0x5101
osdErrGBWrongAlarmID  OSEK
Invalid alarm ID
0x5102
osdErrGBIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x5103
osdErrGBIllegalAddr
OSEK
Caller has no write access rights for
address argument
0x5104
osdErrGBCallContext
OSEK
Called from invalid call context
0x5105
osdErrGBNoAccess
OSEK
Calling application has no access rights for
this alarm
0x5106
osdErrGBWrongAppState  OSEK
Referenced object is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x5201
osdErrGAWrongAlarmID  OSEK
Invalid alarm ID
0x5202
osdErrGANotActive
OSEK
Alarm not active
0x5203
osdErrGAIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x5204
osdErrGAIllegalAddr
OSEK
Caller has no write access rights for
address argument
0x5205
osdErrGACallContext
OSEK
Called from invalid call context
0x5206
osdErrGANoAccess
OSEK
Calling application has no access rights for
this alarm
0x5207
osdErrGAWrongAppState  OSEK
Referenced alarm is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
2015, Vector Informatik GmbH
Version: 9.01
42 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x5301
osdErrSAWrongAlarmID  OSEK
Invalid alarm id
0x5302
osdErrSAAlreadyActive  OSEK
Alarm already active
0x5303
osdErrSAWrongCycle
OSEK
Specified cycle is out of range
0x5304
osdErrSAWrongDelta
OSEK
Specified delta is out of range
0x5305
osdErrSAIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x5306
osdErrSAZeroIncrement  OSEK
SetRelAlarm was called with the
parameter increment set to zero. (This is
no longer allowed with AUTOSAR OS)
0x5307
osdErrSACallContext
OSEK
Called from invalid call context
0x5308
osdErrSANoAccess
OSEK
Calling application has no access rights for
this alarm
0x5309
osdErrSAWrongAppState  OSEK
Referenced alarm is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x5401
osdErrSLWrongAlarmID  OSEK
Invalid alarm ID
0x5402
osdErrSLAlreadyActive  OSEK
Alarm already active
0x5403
osdErrSLWrongCycle
OSEK
Specified cycle is out of range
0x5404
osdErrSLWrongStart
OSEK
Specified start is out of range
0x5405
osdErrSLIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x5406
osdErrSLCallContext
OSEK
Called from invalid call context
0x5407
osdErrSLNoAccess
OSEK
Calling application has no access rights for
this alarm
0x5408
osdErrSLWrongAppState  OSEK
Referenced alarm is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x5501
osdErrCAWrongAlarmID  OSEK
Invalid alarm ID
0x5502
osdErrCANotActive
OSEK
Alarm not active
0x5503
osdErrCAIntAPI
OSEK
Interrupts are disabled with functions
Disabled
provided by OSEK
0x5504
osdErrCAAlarmInternal  syscheck
Internal error detected while alarm was
cancelled. This error is only detected when
OSInternalChecks is set to
Additional.
0x5505
osdErrCACallContext
OSEK
Called from invalid call context
0x5506
osdErrCANoAccess
OSEK
Calling application has no access rights for
this alarm
0x5507
osdErrCAWrongAppState  OSEK
Referenced alarm is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
2015, Vector Informatik GmbH
Version: 9.01
43 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x5601
osdErrWAWrongIDonHeap  assertion
Wrong alarm ID in heap data structure for
alarm management
0x5602
osdErrWAHeapOverflow  assertion
Overflow in internal data structure for
alarm management
0x5603
osdErrWAUnknownAction  assertion
Invalid alarm action type during processing
of an expired alarm
0x5604
osdErrWAWrongCounterI assertion
Invalid counter ID during processing of an
D
expired alarm with
OsAlarmAction=OsAlarmIncrementC
ounter.
Table 3-16   Error numbers of group Alarm Management / (5)

3.3.3.6
Error Numbers of Group Operating System Execution Control / (6)
Group (6) contains the functions:
API Function
Abbreviation  Function
Number
osCheckStackOverflow
SO
1
osSchedulePrio
SP
2
osGetStackUsage
SU
3
osCheckLibraryVersionAndVariant  CL
4
osErrorHook
EH
5
StartOS
ST
6
osSchedInsertTask
QI
7
osSchedRemoveRunningTask
QR
8
osSchedOnHomePrio
QS
9
osSchedOccupyInternalResource
QO
A
Table 3-17   API functions of group Operating System Execution Control / (6)
Error numbers of group (6):
Error Code
Description

Error Type  Reason
0x6101
osdErrSOStackOverflow  syscheck
Task stack overflow detected. This error is
only detected when the OIL attribute
WithStackCheck is set to TRUE.
0x6201
osdErrSPInterrupts
assertion
Scheduler called with enabled interrupts
Enabled
0x6301
osdErrSUWrongTaskID
assertion
Called with invalid task ID
2015, Vector Informatik GmbH
Version: 9.01
44 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x6401
osdErrCLWrongLibrary  syscheck
Wrong library linked to application. This
error check is always enabled.
0x6501
osdErrEHInterrupts
assertion
ErrorHook called with enabled interrupts
Enabled
0x6601
osdErrSTMemoryError
assertion
StartOS failed while initializing memory.
0x6602
osdErrSTNoImmediate
assertion
StartOS tried to activate the Scheduler
TaskSwitch
without success.
0x6603
osdErrSTWrongAppMode  syscheck
StartOS was called with an invalid
parameter value. This error is only
detected if the attribute STATUS is set to
EXTENDED.
0x6604
osdErrSTConfigCRCErro assertion
Configuration CRC mismatch detected
r
during StartOS
0x6606
osdErrSTConfigMagicNr assertion
Error reading the magic number from
Error
config block during StartOS
0x6607
osdErrSTInvalidMajorV assertion
Error reading the major version number
ersion
from config block during StartOS
0x6608
osdErrSTInvalidMinorV assertion
Error reading the minor version number
ersion
from config block during StartOS
0x6609
osdErrSTInvalidSTCfg  assertion
Schedule table has an invalid autostart
type value.
0x6701
osdErrQIWrongTaskPrio  assertion
Wrong Task Priority in
osSchedInsertTask
0x6801
osdErrQRInterruptsEna assertion
Interrupts are enabled during
bled
osSchedRemoveRunningTask
0x6802
osdErrQRWrongTaskID
assertion
Task index not valid in
osSchedRemoveRunningTask
0x6803
osdErrQRWrongTaskPrio  assertion
Priority not valid in
osSchedRemoveRunningTask
0x6804
osdErrQRWrongHighRdyP assertion
High ready task priority not valid in
rio
osSchedRemoveRunningTask
0x6901
osdErrQSInterruptsEna assertion
Interrupts are enabled during
bled
osSchedOnHomePrio
0x6902
osdErrQSNoReadyTaskFo assertion
No High ready task has been found in
und
osSchedOnHomePrio
0x6903
osdErrQSWrongPriority  assertion
Priority not valid in osSchedOnHomePrio
0x6A01  osdErrQOWrongTaskID
assertion
Task index not valid in
osSchedOccupyInternalResource
Table 3-18   Error numbers of group Operating System Execution Control / (6)

2015, Vector Informatik GmbH
Version: 9.01
45 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.3.3.7
Error Numbers of Schedule Table Control / (7)
Group (7) contains the functions:
API Function
Abbreviation  Function
Number
StartScheduleTableRel
SR
1
StartScheduleTableAbs
SS
2
StopScheduleTable
SP
3
GetScheduleTableStatus
SG
4
NextScheduleTable
SN
5
osWorkScheduleTable
WS
6
SyncScheduleTable (SC2 and SC4)
SY
7
SetScheduleTableAsync (SC2 and SC4)
AY
8
StartScheduleTableSynchron (SC2 and SC4)  TS
C
Table 3-19   API functions of group Schedule Table Control / (7)
Error numbers of group (7):
Error Code
Description

Error Type  Reason
0x7101
osdErrSRWrongID
OSEK
StartScheduleTableRel was called
with an invalid schedule table ID.
0x7102
osdErrSRAlready
OSEK
StartScheduleTableRel was called for
RunningOrNext
a schedule table that is already running or
next.
0x7103
osdErrSRZeroOffset
OSEK
StartScheduleTableRel was called
with the parameter Offset set to zero.
0x7104
osdErrSROffsetTooBig  OSEK
StartScheduleTableRel was called
with the parameter Offset bigger than
MAXALLOWEDVALUE of the respective
counter.
0x7105
osdErrSRIntAPI
OSEK
StartScheduleTableRel was called
Disabled
with disabled interrupts.
0x7106
osdErrSRCallContext
OSEK
Called from invalid call context
0x7107
osdErrSRNoAccess
OSEK
Calling application has no access rights for
this schedule table
0x7109
osdErrSRImplicite
OSEK
StartScheduleTableRel was called for
Sync
an implicitly synchronized ScheduleTable
0x710a
osdErrSRWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x7201
osdErrSSWrongID
OSEK
StartScheduleTableAbs was called
with an invalid schedule table ID.
0x7202
osdErrSSAlready
OSEK
StartScheduleTableAbs was called for
2015, Vector Informatik GmbH
Version: 9.01
46 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
RunningOrNext
a schedule table, which is already running
or next.
0x7203
osdErrSSTickvalueToo   OSEK
StartScheduleTableAbs was called
Big
with the parameter TickValue bigger than
MAXALLOWEDVALUE of the respective
counter.
0x7204
osdErrSSIntAPI
OSEK
StartScheduleTableAbs was called
Disabled
with disabled interrupts.
0x7205
osdErrSSCallContext
OSEK
Called from invalid call context
0x7206
osdErrSSNoAccess
OSEK
Calling application has no access rights for
this schedule table
0x7207
osdErrSSWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x7301
osdErrSPWrongID
OSEK
StopScheduleTable was called with an
invalid schedule table ID.
0x7302
osdErrSPNotRunning
OSEK
StopScheduleTable was called for a
schedule table, which is in stopped or next
state.
0x7303
osdErrSPIntAPI
OSEK
StopScheduleTable was called with
Disabled
disabled interrupts.
0x7304
osdErrSPCallContext
OSEK
Called from invalid call context
0x7305
osdErrSPNoAccess
OSEK
Calling application has no access rights for
this schedule table
0x7306
osdErrSPUnknownCase
Assertion
An internal error occured
0x7307
osdErrSPWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x7401
osdErrSGWrongID
OSEK
GetScheduleTableStatus was called
with an invalid schedule table ID.
0x7402
osdErrSGIntAPI
OSEK
GetScheduleTableStatus was called
Disabled
with disabled interrupts
0x7403
osdErrSGCallContext
OSEK
Called from invalid call context
0x7404
osdErrSGNoAccess
OSEK
Calling application has no access rights for
this schedule table
0x7405
osdErrSGIllegalAddr
OSEK
Caller has no write access rights for
address argument
0x7406
osdErrSGWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x7407
osdErrSGOddInvocation  assertion
Invocation of internal function
osGetScheduleTableStatus detected
although ReducedStatusChecks was
2015, Vector Informatik GmbH
Version: 9.01
47 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
enabled
0x7501
osdErrSNWrongCurrent  OSEK
NextScheduleTable was called with an
ID
invalid schedule table ID for the parameter
ScheduleTableID_current.
0x7502
osdErrSNWrongNextID
OSEK
NextScheduleTable was called with an
invalid schedule table ID for the parameter
ScheduleTableID_next.
0x7503
osdErrSNNotRunning
OSEK
NextScheduleTable was called to chain
a schedule table after another schedule
table, that is currently not running.
0x7504
osdErrSNAlready
OSEK
NextScheduleTable was called to chain
RunningOrNext
a running schedule table after another
schedule table.
0x7505
osdErrSNDifferent
OSEK
NextScheduleTable was called to chain
Counters
two schedule tables, which are driven by
different counters.
0x7506
osdErrSNIntAPI
OSEK
NextScheduleTable was called with
Disabled
interrupts disabled.
0x7507
osdErrSNCallContext
OSEK
Called from invalid call context
0x7508
osdErrSNNoAccess
OSEK
Calling application has no access rights for
this schedule table
0x7509
osdErrSNWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x7601
osdErrWSUnknownAction  assertion
An invalid action was found in a schedule
table
0x7602
osdErrWSUnknown
assertion
An internal error occured
Reaction
0x7603
osdErrWSWrongID
assertion
No valid schedule table index in
osWorkScheduleTable
0x7701
osdErrSYCallContext
OSEK
Called from invalid call context
0x7702
osdErrSYWrongID
OSEK
Called with wrong schedule table ID
0x7703
osdErrSYNoAccess
OSEK
Calling application has no access rights for
this schedule table
0x7704
osdErrSYIntAPI
OSEK
Called with interrupts disabled
Disabled
0x7705
osdErrSYSTNotRunning  OSEK
The Schedule table is currently not running
0x7706
osdErrSYGlobalTimeToo OSEK
The Global Time is larger than the LENGTH
Big
of the schedule table
0x7707
osdErrSYSyncKindNot
OSEK
SyncScheduleTable was called for a
Explicit
Schedule table that is not explicitly
synchronized.
2015, Vector Informatik GmbH
Version: 9.01
48 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x7708
osdErrSYWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x7801
osdErrAYCallContext
OSEK
Called from invalid call context
0x7802
osdErrAYWrongID
OSEK
Called with wrong schedule table ID
0x7803
osdErrAYNoAccess
OSEK
Calling application has no access rights for
this schedule table
0x7804
osdErrAYIntAPI
OSEK
Called with interrupts disabled
Disabled
0x7805
osdErrAYWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x7C01  osdErrTSCallContext
OSEK
Called from invalid call context
0x7C02  osdErrTSWrongID
OSEK
  Called with invalid schedule table id.
0x7C03  osdErrTSNoAccess
OSEK
  Calling application has no access rights for
this schedule table
0x7C04  osdErrTSIntAPI
OSEK
Called with interrupts disabled
Disabled
0x7C05  osdErrTSSTAlready
OSEK
The schedule table is already running or
Running
scheduled to run after a currently running
schedule table
0x7C06  osdErrTSGlobalTimeToo OSEK
The offset to Global Time is larger than the
Big
LENGTH of the schedule table
0x7C08  osdErrTSSyncKindNot
OSEK
StartScheduleTableSynchron was
Explicit
called for a Schedule table that is not
explicitly synchronized.
0x7C09  osdErrTSWrongAppState  OSEK
Referenced schedule table is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
Table 3-20   Error numbers of group Schedule Table Control / (7)
3.3.3.8
Error Numbers of Group Counter API / (8)
Group (8) contains the functions:
API Function
Abbreviation  Function
Number
IncrementCounter
IC
1
GetCounterValue
GC
3
GetElapsedValue
GV
4
Table 3-21   API functions of group Counter API / (8)
Error numbers of group (8):
2015, Vector Informatik GmbH
Version: 9.01
49 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x8101
osdErrICWrongCounter  OSEK
IncrementCounter was called for an
ID
invalid counter or a hardware counter.
0x8102
osdErrICIntAPI
OSEK
IncrementCounter was called with
Disabled
interrupts disabled.
0x8103
osdErrICCallContext
OSEK
Called from invalid call context
0x8104
osdErrICNoAccess
OSEK
Calling application has no access rights for
this counter
0x8105
osdErrICWrongAppState  OSEK
Referenced counter is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x8301
osdErrGCCallContext
OSEK
Called from invalid call context.
0x8302
osdErrGCIntAPIDisabled  OSEK
Called with disabled interrupts
0x8303
osdErrGCWrongID
OSEK
Parameter CounterID is invalid
0x8304
osdErrGCNoAccess
OSEK
Counter not accessible by the caller
0x8305
osdErrGCIllegalAddr
OSEK
Location the reference parameter Value
points to is not writable for the calling
application
0x8306
osdErrGCWrongAppState  OSEK
Referenced ISR is owned by an
OSApplication that is not in state
APPLICATION_ACCESSIBLE
0x8307
osdErrGCOddInvocation  assertion  Invocation of internal function
osGetCounterValue detected although
ReducedStatusChecks was enabled
0x8401
osdErrGVCallContext
OSEK
Called from invalid call context.
0x8402
osdErrGVIntAPIDisabled  OSEK
Called with disabled interrupts
0x8403
osdErrGVWrongID
OSEK
Parameter CounterID is invalid
0x8404
osdErrGVNoAccess
OSEK
Counter not accessible by the caller
0x8405
osdErrGVIllegalAddr
OSEK
Location a reference parameter points to is
not writable for the calling application
0x8406
osdErrGVWrongAppState  OSEK
Referenced ISR is owned by an
OSApplication that is not in state
APPLICATION_ACCESSIBLE
0x8407
osdErrGVIllegalValue
OSEK
The passed value is illegal
0x8408
osdErrGVIllegalPointer OSEK
The pointers for out parameters Value and
s
Elapsed Value are identical.
0x8409
osdErrGVOddInvocation  assertion  Invocation of internal function
osGetElapsedValue detected although
ReducedStatusChecks was enabled
Table 3-22   Error numbers of group Counter API / (8)

2015, Vector Informatik GmbH
Version: 9.01
50 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

3.3.3.9
Error Numbers of Group Timing Protection and Timing Measurement / (9)
Group (9) contains the functions:
API Function
Abbreviation
Function
Number
GetTaskMinInterArrivalTime
TM
0
BlockingTimeMonitoring
BM
7
GetTaskMaxExecutionTime
TE
8
GetISRMaxExecutionTime
IE
9
GetTaskMaxBlockingTime
TB
A
GetISRMaxBlockingTime
IB
B
ExecutionTimeMonitoring
ET
D
GetISRMinInterArrivalTime
MI
F
Table 3-23   API functions of group Timing Protection and Timing Measurement / (9)

Error numbers of group (9):
Error Code
Description

Error Type  Reason
0x9001
osdErrTMWrongTaskID
OSEK
Called with wrong TASK ID
0x9002
osdErrTMNoAccess
OSEK
The calling application has no access
rights for the TASK
0x9003
osdErrTMIllegalAddr
OSEK
The caller has no access rights for the
memory region
0x9004
osdErrTMWrongAppState  OSEK
Referenced task is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x9702
osdErrBMResAlready
assertion
A blocking time measurement was started
Measured
that is already running. This might happen
if timing protection is active and
SuspendAllInterrupts is called after
DisableAllInterrupts has already
been called.
0x9703
osdErrBMInvalidProces assertion
Internal error: attempt to start Block Timing
sInStart
Protection with an invalid task or ISR
0x9704
osdErrBMInvalidProces assertion
Internal error: attempt to stop Block Timing
sInStop
Protection with an invalid task or ISR
0x9705
osdErrBMInvalidResour assertion
Attempt to monitor blocking time for an
ce
invalid resource detected.
0x9801
osdErrTEWrongTaskID
OSEK
GetTaskMaxExecutionTime was called
with an invalid task identifier
0x9802
osdErrTENoAccess
OSEK
The calling application has no access
2015, Vector Informatik GmbH
Version: 9.01
51 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
rights for this task
0x9803
osdErrTEIllegalAddr
OSEK
The caller has no access rights for this
memory region
0x9804
osdErrTEWrongAppState  OSEK
Referenced task is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x9901
osdErrIEWrongISRID
OSEK
GetISRMaxExecutionTime was called
with an invalid ISR identifier
0x9902
osdErrIENoAccess
OSEK
The calling application has no access
rights for this ISR
0x9903
osdErrIEIllegalAddr
OSEK
The caller has no access rights for this
memory region.
0x9904
osdErrIEWrongAppState  OSEK
Referenced ISR is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x9A01  osdErrTBWrongTaskID
OSEK
Called with wrong Task ID
0x9A02  osdErrTBWrongBlock
OSEK
Called with wrong blocking type
Type
0x9A03  osdErrTBWrongResource OSEK
Called with wrong resource ID
ID
0x9A04  osdErrTBNoAccessTo
OSEK
The calling application has no access
Task
rights for the task
0x9A05  osdErrTBNoAccessTo
OSEK
The calling application has no access
Resource
rights for the resource
0x9A06  osdErrTBIllegalAddr
OSEK
The caller has no access rights for this
memory region
0x9A07  osdErrTBWrongAppState  OSEK
Referenced task is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
0x9B01  osdErrIBWrongISRID
OSEK
Called with wrong ISR ID
0x9B02  osdErrIBWrongBlock
OSEK
Called with wrong blocking type
Type
0x9B03  osdErrIBWrongResource OSEK
Called with wrong resource ID
ID
0x9B04  osdErrIBNoAccessToISR  OSEK
The calling application has no access
rights for the ISR
0x9B05  osdErrIBNoAccessTo
OSEK
The calling application has no access
Resource
rights for the resource
0x9B06  osdErrIBIllegalAddr
OSEK
The caller has no access rights for the
memory region
0x9B07  osdErrIBWrongAppState  OSEK
Referenced ISR is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
2015, Vector Informatik GmbH
Version: 9.01
52 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error Type  Reason
0x9D01  osdErrETNoCurrent
assertion
Execution Time Monitoring has detected
Process
an invalid process ID
0x9F01  osdErrMIWrongISRID
OSEK
Called with wrong ISR ID
0x9F02  osdErrMINoAccess
OSEK
The calling application has no access
rights for the ISR
0x9F03  osdErrMIIllegalAddr
OSEK
The caller has no access rights for the
memory region
0x9F04  osdErrMIWrongAppState  OSEK
Referenced ISR is owned by an
OSApplication which is not in state
APPLICATION_ACCESSIBLE
Table 3-24   Error numbers of group Timing Protection and Timing Measurement / (9)
3.3.3.10  Platform specific error codes (A)
Group (A) contains platform specific error numbers. Please refer to [5] for further detail.
3.3.3.11  Error Numbers of Group Application API (B)
Group (B) contains the functions:
API Function
Abbreviation  Function
Number
GetApplicationState
AS
1
AllowAccess
AA
2
TerminateApplication
TA
4
Table 3-25   API functions of group Application API / (B)
Error numbers of group (B):
Error Code
Description

Error
Reason
Type
0xB101  osdErrASCallContext
OSEK
Called from invalid call context.
0xB102  osdErrASIntAPIDisabled  OSEK
Called with disabled interrupts
0xB103  osdErrASWrongAppID
OSEK
Called with invalid OSApplication ID
0xB104  osdErrASOddInvocation
assertion  Invocation of internal function
osGetApplicationState detected
although ReducedStatusChecks was
enabled
0xB201  osdErrAACallContext
OSEK
Called from invalid call context.
0xB202  osdErrAAIntAPIDisabled  OSEK
Called with disabled interrupts
0xB203  osdErrAAWrongState
OSEK
Currently active application is not in state
APPLICATION_RESTARTING
2015, Vector Informatik GmbH
Version: 9.01
53 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error
Reason
Type
0xB401  osdErrTAWrongRestart
OSEK
Invalid restart option
Option
0xB402  osdErrTACallContext
OSEK
Called from invalid call context
0xB403  osdErrTAIntAPI
OSEK
Called with interrupts disabled
Disabled
0xB404  osdErrTAWrongAppID
OSEK
Called with wrong OSApplication ID.
0xB405  osdErrTANoAccess
OSEK
Caller has not sufficient access rights to
terminate the given OSApplication.
0xB406  osdErrTAWrongAppState
OSEK
Referenced application is in wrong state.
0xB407  osdErrTAInvalidTaskSta
assertion  Task state corrupt in TerminateApplication
te
Table 3-26   Error numbers of group Application API / (B)
3.3.3.12  Error Numbers of Group Semaphores (C)

Note
This group is only available for implementations that have been ordered with the
  feature Semaphores.

Group (C) contains the functions:
API Function
Abbreviation  Function
Number
osGetSemaphore
GM
1
osReleaseSemaphore
RS
2
Table 3-27   API functions of group Semaphores / (C)
Error numbers of group (C):
Error Code
Description

Error
Reason
Type
0xC101  osdErrGMWrongSemaphore
OSEK
GetSemaphore called with wrong
ID
Semaphore ID
0xC102  osdErrGMOnInterruptLev
OSEK
Called on Interrupt Level
el
0xC103  osdErrGMNotExtendedTas
OSEK
Called from a Basic Task
k
0xC104  osdErrGMResourcesOccup
OSEK
Called while resources are occupied
2015, Vector Informatik GmbH
Version: 9.01
54 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error
Reason
Type
ied
0xC105  osdErrGMInterruptsDisa
OSEK
Interrupts are disabled with functions
bled
provided by OSEK
0xC201  osdErrRSWrongSemaphore
OSEK
ReleaseSemaphore called with wrong
ID
Semaphore ID
0xC203  osdErrRSAlreadyRelease
OSEK
Tried to release a semaphore that is not
d
occupied
0xC204  osdErrRSWrongTaskPrio
assertion  Task has wrong priority level
0xC205  osdErrRSInterruptsDisa
OSEK
Interrupts are disabled with functions
bled
provided by OSEK
Table 3-28   Error numbers of group Semaphores / (C)
3.3.3.13  Error Numbers of Group MultiCore related functions (D)
Group (D) is reserved for MultiCore implementations. MultiCore specific detail is currently
contained in the additional documentation. Please refer to [4] for further detail.
3.3.3.14  Error Numbers of Group (Non-)TrustedFunctions (E)
Group (E) contains the functions:
API Function
Abbreviation  Function
Number
CallTrustedFunction
CT
3
CallNonTrustedFunction
NT
4
PeripheralAPI functions
PA
5
Table 3-29   API functions of group (Non-)TrustedFunctions (E)
Error numbers of group (E):
Error Code
Description

Error
Reason
Type
0xE301  osdErrCTWrongFctIdx
OSEK
Invalid function index for trusted function
0xE302  osdErrCTCallContext
OSEK
Called from invalid call context
0xE303  osdErrCTIntAPI
OSEK
Called with interrupts disabled
Disabled
0xE404  osdErrNTWrongFctIdx
OSEK
Invalid function index for non-trusted
function
0xE405  osdErrNTCallContext
OSEK
Called from invalid call context
0xE406  osdErrNTIntAPI
OSEK
Called with interrupts disabled
Disabled
2015, Vector Informatik GmbH
Version: 9.01
55 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Error Code
Description

Error
Reason
Type
0xE501  osdErrPAInvalidAreaInd
assertion  Not a valid peripheral region ID used within
ex
the API
0xE502  osdErrPANoAccessRight
assertion  The current caller does not have access
rights to the peripheral region
0xE503  osdErrPAInvalidAddress  assertion  The address which is accessed is not
included within the passed peripheral
region
Table 3-30   Error numbers of group (Non-)TrustedFunctions (E)
3.3.3.15  Error Numbers of Group IOC (F)
Group (F) is reserved for implementations supporting IOC. IOC specific detail is currently
contained in the platform specific documentation. Please refer to [5] for further detail.
3.3.4
Reactions on Error Situations
Depending on the error that has occurred, different reactions are performed:
>  Errors detected from wrong usage of API functions: Call of ErrorHook and return to
the calling task or interrupt routine.
>  Errors detected in the kernel: Call of ErrorHook and call of ShutdownOS (which calls
ShutdownHook).

2015, Vector Informatik GmbH
Version: 9.01
56 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

4  Installation
The  MICROSAR  OS  package  might  be  delivered  together  with  other  MICROSAR
embedded software. In this case, the OS is already included in the delivered package, and
no separate installation is necessary. If MICROSAR OS is delivered stand alone, it comes
up  with  an  installation  program,  which  installs  the  operating  system  source  files  and  the
OIL  Configurator.  To  use  the  OS  with  ARXML  configurations,  the  DaVinci  configurator
must be installed in addition.
4.1
Installation Requirements
The installation program and the OIL Configurator are 32-bit Windows programs.
Requirements:
>  Microsoft Windows95, Windows98, Windows NT, Windows 2000, Windows XP,
Windows Vista, Windows 7
>  64 MByte of free disk space (for a complete installation)
4.2
Installation Disk
All parts of the OSEK system, the OIL Configurator, and the code generator are delivered
with a Windows installation program. The installation program copies all files onto the local
hard disk and sets all paths in the INI files. The installation program asks the user for an
installation path; this path is the root path for all installed components. The selected path is
referred to in the following as root. The delivered installation uses the path  C:\OSEK as
the default root path.
There are two possible installation styles than can be selected:
>  MICROSAR style: compatible with Vector AUTOSAR stack
>  osCAN style: compatible with osCAN
The installation paths are determined depending on the selected style
The installed components are:

Components
osCAN style
MICROSAR style
OIL Configurator
root\OILTOOL
root\Generators\Tools\OilTool
OSEK system
root\HwPlatform
root\BSW\Os
Table 4-1
Installed components
2015, Vector Informatik GmbH
Version: 9.01
57 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

4.3
OIL Configurator

Info
Please note that 'OIL Configurator' and 'OIL Tool' are used as synonyms in this
  document.

The  OIL  Configurator  is  a  common  tool  for  different  OSEK  implementations.  The
implementation specific parts are the code generator and the OIL implementation files for
the code generator.

Components
osCAN style
MICROSAR style
OIL Configurator
root\OILTOOL
root\Generators\Tools\OilTool
OIL implementation files
root\OILTOOL\GEN
root\Generators\Os
Code generator
root\OILTOOL\GEN
root\Generators\Os
Table 4-2
System configuration and generation tools
4.3.1
INI Files of the OIL Tool
The OIL Configurator has two INI files, which are in the directory of the OIL Configurator:
>  OILGEN.INI
>  OILCFG.INI
4.3.2
OIL Implementation Files
The  implementation  files  are  copied  onto  the  local  hard  disk  by  the  installation  program.
The OIL tool has knowledge about these files through the INI file OILGEN.INI (the correct
path is set by the installation program).
The implementation files are described in the hardware specific part of this manual [4].
4.3.3
Code Generator
The  code  generator  GENxxxx.EXE  is  copied  onto  the  local  hard  disk  by  the  installation
program.  The  code  generator  is  defined  in  the  INI-file  OILGEN.INI.  (‘xxxx’  has  to  be
replaced by a hardware dependent abbreviation)
4.4
OSEK Operating System
4.4.1
Installation Paths
The delivered operating system parts are organized in different subdirectories.
The following structure is used by osCAN style installations:
>  root\HwPlatform\APPL\Compiler\Derivative
Sample applications
>  root\HwPlatform\BIN
executable files (e.g. make tool)
>  root\HwPlatform\bswmd_files
XML parameter descrption files
2015, Vector Informatik GmbH
Version: 9.01
58 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

> root\HwPlatform\DOC
Documentation
> root\HwPlatform\INCLUDE
OSEK include files
> root\HwPlatform\LIB
OSEK library (only if a library is available)
> root\HwPlatform\SRC
OSEK sources (C and Assembler)

The following structure is used by MICROSAR style installations:
> root\Demo\Os
Sample applications
> root\Generators\Os
executable files (e.g. make tool)
> root\Generators\Components\_Schemes\
XML parameter descrption files
Os_<platform and derivate>_bswmd \bswmd
> root\Doc\TechnicalReferences
Documentation
> root \Doc\UserManuals
> root\BSW\Os
OSEK include files
> root\BSW\Os
OSEK library (only if a library is available)
> root\BSW\Os
OSEK sources (C and Assembler)

4.5
XML Configurations
AUTOSAR uses for configuration files the XML format. An XML Schema (ref. [8]) defines
the structure. For each derivative there is an ECU Parameter Definition File (file extension
is arxml) which defines all attributes (standard attribute and vendor/platform specific
attributes).
The Vector implementation of AUTOSAR OS uses the OIL [6] configuration file format or
ECU Configuration files. A conversion of ECUC files to OIL, as it was necessary in former
versions of MICROSAR OS, is not required any more.
4.5.1
Parameter Definition Files
Parameter Definition Files for the implementation can be found in the directory
root\HwPlatform\BSWMD_files (osCAN style) or
root\Generators\Components\_Schemes\Os_<platform and
derivate>_bswmd\bswmd (MICROSAR style).
The files have the name OS_<platform and derivate>_bswmd.arxml.
2015, Vector Informatik GmbH
Version: 9.01
59 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

5 Integration
This chapter gives necessary information for the integration of the MICROSAR OS into an
application environment of an ECU.
5.1 Scope of Delivery
The delivery of the OS contains the files that are described in the chapters 5.1.1 and 5.1.2:
5.1.1
Static Files
The static file list is described in the platform specific technical reference [4]
5.1.2
Dynamic Files
The dynamic files are generated by the code generator GENxxxx (xxxx is replaced by
hardware platform name).
5.1.2.1
Code Generator GENxxxx
File Name
Description
tcb.c
tcb contains the task control block and other OS object
tcb.h
task and other OS object related information, like task Ids – definitions
required by static include files (e.g. array sizes)
tcbpost.h
task and other OS object related information, like task Ids – declarations
that require static include files (e.g. typedef's)
trustfct.h
Header containing trusted function information
trustfct.c
Trusted function data and generated stubs
libconf
Information for usage in makefiles, not available on all platforms, see
chapter 5.1.2.1.1
<OILFileName>.ort Generated if kernel aware debugging with the ORTI interface is enabled,
Table 5-1
Files generated by code generator GENxxxx
In addition to the files listed in Table 5-1, some hardware dependent files are generated
which are described in the hardware specific technical reference [4].
5.1.2.1.1
Generated file libconf
The file libconf is meant for the inclusion into makefiles. It sets some variables in
accordance to general configuration settings of MICROSAR OS to inform the make
process about them. Dependent on the platform, the file may contain more information or
be even unavailable, so please see the hardware specific technical reference [4].
The table below describes the generated variables.

2015, Vector Informatik GmbH
Version: 9.01
60 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Variable
Meaning
LIB
Always 0, because MICROSAR OS SafeContext cannot be configured to library
variant.
STATUS_LEVEL
Reflects the setting of the configuration attribute STATUS of MICROSAR OS.
Possible values:
EXTENDED_STATUS = 1
DEBUG_SUPPORT
Always 1, because ORTIDebugSupport is always enabled for MICROSAR OS
SafeContext.
Table 5-2
Variables generated into the file libconf

5.1.2.2
Application Template Generator GENTMPL
Former  versions  of  MICROSAR  OS  and  osCAN  came  with  a  template  code  generator
which generates a main.c template file with empty implementations for the objects defined
in the configuration. This is not supported any more in newer implementations.
5.2  Include Structure
The  header  files  tcb.h  and  tcbpost.h  are  included  into  the  file  os.h.  The  user  must
include os.h in every module of his application. The headers tcb.h and tcbpost.h are
included  automatically.  Always  recompile  all  files  after  a  new  generation  of  tcb.h  and
tcbpost.h.
If  an  application  is  using  trusted  functions  and  the  Vector  extension  “GenerateStubs”,  an
include file named usrostyp.h must be present in the include path. This file must contain
all user specific data types used for trusted functions.
2015, Vector Informatik GmbH
Version: 9.01
61 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

6  API Description
6.1  Standard API - Overview
This  chapter  gives  an  overview  of  all  standard  API  functions  defined  for  the  OS.  The
following synonyms present the standard specifications:
>  ASR: AUTOSAR standard, reference [1]
>  OSEK: OSEK standard, reference [3]
These standard specifications contain the detailed API descriptions. In case part of an API
function  is  implementation  specific,  the  detailed  API  description  is  given  in  a  further
subchapter in this document.
API Function Prototype
Standard
Scalability
Specification  Class
OSEK  ASR
1  2  3  4
Task Handling
StatusType ActivateTask  (TaskType TaskID)


      
StatusType TerminateTask (void)


      
StatusType ChainTask      (TaskType TaskID)


      
StatusType Schedule       (void)


      
StatusType GetTaskID      (TaskRefType TaskID)


      
StatusType GetTaskState  (TaskType TaskID,


      
                                  TaskStateRefType State)
Event Control
StatusType SetEvent   (TaskType TaskID,


      
                              EventMaskType Mask)
StatusType ClearEvent (EventMaskType Mask)


      
StatusType GetEvent   (TaskType TaskID,


      
                              EventMaskRefType Mask)
StatusType WaitEvent  (EventMaskType Mask)


      
Interrupt Handling
The behavior of the interrupt handling functions is implementation specific. For a detailed
description see hardware specific technical reference [4].
void EnableAllInterrupts   (void)


      
void DisableAllInterrupts (void)


      
void ResumeAllInterrupts   (void)


      
void SuspendAllInterrupts (void)


      
void ResumeOSInterrupts    (void)


      
void SuspendOSInterrupts   (void)


      
2015, Vector Informatik GmbH
Version: 9.01
62 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

API Function Prototype
Standard
Scalability
Specification  Class
OSEK  ASR
1  2  3  4
Resource Management
The behaviour of the resource management functions is implementation specific
StatusType GetResource       (ResourceType ResID)


      
StatusType ReleaseResource  (ResourceType ResID)


      
Alarms
StatusType GetAlarmBase  (AlarmType AlarmID,


      
                                AlarmBaseRefType Info)
StatusType GetAlarm       (AlarmType AlarmID,


      
                                TickRefType Tick)
StatusType SetRelAlarm   (AlarmType AlarmID,


      
                                TickType Increment,
                                TickType cycle)
StatusType SetAbsAlarm   (AlarmType AlarmID,


      
                                TickType Start,
                                TickType cycle)
StatusType CancelAlarm   (AlarmType AlarmID)


      
Execution Control
void           StartOS     (AppModeType Mode)


      
void           ShutdownOS (StatusType Error)


      
ISRType       GetISRID   (void)


      
AppModeType GetActiveApplicationMode(void)


      
ApplicationType  GetApplicationID     (void)



  
StatusType   CallTrustedFunction



  
  (TrustedFunctionIndexType FunctionIndex,
  TrustedFunctionParameterRefType FunctionParams)
StatusType   GetApplicationState



  
  (ApplicationType Application,
ApplicationStateRefType Value)
Hook Routines
The context for called hook routines is implementation specific. For a detailed description see
see hardware specific technical reference [4].
void   ErrorHook              (StatusType Error)


void   PreTaskHook           (void)


void   PostTaskHook          (void)


void   StartupHook           (void)


void   ShutdownHook          (StatusType Error)


ProtectionReturnType ProtectionHook



    
                                  (StatusType Fatalerror)
2015, Vector Informatik GmbH
Version: 9.01
63 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

API Function Prototype
Standard
Scalability
Specification  Class
OSEK  ASR
1  2  3  4
Schedule Tables
StatusType   StartScheduleTableRel


      
      (ScheduleTableType ScheduleTableID,
        TickType Offset)
StatusType   StartScheduleTableAbs


      
      (ScheduleTableType ScheduleTableID,
        TickType Start)
StatusType   StopScheduleTable


      
      (ScheduleTableType ScheduleTableID)
StatusType   NextScheduleTable


      
      (ScheduleTableType ScheduleTableID_From,
        ScheduleTableType ScheduleTableID_To)
StatusType   StartScheduleTableSynchron



    
      (ScheduleTableType ScheduleTableID)
StatusType   SyncScheduleTable



    
      (ScheduleTableType ScheduleTableID,
        TickType Value)
StatusType   SetScheduleTableAsync



    
      (ScheduleTableType ScheduleTableID)
StatusType   GetScheduleTableStatus


      
      (ScheduleTableType ScheduleTableID,
        ScheduleTableStatusRefType ScheduleStatus)
Counters
StatusType   IncrementCounter


      
      (CounterType CounterID)
StatusType   GetCounterValue


      
      (CounterType CounterID, TickRefType Value)
StatusType   GetElapsedValue


      
      (CounterType CounterID, TickRefType Value,
        TickRefType ElapsedValue)
Access Rights Management
AccessType   CheckISRMemoryAccess



  
      (ISRType ISRID,
        MemoryStartAddressType Address,
        MemorySizeType Size)
AccessType   CheckTaskMemoryAccess



  
      (TaskType TaskID,
        MemoryStartAddressType Address,
        MemorySizeType Size)
ObjectAccessType CheckObjectAccess



  
      (ApplicationType ApplID,
        ObjectTypeType ObjectType, …)
2015, Vector Informatik GmbH
Version: 9.01
64 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

API Function Prototype
Standard
Scalability
Specification  Class
OSEK  ASR
1  2  3  4
ApplicationType CheckObjectOwnership



  
      (ObjectTypeType ObjectType, …)
Table 6-1
Standard API functions
6.2  API Functions defined by Vector - Overview
This chapter gives an overview of all API functions defined for the OS by Vector.  Further
chapters contain detailed descriptions of these API functions.
API Function Prototype
Scalability
Class
1  2  3  4
Measurement API
For a detailed description see chapter 6.4.
StatusType   GetTaskMaxExecutionTime

    
        (TaskType TaskID, osTPTimeRefType MaxTime)
StatusType   GetISRMaxExecutionTime

    
        (ISRType TaskID, osTPTimeRefType MaxTime)
StatusType   GetTaskMaxBlockingTime

    
        (TaskType TaskID, BlockTypeType BlockType,
          ResourceType ResourceID, osTPTimeRefType MaxTime)
StatusType   GetISRMaxBlockingTime

    
        (ISRType ISRID, BlockTypeType BlockType,
          ResourceType ResourceID, osTPTimeRefType MaxTime)
StatusType osGetISRMinInterArrivalTime

    
         (ISRType ISRID, osTPTimeStampRefType MinTime)
StatusType osGetTaskMinInterArrivalTime

    
         (TaskType ISRID, osTPTimeStampRefType MinTime)
Non-Trusted Functions
Calling service functions from Non-Trusted Applications. The complement part of the AUTOSAR
API CallTrustedFunction.
StatusType   osCallNonTrustedFunction

  
  (NonTrustedFunctionIndexType FunctionIndex,
  NonTrustedFunctionParameterRefType FunctionParams)
Peripheral Region API

API to access memory mapped hardware registers, which are only accessible in
privileged mode.
osuint8 osReadPeripheral8(osuint16 area, osuint32 address)

  
osuint16 osReadPeripheral16(osuint16 area, osuint32 address)

  
osuint32 osReadPeripheral32(osuint16 area, osuint32 address)

  
2015, Vector Informatik GmbH
Version: 9.01
65 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

API Function Prototype
Scalability
Class
1  2  3  4
void osWritePeripheral8(osuint16 area, osuint32 address, osuint8

  
value)
void osWritePeripheral16(osuint16 area, osuint32 address, osuint16

  
value)
void osWritePeripheral32(osuint16 area, osuint32 address, osuint32

  
value)
void osModifyPeripheral8(osuint16 area, osuint32 address, osuint8

  
clearmask, osuint8 setmask)
void osModifyPeripheral16(osuint16 area, osuint32 address, osuint16

  
clearmask, osuint16 setmask)
void osModifyPeripheral32(osuint16 area, osuint32 address, osuint32

  
clearmask, osuint32 setmask)
MPU Access Checking API

Check whether you have read/write access to a given address.
uint8 osCheckMPUAccess(uint8* DestinationAddress)

  
Table 6-2
Vector API functions
6.3
Timing Measurement API
6.3.1
GetTaskMaxExecutionTime
Prototype
StatusType GetTaskMaxExecutionTime ( TaskType TaskID, osTPTimeRefType MaxTime )
Parameter
TaskID
The task to be questioned
MaxTime
Maximum execution time, measured in all finished time frames.
Return code
E_OK
No errors
E_OS_ID
The TaskID is not valid.
Functional Description
The maximum execution time of finished executions of the questioned task since StartOS. The value is in
ticks of the ExecutionTime hardware timer. The number of ticks per ms of this timer is printed into the HTML
list file.
Particularities and Limitations
>  Available in Scalability Classes 2 and 4.
>  This function is synchronous.
>  This function is reentrant.
>  This function is only available if the attribute TimingMeasurement is set to TRUE (is selected)
2015, Vector Informatik GmbH
Version: 9.01
66 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Expected Caller Context
>  task or cat2 ISR
Table 6-3
GetTaskMaxExecutionTime
6.3.2
GetISRMaxExecutionTime
Prototype
StatusType GetISRMaxExecutionTime ( ISRType TaskID, osTPTimeRefType MaxTime )
Parameter
TaskID
The task to be questioned
MaxTime
Maximum execution time of the respective ISR for all finished ISR activations.
Return code
E_OK
No errors
E_OS_ID
The ISRID is not valid.
Functional Description
The maximum execution time of finished executions of the questioned ISR since StartOS. The value is in
ticks of the ExecutionTime hardware timer. The number of ticks per ms of this timer is printed into the HTML
list file.
Particularities and Limitations
>  Available in Scalability Classes 2 and 4.
>  This function is synchronous.
>  This function is reentrant.
>  This function is only available if the attribute TimingMeasurement is set to TRUE (is selected)
Expected Caller Context
>  task or cat2 ISR
Table 6-4
GetISRMaxExecutionTime
6.3.3
GetTaskMaxBlockingTime
Prototype
StatusType GetTaskMaxBlockingTime (
  TaskType TaskID,
  BlockTypeType BlockType,
  ResourceType ResourceID,
  osTPTimeRefType MaxTime )
Parameter
TaskID
The task to be questioned
BlockType
OS_ALL_INTERRUPTS, OS_OS_INTERRUPTS or OS_RESOURCE
ResourceID
If BlockType == OS_RESOURCE, ResourceID specifies the Resource
2015, Vector Informatik GmbH
Version: 9.01
67 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

MaxTime
Maximum of all measured times.
Return code
E_OK
No errors
E_OS_ID
The TaskID, the BlockType or the ResourceID are invalid.
Functional Description
The maximum blocking time of finished locking sequences of the questioned task and the resource or
interrupt lock type since StartOS. The value is in ticks of the BlockingTime hardware timer. The number of
ticks per ms of this timer is printed into the HTML list file.
Particularities and Limitations
>  Available in Scalability Classes 2 and 4.
>  This function is synchronous.
>  This function is reentrant.
>  This function is only available if the attribute TimingMeasurement is set to TRUE (is selected)
Expected Caller Context
>  task or cat2 ISR
Table 6-5
GetTaskMaxBlockingTime
6.3.4
GetISRMaxBlockingTime
Prototype
StatusType GetISRMaxBlockingTime (
  ISRType ISRID,
  BlockTypeType BlockType,
  ResourceType ResourceID,
  osTPTimeRefType MaxTime )
Parameter
ISRID
The ISR to be questioned
BlockType
OS_ALL_INTERRUPTS, OS_OS_INTERRUPTS or OS_RESOURCE
ResourceID
If BlockType == OS_RESOURCE, ResourceID specifies the Resource
MaxTime
Maximum of all measured times.
Return code
E_OK
No errors
E_OS_ID
The TaskID, the BlockType or the ResourceID are invalid.
Functional Description
The maximum blocking time of finished locking sequences of the questioned ISR and the resource or
interrupt lock type since StartOS. The value is in ticks of the BlockingTime hardware timer. The number of
ticks per ms of this timer is printed into the HTML list file.
Particularities and Limitations
2015, Vector Informatik GmbH
Version: 9.01
68 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

>  Available in Scalability Classes 2 and 4.
>  This function is synchronous.
>  This function is reentrant.
>  This function is only available if the attribute TimingMeasurement is set to TRUE (is selected)
Expected Caller Context
>  task or cat2 ISR
Table 6-6
GetISRMaxBlockingTime
6.3.5
GetTaskMinInterArrivalTime
Prototype
StatusType GetTaskMinInterArrivalTime( TaskType TaskID, osTPTimeStampRefType
MinTime )
Parameter
TaskID
The task to be questioned
MinTime
Minimum time between two task arrivals
Return code
E_OK
No errors
E_OS_ID
The TaskID is not valid.
E_OS_ACCESS
No access rights to task (SC4 only)
E_OS_ILLEGAL_ADDRESS  Memory address of MinTime not writeable (SC4 only)
Functional Description
Returns the minimum time span between two arrivals of a task (see [1]) as measured since StartOS. The
value is in ticks of the InterArrivalTime hardware timer. The number of ticks per ms of this timer is printed
into the HTML list file.
Particularities and Limitations
>  Available in Scalability Classes 2 and 4.
>  This function is synchronous.
>  This function is reentrant.
>  This function is only available if the attribute TimingMeasurement is set to TRUE (is selected)
2015, Vector Informatik GmbH
Version: 9.01
69 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Expected Caller Context
>  task or cat2 ISR
Table 6-7
GetTaskMinInterArrivalTime
6.3.6
GetISRMinInterArrivalTime
Prototype
StatusType GetISRMinInterArrivalTime ( ISRType IsrID, osTPTimeStampRefType
MinTime )
Parameter
IsrID
The ISR to be questioned
MinTime
Minimum time between two ISR arrivals
Return code
E_OK
No errors
E_OS_ID
The ISRID is not valid.
E_OS_ACCESS
No access rights for this ISR (SC4 only)
E_OS_ILLEGAL_ADDRESS
Memory address of MinTime not writeable (SC4 only)
Functional Description
Returns the minimum time span between two arrivals of an ISR (see [1]) as measured since StartOS. The
value is in ticks of the InterArrivalTime hardware timer. The number of ticks per ms of this timer is printed
into the HTML list file.
Particularities and Limitations
>  Available in Scalability Classes 2 and 4.
>  This function is synchronous.
>  This function is reentrant.
>  This function is only available if the attribute TimingMeasurement is set to TRUE (is selected)
Expected Caller Context
>  task or cat2 ISR
Table 6-8
GetISRMinInterArrivalTime
6.4
Implementation specific Behavior
The behaviour of the functions listed in this chapter is implementation specific.
6.4.1
Interrupt Handling
In general the usage of the interrupt API functions is allowed before the operating system
is started. The affected functions are:
>  DisableAllInterupts
>  EnableAllInterrupts
2015, Vector Informatik GmbH
Version: 9.01
70 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

>  SuspendAllInterrupts
>  ResumeAllInterrupts
>  SuspendOSInterrupts
>  ResumeOSInterrupts
The implementation specific behaviour is of these functions is described in [5].
6.4.1.1
EnableAllInterrupts
Prototype
void EnableAllInterrupts ( void )
Parameter
--
--
Return code
void
--
Functional Description
This service restores the state saved by DisableAllInterrupts.

This service is a counterpart of DisableAllInterrupts service, which has to be called before, and its
aim is the completion of the critical section of code. No API service calls are allowed within this critical
section.

The implementation should adapt this service to the target hardware providing a minimum overhead.
Usually, this service enables recognition of interrupts by the central processing unit.

This function might be implemented using a global interrupt flag or an interrupt level register.
Particularities and Limitations
>  When using before StartOS, the function osInitialize must be called first to initialize the variables
which are used in the interrupt API.
>  The function must not be used within handlers of non-maskable interrupts as this can violate the
consistancy of internal variables.
Expected Caller Context
>  --
Table 6-9
EnableAllInterrupts

2015, Vector Informatik GmbH
Version: 9.01
71 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

6.4.1.2
DisableAllInterrupts
Prototype
void DisableAllInterrupts ( void )
Parameter
--
--
Return code
Void
--
Functional Description
This service disables all interrupts for which the hardware supports disabling. The state before is saved for
the EnableAllInterrupts call.
This service is intended to start a critical section of the code. This section shall be finished by calling the
EnableAllInterrupts service. No API service calls are allowed within this critical section.
The implementation should adapt this service to the target hardware providing a minimum overhead.
Usually, this service disables recognition of interrupts by the central processing unit.
Note that this service does not support nesting. If nesting is needed for critical sections e.g. for libraries
SuspendOSInterrupts/ResumeOSInterrupts or SuspendAllInterrupt/ResumeAllInterrupts
should be used.
This function might be implemented using a global interrupt flag or an interrupt level register.
Particularities and Limitations
>  When using before StartOS, the function osInitialize must be called first to initialize the variables
which are used in the interrupt API.
>  The function must not be used within handlers of non-maskable interrupts as this can violate the
consistancy of internal variables.
Expected Caller Context
>  --
Table 6-10   DisableAllInterrupts
6.4.1.3
ResumeAllInterrupts
Prototype
void ResumeAllInterrupts ( void )
Parameter
--
--
Return code
void
--
2015, Vector Informatik GmbH
Version: 9.01
72 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Functional Description
This service restores the recognition status of all interrupts saved by the SuspendAllInterrupts
service.

This service is the counterpart of SuspendAllInterrupts service, which has to have been called
before, and its aim is the completion of the critical section of code. No API service calls beside
SuspendAllInterrupts/ResumeAllInterrupts pairs and
SuspendOSInterrupts/ResumeOSInterrupts pairs are allowed within this critical section.

The implementation should adapt this service to the target hardware providing a minimum overhead.
SuspendAllInterrupts/ResumeAllInterrupts can be nested. In case of nesting pairs of the calls
SuspendAllInterrupts and ResumeAllInterrupts the interrupt recognition status saved by the first
call of SuspendAllInterrupts is restored by the last call of the ResumeAllInterrupts service.

This function might be implemented using a global interrupt flag or an interrupt level register.
Particularities and Limitations
>  When using before StartOS, the function osInitialize must be called first to initialize the variables
which are used in the interrupt API.
>  The function must not be used within handlers of non-maskable interrupts as this can violate the
consistancy of internal variables.
Expected Caller Context
>  --
Table 6-11   ResumeAllInterrupts
6.4.1.4
SuspendAllInterrupts
Prototype
void SuspendAllInterrupts ( void )
Parameter
--
--
Return code
void
--
2015, Vector Informatik GmbH
Version: 9.01
73 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Functional Description
This service saves the recognition status of all interrupts and disables all interrupts for which the hardware
supports disabling.

This service is intended to protect a critical section of code from interruptions of any kind. This section shall
be finished by calling the ResumeAllInterrupts service. No API service calls beside
SuspendAllInterrupts/ResumeAllInterrupts pairs and
SuspendOSInterrupts/ResumeOSInterrupts pairs are allowed within this critical section.
The implementation should adapt this service to the target hardware providing a minimum overhead.

This function might be implemented using a global interrupt flag or an interrupt level register.
Particularities and Limitations
>  When using before StartOS, the function osInitialize must be called first to initialize the variables
which are used in the interrupt API.
>  The function must not be used within handlers of non-maskable interrupts as this can violate the
consistancy of internal variables.
Expected Caller Context
>  --
Table 6-12   SuspendAllInterrupts
6.4.1.5
ResumeOSInterrupts
Prototype
void ResumeOSInterrupts ( void )
Parameter
--
--
Return code
void
--
Functional Description
This service restores the recognition status of interrupts saved by the SuspendOSInterrupts service.

This service is the counterpart of SuspendOSInterrupts service, which has to have been called before,
and its aim is the completion of the critical section of code. No API service calls beside
SuspendAllInterrupts/ResumeAllInterrupts pairs and
SuspendOSInterrupts/ResumeOSInterrupts pairs are allowed within this critical section.
The implementation should adapt this service to the target hardware providing a minimum overhead.
SuspendOSInterrupts/ResumeOSInterrupts can be nested. In case of nesting pairs of the calls
SuspendOSInterrupts and ResumeOSInterrupts the interrupt recognition status saved by the first
call of SuspendOSInterrupts is restored by the last call of the ResumeOSInterrupts service.

This function might be implemented using a global interrupt flag or an interrupt level register
2015, Vector Informatik GmbH
Version: 9.01
74 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Particularities and Limitations
>  When using before StartOS, the function osInitialize must be called first to initialize the variables
which are used in the interrupt API.
>  The function must not be used within handlers of non-maskable interrupts as this can violate the
consistancy of internal variables.
Expected Caller Context
>  --
Table 6-13   ResumeOSInterrupts
6.4.1.6
SuspendOSInterrupts
Prototype
void SuspendOSInterrupts ( void )
Parameter
--
--
Return code
void
--
Functional Description
This service saves the recognition status of interrupts of category 2 and disables the recognition of these
interrupts.

This service is intended to protect a critical section of code. This section shall be finished by calling the
ResumeOSInterrupts service. No API service calls beside
SuspendAllInterrupts/ResumeAllInterrupts pairs and
SuspendOSInterrupts/ResumeOSInterrupts pairs are allowed within this critical section.

The implementation should adapt this service to the target hardware providing a minimum overhead.
It is intended only to disable interrupts of category 2. However, if this is not possible in an efficient way
more interrupts may be disabled.

This function might be implemented using a global interrupt flag or an interrupt level register.
Particularities and Limitations
>  When using before StartOS, the function osInitialize must be called first to initialize the variables
which are used in the interrupt API.
>  The function must not be used within handlers of non-maskable interrupts as this can violate the
consistancy of internal variables.
2015, Vector Informatik GmbH
Version: 9.01
75 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Expected Caller Context
>  --
Table 6-14   SuspendOSInterrupts
6.4.2
Resource Management
The affected functions are:
>  GetResource
>  ReleaseResource
The implementation specific behaviour is of these functions is described in [4].
6.4.2.1
GetResource
Prototype
StatusType GetResource ( ResourceType ResID )
Parameter
ResID
Reference to resource
Return code
E_OK
No error
E_OS_ID
Resource ResID is invalid
E_OS_ACCESS
Attempt to get a resource which is already occupied by any task or ISR, or the
statically assigned priority of the calling task or interrupt routine is higher than
the calculated ceiling priority.
2015, Vector Informatik GmbH
Version: 9.01
76 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Functional Description
This call serves to enter critical sections in the code that are assigned to the resource referenced by
ResID. A critical section shall always be left using ReleaseResource.

Nested resource occupation is only allowed if the inner critical sections are completely executed within the
surrounding critical section (strictly stacked, Restrictions when using resources). Nested occupation of one
and the same resource is also forbidden!

It is recommended that corresponding calls to GetResource and ReleaseResource appear within the
same function.

It is not allowed to use services which are points of rescheduling for non preemptable tasks
(TerminateTask, ChainTask, Schedule and WaitEvent) in critical sections. Additionally, critical
sections are to be left before completion of an interrupt service routine.

Generally speaking, critical sections should be short.
The service may be called from an ISR and from task level.

Depending on the possibility to manipulate interrupt levels, this function may be used on interrupt level or
not and may be implemented differently.
If used on task level, the behavior and functionality is always the same (according to the specification).
Particularities and Limitations
>  --
Expected Caller Context
>  Task level or cat2 ISR
Table 6-15   GetResource
6.4.2.2
ReleaseResource
Prototype
StatusType ReleaseResource ( ResourceType ResID )
Parameter
ResID
Reference to resource
Return code
E_OK
No error
E_OS_ID
Resource ResID is invalid
E_OS_NOFUNC
Attempt to release a resource which is not occupied by any task or ISR, or
another resource shall be released before.
E_OS_ACCESS
Attempt to release a resource that has a lower ceiling priority than the
statically assigned priority of the calling task or interrupt routine.
2015, Vector Informatik GmbH
Version: 9.01
77 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Functional Description
ReleaseResource is the counterpart of GetResource and serves to leave critical sections in the code that
are assigned to the resource referenced by ResID.

For information on nesting conditions, see particularities of GetResource.

The service may be called from an ISR and from task level.

Depending on the possibility to manipulate interrupt levels, this function may be used on interrupt level or
not and may be implemented differently.
If used on task level, the behavior and functionality is always the same (according to the specification).
Particularities and Limitations
>  --
Expected Caller Context
>  Task level or cat2 ISR
Table 6-16   ReleaseResource
6.4.3
Execution Control
The affected functions are:
>  StartOS
>  ShutdownOS
The implementation specific behavior is of these functions is described in [4].
6.4.3.1
StartOS
Prototype
void StartOS ( AppModeType Mode )
Parameter
Mode
application mode
Return code
void
--
Functional Description
The user can call this system service to start the operating system in a specific mode.

Only allowed outside of the operating system, therefore implementation specific restrictions may apply.

After calling StartOS the program never returns to the call level of StartOS.
Particularities and Limitations
>  --
2015, Vector Informatik GmbH
Version: 9.01
78 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Expected Caller Context
>  C main function
Table 6-17   StartOS

6.4.3.2
ShutdownOS
Prototype
void ShutdownOS ( StatusType Error )
Parameter
Error
error occurred
Return code
void
--
Functional Description
The user can call this system service to abort the overall system (e.g. emergency off). The operating
system also calls this function internally, if it has reached an undefined internal state and is no longer ready
to run.

If a ShutdownHook is configured the hook routine ShutdownHook is always called (with Error as
argument) before shutting down the operating system.

If ShutdownHook returns, further behaviour of ShutdownOS is implementation specific.

In case of a system where OSEK OS and OSEKtime OS coexist, ShutdownHook has to return.

Error needs to be a valid error code supported by OSEK OS. In case of a system where OSEK OS and
OSEKtime OS coexist, Error might also be a value accepted by OSEKtime OS. In this case, if enabled by
an OSEKtime configuration parameter, OSEKtime OS will be shut down after OSEK OS shutdown.

After this service the operating system is shut down.
Allowed at task level, ISR level, in ErrorHook and StartupHook, and also called internally by the
operating system.
If the operating system calls ShutdownOS it never uses E_OK as the passed parameter value.

After the call of ShutdownHook MICROSAR OS disables all interrupts and will never return to the call
level. The ShutdownHook is called with disabled interrupts.
Particularities and Limitations
>  --
2015, Vector Informatik GmbH
Version: 9.01
79 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Expected Caller Context
> --
Table 6-18 ShutdownOS
6.5
Hook Routines
MICROSAR OS calls several hook routines. These may be hook routines as described in
the OSEK or Autosar standard. Additionally, MICROSAR provides Hook routines for ISR
entry/exit, Alarm time and timing supervision (MICROSAR OS Timing Hooks).
These hook routines are described in the subchapters below.
The subchapters describe the prototypes of the called hook routines and their calling
contexts. The current stack in the hook routines is implementation specific and described
in [4].
6.5.1
Standard Hooks
The hook routines described in the subchapters are defined by the OSEK and Autosar
standards.
All these hook routines need to be implemented by the user if they are enabled in the
configuration. The OS calls these hook routines with interrupts disabled (if not stated
otherwise).
6.5.1.1
StartupHook
Prototypes
void StartupHook ( void ) /* general startup hook */
void StartupHook_<App> ( void ) /* application specific startup hook */
Parameter
--
--
Return code
void
--
Functional Description
The user may call the initialization routines for hardware drivers.
Particularities and Limitations
> --
Call Context
> interrupt or task context
> The StartupHook routine is called while the operating system is initialized.
Table 6-19 StartupHook
2015, Vector Informatik GmbH
Version: 9.01
80 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

6.5.1.2
PreTaskHook
Prototype
void PreTaskHook ( void )
Parameter
--
--
Return code
void
--
Functional Description
The user can use the API function GetTaskID to determine the new task.
Particularities and Limitations
>  The PreTaskHook may only be configured for debugging purpose in MICROSAR OS SafeContext, see
[9].
Call Context
>  interrupt or task context
>  PreTaskHook is called after a task is set into the RUNNING state (not into the READY state).
>  For particularities of using PreTaskHook when using timing protection, please see [4]
Table 6-20   PreTaskHook
6.5.1.3
PostTaskHook
Prototype
void PostTaskHook ( void )
Parameter
--
--
Return code
void
--
Functional Description
The user can use the API function GetTaskID to determine the currently left task.
Particularities and Limitations
>  The PostTaskHook may only be configured for debugging purpose in MICROSAR OS SafeContext, see
[9].
Call Context
>  interrupt or task context
>  PostTaskHook is called before a task is taken out of the RUNNING state.
>  For particularities of using the PostTaskHook when using timing protection, please see [4]
Table 6-21   PostTaskHook

2015, Vector Informatik GmbH
Version: 9.01
81 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

6.5.1.4
ErrorHook
Prototype
void ErrorHook ( StatusType ErrorCode ) /* general error hook */
void ErrorHook_<App> ( StatusType ErrorCode ) /* appl. spec. error hook */
Parameter
ErrorCode
Error code of API which detected the error and called the error hook
Return code
void
--
Functional Description
The user may use the error number parameter to decide how to react on the error.

Additional error information is available in the error hook if the attributes USEGETSERVICEID and
USEPARAMETERACCESS are set to TRUE. This information can be accessed by access macros; for details
refer to the OSEK specification [3]. All possible access macros are supported by MICROSAR OS.

If EXTENDED_STATUS is enabled and ErrorInfoLevel is set to Modulnames, additional error
information is available in the ErrorHook. The variable osActiveTaskModule is a pointer to the module
name and the variable osActiveTaskLineNumber is the line number in the C module where the API
function was called. Inspecting these two variables allows the user to locate the source code that caused
the error message.

Particularities and Limitations
> --
Call Context
> interrupt or task context
> ErrorHook is called every time an API function is called with wrong parameters or if the system detects
an error (e.g. stack overflow).
Table 6-22 ErrorHook
6.5.1.5
ShutdownHook
Prototype
void ShutdownHook ( StatusType ErrorCode ) /* general shutdown hook */
void ShutdownHook_<App> (StatusType ErrorCode) /* appl. spec. shutdown hook */
Parameter
ErrorCode
Error code of API that detected the error and called the shutdown hook, or the
parameter that was passed to ShutdownOS.
Return code
void
--
2015, Vector Informatik GmbH
Version: 9.01
82 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Functional Description
The ShutdownHook is called by ShutdownOS
Particularities and Limitations
>  --
Call Context
>  interrupt or task context
>  The system calls the ShutdownHook routine if the function ShutdownOS was called.
Table 6-23   ShutdownHook
6.5.1.6
ProtectionHook
Prototype
ProtectionReturnType ProtectionHook ( StatusType Fatalerror )
Parameter
Fatalerror
depending on the detected protection error
Return code
ProtectionReturnType
The return value determines the strategy of further operation
Functional Description
Called on occurrence of a protection error. The application code has to decide about the recovery strategy
and pass an appropriate return value to the OS.
Particularities and Limitations
>  In the scalability class SC1, no call of the ProtectionHook is supported.
Call Context
>  interrupt or task context
>  The ProtectionHook is called if a TimingProtection failure (SC2, SC4), a memory protection failure
(SC3, SC4), or processor exception (e.g. division by zero, illegal instruction etc.) is detected by
MICROSAR OS.
Table 6-24   ProtectionHook
6.5.2
ISR Hooks
6.5.2.1
UserPreISRHook
Prototype
Void UserPreISRHook ( ISRType isr )
Parameter
Isr
The identifier of the ISR that is about to be entered
Return code
Void
--
2015, Vector Informatik GmbH
Version: 9.01
83 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Functional Description
Called just before entering an ISR routine of a category 2 interrupt.
This Hook is intended to be used as a development aid. For example, it may be used to measure interrupt
run times.
This Hook is only available if the attribute CallISRHooks is set to TRUE. Note that this is allowed only for
debugging purpose in MICROSAR OS SafeContext, see [9].
Particularities and Limitations
>  Only API functions that are allowed in cat2 ISRs are allowed to be called in the UserPreISRHook.
Call Context
>  The UserPreISRHook runs in the exact same context as the ISR that is executed afterwards. This
includes settings for interrupt nesting, timing protection, timing measurement and memory protection.
>  All OS API functions, incl. GetISRID(), GetApplicationID(), CheckObjectAccess() etc, work just as if
called from within the ISR
Table 6-25   UserPreISRHook
6.5.2.2
UserPostISRHook
Prototype
Void UserPostISRHook ( ISRType isr )
Parameter
Isr
The identifier of the ISR that was just left
Return code
Void
--
Functional Description
Called just after leaving an ISR routine of a category 2 interrupt.
This Hook is intended to be used as a development aid. For example, it may be used to measure interrupt
run times.
This Hook is only available if the attribute CallISRHooks is set to TRUE. Note that this is allowed only for
debugging purpose in MICROSAR OS SafeContext, see [9].
Particularities and Limitations
The UserPostISRHook is called only after a regular return from the ISR routine. In particular:
>  If an ISR is interrupted by a higher priority ISR, the UserPostISRHook is not called before entering the
new ISR.
>  If an ISR is killed, the UserPostISRHook is not called.
>  Only API functions that are allowed in cat2 ISRs are allowed to be called in the UserPostISRHook.
Call Context
>  The UserPreISRHook runs in the exact same context as the ISR that was just executed. This includes
settings for interrupt nesting, timing protection, timing measurement and memory protection.
>  All OS API functions, incl. GetISRID(), GetApplicationID(), CheckObjectAccess() etc, work just as if
called from within the ISR
Table 6-26   UserPostISRHook
2015, Vector Informatik GmbH
Version: 9.01
84 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

6.5.3
Alarm Hook
6.5.3.1
PreAlarmHook (currently not supported)
Prototype
void PreAlarmHook_<CounterName> (void)
Parameter
void
--
Return code
void
--
Functional Description
Called in the timer ISR just before the alarm handling of the OS.
This Hook is only available if the timer attribute PreAlarmHook is set to TRUE
Particularities and Limitations
> Note that this feature is currently not supported. It will be available in future releases.
> Only API functions that are allowed in cat2 ISRs are allowed to be called in the PreAlarmHook.
> The execution time of the PreAlarmHook is not considered by the timing protection.
Call Context
> The PreAlarmHook runs in the same context as the system timer ISR. If an owner application is
configured, the system timer ISR and the PreAlarmHook is executed with the application rights of this
owner application.
> Interrupts of category 2 are disabled during the execution of the PreAlarmHook.
Table 6-27 PreAlarmHook
6.5.4
MICROSAR OS Timing Hooks
MICROSAR OS supports timing measurement and analysis by external tools. Therefor it
provides timing hooks. Timing hooks inform the external tools about several events within
the OS:

Activation (arrival) of a task or ISR

Context switch

Locking of interrupts, resources or spinlocks
This documentation presents the respective hook routines in separate subchapters below.
The OS calls Timing hooks only if the user has configured them as described in Table 7-1,
attribute TimingHooks. The user shall implement the hooks as macros in the configured
header file. The OS provides empty definitions of these hooks. It uses the empty definition
of a hook in case of an unavailable definition by the user. Because of the empty definition,
the user needs not to implement all hooks.
2015, Vector Informatik GmbH
Version: 9.01
85 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

6.5.4.1
Hooks for arrival
MICROSAR OS prvides hooks that allow an external tool to trace all activations of task as
well  as  further  arrivals  like  the  setting  of  an  event  or  the  release  of  a  semaphore  with
transfer to another task.
This shall allow the external tool to visualize the arrivals and to measure the time between
them in order to allow a schedulability analysis.
Mind that  schedulability analysis requires  the minimum time between arrivals while these
hooks only provide measured values.
6.5.4.1.1
OS_VTH_ACTIVATION
Prototype
OS_VTH_ACTIVATION( TaskId, DestCoreId, CallerCoreId)
Parameter
TaskId
Identifier of the task which is activated
DestCoreId
Identifier of the core on which the task is activated
CallerCoreId
Identifier of the core which performs the activation (has called ActivateTask,
has called TerminateTask or has performed an alarm/schedule table action to
activate a task)
Return code
-
-
Functional Description
This hook is called on the caller core when that core has successfully performed the activation of TaskId on
the destination core. On single core systems both core IDs are always identical.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-28   OS_VTH_ACTIVATION
6.5.4.1.2
OS_VTH_SETEVENT
Prototype
OS_VTH_SETEVENT( TaskId, EventMask, StateChange, DestCoreId, CallerCoreId)
Parameter
TaskId
Identifier of the task which receives this event
EventMask
A bit mask with the events which shall be set
2015, Vector Informatik GmbH
Version: 9.01
86 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

StateChange
TRUE: The task state has changed from WAITING to READY
FALSE: The task state hasn’t changed
DestCoreId
Identifier of the core on which the task receives the event
CallerCoreId
Identifier of the core which performs the event setting (has called SetEvent or
performed an alarm/schedule table action to set an event)
Return code
-
-
Functional Description
This hook is called on the caller core when that core has successfully performed the event setting on the
destination core. On single core systems both core IDs are always identical.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-29   OS_VTH_SETEVENT
6.5.4.1.3
OS_VTH_TRANSFER_SEMA
Prototype
OS_VTH_TRANSFER_SEMA( FromThreadId, ToTaskId, SemaId, DestCoreId, CallerCoreId)
Parameter
FromThreadId
Identifier of the thread (task; ISR) which releases the semaphore
ToTaskId
Identifier ot the task which receives the semaphore
SemaId
Identifier of the semaphore to be transferred
DestCoreId
Identifier of the core on which the task igets the semaphore
CallerCoreId
Identifier of the core which releases the semaphore
Return code
-
-
Functional Description
This hook is called on the caller core when that core has successfully performed release of the semaphore
while a task was waiting for that semaphore. On single core systems both core IDs are always identical.
2015, Vector Informatik GmbH
Version: 9.01
87 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The semaphore feature is optional, so this macro may not be necessary on all implementations of
MICROSAR OS.
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-30   OS_VTH_TRANSFER_SEMA
6.5.4.2
Hook for context switch
MICROSAR  OS  provides  a  hook  routine  allowing  external  tools  to  trace  all  context
switches  from  task  to  ISR  and  back  as  well  as  between  tasks.  So  external  tools  may
visualize the information or measure the execution time of tasks and ISRs.
Mind that measured values may not reflect the worst case, which would be necessary for
schedulability analysis.
6.5.4.2.1
OS_VTH_SCHEDULE
Prototype
OS_VTH_SCHEDULE( FromThreadId, FromThreadReason,
ToThreadId, ToThreadReason,
CallerCoreId )
Parameter
FromThreadId
Identifier of the thread (task, ISR) which has run on the caller core before the
switch took place
FromThreadReason
OS_VTHP_TASK_TERMINATION: The thread is a task, which has just been
terminated.
OS_VTHP_ISR_END: The thread is an ISR, which has reached its end.
OS_VTHP_TASK_WAITEVENT: The thread is a task, which waits for an
event.
OS_VTHP_TASK_WAITSEMA: The thread is a task, which waits tor the
release of a semaphore.
OS_VTHP_THREAD_PREEMPT: The thread is interrupted by another one,
which has higher priority.
ToThreadId
The identifier of the thread, which will run from now on
2015, Vector Informatik GmbH
Version: 9.01
88 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

ToThreadReason
OS_VTHP_TASK_ACTIVATION: The thread is a task, which was activated.
OS_VTHP_ISR_START: The thread is an ISR, which will now start execution.
OS_VTHP_TASK_SETEVENT: The thread is a task, which has just received
an event it was waiting for. It resumes execution right behind the call of
WaitEvent.
OS_VTHP_GOTSEMA: The thread is a task, which has just got the
semaphore it was waiting for.
OS_VTHP_THREAD_RESUME: The thread is a task or ISR, which was
preempted before and becomes running again as all higher priority tasks and
ISRs do not run anymore.
CallerCoreId
Identifier of the core which performs the thread switch
Return code
-
-
Functional Description
This hook is called on the caller core when that core in case it performs a thread switch (from one task or
ISR to another task or ISR). On single core systems both core IDs are always identical.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
Call context
>  The hook routine is called from within operating system internal functions with interrupts disabled.
Table 6-31   OS_VTH_SCHEDULE

6.5.4.3
Hooks for locking
MICROSAR  OS  provides  hooks,  which  allow  an  external  tool  to  trace  locks.  This  is
important  as  locking  times  of  tasks  and  ISRs  influence  the  exectution  of  other  tasks  and
ISRs.  The  kind  of  influence  is  different  for  different  locks  and  is  presented  below  in  the
functional description of the respective hooks.
Please keep in mind that measured times for locking may not reflect the worst case.
6.5.4.3.1
OS_VTH_GOT_RES
Prototype
OS_VTH_GOT_RES( ResId, CallerCoreId)
Parameter
ResId
Identifier of the resource which has been taken
CallerCoreId
Identifier of the core where GetResorce was called
2015, Vector Informatik GmbH
Version: 9.01
89 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Return code
-
-
Functional Description
The OS calls this hook on a successful call of the API function GetResource. The priority of the calling task
or ISR has been increased so that other tasks and ISRs on the same core may need to wait until they can
be executed.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-32   OS_VTH_GOT_RES
6.5.4.3.2
OS_VTH_REL_RES
Prototype
OS_VTH_REL_RES( ResId, CallerCoreId)
Parameter
ResId
Identifier of the resource which has been released
CallerCoreId
Identifier of the core where ReleaseResorce was called
Return code
-
-
Functional Description
The OS calls this hook on a successful call of the API function ReleaseResource. The priority of the calling
task or ISR has been decreased so that other tasks and ISRs on the same core may become running as a
result.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-33   OS_VTH_REL_RES
6.5.4.3.3
OS_VTH_REQ_SPINLOCK
Prototype
OS_VTH_REQ_SPINLOCK( SpinlockId, CallerCoreId)
2015, Vector Informatik GmbH
Version: 9.01
90 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Parameter
SpinlockId
Identifier of the spinlock which has been requested
CallerCoreId
Identifier of the core where GetSpinlock was called
Return code
-
-
Functional Description
The OS calls this hook on an unsuccessfull attempt to get a spinlock. The calling task or ISR enters a busy
waiting state. Tasks or ISRs of lower priority have to wait until this task or ISR has taken and released the
spinlock.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The hook is not called for optimized spinlocks
>  The hook is not called for operating system internal spinlocks
>  The hook is called only on multicore operating system implementations
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-34   OS_VTH_REQ_SPINLOCK

6.5.4.3.4
OS_VTH_GOT_SPINLOCK
Prototype
OS_VTH_GOT_SPINLOCK( SpinlockId, CallerCoreId)
Parameter
SpinlockId
Identifier of the spinlock which has been taken
CallerCoreId
Identifier of the core where GetSpinlock or TryToGetSpinlock were called
Return code
-
-
Functional Description
The OS calls this hook whenever a spinlock has successfully been taken. If the task or ISR was not
successful immediately (entered busy waiting state), this hook means that it leaves the busy waiting state.
From now on no other task or ISR may get the spinlock until the current task or ISR has released it.
2015, Vector Informatik GmbH
Version: 9.01
91 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The hook is not called for optimized spinlocks
>  The hook is not called for operating system internal spinlocks
>  The hook is called only on multicore operating system implementations
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-35   OS_VTH_GOT_SPINLOCK

6.5.4.3.5
OS_VTH_REL_SPINLOCK
Prototype
OS_VTH_REL_SPINLOCK( SpinlockId, CallerCoreId)
Parameter
SpinlockId
Identifier of the spinlock which has been released
CallerCoreId
Identifier of the core where ReleaseSpinlock was called
Return code
-
-
Functional Description
The OS calls this hook on a release of a spinlock. Other tasks and ISR may take the spinlock now.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The hook is not called for optimized spinlocks
>  The hook is not called for operating system internal spinlocks
>  The hook is called only on multicore operating system implementations
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-36   OS_VTH_REL_SPINLOCK
2015, Vector Informatik GmbH
Version: 9.01
92 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

6.5.4.3.6
OS_VTH_TOOK_SEMA
Prototype
OS_VTH_TOOK_SEMA( TaskId, SemaId, CallerCoreId)
Parameter
TaskId
Identifier of the task which has taken the semaphore
SemaId
Identifier of the semaphore which has been taken
CallerCoreId
Identifier of the core where GetSemaphore was called
Return code
-
-
Functional Description
The OS calls this hook in the API function GetSemaphore if the semaphore was free before the call. If the
semaphore was held by another task, the current task is transferred to the waiting state, which is signaled
to the external tool by means of the OS_VTH_SCHEDULE hook as described in chapter 6.5.4.2.1.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The semaphore feature is optional, so this macro may not be necessary on all implementations of
MICROSAR OS.
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-37   OS_VTH_TOOK_SEMA

6.5.4.3.7
OS_VTH_REL_SEMA
Prototype
OS_VTH_REL_SEMA( ThreadId, SemaId, CallerCoreId)
Parameter
ThreadId
Identifier of the task or ISR which has released the semaphore
SemaId
Identifier of the semaphore which has been released
CallerCoreId
Identifier of the core where ReleaseSemaphore was called
Return code
-
-
2015, Vector Informatik GmbH
Version: 9.01
93 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Functional Description
The OS calls this hook in the API function ReleaseSemaphore if the semaphore becomes free after the
call. If a task is currently waiting for the semaphore, the API function GetSemaphore calls
OS_VTH_TRANFER_SEMA instead, as described in chapter 6.5.4.1.3.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The semaphore feature is optional, so this macro may not be necessary on all implementations of
MICROSAR OS.
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-38   OS_VTH_REL_SEMA
6.5.4.3.8
OS_VTH_DISABLEDINT
Prototype
OS_VTH_DISABLEDINT( IntLockId, CallerCoreId)
Parameter
IntLockId
OS_VTHP_CAT2INTERRUPTS: Interrupts have been disabled by means of
the current interrupt level. That interrupt level has been changed in order to
disable all category 2 interrupts, which also prevents task switch and
alarm/schedule table management.
OS_VTHP_ALLINTERRUPTS: Interrupts have been disabled by means of the
global interrupt enable/disable flag. Additionally to the effects described above,
also category 1 interrupts are disabled.
CallerCoreId
Identifier of the core where interrupts are disabled
Return code
-
-
Functional Description
The OS calls this hook if the application has called an API function to disable interrupts. The parameter
IntLockId describes whether category 1 interrupts may still occur.
Mind that the two types of interrupt locking (as described by the IntLockId) are independent from each other
so that the hook may be called twice before the hook OS_VTH_ENABLEDINT is called, dependent on the
application.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The hook is not called for operating system internal interrupt locks
2015, Vector Informatik GmbH
Version: 9.01
94 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-39   OS_VTH_DISABLEDINT
6.5.4.3.9
OS_VTH_ENABLEDINT
Prototype
OS_VTH_ENABLEDINT( IntLockId, CallerCoreId)
Parameter
IntLockId
OS_VTHP_CAT2INTERRUPTS: Interrupts had been disabled by means of the
current interrupt level until this hook was called. The OS releases this lock
right after the hook has returned.
OS_VTHP_ALLINTERRUPTS: Interrupts had been disabled by means of the
global interrupt enable/disable flag before this hook was called. The OS
releases this lock right after the hook has returned.
CallerCoreId
Identifier of the core where interrupts are disabled
Return code
-
-
Functional Description
The OS calls this hook if the application has called an API function to enable interrupts.
Mind that the two types of interrupt locking (as described by the IntLockId) are independent from each other
so that interrupts may still be disabled by means of the other locking type after this hook has returned.
Particularities and Limitations
>  The hook is expected to be implemented as a macro.
>  Reentrancy is possible on multicore systems with different caller core IDs
>  Call of any operating system API function is prohibited in this hook routine
>  The hook is not called for operating system internal interrupt locks
Call context
>  The hook routine is called from within operating system API functions with interrupts disabled.
Table 6-40   OS_VTH_ENABLEDINT
6.6
Non-Trusted Functions
Non-trusted functions  are  a  VECTOR  extension to  the AUTOSAR OS  specification. This  concept
allows non-trusted applications to provide service functions, which are callable by trusted or non-
trusted tasks and ISRs, comparable to the AUTSAR OS API CallTrustedFunction.
6.6.1
Functionality
The  OS  executes  Non-trusted  functions  with  the  memory  access  rights  and  service  protection
rights  of  the  owner  application.  These  functions  can  access  local  data  of  the  owner  application
2015, Vector Informatik GmbH
Version: 9.01
95 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

without the possibility to overwrite private data of other applications. Non-trusted functions have no
access to the data on the callers stack.
6.6.2
API
Prototype
StatusType osCallNonTrustedFunction(NonTrustedFunctionIndexType FunctionIndex,
NonTrustedFunctionParameterRefType FunctionParams);
Parameter
FunctionIndex
Index of the function to be called.
FunctionParams
Pointer to the parameters for the function to be called. If no parameters are provided,
a NULL pointer has to be passed.
Return code
E_OK
No error
E_OS_SERVICEID No function defined for this index
Functional Description
Executes the non-trusted function referenced by FunctionIndex and passes argument FunctionParams.
The non-trusted function must conform to the following C prototype:
void NONTRUSTED_<name of the non-trusted function(NonTrustedFunctionIndexType,
NonTrustedFunctionParameterRefType);
The arguments are the same as the arguments of CallNonTrustedFunction.
Particularities and Limitations
> The non-trusted function is called in user mode with memory protection enabled
> The function has memory access rights of the owner application
> The function has the service protection rights of the owner application
Call context
> Task, CAT2 ISR, trusted function, non-trusted function
Table 6-41 API osCallNonTrustedFunction

Note
Vector MICROSAR OS implementations offer the possibility of stub function generation
for trusted functions. This mechanism is not available for non-trusted functions.

6.7
MPU Access Checking API
MISCROSAR OS provides API, which returns whether the caller has access to a given
adderss.
Prototype
uint8 osCheckMPUAccess(uint8* DestinationAddress)
2015, Vector Informatik GmbH
Version: 9.01
96 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Parameter
DestinationAddress
The address to be checked for access
Return code
uint8
0: Current Software part has write access
1: Current Software part has no write access
Particularities and Limitations
>  The value of DestinationAddress may be temporarly altered within this function (depending on the
platform).
>  Due to data consistency, the function should not be used on addresses, which are shared among cores.
>  A protection violation may occur during this function. But this protection violation does not lead to a
shutdown of the OS
>  This function cannot be called prior to StartOS
Call context
>  ProtectionHook
>  Task trusted/non-trusted
>  ISR Cat2 trusted/non-trusted
>  ErrorHook
>  ShutdownHook,
>  trusted function
>  non trusted function
>  StartupHook
Table 6-42   osCheckMPUAccess API
6.8
Peripheral Regions
On  some  platforms,  there  are  memory  mapped  hardware  registers,  which  are  only
accessible  in  privileged  mode.  To  access  this  kind  of  registers  even  in  non-trusted
applications (i.e. non-privileged mode), MICROSAR OS provides Peripheral Regions.
To access such registers you have to configure a Peripheral Region and pass it’s ID to the
Peripheral  Region API.  The  OS  checks  whether  the  caller  has  access  to  this  region  and
performs the requested access operation.
The OS provides access functions for the following access types: 8, 16, and 32 bit.
6.8.1
Reading functions
Prototype
osuint8 osReadPeripheral8(osuint16 area, osuint32 address)
osuint16 osReadPeripheral16(osuint16 area, osuint32 address)
osuint32 osReadPeripheral32(osuint16 area, osuint32 address)
2015, Vector Informatik GmbH
Version: 9.01
97 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Parameter
area
Identifier of peripheral regions to the read from
address
Address to be read from
Return code

The content of “address” interpreted as 8 bit, 16 bit or 32 bit value
Functional Description
>  reads either an 8 bit, or a 16 bit or a 32 bit value from “address”
>  The function performs accessing checks (whether the caller has accessing rights to the peripheral
region and whether the address to be read from is within the configured range of the peripheral region)
>  The error hook is raised in case of an error
>  A shutdown is not issued in case of an error
Particularities and Limitations
>  These functions may not be called from OS hooks
Call context
>  These functions may be called from Task context
>  These functions may be called from category 2 ISR context
>  These functions can be called with interrupts enabled or with interrupts disabled
Table 6-43   ReadPeripheral API
6.8.2
Writing functions
Prototype
void osWritePeripheral8(osuint16 area, osuint32 address, osuint8 value)
void osWritePeripheral16(osuint16 area, osuint32 address, osuint16 value)
void osWritePeripheral32(osuint16 area, osuint32 address, osuint32 value)
Parameter
area
Identifier of peripheral regions to the read from
address
Address to write to
Value
Value to be written
Return code
None

Functional Description
>  Writes to either an 8 bit, or a 16 bit or a 32 bit value
>  The function performs accessing checks (whether the caller has accessing rights to the peripheral
region and whether the address to be read from is within the configured range of the peripheral region)
>  The error hook is raised in case of an error
>  A shutdown is not issued in case of an error
2015, Vector Informatik GmbH
Version: 9.01
98 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Particularities and Limitations
>  These functions may not be called from OS hooks
Call context
>  These functions may be called from Task context
>  These functions may be called from category 2 ISR context
>  These functions can be called with interrupts enabled or with interrupts disabled
Table 6-44   WritePeripheral API
6.8.3
Modifying functions
Prototype
void osModifyPeripheral8(osuint16 area, osuint32 address, osuint8 clearmask,
osuint8 setmask)
void osModifyPeripheral16(osuint16 area, osuint32 address, osuint16 clearmask,
osuint16 setmask)
void osModifyPeripheral32(osuint16 area, osuint32 address, osuint32 clearmask,
osuint32 setmask)
Parameter
area
Identifier of peripheral regions to the read from
address
Address to be modified
clearmask
Bitmask which is bitwise “ANDed” to “address”
setmask
Bitmask which is bitwise “ORed” to “address”
Return code
None

Functional Description
>  The function performs accessing checks (whether the caller has accessing rights to the peripheral
region and whether the address to be read from is within the configured range of the peripheral region)
>  The error hook is raised in case of an error
>  A shutdown is not issued in case of an error
>  After the access checks has passed first the “clearmask” is ANDed to “address” and afterwards the
“setmask” is ORed to it.
Particularities and Limitations
>  These functions may not be called from OS hooks
Call context
>  These functions may be called from Task context
>  These functions may be called from category 2 ISR context
>  These functions can be called with interrupts enabled or with interrupts disabled
Table 6-45   ModifyPeripheral API
2015, Vector Informatik GmbH
Version: 9.01
99 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

7  Configuration
Since  AUTOSAR  OS  3.0.0  specification,  XML  is  used  to  define  and  describe  an  OS
configuration.  However,  OIL  is  still  supported  as  an  alternative  description  language,
especially  if  the  OS  shall  be  used  stand-alone  without  any  other  AUTOSAR  software
modules.
All  OSEK  objects  and  their  attributes  have  to  be  defined  by  one  of  these  description
languages.
7.1
Configuration and generation process
AUTOSAR XML
Code
OIL
Configuration Tool
.xml
Generator
.oil
Configurator
OS source
.c
.c
Configuration
.c
Application
files
.h
.h
files
.h
files
Compile and Link
Executable

Figure 7-1
System overview of software parts
The figure above shows the complete configuration process of a MICROSAR OS. First all
OS  objects  have  to  be  defined.  This  can  be  done  either  by  an  AUTOSAR  XML
configuration tool or by the OIL Configurator (in OIL).
An  OIL or  XML  file  is the  base of  the  code generation process. After  code  generation  all
files  (OS  source  files,  application  files  and  generated  OS  configuration  files)  have  to  be
compiled and linked to an executable.
7.1.1
XML Configuration
A configuration which is based on XML must conform to the AUTOSAR XML schema[8].
To  edit  a  MICROSAR  OS  XML  configuration  the  DaVinci  Configurator  Pro  or  Base  of
Vector  Informatik  GmbH  can  be  used.  Other  tools  that  are  able  to  edit  AUTOSAR
configurations may also be used.
The XML file that the tool produces has to be passed to the code generator to generate the
configuration files.
2015, Vector Informatik GmbH
Version: 9.01
100 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

7.1.2
OIL Configurator
The OIL specification is based on the document "OIL: OSEK Implementation Language –
Version: 2.3” (ref. [6]). Additional Attributes are defined by Vector Informatik GmbH; the
resulting version of OIL is 4.0.
The OIL Configurator is a Windows based program that is used to configure an OSEK
application. The OIL Configurator reads and writes OIL files (OSEK Implementation Lan-
guage). The usage of the OIL Configurator is described in the online help of the OIL Con-
figurator.
The OIL Configurator has separate property tabs for each OSEK object type. Each object
has several standard attributes that are defined in the OIL specification. Additional
attributes that are implementation specific are described in the hardware specific
document [4].
7.2
Configuration Variants
The OS supports the configuration variants
> VARIANT-PRE-COMPILE
The MICROSAR OS system is typically delivered with the source code. The kernel is
implemented in several optimized variants, which are enabled from the OIL Configurator
using C defines. The source code of the operating system has to be compiled if the
configuration has changed. For some implementations, a library version of the operating
system is also supplied. For different configurations, different libraries have to be linked to
the application.
The configuration classes of the OS parameters depend on the supported configuration
variants.
For
their
definitions
please
see
the
OS_<platform
and
derivate>_bswmd.arxml file.
7.3 Configuration of the XML / OIL Attributes
Some of the attributes of an OSEK object are standard for all OSEK implementations, and
some are specific for each implementation.
This chapter describes the attributes the user can set for each OSEK object. Please note
that setting an attribute to TRUE is used as a synonym for selecting it and setting to FALSE
is used as a synonym for deselecting it. The reason is that a selection in the OIL
Configurator corresponds to setting the attribute to TRUE in the OIL file (this can be
checked by opening the OIL file with a normal text editor).

Caution
If a library version of the operating system is used, some attributes or attribute values
 are not available or predefined.
1.

2015, Vector Informatik GmbH
Version: 9.01
101 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

7.3.1
OS
The  OS  object  can only  be  defined  once. The  OS  object  controls  general  aspects  of  the
operating system.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
n.a.
--
>  OIL: Freely selectable name, not used by
the code generator.
>  XML: Not available in XML
Comment
n.a.
--
Any comment.
CC
OsOSCC
ECC2, AUTO  MICROSAR OS SafeContext must always be
configured to support Conformance class
ECC2.
STATUS
OsStatus
EXTENDED
MICROSAR OS SafeContext must always be
configured to support extended status (error)
messages.
SCALABILITY
OsScalabilityClass  SC3, SC4,
MICROSAR OS SafeContext can be ordered in
CLASS
AUTO.
Scalability classes SC3 or SC4. It must be
configured with the ordered Scalability class.
SCHEDULE
OsOSSchedule
MIXED,
MICROSAR OS SafeContext always supports
AUTO
preemptive and non-preemptive tasks, thus
scheduling policy must be configured to mixed
preemptive.
n.a.
OsHooks
hook
>  XML: Used as a container to store hook
routines as
routine information.
stated below  >  OIL: not available
(as
Booleans)
STARTUPHOOK
OsStartupHook
TRUE
The StartupHook is always called at system
startup of a MICROSAR OS SafeContext.

>  XML: This attribute is placed in container
OsHooks
ERRORHOOK
OsErrorHook
TRUE
The ErrorHook is always called if an error
occurs in a MICROSAR OS SafeContext.

>  XML: This attribute is placed in container
OsHooks
SHUTDOWNHOOK  OsShutdownHook  TRUE
The ShutdownHook is always called at
system shutdown of a MICROSAR OS

SafeContext.
>  XML: This attribute is placed in container
OsHooks
PRETASKHOOK
OsPreTaskHook
FALSE
The PreTaskHook is not supported by
MICROSAR OS SafeContext. However, there is
a debug switch to turn it on during
development, see 6.5.1.2 and [9].
>  XML: This attribute is placed in container
OsHooks
2015, Vector Informatik GmbH
Version: 9.01
102 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
POSTTASKHOOK
OsPostTaskHook
FALSE
The PostTaskHook is not supported by
MICROSAR OS SafeContext. However, there is
a debug switch to turn it on during
development, see 6.5.1.3 and [9].
>  XML: This attribute is placed in container
OsHooks
PROTECTIONHOO
OsProtectionHook  TRUE
The ProtectionHook is always called when a
K
protection error is detected in a MICROSAR OS

SafeContext.
>  XML: This attribute is placed in container
OsHooks
CallISRHooks
OsOSCallISRHook FALSE
The UserPreISRHook and
s
UserPostISRHook are not supported by
MICROSAR OS SafeContext. However, there is
a debug switch to turn them on during
development, see 6.5.2.1, 6.5.2.2 and [9].
USEGET
OsUseGetService
TRUE
Access macros for the service ID information
SERVICEID
Id
are always available in the error hook.

USEPARAMETER-
OsUseParameter
FALSE
Access macros for the context related
ACCESS
Access
information in the error hook are not supported
in MICROSAR OS SafeContext.
USERES
OsUseRes
TRUE,
This parameter is available, as the AUTOSAR
SCHEDULER
Scheduler
standard requires it. Since AUTOSAR 4 the
FALSE
resource RES_SCHEDULER was removed as
special case, therefore this attribute is silently
ignored by MICROSAR OS.
STACK
OsStackMonitoring  TRUE
A stack check is performed with each task
MONITORING
switch. See also chapter 3.2.2.3 for details.

StackUsageMeasure OsStackUsageMe
TRUE,
If selected, the stacks are filled with an indicator
ment
asurement
value during StartOS. This allows measuring
FALSE,
the stack usage of tasks and ISRs. See also
AUTO
chapter 3.2.2.5. If AUTO is selected,
StackUsageMeasurement uses the same
setting as STACKMONITORING.
ErrorInfoLevel
OsOSErrorInfo
STANDARD
MICROSAR OS SafeContext will report
Level
standard OSEK error codes and unique error
numbers, but no additional information about
the error location.
OSInternalChecks
OsOSInternal
ADDITIONAL  MICROSAR OS SafeContext will always
Checks
perform all available runtime error checks.
Compiler
OsOSCompiler
Implementatio The compiler can be chosen. If there is only
n specific
one compiler this attribute is also set by default.

ORTIDebug Support  OsOSORTIDebug
TRUE
The OS generator always produces an ORTI.
Support

2015, Vector Informatik GmbH
Version: 9.01
103 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
ORTIDebugLevel
OsOSORTIDebug

MICROSAR OS SafeContext will always
Level
ORTI_22_Add support version 2.2 of the ORTI standard with
itional
all available features.
UserConfigurationV
OsOSUserConfigu
1...65535
Version number of the OS configuration. This
ersion
rationVersion
numeric value is not used by the OS, but
enables the user to track changes in the
configuration and validate the configuration
version actually used in the ECUC. Therefore, it
is suggested to increment this value each time
the OS configuration is modified.
ProtectionHook
OsOSProtection
SELECTED
MICROSAR OS SafeContext does not support
Reaction
HookReaction
forcible termination, thus requires this
parameter to be set to SELECTED.
See chapter 7.3.1.3 for information about the
sub-attributes and required values for
MICROSAR OS SafeContext.
Timing
OsOSTiming
TRUE
MICROSAR OS SafeContext will always
Measurement
Measurement
perform Timing measurement if delivered in

Scalability class SC4.

See chapter 7.3.1.4 for information about the
sub-attributes. Chapter 3.2.4.2 provides more
detailed information about configuration of
timing measurement.
TypeHeader Include OsOSTypeHeader TRUE,
If selected, the AUTOSAR type headers are
Include
included in the file os_cfg.h. This is included in
FALSE
the file os.h, which has to be included in all
source files that use API functions of
MICROSAR OS OSEK/AUTOSAR. The
AUTOSAR type headers are not necessary for
the usage of MICROSAR OS
OSEK/AUTOSAR, so it is safe to deselect this
attribute.
EnumeratedUnhandl OsOSEnumerated
TRUE,
Determines the handling of unassigned
edISRs
UnhandledISRs
interrupt sources. The default of this attribute is
FALSE
FALSE.
FALSE: This is the normal handling for
unassigned interrupt sources. If no interrupt
service routine is defined in OIL for an interrupt
source the corresponding interrupt vector will
be directed to one common unhandled
exception handler. This setting must be chosen
for the final application software.
TRUE: During application development, there
may be interrupts issued by unassigned
interrupt sources. In such case it could be a big
effort to determine the interrupt source. If this
attribute is set to TRUE the interrupt vector of
each unassigned interrupt source will be
directed to an unhandled exception routine. If
an unhandled exception occurs in that case, the
2015, Vector Informatik GmbH
Version: 9.01
104 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
interrupt source which causes this exception
can easily be determined by the variable
“osISRUnhandledException_Number“. The
corresponding interrupt source can be
distinguished by having a look into the interrupt
vector table which normally is generated to
intvect.c. This is a debug feature only and is not
permitted for the final application software
running on a MICROSAR OS SafeContext.
This feature is optional. Please refer to [5] to
find out whether a specific implementation of
MICROSAR OS supports this feature.
ConditionalGenerati
/MICROSAR/Boar
TRUE,
Determines whether the OS code generator
ng
d/BoardGeneral/B
creates the files only if the relevant
FALSE
oardConditionalGe
configuration has been modified since the last
nerating
generator run (ConditionalGenerating = TRUE).
If ConditionalGenerating = FALSE, the OS files
are always generated.
For details about this attribute, see chapter
8.1.3.
Table 7-1
OS attributes
7.3.1.1 ProtectionHookReaction / OsOSProtectionHookReaction
>  MICROSAR OS SafeContext requires this attribute to be set to SELECTED with the
following subattributes:
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
KILLTASKISR
OsOSKILLTASK
FALSE
MICROSAR OS SafeContext does not support
ISR
the return value PRO_TERMINATETASKISR.
KILLAPPL
OsOSKILLAPPL
FALSE
MICROSAR OS SafeContext does not support
the return value PRO_TERMINATEAPPL.
KILLAPPL_
OsOSKILLAPPL_
FALSE
MICROSAR OS SafeContext does not support
RESTART
RESTART
the return value
PRO_TERMINATEAPPL_RESTART.
SHUTDOWN
OsOS
TRUE
PRO_SHUTDOWN is the only return value
SHUTDOWN
supported by MICROSAR OS SafeContext.
Table 7-2
Sub-attributes of ProtectionHookReaction = SELECTED

Caution
Currently MICROSAR OS does not support killing. So only SHUTDOWN should be
  selected!

2015, Vector Informatik GmbH
Version: 9.01
105 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Caution
If the Protection hook returns a value that is not configured by means of the sub-
  attributes of ProtectioHookReaction, the OS performs a Shutdown.

Note
MICROSAR OS allows to use the return values

  PRO_KILLTASKISR,
  PRO_KILLAPPL and
  PRO_KILLAPPL_RESTART
In the protection hook as synonyms for
  PRO_TERMINATETASKISR,
  PRO_TERMINATEAPPL and
  PRO_TERMINATEAPPL_RESTART
as long as no macro OS_SUPPRESS_PROTHOOK_OLD_RET_VALS is defined.

7.3.1.2 TimingMeasurement / OsOSTimingMeasurement
This  Attribute  must  be  set  to  TRUE  for  a  MICROSAR  OS  SafeContext  that  has  been
delivered in Scalability class SC4.
Please see also 3.2.4.2 and 7.3.2.2.
>  If this attribute is set to TRUE, the subattribute GlobalConfig allows to globally override
theTask/ISR settings for Timing Protection and Timing Measurement:
Attribute Name
Values
Description
The default value is written in
OIL
XML
bold
GlobalConfig
OsGlobalConfig  ProtectAndMeasureAll  >  ProtectAndMeasureAll: The OS
AsSelected
provides timing measurement for all tasks
and ISRs regardless of their setting in the
OnlyMeasureAll
attribute TIMING_PROTECTION. Timing
protection however is provided only for all
tasks and ISRs that have the attribute
TIMING_PROTECTION set to TRUE. In
case the subattribute OnlyMeasure is set
to TRUE, that setting is ignored with a
warning. In case the attribute
TIMING_PROTECTION of a task or ISR is
set to FALSE, the OS provides no timing
protection.
>  AsSelected: The os provides timing
protection for a task or ISR if that is
configured, the attribute OnlyMeasure is
honored.
>  OnlyMeasureAll: The OS does not
provide timing protection for any Task or
ISR. Instead, it provides timing
2015, Vector Informatik GmbH
Version: 9.01
106 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value is written in
OIL
XML
bold
measurement for all tasks and ISRs. In
case a task or ISR is configured to have
timing protection and has the subattribute
OnlyMeasure set to FALSE, that setting is
overridden with a warning.
Table 7-3
Sub-attributes of TimingMeasurement = TRUE
7.3.1.3
PeripheralRegion / OsOSPeripheralRegion
OIL Name
XML Name
Values Description
StartAddress
OsOSStartAddress
-
Numeric value
Specifies the start address of the
peripheral region, which shall be
configured.
EndAddress
OsOSEndAddress
-
Numeric value
Specifies the end address of the
peripheral region, which shall be
configured.
Identifier
OsOSIdentifier
-
Area name
Must be a unique C-identifier, which can
be used in an application or BSW module
to access the peripheral region.
ACCESSING_
OsOSAccessingApplication -
Grants access for this Peripheral Region.
APPLICATION
Multiple applications can be defined for
the same Peripheral Region.
Table 7-4
Sub-attributes of PeripheralRegion

Caution
The application is allowed to access memory addresses in the interval of StartAddress
 <= memory to be accessed <= EndAddress
The “EndAddress” value is included! All bytes of a peripheral access must fit into the
peripheral region.

7.3.2
Task
In the section Task all tasks and their attributes have to be defined.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
Short-Name
-
Name of the task. This name is used as an
argument to all task-related OSEK API
2015, Vector Informatik GmbH
Version: 9.01
107 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
functions (e.g. ActivateTask). The task
function (or task body) has to be defined using
the C macro TASK() (which appends the suffix
func to the task name).
Comment
n.a.
--
Any comment.
TYPE
OsTaskTYPE
BASIC,
Type of the task: either BASIC or EXTENDED.
If set to AUTO, the type is calculated based on
EXTENDED,
the settings for events and the activation count.
AUTO
SCHEDULE
OsTaskSchedule
NON,
Scheduling policy for this task.
FULL
PRIORITY
OsTaskPriority
-
The priority of the task. A higher number
represents a higher priority (according to the
OSEK specification). The priority may be set
with gaps, though the gaps will be eliminated by
the code generator. Several tasks may be set
on the same priority level.
ACTIVATION
OsTaskActivation
-
The number of activations that are recorded in
the kernel while the task is possibly running or
delayed by higher priority tasks.
If ACTIVATION is set to a value bigger than 1,
no events can be received.
AUTOSTART
OsTaskAutostart
-
If set to TRUE, the task will be activated at
startup of the operating system. See chapter
7.3.2.1 for details about the sub-attributes.
EVENT
OsTaskEventRef
-
Reference to an event that is used by this task.
This attribute can only be used for extended
tasks (the attribute TYPE might be set to
EXTENDED or AUTO). This attribute can be used
multiply if more than one EVENT has to be
assigned.
If events are used with this task, the attribute
ACTIVATION cannot be bigger than 1.
RESOURCE
OsTaskResource
-
Reference to a resource that is occupied by this
Ref
task. This attribute can be used multiply if more
than one RESOURCE shall be assigned.
StackSize
OsTaskStackSize
-
Task stack size in byte. This attribute is only
available if the implementation supports
configurable task stacks.
TIMING_PROTECTI OsTaskTiming
-
Selects timing protection for the task. See
ON
Protection
chapter 7.3.2.2 for information about the sub-
attributes.
ACCESSING_
OsTaskAccessing
-
Defines access rights of an application for this
APPLICATION
Application
task. This attribute can be defined multiply, so
different applications might have access right to
the same task. This attribute can be used in
2015, Vector Informatik GmbH
Version: 9.01
108 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
scalability classes SC3 and SC4 only.
Table 7-5
Task attributes
7.3.2.1 AUTOSTART / OsTaskAutostart
>  OIL: If attribute set to FALSE:
No sub-attributes.
>  XML: If this container is not present:
AUTOSTART switched off.
>  If attribute is set to TRUE:
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
APPMODE
OsTaskAppMode
-
Defines an application mode in which the task
Ref
is started in automatically. This attribute might
be defined several times to start the task in
different application modes.
Table 7-6
Sub-attributes of TASK->AUTOSTART=TRUE
7.3.2.2 TIMING_PROTECTION / OsTaskTimingProtection
Please  note  that  TIMING_PROTECTION  =  TRUE  can  only  be  selected  for  a  MICROSAR
OS SafeContext that has been delivered in Scalability class SC4.
>  If attribute is set to FALSE:
No sub-attributes.
>  If this attribute is not defined in XML:
Timing protection is switched off.
The value of this attribute might be overridden by the OS attribute TimingMeasurement,
as described in chapters 7.3.1.4 and 3.2.4.2
>  If attribute is set to TRUE:
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
EXECUTION
OsTaskExecution
-
Defines the maximum execution time for the
BUDGET
Budget
task
TIMEFRAME
OsTaskTimeFrame  -
Defines the minimum time between task
activations
MAXOS
OsTaskOsInterrupt -
Maximum time OS interrupts are locked (by
2015, Vector Informatik GmbH
Version: 9.01
109 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
INTERRUPT
LockBudget
SuspendOSInterrupts)
LOCKTIME
MAXALL
OsTaskAllInterrupt
-
Maximum time ALL interrupts are locked (by
INTERRUPT
LockBudget
SuspendAllInterrupts or
LOCKTIME
DisableAllInterrupts)
LOCKINGTIME =
OsTaskResource
-
Is intended to be a container for sub-attributes
RESOURCELOCK
Lock
concerning the locking time of resources
LOCKINGTIME =
Inside the
-
The resource for which the locking time is
RESOURCELOCK/
container
specified.
RESOURCE
OsTaskResource
Lock:
OsTaskResource
LockResourceRef
LOCKINGTIME =
Inside the
-
Maximum time the resource is locked (by
RESOURCELOCK/
container
GetResource)
RESOURCELOCK
OsTaskResource
TIME
Lock:
OsTaskResource
LockBudget
OnlyMeasure
OsOnlyMeasure
TRUE
If set to FALSE, timing values of this task are
measured and violations against the configured
FALSE
values lead to a call of the ProtectionHook. If
set to TRUE, the timing values are still
measured but no call of the ProtectionHook
occurs.
Table 7-7
Sub-attributes of TASK-> TIMING_PROTECTION=TRUE
7.3.2.3
Task attributes concerning the timing analyzer
The following attributes have to be used when working with the timing analyzer tool. They
are used as input for this tool.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
ComputationTime
OsTask
-
The worst case execution time (in
ComputationTime
nanoseconds)
Period
OsTaskPeriod
-
The minimum activation period of the task (in
nanoseconds)
Deadline
OsTaskDeadline
-
The deadline of the task (in nanoseconds)
PRIORITY
OsTaskPriority
-
Priority of the task
UseResource
OsTaskUse
-
If set to TRUE the occupation of resources can
Occupation
Resource
be taken into consideration by the analysis tool.
Occupation
UseResource
OsTaskUse
-
Reference to the resource that is occupied.
Occupation=TRUE/
Resource
2015, Vector Informatik GmbH
Version: 9.01
110 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Resource
Occupation
=TRUE/OsTask
Resource
UseResource
OsTaskUse
-
Maximum
resource
occupation
time
(in
Occupation=TRUE/
Resource
nanoseconds)
OccupationTime
Occupation
=TRUE/OsTask
OccupationTime
Table 7-8
Task attributes concerning the timing analyzer
7.3.3
Counter
The Counter container provides the following configuration attributes.
Attribute Name
Values
Description
The default
OIL
XML
value is written
in bold
Name
Short-Name
-
Name of the counter. This name is used
for the Alarm configuration.
Comment
n.a.

Any comment.
MINCYCLE
OsCounterMinCycle
-
This attribute specifies the minimum
allowed number of ticks for a cyclic
alarm linked to the counter.
MAXALLOWED
OsCounterMaxAllowedValue  -
Maximum value, which is reachable by
VALUE
the counter in counter ticks.
TICKSPERBASE
OsCounterTicksPerBase
-
This attribute specifies the number of
hardware timer ticks required to reach a
counterspecific unit. E.g. if you have a
periodic tick timer, which is running with
16MHz and it is configured to trigger a
timer interrupt with 1kHz. You have
16000 ticks per base.
TYPE
OsCounterType
SOFTWARE,  Defines the type of the counter.
Possible settings are SOFTWARE or
HARDWARE  HARDWARE. SOFTWARE means the
counter is incremented by means of the
system service IncrementCounter,
which has to be called by the
application. HARDWARE means the
counter is incremented by MICROSAR
OS internally.
DRIVER
OsDriver
-
This Container contains the information
who will drive the counter. This
configuration is only valid if the counter
has OsCounterType set to HARDWARE.
Sub-Attributes are hardware dependent
(see [5]).
2015, Vector Informatik GmbH
Version: 9.01
111 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default
OIL
XML
value is written
in bold
TIMECONSTANT
OsTimeConstant
-
This Container allows the user to define
constants, to be used e.g. to compare
physical time values with timer tick
values.
TIMECONSTANT/
OsConstName
-
The name, to be used by the application
CONSTNAME
to get OsTimeValue in counter units.
TIMECONSTANT/
OsTimeValue
-
This attribute contains the value of the
VALUE
constant in seconds.
SECONDSPERTICK  OsSecondsPerTick
-
This attribute contains the time of one
counter tick in seconds.
ACCESSING_
OsCounter Accessing
-
Defines access rights of an application
APPLICATION
Application
for this counter. This attribute can be
used multiply, so different applications
might have access rights to this counter.
This attribute can only be used in
scalability classes SC3 and SC4.
Table 7-9
Attributes of COUNTER

Figure 7-2
Relation between Physical Units, Counter Units and Driver Units

Note
If the OS supports High-Resolution, there is no periodic counter tick. The OS programs
  the driver to interrupt on demand (e.g. next Alarm, next Expiry Point, etc.). Therefore,
the counter has the same resolution as the driver (OsCounterTicksPerBase is 1).

7.3.4
Alarm
The action of an alarm has to be defined statically.
2015, Vector Informatik GmbH
Version: 9.01
112 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value is
OIL
XML
written in bold
Name
Short-Name
-
Name of the alarm. This name is used as an
argument to all alarm related OSEK API
functions (e.g. SetRelAlarm).
Comment
n.a.
--
Any comment
COUNTER
OsAlarmCounter
Reference to the counter that drives the
Ref
alarm.
ACTION
OsAlarmAction
>  OIL:
See chapter 7.3.4.1 for more information.
SETEVENT,
ACTIVATETASK,
INCREMENTCOU
NTER

>  XML:
Choice container:
OsAlarmActivateT
ask,
OsAlarmIncrement
Counter,
OsAlarmSetEvent
AUTOSTART
OsAlarmAutostart  TRUE
>  OIL: If set to TRUE, the alarm will be
activated at startup of the system.
FALSE
>  XML: If attribute is present, the alarm will
be activated at startup of the system.
See chapter 7.3.4.2 for more information
about the sub-attributes and chapter 3.2.1.3
for more information about static alarms.
ACCESSING_
OsAlarmAccessin
Defines access rights of an application for
APPLICATION
gApplication
this alarm. This attribute can be used
multiply, so different applications might have
access rights to this alarm. This attribute can
be used in scalability classes SC3 and SC4
only.
Table 7-10   Attributes of ALARM
7.3.4.1 ACTION / OsAlarmAction
>  Attribute / ChoiceContainer is set to ACTIVATETASK / OsAlarmActivateTask:
2015, Vector Informatik GmbH
Version: 9.01
113 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
TASK
OsAlarmActivate
-
Task to be activated
TaskRef
Table 7-11   Sub-attributes of ACTION = ACTIVATETASK
>  Attribute / ChoiceContainer is set to SETEVENT / OsAlarmSetEvent:
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
TASK
OsAlarmSetEvent
-
Task to which the event should be sent
TaskRef
EVENT
OsAlarmSetEvent

Event to be sent to the specified task
Ref
Table 7-12   Sub-attributes of ACTION = SETEVENT

>  Attribute / ChoiceContainer is set to INCREMENTCOUNTER /
OsAlarmIncrementCounter:
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
COUNTER
OsAlarmIncrement -
Name of the counter to be incremented
CounterRef
Table 7-13   Sub-attributes of ACTION = ALARMCALLBACK

7.3.4.2 AUTOSTART / OsAlarmAutostart
>  OIL: This attribute can be either TRUE or FALSE. Depending on the value, there may be
different sub-attributes.
>  XML: This attribute can be present in the configuration or it can be omitted. In case this
container is present, it has sub-attributes, which are described below.
>  If AUTOSTART is set to TRUE (OIL) or if the container is present (XML):
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
ALARMTIME
OsAlarmAlarmTim
-
The relative or absolute tick value when the
e
alarm expires for the first time. Note that for an
alarm which is RELATIVE the value should be
bigger than 0.
2015, Vector Informatik GmbH
Version: 9.01
114 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
TYPE
OsAlarmAutostar
ABSOLUTE
The value corresponds to a call of the API-
tType
Functions SetRelAlarm or SetAbsAlarm
RELATIVE
CYCLETIME
OsAlarmCycleTim

This atttibute defines the cycle time of a cyclic
e
alarm in counter units.  A zero value indicates
that the alarm is not cyclic.
APPMODE
OsAlarmAppMode

Reference to the application modes for which
Ref
the AUTOSTART shall be performed.
Table 7-14   Sub-attributes of AUTOSTART = TRUE

7.3.5
Resource
Resources have to be defined with the following attributes:
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
Short-Name
-
Name of the resource. This name is used as an
argument to all resource related OSEK API
functions (e.g. GetResource).
Comment
n.a.
--
Any comment
RESOURCE
OsResource
STANDARD,
This attribute can take the following values:
PROPERTY
Property
LINKED
>  STANDARD: A normal resource that is not
linked to another resource and is not an
internal resource.
>  LINKED: A resource that is linked to another
resource with the property STANDARD or
LINKED.
Internal resources are not supported by
MICROSAR OS SafeContext.
ACCESSING_
OsResource

Defines access rights of an application for this
APPLICATION
Accessing
resource. This attribute can be used multiply, so
Application
different applications might have access rights
to this resource. This attribute can only be used
in scalability classes SC3 and SC4.
RESOURCE
OsResourceLinked
>  OIL: If the resource property is set to
PROPERTY
ResourceRef
LINKED, the LINKEDRESOURCE attribute
holds a reference to a resource.
=LINKED / LINKED
RESOURCE
>  XML: This attribute holds a reference to a
resource.
2015, Vector Informatik GmbH
Version: 9.01
115 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Table 7-15   Attributes of RESOURCE
7.3.6
Event
Events  in  the  OSEK  operating  system  are  always  implemented  as  bits  in  bit-fields.  The
user could use bit-masks like ‘0x0001’, but to achieve portability between different OSEK
implementations, the user should use event  names, which are mapped to defined bits by
the code generator.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
Short-Name
-
Name of the event. This name is used as an
argument to all event related OSEK-API-
functions (e.g. SetEvent).
Comment
n.a.
--
Any comment
MASK
OsEventMask
-
>  OIL: Eventmask or AUTO
>  XML: If EventMasks shall be defined
automatically this attribute shall be omitted
Table 7-16   Sub-attributes of EVENT

Caution
If the user selects AUTO for the mask, the code generator will search for free bits in the
  bit mask of the receiving task. It is important to specify each task that receives an
event, otherwise the code generator will generate wrong bit-masks.

7.3.7
ISR
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
Short-Name
-
Name of the interrupt service routine.
Comment
n.a.
--
Any comment
CATEGORY
OsIsrCategory
-
>  OIL: Number of category for the interrupt
service routine (1-2)
>  XML: this attribute can be CATEGORY_1 or
CATEGORY_2
RESOURCE
OsIsrResourceRef  -
Resource management for ISRs is not
supported by MICROSAR OS SafeContext.
TIMING_
OsIsrTiming
-
Selects timing protection for the ISR. See
PROTECTION
Protection
chapter 7.3.7.2 for information about the sub-
attributes.
EnableNesting
OsIsrEnable
-
If set to TRUE the OS will call the user ISR in a
Nesting
way that interrupts will be enabled again during
user ISR. Thus, it is possible that the user ISR
can be interrupted by other ISRs.
2015, Vector Informatik GmbH
Version: 9.01
116 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
UseSpecialFunction
OsIsrUseSpecial
-
Normally the attribute Name/Short-Name
Name
FunctionName
defines the C-Name of the ISR. Since this
name must be unique, it would not be possible
to map different interrupt Sources to a single
ISR. This can be done by this attribute.
If this attribute is set to TRUE, it is possible to
define the function name of the ISR in a
separate sub-attribute. These names do not
have to be unique.
ACCESSING_
OsIsrAccessing
-
Defines access rights of an application for this
APPLICATION
Application
ISR. This attribute can be used multiply, so
different applications might have access rights
to this alarm.
Table 7-17   Attributes of ISR
7.3.7.1 UseSpecialFunctionName / OsIsrUseSpecialFunctionName
If  this  attribute  is  set  to  TRUE  a  function  name  can  be  specified  which  is  taken  as  ISR
name instead of the Name (OIL) / Short-Name (XML) attribute.
This can be used to map several interrupt sources to one ISR routine.

Attribute Name
Values
Description
The default
OIL
XML
value is written
in bold
FunctionName
OsIsrFunctionName  -
Name of the ISR routine.
Table 7-18   Sub-attributes of UseSpecialFunctionname / OsIsrUseSpecialFunctionName

Example
Given  two  Interrupts  MyISR1  and  MyISR2.  Both  shall  trigger  the  same  ISR  routine.
  Activate  SpecialFuntionName  for  MyISR2,  and  set  FunctionName  to  “MyISR1”.  Now,
MyISR2 is mapped onto the MyISR1 routine, which is implemented as usual:
ISR(MyISR1)
{
  …
}

2015, Vector Informatik GmbH
Version: 9.01
117 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Note
The ISR() macro MUST be used for the definition of category 2 ISR handlers. If this
  is not possible, a wrapper using this macro can be used to call the respective ISR
handler:

ISR(MyISR1) /* “MyISR1” is the configured */
{ /* FunctionName in OIL or XML */
  MyISRHandlerFunction(); /* “MyISRHandlerFunction” is  */
} /* the name of the actual ISR */
/* handler provided by the */
/* application */

7.3.7.2 TIMING_PROTECTION / OsIsrTimingProtection
>  OIL: This attribute has to be set to TRUE to switch on timing protection. The sub-
attributes are only visible if TIMING_PROTECTION is TRUE.
>  XML: This attribute has to be present to switch on timing protection.
Please  note  that  timing  protection  can  only  be  switched  on  for  a  MICROSAR  OS
SafeContext that has been delivered in Scalability class SC4.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
EXECUTIONTIME
OsIsrExecution
-
The parameter contains the maximum allowed
Budget
execution time of the interrupt.
>  OIL: the times are given in nanoseconds.
>  XML: the times are given in seconds.
TIMEFRAME
OsIsrTimeFrame
-
This parameter contains the minimum inter-
arrival time between successive interrupts
>  OIL: the times are given in nanoseconds.
>  XML: the times are given in seconds.
MAXOSINTERRUP
OsIsrOsInterrupt
-
This parameter contains the maximum time for
TLOCKTIME
LockBudget
which the ISR is allowed to lock all Category 2
interrupts (via SuspendOSInterrupts()).
>  OIL: the times are given in nanoseconds.
>  XML: the times are given in seconds.
MAXALLINTERRUP OsIsrAllInterrupt
-
This parameter contains the maximum time for
TLOCKTIME
LockBudget
which the ISR is allowed to lock all interrupts
(via SuspendAllInterrupts() or
DisableAllInterrupts())
2015, Vector Informatik GmbH
Version: 9.01
118 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
>  OIL: the times are given in nanoseconds.
>  XML: the times are given in seconds.
LOCKINGTIME
OsIsrResource
-
>  OIL: This is a (empty) list of all lock times, in
Lock
nanoseconds
>  XML: This container holds resource lock
times, in seconds.
Resource lock times are the maximum times an
ISR is allowed to hold a resource.
OnlyMeasure
OsOnlyMeasure
TRUE
If set to FALSE, timing values of this ISR are
measured and violations against the configured
FALSE
values lead to a call of the ProtectionHook. If
set to TRUE, the timing values are still
measured but no call of the ProtectionHook
occurs. The value of this attribute might be
overridden by the OS attribute
TimingMeasurement, as described in
chapters 7.3.1.4 and 3.2.4.2.
Table 7-19   Sub-attributes of TIMING_PROTECTION / OsIsrTimingProtection
7.3.7.2.1
LOCKINGTIME / OsIsrResourceLock
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
LOCKINGTIME=
OsIsrResource
-
The parameter contains the maximum allowed
RESOURCELOCK/
LockBudget
time an ISR is allowed to hold a resource
RESOURCELOCK
>  OIL: the times are given in nanoseconds.
TIME
>  XML: the times are given in seconds.
LOCKINGTIME=
OsIsrResource

Holds the reference to this resource
RESOURCELOCK/
LockResourceRef
RESOURCE
Table 7-20   Sub-attributes of LOCKINGTIME / OsIsrResourceLock

7.3.7.3
ISR Attributes concerning the Timing Analyzer
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
ComputationTime
OsIsrComputation
-
The worst case execution time (in
Time
nanoseconds)
Period
OsIsrPeriod

The minimum activation period of the ISR (in
nanoseconds)
2015, Vector Informatik GmbH
Version: 9.01
119 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Deadline
OsIsrDeadline

The deadline of the ISR (in nanoseconds)
AnalysisPriority
OsIsrAnalysis

The AnalysisPriority corresponds to the
Priority
Task attribute PRIORITY / osTaskPriority.

The AnalysisPriority is an extension of
the priority values from tasks to ISRs, so all ISR
priorities must have higher values as all task
priorities to get correct analysis results. (Some
OS Implementations use an attribute similar to
priority for the hardware interrupt level.
Therefore to the timing analysis an own
attribute was introduced).
UseResource
OsIsrUseResource
If set to TRUE the occupation of resources can
Occupation
Occupation
be taken into consideration by the analysis tool.
UseResource
OsIsrUseResource
Reference to the resource that is occupied.
Occupation=
Occupation=TRUE
TRUE/Resource
/OsIsrResource
UseResource
OsIsrUseResource
Maximum resource occupation time (in
Occupation= TRUE/  Occupation=TRUE
nanoseconds)
OccupationTime
/OsIsrOccupation
Time
Table 7-21   ISR attributes concerning the timing analyzer

7.3.8
COM
The section COM is not used by MICROSAR OS.

7.3.9
NM
The section NM is not used with the current MICROSAR OS implementation.

7.3.10  APPMODE / OsAppMode
Application modes have to be defined with the following attributes:
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
Short-Name
-
Name of the application mode. This name is
used as an argument to all related OSEK-API-
functions and for the definition of the
AUTOSTART functionality of tasks and alarms.
Comment
n.a.
--
Any comment
2015, Vector Informatik GmbH
Version: 9.01
120 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
n.a.
OsAppModeId

Internal ID of an Appmode. The value of this
attribute is ignored by MICROSAR OS.
Table 7-22   Attributes of Appmode / OsAppMode

7.3.11  Application / OsApplication
The object APPLICATION is meant for the usage with scalability classes SC3 and SC4.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
Short-Name
--
Freely selectable name, not used by the code
generator.
Comment
n.a.
--
Any comment.
n.a.
OsApplication
FALSE
MICROSAR OS SafeContext does not support
Hooks
any application specific Hook routines.
STARTUPHOOK
OsAppStartup
FALSE
MICROSAR OS SafeContext does not support
Hook
any application specific Hook routines.
(XML: is contained in OsApplicationHooks)
ERRORHOOK
OsAppErrorHook
FALSE
MICROSAR OS SafeContext does not support
any application specific Hook routines.
(XML: is contained in OsApplicationHooks)
SHUTDOWNHOOK  OsAppShutdown
FALSE
MICROSAR OS SafeContext does not support
Hook
any application specific Hook routines.
(XML: is contained in OsApplicationHooks)
TRUSTED
OsTrusted
TRUE,
>  OIL: Defines whether the application is
trusted or not. See chapter 7.3.11.1 for
FALSE
information about the sub-attributes.
>  XML: This is only a boolean which marks the
Application as trusted application
HAS_RESTART
n.a.
FALSE
>  OIL: MICROSAR OS SafeContext does not
TASK
support terminating or restarting an
application.
TASK
OsAppTaskRef
-
Reference to all tasks belonging to this
application.
ISR
OsAppIsrRef
-
Reference to all ISRs belonging to this
application.
ALARM
OsAppAlarmRef
-
Reference to all alarms belonging to this
application.
SCHEDULETABLE
OsAppSchedule
-
Reference to all schedule tables belonging to
TableRef
this application.
2015, Vector Informatik GmbH
Version: 9.01
121 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
COUNTER
OsAppCounterRef  -
Reference to all counters belonging to this
application.
n.a.
OsApplication
-
Container that is used to define trusted
TrustedFunction
functions.
NonTrusted_Functio OsApplicationNon
-
List of non-trusted functions provided by this
n
Trusted_Function
application (only for non-trusted applications).
Table 7-23   Attributes of Application / OsApplication
7.3.11.1  Trusted Functions
>  OIL: trusted functions are defined as sub-attributes of 'TRUSTED=TRUE'.
>  XML: there are containers for trusted functions.
The
preconditions
for
editing
the
sub-attributes
in
the
next
table
are
TRUSTED=TRUE/TRUSTED_FUNCTION=TRUE  for  OIL  and  the  existence  of  (at  least  one)
OsApplicationTrustedFunction container.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
TRUSTED_
OsTrustedFunction -
List of trusted functions provided by this
FUNCTION
Name
application.
=TRUE/TRUSTED
FUNCTION
=TRUE/NAME
TRUSTED_
OsApplication
-
Parameter (arguments) of trusted function.
FUNCTION
Params
Empty string means void. Used for stub
=TRUE/TRUSTED
generation only. See attribute GenerateStub.
FUNCTION
=TRUE/Params
TRUSTED_
OsApplication
-
Return value data type of trusted function.
FUNCTION
ReturnType
Empty string means void. Used for stub
=TRUE/TRUSTED
generation only. See attribute GenerateStub.
FUNCTION
=TRUE/ReturnType
TRUSTED_
OsApplication
-
If set to TRUE, stub functions are generated for
FUNCTION
GenerateStub
all trusted functions of this application.
=TRUE/Generate
Stub
Table 7-24   Sub-attributes for trusted functions

2015, Vector Informatik GmbH
Version: 9.01
122 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

7.3.12  Scheduletable
Schedule tables have to be defined with the following attributes.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
Name
Short-Name
-
Name of the SCHEDULETABLE. This name is
used as an argument to all related OSEK API
functions.
Comment
n.a.
--
Any comment
COUNTER
OsScheduleTable
-
Defines the counter used as time basis for this
CounterRef
schedule table.
REPEATING
OsScheduleTable
-
If selected, the schedule table is performed
Repeating
periodically after it is started. If deselected, the
schedule table is performed once per activation.
DURATION
OsScheduleTable
-
Defines the length of the schedule table in ticks,
Duration
based on the underlying counter. This is the
time from the first expiry point to the end of the
schedule table or in the case of a periodic
schedule table, between two subsequent first
expiry points. The length is defined in units of
ticks of the underlaying counter.
AUTOSTART
OsScheduleTable
-
>  OIL: If set to TRUE, the schedule table is
Autostart
activated at startup of the operating system.
>  XML: If attribute is present, the schedule
table is activated at startup of the operating
system.
See chapter 7.3.13.1 for more information
about the sub-attributes.
LOCAL_TO_
OsScheduleTable
-
Defines, whether the schedule table shall be
GLOBAL_TIME_SY
Sync
synchronized to a global time source. This
NCHRONIZATION
attribute is only supported in scalability class
SC4. Sub-attributes are described in chapter
7.3.13.6.
EXPIRY_POINT
OsScheduleTable
-
Defines an expiry point for this schedule table
ExpiryPoint
ACCESSING_
OsSchTbl
-
Defines access rights of an application for this
APPLICATION
Accessing
schedule table. This attribute can be used
Application
multiply, so different applications might have
access rights to this schedule table.
Table 7-25   Attributes of SCHEDULETABLE
7.3.12.1  AUTOSTART / OsScheduleTableAutostart
>  OIL: If this attribute is set to TRUE sub-attributes are visible and the schedule table is
auto started.
>  XML: If this container is present in the configuration the schedule table is auto started
2015, Vector Informatik GmbH
Version: 9.01
123 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
APPMODE
OsScheduleTable
-
Defines an application mode in which the
AppModeRef
schedule table is started automatically. This
attribute might be defined several times to start
the schedule table in several application
modes.
TYPE
OsScheduleTable
ABSOLUTE
Defines the method how the schedule table is
AutostartType
autostarted.
RELATIVE

SYNCHRON
TYPE=ABSOLUT/
OsScheduleTable
-
Absolute autostart tick value when the schedule
ABSVALUE
StartValue
table starts. Only used if the
OsScheduleTableAutostartType is
ABSOLUTE.
TYPE=RELATIVE/
OsScheduleTableS -
Relative offset in ticks when the schedule table
RELOFFSET
tartValue
starts. Only used if the
OsScheduleTableAutostartType is
RELATIVE.
Table 7-26   Sub-attributes for auto start of a schedule table

7.3.12.2  EXPIRY_POINT / OsScheduleTableExpiryPoint
An expiry point consists of a sequence of actions which are performed on a given tick time
of the schedule table. There are the following sub-attributes. Some of them also have sub-
attributes.

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
ACTION
n.a.
>  OIL :
>  OIL: a list of actions
ACTIVATETA

SK
SETEVENT
ADJUST
OFFSET
OsScheduleTbl
-
Defines the time at which the defined actions
ExpPointOffset
occur in ticks based on the underlying counter.
The time is absolute to the start of the schedule
table and is given in ticks of the underlying
counter.
ACTION=ADJUST
OsScheduleTbl
-
>  XML: containers for holding the sub-
AdjustableExp
attributes in case of expiry point action
Point
ADJUST
ACTION
OsScheduleTable
-
>  XML: containers for holding the sub-
=ACTIVATETASK
TaskActivation
attributes in case of expiry point action
2015, Vector Informatik GmbH
Version: 9.01
124 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
ACTIVATESTASK
ACTION
OsScheduleTable
-
>  XML: containers for holding the sub-
=SETEVENT
EventSetting
attributes in case of expiry point action
SETEVENT
Table 7-27   Sub-attributes of expiry points
7.3.12.3  Expiry point action ADJUST
>  OIL: the following attributes are visible if the expiry point action is ADJUST
>  XML: the following attributes are located in the container
OsScheduleTblAdjustableExpPoint
Those attributes are only relevant in SC2 or SC4 if synchronization mechanisms are used.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
MAXLENGTHEN
OsScheduleTable

The maximum positive adjustment that can be
MaxLengthen
made to the expiry point offset to achieve
synchronizationin ticks based on the underlying
counter.
MAXSHORTEN
OsScheduleTable
-
The maximum negative adjustment that can be
MaxShorten
made to the expiry point offset to achieve
synchronization in ticks based on the underlying
counter.
Table 7-28   Sub-attributes of expiry point action ADJUST
7.3.12.4  Expiry point action ACTIVATETASK
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
TASK
OsScheduleTable

Reference to the task to be activated.
ActivateTaskRef
Cyclic
OsScheduleTable
TRUE,
>  OIL: If set to TRUE, this action is repeatedly
Cyclic
added to the schedule table.
FALSE
>  XML: This is a choice container. If set to
TRUE the action will be repeatedly added to
the schedule table.
The cycle time is located in a sub-attribute. See
chapter 3.2.6.3 for more details.
Cyclic=TRUE/Cycle
OsScheduleTable

If the action is declared as cyclic, this attribute
Time
CycleTime
holds the cycle time in counter ticks.
Table 7-29   Sub-attributes of expiry point action ACTIVATETASK
2015, Vector Informatik GmbH
Version: 9.01
125 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

7.3.12.5  Expiry point action SETEVENT
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
TASK
OsScheduleTable
-
Task to which the event should be sent
SetEventTaskRef
EVENT
OsScheduleTable
-
Event to be sent to the specified task
SetEventRef
Cyclic
OsScheduleTable
TRUE,
>  OIL: If set to TRUE, this action is repeatedly
Cyclic
added to the schedule table.
FALSE
>  XML: This is a choice container. If set to
TRUE the action will be repeatedly added to
the schedule table.
The cycle time is located in a sub-attribute. See
chapter 3.2.6.3 for more details.
Cyclic=TRUE/Cycle
OsScheduleTable
-
If the action is declared as cyclic, this attribute
Time
CycleTime
holds the cycle time in counter ticks.
Table 7-30   Sub-attributes of expiry point action SETEVENT

7.3.12.6  LOCAL_TO_GLOBAL_TIME_SYNCHRONIZATION / OsScheduleTableSync
>  OIL: If set to TRUE, the synchronization of this schedule table is switched on and the
sub-attributes will be visible.
>  XML: If this attribute is present in the configuration the synchronization is used for this
schedule table.
This is only relevant in SC4.
Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
SYNC_STRATEGY
OsScheduleTbl
EXPLICIT
Defines the synchronization strategy of this
SyncStrategy
schedule table.
IMPLICIT
>  EXPLICIT: The schedule table is driven by
NONE
an OS counter, but processing needs to be
synchronized with a different counter, which
is not an OS counter object.
>  IMPLICIT: The counter driving the schedule
table is the counter with which
synchronisation is required
>  NONE: no synchronization is applied at all
SYNC_STRATEGY
OsScheduleTbl
-
Defines the synchronization tolerance (in ticks)
=EXPLICIT/PRECIS ExplicitPrecision
for this schedule table.
ION
If the absolute value of the deviation between
the schedule table counter and the
synchronization counter is smaller than this
2015, Vector Informatik GmbH
Version: 9.01
126 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Attribute Name
Values
Description
The default value
OIL
XML
is written in bold
value schedule table state is set to
SCHEDULETABLE_RUN-
NING_AND_SYNCHRONOUS
Table 7-31 Sub-attributes SCHEDULETABLE-> LOCAL_TO_GLOBAL_TIME_SYNCHRONIZATION = TRUE

2015, Vector Informatik GmbH
Version: 9.01
127 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

8 System Generation
This chapter describes the generation of the executable program. The definition of the OIL
/ XML file was described in the chapter 7 Configuration. The general steps programming
an application using the OSEK operating systems are illustrated in chapter 7.1
Configuration and generation process.
The dependencies on include files are described in chapter 5.2 Include Structure.
8.1
Code Generator
The code generator GENxxxx.EXE is delivered with the MICROSAR OS package (xxxx is
replaced by the hardware platform name). The code generator is implemented as a 32-bit
Windows console application and can be started from the OIL Configurator or directly from
the command line.
The code generator has different command-line options. When started without any
parameters, a list of all parameters is printed:
GENxxxx.EXE, Version: 6.00, Vector Informatik GmbH, 2012
Usage: GENxxxx.EXE [options] <Filename>
-s : print symboltable
-r <Filename> : write errors into file
-g : generate code
-d <Pathname> : path to write generated code
-m : prints list of known implementations
-i <Pathname>: include path for implementation files
-x : include path equals to generator exe path
-f <Filename>: read options and filename from command file
-y : perform a syntax check on OIL file

8.1.1
Generated Files
The code generator generates several files as described in chapter 5.1.2 Dynamic Files.
The files always have the same name. They are written to the generation path specified in
the OIL Configurator or with the command line option -d.
The '.c' modules have to be compiled and linked to the application.
8.1.2
Automatic Documentation
Automatic documentation of the generation process is provided by two list files, which are
generated by the code generator. A basic list file is generated in text format. The more
detailed list file is generated in HTML format and can be used to publish a system design
in the internet or an intranet. Both files have the same name as the OIL file, i.e.:
> <OILFileName>.lst (basic list file in text format)
> <OILFileName>.htm (extended list file in HTML format)
The files are located in the directory of the OIL file.
2015, Vector Informatik GmbH
Version: 9.01
128 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

8.1.3
Conditional Generation
If  MICROSAR  OS  is  configured  using  an  OIL  file,  the  OS  object  provides  the  attribute
ConditionalGenerating. If AUTOSAR ECUC files are used for configuration, the parameter
for conditional generation is not located in the OS configuration but in the BSWMD file of
the Board, as other modules also use this parameter.
If  conditional  generation  is  selected,  the  generated  files  are  overridden  only  if  the  OS
configuration  has  changed  since  the  last  generator  run.  This  allows  using  the  file
modification date of the generated files to decide which modules need recompilation after
configuration changes. Compile times of a complete AUTOSAR stack may be dramatically
reduced with this setting in the development cycle.
Setting  ConditionalGenerating  =  FALSE  forces  the  MICROSAR  OS  code  generator  to
generate  the  files  newly  on  each  run.  This  is  the  recommended  setting  for  the  final,
productive build.
8.1.4
Generated files backup
To avoid a mixed set of generated files from various runs of the generator, already existing
files are either deleted or renamed before the new generation starts.
Before previously generated files are overwritten in a new run of a generator, the complete
file set is renamed to files with the original name plus a “.bak” suffix (backup file set). This
file set contains the last valid generated file set even if a consecutive generator run fails for
any reason.
8.2
Application Template Generator
The application template generator is not available in current versions of MICROSAR OS.
8.3
Compiler
The supported compiler package has to be installed, and the search path of the compiler,
assembler and linker has to be set. If special options are  required, they are described in
the hardware specific manual.
8.3.1
Include Paths
The  operating  system  is  delivered  with  include  files  in  the  subdirectory
root\HwPlatform\include (osCAN style) or root\BSW\Os (MICROSAR style).
2015, Vector Informatik GmbH
Version: 9.01
129 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

9  AUTOSAR Standard Compliance
9.1  Deviations
Currently no known deviations
9.2  Limitations
9.2.1
API Function OS_GetVersionInfo
The function
void OS_GetVersionInfo(Std_VersionInfoType *version info)
is  not  supported  by  MICROSAR  OS.  The  version  information  can  be  collected  by  the
following #defines:
Vendor ID
OS_VENDOR_ID
Module ID
OS_MODULE_ID
Major version number
OS_SW_MAJOR_VERSION
Minor version number
OS_SW_MINOR_VERSION
Patch version number
OS_SW_PATCH_VERSION
9.2.2
Forcible Termination
MICROSAR OS does currently not support forcible termination. The only possible reaction
on a protection error is to shutdown the system.
9.2.3
AUTOSAR Debug support
MICROSAR  OS  does  not  provide  any  variables  and  type  definitions  for  AUTOSAR
Debugging (See requirements OS549-551 in [1]). The suggested way to gather information
about the internals of the OS is to use the ORTI feature supported by MICROSAR OS.
9.2.4
Port Interface
The  Port  interface  described  by  requirements  OS560,  OS561  in  [1]  is  not  supported  by
MICROSAR OS.
9.2.5
NULL Pointer Checks
Null  pointer  checks  described  by  requirements  OS566  is  [1]  are  not  implemented  in
MICROSAR OS.
9.2.6
SafeContext specific limitations
In  order  to  achieve  a  safe  execution  environment  and  fulfill  the  requirement  for  reduced
complexity of ISO26262, the following OSEK/AUTOSAR OS features are not implemented
in MICROSAR OS SafeContext.
>  Pre- and PostTaskHook as well as ISRHooks are only supported as a debug feature
and not released for use in safety environments.
2015, Vector Informatik GmbH
Version: 9.01
130 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

>  Application specific hook routines are not supported.
>  Forcible termination of Tasks, ISRs or OS-Applications is neither supported through the
service TerminateApplication, nor as a reaction to a protection violation.
>  All checks of the OS must be turned on any time (StackMonitoring, OSInternalChecks).
>  ORTI Debug information is always recorded and cannot be turned off.
>  Internal resources are not supported.
>  StartupHook, ErrorHook, ShutdownHook and ProtectionHook cannot be turned off in the
configuration.
Further restrictions may be found in [5] and/or [9].
On  the  other  hand,  there  are  additional  features  and  measures  implemented  in
MICROSAR OS SafeContext to increase safety:
>  StartOS is protected against calls from non-trusted code to avoid unintended reboot.
>  An API is provided to allow protected access to peripherals (either by peripheral
protection subsystem if provided by the hardware, or by memory protection, see [5] for
details). However, trusted applications are always granted full access to all peripherals.
>  A global Shared Memory Area allows quick exchange of non-critical data between OS-
Applications.
>  Non-trusted functions allow a safe execution of non-trusted code triggered by trusted
code.
>  A user configuration version can be freely assigned and read via an API
(osGetConfigBlockVersion), allowing verification that the correct configuration is used
during runtime.
2015, Vector Informatik GmbH
Version: 9.01
131 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

10  Debugging Support
10.1  Kernel aware Debugging
All  implementations  of  MICROSAR  OS  support  kernel-aware  debugging  according  to  the
ORTI specification. On some platforms, proprietary solutions are available.
Refer to the hardware specific documentation [4] for details.
10.2  Version and Variant Coding
The version and the variant are coded into the generated binary or HEX file. The user has
the possibility to read version and variant using an emulator, or if the electronic control unit
is accessible via the CCP protocol via the CAN bus.
The generator writes version and variant information into a structure, defined in osek.h.
typedef struct
{
osuint8 ucMagicNumber1; /* magic number:   */
osuint8 ucMagicNumber2; /* defined as uint8 for independency of */
osuint8 ucMagicNumber3; /* byte order */
osuint8 ucMagicNumber4;

osuint8 ucSysVersionMaj; /* version of operating system, Major   */
osuint8 ucSysVersionMin; /* version of operating system, Minor   */
osuint8 ucGenVersionMaj; /* version of code generator   */
osuint8 ucGenVersionMin; /* version of code generator   */
osuint8 ucSysVariant1; /* general variant coding 1    */
osuint8 ucSysVariant2; /* general variant coding 2    */
   osuint8 ucOrtiVariant; /* ORTI version and variant   */

… /* implementation specific variant coding */

} osVersionVariantCodingType;

The  structure  contains  the  version  of  the  operating  system  (major  and  minor  version
number),  the  version  of  the  code  generator  used  (major  and  minor  version  number),
information  about  the  OS  configuration  bit-encoded  into  8-bit  values  (ucSysVariantX)
and information about usage of the OSEK runtime interface (ORTI):
The  magic  number  is  defined  as  0xAFFEDEAD  and  may  be  used  for  an  identification  of
the version in hex or binary files.
Bits
Meaning
Possible Values
0..1
Conformance Class
3: ECC2
2
Status Level
1: EXTENDED STATUS
3..4
Scheduling policy
2: mixed preemptive
5
Stack Check
1: enabled
2015, Vector Informatik GmbH
Version: 9.01
132 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

Bits
Meaning
Possible Values
6
Error information level
0 STANDARD
7
OS internal checks
1 Additional
Table 10-1   Bit-definitions of the variant coding, ucSysVariant1
Bits
Meaning
Possible Values
0..1
Scalability Class
2: SC3   3: SC4
2
Usage of Schedule tables
0: no schedule tables in system
1: schedule tables are used
3
Usage of high resolution
0: no high resolution tables in system
schedule tables
1: high resolution schedule tables are used
4
Schedule table
0: synchronization is not used
synchronization
1: synchronization is used
5
Timing protection
0: timing protection is used
1: timing protection is switched off
Table 10-2   Bit-definitions of the variant coding, osSysVariant2

Bits
Meaning
Possible Values
0..6
ORTI version
0x22: ORTI 2.2 used
7
ORTI additional information
1: The full set of ORTI information is provided by the
OS
Table 10-3   Bit definitions of the variant coding, osOrtiVariant
The data for the structure is located in the constant oskVersionVariant and specified in the
OS module osek.c.
The  structure  also  contains  implementation  specific  variant  coding  which  is  described  in
the separate documentation [4].

2015, Vector Informatik GmbH
Version: 9.01
133 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

11  Glossary and Abbreviations
11.1  Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
CCP
CAN Calibration Protocol
COM
Communication (= module COM in AUTOSAR/MICROSAR)
CPU
Central Processing Unit
ECU
Electronic Control Unit
EPROM
Erasable Programmable Read Only Memory
EEPROM
Electrically Erasable Programmable Read Only Memory
HIS
Hersteller Initiative Software
IRQ
Interrupt ReQuest
ISR
Interrupt Service Routine
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
NM
Network Management (= module NM in AUTOSAR/MICROSAR)
NMI
Non Maskable Interrupt
OIL
OSEK Implementation Language
ORTI
OSEK RunTime  Debugging Interface
OS
Operating System
OSEK
Abbreviation of the German term "Offene Systeme und deren
Schnittstellen für die Elektronik im Kraftfahrzeug" - Open Systems and
the Corresponding Interfaces for Automotive Electronics
RAM
Random Access Memory
ROM
Read-Only Memory
SC1, SC2, SC3, SC4  Scalability Class 1, -2, -3, -4
SEooC
Safety Element out of Context; a safety related element, which is not
developed for a specific item
SRS
Software Requirement Specification
SWC
Software Component
SWS
Software Specification
WCET
Worst Case Execution Time
XML
Extensible Markup Language
Table 11-1   Abbreviations
2015, Vector Informatik GmbH
Version: 9.01
134 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

11.2  Terms

Terms
Description
Forcible Termination
Forcible termination means that a task, an ISR or even a whole OS
application is terminated before it has reached its end. This may be
caused by a call of the API function TerminateApplication or by returning
certain values in the protection hook.
Killing
The term ‘killing’ is used as a synonym for forcible termination within this
document.
Process
The term ‘process’ is used within this document as a short form of ‘task or
ISR’.
Thread
The term ‘thread’ is used as a synonym of the term ‘process’ within this
document.
Table 11-2   Terms

2015, Vector Informatik GmbH
Version: 9.01
135 / 136
based on template version 4.3

Technical Reference MICROSAR OS SafeContext

12  Contact
Visit our website for more information on

>   News
>   Products
>   Demo software
>   Support
>   Training data
>   Addresses

www.vector.com

For support requests you may write to osek-support@vector.com

2015, Vector Informatik GmbH
Version: 9.01
136 / 136
based on template version 4.3

Document Outline

19 - Port Driver

Port Driver

Component Documentation

19.1 - AUTOSAR_PORT_Component_UserManual

AUTOSAR MCAL R4.0 User's Manual

19.2 - AUTOSAR_PORT_Component_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58

19.3 - AUTOSAR_PORT_Component_UserManuals

AUTOSAR MCAL R4.0.3
User’s Manual

PORT Driver Component Ver.1.0.5

Embedded User’s Manual

Target Device:
RH850\P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.02 Apr 2015

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.

   3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.

  11.
This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.


(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.

3

4

Abbreviations and Acronyms

Abbreviation / Acronym Description
ADC
Analog to Digital Converter
ANSI
American National Standards Institute
API
Application Programming Interface
ARXML
AutosaR eXtensible Mark-up Language
AUTOSAR
AUTomotive Open System ARchitecture
BUS
BUS Network
BSW
Basic SoftWare
CAN
Controller Area Network
DEM
Diagnostic Event Manager
DET
Development Error Tracer
DIO
Digital Input Output
ECU
Electronic Control Unit
EEPROM
Electrically Erasable Programmable Read-Only Memory
GNU
GNU is Not Unix
GPT
General Purpose Timer
HW
HardWare
ICU
Input Capture Unit
id/ID
Identifier
I/O
Input Output
ISR
Interrupt Service Routine
KB
Kilo Bytes
LIN
Local Interconnect Network
MCAL
Microcontroller Abstraction Layer
MCU
MicroController Unit
MHz
Mega Hertz
NA
Not Applicable
OS
Operating System
PDF
Parameter Definition File
PLL
Phase Locked Loop
PWM
Pulse Width Modulation
RAM
Random Access Memory
ROM
Read Only Memory
RTE
Runtime Environment
SCI
Serial Communication Interface
SPI
Serial Peripheral Interface
SWS
Software Requirements Specification
TAU
Timer Array Unit
WDT
Watchdog Timer
5

Definitions

Term
Represented by
PORT channel
Numeric identifier linked to a hardware PORT
PORT Idle State
The idle state represents the output state of the PORT channel after the
call of

PORT Output State
Defines the output state for a PORT signal. It
could be: High
Low
PORT period
Defines the period of the PORT signal.
PORT Polarity
Defines the starting output state of each PORT channel
Sl. No.
Serial Number
6

10

Introduction

            Chapter 1

Chapter 1
Introduction

The purpose of this document is to describe the information related to
PORT Driver Component for Renesas P1x microcontrollers.

This document shall be used as reference by the users of PORT Driver
Component for P1M Device. The information specific to P1M Device
channel mapping, ISR handler, compiler, linker, assembler, integration
and build process for application along with the memory consumption and
throughput information are provided.
The users of PORT Driver Component shall use this document as
reference. This document describes the common features of PORT Driver
Component.
This document is intended for the developers of ECU software using
Application Programming Interfaces provided by AUTOSAR. The PORT Driver
Component provides the following services:

• PORT Driver Component initialization

• De-initialization

• Reading the internal state of PORT Output signal

• Setting the PORT Output to Idle state

• Disabling/Enabling the PORT signal edge notification

• Synchronous start between the TAU units

The following diagram shows the system overview of the AUTOSAR
Architecture. The PORT Driver initializes all the channels that are required
for producing PORT outputs.



Application Layer

AUTOSAR  RTE

System  Services

On board Device Abstraction

                                                    PORT Driver

Microcontroller

Figure 1-1  System Overview Of AUTOSAR Architecture

The PORT Driver Component comprises of two sections that is,
embedded software and the configuration tool to achieve scalability and
configurability. The PORT Driver Component Code Generation Tool is a
command line tool that accepts ECU configuration description files as
input and generates C Source and C Header files. The configuration
description is an ARXML file that contains information about the
11

Chapter 1

Introduction

configuration for PORT channels. The tool generates Port_Cfg.h and
Port_PBcfg.c files.

The Figure in the following page depicts the PORT Driver as part of layered
AUTOSAR MCAL Layer:

Microcontroller Drivers
Memory Drivers
   Communication Drivers                    I/O Drivers

in
e
in
te

x
t
t
r
e
e
n
S

W
r
r
a
P
F
n
n
l
at

GP
MC
a
a
EEP
H
CA
l
LI
e
c
C
RA
l
l
x

a

N

h
o
F
F
R
n
N Dr
T
U
d
re
P
M
la
l

a
d
D
a
I
P
CU

RO
A

D
o
D
D
O
g

s
s
le
y
W
r

DC
r
T
T
r
h
h
i

r
v
D
i
I
RT

i

O
v
D
iv
e
e

Dr
D
M
Dr
er
v

M
r
Dr
e
e

r
e
st
s
i

v

r

i

r
D
Dr
Dr
Dr
r
i

v
r

i
i
D
v

er
i
v
v
v
r
er
er
i
i

er
er
r
e
i

v
i
v
v
v

r
e
e
e
ve

e

r
r
r
r

r

M
G
WDT
& C
C P
U
Micro-
Ex
F
EEP
t.
la
P
P
M
L
S
SC
I
CA
IC
W
A
DI
n
l
B
T
it
o
o
s
R

N
DC

ck
w
Controller  u
h

O
P

N
U
M
O

s

e

I
I
or


r

Figure 1-2  System Overview Of The PORT Driver In AUTOSAR MCAL Layer

12

Introduction

            Chapter 1

1.1.
Document Overview

The document has been segmented for easy reference. The table below
provides user with an overview of the contents of each section:

Section
Contents
Section 1 (Introduction)
This section provides an introduction and overview of PORT Driver
Component.
Section 2 (Reference Documents)  This section lists the documents referred for developing this document.
Section 3 (Integration And Build
This section explains the folder structure for PORT Driver Component
Process)
along with a sample application.
Section 4 (Forethoughts)
This section provides brief information about the PORT Driver
Component, the preconditions that should be known to the user before it
is used, data consistency details and deviation list.
Section 5 (Architecture Details)
This section describes the layered architectural details of the PORT
Driver Component.
Section 6 (Register Details)
This section describes the register details of PORT Driver Component.
Section 7 (Interaction Between
This section describes interaction of the PORT Driver Component with
The User And PORT Driver
the upper layers.
Component)
Section 8 (PORT Driver
This section provides information about the PORT Driver Component
Component Header And Source
source files is mentioned. This section also contains the brief note on the
File Description)
tool generated output file.
Section 9 (Generation Tool Guide)  This section provides information on the PORT Driver Component Code
Generation Tool.
Section 10 (Application
This section mentions all the APIs provided by the PORT Driver
Programming Interface)
Component.
Section 11 (Development And
This section lists the DET and DEM errors.
Production Errors)
Section 12 (Memory
This section provides the typical memory organization, which must be
Organization)
met for proper functioning of component.
Section 13 (P1M Specific
This section describes the P1M specific information like channel
Information)
mapping, the details of the P1M Sample Application and it’s folder
structure and the information about RAM/ROM usage, stack depth
and throughput details.
Section 14 (Release Details)
This section provides release details with version name and base
version.
13

Chapter 1

Introduction

14

Reference Documents
Chapter 2

Chapter 2
Reference Documents

Sl. No.
Title
Version
1.
AUTOSAR_SWS_PortDriver.pdf
  3.2.0
2.
AUTOSAR BUGZILLA (http://www.autosar.org/bugzilla)
-
Note: AUTOSAR BUGZILLA is a database, which contains concerns raised
against information present in AUTOSAR Specifications.
3.
  r01uh0436ej0070_rh850p1x.pdf
  0.70
4.
AUTOSAR_SWS_CompilerAbstraction.pdf
  2.2.0
5.
AUTOSAR_SWS_MemoryMapping.pdf
  1.2.1
6.
AUTOSAR_SWS_PlatformTypes.pdf
  2.5.0
7.
AUTOSAR_BSW_MakefileInterface.pdf
  0.3

15

Chapter 2 Reference Documents

16

Integration And Build Process
Chapter 3

Chapter 3
Integration and Build Process

In this section the folder structure of the PORT Driver Component is
explained. Description of the Makefiles along with samples is provided in this
section.

Remark The details about the C Source and C Header files that are generated by the
PORT Driver Generation Tool are mentioned in the
“AUTOSAR_PORT_Tool_UserManual.pdf”.

3.1.
PORT Driver Component Makefile

The Makefile provided with the PORT Driver Component consists of the GNU
Make compatible script to build the PORT Driver Component in case of any
change in the configuration. This can be used in the upper level Makefile (of
the application) to link and build the final application executable.

3.1.1.
Folder Structure

The files are organized in the following folders:

Remark Trailing slash ‘\’ at the end indicates a folder

X1X\common_platform\modules\port\src
\Port.c
\Port_Ram.c
\Port_Version.c

X1X\common_platform\modules\port\include
\Port.h
\Port_PBTypes.h
\Port_Ram.h
\Port_Version.h
\Port_Debug.h
\Port_Types.h

X1X\P1x\modules\port\sample_application\<SubVariant>\make\<Compiler>
\App_PORT_P1M_Sample.mak

X1X\P1x\modules\port\sample_application\<SubVariant>\obj\<Complier>

X1X\common_platform\modules\port\generator\Port_X1x.exe

X1X\P1x\common_family\generator
\Sample_Application_P1x.trxml
\P1x_translation.h

X1X\P1x\modules\port\user_manual
(User manuals will be available in this folder)

X1X\P1x\modules\port\generator
\R403_PORT_P1x_BSWMDT.arxml

 Note: 1. <Complier> can be ghs.
 2. <AUTOSAR_version> should be 4.0.3.
 3. <SubVariant> can be P1M.

17

Chapter 3 Integration And Build Process

18

Forethoughts

Chapter 4

Chapter 4
Forethoughts

4.1.
General

Following information will aid the user to use the PORT Driver Component
software efficiently:

•
The PORT Driver Component does not enable or disable the ECU or
Microcontroller power supply. The upper layer should handle this
operation.
•
Start-up code is not implemented by the PORT Driver Component.
•
PORT Driver Component does not implement any callback
notification functions.
•
PORT Driver Component does not implement any scheduled functions.
•
The PORT Driver Component is restricted to Post Build only.
•
The authorization of the user for calling the software triggering of a
hardware reset is not checked in the PORT Driver Component. This will
be the responsibility of the upper layer.
•
The PORT Driver Component supports setting of Analog and Digital
Noise Elimination. To figure out the different port filter arrangements the
device User Manual should be taken as reference. If no configuration of a
certain port filter is done within this Port Module, the device specific
default settings will take effect on this filter.
•
The value of unused pins in Port registers is undefined.
•
All development errors will be reported to DET by using the
API Det_ReportError provided by DET.
•
All production errors will be reported to DEM by using the
API Dem_ReportErrorStatus provided by DEM.
•
The PORT Driver does not have the API support to read the status of
Port pins or Port registers. Hence PORT Driver will not support ‘Read
back’ feature.
•
The file Interrupt_VectorTable.c provided is just a Demo and not all
interrupts will be mapped in this file. So the user has to update the
Interrupt_VectorTable.c as per his configuration.

4.2.
Preconditions

Following preconditions have to be adhered by the user, for proper
functioning of the PORT Driver Component:

•
The Port_PBcfg.c and Port_Cfg.h files generated by the PORT Driver
Component Code Generation Tool must be compiled and linked along with
PORT Driver Component source files.
•
The application has to be rebuilt, if there is any change in the Port_Cfg.h
file generated by the PORT Driver Component Generation Tool.
•
File Port_PBcfg.c generated for single configuration set or multiple
configuration sets using PORT Driver Component Code Generation Tool
should be compiled and linked independently.
•
Symbolic names for all Port Pins are generated in Port_Cfg.h file which
can be used as parameters for passing to PORT Driver Component APIs.
•
The PORT Driver Component needs to be initialized for all Port Pins
before doing any operation on Port Pins. The Port_Init () API shall also be
called after a reset in order to reconfigure the Port Pins of the
microcontroller. If PORT Driver Component is not initialized properly, the
behavior of Port Pins may be undetermined.
•
The user should ensure that PORT Driver Component API requests are
invoked with correct input arguments.
•
The other modules depending on PORT Driver Component should ensure
that the PORT Driver Component initialization is successful before doing
19

Chapter 4 Forethoughts

any operation on Port Pins.
•
Input parameters are validated only when the static configuration
parameter PORT_DEV_ERROR_DETECT is enabled. Application should
ensure that the right parameters are passed while invoking the APIs when
PORT_DEV_ERROR_DETECT is disabled.
•
Values for production code Event Id’s should be assigned externally by the
configuration of the DEM.
•
A mismatch in the version numbers of header and the source files will
result in a compilation error. User should ensure that the correct versions
of the header and the source files are used.
•
The PORT Driver Component APIs, except Port_GetVersionInfo API,
which are intended to operate on Port Pins shall be called only after PORT
Driver Component is initialized by invoking Port_Init() API. Otherwise Port
Pin functions will exhibit undefined behavior.
•
All Port Pins and their functions should be configured by the Port
configuration tool. It is the User/Integrator responsibility to ensure that the
same Port/Port Pin is not being accessed/configured in parallel by different
entities in the same system.

4.3.
User Mode and Supervisor Mode

The below table specifies the APIs which can run in user mode, supervisor
mode or both modes:


Table 4-1
Supervisor mode and User mode details

Sl.No
API Name
User Mode
Supervisor mode Known limitation in
User mode
1 Port_Init
x
x
-
2 Port_SetPinDirection
x
x
-
3 Port_RefreshPortDirection
x
x
-
4 Port_SetPinMode
x
x
-
5 Port_SetToDioMode
x
x
-
6 Port_SetToAlternateMode
x
x
-

4.4.
Data Consistency

To support the re-entrance and interrupt services, the AUTOSAR PORT
component will ensure the data consistency while accessing its own RAM
storage or hardware registers. The PORT component will use
SchM_Enter_Port_<Exclusive Area> and SchM_Exit_Port_<Exclusive Area>
functions. The SchM_Enter_Port_<Exclusive Area> function is called before
the data needs to be protected and SchM_Exit_Port_<Exclusive
Area>function is called after the data is accessed.

The following exclusive areas along with scheduler services are used to
provide data integrity for shared resources:
•
SET_PIN_MODE_PROTECTION

The functions SchM_Enter_Port_<Exclusive Area> and
SchM_Exit_Port_<Exclusive Area> can be disabled by disabling the
configuration parameter ‘PortCriticalSectionProtection’.

20

Forethoughts

 Chapter 4

4.5.
Deviation List

 Table 4-2
PORT Driver Deviation List

Sl. No.
Description
AUTOSAR
Bugzilla
1.
The Port Pin specific containers (PortPin0, PortPin1, PortPin2 and so on …) are -
added as sub containers of PortGroup<n> containers, having the parameters
‘PortPinDirection’, ‘PortPinDirectionChangeable’, ‘PortPinLevelValue’ and
‘PortPinInitialMode’ are added. AUTOSAR specified container ‘PortPin’ and all
its parameters are considered as unused.
2.
PortPinMode configuration parameter is not used for implementation as all
-
possible modes of a pin can be used in the Port_SetPinMode function.
3.
The Port_GetVersionInfo API is implemented as macro without DET error
-
 PORT_E_PARAM_POINTER

4.
[ecuc_sws_2108] requirement is not applicable to port module since
-
implementation of PORT module is vendor specific.
5.
Digital Noise Filter to calculate time delay for following scenarios is not
-
implemented in PORT driver.
a. When digital filter output signal is input for alternative function
b. When an event output signal of the digital filter is used as an interrupt
21

Chapter 4

Forethoughts

22

Architecture Details Chapter 5

Chapter 5
Architecture Details

The PORT Driver Component accesses the microcontroller Port Pins that are
located in the On-Chip hardware. The basic architecture of the PORT Driver
Component is illustrated below:

Initialization

Direction Refreshing
Direction Switching

Runtime Mode Change

Figure 5-1
PORT Driver Architecture

The PORT Driver Component consists of the following sub modules based on
the functionality:

•
Port Initialization.
•
Port Direction Refreshing.
•
Port Pin Direction Switching.
•
Port Pin Mode Change.

Port Initialization

This sub module provides the Port initialization functionality by providing the
Port_Init() API. This API should be invoked before the usage of any other APIs
of PORT Driver Component. Port Initialization includes initializing Port Pin
mode, Port Pin direction, Port Pin Level value, Port Pin driven value (Normal /
Open Drain), Activation of internal pull-ups and Port Filter configuration.

Port Direction Refreshing

This sub module provides the Port Direction Refreshing functionality by
providing the Port_RefreshPortDirection() API. In this functionality the PORT
Driver Component refreshes the direction of all configured Port Pins except
those Port Pins that are configured as ‘Port Pin Direction Changeable during
runtime’.

In this functionality only Direction of Port Pins is refreshed.

Port Pin Direction Switching

This sub module provides the Port Direction switching functionality at run time
by providing the Port_SetPinDirection() API. In this functionality the PORT
driver Component allows the user to change the direction of Port Pins during
runtime.

Port Pin Mode changing

This sub module provides the Port Mode change functionality at run time by
providing the Port_SetPinMode() API. In this functionality the PORT driver
Component allows the user to change the mode of Port Pins during runtime.

This sub module provides the Port Mode change functionality at run time by
23

Chapter 5

Architecture Details

providing the Port_SetToDioMode() API. In this functionality the PORT
driver Component allows the user to change the mode of Port Pin to DIO
mode during runtime.

This sub module provides the Port Mode change functionality at run time by
providing the Port_SetToAlternateMode() API. In this functionality the PORT
driver Component allows the user to change the mode of Port Pin to alternate
mode during runtime.
24

   Registers Details                                                                                                              Chapter 6

Chapter 6
Registers Details

This section describes the register details of PORT Driver Component.

Table 6-1
Register Details

Register

Access
API Name
Registers
Config Parameter
Macro/Variable
8/16/32
bits

-
-
-
-
  Port_Init
Port_SetPinDirection
32 bit
PSRn
PortPinLevelValue
usChangeableConfi
gV
al
32 bit
PMSRn
-
usOrMask
16 bit
PFCEn
-
usOrMask
16 bit
PFCn
-
usOrMask
16 bit
PFCAEn
-
usOrMask
32 bit
PMCSRn
-
usOrMask
16 bit
PINVn
PortOutputLevelInversi
usPortinversionVal
on
Port_RefreshPortDirect
-
-
-
-
ion
Port_SetPinMode
32 bit
PSRn
PortPinLevelValue
usInitModeRegVal
32 bit
PMSRn
-
usOrMask
16 bit
PFCEn
-
usOrMask
16 bit
PFCn
-
usOrMask
16 bit
PFCAEn
-
usOrMask
32 bit
PMCSRn
-
usOrMask
16 bit
PIPCn
-
usOrMask
Port_SearchMode
-
-
-
-
ChangeablePin
Port_InitConfig
32 bit
PSRn
PortPinLevelValue
usInitModeRegVal

16 bit
PISn
PortInputSelection
usInitModeRegVal

16 bit
PIBCn
PortInputBufferControl
usInitModeRegVal
16 bit
PIPCn
PortIpControl
usInitModeRegVal
16 bit
PUn
PullUpOption
usInitModeRegVal
16 bit
PDn
PullDownOption
usInitModeRegVal
16 bit
PBDCn
PortBiDirectionControl
usInitModeRegVal
32 bit
PODCn
PortOpenDrainControl
usInitModeRegVal
32 bit
PDSCn
PortDriveStrengthCont
usInitModeRegVal
rol
16 bit
PFCEn
PortPinInitialMode
usInitModeRegVal
16 bit
PFCn
PortPinInitialMode
usInitModeRegVal
16 bit
PFCAEn
PortPinInitialMode
usInitModeRegVal
PortOutputLevelInversi
16 bit
PINVn
usInitModeRegVal
on
PortOpenDrainControl
16 bit
PODCEn
usInitModeRegVal
Expansion
25

  Chapter 6

     Registers Details

Register

Access
API Name
Registers
Config Parameter
Macro/Variable
8/16/32
bits
PortUnlimitedCurrentC
16 bit
PUCCn
usInitModeRegVal
ontrol
32 bit
PMSRn
PortPinDirection
usInitModeRegVal
32 bit
PMCSRn
PortPinInitialMode
usInitModeRegVal
8 bit
PPROTSn
-
PORT_ONE
32 bit
PPCMDn
-
PORT_WRITE_ER
RO R_CLEAR_VAL
32 bit
PWSn
-
PORT_IOHOLD_S
ET
32 bit
JPSRn
PortPinLevelValue
usInitModeRegVal
8 bit
JPISn
PortInputSelection
usInitModeRegVal
8 bit
JPIBCn
PortInputBufferControl
usInitModeRegVal
16 bit
JPIPCn
PortIpControl
usInitModeRegVal
8 bit
JPUn
PullUpOption
usInitModeRegVal
8 bit
JPDn
PullDownOption
usInitModeRegVal
8 bit
JPBDCn
PortBiDirectionControl
usInitModeRegVal
32 bit
JPODCn
PortOpenDrainControl
usInitModeRegVal
PortDriveStrengthCont
32 bit
JPDSCn
usInitModeRegVal
rol
8 bit
JPFCEn
PortPinInitialMode
usInitModeRegVal
8 bit
JPFCn
PortPinInitialMode
usInitModeRegVal
32 bit
JPMCSRn
PortPinInitialMode
usInitModeRegVal
32 bit
JPMSRn
PortPinDirection
usInitModeRegVal
32 bit
JPPROTS
-
PORT_ONE
PortOpenDrainControl
16 bit
JPODCEn
usInitModeRegVal
Expansion
PortUnlimitedCurrentC
16 bit
JPUCCn
usInitModeRegVal
ontrol
Port_RefreshPortIntern
al
32 bit
PMSRn
-
ulMaskAndConfigV
alue
32 bit
JPMSRn
-
ulMaskAndConfigV
alue
Port_GetVersionInfo
-
-
-
Port_GetVersionInf
o
Port_SetToDioMode
32 bit
PMCSRn
-
usOrMask
Port_SetToAlternateMo
de
32 bit
PMCSRn
-
usOrMask
Port_SetToDioOrAltMo
de
-
-
-
-
Port_SearchDirChange
ablePin
-
-
-
-
Port_FilterConfig
  PortSameLevelSamples
ucDNFACTL
  PortDigitalFilterEnable
8 bit
DNFAnCTL
  PortSamplingClockFre
  Quency
26

Registers Details Chapter 6

Register

Access
API Name
Registers
Config Parameter
Macro/Variable
8/16/32
bits

PortAnalogFilterBypass
8 bit
FCLAnCTL
ucFCLACTL
PortEdgeOrLevelControl
PortDigitalFilterEnable
16 bit
DNFAnEN
usDNFAEN
Input
PortClockSource
32 bit
DNFCKSnC
ulDNFCKS
PortDigitalFilterEnableI
DNFP02nED
8 bit
nput
ucDNFEDC
Cm
PortEdgeDetectControl

27

Chapter 6

Registers Details

28

Interaction Between The User And PORT Driver Component
Chapter 7

Chapter 7
Interaction Between The User And PORT

Driver Component

The details of the services supported by the PORT Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

7.1. Services Provided By PORT Driver Component To
User

The PORT Driver provides following functionalities to the upper layers:
•
To initialize the PORT channels through channel configuration.
•
To De-initialize the PORT channels.
•
To set the PORT channel output to its configured idle state.
•
To read the output state of a PORT channel.
•
To read the version information of the PORT module.
•
To support the diagnostic functionality for PORT channel.

29

Chapter 7 Interaction Between The User And PORT Driver Component

30

PORT Driver Component Header And Source File Description
Chapter 8

Chapter 8
PORT Driver Component Header And

Source File Description

This section explains the PORT Driver Component’s C Source and C Header
files. These files have to be included in the project application while
integrating with other modules.

The C header file generated by PORT Driver Generation Tool:
•
Port_Cfg.h

The C source file generated by PORT Driver Generation Tool:
•
Port_PBcfg.c

The PORT Driver Component C header files:
•
Port.h
•
Port_PBTypes.h
•
Port_Ram.h
•
Port_Version.h
•
Port_Debug.h
•
Port_Types.h

The PORT Driver Component source files:
•
Port.c
•
Port_Ram.c
•
Port_Version.c

The port specific C header files:
•
Compiler.h
•
Compiler_Cfg.h
•
MemMap.h
•
Platform_Types.h
31

  Chapter 8

  PORT Driver Component Header And Source File Description

  The description of the PORT Driver Component files is provided in the table below:

Table 8-1  Description of the PORT Driver Component Files

File
Details
Port_Cfg.h
This file contains various PORT Driver Pre-compile time parameters, macro
definitions for the ISRs, channel notifications used by PORT Driver, PORT channel
handles.
Port_PBcfg.c
This file contains the post-build configuration data. The structures related to PORT
initialization, PORT Timer channel configuration and the timer related structures are
also provided in this file.
Port.h
This file provides extern declarations for all the PORT Driver Component APIs. This
file provides service Ids of APIs, DET Error codes and type definitions for Port
initialization structure. This header file shall be included in other modules to use the
features of PORT Driver Component.
Port_PBTypes.h
This file contains the data structures related to Port initialization, Port Refresh,
Direction changeable Pins at run time and Mode Changeable at run time.
Port_Types.h
This file provides data structure and type definitions for initialization of MCU Driver.
Port_Debug.h
This file is used for version check.
Port_Ram.h
This file contains the extern declarations for the global variables defined in
Port_Ram.c file.
Port_Version.h
This file contains the macros of AUTOSAR version numbers of all modules that are
interfaced to PORT Driver.
Port.c
This file contains the implementation of all APIs.
Port_Ram.c
This file contains the global variables used by PORT Driver Component.
Port_Version.c
This file contains the code for checking version of all modules that are interfaced to
PORT Driver.
Compiler.h
Provides compiler specific (non-ANSI) keywords. All mappings of keywords, which
are not standardized, and/or compiler specific are placed and organized in this
compiler specific header.
Compiler_Cfg.h
This file contains the memory and pointer classes.
MemMap.h
This file allows to map variables, constants and code of modules to individual
memory sections. Memory mapping can be modified as per ECU specific needs.
Platform_Types.h
This file provides provision for defining platform and compiler dependent types.
32

Generation Tool Guide
Chapter 9

Chapter 9
Generation Tool Guide

For more information on the PORT Driver Component Generation Tool,
please refer “AUTOSAR_PORT_Tool_UserManual.pdf”.

33

Chapter 9 Generation Tool Guide

34

  Application Programming Interface

    Chapter 10

Chapter 10  Application Programming Interface

This section explains the Data types and APIs provided by the PORT Driver
Component to the Upper layers.

10.1. Imported Types

This section explains the Data types imported by the PORT Driver
Component and lists its dependency on other modules.

10.1.1 Standard Types

In this section all types included from the Std_Types.h are listed:
Std_VersionInfoType

10.1.2 Other Module Types

In this chapter all types included from the Dem_types.h are listed:
Dem_EventIdType

10.2. Type Definitions

This section explains the type definitions of PORT Driver Component
according to AUTOSAR Specification.
10.2.1 Port_ConfigType

Name:
Port_ConfigType
Type:
struct
  Element:
Type
Name
Explanation

uint32
ulStartOfDbToc
Database start

value.

Port_Regs
pPortNumRegs
Pointer to the

address of

Numeric port

registers

configuration.

Port_FuncCtrlRegs
pPortNumFuncCtrlRegs
Pointer to the

address of the

Numeric function

control registers

configuration.
Port_PMSRRegs
pPortNumPMSRRegs
Pointer to the
address of the
Numeric PMSR
registers
configuration.
Port_Regs
pPortAlphaRegs
Pointer to the
address of the
Alphabetic port
registers
configuration.
35

  Chapter 10                                                                                   Application Programming Interface

Name:
Port_ConfigType
Type:
struct
Port_FuncCtrlRegs
pPortAlphaFuncCtrlRegs
Pointer to the
address of
Alphabetic
function control
registers
configuration.

Port_PMSRRegs
pPortAlphaPMSRRegs
Pointer to the
address of the
Alphabetic
PMSR registers
configuration.
Port_Regs
pPortJRegs
Pointer to the
address of JTAG
port registers
configuration
Port_FuncCtrlRegs
pPortJFuncCtrlRegs
Pointer to the
address of JTAG
function control
registers
configuration
Port_PMSRRegs
pPortJPMSRRegs
Pointer to the
address of JTAG
PMSR registers
configuration.
Port_PinsDirChangeable
pPinDirChangeable
Pointer to the
address of
runtime direction
changeable pins
structure.
Port_PinModeChangeableGroups
pPinModeChangeableGrou  Pointer to the
ps
address of
runtime mode
changeable pin
group details
structure.
Port_PinDioAltChangeableDetails
pPinDioAltModeDetails
Pointer to the
address of run
time mode
changeable pins
structure.
Port_PinModeChangeableDetails
pPinModeChangeableDetai  Pointer to the
ls
address of run
time mode
changeable pins
structure.
Port_DNFARegs
pPortDNFARegs
Pointer to the
DNFA registers
structure.
Port_FCLARegs
pPortFCLARegs
Pointer to the
FCLA registers
structure.
Port_EDCRegs
pPortEDCRegs
Pointer to the
EDC registers
structure
36

  Application Programming Interface

    Chapter 10

Name:
Port_ConfigType
Type:
struct
Port_DNFCKSRegs
pPortDNFCKSRegs
Pointer to the
DNFCKS
registers
structure
uint8
ucNoOfPinsDirChangeable  Total number of
Pins configured
for Direction
Changeable at
run time
uint8
ucNoOfPinsModeChangea
Total number of
ble
Pins configured
for mode
Changeable at
run time
uint8
ucNoOfPinsDioAltModeCha  Total number of
ngeable
Pins configured
for mode
Changeable at
run time
uint8
ucNoOfDNFARegs
The total number
of DNFA noise
elimination
registers
uint8
ucNoOfEDCRegs
The total number
of EDC registers
uint8
ucNoOfFCLARegs
The total number
of FCLA noise
elimination
registers
uint8
ucNoOfNumRestoredRegs  The total number
of Numeric
Restored
registers
uint8
ucNoOfAlphaRestoredRegs  The total number
of Alphabetic
Restored
registers
uint8
  ucNoOfAnalogRestoredRe
The total number
gs
of Analog
Restored
registers

This is the type of the external data structure containing the initialization data for the

PORT Driver Component.
Description:
The user shall use the symbolic names defined in the PORT Driver Configuration Tool.
The configuration of each Port Pin is Microcontroller specific.

10.2.2 Port_PinType

Name:
Port_PinType
Type:
uint16
Range:
0 to 65535

Description:
The user shall use the symbolic names defined in the PORT Driver Configuration Tool.
The configuration of each Port Pin is Microcontroller specific.
37

  Chapter 10                                                                                   Application Programming Interface

10.2.3 Port_PinDirection Type

Name:
Port_PinDirectionlType
Type:
Enumeration

PORT_PIN_OUT
Output Direction
Range:
PORT_PIN_IN
Input Direction
Description:
These are the possible directions; a port pin can have for both input and output.

10.2.4 Port_PinModeType

Name:
Port_PinModeType
Type:
uint8
Range:
PIPC=0
0
PORT_DIO_OUT
(Port_PinModeType)0x00
1
PORT_DIO_IN
(Port_PinModeType)0x01
2
APP_ALT1_OUT
(Port_PinModeType)0x02
3
APP_ALT1_IN
(Port_PinModeType)0x03
4
APP_ALT2_OUT
(Port_PinModeType)0x04
5
APP_ALT2_IN
(Port_PinModeType)0x05
6
APP_ALT3_OUT
(Port_PinModeType)0x06
7
APP_ALT3_IN
(Port_PinModeType)0x07
8
APP_ALT4_OUT
(Port_PinModeType)0x08
9
APP_ALT4_IN
(Port_PinModeType)0x09
A
APP_ALT5_OUT
(Port_PinModeType)0x0A
B
APP_ALT5_IN
(Port_PinModeType)0x0B
C
APP_ALT6_OUT
(Port_PinModeType)0x0C
D
APP_ALT6_IN
(Port_PinModeType)0x0D
E
APP_ALT7_OUT
(Port_PinModeType)0x0E
F
APP_ALT7_IN
(Port_PinModeType)0x0F
Range:
PIPC=1
0
APP_ALT1_OUT_SET_PIPC  (Port_PinModeType)0x82
1
APP_ALT1_IN_SET_PIPC
(Port_PinModeType)0x83
2
APP_ALT2_OUT_SET_PIPC  (Port_PinModeType)0x84
3
APP_ALT2_IN_SET_PIPC
(Port_PinModeType)0x85
4
APP_ALT3_OUT_SET_PIPC  (Port_PinModeType)0x86
5
APP_ALT3_IN_SET_PIPC
(Port_PinModeType)0x87
6
APP_ALT4_OUT_SET_PIPC  (Port_PinModeType)0x88
7
APP_ALT4_IN_SET_PIPC
(Port_PinModeType)0x89
8
APP_ALT5_OUT_SET_PIPC  (Port_PinModeType)0x8A
9
APP_ALT5_IN_SET_PIPC
(Port_PinModeType)0x8B
A
APP_ALT6_OUT_SET_PIPC  (Port_PinModeType)0x8C
B
APP_ALT6_IN_SET_PIPC
(Port_PinModeType)0x8D
C
APP_ALT7_OUT_SET_PIPC  (Port_PinModeType)0x8E
38

  Application Programming Interface

    Chapter 10

D
APP_ALT7_IN_SET_PIPC
(Port_PinModeType)0x8F
Description:
These  are the possible modes; a port pin can have for  both  input and
output.

10.3. Function Definitions

Table 10-1
Function Definitions

SI.No
API’s
API’s specific

1
Port_Init
-
2
Port_SetPInDirection
-
3
Port_RefreshPortDirection
-
4
Port_SetPinMode
-
5
Port_GetVersionInfo
-
6
Port_SetToDioMode
-
7
Port_SetToAlternateMode
-
8
Port_SetPinDefaultDirection
-
9
Port_SetPinDefaultMode
-

39

Chapter 10 Application Programming Interface

40

Development And Production Errors
                                  Chapter 11

Chapter 11  Development And Production Errors

In this section the development and production errors that are reported by the
PORT Driver Component are tabulated. The development errors will be
reported only when the pre compiler option PORT_DEV_ERROR_DETECT is
enabled in the configuration.

11.1.  PORT Driver Component Development Errors

The following table contains the DET errors that are reported by PORT Driver
Component. These errors are reported to Development Error Tracer Module
when the PORT Driver Component APIs are invoked with wrong input
parameters or without initialization of the driver.

Table 11-1
DET Errors of PORT Driver Component

Sl. No.
1
Error Code
PORT_E_PARAM_CONFIG
Related API(s)
Port_Init
Source of Error
API is invoked with NULL Pointer
Sl. No.
2
Error Code
PORT_E_INVALID_DATABASE
Related API(s)
Port_Init
Source of Error
Invalid database is found
Sl. No.
3
Error Code
PORT_E_UNINIT
Related API(s)
Port_RefreshPortDirection, Port_SetPinDirection, Port_SetPinMode,
Port_SetToDioMode, Port_SetToAlternateMode
Source of Error
APIs are invoked without the initialization of the PORT Driver Component.
Sl. No.
4
Error Code
PORT_E_PARAM_PIN
Related API(s)
Port_SetPinMode, Port_SetPinDirection, Port_SetToDioMode,
Port_SetToAlternateMode
Source of Error
API is invoked with invalid Pin
Sl. No.
5
Error Code
PORT_E_PARAM_INVALID_MODE
Related API(s)
Port_SetPinMode
Source of Error
API is invoked with invalid mode
Sl. No.
6
Error Code
PORT_E_DIRECTION_UNCHANGEABLE
Related API(s)
Port_SetPinDirection
Source of Error
API is invoked with Pin which is not configured as ‘Direction Changeable during run
time’.
Sl. No.
7
Error Code
PORT_E_MODE_UNCHANGEABLE
Related API(s)
Port_SetPinMode, Port_SetToDioMode, Port_SetToAlternateMode
Source of Error
API is invoked with Pin which is not configured as ‘Mode Changeable during run time’.

41

Chapter 11

Development And Production Errors

11.2. PORT Driver Component Production Errors

The following table contains the DEM errors that are reported by PORT
software component.

Table 11-2
DEM Errors of PORT Driver Component

Sl. No.
1
Error Code
PORT_E_WRITE_TIMEOUT_FAILURE
Related API(s)
Port_Init ,Port_SetPinDirection
Source of Error
When writing to a write-protected register fails.
42

Memory Organization
Chapter 12

Chapter 12  Memory Organization

Following picture depicts a typical memory organization, which must be met
for proper functioning of PORT Driver Component software.

PORT Driver Component
ROM Section
RAM Section
Library / Object Files

Global RAM of unspecific size required for Port
Port Driver code related to API’s are placed in
Driver functioning.
this memory.

X1
Segment Name:
Y1
   PORT_PUBLIC_CODE_ROM
Segment Name:
   NOINIT_RAM_UNSPECIFIED

Port Driver code related to Internal Functions
Global 1-bit RAM to be initialized by start-up
are placed in this memory
code.
X2
Segment Name:
Y2
Segment Name:
RAM_1BIT

PORT_PRIVATE_CODE_ROM


      Tool Generated Files

The const section in the file Port_PBcfg.c is
placed in this memory.

Segment Name:
X3
PORT_CFG_DBTOC_UNSPECIFIED

The const section in the file Port_PBcfg.c is
placed in this memory.

X4
Segment Name:
PORT_CFG_DATA_UNSPECIFIED

Figure 12-1
PORT Driver Component Memory Organization
43

Chapter 12 Memory Organization

ROM Section (X1, X2, X3 and X4):

PORT_PUBLIC_CODE_ROM (X1): API(s) of PORT Driver Component,
which can be located in code memory.

PORT_PRIVATE_CODE_ROM (X2): Internal functions of PORT Driver
Component code that can be located in code memory.

PORT_CFG_DBTOC_UNSPECIFIED (X3): This section consists of PORT
Driver Component database table of contents generated by the PORT Driver
Component Generation Tool. This can be located in code memory.

PORT_CFG_DATA_UNSPECIFIED (X4): This section consists of PORT
Driver Component constant configuration structures. This can be located in
code memory.

RAM Section (Y1 and Y2):

NOINIT_RAM_UNSPECIFIED (Y1): This section consists of the global RAM
variables that are used internally by PORT Driver Component. This can be
located in data memory.

RAM_1BIT (Y2): This section consists of the global RAM variables of 1-bit
size that are used internally by PORT Driver Component. This can be located
in data memory.

44

P1M Specific Information
Chapter 13

Chapter 13  P1M Specific Information

P1M supports following devices:
•  R7F701304
•  R7F701305
•  R7F701310
•  R7F701311
•  R7F701312
•  R7F701313
•  R7F701314
•  R7F701315
•  R7F701318
•  R7F701319
•  R7F701320
•  R7F701321
•  R7F701322
•  R7F701323

13.1.  Interaction between the User and PORT Driver
Component

The details of the services supported by the PORT Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

13.1.1.
Translation Header File

The translation header file supports following devices:

•  R7F701304
•  R7F701305
•  R7F701310
•  R7F701311
•  R7F701312
•  R7F701313
•  R7F701314
•  R7F701315
•  R7F701318
•  R7F701319
•  R7F701320
•  R7F701321
•  R7F701322
•  R7F701323
13.1.1.
Parameter Definition File
Parameter definition files support information for P1M
Table 13-1  PDF information for P1M

PDF Files
Devices Supported
R403_PORT_P1M_04_05
701304, 701305
R403_PORT_P1M_10_11_14_15
701310, 701311, 701314, 701315
45

Chapter 13                                                  P1M Specific Information

R403_PORT_P1M_12_13
701312, 701313
R403_PORT_P1M_18_19_22_23
701318, 701319, 701322, 701323
R403_PORT_P1M_20_21
701320, 701321

13.1.2.
Services Provided By PORT Driver Component to the User

The PORT Driver Component provides the following functionalities to the
upper layers or users:

•  To initialize the Port and set according Port filter functions.
•  To refresh the direction of Port.
•  To switch the Port pin direction at run time.
•  To change the mode of a Port pin at run time.
•  To read the PORT Driver Component version information.

13.2.  Sample Application

13.2.1.
Sample Application Structure

The Sample Application is provided as reference to the user to understand
the method in which the PORT APIs can be invoked from the application.

Generic

AUTOSAR TYPES
COMPILER
RH850 TYPES

Devices

P1x PO R T
STUB
STUB
STUB

Sample
DET
DEM
SchM

application

Figure 13-1
Overview of PORT Driver Sample Application

The Sample Application of the P1M is available in the path

X1X\P1x\modules\port\sample_application

The Sample Application consists of the following folder structure:
46

P1M Specific Information
Chapter 13

X1X\P1x\modules\port\definition\<AUTOSAR_version>\<SubVariant>\
R403_PORT_P1M_04_05.arxml
 R403_PORT_P1M_10_11_14_15.arxml
 R403_PORT_P1M_12_13.arxml
 R403_PORT_P1M_18_19_22_23.arxml
 R403_PORT_P1M_20_21.arxml

X1X\P1x\modules\port\sample_application\<SubVariant>\
 <AUTOSAR_version>\
\src\Port_PBcfg.c
\include\Port_Cfg.h

 \config\App_PORT_P1M_701304_Sample.arxml
 \config\App_PORT_P1M_701304_Sample.html
 \config\App_PORT_P1M_701304_Sample.one

 \config\App_PORT_P1M_701305_Sample.arxml
 \config\App_PORT_P1M_701305_Sample.html
 \config\App_PORT_P1M_701305_Sample.one

 \config\App_PORT_P1M_701310_Sample.arxml
 \config\App_PORT_P1M_701310_Sample.html
 \config\App_PORT_P1M_701310_Sample.one

 \config\App_PORT_P1M_701311_Sample.arxml
 \config\App_PORT_P1M_701311_Sample.html
 \config\App_PORT_P1M_701311_Sample.one

 \config\App_PORT_P1M_701312_Sample.arxml
 \config\App_PORT_P1M_701312_Sample.html
 \config\App_PORT_P1M_701312_Sample.one

 \config\App_PORT_P1M_701313_Sample.arxml
 \config\App_PORT_P1M_701313_Sample.html
 \config\App_PORT_P1M_701313_Sample.one

 \config\App_PORT_P1M_701314_Sample.arxml
 \config\App_PORT_P1M_701314_Sample.html
 \config\App_PORT_P1M_701314_Sample.one

 \config\App_PORT_P1M_701315_Sample.arxml
 \config\App_PORT_P1M_701315_Sample.html
 \config\App_PORT_P1M_701315_Sample.one

 \config\App_PORT_P1M_701318_Sample.arxml
 \config\App_PORT_P1M_701318_Sample.html
 \config\App_PORT_P1M_701318_Sample.one

 \config\App_PORT_P1M_701319_Sample.arxml
 \config\App_PORT_P1M_701319_Sample.html
 \config\App_PORT_P1M_701319_Sample.one

 \config\App_PORT_P1M_701320_Sample.arxml
 \config\App_PORT_P1M_701320_Sample.html
 \config\App_PORT_P1M_701320_Sample.one

 \config\App_PORT_P1M_701321_Sample.arxml
 \config\App_PORT_P1M_701321_Sample.html
 \config\App_PORT_P1M_701321_Sample.one
47

Chapter 13                                                  P1M Specific Information

                                \config\App_PORT_P1M_701322_Sample.arxml
                                \config\App_PORT_P1M_701322_Sample.html
                                \config\App_PORT_P1M_701322_Sample.one

                                \config\App_PORT_P1M_701323_Sample.arxml
                                    \config\App_PORT_P1M_701323_Sample.html
                                \config\App_PORT_P1M_701323_Sample.one

In the Sample Application all the PORT APIs are invoked in the following
sequence:

•
Port_GetVersionInfo:  The  API  Port_GetVersionInfo  is invoked  to  get  the
version of the PORT Driver module with a variable of Std_VersionInfoType
after the call of this API the past parameter will get updated with the PORT
Driver version details.

•
Port_RefreshPortDirection: The API refreshes the direction of all ports to
the configured direction. It excludes those port pins from refreshing that
are configured as ‘pin direction changeable during runtime’  by invoking
internal API Port_RefreshPortInternal().

•
Port_SetPinMode: This service sets the Port Pin mode during runtime.

•
Port_SetToDioMode: This function used to set the mode of a port pin to
DIO mode during runtime.

•
Port_SearchModeChangeablePin: This function searches the given PIN Id
in the existing list of PIN IDs which are mode changeable in run time
through Binary Search algorithm.

•
Port_Init: The API Port_Init is invoked with a valid database address for the
proper initialization of the PORT Driver, all the PORT Driver control
registers and RAM variables will get initialized after this API is called.

•
The API Port_GetOutputState is invoked to get the channel output state
and provides the service to read the internal state of a PORT output signal
of a channel.

•
Port_InitConfig: This function initializes all ports and port pins with the
configuration set pointed by ConfigPtr.

•
Port_FilterConfig: This Function used to initialize all the registers of filter
configuration.

•
Port_SearchDirChangeablePin: This function searches the given PIN Id in
the existing list of PIN Id’s which are direction changeable in run time
through Binary Search algorithm.

•
Port_RefreshPortInternal: The API refreshes the direction of all ports to the
configured direction. It excludes those port pins from refreshing that are
configured as ‘pin direction changeable during runtime.

48

P1M Specific Information
Chapter 13

13.2.2.
Building Sample Application

13.3.2.1. Configuration Example

This section contains the typical configuration which is used for measuring
RAM/ROM consumption, stack depth and throughput details.

Configuration Details: App_PORT_P1M_701310_Sample.html

13.3.2.2. Debugging the Sample Application

Remark GNU Make utility version 3.81 or above must be installed and available in the
path as defined by the environment user variable “GNUMAKE” to complete
the build process using the delivered sample files.

Open a Command window and change the current working directory to “make”
directory present as mentioned in below path:

“X1X\P1x\common_family\make\<Compiler>”

Now execute the batch file SampleApp.bat with following parameters:

SampleApp.bat Port 4.0.3 <Device_name>

•
After this, the tool output files will be generated with the configuration
as mentioned in App_PORT_P1M_701310_Sample.html file available
in the path:

“X1X\P1x\modules\port\sample_application\<SubVariant>\<AUTOSAR_ve
rsion>\config\App_PORT_P1M_701310_Sample.html”

•
After this, all the object files, map file and the executable file
App_PORT_P1M_Sample.out will be available in the output folder:
(“X1X\P1x\modules\port\sample_application\<SubVariant>
\obj\<Compiler>”)

•
The executable can be loaded into the debugger and the sample application
can be executed.

•
The initialization function initializes all ports and port pins with the
configuration set pointed by ConfigPtr by invoking internal API
Port_InitConfig(). This function should be called first in order to initialize the
port for use otherwise no operation can occur on the MCU ports and port
pins. This function is also called after reset, in order to reconfigure the ports
and port pins of the MCU.

•
Port Set Pin Mode: This API will change the pin mode to the requested
mode.

•
Port_SetToDioMode: This API will set the mode of a pin to DIO mode.

•
Port_SetToAlternateMode: This API will set the mode of a port pin to
Alternate mode.

•
Port SetPinDirection: This API will change the direction of the pin to the
requested direction.

•
Port RefreshPortDirection: This API will refresh all the port pins to the
configured value except the pins that are configured as pin direction
49

Chapter 13 P1M Specific Information

changeable during runtime.

Note: The <Device_name> indicates the device to be compiled, which can be
701304 or 701305 or 701310 or 701311 or 701312 or 701313 or 701314
or 701315 or 701318 or 701319 or 701320 or 701321 or 701322 or
701323 .

Remark Executable files with ‘*.out’ extension can be downloaded into the target
hardware with the help of Green Hills debugger.

•
If any configuration changes (only post-build) are made to the ECU
Configuration Description files

“X1X\P1x\modules\port\sample_application\<SubVariant>
\<AUTOSAR_version>\config\App_PORT_P1M_701310_Sample.arxml”

•
The database alone can be generated by using the following commands.
make –f App_PORT_P1M_Sample.mak generate_port_config
make –f App_PORT_P1M_Sample.mak App_PORT_P1M_Sample.s37
•
After this, a flash able Motorola S-Record file
App_PORT_P1M_Sample.s37 is available in the output folder.

13.3. Memory and Throughput

13.3.1.
ROM/RAM Usage

The details of memory usage for the typical configuration, with DET disabled
as provided in Section 13.3.2.1 Configuration Example are provided in this
section.

 Table 13-2
ROM/RAM Details without DET

Sl. No. ROM/RAM Segment Name
Size in bytes for Size in bytes for
701312
701310
1
ROM
PORT_PUBLIC_CODE_ROM
-
 1278

PORT_PRIVATE_CODE_ROM
-
2142

PORT_CFG_DATA_UNSPECIFIED
-
548

PORT_CFG_DBTOC_UNSPECIFIED
-
48
2
RAM
RAM_1BIT
-
0

NOINIT_RAM_UNSPECIFIED
-
4

The details of memory usage for the typical configuration, with DET enabled
and all other configurations as provided in 13.3.2.1 Configuration Example
are provided in this section.

50

P1M Specific Information
Chapter 13

                                      Table 13-3
ROM/RAM Details with DET

Sl. No.  ROM/RAM
Segment Name
Size in bytes
Size in bytes
for 701312
for 701310
1
ROM
PORT_PUBLIC_CODE_ROM
-
1828

PORT_PRIVATE_CODE_ROM
-
2166

PORT_CFG_DATA_UNSPECIFIED
-
532

PORT_CFG_DBTOC_UNSPECIFIED
-
48
2
RAM
RAM_1BIT
-
1

NOINIT_RAM_UNSPECIFIED
-
4

13.3.2.
Stack Depth

The  worst-case  stack  depth  for  PORT  Driver  Component  for  the  typical
configuration provided in Section 13.3.2.1 is 92 bytes.

13.3.3.
Throughput Details

The  throughput  details  of  the  APIs  for  the  configuration  mentioned  in  the
Section 13.3.2.1 Configuration Example will be provided in the next release.
The clock frequency used to measure the throughput is 80 MHz for all APIs.

            Table 13-4
Throughput Details of the APIs

Sl. No.
API Name
Throughput in
Throughput in
Remarks
microseconds
microseconds
for 701310
for 701312
1
Port_Init
45.9
-
-
2
Port_RefreshPortDirection
2.52
-
-
3
Port_SetPindirection
3.24
-
-
4
Port_GetVersionInfo
0.45
-
-
5
Port_SetPinMode
3.69
-
-
6
Port_SetToDioMode
1.98
-
-
7
Port_SetToAlternateMode
1.62
-
-
8
Port_SetPinDefaultDirection
1.8
-
-
9
Port_SetPinDefaultMode
3.15
-
-

51

Chapter 13 P1M Specific Information

52

Release Details

Chapter 14

Chapter 14 Release Details

PORT Driver Software

Version: 1.5.0

53

Chapter 14

Release Details

54

Revision History

Sl.No.
Description
Version
Date
1.
Initial Version
1.0.0
9-Oct-2013
2.
Following changes are made:
1.0.1
21-Nov-2013
1. Sample application is regenerated for the change in parameter
definition file.
2. Section 10.2.4 is updated for Port_PinModeType.
3.
Following changes are made:
1.0.2
31-Jan-2014

1.  Chapter 2 is updated for referenced documents version.
2.  Section 13.1.1 is updated for adding the device names.
3.  Section 13.2 is updated for compiler, assembler and linker
details.
4.  Section 13.3 is updated to add parameter definition file and
sample application configuration files for all P1M devices.
5.  Chapter 14 is updated for PORT driver component version
information.
4.
Following changes are made:
1.0.3
03-Sep-2014
1.  Chapter 2 is updated for referenced documents version.
2.  Section 13.1.1 is updated for adding the device names.
3.  Section 13.2 is updated for compiler, assembler and linker
details.
4.  Section 13.3 is updated to add parameter definition file and
sample application configuration files for all P1M devices.
5.  Chapter 14 is updated for PORT driver component version
information.
6.  Deviation list is updated to add PORT_E_PARAM_POINTER
error foe Port_GetVersioInfo API and AUTOSAR requirement.
7.  Memory and Throughput details are updated.
8.  Section 10.2.1 is updated to add new structure element.
5.
Following changes are made:
1.0.4
05-Sep-2014
1. Section 13.4.3 updated for Throughput details.
2. Page alignment is updated.
3. Table of contents updated.
6.
  Following changes are made:
1.0.5
29-Apr-2015
1.  Section 1.1 Document Overview is updated.
2.  Chapter 2 Reference documents are updated for version
change.
3.  Chapter 4 is updated for information regarding Interrupt vector
table.
4.  Chapter 6 Port_SetPinMode is updated.
5.  Section 10.2.4  Port_PinModeType is updated.
6.  Section 13.1.1 is updated for adding new devices.
7.  Section 13.2 Compiler, Linker and Assembler section is
removed.
8.  Section 13.2 is updated for parameter definition file and sample
application configuration files of all P1M devices.
9.  Section 13.3 Memory and Throughput details are updated.

55

AUTOSAR MCAL R4.0.3 User's Manual
PORT Driver Component Ver.1.0.5
Embedded User’s Manual

Publication Date: Rev.0.02, April 29, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  d
etailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson  Road,  Newmarket,  Ontario  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics  Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics  Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf,  Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics  (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu  Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics  (Shanghai)  Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics  Hong  Kong  Limited
Unit  1601-1613,  16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok,  Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics  Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics  Singapore  Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  keppel  Bay  Tower,  Singapore  098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics  Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics  Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User’s Manual

Document Outline

19.4 - Port Peer Review Checklists

Overview

Summary Sheet
Synergy Project
Source Code

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Port

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Port_Renesas_Ar4.0.3_01.05.00_1

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3176

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

20 - Renesas Mcal Support

Renesas Mcal Support

Component Documentation

20.1 - GettingStarted_MCAL_Drivers_X1x

AUTOSAR MCAL R3.2 and R4.0 User's Manual

20.2 - GettingStarted_MCAL_Drivers_X1x_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66

20.3 - GettingStarted_MCAL_Drivers_X1xs

Getting Started Document for
X1x MCAL Driver

User’s

Manual
Version 1.0.5

Target Device:
RH850/X1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.01 Aug 2014

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is

subject to change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please

confirm the latest product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to

additional and different information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights

of third parties by or arising from the use of Renesas Electronics products or technical information described in this document.

No license, express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights

of Renesas Electronics or others.

3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software,

and information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control

laws and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas

Electronics products or the technology described in this document for any purpose relating to military applications or use by

the military, including but not limited to the development of weapons of mass destruction.  Renesas Electronics products and

technology may not be used for or incorporated into any products or systems whose manufacture, use, or sale is prohibited

under any applicable domestic or foreign laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics

does not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages

incurred by you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades: "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as

indicated below.  You must check the quality grade of each Renesas Electronics product before using it in a particular

application.  You may not use any Renesas Electronics product for any application categorized as "Specific" without the prior

written consent of Renesas Electronics.  Further, you may not use any Renesas Electronics product for any application for

which it is not intended without the prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way

liable for any damages or losses incurred by you or third parties arising from the use of any Renesas Electronics product for an

application categorized as "Specific" or for which the product is not intended where you have failed to obtain the prior written

consent of Renesas Electronics.  The quality grade of each Renesas Electronics product is "Standard" unless otherwise

expressly specified in a Renesas Electronics data sheets or data books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti-

crime systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or

damages arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have

specific characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further,

Renesas Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to

guard them against the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire

control and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because

the evaluation of microcomputer software alone is very difficult, please evaluate the safety of the final products or system

manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental

compatibility of each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable

laws and regulations that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS

Directive.  Renesas Electronics assumes no liability for damages or losses occurring as a result of your noncompliance with

applicable laws and regulations.

11.
This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.


(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority-

owned subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.
3
                                                                                                                                                                                                                        3

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
ARXML/arxml
AUTOSAR xml
AUTOSAR
Automotive Open System Architecture
BSWMDT
Basic Software Module Description Template
<MSN>
Module Short Name
ECU
Electronic Control Unit
GUI
Graphical User Interface
MB
Mega Bytes
MHz
Mega Hertz
RAM
Random Access Memory
xml/XML
eXtensible Markup Language
<MICRO_VARIANT>
F1x, R1x, P1x, E1x etc.
<MICRO_SUB_VARIANT>
F1L, R1L, P1L, E1L, E1MS etc.
AUTOSAR_VERSION
3.2.2 or 4.0.3
DEVICE_NAME
Example :701205EAFP

Definitions

Terminology
Description
.xml
XML File.
.one
Project Settings file.
.arxml
AUTOSAR XML File.
.trxml
Translation XML File.
ECU Configuration
The ECU Configuration Parameter Definition is of type XML, which contains the
Parameter Definition File
definition for AUTOSAR software components i.e. definitions for Modules,
Containers and Parameters. The format of the XML File will be compliant with
AUTOSAR ECU specification standards.
ECU Configuration
The ECU Configuration Description file in XML format, which contains the
Description File
configured values for Parameters, Containers and Modules. ECU Configuration
Description XML File format will be compliant with the AUTOSAR ECU
specification standards.
BSWMDT File
The BSWMDT File in XML format, which is the template for the Basic Software
Module Description. BSWMDT File format will be compliant with the AUTOSAR
BSWMDT specification standards.
Translation XML File
Translation XML File is in XML format which contains translation and device
specific header file path.
Configuration XML File
Configuration XML File is in XML format which contains command line options
and options for input/output file path.
5

6

10

Introduction

Chapter 1

Chapter 1
Introduction

The document describes the information about installation, usage of ECU
Configuration Editor (ECU Spectrum), Generation Tool and references to
Sections in the Component User Manuals that the user needs to refer to build
the executable.

ECU Spectrum is a tool that dynamically generates GUI controls for specified
AUTOSAR components according to ECU Configuration Parameter Definition
File and generates ECU Configuration Description file complying with
AUTOSAR standards.

Generation Tool is a command line tool that accepts ECU Configuration
Description File(s), BSWMDT File, Translation XML File and Configuration
XML File as input and generates the C source and header files based on the
configuration of the module.
11

Chapter 1

Introduction

12

ECU Configuration Editor (ECU Spectrum)

Chapter 2

Chapter 2
ECU Configuration Editor (ECU

Spectrum)

2.1.
Installation Of ECU Configuration Editor (ECU

Spectrum)

The Following procedure is to be followed for proper installation of the
software:

Copy all the files from the installation disk to a separate folder on to the hard
disk of the computer on which the application is to be installed (recommended
but not mandatory). Initialize the ‘setup.exe’ file (This can also be done by
directly clicking on the same file in the installation disk).

An Install Shield application is invoked which guides the user throughout the
installation of the software.

The ECU Spectrum installation Disk1 consists of the following files:

•
data1.cab

•
data1.hdr

•
data2.cab

•
engine32.cab

•
layout.bin

•
setup.bmp

•
setup.exe

•
setup.ibt

•
setup.ini

•
setup.inx

•
setup.skin

The user is recommended to take backup of the installation disk before
proceeding with the actual installation. Due to certain reasons if the installation
procedure is aborted, the backup can be used.

The installation procedure is divided into ten steps. The details of all the steps
are given below.
13

Chapter 2

ECU Configuration Editor (ECU Spectrum)

Step 1:

Figure 2-1
Installation Initiation

Run ‘setup.exe’ by double clicking on the setup.exe icon. This operation shows
the progress indication dialog as shown in the above Figure 2-1. After
displaying above Figure 2-1, for few minutes ECU Spectrum splash screen will
appear.

Figure 2-2
Splash Screen

14

ECU Configuration Editor (ECU Spectrum)

Chapter 2

After displaying splash screen for few seconds following 'Preparing Setup'
dialog box appears (Refer Figure 2-3).

Figure 2-3
ECU Spectrum installation step 1

Step 2:

Figure 2-4
ECU S pectrum installation step 2

After completion of the above operation, another dialog box is displayed (Refer
Figure 2-4) in order to get confirmation from the user to proceed with the
installation. The user can cancel the installation of software by selecting
‘Cancel’ button’. To proceed with the installation select ‘Next’ button.
15

Chapter 2

ECU Configuration Editor (ECU Spectrum)

Step 3:

Figure 2-5
ECU Spectrum installation step 3

On selecting ‘Next’ button in Step 2, a dialog box is invoked displaying the
license agreement. If the terms and conditions of the agreement are
acceptable then select ‘Yes’ button else select ‘No’ button to abort the
installation. The user can select ‘Back’ button in order to modify previously
made settings. (Refer Figure 2-5)

Step 4:




Figure 2-6
ECU Spectrum installation step 4
16

ECU Configuration Editor (ECU Spectrum)

Chapter 2

Step 5:

‘Customer Information’ dialog is displayed. Enter the User Name, Company
Name and Serial Number and click on ‘Next’ button to proceed for further
installation procedure. (Refer Figure 2-6)

Figure 2-7
ECU Spectrum installation step 5

Dialog box is displayed for user registration confirmation. Check the appeared
user registration information, if yes click on ‘Yes’ button. (Refer Figure 2-7). If
not click on ‘No’ and re-enter the user registration information.

Step 6:

17

Chapter 2

ECU Configuration Editor (ECU Spectrum)

Figure 2-8
ECU Spectrum installation step 6

Next, a dialog box allowing the user to select the destination folder is
displayed (Refer Figure 2-8). The default directory for installation selected by
the Install shield is C:\Program Files\ECU Spectrum R3.0. However the user
can select the folder for installation of his/her choice using the ‘Browse’
button. The user can cancel the installation of software by selecting 'Cancel'
button and click on 'Next' button to proceed for further installation procedure.

Step 7:

Figure 2-9
ECU Spectrum installation step 7

Next, a dialog box allowing the user to select the program folder is displayed.
By default, the name of the folder is ‘ECU Spectrum R3.0’ and the user is
allowed to change the folder name. (Refer Figure 2-9)

Select ‘Next’ button to continue the installation and ‘Cancel’ button to abort the
installation.
18

ECU Configuration Editor (ECU Spectrum)

Chapter 2

Step 8:

Figure 2-10  ECU Spectrum installation step 8

After selecting the appropriate folder for installation, the install wizard will
display a dialog box displaying the status of the files being copied. (Refer
Figure 2-10).

The user is allowed to abort the installation by pressing ‘Cancel’ button.

Step 9:

Figure 2-11  ECU Spectrum installation step 9

After confirmation from the user for copying the files mentioned in Step 8, the
install wizard will automatically install the ECU Spectrum application, based on

19

Chapter 2

ECU Configuration Editor (ECU Spectrum)

the selections made by the user. After completion of the installation procedure,
a dialog gets displayed to intimating the user about completion of the
installation process. (Refer Figure 2-11).

Step 10: Click on ‘Finish’ button to complete the installation process.

2.2.
ECU Spectrum Input and Output Files

ECU Spectrum takes ECU Configuration Parameter Definition File(s) as input.
It reads the definitions, provides a generic interface to edit values for all the
configuration parameters and generates the ECU Configuration Description
file(s) in XML format. It resolves relatively simple dependencies explicitly
defined in the ECU Configuration Parameter Definition file. On the Plug-In
side, the user can choose the Generation Tool executable for the individual
components that takes ECU Configuration Description File as input and
generates the required ‘C’ source and header files.

. ONE
AUTOSAR

X L
M   AUTOSAR

XML

ECU SPECTRUM
PROJECT SETTING
ECU

FILE
CONFIGURATION

PARAMETER

DEFINITION

AUTOSAR
X L
M

AUTOSAR
XML

GENERATION
ECU
TOOLS

DESCRIPTION

C FILE
C FILE

HEADER AND
SOURCE FILES

Figure 2-12  ECU Spectrum Overview

20

Configuration Using ECU Configuration Editor (ECU Spectrum)                                         Chapter 3

Chapter 3
Configuration Using ECU Configuration

Editor (ECU Spectrum)

This section gives details about procedure for creating a new project,
configuring the parameters, saving a project, validating the current GUI
configuration and generating ECU Configuration Description file of ECU
Spectrum.

3.1.
Creating New Project

Creating a ‘New Project’ loads the modules from specified ECU Configuration
Parameter Definition File into the Software. New Project is created using “File -
> New Project” from the main menu.

Steps to be followed:

1.  Select “File -> New Project”.

2.  Select the AUTOSAR Version. Default AUTOSAR version is 4.0.x.

3.  Browse a valid Project Settings file name (of type ‘.one’).

4.  Browse a valid ECU Configuration Parameter Definition File name (of type
                      ‘*.xml /*.arxml’).

5.  Click on ‘OK’ button.

6.  Follow step 4 to load more than one definition file.

The modules available in the selected files get loaded into the software and it
is saved in the specified Project Settings file location. Specified Project
Settings File name is displayed on the title bar of the ECU Spectrum along with
the respective AUTOSAR version.

21

Chapter 3

  Configuration Using ECU Configuration Editor (ECU Spectrum)

Figure 3-1
Creating New Project

The modules available in the selected files get loaded into the Software and it
is saved in the specified Project Settings location. Specified Project Settings
file name is displayed on the Title bar of the Software.

3.2.
Configuration

Right click on the module in the 'Left Selection View', a popup menu having
'New Module’ option is displayed. On selecting this option, the instance of the
module is created. The ECU Spectrum will assign a short name to the newly
created module automatically. On selecting the newly created module, controls
are displayed in the 'Right Configuration View' for configuration. Edit the data
and validate the current GUI configuration. Errors/Warnings/Messages is
displayed in the ‘Message Info’ window, if any.

The user can configure any number of modules, containers, parameters, and
references depending on the Multiplicity specified in the ECU Configuration
Parameter Definition File.

Right clicking on the instance of the module in 'Left Selection View', a popup
menu having ‘Insert Copy’ ,‘Delete’ ,’Expand’ and ’Collapse’ option is
displayed. Using ’Insert Copy’, the copy of selected element with configured
values is inserted. ‘Insert Copy’ option is displayed in the pop up menu based
on the multiplicity.  Using ‘Delete’, user can delete the selected element.
‘Expand’ is used to expand the selected element and ‘Collapse’ is used to
collapse the selected element.

Existing Project Settings can be configured in following ways:

1.  Right Click on the module and add an instance of the module.
  22

Configuration Using ECU Configuration Editor (ECU Spectrum) Chapter 3

Figure 3-2
Adding New Module Instance

2.Click on the instance of the module, user will find a grid on right view for
configuration.

Figure 3-3
GUI for Configuration
23

Chapter 3

  Configuration Using ECU Configuration Editor (ECU Spectrum)

3.2.1.  Parameter Configuration

Short Name, Definition Type, Lower multiplicity, Upper multiplicity, Minimum
value, Maximum value, Implementation config class, Implementation config
variant,  Default value and Long Name are displayed in ‘Attributes’ grid  and
Description of the parameter is displayed in the ’Description’ display area on
click of the parameter in the ‘Right Configuration View’ as shown in the
following figure. Configure the parameter and press ‘ENTER’ button. Following
are the types of the parameters:

Figure 3-4
Parameter Configuration

3.2.2.  Distinguish Between Containers

On selecting the newly created module in the ‘Left Selection View’, controls are
displayed in the 'Right Configuration View' for configuration. Name of the
containers gets displayed at the top of the ‘Right Configuration View’ as shown
in the following figure. On selecting the container, Parameters and sub-
containers gets displayed in the grid control as shown in the following figure.
24

Configuration Using ECU Configuration Editor (ECU Spectrum)                                         Chapter 3

Figure 3-5
Distinguish Between Containers

3.2.3.  Save Project

Using “File-> Save Project” menu item, current GUI configuration can be saved
with specified Project Settings file name.

3.2.4.  Validation

The modules configuration can be checked for correctness and completeness
in validation. Before generation of ECU Configuration Description, validate the
configured values of the modules. Select “Project -> Validate” or press ‘F8’ key,
25

  Chapter 3

  Configuration Using ECU Configuration Editor (ECU Spectrum)

a current GUI configuration is validated and list of Errors/Warnings/Messages
is displayed in the ‘Message Info’ window, if any.

Figure 3-6
Validation

3.3.
Generate ECU Configuration Description

This generates the ECU Configuration Description File, which contains the
configured values for Parameters, Containers and Modules. The generated
ECU Configuration Description File format will be compliant with the
AUTOSAR ECU specification standards. After validation of the configured
values, to generate the ECU Configuration Description follow the below steps:

1.  Select “Generate -> ECU Configuration Description”.

2.  Check the ‘Select all’ Check box.

3.  Specify the ECU Configuration Description File name (of type '*.xml/
                                               *.arxml’).

4.  Click ‘Generate’ button

26

Configuration Using ECU Configuration Editor (ECU Spectrum) Chapter 3

Figure 3-7
Description File Generation

Successful generation message is displayed in the ‘Result’ display area. The
ECU Configuration Description data for all modules is generated at the
specified location.
27

Chapter 3

Configuration Using ECU Configuration Editor (ECU Spectrum)

28

Generation Tool

     Chapter 4

Chapter 4
Generation Tool

Generation Tool is a command line tool that provides scalability and
configurability for the component. It accepts ECU Configuration Description
File(s), BSWMDT File, Translation XML File and Configuration XML File as
input and generates the C Header and C Source files. However Configuration
XML File is optional.

ECU Configuration

Output Folder  -O or
Description Fil e(s )

-OUTPU T
(.arxml),  BSWMDT
Generation  Tool
‘Folder_Name’
File and Translation

XML Fi le (.trxml)

Label to be searched
inc
src

Configuration XML
Translation Header

File (.cfgxml)
File (.h)

*.h
*.c

Mapped Label to be searched

Address to be generated
Device Specific
Header File (.h)

Figure 4-1
Generation Tool Overview

4.1.
Translation XML File

Generation Tool accepts ECU Configuration Description File(s) (.arxml),
BSWMDT File (.arxml) and Translation XML File (.trxml) as an input.
Translation XML File is in XML format which contains translation and device
specific header file path. For the syntax of the contents of Translation XML
File, please refer the Chapter 8 Appendix.

If mapped device specific address label is changed/updated then only
respective mapping in Translation Header File needs to be updated. In this
case there will not be any impact on Generation Tool for the generation of
address in tool generated output file(s).
29

Chapter 4



Generation Tool

4.1.1. Translation Header File

This file is look-up table (mapping in the form of definitions) for the device
specific address labels. Based on the configuration in ECU Configuration
Description File, the mapped device specific address labels will be searched
in Device Specific Header File by Generation Tool to generate associated
address in tool generated output file(s). For the Translation Header File path,
the value of ‘<Msn>DeviceName’ parameter from the container
‘<Msn>General’ container should be present as child tag of TRANSLATION-
FILE-PATH in Translation XML File. Both ‘Absolute’ and ‘Relative’ paths are
supported by generation tool however default path is ‘Relative’ path.

E.g.

<TRANSLATION-FILE-PATH>

<Value_Of_MsnDeviceName>..\DF_Timer.h
..\DF_Timer_ISR.h</ Value_Of_MsnDeviceName>

</TRANSLATION-FILE-PATH>

4.1.2. Device Specific Header File

This file contains device specific labels and associated address. Based on the
configuration in ECU Configuration Description File, the mapped device
specific address labels will be used to generate associated address in tool
generated output file(s). For the Device Specific Header File path, the value of
‘<Msn>DeviceName’ parameter from the container ‘<Msn>General’ container
should be present as child tag of DEVICE-FILE-PATH in Translation XML File.
Both ‘Absolute’ and ‘Relative’ paths are supported by generation tool however
default path is ‘Relative’ path.

If multiple Device Specific Header Files need to be provided for the same
device (value of ‘<Msn>DeviceName’ parameter) in Translation XML File, then
each Device Specific Header File path should be separated with ‘space’.

E.g.

<DEVICE-FILE-PATH>

<Value_Of_MsnDeviceName>..\DF_Timer.h ..\DF_Timer_ISR.h</
Value_Of_MsnDeviceName>

</DEVICE-FILE-PATH>

Remark Generation Tool will searches the mapped labels in Device Specific Header
File by using Translation Header File for the respective address generation in
tool generated output file(s).

4.2.
Configuration XML File

Configuration XML File is in XML format which contains command line options
and input/output path. For the syntax of the contents of Configuration XML File,
please refer the Chapter 8 Appendix.
30

Generation Tool


 Chapter 4

E.g.

<LOG>ON/OFF</LOG>

<HELP>ON/OFF</HELP>

4.3.
Usage

This section provides the information regarding usage of the Generation Tool.
It also provides the syntax of the command line arguments (input filenames
and options).

Generation Tool executable is invoked as shown below.

{<Component_Name>_X1x.exe} <Options> <Input Filename(s)>

Where,

<Component_Name>_X1x.exe: Name of the Generation Tool Executable

Options: [-H/-Help -C/-Config -O/-Output -Osrc -Oinc -L/-Log -D/-Dryrun]

Input Filename(s): {ECU Configuration Description File(s), BSWMDT File and
Translation XML File [optional]}

Notations:

{data} represents compulsory data

<data> represents the actual data that will be specified on command line
during tool usage.

[data] represents optional data.

Table 4-1 Options and Description

Option
Description
-H/-Help
To display help regarding usage of the tool. Gets the
highest priority when used with other options.
-C/-Config
To execute tool with the options provided in the
Configuration XML File. Command line options get the
higher priority than the options provided in Configuration
XML File.
31

Chapter 4



Generation Tool

Table 4-1 Options and Description

Option
Description
-O/-Output
By default, the tool generates output files in the
‘<Component_Name>_Output’ folder in the path where
executable is present. The user can use the -O option
followed by the folder name, to generate the output files in
the specified folder. Either absolute path or relative path
can be provided to specify the folder name.
The C Source and C Header files are generated in the sub
folders ‘src’ and ‘inc’ within the output folder.
-Osrc
The user can use the -Osrc option followed by the folder
name, to generate the C Source files in the specified
folder.
-Oinc
The user can use the -Oinc option followed by the folder
name, to generate the C Header files in the specified
folder.
–L/-Log
To log the output to the <Component_Name>.log file.
-D/-Dryrun
To execute tool in validation mode. The tool will not
generate output files even though the input file provided is
error free.

Remark
• If Translation XML File is not provided on the command line then
‘<Component_Name>_X1x.trxml’ which is present in the same location of
‘<Component_Name>_X1x.exe’ is considered as ‘default’ Translation XML
File by the Generation Tool.

• If Configuration XML File is not provided on the command line then
‘<Component_Name>_X1x.cfgxml’ which is present in the same location of
‘<Component_Name>_X1x.exe’ is considered as ‘default’ Configuration
XML File by the Generation Tool.

• The Generation Tool should not be executed more than five times in parallel

4.4.
Sample Usage

Sample usage of the generation tool is given below. “<Msn>_X1x.exe” is taken
as example. Similar usage is applicable for other MCAL Generation Tools.

<Msn>_X1x

<Msn> Driver Generation Tool usage is displayed on the terminal. Generation
Tool accepts Configuration XML File as default and performs the execution,
based on the settings provided in Configuration XML File.

<Msn>_X1x -H

Displays <MSN> Driver Generation Tool help information on the terminal,
where <MSN> Driver Generation Tool executable is present.

<Msn>_X1x -L -O output Sample.arxml BSWMDT.arxml

Generation Tool logs the output to the <Msn>.log file. <Msn>_PBcfg.c file is
generated in ‘src’ folder. <Msn>_Cfg.h file is generated in ‘include’ folder.
32

Generation Tool


 Chapter 4

 <Msn>_X1x -D Sample.arxml BswMd.arxml

Generation Tool validates an input file and displays error/warning/information
messages if any on the command line. Output files are not generated since –D
option is provided in the command line.

<Msn>_X1x -O output Sample.arxml BswMd.arxml

Output files are generated in folder “output”. <Msn>_PBcfg.c is generated in
‘src’ folder. <Msn>_Cfg.h file is generated in ‘inc’ folder.

<Msn>_X1x C:\Input\Sample.arxml C:\Input\BswMd.arxml -O output

Generation Tool accepts input file (Sample.arxml) from absolute directory path
“C:\Input”. Output files are generated in folder “output”. <Msn>_PBcfg.c is
generated in ‘src’ folder. <Msn>_Cfg.h file is generated in ‘inc’ folder.

<Msn>_X1x Sample.arxml BswMd.arxml -O C:\Output

Output files are generated in folder “C:\Output”. <Msn>_PBcfg.c is generated
in ‘src’ folder. <Msn>_Cfg.h file is generated in ‘inc’ folder.

<Msn>_X1x Sample.arxml BswMd.arxml Sample.trxml

Generation Tool accepts ECU Configuration Description File (Sample.arxml),
BSWMDT File (BswMd.arxml) and Translation XML File (Sample.trxml) from
the current working directory. Output files are generated in the default folder
“<Msn>_Output”, since –O option is not provided in the command line.
<Msn>_PBcfg.c is generated in ‘src’ folder. <Msn>_Cfg.h file is generated in
‘inc’ folder.

<Msn>_X1x -C Sample.cfgxml

Generation Tool accepts ECU Configuration Description File (Sample.arxml),
BSWMDT File (BswMd.arxml) and Configuration XML File (Sample.cfgxml)
from the current working directory. Tool accepts options provided in the
Configuration XML File. If Configuration XML File name is not provided as
input with -C option, Generation Tool errors out.

Remark
• If Translation XML File is not provided on the command line,
<Msn>_X1x.exe considers <Msn>_X1x.trxml as ‘default’ Translation
XML File from the same directory where the tool is located.

• If Configuration XML File is not provided on the command line,
<Msn>_X1x.exe considers <Msn>_X1x.cfgxml as ‘default’ Configuration
XML File from the same directory where the tool is located.

• If any filename/directory name related argument on the command line
contain the ‘space’, then the same argument on the command line should
be provided in double quotes “” as followed by standard command line
feature. E.g. if file name is ‘Sample Description.arxml’, then on the
command line the same name should be provided in double quotes “” as
“Sample Description.arxml”.

• The ‘include’ and ‘src’ directories are generated inside the output directory
provided on the command line or in the default output directory
33

Chapter 4



Generation Tool

<Msn>_Output.\

• BSWMDT file should not be updated manually since it is “Static
 Configuration” file.

4.5.
Tool Installation Requirements

The minimum hardware and software requirements for proper installation of
Module Specific Generation Tool are listed below. This ensures optimal
performance of the Tool.

4.5.1. Hardware Requirements

Processor
Pentium/equivalent processor @ 500 MHz or greater

Memory
RAM 64MB or greater

Hard Disk Drive
500 MB or greater storage capacity

4.5.2. Software Requirements

Operating System
Microsoft Windows Platform

4.5.3. Limitations

Command Line characters are limited to 128 depending upon the operating
system.

4.6.
Tool Installation

The installation procedure of Module Specific Generation Tool is provided in
the section below.
34

Generation Tool


 Chapter 4

4.6.1. Pre Requisite

Module Specific Generation Tool executable runs on Windows platforms only.

4.6.2. Installation Steps

Copy the Module Specific Generation Tool executable file to the local hard
disk.

Run the executable with -H option to get help on usage of the tool.

<Msn>_X1x.exe -H

This command generates usage of Module Specific Driver Generation Tool on
the command line.

4.7.
Tool Un-Installation

There is no specific method for un-installing the Module specific Generation
Tool. To un-install, delete the Module specific Generation Tool executable from
the existing directory.

4.8.
Common Messages

This section contains the list of error/warning/information messages

which is common for AUTOSAR Renesas R3.2.2 and R4.0.3 X1x MCAL Driver
module that will be generated by the Generation Tool.

4.8.1. Error Messages

ERR000001: File <File_Name> does not exist.

This error occurs, if the input <File_Name> is not found.

ERR000002: Name of the Generation Tool Configuration XML File is not
given along with <-C/-CONFIG> option.

This error occurs, if the name of the Generation Tool Configuration XML File is
not given along with <-C/-CONFIG> option.
35

Chapter 4



Generation Tool

ERR000003: File <File name> is not as per XML standard.

This error will occur, if the input <File name> is not as per XML standard.

ERR000004: Cannot open the <Log file name> file.

This error will occur, if unable to open the <Log file name> file.

ERR000005: Name of output directory is not given along with <-O/-
OUTPUT> option.

This error will occur, if the output directory name is not given along with <-O/-
OUTPUT> option.

ERR000006: Name of output directory is not given in OUTPUT-PATH tag
in <File name>.

This error will occur, if the output directory is not given in OUTPUT-PATH tag in
configuration file.

ERR000007: The Generation Tool expects inputs.

This error will occur, if the no option is provided in the command line and none
of the option in the configuration file is set.

ERR000008: The option <option> is not supported by the Generation
Tool. The Generation Tool supports <-O/-OUTPUT, -Osrc , -Oinc, -H/-HELP, -
L/-LOG, -C/-CONFIGFILE and -D/-DRYRUN>" options.

This error will occur, if the invalid <option> is provided to the tool.

ERR000009: Invalid output directory name <output directory name> as
the file with same name exists.

This error will occur, if the <output directory name> already exists.

ERR000010: Invalid output directory name <output directory name>
Directory name should not contain any of \*\?\"\|\: characters.

This error will occur, if the <output directory name> path contains junk
character.

ERR000011: ECU Configuration Description File is not provided as input
to the Generation Tool.

This error will occur, if the ECU Configuration Description File is not given in
the command line or in configuration file.

ERR000012: The input <File name> is not as per XML standard. Provide
the ECU Configuration Description File as input on the command line.

This error will occur, if the ECU Configuration Description File is not as per
XML standard.
36

Generation Tool


 Chapter 4

ERR000013: <File name> should contain the TRANSLATION-FILE-PATH'
and 'DEVICE-FILE-PATH' tags.

This error will occur, if the translation <File name> doesn’t have
‘TRANSLATION-FILE-PATH’ and 'DEVICE-FILE-PATH' tags.

ERR000014: 'TRANSLATION-FILE-PATH' tag in <File name> is empty.

This error will occur, if the translation <File name> doesn’t have
‘TRANSLATION-FILE-PATH’ tags.

ERR000015: The 'device_name' tag should be present as child of
'TRANSLATION-FILE-PATH'' tag in <File name>.

This error will occur, if the device mentioned in ECU Configuration Description
File is not present in

'TRANSLATION-FILE-PATH’ tag in the <File name>.

ERR000016: ‘DEVICE-FILE-PATH’ tag in <File name> is empty.

This error will occur, if the translation file <File name> doesn’t have ‘DEVICE-
FILE-PATH’ tags.

ERR000017: The 'device_name’ tag should be present as child of
‘DEVICE-FILE-PATH' tag in <File name>.

This error will occur, if the device mentioned in ECU Configuration Description
File is not present in

‘DEVICE-FILE-PATH’ tag.

ERR000018: Cannot create directory <output directory name>.

This error will occur, if unable to create output directory <output directory
name>.

ERR000019: Cannot open <File name>.

This error will occur, if unable to open <File name>.

ERR000020: The macro label <macro label> should be unique in
<translation file name> translation C Header File.

This error will occur, if macro label is not unique in translation C Header File.

ERR000021: The macro definition for <macro label> macro is not found
in <translation file name> translation C Header File. The macro label
format should be <label format>.

This error will occur, if macro definition is not found in translation C Header
File.

37

Chapter 4

Generation Tool

ERR000022: The macro value for <macro label> macro is empty in
<translation file name> translation C Header File.

This error will occur, if macro label value is empty in translation C Header File.

ERR000023: The macro definition for <macro value> macro is not found
in input device specific C Header File(s).

This error will occur, if macro definition is not found in input device specific C
Header File(s).

ERR000024: The macro value for <macro value> macro is empty in input
device specific C Header File(s).

This error will occur, if macro value is empty in input device specific C Header
File(s).

ERR000025: Path <Configured Reference Path> provided for Bsw Module
is incorrect.

This error will occur, if the reference provided for Bsw Module Component is
incorrect.

ERR000026: BSWMDT content is not present in the input file(s) for
‘<Module Name>’ module.

This error will occur, if the module specific BSWMDT content is not present in
the input files.

ERR000027: <MSN> BSWMDT File of either AUTOSAR R3.2 or R4.0
should be given as input.

This error will occur, if the both R3.2 and R4.0 BSWMDT file given to the input
to the generation tool.

ERR000028: 'MODULE-DESCRIPTION-REF' element should be present in
the description file of '<Module Name>' module.

This error will occur, if the MODULE-DESCRIPTION-REF element is not
present module specific description file.

ERR000029: AUTOSAR version of BSWMDT File and Module Description
File is different.

This error will occur, if the AUTOSAR version of the BSWMDT File and module
description file is different.

38

Generation Tool


 Chapter 4

4.8.2. Warning Messages

WRN000001: As per AUTOSAR ECU Configuration Description File
naming convention, the file extension should be '.arxml' for file.

This warning will occur, if ECU Configuration Description file having an
extension other than ’.arxml’.

4.8.3. Information Messages

INF000001: Tool Version:

This is to display Tool Version for each execution of the tool.

INF000002: Command line arguments:

This is to display the command line arguments for each execution of the tool.

INF000003: The valid inputs are provided below.

This information will occur, if the command line option is not given.

INF000004: Opened file <filename> at <time>.

This information will occur, during opening the file.

INF000005: Error(s) and Warning(s) detected.

This information will display the number of errors and warnings.

INF000006: Execution completed successfully.

This information will occur, if the execution completed successfully.

INF000007: Execution completed successfully with warnings.

This information will occur, if the execution completed successfully with
warnings.

INF000008: Execution terminated due to command line errors.

This information will occur, if the execution terminated due to command line
errors.

INF000009: Execution terminated due to error in the input file.

This information will occur, if the execution terminated due to error in the input
file.

INF000010: Execution terminated due to error, during the structure
generation in the output file.

This information will occur, if the execution terminated during structure
generation in output file.
39

Chapter 4



Generation Tool

4.9.
R3.2.2 Messages

This section contains the list of error/warning/information messages which is
specific to AUTOSAR Renesas R3.2.2 X1x MCAL Driver module that will be
generated by the Generation Tool.

4.9.1.  Error Messages

ERR000030: The 'parameter tag name' tag should be configured in
BSWMDT File.

This error will occur, if any of the configuration parameter(s) mentioned below
is (are) not configured in BSWMDT File.

The list of mandatory parameters with respect to container is listed below:

Table 4-2  Mandatory Parameters

Container
Parameters
BswImplementation
SW-MAJOR-VERSION
SW-MINOR-VERSION
SW-PATCH-VERSION
AR-MAJOR-VERSION
AR-MINOR-VERSION
AR-PATCH-VERSION
VendorApiInfix
BswModuleDescription
ModuleId

Note: VendorApiInfix parameter is mandatory for only some modules.

4.9.2.  Warning Messages

None.

4.9.3.  Information Messages

None.

4.10.  R4.0.3 Messages

This section contains the list of error/warning/information messages which is
specific to AUTOSAR Renesas R4.0.3 X1x MCAL Driver module that will be
generated by the Generation Tool.
40

Generation Tool


    Chapter 4

4.10.1. Error Messages

ERR000030: The 'parameter tag name' tag should be configured in
BSWMDT File.

This error will occur, if any of the configuration parameter(s) mentioned below
is (are) not configured in BSWMDT File.

The list of mandatory parameters with respect to container is listed below:

Table 4-3  Mandatory Parameters

Container
Parameters
BswImplementation
SwVersion
VendorId
ArReleaseVersion
VendorApiInfix
BswModuleDescription
ModuleId

Note: VendorApiInfix parameter is mandatory for only some modules.

4.10.2. Warning Messages
None.

4.10.3. Information Messages

None.

4.11.  BSWMDT File

The BSWMDT File is the template for the Basic Software Module Description.
Module specific Generation Tool uses “Common Published Information” from
module specific BSWMDT file. BSWMDT file should not be updated manually
since it is “Static Configuration” file.

The required elements from BSWMDT File by module specific Generation
Tool are as follows:

BSW-MODULE-DESCRIPTION

•
MODULE-ID

41

Chapter 4

Generation Tool

BSW-IMPLEMENTATION

•
SW-VERSION
•

•
VENDOR-ID

•
AR-RELEASE-VERSION

•
VENDOR-API-INFIX

In case of multiple driver support implementation, VENDOR-API-INFIX is
mandatory. In case of single driver support implementation, VENDOR-
API- INFIX is not used.

42

Application Example Chapter 5



Chapter 5
Application Example

5.1.
Folder Structure

Refer Section “Integration and Build Process” in the respective component
User Manuals.

5.2.
Makefile Description

Makefile is available in the folder “X1X\< MICRO_VARIANT
>\modules\<msn>\sample_application\< MICRO_SUB_VARIANT
>\make\<compiler>”.
The Makefiles with the guidelines provided in AUTOSAR BSW Makefile
Interface Specification, which enables easy integration with other components
and the application.

The files is:

• A p p _<Msn>_<MICRO_SUB_VARIANT>_<DEVICE_NAME>Sample.mak
(Contains the device specific instructions).

5.2.1. App_<Msn>_<variant>_Sample.mak

##############################################################

# Makefile to compile and build the Sample application with the AUTOSAR
<MSN> #

# Driver Component (For Test purposes only)
#

# Compatible with GNU Make 3.81 for Win32. #

##############################################################

##############################################################

# Definitions of global environment variables
#

##############################################################

#Get name of the current application

CURRENT_APPL = App_<Msn>

# Get the project directory into variable "PROJECT_ROOT"

43

Chapter 5 Application Example


PROJECT_ROOT = $(shell cd)\..\..\..\..\..\..

COMMON_SAMPLE_CORE_PATH =
$(PROJECT_ROOT)\$(MICRO_FAMILY)\common_platform
 \modules\<Msn>\sample_application

# Get the current working directory into variable "SAMPLE_ROOT_PATH"
SAMPLE_ROOT_PATH =
$(PROJECT_ROOT)\$(MICRO_FAMILY)\$(MICRO_VARIANT)\modules
<Msn>\sample_application\$(MICRO_SUB_VARIANT)

# Get the current working directory into variable "STUBS"
STUBS_PATH =
$(PROJECT_ROOT)\$(MICRO_FAMILY)
 \common_platform\generic
 \stubs\$(AUTOSAR_VERSION)

# Get current configuration path

<MSN>_CONFIG_PATH =
$(SAMPLE_ROOT_PATH)\$(AUTOSAR_VERSION)

# Get TRXML path

 TRXML_CONFIG_PATH = $(PROJECT_ROOT)
 \$(MICRO_FAMILY)\$(MICRO_VARIANT)
 \common_family\generator

# Get BSWMDT path

<MSN>_BSWMDT_CONFIG_PATH = $(PROJECT_ROOT)
 \$(MICRO_FAMILY)
 \$(MICRO_VARIANT)
 \modules\<Msn>
\generator

# Get current configuration file path

<MSN>_CONFIG_FILE = $(MSN_CONFIG_PATH) \config
 \App_<MSN>_$(MICRO_SUB_VARIANT)_
 $(DEVICE_NAME)_Sample.arxml

# Path to TRXML Configuration File which is required for this module

TRXML_CONFIG_FILE =
"$(TRXML_CONFIG_PATH)\Sample_Application_$(MICRO
_VARIANT).trxml""

 # Path to ECUM Configuration File which is required for this module
ECUM_CONFIG_PATH = $(STUBS_PATH)\EcuM

ifeq ($(AUTOSAR_VERSION), 3.2.2)
ECUM_CONFIG_FILE = "$(ECUM_CONFIG_PATH)\xml\EcuM.arxml"
else
44

Application Example Chapter 5



ECUM_CONFIG_FILE = "$(ECUM_CONFIG_PATH)\xml\EcuM_Icu.arxml"
endif

 # Path to TRXML Configuration File which is required for Test Application
 TRXML_CONFIG_FILE =
"$(TRXML_CONFIG_PATH)\Sample_Application_$(MICRO_VARIANT).trxml"

# Path to BSWMDT Configuration File which is required for MSN Sample
Application

 ifeq ($(AUTOSAR_VERSION), 3.2.2)
 MSN_BSWMDT_CONFIG_FILE =
"$(MSN_BSWMDT_CONFIG_PATH)\R322_$(MODULE_NAME)_$(MICRO_V
ARIANT)_BSWMDT.arxml"
 else
 ICU_BSWMDT_CONFIG_FILE =
"$(MSN_BSWMDT_CONFIG_PATH)\R403_$(MODULE_NAME)_$(MICRO_V
ARIANT)_BSWMDT.arxml"
 endif

 # Version check for inter modules required
 MSN_VERSION_CHECK_REQ = yes

# Database to be linked together with the current application

# Define 'no' to isolate database from the application

<MSN>_DBASE_REQ = yes

# Get the name of the SRECORD file

 CURRENT_APPL_SRECORD =
 $(CURRENT_APPL)_$(MICRO_SUB_VARIANT)_Sample

# Name of the database if generated separately

<MSN>_DB = <Msn>_PBcfg

##############################################################

# Final executable
#

##############################################################

EXE = $(CURRENT_APPL)_ MICRO_
<SUB_VARIANT>_Sample.$(EXE_FILE_SUFFIX)
LIBRARIES_TO_BUILD =
OBJECTS_LINK_ONLY =

OBJECT_OUTPUT_PATH = $(SAMPLE_ROOT_PATH)\obj\ghs
GENERATED_SOURCE_FILES =
CC_FILES_TO_BUILD =
45

Chapter 5 Application Example



CPP_FILES_TO_BUILD =
ASM_FILES_TO_BUILD =

CC_INCLUDE_PATH =
CPP_INCLUDE_PATH =
ASM_INCLUDE_PATH =

PREPROCESSOR_DEFINES =

LIBRARIES_LINK_ONLY =
DIRECTORIES_TO_CREATE =
DEPEND_GCC_OPTS =

MAKE_CLEAN_RULES =
MAKE_GENERATE_RULES =
MAKE_COMPILE_RULES =
MAKE_DEBUG_RULES =
MAKE_CONFIG_RULES =
MAKE_ADD_RULES =

MAKE_DEBUG_RULES =
MAKE_ CONFIG_RULES =
MAKE_ADD_RULES =

MAKE_DEBUG_RULES += debug_base_make

STD_LIBRARY =

LNKFILE =
$(PROJECT_ROOT)\$(MICRO_FAMILY)\$(MICRO_VARIANT)\modules\<msn
>\sample_application\$(MICRO_SUB_VARIANT)\make\ghs\$(CURRENT_APP
L)_$(MICRO_SUB_VARIANT)_$(DEVICE_NAME)_Sample.ld

LNKFILE_DB =
$(PROJECT_ROOT)\$(MICRO_FAMILY)\$(MICRO_VARIANT)\modules\<ms
n>\sample_application\$(MICRO_SUB_VARIANT)\make\ghs\$(CURRENT_A
PPL)_$(MICRO_SUB_VARIANT)_$(DEVICE_NAME)_Sample_db.ld

 .PHONY: MAKE_CLEAN_RULES MAKE_GENERATE_RULES
 MAKE_COMPILE_RULES \
 MAKE_DEBUG_RULES MAKE_CONFIG_RULES MAKE_ADD_RULES

##############################################################

# Modules to be included in the project
#

##############################################################
46

Application Example                                                                                                                Chapter 5



##############################################################
# Sample Application

#

include
$(COMMON_SAMPLE_CORE_PATH)\make\$(CURRENT_APPL)_Common_S
ample_Defs.mak

include
$(COMMON_SAMPLE_CORE_PATH)\make\$(CURRENT_APPL)_Common_S
ample_rules.mak

SAMPLE_CORE_PATH = $(SAMPLE_ROOT_PATH)

include
$(SAMPLE_CORE_PATH)\make\$(CURRENT_APPL
_$(MICRO_SUB_VARIANT)_Sample_defs.mak
include
$(SAMPLE_CORE_PATH)\make\$(CURRENT_APPL
_$(MICRO_SUB_VARIANT)_Sample_rules.mak

##############################################################

##############################################################

##############################################################

# DET Module Core Path

#

#DET_CORE_PATH = $(STUBS_PATH)\Det

#include $(DET_CORE_PATH)\make\det_defs.mak

#include $(DET_CORE_PATH)\make\det_rules.mak

##############################################################

##############################################################

# OS Module Core Path

#

OS_CORE_PATH = $(STUBS_PATH)\os
include $(OS_CORE_PATH)\make\os_defs.mak
include $(OS_CORE_PATH)\make\ os_rules.mak
#############################################################



                 ##############################################################
                 # ECUM Module Core Path
                 #
                 ECUM_CORE_PATH = $(STUBS_PATH)\EcuM
                 include $(ECUM_CORE_PATH)\make\ecum_defs.mak
                 include $(ECUM_CORE_PATH)\make\ecum_rules.mak
                 ##############################################################

##############################################################
47

Chapter 5 Application Example



# Scheduler Manager Module Core Path

#

ifeq ($(AUTOSAR_VERSION), 3.2.2)
SCHM_CORE_PATH = $(STUBS_PATH)\SchM
include $(SCHM_CORE_PATH)\make\schm_defs.mak
else
RTE_CORE_PATH = $(STUBS_PATH)\SchM
include $(RTE_CORE_PATH)\make\rte_defs.mak
endif
#############################################################

# <MSN> Driver Component

#

<MSN>_CORE_PATH =
$(PROJECT_ROOT \$(MICRO_FAMILY)\ common_platform
\modules\<msn>
include $(<MSN>_CORE_PATH)\make\renesas_<msn>_defs.mak
include $(<MSN>_CORE_PATH)\make\renesas _<msn>_check.mak
include $(<MSN>_CORE_PATH)\make\renesas_<msn>_rules.mak

#############################################################

##############################################################

# Command to generate standalone database
#

$(MSN_DB).$(S_RECORD_SUFFIX):$(MSN_DB).$(OBJ_FILE_SUFFIX)
$(LNKFILE_DB)
@echo *********************************************************************
 @echo Building the standalone database ...
 $(DBLINKER) $(LNKFILE_DB) \
 "$(OBJECT_OUTPUT_PATH)\$(ICU_DB).$(OBJ_FILE_SUFFIX)" \
-map="$(OBJECT_OUTPUT_PATH)\$(ICU_DB).$(MAP_FILE_SUFFIX)" \
-o "$(OBJECT_OUTPUT_PATH)\$(MSN_DB).$(EXE_FILE_SUFFIX)"
 @echo Generating Motorola S-Record file...
 $(CONVERTER) $(SFLAGS)

"$(OBJECT_OUTPUT_PATH)\$(ICU_DB).$(EXE_FILE_SUFFIX)" \

 -o "$(OBJECT_OUTPUT_PATH)\$(ICU_DB).$(S_RECORD_SUFFIX)"
 @echo Done ...

##############################################################
##################

$(<MSN>_DB).$(S_RECORD_SUFFIX):$(<MSN>_DB).$(OBJ_FILE_SUFFIX
) $(LNKFILE_DB)

@echo *********************************************************************

@echo Building the standalone database ...

$(DBLINKER) $(LNKFILE_DB) \
"$(OBJECT_OUTPUT_PATH)\$(<MSN>_DB).$(OBJ_FILE_SUFFIX)" \
-map="$(OBJECT_OUTPUT_PATH)\$(<MSN>_DB).$(MAP_FILE_SUFFIX)" \
48

Application Example Chapter 5



-o "$(OBJECT_OUTPUT_PATH)\$(<MSN>_DB).$(EXE_FILE_SUFFIX)"

@echo Generating Motorola S-Record file...

$(CONVERTER) $(SFLAGS)
"$(OBJECT_OUTPUT_PATH)\$(<MSN>_DB).$(EXE_FILE_SUFFIX)" \

-o "$(OBJECT_OUTPUT_PATH)\$(<MSN>_DB).$(S_RECORD_SUFFIX)"

@echo Done ...



###############################################################

# End of the Base Make script #
###############################################################

5.3.
Integrating The <MSN> Driver Component With

Other Components

This section explains the procedure to integrate the <MSN>Driver Component
with other BSW components and the application.

Depending on the various configurations, the following modules are required to
be integrated with the <MSN>Driver Component:

•
<MSN>Interface (Folder ‘Sample_Application’ where the sample
application for <MSN> exists. The variable ‘<MSN>_CORE_PATH’
and the corresponding module Makefile names must be suitably
changed in the base Makefile)

•
Development Error Tracer (Folder ‘Det’ where the DET module files exist.
The variable ‘DET_CORE_PATH’ and the corresponding module
Makefile names must be suitably changed in the base Makefile)

•
Scheduler Manager (Folder ‘SchM’ where the SCHM module exists.
The variable ‘RTE_CORE_PATH’ and the corresponding module
Makefile names must be suitably changed in the base Makefile)

•
MCU Interface (Folder ‘Mcu’ in the give example. The variables
‘MCU_CONFIG_PATH’ and ‘MCU_CONFIG_FILE’ must be suitably
changed in the module Makefile
(Software_Source_Code\ssc\mak\renesas_<MSN>_rules.mak) and
the base Makefile).

All the above folders are given only as examples and they have to be
replaced with actual component folders. It is assumed that every component
has the corresponding module Makefiles.

Apart from the above BSW components, few other folders are provided as
mentioned below:

•
AUTOSAR Type definition Files (Folder ‘common\include’, where the
header files containing standard definitions that are common to all
components are placed. The variable ‘STUB_CORE_PATH’ and the
corresponding module Makefile names must be suitably changed in the
base Makefile)
49

Chapter 5 Application Example

•
RH850 specific Files (Folder ‘X1X\common_platform\generic\include’,where
the header files that are common to all components but specific to Renesas
V850 microcontroller are placed. The variable ‘
GENERIC_PLATFORM_PATH’ and the corresponding module Makefile
names must be suitably changed in the base Makefile)

Compiler specific Files (Folder ‘compiler’, where the header files that are
common to all components but specific to GreenHills Compiler are placed.
The variable ‘COMPILER_PATH’ and the corresponding module Makefile
names must be suitably changed in the base Makefile).

5.4.
Building The <MSN> Driver Component

This section explains the procedure to build the <MSN>Driver Component for
any given configuration.

The <MSN> Driver Configuration Description file (.arxml) has to be given as
input to the <MSN> Driver Generation Tool. The tool generates output files
namely <Msn>_Lcfg.c, <Msn>_PBcfg.c, <Msn>_Cbk.h and <Msn>_Cfg.h.

Following variables must be defined in the base Makefile described in
Section 5.2.1 (Makefile Description)

•
PROJECT_ROOT: Root directory where the projects for all components
exist.

•
SPECIFIC_APPL_ROOT_PATH: Directory where the <MSN> sample
application exists.

•
OBJECT_OUTPUT_PATH: Directory where the module specific output
files are generated.

•
STARTUP_<family>_CORE_PATH: Core path for the variant specific
statup files exist.

•
STUB_CORE_PATH: Core path for the stub files exist.

•
COMPILER_PATH: Directory where the compiler files exist.

•
DEVICE_FILE_PATH: Directory where the device files exists.

•
MSN_CORE_PATH: Core path for the <MSN> Driver Component
folder.

•
MSN_TOOL_PATH: Directory where the module specific tool exe exist.

•
CC_INCLUDE_PATH: Path variable where all the header files can be
found by the compiler.

•
CC_FILES_TO_BUILD: Variable that contains the list of source files, to
be compiled and linked.

•
<MSN>_clean_generated_files: This target can be used to clean the
configuration source and header files generated by the <MSN> Driver
Generation Tool.

•
debug_<MSN>_makefile: This target can be used to print the debug
information such as paths used by <MSN> Driver Component.

•
generate_<MSN>_config: This target can be used to invoke the <MSN>
Driver Generation Tool which in turn takes the ECU Configuration
Description files (App_<MSN>_<DEVICE_NAME>_Sample.arxml) as
an input and generates the configuration source and header files.

50

Application Example Chapter 5



Following variables must be defined in the Module Makefile described in
Section 5.2.1 (Makefile Description):

•
PROJECT_ROOT: Root directory where the projects for all components
exist.

•
MSN_CONFIG_PATH: Configuration path for description file of the
<MSN> Driver Component.

•
MSN_CONFIG_FILE: Name of the <MSN> Driver Component description
file.

•
STUB_CONFIG_PATH: Configuration path for description file of the stub.

•
MCU_CONFIG_FILE: Name of the MCU Driver Component description
file.

•
TRXML_CONFIG_PATH: TRXML Configuration file path used for the

 <MSN> Driver Component.

•
TRXML_CONFIG_FILE: TRXML Configuration file used for the <MSN>
 Driver Component.

•
BSWMDT_CONFIG_PATH: Path for <MSN> BSWMDT file.

•
BSWMDT_CONFIG_FILE: Name of the <MSN> BSWMDT file.

•
GENERIC_STUB_PATH: Directory where the generic stub exist.

•
GENERIC_PLATFORM_PATH: Directory where the generic platform
files exist.

•
CC_INCLUDE_PATH: Path variable where all the header files can be
found by the compiler.

•
CC_FILES_TO_BUILD: Variable that contains the list of source files, to
be compiled and linked.

•
<MSN>_DB: Name of the Post-build configuration file.

The above mentioned variables must be used by the user to build the base
Makefile.

A sample base Makefile (App_<MSN>_ <MICRO_SUB_VARIANT>
_Device_Sample.mak) has been provided with the product for reference.
This file can be modified to suit the developer’s needs.

The targets that are supported in the base Makefile enable the user in build
and cleanup activities during/after the build process. They are listed below:

5.4.1. Targets Supported By The Sample Base Makefile

5.4.1.1. debug_base_make

Invoking the Make utility and passing “debug_base_make” as a parameter
prints all the variables that are used in the base Makefile. This can be used to
print various paths and file names to see if they are correct.

5.4.1.2. clean_objs

Invoking the Make utility and passing “clean_objs” as a parameter deletes all
the object files from the output folder
(“X1X\<MICRO_VARIANT>\modules\<msn>\Sample_application\<
MICRO_SUB_VARIANT >\obj” in this case).

51

Chapter 5 Application Example


5.4.1.3. clean

Invoking the Make utility and passing “clean” as a parameter deletes tool
generated files in the configuration output folders
(“X1X\<MICRO_VARIANT>\modules\<msn>\sample_application\<
MICRO_SUB_VARIANT>\src” and

“X1X\<MICRO_VARIANT>\modules\<msn>\Sample_application\<
MICRO_SUB_VARIANT>\include”in this case)

.
5.4.1.4. clean_all

Invoking the Make utility and passing “clean_all” as a parameter deletes all
files such as object file, list files and map files from the output folder
(“X1X\< MICRO_VARIANT >
 \modules\<msn>\sample_application\< MICRO_SUB_VARIANT
>\obj” in this case).

5.4.1.5. generate_<msn>_config

Invoking the Make utility and passing “generate_<MSN>_config” as a
parameter invokes the <MSN> Driver Generation Tool. The tool takes the
ECU Configuration Description File(s) (“X1X\< MICRO_VARIANT
>\modules\<msn>\Sample_application\<MICRO_SUB_VARIANT>
\ AUTOSAR_VERSION

config\<MSN>_Sample_ <MICRO_SUB_VARIANT>\.arxml” as input and
generates the output files in folders

“X1X\< MICRO_VARIANT >\modules\<msn>\Sample_application\<
MICRO_SUB_VARIANT>\ AUTOSAR_VERSION \src” and

“X1X\< MICRO_VARIANT >1\modules\<msn>\Sample_application\<
MICRO_SUB_VARIANT>\ AUTOSAR_VERSION \include”).

5.4.1.6.
App_<MSN>_< MICRO_SUB_VARIANT >_Sample.out

Invoking the Make utility and passing “Sample.out” as a parameter invokes the
compiler and linker sequentially. Then it generates the executable
“App_<MSN>_< MICRO_SUB_VARIANT >_Sample.out”.

5.4.1.7. <Msn>_PBcfg.s37

Invoking the Make utility and passing “<Msn>_PBcfg.s37” as a parameter
invokes
the compiler and linker sequentially and generates the Motorola S-Record file
“<Msn>_PBcfg.s37” in the output folder.
This scenario typically arises when post-build parameters are modified and
only the database needs to be flashed into the device without disturbing the
other ROM contents.

52

Support For Different Interrupt Categories

 Chapter 6


Chapter 6 Support For Different Interrupt Categories

The <MSN> Driver supports CAT1 and CAT2 interrupt categories:

CAT1

In CAT1 type of interrupt ISR does not use an operating system service. In
practice, the OS does not handle these interrupts, and the interrupt handler is
implemented in the driver code, with the only restriction that OS services
cannot be called. Typically, these are the fastest highest priority interrupts.

CAT2

In CAT2 type of interrupt wherein the ISR is handled by the system and OS
calls can be called from the handler.

For CAT1 and CAT2, the selection of interrupt category is for each interrupt in
the module. Individual MCAL module does not contain any option for interrupt
category configuration. The user has to configure the ISR category in OS and
also to use the right MCAL specified name and MCAL expects
"ISR(INTERRUPT_NAME)" keyword defined in OS in case of CAT2.

Notes 1. The understanding is Os module does not publish short name handles for
CAT1 OsIsr container. But it should be defined in the interrupt vector table
by the OS.

2. The understanding is that Os module should publish short name handles
for CAT2 OsIsr container according to ecuc_sws_2108 requirement by
adding the Os_" pefix to the configured interrupt name.

Reference between the <MSN> module and OS:

<Msn> module's <Module>_Irq.c/h files include "Os.h" header file to obtain the
interrupt category information configured in the OS. Therefore following pre-
processor definitions are expected to be published in Os.h file by the OS in
case of CAT2 or to be used in the interrupt vector table in case of CAT1.

Table 6-1 CAT1 and CAT2 Naming Convention

Interrupt Category
Naming Convention
CAT1
<MCAL_INTERRUPT_NAME>_ ISR
CAT2
<MCAL_INTERRUPT_NAME>_CAT2_ISR
CAT2 (In case the handles of
Os_<MCAL_INTERRUPT_NAME>_CAT2_ISR
the OsIsr container are
generated without ‘Os_’ prefix
by Os generation tool)

53

Chapter 6

 Support For Different Interrupt Categories


MCAL in Stand Alone:

In case if the MCAL modules are to be used stand alone without having
standard Autosar Os module, the user has to prepare an Os.h stub file with the
published handles only for those interrupt names which are to be used as
CAT2.

Table 6-2
List of ISR Names that need to be configured and published in Os.h
(CAT2) or used in the interrupt vector table (CAT1) for <MSN> Driver

CAT2(In case the handles of the

Sl.
OsIsr container are generated
CAT1
CAT2
No.
without ‘Os_’ prefix by Os
generation tool)
1
<MSN>n_SGm_ISR
<MSN>n_SGm_CAT2_ISR
Os_<MSN>n_SGm_CAT2_ISR
2
<MSN>_DMA_CHxy_ISR
<MSN>_DMA_CHxy_CAT2_ISR
Os_<MSN>_DMA_CHxy_CAT2_IS
R

Where

‘n’ indicate HW Unit number

‘m’ indicate SG Unit number

‘xy’ indicate DMA channel Id number

54

GNU MAKE Environment

Chapter 7

Chapter 7
GNU MAKE Environment

Every component is delivered with the necessary Make scripts that are
required to integrate the component with the application. The scripts are
compatible with GNU Make version 3.81.

All the delivered Makefiles have to be included in the project level base
Makefile in order to build the component together with the application. Refer
section “Integration and Build Process” of the respective component User
Manuals for more information on the Makefile variables and their usage.

7.1.
Build Process With GNUMAKE

When the batch file of certain application is built, the GNU Make utility will be
searched by batch file. The GNU Make utility should be present in the default
path specified by GNUMAKE\PATH variable. By making use of the GNU Make
utility the batch file will be compiled.

7.2.
Build Process Without GNUMAKE

If GNU Make utility is not present at the default path or present in some other
directory the following procedure is followed to set the Environmental variable
GNUMAKE\PATH.

1. Right click on “My Computer” select properties, user will find System
Properties.

55

Chapter 7

GNU MAKE Environment

2.   In System Properties select “Advanced” option, user will find
“Environmental Variables” at the bottom side of window.

3.   Click on “Environmental Variables”, user will find “Environment Variables”
window in that, select “New”.

56

GNU MAKE Environment

Chapter 7

4.   After step 3, user can find “New User Variable” window with “Variable
name” and “Variable path” options which needs to be set, Variable name
will be set as GNUMAKE and Variable path is the path of the directory
where GNU Make utility is present and click ok.

5.   After step 4, in “System Properties” window click “Apply” and then “Ok”.

Remark  GNU Make utility version 3.81 must be separately downloaded and installed to
use the Makefiles delivered along with the component. More information on the
utility can be found at http://www.gnu.org/

57

Chapter 7

GNU MAKE Environment

58

Load Binaries Chapter 8

Chapter 8
Load Binaries

Once the Executable or S-Record is generated using the project level base
Makefile, it needs to be downloaded into the target using a Flash programmer.

The user has to read the instructions provided in the Flash programmer’s User
Manual thoroughly before using it.

59

Chapter 8

Load Binaries



60

Appendix

 Chapter 9


Chapter 9
Appendix

9.1. Translation XML File

Translation XML File content format shall be given as mentioned below:

<?xml version="1.0" encoding="UTF-8"?>

<PATH-DETAILS>

<TRANSLATION-FILE-PATH>
<value_of_<MSN>DeviceName>Path</value_of_<MSN>DeviceName>
</TRANSLATION-FILE-PATH>

<DEVICE-FILE-PATH>
<value_of_<MSN>DeviceName>Path</value_of_<MSN>DeviceName>
</DEVICE-FILE-PATH>
</PATH-DETAILS>

9.2. Configuration XML File

Configuration XML File content format shall be given as mentioned below:

<?
xml version="1.0" encoding="UTF-8"?>
<!--
61

Chapter 9

 Appendix

None of the tag from this XML should be renamed or deleted.
-->
<XML>

<OPTION>

<HELP>ON/OFF</HELP>


<LOG>ON/OFF</LOG>


<DRYRUN>ON/OFF</DRYRUN>


<OUTPUT>OFF</OUTPUT>


<OUTPUT-PATH>Path</OUTPUT-PATH>
</OPTION>


<INPUT-FILE>Path</INPUT-FILE>
</XML>
62

Revision History

Sl.No.  Description
Version
Date
1.
Initial Version
1.0.0
31-Jan-2013
2.
Following changes are made:
1.0.1
16-Oct-2013
1. -Osrc and -Oinc options are added at section 4.3. Usage.
2.  Error message ERR000008 is updated at section 4.8.1. Error
Messages.
3. F1x is renamed to X1x in all relevant places.

3.
Following changes are made:
1.0.2
24-Jan-2014
1. Chapter 5 is updated for paths.
2. F1x and F1L names are removed.
3. Makefile location is updated.
4. Name of executable is updated.

4.
Following changes are made:
1.0.3
08-April-2014
1. Page Number alignment is corrected.
2. R- Number is added for document.
5.
Following changes are made:
1.0.4
17-July-2014
1. Copyright year information is corrected.
2. R- Number is added for document.
6.
Following changes are made:
1.0.5
09-Aug-2014
1. Document is updated as per template.

63

Getting Started Document for X1x MCAL Driver User's Manual
Version 1.0.5

Publication Date: Rev.0.01, August 09, 2014

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for  the latest  and  de  tailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson  Road,  Newmarket,  Ontario  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics  Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics  Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf,  Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics  (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu  Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics  (Shanghai)  Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics  Hong  Kong  Limited
Unit  1601-1613,  16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok,  Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics  Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics  Singapore  Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  keppel  Bay  Tower,  Singapore  098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics  Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics  Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2014 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

Getting Started Document for X1x MCAL Driver

User’s Manual

R20UT2979EJ0001

Document Outline

20.4 - KnownIssues_P1x_R403_2015_CW23

KnownIssues_P1x_R403_2015_CW23

20.5 - KnownIssues_P1x_R403_2015_CW23_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42

20.6 - KnownIssues_P1x_R403_2015_CW23s

ID
Category
Summary
Description
ASR_TicketType
Status
22712
General
Usage of value INF not according ASR
Problem description:
BUG
OPEN
requirements
According AUTOSAR_TPS_ECUConfiguration the value 'inf' derived from standard module definition STMD must be used as follows:
ISSUE
• [ecuc_sws_6045] If the min value equals -inf or the max value equals inf in
the StMD the min/max values in the VSMD shall be replaced with the actually
supported min/max values for this implementation.

Expected behavior:
INF shall not be used, but instead the actual MIN/MAX values shall be available in PDFs

Current behavior:
See problem description field.
26927
General
[Port]
Problem description:
BUG
OPEN
AUTOSAR_PORT_Component_UserManual. Lack of information about Exclusives areas in AUTOSAR_PORT_Component_UserManual.pdf. As a result user is facing difficulty during integration.
ISSUE
pdf is lacking information about Exclusives Source Package: AUTOSAR_RH850_P1x_MCAL_E4.03
areas for CRITICAL SECTION PROTECTION

Expected Behavior:
The user manual should contain information about INIT_CONFIG_PROTECTION, REFRESH_PORT_INTERNAL_PROTECTION and SET_TO_DIO_ALT_PROTECTION.

Actual behaviour:
UM only describes SET_PIN_MODE_PROTECTION in chapter 4.4, but SET_PIN_DIR_PROTECTION, INIT_CONFIG_PROTECTION, REFRESH_PORT_INTERNAL_PROTECTION and
SET_TO_DIO_ALT_PROTECTION, SET_PIN_DEFAULT_MODE_PROTECTION, SET_PIN_DEFAULT_DIR_PROTECTION are not mentioned.
26988
General
CAN and LIN modules not following
Problem description:
BUG
OPEN
Autosar requirement BSW00347
As per AUTOSAR requirement BSW00347, the driver modules shall be named as per <MSN>_<VendorId>_<VendorSpecificName>_<ServiceName>.
ISSUE
For Example : 'Can_Init()' will become 'Can_59_Renesas_Init()'.
It shall be followed for File Names, Public APIs, Published Parameters, Memory allocation Keywords and Public data types. But this is not followed in CAN and LIN modules which support
multiple instance as per autosar base definition file.

Expected behaviour:
The driver modules shall be named as per <MSN>_<VendorId>_<VendorSpecificName>_<ServiceName>.

Actual behaviour:
The driver modules(CAN and LIN) are not named as per <MSN>_<VendorId>_<VendorSpecificName>_<ServiceName>.

The following MCAL modules have the tag 'UPPER-MULTIPLICITY-INFINITE' is set to 'true' in Autosar Base Definition file AUTOSAR_MOD_ECUConfigurationParameters.arxml and hence
support multiple instance.
1. CAN
2. Ethernet
3. FLS
4. Flexray
5. ICU
6. LIN
7. PWM
8. WDG
But for Ethernet, FLS, ICU, and PWM modules, the requirement BSW00347 is moved to NA requirements in the Traceability section.

27639
General
PRAGMA define inconsistent to device
Problem Description:
BUG
OPEN
header file package
PRAGMA define differs between io_macros_v2.h from device header file packages and compiler.h in MCAL package.
ISSUE

In Compiler.h:
#define PRAGMA(x) _Pragma(x)

In io_macros_v2.h:
#define PRAGMA(x) _Pragma(#x)

Current Behaviour:
In customer application this might cause a compilation warning due to a macro redefinition if both header files are used.

Expected Behaviour:
Consistent define used in both header files.
27721
General
Command line option -F not working
Problem description:
BUG
OPEN
The -F/FILEVERSION option of generation tool is not working. Instead of listing the version of tool code files, the tool is throwing error 'ERR000011:ECU Configuration Description File is
ISSUE
not provided as input to the Generation Tool'.

Expected behavior:
On the usage of -F/FILEVERSION option, generation tool must list the version of tool code files.

Actual behaviour:
See Problem description.
27747
General
Makefiles use invalid include paths for GHS Problem Description:
BUG
OPEN
builder
The GHS makefiles for sample applications use invalid include paths parameters.
ISSUE
This behaviour has currently no effect to GHS builder but this might change.
It lengthens the command lines without any use.

Actual behaviour:
GHS builder is called with invalid options like
-I\4.0.3
-I\common

Expected behaviour:
Only valid include path parameters shall be used.
27766
General
Functional codes are executing Even after Problem Description:
BUG
OPEN
DEM is reported.

ISSUE
Even after DEM error is reported, functional codes are getting executed, which may result in unexpected behavior of driver.

Similar issue is found in SPI while doing functional testing for E1x V4.00.04 release, And an issue is reported in mantis # bug:26731.

Decided to create new ticket to start investigation for similar issues in all other module (see note:181849).

Expected behavior:
Functional codes shall not execute after reporting DEM Error.

Actual behavior:
Functional codes are executed even after reporting DEM Error.

27974
General
Makefiles specify irrelevant folders for
Problem description:
BUG
OPEN
header search
The -I parameter is used to specify folders where the GHS builder shall search for header files. But also source folders are given.
ISSUE

Actual behaviour:
Many irrelevant folders are given as parameter to GHS builder. When project becomes large the maximum command line length (8k) is exceeded.

Expected behaviour:
Only relevant folders shall be given with -I parameter.
28478
General
CAN-ENTER-EXCLUSIVE-AREA-REF tag is
canEnterExclusiveArea is required inside the entity in BSWMDT, if the referenced exclusive area is used in the entity's code.
BUG
OPEN
missing in the BSWMDT
The entity can be BswCalledEntity, BswSchedulableEntity or BswInterruptEntity.
ISSUE

Actual behaviour:

<BSW-INTERNAL-BEHAVIOR UUID="ECUS:951843a9-6848-4a8d-869a-7b29a87158fa">
<SHORT-NAME>BswInternalBehavior_0</SHORT-NAME>
<EXCLUSIVE-AREA UUID="ECUS:1b965de4-5e4a-49d8-a4cb-e7782386f347">
<SHORT-NAME>VARIABLE_PROTECTION</SHORT-NAME>
</EXCLUSIVE-AREA>
</EXCLUSIVE-AREAS>
<ENTITYS>
<BSW-INTERRUPT-ENTITY UUID="ECUS:8d9d01cd-59a4-4f9d-a0c5-a46966e1b2ad">
<SHORT-NAME>BswInterruptEntity_1</SHORT-NAME>
<IMPLEMENTED-ENTRY-REF DEST="BSW-MODULE-ENTRY">/ArPackage_0/MCU_FEINT_ISR</IMPLEMENTED-ENTRY-REF>
<INTERRUPT-CATEGORY>CAT-1</INTERRUPT-CATEGORY>
<INTERRUPT-SOURCE>INTLVI</INTERRUPT-SOURCE>
</BSW-INTERRUPT-ENTITY>

Expected behaviour:

<BSW-INTERNAL-BEHAVIOR UUID="ECUS:951843a9-6848-4a8d-869a-7b29a87158fa">
<SHORT-NAME>BswInternalBehavior_0</SHORT-NAME>
<EXCLUSIVE-AREA UUID="ECUS:1b965de4-5e4a-49d8-a4cb-e7782386f347">
<SHORT-NAME>VARIABLE_PROTECTION</SHORT-NAME>
</EXCLUSIVE-AREA>
</EXCLUSIVE-AREAS>
28534
General
Wrong upper multiplicity definition for
Problem description:
BUG
OPEN
Configuration container.
In PDF of some MCAL modules the upper multiplicity is defined as
ISSUE
<UPPER-MULTIPLICITY-INFINITE>XX</UPPER-MULTIPLICITY-INFINITE>

The above definitions are not correct according to ASR ecuc_sws_2011.

Actual behavior:
Multiple configuration is not possible due to the above problem.

Expected behavior:
The correct definitions must be as follows:
<UPPER-MULTIPLICITY>XX</UPPER-MULTIPLICITY>

26812
ADC
Unexpected DET ADC_E_IDLE is been raised Problem Description:
BUG
OPEN
from Adc_DisableHardware Trigger
Unexpected DET ADC_E_IDLE is being raised when Adc_DisableHardwareTrigger is invoked for an already enabled group (using the api Adc_EnableHardwareTrigger)whose status is
ISSUE
ADC_STREAM_COMPLETED.

Expected Behaviour :
As per requirement ADC304, the DET ADC_E_IDLE should not be reported when Adc_DisableHardwareTrigger is called for a group that has already been enabled using
Adc_EnableHardwareTrigger.

Actual Behaviour :
The DET ADC_E_IDLE is reported when Adc_DisableHardwareTrigger is called for a group that has already been enabled using Adc_EnableHardwareTrigger.
27492
ADC
HW triggered One-shot conversion in
Problem Description:
BUG
OPEN
Circular Streaming is not working as
As per AUTOSAR specification, one HW trigger should trigger only one ADC channel group conversion stream. The conversion must finish once it receives the HW trigger that is equal to
ISSUE
expected
number of streams configured for the group.

But in the current design single trigger executes the whole stream of conversions.

Expected Behavior:
Only one ADC channel Group conversion stream should happen per H/W trigger.

Actual Behavior:
Streaming conversion is getting completed with single H/W trigger
27505
ADC
'ucGroupSettings' element of
Problem Description:
BUG
OPEN
Adc_GstGroupConfig[] is not generated
LSB of 'ucGroupSettings' element decides whether a group is one-shot or continuous.
ISSUE
properly
'0' means continuous group and
'1' means one-shot group.
But code generator is not generating this properly.
For one-shot mode and circular streaming group it generates '1' and
for continuous mode and linear streaming group it generates '0'

Expected Behavior:
LSB of 'ucGroupSettings' must be '0' for continuous group and '1' for one-shot group.

Actual Behavior:
Code generator is generating the below values,
For one-shot mode and circular streaming group it is generates '1' and
for continuous mode and linear streaming group it generates '0'
27592
ADC
DMA enabled ADC conversion gives wrong Problem description:
BUG
OPEN
conversion result if DTFRRQn register

ISSUE
signals a pending transfer request
Conversion of an ADC group with 'AdcResultAccessMode' => 'ADC_ISR_ACCESS' (Group without DMA) leads to the flagging of DTFRRQn.DRQ bit.

Conversion of an ADC group with 'AdcResultAccessMode' => 'ADC_DMA_ACCESS' (DMA enabled group) when DTFRRQn.DRQ bit already set leads to the return of converted value from
previous cycle.

Therefore DTFRRQn.DRQ bit must be cleared each time when DMA enabled ADC groups conversion is started.

Expected Behavior:
DMA enabled ADC Groups should return the converted result of the current input voltage.

Actual Behavior:
DMA enabled ADC Groups are not returning the converted result of the current input voltage because of already set DTFRRQn.DRQ bit.

27603
ADC
Conversion of a DMA enabled one-shot
Problem description:
BUG
OPEN
ADC group is happening only for the first
One-shot ADC groups with DMA as result access mode is getting converted only for the first trigger and not for the consecutive triggers.
ISSUE
HW trigger and not for the next triggers

Note that if the result access mode is selected as interrupt then it is working as expected.

Expected Behavior:
One-shot ADC groups with DMA as result access mode should convert the group channels for every HW trigger until it is stopped explicitly by Adc_DisableHardwareTrigger()

Actual Behavior:
One-shot ADC groups with DMA as result access mode is getting converted only for the first trigger and not for the consecutive triggers after enabling the group via
Adc_EnableHardwareTrigger()
27613
ADC
HW triggered ADC group with DMA circular Problem description:
BUG
OPEN
streaming access should convert one
Current behaviour of the driver is, HW triggered ADC group with DMA and circular streaming access mode is converts more than one sample per H/W trigger.
ISSUE
sample per one trigger
Sample conversion continues until the group is stopped by calling Adc_DisableHardwareTrigger().

As per the AUTOSAR specification only one sample conversion must be initiated for one HW trigger.

Expected Behavior:
As per the AUTOSAR specification only one sample conversion must be initiated for one HW trigger.

Actual Behavior:
Stream conversion continues with a single HW trigger.
27624
ADC
Adc_GetStreamLastPointer() API does not Problem description:
BUG
OPEN
return the valid sample count when the
Adc_GetStreamLastPointer() API does not return correct number of valid samples when the status of the circular streaming group is ADC_STREAM_COMPLETED. This API must return the
ISSUE
status of the group is
value equal to the configured 'AdcStreamingNumSamples' parameter of that group.
ADC_STREAM_COMPLETED

Expected Behavior:
Adc_GetStreamLastPointer() API must return the maximum sample value when the status of the circular streaming group is ADC_STREAM_COMPLETED.

Actual Behavior:
Adc_GetStreamLastPointer() API is returning random value when the status of the group is ADC_STREAM_COMPLETED.

28094
ADC
Value assigned to register (ADCDnTHGSR) is Problem Description:-
BUG
OPEN
not correct in API Adc_HwInit().
In Private API Adc_HwInit() value assigned to register (ADCDnTHGSR) usADCXnTHGSR is not correct, assignment to this register is as mentioned below.
ISSUE

 LpAdcRegisters->usADCXnTHGSR = (uint16)(LpHwUnitConfig->ucGroupSelectMask); 

Generated value in structure element "ucGroupSelectMask" is not correct, Thereby selection of T&H group B will not work properly.

In tool code value for structure element "ucGroupSelectMask" is as mentioned below. Here final value in "ucGroupSelectMask" is the value in local variable $grp_mask,
Understanding is that for register ADCDnTHGSR bit positions are in even number, as mentioned in section 30.3.23 of Device manual R01UH0436EJ0070 Rev.0.70, But in Generation Tool
code its considered that ADCDnTHGSR register bit positions are continues, As mentioned in Actual Behavior.

Please check and do needful.

Actual Behavior:-
@Line No 749 of BswPbIm.pm file, SVN Revision $185322
Looping below mentioned code for each channel.
# Fill ucGroupSelectMask
$grp_mask = 0;
$BswPbIm::Dbrom_PbImage{Adc_GstHWUnitConfig}{$index}
{ucGroupSelectMask} = $grp_mask;
if ($chn_trck eq "ADC_TH_GROUPB")
{
$grp_mask = $grp_mask | (1 << $ch_id); 
$BswPbIm::Dbrom_PbImage{Adc_GstHWUnitConfig}{$index}
{ucGroupSelectMask} = $grp_mask;
}

28109
ADC
Limit check implementation is not proper
Problem description:
BUG
OPEN
for Polling mode
In the case of Polling, Adc_ReadGroup API is called multiple times in a Loop. From Adc_PollingReadGroup function(called form Adc_ReadGroup API), Adc_ErrIsr is called. In Adc_ErrIsr the
ISSUE
following errors are being cleared by writing 0x0E to ADCDnECR register.
1. Upper Limit/Lower Limit Error.
2. Overwrite Error.
3. Parity Error Clear.

In next polling(calling Adc_ReadGroup), even if the value is beyond Limit/Lower limit, ADC group notification is called and the conversion status is changed to ADC_STREAM_COMPLETED.

Expected Behavior:
ADC driver should trigger the next conversion even if it is configured for one-shot conversion.

Actual Behaviour:
Further conversion is not triggered for one-shot groups.
ADC group notification is called and the conversion status is changed to ADC_STREAM_COMPLETED.

28111
ADC
Conversion is not happening for TH groups Problem Description:
BUG
OPEN
when parameter 'AdcSuspendMode' is
Conversion is happening for ADC groups which contains Track and Hold enabled channels when the configuration parameter 'AdcSuspendMode'
ISSUE
'ADC_ASYNCHRONOUS_SUSPEND' and the in container 'AdcHwUnit' is configured as 'ADC_ASYNCHRONOUS_SUSPEND' and the parameter 'AdcGroupTriggSrc' is 'ADC_TRGG_SRC_SW'.
Trigger is SW

The track and hold functionality is working fine for HW triggered groups even if the parameter 'AdcSuspendMode' is 'ADC_ASYNCHRONOUS_SUSPEND'.
Also, it is working properly for both SW and HW triggered groups if the parameter 'AdcSuspendMode' is 'ADC_SYNCHRONOUS_SUSPEND'

But if the parameter 'AdcSuspendMode' is configured as 'ADC_SYNCHRONOUS_SUSPEND' the generator tool produces the following warning.
"The parameter 'AdcSuspendMode' should be configured as <ADC_ASYNCHRONOUS_SUSPEND> when the channels are enabled for Track and hold feature."

Expected Behavior:
conversion should be happened for both SW and HW triggered groups if parameter 'AdcSuspendMode' is 'ADC_ASYNCHRONOUS_SUSPEND'

Actual Behaviour:
Conversion is not happening if parameter 'AdcSuspendMode' is 'ADC_ASYNCHRONOUS_SUSPEND' for SW triggered groups.
28118
ADC
Critical section protection for global
Problem Description :
BUG
OPEN
structure array "Adc_GpGroupRamData" is
ISSUE
not implemented.
Critical section protection for global structure array "Adc_GpGroupRamData" is not implemented, even though the values of the structure "Adc_GpGroupRamData" is modified in most of
the APIs.

In most of the private API, address of global structure array "Adc_GpGroupRamData" is assigned to a local pointer and then the elements values are changed / modified / read.
Even though the values are changed using local pointer, the value in global structure array "Adc_GpGroupRamData" also gets changed.

Example :

The value of structure element "ddGroupStatus" of "Adc_GpGroupRamData" global structure is being modified in Adc_GroupCompleteMode()
private API called from Adc_Isr().

/* Set group status as conversion completed */
LpGroupData->ddGroupStatus = ADC_STREAM_COMPLETED;

Consider a situation in which API Adc_StopGroupConversion() is called from a high priority task ( say Timer Isr) than that of Adc_Isr(), And if Adc_StopGroupConversion() is called ( for
same group) just after start exciting Adc_Isr(), but not reached above mentioned code.

In this case the status Group Status remain ADC_STREAM_COMPLETED, even after calling Adc_StopGroupConversion().

To avoid such issues, critical sections need to be implemented properly.

Required MO suggestion on same.

Actual Behavior :
Critical section protection not implemented.

28120
ADC
Autosar requirement ADC413 is not taken Problem Description :
BUG
OPEN
care.

ISSUE
As per AUTOSAR requirement ADC413 all API functions, except Adc_Init, Adc_DeInit and Adc_GetVersionInfo are re-entrant. But in current implementation it is not taken care. If the
functions are called
for different channel groups, in current implementation these re-entrant API will not work properly.

Example:-
Consider that SW triggered ADC channel group 0 is already in queue.

Considered that we call Adc_ReadGroup() for ADC group 1 and API Adc_DisableHardwareTrigger() is invoked for ADC Channel group 1 form a interrupt (Like Timer ISR) when only DET
check in Adc_ReadGroup() API is completed. Then execution of Adc_ReadGroup() is pushed to stack and start execution of Adc_DisableHardwareTrigger() API.

When Adc_DisableHardwareTrigger() API complete execution, it pops the ADC channel group 0 from queue, trigger its conversion, and when Adc_ReadGroup() start execution, it will give
unexpected behavior.

similar issues exist in most of the API's,

Requesting MO suggestions on same.

Expected Behavior :
Requirement should be taken care properly and API's except above mentioned should be re-entrant.

Actual Behavior :
Requirement is not taken care.
28121
ADC
Memory section mapping used for global
Probable Description:-
BUG
OPEN
variable "Adc_GaaHwUnitIndex[]" and
1.The global variable "Adc_GaaResultGroupRamData[]" is mapped to memory section "CONFIG_DATA_UNSPECIFIED_SEC_STARTED" (ADC_START_SEC_CONFIG_DATA_UNSPECIFIED), But
ISSUE
"Adc_GaaResultGroupRamData[]" is not
this global variable is not initialized in Adc_PBcfg.c (Generated file).
correct.

Declaration of this variable is as mentioned below.

extern VAR(Adc_ValueGroupType, ADC_NOINIT_DATA) Adc_GaaResultGroupRamData[];
of Adc_Ram.c file.

2. The global variable "Adc_GaaHwUnitIndex[]" is mapped to memory section "VAR_NOINIT_UNSPECIFIED_SEC_STARTED" (ADC_START_SEC_CONFIG_VAR_NOINIT_UNSPECIFIED), But
this global variable is of type const and initialized in Adc_PBcfg.c (Generated file).

Declaration of this variable is as mentioned below.

extern CONST(uint8, ADC_CONST) Adc_GaaHwUnitIndex[];
of Adc_Ram.c file.

Suggested Solution:

1.Adc_GaaResultGroupRamData[] global variable needs to mapped to Uninitialized variable section.

2.Adc_GaaHwUnitIndex[] global variable needs to mapped to initialized constant variable section.

Expected Behavior:- NA

Actual Behavior:- NA

28125
ADC
Register ADCDnTHSTPCR
Problem Description :
BUG
OPEN
(ucADCXnTHSTPCR) needs to use instead of Register ADCDnTHSTPCR (ucADCXnTHSTPCR) needs to use instead of ADCDnTHSMPSTCR (ucADCXnTHSMPSTCR) to stop TRACK & HOLD in following mentioned Line of code.
ISSUE
ADCDnTHSMPSTCR (ucADCXnTHSMPSTCR)
to stop T&H.
As per device manual R01UH0436EJ0070 Rev.0.70 section 30.3.15 ADCDnTHSMPSTCR register is used for starting T&H.

As per device manual R01UH0436EJ0070 Rev.0.70 section 30.3.16 ADCDnTHSTPCR register is used for stop T&H.

1. LpAdcRegisters->ucADCXnTHSMPSTCR = ADC_ZERO;
of Adc_Private_ADCD_ADCB.c file in Private API Adc_HwDeInit().
2. LpAdcRegisters->ucADCXnTHSMPSTCR = ADC_BYTE_ZERO;
of Adc_Private_ADCD_ADCB.c file in Private API Adc_HwStopGroupConversion().
3. Also Adc_Init() needs to update to stop T&H by setting this register.

Actual Behavior :
Register use ADCDnTHSMPSTCR (ucADCXnTHSMPSTCR) to stop TRACK & HOLD.

Expected Behavior :
Register ADCDnTHSTPCR (ucADCXnTHSTPCR) needs to be use to stop TRACK & HOLD.
28134
ADC
Implementation of MRS requirement
Problem Description:
BUG
OPEN
"AR_PN0076_FR_0201" is not proper.
If we call Adc_EnableChannel() API before calling Adc_DisableChannel() API, illegal memory access will occur.
ISSUE
Because when we call Adc_EnableChannel() API internally private API Adc_IntDisableEnableChannel() will call as mentioned below.

Adc_IntDisableEnableChannel(Group, ChannelId, ADC_TRUE)

and in private API Adc_IntDisableEnableChannel(),
if LblApiType( 3rd argument) == ADC_TRUE,
then, decrement the number of channels to disabled,as mentioned in below code

LpGroupData->ucNoofChDisabled--;

Initial value of "ucNoofChDisabled" is zero, so after decrement it become 255, which is not correct result in
illegal memory access or unexpected behavior in API Adc_ReadGroup(), Adc_GetStreamLastPointer(), Adc_ConfigureGroupForConversion() and Adc_IsrConfigureGroupForConversion().

Expected Behavior:
N/A

Actual Behavior:
N/A

Suggested solution:
Add a DET check if particular channel is trying to enable before it is disabled.
28135
ADC
Version check for Dem.h file is not present. Problem description:
BUG
OPEN
As per autosar requirement ADC124 The ADC module shall perform Inter Module Checks to avoid integration of incompatible files.
ISSUE

But version check for Dem.h file is not present in the above mentioned file.

FILE : Adc_Private_ADCD_ADCB.c

Expected Behavior :
Version check should be done.

Actual Behavior :
No version check is performed.

28143
ADC
General requirement
Problem description :
BUG
OPEN
"AR_PN0034_FR_0025" is not considered.
The DMA related registers are not initialized in Adc_init().
ISSUE

The same issue is there with following registers also:

1. ADCDnTHBCR (ucADCXnTHBCR),
2. ADCDnSGCRx (ucADCXnSGCRx),
3. ADCDnSGVCSPx (ucADCXnSGVCSPx)
4. ADCDnSGVCEPx (ucADCXnSGVCEPx)
5. ADCDnSGMCYCRx (ucADCXnSGMCYCRx)
6. ADCDnULLMSRx (ucADCXnULLMSRx)
7. ADCDnADTIPRy (ulADCXnADTIPRy)
8. ADOPDIGn (ulADOPDIGn)
9. ADCDnTHACR
10. ADCDnTHCR
11. ADCXnULLMTBR 0 to 2

are not initialized in Adc_Init().

But as per General MRS "AR_PN0034_FR_0025" :
The <MSN>_Init API shall ensure that the related peripheral is running correctly, even if the peripheral was previously configured by another Application that changed the registers' default
values.
Thereby this General requirement "AR_PN0034_FR_0025" is not considered for above mentioned registers.

Expected Behavior:
The general MRS requirement "AR_PN0034_FR_0025" should be taken care for all above mentioned registers and DMA related registers and all should be initialized in Adc_init().

Actual Behavior:
28151
ADC
AUTOSAR requirement ADC077 is not
Problem Description:
BUG
OPEN
taken care while implementing Adc_Init().
As per this requirement,
ISSUE
[ADC077] The function Adc_Init shall disable the notifications and hardware trigger capability (if statically configured as active).

Configured HW triggers are not disabled in Adc_Init(). If we consider General MRS requirement "AR_PN0034_FR_0025", it needs to be corrected accordingly.
As per this requirement:- "The <MSN>_Init API shall ensure that the related peripheral is running correctly, even if the peripheral was previously configured by another Application that
changed the registers' default values. "

Expected Behavior:
Configured HW triggers to be disabled in Adc_Init()

Actual Behavior:
Configured HW triggers are not disabled in Adc_Init().

28158
ADC
The Cautions mentioned in Device manual Problem Description:
BUG
OPEN
are not implemented.
For example
ISSUE
As per Caution[1]: section 30.3.9
To prevent malfunctions, make ADCDnADCR1 settings after making or confirming the following settings.
(1) HLDTE of T&H group A and B are 0.
(2) ADSTARTE of all scan groups are 0 and TRGMD of all scan groups are 0H.
(3) SGACT of all scan groups are 0 (before scan groups are started).]

Before setting value to ADCDnADCR1 (ucADCXnADCR1) Register in Adc_Private_ADCD_ADCB.c file in Adc_HwInit() API, we are not setting the bits or values of these register bits
mentioned in Caution are unknown to the driver. So based on General MRS requirement "AR_PN0034_FR_0025" this is to be implemented.

Same type of issues are applicable for following registers also. Please check all applicable Cautions.

1. ADCDnADCR2 (ucADCXnADCR2)
2. ADCDnSFTCR (ucADCXnSFTCR)
3. ADCDnTDCR (ucADCXnTDCR)
4. ADCDnODCR (ucADCXnODCR)
5. ADCDnTHACR (ucADCXnTHACR)
6. ADCDnTHER (ucADCXnTHER)
7. ADCDnTHGSR(usADCXnTHGSR)
8. ADCDnSGVCSPx (ucADCXnSGVCSPx)
9. ADOPDIGn (ulADOPDIGn)

Expected Behavior:
none

Actual Behavior:
28165
ADC
DEM error is not reported for Overwrite
Problem description:
FEATURE
OPEN
Error in error ISR Adc_ErrIsr()
In the API Adc_ErrIsr(), ucADCXnOWER register is only used to calculate Physical channel ID. Understanding is that DEM error of Overwrite Error also needs to be reported. Also add
ISSUE
similar DEM error report to other errors like Parity Error, Upper / lower limit error and ID Error.

Expected Behavior:
DEM error needs to be reported.

Actual Behavior:
DEm error is not reported.

28179
ADC
Device manual CAUTION is not considered Problem Description:
BUG
OPEN
for implementation in Adc_HwInit() and
CAUTION mentioned in section 7.10.2.13 of R01UH0436EJ0070 Rev.0.70, is not considered for implementation .
ISSUE
Adc_HwDeInit()
As per device manual Caution
"DTFR.REQSEL can be changed while DTFR.REQEN is 0."

But in current implementation both bits REQSEL and REQEN of DTFRn Register are updating simultaneously as mentioned in below code snippet.

In Adc_HwInit():
LpDmaRegisters->ulDTFRn = LpSGmDmaConfig->ulDmaDtfrRegValue;
ulDmaDtfrRegValue is generated value contain value of both bits REQSEL and REQEN of DTFRn Register.
In Adc_HwDeInit():
LpDmaRegisters->ulDTFRn = ADC_DOUBLE_WORD_ZERO;

Understanding is that before changing the value of DTFR.REQSEL, needs to clear bit DTFR.REQEN.

Expected Behavior:
Please update the design as below.
In Adc_HwInit()
1. Reset: DTFRRQn register (0x00)
2. Clear bits LpDmaRegisters->ulDCENn = ADC_DMA_DTE_DISABLE;
3. LpDmaRegisters->ulDTFRn = LpSGmDmaConfig->ulDmaDtfrRegValue;

For Adc_HwDeInit()
Make similiar changes

Actual Behavior:
In Adc_HwInit():
LpDmaRegisters->ulDTFRn = LpSGmDmaConfig->ulDmaDtfrRegValue;
28184
ADC
Clearing of ID Error is not correct.
Problem Description :
BUG
OPEN
Clearing of Error flags are not correct, In current implementation ADCDnIER.IDE error flag for ID Error is not clearing.
ISSUE

LpAdcRegisters->ucADCXnECR = ADC_CHKCLR_ERROR_FLAG;
of Adc_Private_ADCD_ADCB.c file in Adc_ErrIsr() Private API is used to clear all the error flag.

As per device manual R01UH0436EJ0070 Rev.0.70 Section 30.3.29, register ADCDnECR (Error Clear Register) last 4 digits should be set to clear all error flag.

In Adc_PBTypes_ADCD_ADCB.h file ADC_CHKCLR_ERROR_FLAG value of this macro is 0x0E. So last ADCDnIER.IDE bit is not clear.

Suggested Solution :
Adc_PBTypes_ADCD_ADCB.h file ADC_CHKCLR_ERROR_FLAG value of this macro should be 0x0F to clear all the flag.

Actual Behavior : ID error is not getting clear when all the error flags are made clear.

Expected Behavior : ID error should also getting clear when all the error flags made clear.

28187
ADC
Implementation of MRS requirement
problem Description :
BUG
OPEN
AR_PN0076_FR_0087 and
1.MRS requirement "AR_PN0076_FR_0087" is needs to be take care in Tool code, But in current implementation its not taken care. As per Device manual R01UH0436EJ0070 Rev.0.70
ISSUE
AR_PN0076_FR_0089 is not proper.
section 30.3.28, number of ADCDnULLMTBRx register is 3 (x = 0, 1, 2). In current implementation tool code will not give any error even if we configure channel having limit check more
than 2, when value of parameter "AdcPriorityImplementation" = ADC_PRIORITY_NONE.

2.MRS requirement "AR_PN0076_FR_0089" is needs to be take care in Tool code, But in current implementation its not taken care. As per Device manual R01UH0436EJ0070 Rev.0.70
section 30.3.28, number of ADCDnULLMTBRx register is 3 (x = 0, 1, 2). In current implementation tool code will not give any error even if we configure channel having limit check more
than 2, when value of parameter "AdcPriorityImplementation" = ADC_PRIORITY_HW_SW or ADC_PRIORITY_HW.

Actual Behavior :

For both case generation tool code is not generating validation error, if limit check enabled for more than 3 channel Group with different Limit check setting. Understating is that, it will
not work properly when these groups are queued.

Expected Behavior :
For both case proper validation needs to add in Tool code.

Required MO suggestion on same.
28188
ADC
Register "ADCDnECR" (ucADCXnECR) is not Problem description:
BUG
OPEN
handled properly in Adc_DeInit and
In private API Adc_Init() register "ADCDnECR" (ucADCXnECR) is not implemented.
ISSUE
Adc_Init() API's.

and also in private API Adc_DeInit() register "ADCDnECR" (ucADCXnECR) is upated with zero as mentioned below :

LpAdcRegisters->ucADCXnECR = ADC_ZERO;

Understanding is that to clear error flags ADCDnOWER.OWE, ADCDnPER.PE and ADCDnIER.IDE, we need to set ( write 1) to respective bits of the "ADCDnECR" (ucADCXnECR) register in
Adc_DeInit() and Adc_Init() API.

We can also consider general MRS requirement "AR_PN0034_FR_0025", As per this requirement,

The Adc_Init API shall ensure that the related peripheral is running correctly, even if the peripheral was previously configured by another Application that changed the registers' default
values.

and autosar requirement ADC110 :

The function Adc_DeInit shall return all ADC HW Units to a state
comparable to their power on reset state. Values of registers which are not writeable are excluded. It’s the responsibility of the hardware design that this state does not lead to undefined
activities in the µC.

Expected Behavior :
Register ADCDnECR" (ucADCXnECR) should be updated correctly in Adc_Init and Adc_DeInit APIs as per requirements.

Actual Behavior :
Register ADCDnECR" (ucADCXnECR) is not handled as per the requirements.

28214
ADC
AUTOSAR Requirement ADC091 and
1. as per ADC091 requirement :
BUG
OPEN
ADC277 is not taken care.
"The ADC module’s configuration shall be such that an ADC Channel group contains at least one ADC Channel"
ISSUE

In current implementation AUTOSAR Requirement ADC091 is not taken care, in generation tool.
As per current implementation, tool code is not giving any proper error even if no channel is configured under a ADC Group and tool code will crash by giving error "ERR123001", which is
not correct.

2. As per ADC277 Requirement,
"The ADC module’s configuration shall be such that all channels
contained in one ADC Channel group shall belong to the same ADC HW Unit."

Its found that this SWS requirement is not mapped properly in TSDD, Traceability and TSTP, that's needs to fix accordingly.

Most of the requirement are not tracked properly in Traceability sheet.

Expected Behavior :
point 1. Tool code should give a error message stating no channel is configured for particular ADC group.

point 2. Update TSDD, TSTP, Traceability

Actual Behavior :
point 1. Tool code crash if no channel is configured for a ADC group.
point 2. Requirements are not tracked properly in Traceability sheet.
26442
Can
Transmission History List issues
1) CanIf (CanIf_TxConfirmation) is being called while looping by the Can_TxConfirmationProcessing function.
BUG
OPEN
Any processing isn't being done by hardware, so I'm thinking the time-out isn't being confirmed.
ISSUE
So don't we have to check the time out handling here?

2) It's written on "CLEARING OF ALL TRANSMIT MESSAGE BUFFERS" and a comment in the Can_StartMode function, but how is a transmission history buffer initialized?
RSCAN0THLACCm and RSCAN0TXQPCTRm resister weren't being read, so I didn't understand how to be initialized.
26903
Can
PBcfg file Generation operation terminated Problem description:
BUG
OPEN
due to Illegal division by zero
Generation terminated due to Illegal division by zero at /PerlApp/BswConfigValidate.pm line 561.
ISSUE

can_X1X.exe Can.arxml Sample_Application_F1x.trxml R403_can_F1x_BSWMDT.arxml EcuM.arxml Mcu.arxml Os.arxml Dem.arxml
INF000001: Tool Version: 1.2.3
INF000002: Command line arguments: Can_X1x.exe Can.arxml
Sample_Application_F1x.trxml R403_can_F1x_BSWMDT.arxml EcuM.arxml
Mcu.arxml Os.arxml Dem.arxml
Illegal division by zero at /PerlApp/BswConfigValidate.pm line 561.

Expected behavior:
PBcfg file Generation operation should not be terminated. If any error occurred Generator tool should throw out error with ambiguous error message.

Actual behavior:
PBcfg file Generation operation is terminated due to Illegal division.If any error occurred Generator tool is throwing out error with unambiguous error message.

27020
Can
Walking 0 pattern is not implemented in
Problem description:
BUG
OPEN
Can_RamTst_WalkPath_Algorithm() API
As per Renesas requirement AR_PN0069_FR_0023,the RAM is checked by using data patterns (checker pattern, walking-0 and walking-1 pattern).
ISSUE
But in the current implementation walking-0 pattern is not implemented. This shall be implemented as an enhancement, but it is not a bug since Walking "0"'s pattern and Walking "1"'s
pattern is similar.

Expected behaviour:
As per requirement walking-0 pattern shall be implemented.

Actual behaviour:
In the current code, walking-0 pattern is not implemented.
27183
Can
Can_SelfTestChannel API executes in
Problem description:
BUG
OPEN
modes other than STOPPED

ISSUE
If the controller is not in STOPPED state, the function 'Can_SelfTestChannel' shall be aborted and returns E_NOT_OK. But as per the current implementation, this check is not provided and
the code try to set the operation mode as Halt mode.

Expected behavior:

The function shall be aborted and returns E_NOT_OK, if the controller is not in the STOPPED state.

Actual behavior:

Please see the problem description.
27647
Can
Transmission occurs even if the return of
Problem description:
BUG
OPEN
Can_write() API is CAN_BUSY
If cancellation is enabled, cancellation has to be initiated for the lower priority ID/Identical ID (if identical Id cancellation is also enabled) request when the write request came with the
ISSUE
higher priority ID / identical ID for the same HTH. The TX request for the new L-PDU shall be repeated by the CanIf module, inside the notification function CanIf_CancelTxConfirmation -
requirement [CAN288].

If cancellation is disabled, the new Can_Write() request for the same HTH shall not be accepted and returned with CAN_BUSY. The first write request shall be transmitted which was in
pending state.

The same information is covered with the requirements [CAN213], [CAN214], [CAN215] and [CAN434]

Expected Behaviour:
1. The transmission shall not be there for the Can_Write() request when its return value is CAN_BUSY.
2. The cancellation of the pending transmission has to happen properly, when transmission cancellation is enabled.

Actual Behaviour:
In different scenarios the transmission of the frame happens even after returning the reply as CAN_BUSY for the Can_Write() API call.

EX:
1. When the cancellation is OFF (In polling mode), however the return value of the Can_Write() request for the same HTH is CAN_BUSY, the transmission of the frame is observed on the
CANAlyzer and also Tx confirmation is received.

2. When Identical ID cancellation is ON, however the return for the Can_Write() request for the same HTH with identical ID is CAN_BUSY as expected and cancel confirmation is received,
the transmission is happening without re-requested as stated in requirement [CAN288]. Also complete frame data is '0' and Tx confirmation is received as well.

3. When cancellation is ON, however the return for the Can_Write() request for the same HTH with higher priority ID is CAN_BUSY as expected and cancel confirmation is received, the
transmission is happening without re-requested as stated in requirement [CAN288] and also Tx confirmation is received .

27649
Can
Hth Cancellation is not notifed correctly to Problem description:
BUG
OPEN
the upper layer (CanIf) in case of multiple
There is no while loop, but unnecessarily LucArrPosition incremented and wrong comment provided.
ISSUE
Hth to cancel
uint8_least LucArrPosition;
--code----
if (LblTxCancelFlag == CAN_TRUE)
{
/* Set the BasicCAN HTH count to maximum to exit the while loop */
LucArrPosition = LpPBController->ucNoOfBasicCanHth;
/* Set the TX Cancellation Status flag of the HTH */
Can_RSCAN_GaaTxCancelStsFlgs[(LucArrPosition >> CAN_THREE)] =
(Can_RSCAN_GaaTxCancelStsFlgs[(LucArrPosition >> CAN_THREE)]) |
((uint8)(CAN_ONE << (LucCount % CAN_EIGHT)));
/* Increment the array position to point to next
* BasicCAN HTH of the controller */
LucArrPosition++;
}
else
{
/* No action required */
}

Expected behavior:
None

Actual behavior:
None
27650
Can
Multiple DET error reporting from one API Description:
BUG
OPEN
not compliant with AUTOSAR requirement According to CAN091 from AUTOSAR 4.0.3 CAN SWS - a function that reports a development error shall return immediately after.
ISSUE
In many CAN driver APIs multiple errors are checked and reported, before the function returns. Examples:
* Can_Init() may report CAN_E_TRANSITION, CAN_E_PARAM_POINTER before it returns
* Can_Can_InitController() may report e.g. CAN_E_UNINIT and CAN_E_PARAM_POINTER before it returns)

Expected behaviour:
Every CAN driver API should return immediately with not action after a development error is detected is reported

Actual behaviour:
In some case in CAN APIs multiple development errors can be reported, like for Can_Init(), Can_InitController()
27654
Can
DEM version Check is missing
Problem Description:
BUG
OPEN
As per the requirement [CAN111](BSW004), the AUTOSAR major and minor release version needs to be checked for all the external modules. But the version check for the DEM module is
ISSUE
missing.

Expected Behaviour:
The compilation error shall be reported when the DEM module with different AUTOSAR release version is integrated.

Actual behaviour:
The compilation is happening successfully even when the DEM module with different AUTOSAR release version is integrated.
27742
Can
The MCAL CAN driver shall clear the
Problem Description: The MCAL CAN driver will not clear the corresponding WUF flag in the ISR if the precompile configuration parameter CanWakeUpFactorClearIsr is set to TRUE.
BUG
OPEN
corresponding WUF flag in the ISR
Default value should be FALSE. PDF is reviewed and found that the parameter CanWakeUpFactorClearIsr is not implemented.
ISSUE
(AR_PN0069_FR_0025)

Expected Behavior: AR_PN0069_FR_0025 shall be implemented.

Actual Behavior: AR_PN0069_FR_0025 is not implemented properly

27874
Can
Autosare requirment CAN065_Conf is not
Problem Description:
BUG
OPEN
taken care
As per Autosare SWS CAN065_Conf, CanIdType shall support ID's of type STANDARD, MIXED and EXTENDED. In the current implementation only STANDARD and EXTENDED types are
ISSUE
taken care.

Expected Behavior: MIXED ID type shall also be supported by the PDF.

Actual Behavior: NA
27880
Can
Additional API to cancel Tx is not available Problem Description: The internal function “Can_TxCancel” is available as private API. As per the requirement description, the API shall be available as public API such that CanIf AUTOSAR BUG
OPEN
for CanIf / Upper layer.
module can have corresponding call to this API in order to use it.
ISSUE

Expected Behavior: The internal function “Can_TxCancel” shall be available as additional API (public)

Actual Behavior: NA
27882
Can
CAN_E_DATALOST development error is
Problem description:
BUG
OPEN
not reported
According to AUTOSAR 4.0.3 CAN SWS CAN395: "If the development error detection for the Can module is enabled, the Can module shall raise the error CAN_E_DATALOST in case of
ISSUE
“overwrite” or “overrun” event detection."

This DET error CAN_E_DATALOST is declared in Can.h but it is not used in the code.

Expected behaviour:
Development error CAN_E_DATALOST should be reported if overwrite or overrun events are detected in the reception buffers.

Actual behaviour:
CAN_E_DATALOST development error reporting is nowhere encountered in CAN driver code
27934
Can
Unexpected Behavior of in Can wake up
Problem description: CAN wake up shows unexpected behavior. Wake up ISR is getting triggered, even if wake up is not initiated.
BUG
OPEN

ISSUE
Expected Bahavior: Wake up shall be triggered only on occurance of a wake up event

Actual Behavior: Undefined behavior of CAN wake up
27945
Can
Can_Write request returns CAN_OK when Problem Description: Can_Write request returns CAN_OK when HTH is busy to process another transmit request. Can transmission shall only be initiated after getting tx confirmation on BUG
OPEN
HTH is busy
the last transmitted message.
ISSUE

Expected Behavior: Can_Write request shall return CAN_BUSY when HTH is busy to process another transmit request

Actual Behavior: NA
27965
Can
Can module is malfunctioning on HW Tx
Problem description:
BUG
OPEN
Cancellation.
Can module is malfunctioning when HW Tx Cancellation support is enabled and a Transmit abort request was not successful (the CAN frame was transmitted).
ISSUE
It this particular case, once the Tx Cancellation is initiated inside the Can module source code the global transmit cancel flag “Can_GblTxCancelIntFlg” is set to CAN_TRUE. Later this flag
“Can_GblTxCancelIntFlg” is cleared inside the source code invoked when the "INTCnWUP" interrupt is serviced. But in the current use case, since the Transmit abort request was not
successful, the "INTCnWUP" interruupt is not activated. Instead, the "INTCnTRX" interrupt is activated (frame successfully transmitted from message buffer m), but the source code
invoked when "INTCnTRX" interrupt is serviced (ex. CAN_CONTROLLER0_TX_ISR) does not clear the “Can_GblTxCancelIntFlg” flag.
The flag remains set and this causes subsequent calls to "Can_Write()" to fail and return "CAN_BUSY" result. This renders the Can module incapable to transmit CAN frames any more
(until being re-initialized).

Actual behavior: N/A

Expected behavior: N/A
28070
Can
[X1x][CAN]
Problem Description: While updating ECODE for merging the changes done as part of F1H E4.00.01 release to trunk, in Can_RAMTest API call of 'Can_RamTst_WalkPath_Algorithm' was
BUG
OPEN
Can_RamTst_WalkPath_Algorithm is not
replaced by 'Can_RamTest_Checker_Algorithm'. So now instead of calling Can_RamTst_WalkPath_Algorithm, Can_RamTest_Checker_Algorithm is called second time.
ISSUE
called from Can_RAMTest API
Work Around: Repeated call of 'Can_RamTest_Checker_Algorithm' has to be replaced with 'Can_RamTst_WalkPath_Algorithm'.

Expected behavior: Can_RamTst_WalkPath_Algorithm should be called from Can_RAMTest API.

Actual behavior: Can_RamTst_WalkPath_Algorithm is not called from Can_RAMTest API.

28503
Can
CAN_E_DATALOST development error is
Problem description:
BUG
OPEN
not reported
According to AUTOSAR 4.0.3 CAN SWS CAN395: "If the development error detection for the Can module is enabled, the Can module shall raise the error CAN_E_DATALOST in case of
ISSUE
“overwrite” or “overrun” event detection."

This DET error CAN_E_DATALOST is declared in Can.h but it is not used in the code.

Expected behaviour:
Development error CAN_E_DATALOST should be reported if overwrite or overrun events are detected in the reception buffers.

Actual behaviour:
CAN_E_DATALOST development error reporting is nowhere encountered in CAN driver code
28505
Can
Multiple polling period for Tx and Rx (valid Problem Description:
BUG
OPEN
for R3.2and R4.x) is not supported
This is a task to verify the possibility to configure and handle multiple transmission or reception in polling mode based on SWS R3.2 ID: CAN356,CAN436 (Rx) and CAN358, CAN345 (Tx).
ISSUE

The solution to this issue is to update the CAN code generator to count how many instances of the parameter CanMainFunctionWritePeriod and CanMainFunctionReadPeriod are
configured
and based on this to generate the opportune number of macro

#defines Can_MainFunction_Write_0
#define Can_MainFunction_Read_0
for the 1st instance,

#define Can_MainFunction_Write_1
#define Can_MainFunction_Read_1 for the 2nd instance

The generated code should look like this:

/*Polling Period 0 for Write*/
#define Can_MainFunction_Write_0() Can_MainFunction_Write()

/*Polling Period 1 for Write*/
#define Can_MainFunction_Write_1() Can_MainFunction_Write()
...etc.

Expected behaviour:
N/A

Actual Behaviour:
N/A
28541
Can
Restrict the baudrate to only a limited
Restrict the baudrate to only a limited range is wrong. There are other buadrate like 50K or 25K that can be realized.
BUG
OPEN
range is wrong.

ISSUE
Actually the generator impelementation is to occur error, if the value of the parameter CanControllerBaudRate is other than 33, 83,100,125,250,500 or 1000Kbps for the particular
controller.

Actual Behaviour: Error occurs, if the value of the parameter CanControllerBaudRate is other than 33,83,100,125,250,500 or 1000Kbps for the particular controller.

Expected Behaviour:Error should not occur, if the value of the parameter CanControllerBaudRate is other buadrate like 50K or 25K.

28601
Can
Correct typo in error ERR080034.
Problem Description:
BUG
OPEN

ISSUE
Correct typo in error ERR080034 in BswConfigValidate.pm

Expected behavior:

The description of the ERR shall be "The calculated 'Time Quanta' should be in the range of <8- 25>"

Actual Behavior:

The description of the error is currently

The calculated 'DBT (Data Bit Time)' should be in the range of <8- 25>.

Initialization Check is not performed for
Problem Description:
OPEN
Dio_MaskedWritePort() API In the DIO
Dio_MaskedWritePort() API is not checked whether DIO Is initialized or not.
ISSUE
driver.

Expected behavior:
FUNC(void, DIO_PUBLIC_CODE) Dio_MaskedWritePort
(Dio_PortType PortId,
Dio_PortLevelType Level,
Dio_PortLevelType Mask)
{
------variable declaraiton ----------
/* Check whether DIO_DEV_ERROR_DETECT is enabled */
#if (DIO_DEV_ERROR_DETECT == STD_ON)
/*START of DIO_AR_VERSION */
#if (DIO_AR_VERSION == DIO_AR_HIGHER_VERSION)
if (Dio_GblDriverStatus == DIO_UNINITIALIZED)
{
/* Report Error to DET */
(void)Det_ReportError(DIO_MODULE_ID, DIO_INSTANCE_ID,
DIO_MASKED_WRITE_PORT_SID, DIO_E_UNINIT);
LenDetErrFlag = E_OK;
}
else
{
/* No action required */
}
#endif
24131 DIO

BUG
---------
26249
DIO
The channel group not validated correctly Problem Description:
BUG
OPEN
in
Functional argument pointer 'ChannelGroupIdPtr' is checked only against NULL_PTR in Dio_ReadChannelGroup/Dio_WriteChannelGroup APIs and it is not validated properly to report
ISSUE
Dio_ReadChannelGroup/Dio_WriteChannel DIO_E_PARAM_INVALID_GROUP.
Group APIs

Currently, if wrong or out-of-bound address is passed (Ex: If Dio_GstChannelGroupData[] size is 4 i.e. 0-3 and if &Dio_GstChannelGroupData[4] is passed by mistake), the NULL_PTR
condition check is unable to catch this and the API proceeds for further processing instead of reporting DET DIO_E_PARAM_INVALID_GROUP.

While doing further processing the behaviour might be un-predictable.

Expected Behavior:
The channel group needs to be validated to report DET and it shall not do any further processing detecting DET.

Actual Behavior:
The channel group is not validated to report DET and it shall do further processing even during development error condition.

26251
DIO
Global variable
Problem Description:
BUG
OPEN
(Dio_GusNoOfChannelGroups) and config
The global variable 'Dio_GusNoOfChannelGroups' which is initialised with the value of the config structure member 'usNoofChannelGroups' is used as offset for accessing the channel
ISSUE
structure member (usNoofChannelGroups) group structure when multi config set comes into picture. But the name suggests that it holds the value of "number of channel groups configured" which misleading.
names are misleading

E.g.: If 8 channel groups are configured with two config sets (each), the handles will be generated as,

#define DioConf_DioChannelGroup_DioChannelGroup1 (&Dio_GstChannelGroupData[0])
#define DioConf_DioChannelGroup_DioChannelGroup2 (&Dio_GstChannelGroupData[1])
#define DioConf_DioChannelGroup_DioChannelGroup3 (&Dio_GstChannelGroupData[2])
#define DioConf_DioChannelGroup_DioChannelGroup4 (&Dio_GstChannelGroupData[3])
#define DioConf_DioChannelGroup_DioChannelGroup5 (&Dio_GstChannelGroupData[4])
#define DioConf_DioChannelGroup_DioChannelGroup6 (&Dio_GstChannelGroupData[5])
#define DioConf_DioChannelGroup_DioChannelGroup7 (&Dio_GstChannelGroupData[6])
#define DioConf_DioChannelGroup_DioChannelGroup8 (&Dio_GstChannelGroupData[7])

It shall generate 8 handles pointing 8 channel group structures and the channel structures 9-16 which is applicable for second config set shall be accessed with the help of same handles
with offset value in 'Dio_GusNoOfChannelGroups'. i.e. When config set 0 is initialised its value will be 0. When config set 1 is initialised its value will be 8 for the above case.

Expected Behavior:
The name of this global variable and respective config structure member has to be corrected with meaningful name which is near to it usage. Ex: 'Dio_GusChannelGroupsOffset' and
'usChannelGroupsOffset' respectively.

Actual Behavior:
Variable names are misleading
26572
DIO
Optimize the execution time of RSR register Problem description:
BUG
OPEN
setting sequence
Check the pin direction and prepare the value and write to psr register will take less time to execute when the pin direction check is failed(beginning check itself it will come out). As per
ISSUE
current method Even the pin direction check is failed, Prepare the value to set to the register operation is performed.

Expected behavior:
1.Check the pins direction.(Check the PMSR register.)
2.Prepare the value to set to the register.
3.Write the PSR register.
Source : Please refer to the attached file.(Proposed amendments)
Dio_WriteChannel 168-191
Dio_WriteChannelGroup 407-415
Dio_MaskedWritePort 584-591

Actual behavior:
1.Prepare the value to set to the register.
2.Check the pins direction.(Check the PMSR register.)
3.Write the PSR register.
Function : Dio_WriteChannel, Dio_WriteChannelGroup, Dio_MaskedWritePort
Line : Dio_WriteChannel 931-956
Dio_WriteChannelGroup 1573-1583
Dio_MaskedWritePort 1714-1721

27729
DIO
Unreachable code present in Dio.c
In API Dio_ReadChannelGroup and API Dio_WriteChannelGroup, In the below code if the first condition got true, code will not go inside else part. If the first condition fails the second
BUG
OPEN
condition would also be false. So the code inside the second if block is unreachable that is dead code. The issue is found during UT.
ISSUE

if (ChannelGroupIdPtr == NULL_PTR)
{
/* TRACE [R3, DIO140][R4, DIO140] */
/* TRACE [R4, DIO178] */
/* Report Error to DET */
(void)Det_ReportError(DIO_MODULE_ID, DIO_INSTANCE_ID,
DIO_WRITE_CHANNEL_GROUP_SID, DIO_E_PARAM_POINTER);
LenDetErrFlag = E_OK;
}
else
{
/* Get the pointer to corresponding index in the
array Dio_GstChannelGroupData */
/* MISRA Violation: START Msg(4:0492)-6 */
LpChannelGroupPtr = &ChannelGroupIdPtr[Dio_GusNoOfChannelGroups];
/* END Msg(4:0492)-6 */
if (NULL_PTR == LpChannelGroupPtr)
{
/* Report Error to DET */
(void)Det_ReportError(DIO_MODULE_ID, DIO_INSTANCE_ID,
DIO_WRITE_CHANNEL_GROUP_SID, DIO_E_PARAM_INVALID_GROUP);
LenDetErrFlag = E_OK;
}
else
{
26594
FLS
[F1L][FLS] Mismatch in memory mapping of Problem descripaon:
BUG
OPEN
Fls_MainFunction
There is a mismatch in the memory mapping of Fls_MainFunction.
ISSUE

In Fls.h, Fls_MainFunction is mapped to FLS_START_SEC_PUBLIC_CODE:(See the code below)

254 : #define FLS_START_SEC_PUBLIC_CODE
255 : #include "MemMap.h"

280 : extern FUNC(void, FLS_PUBLIC_CODE) Fls_MainFunction(void);

In Fls.c, Fls_MainFunction is mapped to FLS_START_SEC_SCHEDULER_CODE(See the code below)

1689 : define FLS_START_SEC_SCHEDULER_CODE
1690 : #include "MemMap.h"
1691 :
1692 : FUNC(void, FLS_PUBLIC_CODE)Fls_MainFunction(void)

And in MemMap.h, both FLS_START_SEC_PUBLIC_CODE and FLS_START_SEC_SCHEDULER_CODE are defined as ".FLS_PUBLIC_CODE_RAM".

Expected behaviour:
Memory mapping in both declaration and definition of function shall be unique.

Actual behaviour:
There is difference in the memory mapping of declaration and definition of function Fls_MainFunction.

26925
FLS
Length calculation for misaligned access
Description:
BUG
OPEN
fails
Length calculation in Fls_Internal leads to invalid values.
ISSUE

Actual behaviour:
Resulting length is around 4 billion which causes other function to be in endless loop.

Expected behaviour:
Correct length calculation
27581
FLS
Fls_GVar structure is not initialised
Problem description:
BUG
OPEN
properly according to C89/C90 (ISO/IEC
The initialization of Fls_GVar in Fls_Ram.c is not according to C90 standard. A structure that contains pointers, variables and further structures is simply initialized with "0".
ISSUE
9899:1990)
This is possible in C99 (ISO/IEC 9899:1999, chapter 6.7.8.21), but MCAL shall be implemented according to C89/C90 (ISO/IEC 9899:1990).

In Coding Guidelines EAAR-GL-0084.pdf, EAAR_PN0084_NR_0065 an example is given:
/* Usage and initialization in a C file: */
MyModule_Vector_tst Vector1_st = { 0, 0, 0 };

Expected behaviour:
Each element in the structure shall be initialised properly.

Actual behaviour:
Structure is initialised as VAR(Fls_GVarProperties, FLS_INIT_DATA) Fls_GVar = {FLS_ZERO};
27819
FLS
Fls_Resume cannot interrupt the FLS
Problem Description:
BUG
OPEN
ISR(JOB END).(AR_PN0072_FR_0046)
As per current implementation in Fls_Resume() API, If FLS_DEV_ERROR_DETECT = STD_ON and FLS_TIMEOUT_MONITORING = STD_ON then after waiting for FLS_ISR_TIMEOUT_VALUE, It
ISSUE
starts FLS Resume process without checking whether FLS ISR is serviced (Check whether Fls_GVar.Fls_MutexFlag == FLS_ZERO). In current implementation, It will also not report any DET if
timeout occurred after waiting for FLS ISR is serviced.

This issue exist in file Fls.c V1.3.6.

As per requirement AR_PN0072_FR_0046:-

<Fls_Suspend cannot interrupt the FLS ISR(JOB END). It means when FLS ISR(JOB END) has already entered critical section (protected by semaphore/mutex) the upcoming Fls_Suspend
must wait until ISR(JOB END) exits critical section. until ISR(JOB END) exits critical section.>

Understanding is that above mentioned point in MRS is not correct. As per our understanding correct one is as mentioned below.

<Fls_Resume cannot interrupt the FLS ISR(JOB END). It means when FLS ISR(JOB END) has already entered critical section (protected by semaphore/mutex) the upcoming Fls_Resume must
wait until ISR(JOB END) exits critical section. until ISR(JOB END) exits critical section.>

Expected Behavior: MRS requirement AR_PN0072_FR_0046 needs to implement properly.

Actual Behavior: MRS requirement AR_PN0072_FR_0046 is not implemented properly.

27829
FLS
Fls_Suspend cannot interrupt the FLS
Problem Description:
BUG
OPEN
ISR(JOB END).(AR_PN0072_FR_0045)
As per current implementation in Fls_Suspend() API, If FLS_DEV_ERROR_DETECT = STD_ON and FLS_TIMEOUT_MONITORING = STD_ON then after waiting for FLS_ISR_TIMEOUT_VALUE, It
ISSUE
starts FLS Suspend process without checking whether FLS ISR is serviced (Check whether Fls_GVar.Fls_MutexFlag == FLS_ZERO). In current implementation, It will also not report any DET if
timeout occurred after waiting for FLS ISR is serviced.

This issue exist in file Fls.c V1.3.6.

As per requirement AR_PN0072_FR_0045:- Fls_Suspend cannot interrupt the FLS ISR(JOB END). It means when FLS ISR(JOB
END) has already entered critical section (protected by semaphore/mutex) the upcoming Fls_Suspend must wait until ISR(JOB END) exits critical section.

Expected Behavior: MRS requirement AR_PN0072_FR_0045 needs to implement properly.

Actual Behavior: MRS requirement AR_PN0072_FR_0045 is not implemented properly.
27839
FLS
Fls_Cancel cannot interrupt the FLS ISR(JOB Problem Description:
BUG
OPEN
END).(AR_PN0072_FR_0011)
As per current implementation in Fls_Cancel() API if FLS_DEV_ERROR_DETECT = STD_ON and FLS_TIMEOUT_MONITORING = STD_ON then after waiting for FLS_ISR_TIMEOUT_VALUE, It
ISSUE
starts FLS Cancel process without checking whether FLS ISR is serviced (Check whether Fls_GVar.Fls_MutexFlag == FLS_ZERO). In current implementation, It will also not report any DET if
timeout occurred after waiting for FLS ISR is serviced.

This issue exist in file Fls.c V1.3.6.

As per requirement AR_PN0072_FR_0011:- Fls_Cancel cannot interrupt the FLS ISR(JOB END). It means when FLS ISR(JOB END) has already entered critical section (protected by
semaphore/mutex) the upcoming Fls_Cancel must wait until ISR(JOB END) exits critical section.

Expected Behavior: MRS requirement AR_PN0072_FR_0011 needs to implement properly.
Actual Behavior: NA
27867
FLS
Pre compile switch required to partition
Problem description:
BUG
OPEN
FCL and FDL in source code

ISSUE
(AR_PN0072_FR_0027)
As per AR_PN0072_FR_0027, The source code of FLS module must be partitioned in FCL part and FDL part by
using pre-compile switches.
The Flash library files, in this case FCL/FDL files, shall be included in build process as per FLS module configuration for respective use-cases. Redundant library files shall be excluded from
build process

Expected behavior: The requirement AR_PN0072_FR_0027 shall be implemented

Actual Behavior: NA
27890
FLS
Flash library status mapping
Problem description:
BUG
OPEN
Internal status of underlying libraries, ie. FCL and FDL shall be mapped to FLS driver status accordingly and shall lead to proper job processing result of FLS driver.
ISSUE

In case of critical internal errors, notification must be given and user can decide to take necessary remedy.

Expected behavior:
MRS requirement AR_PN0072_FR_0042 needs to implement.

Actual behavior:
MRS requirement AR_PN0072_FR_0042 is not implemented properly.

28459
FLS
Incomplete linker directive file for FLS
Problem Description:
BUG
OPEN
sample application
The linker directive file of FLS sample application does not contain the entries for
ISSUE
copying the initial variable values from ROM to RAM during startup.
This is typically done by e.g. <pre>.romdata ROM(.data)</pre>

Expected Behaviour:
Variables are initialized by GHS startup as required by C standard.

Actual Behaviour:
Variables are uninitialized, typically at 0 after power on, at any undefined value after reset.
Application might show strange behaviour.
28514
FLS
Negative test cases required to verify the
In Fls.c,in section
BUG
OPEN
boundary check of FLS_CF_OFFSET_VALUE
ISSUE
#if (FLS_FLASH_ACCESS == FLS_CODEFLASH_ACCESS)
/* Virtual address is mapped to physical address */
TargetAddress = TargetAddress - FLS_CF_OFFSET_VALUE;

There shall be a check for TargetAddress against FLS_CF_OFFSET_VALUE before doing subtraction.

Further, it requires negative test cases to verify the boundary check.
28515
FLS
Fls_GulTimeout to be removed from
In Fls_Internal.c, Fls_GulTimeout is actually not used in functions Fls_CFProcessReadCommand and Fls_CFProcessCompareCommand.
BUG
OPEN
functions Fls_CFProcessReadCommand and
ISSUE
Fls_CFProcessCompareCommand
So it should be removed from above mentioned two subfunctions.
28516
FLS
Setting of variable job notification to True In Fls_Internal.c, in API Fls_EndJobProcess(), 'LblJobNotification' variable is set to true irrespective of the condition check "if (R_FDL_OK == Fls_GstVar.GucDFStatus)".
BUG
OPEN
is actually not depending on data flash

ISSUE
status or code flash status
Similar is the case with the check "if (R_FCL_OK == Fls_GstVar.GucCFStatus)".

So the redundant code can be merged in these cases.
28517
FLS
DEM error report should be added
In Fls_Irq.c, Dem_ReportErrorStatus(FLS_E_ERASE_FAILED, DEM_EVENT_STATUS_FAILED) and Dem_ReportErrorStatus(FLS_E_WRITE_FAILED, DEM_EVENT_STATUS_FAILED) should be
BUG
OPEN
depending on the Erase/Write operations. added depending on the Erase/Write operations.
ISSUE
28518
FLS
Tool shall throw error message when
If interrupt is supported (FlsUseInterrupt = ON) and the call back functions are not mapped (NULL), the program will hang.
BUG
OPEN
'FlsUseInterrupt = ON' and the call back

ISSUE
functions are not mapped
The tool code shall be updated to throw error message for above mentioned user configuration.
28520
FLS
Default value of LenReturnValue shall be
In Fls.c,
BUG
OPEN
E_NOT_OK

ISSUE
Default value of LenReturnValue shall be E_NOT_OK. In this way, FLS job request will be rejected in the first place when driver state is busy. This logic is not dependent on DET settings.
28521
FLS
The logic for updating
In Fls_Irq.c, at end of job processing, the logic for updating Fls_GVar.Fls_GenState, Fls_GVar.Fls_GenJobResult and triggering JobEnd or JobError notifications shall be in line with the logic BUG
OPEN
Fls_GVar.Fls_GenState and
in Fls_EndJobProcess function in Fls_Internal.c.
ISSUE
Fls_GVar.Fls_GenJobResult shall be in line
with the logic in Fls_EndJobProcess
In the current implementation, Fls_Erase and Fls_Write support interrupt based job processing. And Fls_EndJobProcess is not required at end of interrupt based job processing.

28522
FLS
JobEnd and JobErrorNotification should
In Fls_Irq.c, Fls_GpConfigPtr->pJobEndNotificationPointer() and Fls_GpConfigPtr->pJobErrorNotificationPointer() should be depending on both (FLS_JOB_NOTIF_CONFIG == STD_ON) &&  BUG
OPEN
depend on both (FLS_JOB_NOTIF_CONFIG  (FLS_INTERRUPT_MODE == STD_ON).
ISSUE
== STD_ON) && (FLS_INTERRUPT_MODE ==
STD_ON)
Actual Behaviour :

if (R_FDL_OK == Fls_GstVar.GucDFStatus)
{
/* Set the job Result to OK */
Fls_GVar.Fls_GenJobResult = MEMIF_JOB_OK;
/* If job ended with success and call the job end call back
* function.
*/
Fls_GpConfigPtr->pJobEndNotificationPointer();
}
else
{
/* Set the job Result to Failed */
Fls_GVar.Fls_GenJobResult = MEMIF_JOB_FAILED;
/* If job ended with error and call the job error call back
* function.
*/
Fls_GpConfigPtr->pJobErrorNotificationPointer();
}

Expected Behaviour :

if (R_FDL_OK == Fls_GstVar.GucDFStatus)
{
28523
FLS
Improvement in PDF of P1x
The following points should be taken care in the Parameter Definition File of P1x.
BUG
OPEN

ISSUE
a. The upper bound/maximum value of FlsFclRamAddress shall be 4276092927 (0xFEDF_FFFF) for P1x.

b. The parameters used in each of the following containers should be re-ordered to give a better overview of parameters.
1. FlsDataFlash
2. FlsCodeFlash
3. FlsPublishedInformation

c. Parameter "FlsDFTotalSize" in 'FlsDataFlash' container should be renamed as "FlsDataFlashSize".

d. The statement in the description of following parameters shall be updated as mentioned.
1. FlsMaxWriteNormalMode : add into description - This parameter is not used for implementation.
2. FlsMaxEraseNormalMode : add into description - This parameter is not used for implementation.
3. FlsTotalSize : improve description - This parameter specifies the total amount of flash memory in bytes that is accessible by FLS driver.
4. FlsNumberOfSectors : add into description - This parameter setting shall be in line with FlsSectorStartaddress.
5. FlsFclRamAddress : add into description - This parameter is not used for implementation.
6. FlsDFTotalSize : improve description - This parameter indicates the physical total size of Data Flash memory.
28545
FLS
Safe exit from while-loop for
In Fls.c,
BUG
OPEN
R_FDL_Handler in Fls_Init shall be realized
ISSUE
as per general requirement
Safe exit from while-loop for R_FDL_Handler in Fls_Init shall be realized as per general requirement.

Timeout monitoring can be considered here.
28546
FLS
DEM error should be reported for transient  FLS Initialization (Fls_Init) can fail during driving cycle of ECU, due to eg. operation voltage change, clock frequency change, etc. (transient failures).
BUG
OPEN
failures
Such kind of fault must be notified and afterwards the upper layer can, for example, retry with init procedure until succeeds, or the system can be switched to a safety state if required.
ISSUE
DEM error should be reported here.
28547
FLS
R_FDL_Handler() call in Fls_MainFunction
In Fls.c, R_FDL_Handler() call in Fls_MainFunction and Fls_Init should be protected with critical section.
BUG
OPEN
and Fls_Init should be protected with
ISSUE
critical section

28587
FLS
Unexpected Interrupt pending bit is set in Problem description:
FEATURE
OPEN
Fls_Write and Fls_Erase APIs
In Fls_Write and Fls_Erase APIs, interrupt processing is enabled as follows:
ISSUE
#if (FLS_INTERRUPT_MODE == STD_ON)
/* Enable interrupt processing */
RH850_SV_MODE_IMR_AND(16, (Fls_GpConfigPtr->pFlEndImrAddress),
(Fls_GpConfigPtr->usFlEndImrMask));
#endif

At that point SW nearly always had the interrupt pending bit set, so a first unwanted interrupt occurs quite fast there.

Pending interrupts are not properly handled in the code so that this will cause some confusion because of a pending interrupt from the previous operation.

There is a chance of setting interrupt pending bit from the previous Read operation, which have inbuilt blank check.

Expected behaviour:
Before enabling interrupts, interrupt pending bit shall be cleared.

Actual behaviour:
Interrupt pending bit is set when interrupt processing is enabled in Fls_Write and Fls_Erase APIs
28507
FlsTst
As per Autosar requirement, FlsTst.h
According to Autosar requirement specification, the include of Std_Types.h should be done in FlsTst.h
BUG
OPEN
should include Std_Types.h directly.

ISSUE
But in FlsTst, Std_Types.h is included through FlsTst_PBTypes.h and FlsTst_Types.h in the current implementation. The files can be found in the following svn path -

/trunk/external/X1X/common_platform/modules/flstst/include

Expected behaviour :
FlsTst.h should include Std_Types.h directly.

Actual behaviour :
Std_Types.h is included through FlsTst_PBTypes.h and FlsTst_Types.h
28511
FlsTst
FlsTst_GenLastFgndResult and
FlsTst_GenLastFgndResult and FlsTst_GenOverallBgndResult shall be declared as FLSTST_INIT_DATA, so as to match with memory section FLSTST_START_SEC_VAR_UNSPECIFIED.
BUG
OPEN
FlsTst_GenOverallBgndResult shall be
But in the current implementation FlsTst_GenLastFgndResult and FlsTst_GenOverallBgndResult are declared as FLSTST_NOINIT_DATA. This can be found in the path -
ISSUE
declared as FLSTST_INIT_DATA
\trunk\external\X1X\common_platform\modules\flstst\src\FlsTst_Ram.c

Expected Behaviour :
/* Variable to store the fgnd test result */
VAR(FlsTst_TestResultFgndType, FLSTST_INIT_DATA)FlsTst_GenLastFgndResult
= FLSTST_NOT_TESTED;
/* TRACE [R4, FlsTst154] */
/* Variable to store the overall Bgnd test result */
VAR(FlsTst_TestResultType, FLSTST_INIT_DATA)FlsTst_GenOverallBgndResult
= FLSTST_RESULT_NOT_TESTED;

Actual Behaviour :
/* Variable to store the fgnd test result */
VAR(FlsTst_TestResultFgndType, FLSTST_NOINIT_DATA)FlsTst_GenLastFgndResult
= FLSTST_NOT_TESTED;
/* TRACE [R4, FlsTst154] */
/* Variable to store the overall Bgnd test result */
VAR(FlsTst_TestResultType, FLSTST_NOINIT_DATA)FlsTst_GenOverallBgndResult
= FLSTST_RESULT_NOT_TESTED;

27528
Fr
[P1x][Fr] While doing QAC Static Analysis,
Problem Description:
BUG
OPEN
Some of the Misra violations are not
While running QAC Static Analysis for the Fr_59.c file and Fr_59_Internal.c, QAC Misra rules violations are occuring.Some of the violations are justified and some violations are not
ISSUE
justified.
justified.(For example: The messages such as 4:1843, 4:1863, 4:2985 etc. are not justified.).
Common code change is not in the scope of V4.00.04 P1x release.

Expected Behaviour:
NA

Actual Behaviour:
NA
27727
Fr
[P1x][V4.00.04][FR] The test cases related Problem Description:
BUG
OPEN
to
The test cases related to Dem_ReportErrorStatus(FrDemCtrlTestResultRef, DEM_EVENT_STATUS_FAILED) - FR_ETC_065, Dem_ReportErrorStatus (FrIfDemFTSlotStatusRef,
ISSUE
Dem_ReportErrorStatus(FrDemCtrlTestRes DEM_EVENT_STATUS_FAILED) - FR_ETC_066 and FR_ETC_067 are failing.
ultRef, DEM_EVENT_STATUS_FAILED) -

FR_ETC_06
FR_ETC_065:
In the ESTS, in the Tested functionality, Dem_ReportErrorStatus(FR_E_ACCESS, DEM_EVENT_STATUS_FAILED) is tested.But in the expected test result,
Dem_ReportErrorStatus(FrDemCtrlTestResultRef, DEM_EVENT_STATUS_FAILED) is checked for the APIs Fr_ReceiveRxLPdu, Fr_CheckTxLPduStatus, Fr_TransmitTxLPdu, Fr_CancelTxLPdu.
The test cases FR_ETC_065 is not tested because the Dem_ReportErrorStatus (FrDemCtrlTestResultRef, DEM_EVENT_STATUS_FAILED) is not implemented in the following APIs
Fr_ReceiveRxLPdu, Fr_CheckTxLPduStatus, Fr_TransmitTxLPdu, Fr_CancelTxLPdu.

FR_ETC_066 and FR_ETC_067:
In the ESTS, in the Tested functionality, Dem_ReportErrorStatus(FR_E_ACCESS, DEM_EVENT_STATUS_FAILED) is tested.But in the expected test result,Dem_ReportErrorStatus
(FrIfDemFTSlotStatusRef, DEM_EVENT_STATUS_FAILED) is checked for the APIs Fr_TransmitTxLPdu, Fr_ReceiveRxLPdu.
The test cases FR_ETC_066 and FR_ETC_067 are not tested because the Dem_ReportErrorStatus (FrIfDemFTSlotStatusRef, DEM_EVENT_STATUS_FAILED) is not implemented in the
following APIs Fr_TransmitTxLPdu, Fr_ReceiveRxLPdu.

Expected Behaviour:
FR_ETC_065:
As per the Autosar R4.03 FlexRay SWS requirement,
if any hardware error occurs while running the APIs Fr_ReceiveRxLPdu[FR232], Fr_CheckTxLPduStatus[FR243] , Fr_TransmitTxLPdu[FR223], Fr_CancelTxLPdu[FR613], then it should call
Dem_ReportErrorStatus (FrDemCtrlTestResultRef, DEM_EVENT_STATUS_FAILED) and return E_NOT_OK.

FR_ETC_066 and FR_ETC_067:
As per the Autosar R4.03 FlexRay SWS requirement,
In the API Fr_ReceiveRxLPdu, [FR605]If the optional configuration parameter FrIfDemFTSlotStatusRef exists and a single slot status error bit (vSS!SyntaxError, vSS!ContentError,
vSS!Bviolation) is set, then the slot status information shall be reported to DEM as Dem_ReportErrorStatus (FrIfDemFTSlotStatusRef, DEM_EVENT_STATUS_FAILED).

Actual Behaviour:
27728
[P1x][V4.00.04][FR] the functional
Problem Description:
OPEN
testcases related to Transmit Queue and
In ESTS the functional testcases related to Transmit Queue and Receive Queue functionality (FR_ETC_098, FR_ETC_099, FR_ETC_100, FR_ETC_101, FR_ETC_102, FR_ETC_103) are failing.
ISSUE
Receive Queue functionality are failing.

Expected Behaviour:
After transmitting the Data by invoking Fr_TransmitQueue_Table() it is returning E_OK as per the Expected Test result and when Fr_ReceiveQueue_Table() is invoked, it should E_OK and
also the transmitted data should be received by the controller.

Actual Behaviour:
After transmitting the Data by invoking Fr_TransmitQueue_Table() it is returning E_OK as per the Expected Test result and when Fr_ReceiveQueue_Table() is invoked, it is returning E_OK
as per the expected Test Result but the data is not received.
Fr
BUG
28147
Fr
[P1x][Fr][R4.0]
Problem Description:
BUG
OPEN
Fr_User_Request_Output_Transfer and
Fr_User_Request_Output_Transfer and Fr_User_Request_Input_Transfer API's are returning E_OK but no transmit/receive functionality is happening.
ISSUE
Fr_User_Request_Input_Transfer API's are
not working.
Expected Behaviour:
Transmit/receive functionality should happen in this Fr_User_Request_Output_Transfer and Fr_User_Request_Input_Transfer API's .

Actual Behaviour:
Transmit/receive functionality is not happen in this Fr_User_Request_Output_Transfer and Fr_User_Request_Input_Transfer API's .

28326
[P1x][FR]Some Ecode lines are more than Problem Description:
OPEN
80 characters and trailing spaces are
1.More than 80 characters in following lines :
ISSUE
present.
Fr_59_Internal.c : @L1332 , L1352, 1405,1424,1519,1591,1620,1632,1774,1905,2101
Fr_59.c : @L1909,2561
Fr_59_Debug.h : @L83
Fr_59_GeneralTypes.h:@L277,286
Fr_59_Internal.h : @L71, @L97
Fr_59_Version.h: @L86
Fr_59.h : @L436, L70

2. Trim trailing space not done in following files:
Fr_59.h, Fr_59_Ram.h, Fr_59_PBTypes.h, Fr_59_Internal.h, Fr_59.c, Fr_59_Ram.c, Fr_59_Internal.c

Actual Behavior:
NA

Expected Behavior:
NA
Fr
BUG
28474
Fr
[P1x][Fr][R4.0] Null pointer checking is not Problem Description:
BUG
OPEN
performing.
Null pointer checking is not performing in the following API's
ISSUE

1.Fr_59_ReceiveRxLPdu
line: 3053 (*Fr_LPduStatusPtr = FR_59_NOT_RECEIVED;)
line: 3058 (*Fr_LSduLengthPtr = FR_59_ZERO;)
2.Fr_59_CheckTxLPduStatus
line: 8485 (*Fr_TxLPduStatusPtr = FR_59_NOT_TRANSMITTED;)

Actual behaviour:
When dereference a NULL pointer thereby raising a NullPointerException. It will cause the controller to reset.

Expected behaviour:
Null pointer checking should be performed in the API Fr_59_ReceiveRxLPdu, Fr_59_CheckTxLPduStatus

28397
GPT
Wake up disabled channels are giving DET Description
BUG
OPEN
after GPT_MODE_SLEEP to
-----------
ISSUE
GPT_MODE_NORMAL mode transition.
While Running ATF test case "GPT_FTC_142" its observed that unexpected DET with
ApiId = 0X2 => Service Id of Gpt_DeInit API.
ErrorId = 0XB => DET code to report Timer is already running.

is occurring when calling Gpt_DeInit(), here all channels are expected be in "stopped" state.

We tested as mentioned below, in ATF configuration "ATF_cfg01".

Test Scenario
-------------

1. Call Gpt_Init(&GPT_CONFIG_01) to initialize the driver with [GPT_CONFIG_01].

2. Call Gpt_EnableNotification() for channel 0.
3. Call Gpt_EnableNotification() for channel 1.
4. Call Gpt_EnableNotification() for channel 3.

5. Call Gpt_EnableWakeup() for channel 0.
6. Call Gpt_DisableWakeup() for channel 1.
5. Call Gpt_DisableWakeup() for channel 3.

6. Call Gpt_StartTimer() for channel 0.
7. Call Gpt_StartTimer() for channel 1.
8. Call Gpt_StartTimer() for channel 3.

9. Wait for 1 Seconds.
28405
GPT
Timer is starting automatically when call
While testing ATF test case "App_Gpt_Sample" its observed that notification is occurring when call Gpt_EnableWakeup() in GPT_MODE_SLEEP mode before starting the timer.
BUG
OPEN
Gpt_EnableWakeup() in GPT_MODE_SLEEP
ISSUE
mode.
We tested as mentioned below, in ATF configuration "ATF_cfg05".

1. Call Gpt_Init(&GPT_CONFIG_01) to initialize the driver with [GPT_CONFIG_01].
2. Call Gpt_EnableNotification() for channel 0.
3. Start timer for channel 0.
4. Wait for 200 (ms).
5. call Gpt_GetTimeElapsed() for channel 0.
6. Check whether Time Elapsed > 0 , and it's obtained as expected.
7. Wait for 10 (ms).
8. call Gpt_GetTimeRemaining() for channel 0.
9. Check whether Time Remaining > 0 , and it's obtained as expected.
10. Wait for 5 Seconds.
11. Check whether notification obtained is > 0 , and it's obtained as expected.
12. call Gpt_DisableWakeup() for channel 0.
13. Set GPT mode to 'GPT_MODE_SLEEP' by calling "Gpt_SetMode(GPT_MODE_SLEEP)".
14. Wait for 1 Seconds.
15. Clear The Notification Count.
16. Wait for 2 Seconds.
17. Check whether notification obtained is = 0 , and it's obtained as expected.
18. Set GPT mode to 'GPT_MODE_NORMAL' by calling "Gpt_SetMode(GPT_MODE_NORMAL)".
19. Wait for 2 Seconds.
20. Check whether notification obtained is = 0 , and it's obtained as expected.
21. Set GPT mode to 'GPT_MODE_SLEEP' by calling "Gpt_SetMode(GPT_MODE_SLEEP)".
22. call Gpt_EnableWakeup() for channel 0.
23. Set GPT mode to 'GPT_MODE_NORMAL' by calling "Gpt_SetMode(GPT_MODE_NORMAL)".
24. Wait for 5 Seconds.

25856
ICU
Obsolete code in Icu_HW_Init() function.
Problem description:
BUG
OPEN
At line 754 in Icu_LLDriver.c the following loop is present:
ISSUE
for (LucCnt = ICU_MAX_TIMER_CHANNELS_CONFIGURED; LucCnt < ICU_MAX_CHANNEL;
LucCnt++)
{

This "for" loop is used for external interrupts only and not for timer channels initialization.

Inside the loop you have checks for timer channels, which will always fail, since the loop is only for channels configured with external interrupts.

It seems that everything above the "switch" at line 823 in this loop is obsolete code.

Expected behavior:
N/A

Actual behavior:
N/A
Interrupts(IMR) are enabled All Channel
Problem Description:
OPEN
After calling Icu_SetMode() Api form
As per Autosar4.0.3 ICU requirement says that ICU194 ICU_MODE_NORMAL: Normal operation, all used interrupts are enabled according to the notification requests. ICU_MODE_SLEEP:
ISSUE
ICU_MODE_SLEEP to ICU_MODE_NORMAL. Reducedpower mode. In sleep mode only those notifications are available which are configured as wakeup capable.

Current implementation is
In Icu_SetMode(ICU_MODE_NORMAL) Api called after Icu_SetMode(ICU_MODE_SLEEP) Api.
All interrupts are enabled with out considering Current notification status.

Ver4.01.06 -- release Icu_LLDriver.c
1765: /* Enable Interrupt */
1766: RH850_SV_MODE_IMR_AND(16, (LpImrIntpCntrlReg),
(LpChannelConfig->usImrMaskValue));

Expected Behaviour:
All used interrupts are enabled according to the notification requests

Actual Behaviour:
27622 ICU
All interrupts are enabled with out considering notification status.
BUG
28585
ICU
Component User Manual - Unimplemented Problem Description:
BUG
OPEN
APIs and Not supported features
1. The functionalities which are not supported by the hardware are present in the component user manual.Icu_CheckWakeup, Icu_DisableWakeup and Icu_EnableWakeup should be
ISSUE
removed from user manual.

2. If a feature is not supported please mention "Not supported" in Table 5-1

Expected Behaviour:
NA

Actual Behaviour:
Wakeup functionalities(Icu_CheckWakeup, Icu_DisableWakeup and Icu_EnableWakeup) which are not implemented are mentioned in the user manual, which misleads the user.

27490
MCU
McuResetReason could not be accessed By  Problem Description:
BUG
OPEN
EcuMResetReason from
The contents of McuPublishedInformation0/McuResetReasonConf0/McuResetReason could not be accessed from EcuMResetReason since the implementation methodology in
ISSUE
McuPublishedInformation0/McuResetReas McuPublishedInformation dont seem to be according to what AUTOSAR has prescribed
onConf0 container

Note: Why is the P1x McuResetReason implementation different from F1x (The McuResetReason implemented in different way for F1x and P1x devices )

Expected Behavior:
None

Actual Behavior:
None
28160
MCU
GetVersionInfo() API of each module shall  Problem Description:
BUG
OPEN
also return “instanceID” as one of the

ISSUE
parameter in Std_VersionInfoType
This ticket is created to track the pre-release review done on P1x MCU work products as part of V4.00.04 release.

Requirement: AR_PN0034_FR_0017

Finding: As per the requirement GetVersionInfo() API of each module shall also return “instanceID” as one of the
parameter in Std_VersionInfoType pointed by the output parameter versioninfo. In the current implementation only moduleid, and vendorid are returned. Instance id is not returned

Expected Behavior:
GetVersionInfo() API of each module shall return moduleid, vendorid and instanceID

Actual Behavior:
GetVersionInfo() API of each module shall return moduleid and vendorid
28170
MCU
Dummy read to register must be
Problem Description:
BUG
OPEN
performed after writing to register.

ISSUE
This ticket is created to track the pre-release review done on P1x MCU work products as part of V4.00.04 release.

Requirement: AR_PN0034_FR_0068

Finding: Synchronizing peripherals register write operation by dummy read. As per this requirement, Dummy read to register must be performed after writing to register. The requirement
is not taken care in Mcu source code.

Expected Behavior:
NA

Actual Behavior:
NA

28202
MCU
APIs Mcu_GetResetReason() and
Problem Description:
BUG
OPEN
Mcu_GetResetRawValue() shall return the
ISSUE
same result in case they are called multiple This ticket is created to track the pre-release review done on P1x MCU work products as part of V4.00.04 release.
times

Requirement: EAAR_PN0079_FR_0086

The APIs Mcu_GetResetReason() and Mcu_GetResetRawValue() shall return the
same result in case they are called multiple times after a reset or a power on
event.

Finding: Add test case to test the requirement.

Expected behaviour:
NA

Actual behaviour:
NA
28382
MCU
McuResetReason added in Mcu schema
In Mcu Schema several reset reason was added in McuPublishedInformation container.
BUG
OPEN
cannot be referenced by EcuM

ISSUE
According with ECUM128_Conf Mcu Reset Reason should be in McuResetReasonConf container so this can be referenced by EcuM module .
28421
MCU
In definition file Mandatory parameter's
Problem Description:
BUG
OPEN
Lower and Upper multiplicity values are not In definition .arxml file Mandatory parameter's Lower and Upper multiplicity value should be one.
ISSUE
taken care properly
parameters are McuLoopCount and McuPbusWaitCount.

example:
In Mcu_PBTypes.h MCU_PBUSWAITCOUNT is define with MCU_PBUSWAITCOUNT_VALUE and is used in Mcu.c file
If McuPbusWaitCount value is not set, In Mcu_Cfg.h for MCU_PBUSWAITCOUNT_VALUE will not be generated any value:
In PBcfg.h file
/* Pbus Count Value for the MCU_PBUSWAITCOUNT */
#define MCU_PBUSWAITCOUNT_VALUE

Expected Behavior:

<ECUC-INTEGER-PARAM-DEF UUID="ECUS:dbeafba1-bfaf-4ca0-8572-235f3c9b9b35">
<SHORT-NAME>McuPbusWaitCount</SHORT-NAME>
<DESC>
<L-2 L="EN">The parameter represents the PBus access wait time.The loop can be minimum 1 to maximum 65535</L-2>
</DESC>
<LOWER-MULTIPLICITY>1</LOWER-MULTIPLICITY>
<UPPER-MULTIPLICITY>1</UPPER-MULTIPLICITY>

Actual Behavior:

<ECUC-INTEGER-PARAM-DEF UUID="ECUS:dbeafba1-bfaf-4ca0-8572-235f3c9b9b35">
<SHORT-NAME>McuPbusWaitCount</SHORT-NAME>
<DESC>
<L-2 L="EN">The parameter represents the PBus access wait time.The loop can be minimum 1 to maximum 65535</L-2>
28444
MCU
Reset reson handling depending on
What is the difference between "McuResetReasonConfPowerOnReset" and "McuResetReasonConfPowerOnFlagReset" ?
BUG
OPEN
POF.POF bit

ISSUE
The implementation seems to be wrong as POF.POF bit seems to be set in both cases mentioned, which means only McuResetReasonConfPowerOnFlagReset is reported and
McuResetReasonConfPowerOnFlagReset is never reported.

28473
MCU
App_MCU_Device_Sample.h Which is not
Problem Description:
BUG
OPEN
as per AR_PN0034_FR_0039.

ISSUE
App_MCU_Device_Sample.h Which is not as per AR_PN0034_FR_0039.

Expected Behavior:
NA

Actual Behavior:
NA
25132
Port
When changing port pin to a DIO mode,
Problem Description:
BUG
OPEN
handling of PSRn(Pn) is different by API.
The port pin can be changed to a DIO mode at API Port_SetPinMode, Port_SetToDioMode and Port_SetPinDefaultMode.Among these the Port_SetToDioMode doesn't set to PSR
ISSUE
register.Is this what Development Team intended?

DIO output level change should be performed in DIO Driver and the user can also decide at the timing of change in the DIO output level.I'm thinking this specification is simplest and is
without mistakes.

Could you tell me why it's such specification?

Expected Behavior :
It is necessary to unify these specifications

Actual Behavior :
the Port_SetToDioMode doesn't set to PSR register.
26487
Port
When Port_SetPinDirection() change
PortPinDirectionChangeable = True
BUG
OPEN
direction from o/p to o/p (refeshing) for
PortPinModeChangeable = True
ISSUE
JTAG pins, the o/p level will set to default
PortPinLevelValue = PORT_PIN_LEVEL_LOW
state.
PortPinInitialMode = DIO_SUPP_PFC_PMCSR
PortPinDirection = PORT_PIN_OUT

Test case:
Port_Init(PortConfigSet0);
while(1)
{
/* This API will initilize all the registers to the initial values */
Port_Init(PortConfigSet0);
/* Set Port Pin level of for JP0_6 to High. */
JPSR0 = 0xFFFF0040;
/* Refresh the pin. */
Port_SetPinDirection (Port_PortGroupJtag00_PortPin60, PORT_PIN_OUT);
}

Expected result:
JP0_6 remains High.

Actual result:
JP0_6 sets to Low.

26852
Port
Local variables may remain not initialized in Problem description:
BUG
OPEN
Port_SetToDioOrAltMode API.
If we have a configuration with the following generated code
ISSUE

/* Availability of numeric port groups */
#define PORT_NUM_PORT_GROUPS_AVAILABLE STD_OFF

/* Availability of alphabetic port groups */
#define PORT_ALPHA_PORT_GROUPS_AVAILABLE STD_OFF

/* Availability of jtag port groups */
#define PORT_JTAG_PORT_GROUPS_AVAILABLE STD_OFF

then in Port_SetToDioOrAltMode() API the local variables LpFuncCtrlReg and LulBaseAddress will be used without being initialized.

Expected result:
N/A

Actual result:
N/A
27039
Port
Port Group 4 Pin 6 MUX appears to be mis- Problem description:
BUG
OPEN
labeled in the Parameter defitnition file.
Port Group 4 Pin 6 MUX appears to be mis-labeled in the Parameter definition file. It is labeled as TAUD202_ALT6_OUT, while according to the HW user manual "2.4.1.7 Port 4 (P4)" it is
ISSUE
related to TAUD2O3.

Expected behavior:
Port Group 4 Pin 6 MUX must be labeled as TAUD2O3_ALT6_OUT.

Actual behavior:
Port Group 4 Pin 6 MUX is labeled as TAUD2O2_ALT6_OUT.
27079
Port
Port Generator throwing unwanted error
Problem description:
BUG
OPEN
If PortIpControl is enabled for e.g. CSI pins as recommended in description of PortIpControl, then error 124018 is raised.
ISSUE
Pin names in description of PortIpControl do not match to available options in PortPinInitialMode.
This issue is valid for 701011 device, but not for 701035.

Expected behaviour:
No error should occur.

Actual behaviour:
ERR124018 Error occurs that is in contradiction to description.
27676
Port
Fail to initialize the PFCAE registers
Problem Description:
BUG
OPEN
correctly
The register initialization sequence in Port_InitConfig() api is not as mentioned in r01uh0436ej0070_rh850p1x.pdf(v0.70) at page 122 Section 2.3.4.6.
ISSUE

Expected Behavior :

PFCAE register along with PFC and PFCE should be initialized after initializing
PINV register.

Actual Behavior :

The function control registers(PFC,PFCE,PFCAE) are initialized before PINV register initialization

28391
Port
PINVn register is not setting properly in API  Problem description:
BUG
OPEN
Port_SetPinDirection()
Value updating to PINVn — Port Output Level Inversion Register write protection is not implemented as in device User Manual.
ISSUE

Expected behavior:
Needs to follow the write protection sequence mentioned in device User Manual.

Actual behavior:
Register write protection is not implemented properly.
28447
Port
PMSR register access is not correct
Problem description:
BUG
OPEN
PMSR register is accessing without checking whether PMSR register is present for that particular Port group.
ISSUE

Expected behavior: Before accessing PMSR register check whether PMSR register is exist is required.
/*Check for PMSR register availability */
if (PORT_REG_NOTAVAILABLE != LpSetPinModeGroupStruct->ucPMSRRegIndex)
{
...
}

Actual behavior:
This check is not present result in illegal memory access.
28539
Port
Pre compiler Macro is surrounded code at  Problem description:
BUG
OPEN
wrong place in Port_FilterConfig()

ISSUE
Pre compiler Macro "PORT_DNFA_REG_CONFIG" is surrounded code at wrong place in Port_FilterConfig().

#if ((PORT_DNFA_REG_CONFIG == STD_ON) || (PORT_FCLA_REG_CONFIG == STD_ON))
#define PORT_START_SEC_PRIVATE_CODE
#include "MemMap.h"
STATIC FUNC(void, PORT_PRIVATE_CODE) Port_FilterConfig(void)
{
/* Pointer to digital filter DNFA register data structure */
#if (PORT_DNFA_REG_CONFIG == STD_ON)
P2CONST(volatile Port_DNFARegs, AUTOMATIC, PORT_CONFIG_DATA) LpDNFAReg;

/* Pointer to Edge control EDC register data structure */
#if (PORT_EDGE_DETECT_CONTROL == STD_ON)
P2CONST(volatile Port_EDCRegs, AUTOMATIC, PORT_CONFIG_DATA) LpEDCReg;
#endif /* End of PORT_EDGE_DETECT_CONTROL == STD_ON */

-----code-----
#endif /* End of PORT_DNFA_REG_CONFIG == STD_ON */

-----code----

Port_FilterConfig() API is enabled by PORT_DNFA_REG_CONFIG is STD_ON or PORT_FCLA_REG_CONFIG is STD_ON,
In side variable declaration is done for PORT_DNFA_REG_CONFIG is STD_ON, When PORT_DNFA_REG_CONFIG is STD_OFF and PORT_FCLA_REG_CONFIG is STD_ON it will corrupted.

Expected behavior:
Pre compiler Macro should be surrounded the E-code at appropriate places.

25724
PWM
Det PWM_E_PARAM_CHANNEL is not
Problem description:
BUG
OPEN
reporting for Pwm_SetTriggerDelay().
For the current PWM driver implementation we face the problem that it is not reporting Det PWM_E_PARAM_CHANNEL for Pwm_SetTriggerDelay() when configured for PWM TAU
ISSUE
channel.

Expected behavior:
Det PWM_E_PARAM_CHANNEL should report for Pwm_SetTriggerDelay() when configured for PWM TAU channel.

Actual behavior:
DET is not occuring.
26874
PWM
Pwm_SelectChannelClk is starting the PWM Problem Description:
BUG
OPEN
diag channels configured for sync start
If you configure 2 channels 1 on TAU and one PWM diag in sync start mode. If after Pwm_SynchronousInit() API, Pwm_SelectChannelClk() is called, the pwm diag channel will start even
ISSUE
before calling Pwm_SynchronousStart().

Expected behavior:
Channels marked as synchronous shall start only after Pwm_SynchronousStart() API is called.

Current behavior:
Check the problem description
28292
PWM
[P1x][PWM] PWM notification is not
Problem Description:
BUG
OPEN
handled properly
1. PWM notification null pointer checking is not performing on Pwm_HW_Callback ISR
ISSUE
2. Notification will send for wrong PWM channels/channels which are not configured.

Actual behaviour:
With in Pwm_HW_Callback ISR, channel id is incrementing with in a for loop. Notification checking and sending is doing outside this for loop. After the execution of that for loop channel id
will be, exact channel id + 1 + number of slave channels. So the notification will send for wrong channels or try to send notification for the channels which are not configured.

Example: we have configured 7 channels out of which 3 are slave channels.
and the interrupt is coming for 4th master channel.
So at the end of the 'for' loop, channel id will be 8. This will cause out of array access and if the value of that memory location is one, it will try to send notification, which is not configured.
This will cause the controller to reset.

Expected behaviour:
1.PWM notification null pointer checking should be performed in Pwm_HW_Callback ISR
2.PWM notification checking should be with proper channel id.
25663
RamTst
[P1x][RAMTST][R4.0] The test result is not RamTst_GetTestResultPerBlock() does not return RAMTST_RESULT_UNDEFINED, when March test on the specific block is running.
BUG
OPEN
RAMTST_RESULT_UNDEFINED, if a March
ISSUE
Test on this block is running.
25664
RamTst
[P1x][RAMTST][R4.0] RamTst_FillPattern
When the configuration parameter RamTstTestPolicy for a block is set to RAMTEST_DESTRUCTIVE, the test algorithm does not fill the tested cells after the test with the bit pattern defined BUG
OPEN
not getting updated in the RAM location
for this block by parameter RamTst_FillPattern except for the test algorithm RAMTST_ABRAHAM_TEST_APP.
ISSUE
when RamTstTestPolicy is
RAMTEST_DESTRUCTIVE.

26482
RamTst
Dem event parameter name not generated Problem Description:
BUG
OPEN
correctly
If the short name of DemEventParameter in file Dem_RamTst.arxml is not appended with any number then the Dem event parameter name is not getting generated correctly.
ISSUE

Expected Behaviour:
DEM event parameters should generated correctly as follows

#define RAMTST_E_RAM_FAILURE \
DemConf_DemEventParameter_DemEventParameter

Actual Behaviour:
DEM event parameters are generated as follows

#define RAMTST_E_RAM_FAILURE \
DemConf_DemEventParameter_

This results in compilation issues as "the identifier "DemConf_DemEventParameter_" is undefined"
28604
RamTst
Issues in EUM.
Problem Description:
BUG
OPEN
This ticket is to report the defects found in EUM.
ISSUE

1.In Section 8 "Software Generation Tool" and "Driver Generation Tool" are used in parallel, which is misleading.
[Driver Generation Tool] should be used here.

2.In Revision History SI. No. 4 "As part of P1x V4.00.04 activity following changes are made:" should be removed.

3.In Section 4.5 'X' is not marked for user mode for RamTst APIs, even with known limitations listed in Table 4-1. This is not in line with other MCAL modules.User mode is supported by
RamTst_RunFullTest, RamTst_RunPartialTest, RamTst_MainFunction, but with precondition that the critical section should be disabled.

Expected behavior
N/A

Actual behavior
N/A
28605
RamTst
RamTst_Ram.c and RamTst_Ram.h files are Problem Description :
BUG
OPEN
missing.

ISSUE
Unlike other MCAL modules there are no dedicated files, ie. RamTst_Ram.c and RamTst_Ram.h, to address global variables.

In other MCAL modules <MSN>_Ram.c and <MSN_Ram.h> used to address global variables.

Actual Behavior :
No dedicated file is exist to address global variables.

Expected Behavior :
To maintain consistent file structures across all the MCAL modules these files should be added to address global variables.

28607
RamTst
Autosar requirement RamTst033 is not
Problem Description :
BUG
OPEN
implemented properly.

ISSUE
As per AUTOSAR requirement RamTst033 :
"If the DET is enabled and the execution status of the RAM Test is
not RAMTST_EXECUTION_RUNNING or RAMTST_EXECUTION_SUSPENDED, the
function RamTst_Stop shall report the error value RAMTST_E_STATUS_FAILURE to
the DET, and then immediately return."

Actual Behavior :
In the current implementation execution status is checked against STOPPED as below:
else if (RAMTST_EXECUTION_STOPPED == RamTst_ExecutionStatus) in RamTst_Stop API.

Expected Behavior :
N/A
28608
RamTst
Autosar requirement RamTst003 is not
Problem Description :
BUG
OPEN
implemented properly.

ISSUE
As per this requirement RamTst.h shall include Std_Types.h directly.

In current implementation Std_Types.h is included via RamTst_Types.h.

Actual Behavior :
Std_Types.h is included RamTst_Types.h and RamTst_Types.h is included RamTst.h which is not correct as per Autosar requirement RamTst003.

Expected Behavior :
RamTst.h shall include Std_Types.h directly.
25109
SPI
SpiJobEndNotification functions are not
Problem description:
BUG
OPEN
generated correctly, when two or more
SpiJobEndNotification functions are not generated correctly, when two or more Jobs have the same JobEndNotification function.
ISSUE
Jobs have the same JobEndNotification
Some JobEndNotifications functions are NULL after the generation, in spite they are not configured as NULL.
function.
There is no information or warning in the generator's manual, that this configuration would not be allowed.

Expected behavior:
If the following SpiJobEndNotifications are in one configuration:

TswSpi_AsyncJobEndNotif
TswSpi_AsyncJobEndNotif
NULL
NULL
TswSpi_PrioCheckJob1EndNotif
TswSpi_PrioCheckJob2EndNotif
TswSpi_PrioCheckJob3EndNotif
TswSpi_PrioCheckJob4EndNotif
TswSpi_PrioCheckJob5EndNotif
NULL
NULL

the same should be expected to be generated in Spi_BPcfg.c

Actual behavior:
Instead in Spi_BPcfg.c we have the following:

NULL_PTR
TswSpi_AsyncJobEndNotif
NULL_PTR

26389
SPI
Short name, File name and Path generated Problem Description:
BUG
OPEN
for error id ERR083058 is incorrect
ERR083058 message is generating as follows
ISSUE
The reference path </AUTOSAR/EcucDefs/Dem0/DemConfigSet0/DemEventParamete> provided for the parameter 'SPI_E_HARDWARE_ERROR' in the container
'SpiDemEventParameterRefs', having shortname <HASH(0x31829ac){ShortName}> is incorrect.
File Name: HASH(0x31829ac) {FileName}
Path: HASH(0x31829ac){ShortName}

Expected Behaviour:
Correct Short name, File name and Path should be generated for error id ERR083058.

Actual Behaviour:
Short name, File name and Path generated for error id ERR083058 are wrong.
26420
SPI
Execution stuck in Spi_HWTransmitSyncJob Problem Description:
BUG
OPEN
function

ISSUE
When a sequence is transmitted synchronously, the execution hangs in Spi_HWTransmitSyncJob.

Expected Behaviour:
Sequence should be transmitted without hang.

Actual Behaviour:
Calling Spi_SyncTransmit API results hanging in Spi_HWTransmitSyncJob API .
26764
SPI
The SPI driver does not change its status in Problem description:
BUG
OPEN
case of data consistency error occurs
In case of data consistency error flag (CSIHnDCE) is set during SPI sync transmission, the ongoing sequence is aborted.
ISSUE
during sync transmission.
The problem is that after the ongoing sequence was aborted, the global variable Spi_GusHwStatus is not changed by the Spi_SyncTransmit API. This blocks all the next SPI communication.

Expected result:
In case of consistency error detection during SPI Sync transmission, the ongoing sequence must be cancelled.

Actual result:
After consistency error detection during SPI Sync transmission, whole further communication is blocked.

A workaround is not to enable the CSIHnCTL1.CSIHnDCS bit, until this issue is not fixed.
27688
SPI
Illegal Memory access in Spi_Driver.c in API Problem description:
BUG
OPEN
Spi_TransmitISR()
If the if condition:
ISSUE
if (SPI_FIFO_BUFFER_FULL != Spi_GucHWFifoBufferSts[SPI_FIFO_RX_INDEX])) fails,
the pointer LpPBChannelConfig will not be initialised (since it is written in the if condition at Line 5618)
This would lead to an illegal memory access (at Line:5707) where LpPBChannelConfig is used.

Expected Behavior:
The variable LpPBChannelConfig shall be initialized before used

Actual behavior:
If the if condition ((if (SPI_FIFO_BUFFER_FULL != Spi_GucHWFifoBufferSts[SPI_FIFO_RX_INDEX]))) fails, LpPBChannelConfig is not initialized.

27707
SPI
Illegal Memory access in Spi_Driver.c
Problem Description: In Spi_Driver.c, API Spi_TransmitISR(), the local variable LpJobConfig is initialized in the part of code as below.
BUG
OPEN

ISSUE
if (SPI_FIFO_BUFFER_UNINIT == Spi_GucHWFifoBufferSts[SPI_FIFO_RX_INDEX])
{
..............;
...............;
LpJobConfig = Spi_GpFirstJob + LddJobIndex;
}

If the condition SPI_FIFO_BUFFER_UNINIT is not equal to Spi_GucHWFifoBufferSts[SPI_FIFO_RX_INDEX]), the variable LpJobConfig will not be initialized. This could lead to illegal memory
access since the variable is also used elsewhere. Eg: In the do while loop below the if loop mentioned in the description,

#if (SPI_DMA_MODE_ENABLE == STD_ON)
/* MISRA Violation: START Msg(4:2962)-18 */
if ((SPI_INTERRUPT_MODE == Spi_GddAsyncMode) &&
(SPI_INVALID_DMAUNIT == LpJobConfig->ucRxDmaDeviceIndex))
/* END Msg(4:2962)-18 */
#endif

Expected Behavior: None

Actual Behavior: Illegal Memory access could happen if the if condition mentioned in the problem description fails.
27978
SPI
Spi_SyncTransmit API is not working
Problem Description:
BUG
OPEN
properly.

ISSUE
when calling Spi_SyncTransmit() an exception is occurring from private API Spi_HWTransmitSyncJob(). On analysis we found that this is because of improper handling of a while loop exit
criteria, resulting in illegal memory access.

Expected behavior:
Spi_SyncTransmit() execute with out any exception.

Actual behavior:
An exception is occurring while execution of Spi_SyncTransmit() API.
28233
SPI
Improper pre-compiler switch for the
Problem Description:
BUG
OPEN
Spi_Mainfunction_Handling function
Spi_Mainfunction_Handling function should be invoked only when polling mechanism is selected by Spi_SetAsyncMode API. This mode can be set only when the SPI_LEVEL_DELIVERED is
ISSUE
definition
two. but the pre compiler switch for the function definition is as follows
#if (((SPI_LEVEL_DELIVERED == SPI_ONE) || (SPI_LEVEL_DELIVERED == SPI_TWO)) \
&& (SPI_HWUNIT_ASYNCHRONOUS == STD_ON))

#define SPI_START_SEC_PUBLIC_CODE
#include "MemMap.h"

FUNC(void, SPI_PUBLIC_CODE) Spi_MainFunction_Handling (void)
{
...

Expected Behaviour:
Spi_Mainfunction_Handling function shall be available in Level 2 only.

Actual Behaviour:
Spi_Mainfunction_Handling function is available in Level 1 and 2 also.
28249
SPI
SpiFifoTimeOut parameter is mandatory
Problem description:
BUG
OPEN
SpiFifoTimeOut parameter is made mandatory but it is only valid for CSIH
ISSUE

Expected behaviour:
SpiFifoTimeOut parameter should be optional (multiplicity 0..1) and additionally there should be a generator error check in case it is not configured for CSIH HW units in FIFO mode.

28251
SPI
The information provided about user mode Problem Description:
BUG
OPEN
and supervisor mode is not correct in the
In the user manual Table 4-5, it indicates that Spi_MainFunction_Handling() requires Supervisor mode access when Interrupt mode is active (SI. No. 14), though
ISSUE
user manual
Spi_MainFunction_Handling() is not necessary in interrupt mode.
Also, Spi_AsyncTransmit(), SI. No. 4 in Table 4-5, is missing any mark in the Interrupt Mode/user mode column..

Expected Behaviour:
Spi_MainFunction_Handling shall be removed in interrupt mode and Spi_AsyncTransmit() shall be corrected for applicable modes.

Actual Behaviour:
Spi_MainFunction_Handling is marked for both interrupt and Polling modes. and Spi_AsyncTransmit() is missing any mark in the Interrupt Mode/user mode column.
28364
SPI
Error ERR083120 is generated when
Problem Description:
BUG
OPEN
SpiEnableCs is configured as false
When the Parameter SpiEnableCs is configured as false SpiPortPinSelect should not be configured. But when SpiPortPinSelect is not configured tool is generating error ERR083120- the
ISSUE
parameter 'SpiPortPinSelect' value in the container 'SpiJob<x>', should be configured as CSL<n> since 'CSIH<x>' is configured.

Expected Behaviour:
Tool should not generate error.

Actual Behaviour:
ERR083120 is generated.
28456
SPI
Variables are uninitialized when the certain Problem description:
BUG
OPEN
condition does not meet.
Some of the Variables are uninitialized when the following conditions are not met.
ISSUE
when the SPI_DIRECT_ACCESS_MODE is STD_OFF

Expected behavior:
Before using the variables, Variables should be initialized.

Actual behavior:
Before using the variables, Variables are not initialized when SPI_DIRECT_ACCESS_MODE is STD_OFF
28676
SPI
Calling of Spi_MainFunction_Handling
Description:
BUG
OPEN
possible in interrupt mode
If interrupt mode is selected (Spi_SetAsyncMode(SPI_INTERRUPT_MODE))
ISSUE
a call to Spi_MainFunction_Handling() is possible. Functions Spi_TransmitISR and Spi_ReceiveISR are called there without further checks. This can cause
corrupted data transmission.

Actual Behavior:
No error but corrupted data.

Expected Behavior:
In interrupt mode a call to Spi_MainFunction_Handling shall be rejected, e.g. by DET.

28199
WDG
Wdg_SetMode function reports DEM error Problem description:
BUG
OPEN
if WDGIF_OFF_MODE is selected
As per AUTOSAR specification [WDG160], Wdg_SetMode function supports WDGIF_OFF_MODE.
ISSUE
And the user sets WdgDisableAllowed parameter 'true' in Configuration tool.
However, in code Wdg_59_DriverA_SetMode function reports a Dem Error in case WDGIF_OFF_MODE is selected.

Wdg_59_DriverA_SetMode function in Wdg_59_DriverA.c:
if (Mode == WDGIF_OFF_MODE)
{
/* Report Error to DEM */
Dem_ReportErrorStatus(WDG_59_DRIVERA_E_DISABLE_REJECTED,
DEM_EVENT_STATUS_FAILED);

WDG driver does not allow Wdg_SetMode function to translate the state into OFF by "4.4 WDG State Diagram" in WDG Driver Component Embedded User's Manual Rev.0.01 Nov 2013.

Customer need to know the background for this.

Expected behaviour:
Wdg_SetMode function shall report DEM error only if required mode is 'WDGIF_OFF_MODE' and 'WdgDisableAllowed' is false.

Actual behaviour:
Wdg_SetMode function is reporting DEM error only if required mode is 'WDGIF_OFF_MODE' and 'WdgDisableAllowed' is true.

20.7 - Releasenotes_P1x_FULL_R403_Ver4.00.04

1

20.8 - Releasenotes_P1x_FULL_R403_Ver4.00.04_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42

20.9 - Releasenotes_P1x_FULL_R403_Ver4.00.04s

Renesas Electronics

Release Date: 08/06/2015

Release Notes for RENESAS RH850/P1x:
RENESAS_SW-AUTOSAR-P1x: MCAL Ver4.00.04
QM Beta Quality
1.1  Purpose:
To deliver AUTOSAR R4.0.3 MCAL software for P1x V4.00.04 release using the following inputs.

        Device Manual:                    r01uh0436ej0070_rh850p1x.pdf

        Device File:
                DF-RH850P1M-EE_V100.zip

        Operating Precautions:    R01TU0069ED0200_RH850.pdf

        Flash Libraries:
        RENESAS_FCL_RH850_T01E_V2.00.exe
                                              RENESAS_FDL_RH850_T01E_V2.00.exe

        Modules supported:          ADC, CAN, DIO, FLS, FLSTST, FR, GPT, ICU, MCU, PORT, PWM,
                                                          RAMTST, SPI, WDG.
Page 1 of 42

Renesas Electronics

Release Date: 08/06/2015

1.2  Package information
Product
RH850/P1x
Variant
P1M
Product Release Version
Ver4.00.04
AUTOSAR Specification Version
4.0.3
Device tested on
P1M - R7F701310
Devices supported
R7F701304
R7F701305
R7F701310
R7F701311
R7F701312
R7F701313
R7F701314
R7F701315
R7F701318
R7F701319
R7F701320
R7F701321
R7F701322
R7F701323
Release Date
08-June-2015

Page 2 of 42

Renesas Electronics

Release Date: 08/06/2015

1.3  Tools
1.3.1  GHS
Tool
Version
Options
GreenHills
Green Hills Multi
-Ospace -g -cpu=rh850g3k -gsize
Multi IDE –
V6.1.4 Compiler
-prepare_dispose -sda=all -passsource
compiler
Version 2013.5.5
-Wundef -no_callt -reserve_r2
+
--short_enum -fsoft --prototype_errors
Patches :
--diag_error 193 -dual_debug -large_sda
P2, P9, P12, P13,
--no_commons -shorten_loads
P14
-shorten_moves -Wshadow -nofloatio
-ignore_callt_state_in_interrupts -delete
-inline_prologue
1.3.2  Configuration code generator
Tool
Version
Options
ECU Spectrum
4.0.14
-
1.3.3  Additional software
Tool
Version
Options
NA
-
-

Page 3 of 42

Renesas Electronics

Release Date: 08/06/2015

1.4  Generic Information
1.4.1  Release Target
Processor
P1M - R7F701310
Module
Generic
Date
08-June-2015
1.4.2  Release Items
Filename
Version
Change Description
P1x_translation.h
1.0.6
File updated for FLS and CAN macros.
ComStack_Types.h
1.0.1
No change
Std_Types.h
1.0.1
No change
rh850_Types.h
1.0.4
No change
Platform_Types.h
1.0.1
No change
Compiler.h
1.0.3
No change
Compiler_Cfg.h
1.0.5
No change
MemMap.h
1.0.6
No change
NvM_Types.h
1.0.1
No change
Os.h
1.0.1
No change
Os.c
1.0.2
No change
GettingStarted_MCAL_Drivers_X1x.
1.0.5
No change
pdf
AUTOSAR_Modules_Overview.pdf
1.0.7
No change
1.4.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 4 of 42

Renesas Electronics

Release Date: 08/06/2015

1.5 Module Index

ADC

CAN

DIO

FLS

FLSTST

FR

GPT

ICU

MCU

PORT

PWM

RAMTST

SPI

WDG

Page 5 of 42

Renesas Electronics

Release Date: 08/06/2015

2  ADC
2.1  Target Info
Processor
P1M - R7F701310
Module
ADC
Date
08-June-2015
2.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_ADC_P1M_04_05_12_13_20
1.0.5
As part of Px4 V4.00.04 Release, following changes
_21.arxml
are made
1. As per mantis #24237, Parameter
AdcUseHwContiScanMode is added in AdcGroup container.
2. As per mantis #27411, PDF name is modified.
3. Copyright information is updated.
R403_ADC_P1M_10_11_14_15_18
1.0.6
As part of Px4 V4.00.04 Release, following changes
_19_22_23.arxml
are made
1. As per mantis #24237, Parameter
AdcUseHwContiScanMode is added in AdcGroup container.
2. As per mantis #27411, PDF name is modified.
3. Copyright information is updated.
BSWMDT
R403_ADC_P1x_BSWMDT.arxml
1.0.4
As part of P1x V4.00.04 Release, following changes are made:
1. Software version is updated.
2. As per mantis #26305, critical section name
'RAMDATA_PROTECTION' is changed to
'ADC_RAMDATA_PROTECTION'.
3. Copyright information is updated.
Source Code
Adc.c
1.7.7
As part of P1x V4.00.04 Release, following changes are made:
1. NULL check is added for 'PtrToSamplePtr' in
Adc_GetStreamLastPointer() API.
2. As per mantis #26305, critical section name
'RAMDATA_PROTECTION' is changed to
'ADC_RAMDATA_PROTECTION'.
3. MISRA violation is updated.
Adc_Irq.c
1.3.4
No change
Page 6 of 42

Renesas Electronics

Release Date: 08/06/2015

Adc_Private_ADCD_ADCB.c
1.0.7
As part of P1x V4.00.04 Release, following changes are made:
1. As per mantis #24936 Redundant compilation switches are
corrected in Adc_GroupCompleteMode() API.
2. As per mantis #25801, 'Track and Hold'    implementation is
corrected to match with the flow diagram in the HW User
manual.
3. As per mantis #26305, critical section name
'RAMDATA_PROTECTION' is changed to
'ADC_RAMDATA_PROTECTION'.
4. As per mantis #25842, position of critical section exit is
corrected in Adc_GroupCompleteMode API.
5. As per mantis #24237, software re-triggering is implemented
for continuous conversion for software triggered groups.
6. As per mantis #27488, HW triggered One-shot conversion is
corrected to avoid conversion of more than one stream in one
HW trigger.
7. As per mantis #26324, volatile declaration    is added for
variables storing register values.
8. MISRA violation is updated.
9. As per mantis #27334, redundant variables and double
assignments are removed.
10. As per mantis #27186, index calculation of the array
'Adc_GpRunTimeData' is corrected to avoid out of bound
access.
Adc_Ram.c
1.5.3
No change
Adc_Version.c
1.1.3
No change
Adc.h
1.5.5
No change

Adc_Debug.h
1.0.2
No change
Adc_Irq.h
1.0.9
No change
Adc_PBTypes_ADCD_ADCB.h
1.0.5
As part of P1x V4.00.04 Release, following changes are made:
1. As per mantis #25801, 'Track and Hold' implementation is
corrected to match with the flow diagram in the HW Usermanual.
2. As per mantis #26331, element names are corrected in union
'UInt'.
3. As per mantis #26324, volatile declaration is added for
variables storing register values.
Adc_Private.h
1.4.6
As part of P1x V4.00.04 Release, following changes are made:
1. Compiler switches are corrected for the API
Adc_SearchnDelete().
Page 7 of 42

Renesas Electronics

Release Date: 08/06/2015

Adc_Ram.h
1.5.3
No change
Adc_Types.h
1.7.4
No change
Adc_Version.h
1.1.1
No change
Tool Executable
Adc_ADCD_ADCB.exe
1.3.2
Tool exe updated for tool code changes.
Adc_ADCD_ADCB.cfgxml
1.0.1
No change
X1x Common Sample Application Source file
App_ADC_Common_Sample.c
1.1.9
No change for P1x V4.00.04 release.
X1x Common Sample Application Header file
App_ADC_Common_Sample.h
1.0.4
No change for P1x V4.00.04 release.
P1x Sample Application P1M Source file
App_ADC_P1M_Sample.c
1.0.1
No change for P1x V4.00.04 release.
P1x Sample Application P1M Header file
App_ADC_Device_Sample.h
1.0.2
No change for P1x V4.00.04 release.
P1x User Manual
AUTOSAR_ADC_Component_Use
1.0.4
The following changes are done.
rManual.pdf
1. Chapter 2 is updated for reference document.
2. Section 3.1 is updated for folder section.
3. Section 4.1 is updated for usage guidelines.
4. In chapter 13, P1M supported devices are added.
5. Section 13.1 is updated for translation header file and
parameter definition files.
6. Section 13.2 is updated for sample application structure and
building sample application.
7. Section 13.3 is updated for memory and throughput details.
8. Chapter 14 is updated for version of ADC Driver component.
9. Range of ChannelId is corrected in sections 10.3.1 and 10.3.2.
10. Channel Mapping is corrected in section 10.3.3.
11. Table 13-2 is updated for CAT-2 ERROR ISR.
AUTOSAR_ADC_Tool_UserManu
1.0.4
1. Error message ERR123140 is added.
al.pdf
2. Section 2.1 Reference Documents are updated to add PDF
reference.
3. List of mandatory parameters is updated in section 8.1.
2.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 8 of 42

Renesas Electronics

Release Date: 08/06/2015

3  CAN
3.1  Target Info
Processor
P1M - R7F701310
Module
CAN
Date
08-June-2015
3.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_CAN_P1M_04_05_10_to_15.arxml
1.0.4
As part of P1x V4.00.04 release, following changes are

made.

1. As per mantis #27411, renamed file.

2. Updated File version and copyright information.
3. As per mantis #24428, added a parameter
'CanWakeupFunctionalityAPI' under CanGeneral
container.
R403_CAN_P1M_18_to_23.arxml
1.0.2
As part of P1x V4.00.04 release, following changes are

made.

1. As per mantis #27411, renamed file.

2. Updated File version and copyright information.

3. As per mantis #24428, added a parameter
'CanWakeupFunctionalityAPI' under CanGeneral
container.
BSWMDT
R403_CAN_P1x_BSWMDT.arxml
1.0.4
As part of V4.00.04 P1x release, following changes are
made
1. Device Support Added for R7F701304, R7F701305,
R7F701313, R7F701318, R7F701319, R7F701320,
R7F701321, R7F701322, and R7F701323.
2. Software version information is updated.
3. Copyright information is updated.
Source Code
Can.c
  1.2.12
As part of P1x V4.00.04 release, following changes are
made,
1. As per mantis #27644,
RH850_SV_MODE_IMR_WRITE_ONLY (16,
LpWupIntMaskReg, (LpPCController->usWupIntMask));
is changed to RH850_SV_MODE_IMR_AND (16,
Page 9 of 42

Renesas Electronics

Release Date: 08/06/2015

LpWupIntMaskReg, (LpPCController->usWupIntMask));
for the proper masking of IMR register.
Can_Int.c
  1.1.6
No change
Can_Irq.c
  1.1.8
No change
Can_MainServ.c
  1.2.8
No change
Can_ModeCntrl.c
  1.2.9
No change
Can_Ram.c
1.1.2
No change
Can_RamTest.c
1.0.4
No change
Can_Version.c
1.0.6
No change
Can_Wakeup.c
1.0.14
As part of P1x V4.00.04 release, Following change is
made
1. Access to Can_CheckWakeup() API is made under the
compiler switch condition
#if(CAN_CHECKWAKEUP_API == STD_ON).
Can_Write.c
1.0.17
No change
Can_Wakeup_Int.c
1.0.1
As part of P1x V4.00.04 release, following changes are
made,
1. As per mantis #27642, removed unused parameter
'LucController' from 'CanEnableWakeUp' function
definition.
2. As per mantis #27641, 'DNFA2EN' register handling
modified.
Can.h
1.0.11
No change
Can_Debug.h
1.0.3
No change
Can_Init.h
1.0.2
No change
Can_Int.h
1.0.2
No change
Can_Irq.h
1.0.8
No change
Can_MainServ.h
1.0.3
No change
Can_ModeCntrl.h
1.0.5
No change
Can_PBTypes.h
1.0.9
No change
Can_PCTypes.h
1.0.11
No change
Can_Ram.h
1.0.6
No change
Can_RamTest.h
1.0.3
No change
Can_RegStruct.h
1.0.3
No change
Can_Tgt.h
1.0.12
No change
Can_Types.h
1.0.9
No change
Can_Version.h
1.0.7
No change
Can_Wakeup.h
1.0.5
As part of P1x V4.00.04 release, Following change is
made
Page 10 of 42

Renesas Electronics

Release Date: 08/06/2015

1. Can_CheckWakeup() API is made under the compiler
switch condition #if(CAN_CHECKWAKEUP_API ==
STD_ON).
Can_Write.h
1.0.3
No change
Tool Executable
Can_X1x.exe
1.2.11
As per mantis #24579 and #24428 BswConfigValidate.pm,
BswIm.pm, BswHdr.pm, BswConfig.pm are updated.
Can_X1x.cfgxml
1.0.0
No Change
X1x Sample Application Source file
App_CAN_Common_Sample.c
1.0.11
As part of P1x V4.00.04 release, Following change
is made
1. Can_CheckWakeup() call is made under pre compiler
switch #if(CAN_CHECKWAKEUP_API == STD_ON).
X1x Sample Application header file
App_CAN_Common_Sample.h
1.0.2
No change
P1x Sample Application P1M Source file
App_CAN_P1M_Sample.c
1.0.1
No change
P1x Sample Application P1M header file
App_CAN_Device_Sample.h
1.0.0
No change
P1x User Manual
AUTOSAR_CAN_Component_UserMa
1.0.3
Following changes are made.
nual.pdf
1. Updated ‘Chapter 2 Reference Documents’.
2. Added a ‘Note’ in Chapter 4 , Forethoughts.
3. Chapter 13 is updated for adding new devices support.
4. Chapter 14 is updated for Release Details.
5. Section 13.3 is updated with Memory, Stack Usage and
Throughput details for 144 pin device 701310.
6. Added ISR Throughput details in section 13.3.
7. Chapter 13, section 13.2 compiler, linker, and assembler
options removed.
AUTOSAR_CAN_Tool_UserManual.pdf
1.0.2
Following change is made

1. Updated ‘Section 2.1 Reference documents’.
2. In Section 8.1, ERR080075 to ERR080080 are added.
3. In Section 8.3, INF080007 to INF080010 are added.
3.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 11 of 42

Renesas Electronics

Release Date: 08/06/2015

4  DIO
4.1  Target Info
Processor
P1M - R7F701310
Module
DIO
Date
08-June-2015
4.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_DIO_P1M_04_05_12_13_20_
1.0.3
Following changes are made :
21.arxml
1. File renamed from R403_DIO_P1M_701304_701305_
701312_701313_701320_701321.arxml to
R403_DIO_P1M_04_05_12_13_20_21.arxml    as    per mantis
#27411.
2. Parameter DioPortName is updated with portgroups
pin information
R403_DIO_P1M_10_11_14_15_18_
1.0.4
Following changes are made:
19_22_23.arxml
1. File is renamed from R403_DIO_P1M_701310_701311_
701314_701315_701318_701319_701322_701323.arxml to
R403_DIO_P1M_10_11_14_15_18_19_22_23.arxml as per
mantis #27411.
BSWMDT
R403_DIO_P1x_BSWMDT.arxml
1.0.4
Following changes are made:
1. Environment section is updated for new devices.
2. Copyright information is updated.
Source Code
Dio.c
1.0.21
No change
Dio_Ram.c
1.0.7
No change
Dio_Version.c
1.0.6
No change
Dio.h
1.0.11
No change
Dio_Debug.h
1.0.3
No change
Dio_LTTypes.h
1.0.14
No change
Dio_PBTypes.h
1.0.12
No change
Dio_Ram.h
1.0.10
No change
Dio_Version.h
1.0.8
No change
Tool Executable
Dio_X1x.exe
1.0.16
No change
Dio_X1x.cfgxml
1.0.1
No change
Page 12 of 42

Renesas Electronics

Release Date: 08/06/2015

P1x Sample Application P1M Source file
App_DIO_P1M_Sample.c
1.0.4
No change
P1x Sample Application P1M header file
App_DIO_Device_Sample.h
1.0.4
Following changes are made:
1. Updated to support new devices 701318, 701319, 701320,
701321, 701322, 701323
2. Copyright information is updated.
P1x User Manual
AUTOSAR_DIO_Component_User
1.0.6
Following changes are made:
Manual.pdf
1. Chapter 2 reference documents section is updated.
2. Chapter 3 section 3.1.1 is updated for new devices.
3. Chapter 4 section 4.1 General is updated and a note is added
regarding interrupt vector (.c) file
4. Chapter 13
13.1.1 Translation header files section is updated as per new
devices.
13.1.2 PDF section is updated as per new devices.
13.3.1 Sample application structure is updated for new devices
13.3.2 Building sample application section is updated
13.4 Memory and throughput details are updated for 144 pin
devices.
AUTOSAR_DIO_Tool_UserManual
1.0.2
Section 2.1 Reference documents section is updated with the
.pdf
parameter definition file names.
4.3 Known Issues

ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 13 of 42

Renesas Electronics

Release Date: 08/06/2015

5  FLS
5.1  Target Info
Processor
P1M - R7F701310
Module
FLS
Date
08-June-2015
5.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_FLS_P1M_04_05.arxml
1.1.1
As part of P1x V4.00.04 Release,
1. As per mantis #24538, parameter 'FlsCancelTime'
is added in FlsPublishedInformation container.
2. As per mantis #24538, parameter 'FlsCFCancelTime' is added
in FlsCodeFlash container.
3. As per mantis #23970, description of parameters
'FlsEraseTime', 'FlsWriteTime', 'FlsBlankCheckTime' and
'FlsReadTime' are updated.
4. As per mantis #27411, filename is updated.
5. Updated file version and copyright information.
R403_FLS_P1M_10_to_15.arxml
1.1.1
As part of P1x V4.00.04 Release,
1. As per mantis #24538, parameter 'FlsCancelTime' is added in
FlsPublishedInformation container.
2. As per mantis #24538, parameter 'FlsCFCancelTime'
is added in FlsCodeFlash container.
3. As per mantis #23970, description of parameters
'FlsEraseTime', 'FlsWriteTime', 'FlsBlankCheckTime' and
'FlsReadTime' are updated.
4. As per mantis #27411, filename is updated.
5. Updated file version and copyright information.
R403_FLS_P1M_18_to_23.arxml
1.0.1
As part of P1x V4.00.04 Release,
1. As per mantis #24538, parameter 'FlsCancelTime' is added in
FlsPublishedInformation container.
2. As per mantis #24538, parameter 'FlsCFCancelTime'
is added in FlsCodeFlash container.
3. As per mantis #23970, description of parameters
'FlsEraseTime', 'FlsWriteTime', 'FlsBlankCheckTime' and
'FlsReadTime' are updated.
Page 14 of 42

Renesas Electronics

Release Date: 08/06/2015

4. As per mantis #27411, filename is updated.
5. Updated file version and copyright information.
BSWMDT
R403_FLS_P1x_BSWMDT.arxml
1.0.4
As part of P1x V4.00.04 release, following changes are made:
1. Updated software version.
2. Updated file version and copyright information.
Source Code
Fls.c
1.3.9
As part of P1x V4.00.04 release, following changes are made:
1. As per mantis #28186, section
DRIVERSTATE_DATA_PROTECTION is renamed to
FLS_DRIVERSTATE_DATA_PROTECTION.
2. Updated file version.
Fls_Irq.c
1.0.2
No change
Fls_Internal.c
1.3.6
No change
Fls_Ram.c
1.2.5
No change
Fls_Version.c
1.1.0
No change
Fls.h
1.3.5
No change
Fls_Debug.h
1.0.1
No change
Fls_Internal.h
1.3.2
No change
Fls_Irq.h
1.0.1
No change
Fls_PBTypes.h
1.5.3
No change
Fls_Ram.h
1.2.5
No change
Fls_Types.h
1.3.5
No change
Fls_Version.h
1.1.1
No change
Tool Executable
Fls_X1x.exe
1.3.6
No change
Fls_X1x.cfgxml
1.0.0
No change
X1x Sample Application source file
App_FLS_Common_Sample.c
1.1.9
No change
X1x Sample Application header file
App_FLS_Common_Sample.h
1.0.2
No change
P1x Sample Application P1M Source file
App_FLS_P1M_Sample.c
1.0.0
No change
P1x Sample Application P1M header file
App_FLS_Device_Sample.h
1.0.1
No change
P1x User Manual
AUTOSAR_FLS_Component_User
1.0.5
The following changes are made:
Manual.pdf
1. Chapter 2: Reference document is updated
Page 15 of 42

Renesas Electronics

Release Date: 08/06/2015

2. As part of device support activity for R7F701304,
R7F701305, R7F701313, R7F701315, R7F701318 to
R7F701323 updated sections 3.1.1, 13.1.1, 13.1.2, 13.3.1.
3. Updated version number and copyright year.
4. Updated section 13.4 for memory and throughput.
5. Removed section Compiler, Linker and Assembler in
Chapter13.
6. Removed Test_Application_P1x.trxml path from Section
3.1.1.
7. Section 4.1 is updated for adding note in Forethoughts.
8. Chapter 12 is updated.
9. Section 4.2. Preconditions is updated.
10. Updated Tables 4-2 and 4-3 in Section 4.5.
11. Chapter 14: Release Detail is updated for FLS Driver
Version
AUTOSAR_FLS_Tool_UserManual
1.0.3
The following changes are made:
.pdf
• Pdf name and version are updated in Section 2.1
• Added parameters FlsCancelTime and FlsCFCancelTime in the
list of mandatory parameters in Section 8.1.
• The description of error ERR092029 is updated in Section 8.1.
• Updated version number and copyright year.
5.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf
Page 16 of 42

Renesas Electronics

Release Date: 08/06/2015

6  FLSTST
6.1  Target Info
Processor
P1M - R7F701310
Module
FLSTST
Date
08-June-2015
6.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_FLSTST_P1M_04_05.arxml
1.0.3
As part of P1x V4.00.04 development activity the following
changes are made:
1. As per mantis #27411, file name changed to
R403_FLSTST_P1M_04_05.arxml
2. Copyright information updated.
3. ADMIN-DATA updated.
R403_FLSTST_P1M_10_to_15.arx
1.0.3
As part of P1x V4.00.04 development activity the following
ml
changes are made:
1. As per mantis #27411, file name changed to
R403_FLSTST_P1M_10_to_15.arxml
2. Copyright information updated.
3. ADMIN-DATA updated.
R403_FLSTST_P1M_18_to_23.arx
1.0.1
As part of P1x V4.00.04 development activity the
ml
following changes are made:
1. As per mantis #27411, file name changed to
R403_FLSTST_P1M_18_to_23.arxml
2. Copyright information updated.
3. ADMIN-DATA updated.
BSWMDT
R403_FLSTST_P1x_BSWMDT.arx
1.0.3
As part of P1x V4.00.04 development activity the
ml
following changes are made:
1. Environment section updated to add device
support
2. Copyright information updated.
Source Code
FlsTst.c
1.0.6
No change
FlsTst_Ram.c
1.0.3
No change
FlsTst_Version.c
1.0.1
No change
Page 17 of 42

Renesas Electronics

Release Date: 08/06/2015

FlsTst.h
1.0.4
No change
FlsTst_Debug.h
1.0.0
No change
FlsTst_PBTypes.h
1.0.3
No change
FlsTst_Ram.h
1.0.4
No change
FlsTst_Types.h
1.0.2
No change
FlsTst_Version.h
1.0.0
No change
Tool Executable
FlsTst_X1x.exe
1.0.4
No change
FlsTst_X1x.cfgxml
1.0.0
No change
X1x Sample Application source file
App_FLSTST_Common_Sample.c
1.0.1
No change
X1x Common Sample Application header file
App_FLSTST_Common_Sample.h
1.0.0
No change
P1x Sample Application P1M Source file
App_FLSTST_P1M_Sample.c
1.0.0
No change
P1x Sample Application P1M header file
App_FLSTST_Device_Sample.h
1.0.1
No change
P1x User Manual
AUTOSAR_FLSTST_Component_
1.0.5
As part of P1x V4.00.04 following changes are
UserManual.pdf
made:
1. Section 4.1 is updated by adding forethought
2. Section 13.2 for compiler, linker and assembler
options is removed
3. Sections 13.3.1, Section 13.3.2, Section 13.3.3 are
updated with RAM/ROM details and throughput
details
4. Section 13 and Section 13.1.1 are updated by
adding the new devices supported by the translation
header
5. Section 13.1.2 is updated with the renamed pdf
files used
6. Section 13.2.1 is updated by adding the sample
applications added for the new devices
7. Section 13.2.2 is updated by adding the new
devices supported.
AUTOSAR_FLSTST_SA_Test_Pro
1.0.1
No change.
cedure.pdf
AUTOSAR_FLSTST_Tool_UserMa
1.0.3
As part of P1x 4.00.04 the following changes are
nual.pdf
made:
Page 18 of 42

Renesas Electronics

Release Date: 08/06/2015

Reference documents section is updated.
6.3 Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf
Page 19 of 42

Renesas Electronics

Release Date: 08/06/2015

7  FR
7.1  Target Info
Processor
P1M - R7F701310
Module
FR
Date
08-June-2015
7.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_FR_P1M_04_05_10_to_15_1
1.0.4
As per the PRD,
8_to_23.arxml
1. Devices R7F701318, R7F701319, R7F701320, R7F701321,
R7F701322 and R7F701323 are added in 'FrDeviceName'
parameter and in environment section and devices which are not in
scope is removed.
2. As per Mantis #27411, The file name has been changed to
R403_FR_P1M_04_05_10_to_15_18_to_23 from
R403_FR_P1M_701300_701301_701304_701305_701308_to_7
01323
3. As per Mantis #27728, Max, Min and default value of following
parameters FrOutputPtrTableAddress, FrFifoPtrTableAddress
and FrInputPtrTableAddress are modified.
BSWMDT
R403_Fr_P1x_BSWMDT.arxml
1.0.2
As part of P1x V4.00.04 Maintenance activity,
1. Software version information is updated.
2. Module ID is Changed to 81
3. Environment Section is updated to add all
Supported devices of P1M.
Source Code
Fr_59.c
1.0.4
No change
Fr_59_Internal.c
1.0.4
No change
Fr_59_Version.c
1.0.1
No change
Fr_59_Ram.c
1.0.2
No change
Fr_59_Debug.h
1.0.1
No change
Fr_59_GeneralTypes.h
1.0.1
No change
Fr_59_Internal.h
1.0.3
As  part  of  P1x_V4.00.04  maintenance  activity,  As  per  mantis
#27460, following API's are declared as extern.
1.  Fr_Input_Queue_Halt(),  Fr_User_Request_Input_Transfer(),
Fr_User_Request_Output_Transfer.
Page 20 of 42

Renesas Electronics

Release Date: 08/06/2015

Fr_59_PBTypes.h
1.0.3
No change
Fr_59_Ram.h
1.0.2
No change
Fr_59_Types.h
1.0.1
No change
Fr_59_Version.h
1.0.1
No change
Fr_59.h
1.0.3
No change
Tool Executable
Fr_X1x.exe
1.0.4
No change
Fr_X1x.cfgxml
1.0.0
Initial Version.
X1x Common Sample Application Source file for node1
App_FR_Common_Sample.c
1.0.1
No change
X1x Common Sample Application Source file for node2
App_FR_Common_Sample.c
1.0.1
No change
X1x Common Sample Application header file for node1
App_FR_Common_Sample.h
1.0.1
No change
X1x Common Sample Application header file for node2
App_FR_Common_Sample.h
1.0.1
No change
P1x Sample Application P1M Source file for node1
App_FR_P1M_Sample.c
1.0.2
No change
P1x Sample Application P1M Source file for node2
App_FR_P1M_Sample.c
1.0.2
No change
P1x Sample Application P1M header file for node1
App_FR_Device_Sample.h
1.0.2
No change
P1x Sample Application P1M header file for node2
App_FR_Device_Sample.h
1.0.2
No change
P1x User Manual
AUTOSAR_FR_Component_User
1.0.3
Following changes are made:
Manual.pdf
1.  Chapter 2 Reference Documents updated.
2.  Chapter 1, 8, 12 and Sections 3.1.1, 4.2, 4.5, 10.3, 13.2.1,
13.3.3 Updated the file names by adding vender id.
3.  Section 13.2.1.    Sample Application Structure updated by
adding the sample application configuration for supported
devices.
4.  Memory and Throughput details updated in section 13.2.
5.  Chapter 14 Release Details updated.
6.  Copyright information updated.
7.  Removed Compiler and Linker options.
AUTOSAR_FR_Tool_UserManual.
1.0.4
Following changes are made:
pdf
1. File names of Fr_PBcfg.c and Fr_Cfg.h renamed to
Fr_59_PBcfg.c and Fr_59_Cfg.h.
Page 21 of 42

Renesas Electronics

Release Date: 08/06/2015

2. Copyright information updated
7.3 Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf
Page 22 of 42

Renesas Electronics

Release Date: 08/06/2015

8  GPT
8.1  Target Info
Processor
P1M - R7F701310
Module
GPT
Date
08-June-2015
8.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_GPT_P1M_04_05_12_13_20_21.arx
1.0.1
As part of P1x V4.00.04 development activity the
ml
following changes are made:
1. As per mantis #27411, file name changed
to
R403_GPT_P1M_04_05_12_13_20_21.ar
xml
2. Copyright information updated.
3. ADMIN-DATA updated.
R403_GPT_P1M_10_11_14_15_18_19_22_
1.0.6
As part of P1x V4.00.04 development
23.arxml
activity the
following changes are made:
1. As per mantis #27411, file name changed
to
R403_GPT_P1M_10_11_14_15_18_19_2
2_23.arxml
2. Copyright information updated.
3. ADMIN-DATA updated.
BSWMDT
R403_GPT_P1x_BSWMDT.arxml
1.0.4
No change
Source Code
Gpt.c
1.0.17
No change
Gpt_Irq.c
1.0.8
No change
Gpt_LLDriver.c
1.0.19
No change
Gpt_Ram.c
1.0.4
No change
Gpt_Version.c
1.0.3
No change
Gpt.h
1.0.5
No change
Gpt_Debug.h
1.0.3
No change
Gpt_Irq.h
1.0.7
No change
Gpt_LLDriver.h
1.0.5
No change
Page 23 of 42

Renesas Electronics

Release Date: 08/06/2015

Gpt_PBTypes.h
1.0.14
No change
Gpt_Ram.h
1.0.4
No change
Gpt_RegReadBack.h
1.0.1
No change
Gpt_Types.h
1.0.5
No change
Gpt_Version.h
1.0.4
No change
Tool Executable
Gpt_X1x.exe
1.1.6
No change
Gpt_X1x.cfgxml
1.0.0
No change
X1x Common Sample Application Source file
App_GPT_Common_Sample.c
1.0.5
No change
X1x Common Sample Application header file
App_GPT_Common_Sample.h
1.0.3
No change
P1x Sample Application P1M Source file
App_GPT_P1M_Sample.c
1.0.1
No change
P1x Sample Application P1M header file
App_GPT_Device_Sample.h
1.0.1
No change
P1x User Manual
AUTOSAR_GPT_Component_UserManua
1.0.5
Following changes are made:
l.pdf
1. Added note in chapter4 Forethoughts.
2. Removed Compiler Assembler and linker option.
3. Updated copyright information.
4. Updated chapter 13 to add additional device support.
5. Updated throughput and memory details.
AUTOSAR_GPT_Tool_UserManual.pdf
1.0.5
Following changes are made:
• Updated copyright information.
• Updated reference section with new PDF name.
8.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 24 of 42

Renesas Electronics

Release Date: 08/06/2015

9  ICU
9.1  Target Info
Processor
P1M - R7F701310
Module
ICU
Date
08-June-2015
9.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_ICU_P1M_04_05_12_13_20
1.0.1
As per    mantis issue #27411, following changes has been
_21.arxml
made:
1. PDF renamed as
R403_ICU_P1M_04_05_12_13_20_21.arxml
2. Copyright information is updated.
R403_ICU_P1M_10_11_14_15_18
1.1.2
As per    mantis issue #27411, following changes has been
_19_22_23.arxml
made:
1. PDF renamed as
R403_ICU_P1M_04_05_12_13_20_21.arxml
2. Copyright information is updated.
BSWMDT File
R403_ICU_P1x_BSWMDT.arxml
1.0.2
No change
Source Code
Icu.c
1.5.5
No change
Icu_Irq.c
1.2.0
No change
Icu_LLDriver.c
1.6.6
No change
Icu_Ram.c
1.1.4
No change
Icu_Version.c
1.0.4
No change
Icu.h
1.4.4
No change
Icu_Debug.h
1.0.1
No change
Icu_Irq.h
1.1.1
No change
Icu_LLDriver.h
1.3.4
No change
Icu_PBTypes.h
1.5.5
No change
Icu_Ram.h
1.1.4
No change
Icu_Types.h
1.1.2
No change
Icu_Version.h
1.0.3
No change
Tool Executable
Icu_X1x.exe
1.4.6
No change
Page 25 of 42

Renesas Electronics

Release Date: 08/06/2015

Icu_P1x.cfgxml
1.0.0
No change
X1x Common Sample Application Source file
App_ICU_Common_Sample.c
1.3.4
No change
P1x    Sample Application Source file
App_ICU_P1M_Sample.c
1.0.4
As a part of P1x V4.00.04 release corrected
Port_Init() for Device 701310.
X1x Common Sample Application Header file
App_ICU_Common_Sample.h
1.0.2
No change
P1x Sample Application Header file
App_ICU_Device_Sample.h
1.0.0
No change
P1x User Manual
AUTOSAR_ICU_Component_User
1.0.7
Following changes are made:
Manual.pdf
  1.  Chapter  2  Reference  documents  are  updated  for  version
change.
2.  Chapter  4  is  updated  for  information  regarding  Interrupt
vector table.
3. Section 13.1.1 is updated for adding new devices.
4. Section 13.1.1 is updated for names of PDF.
5.  Section  13.2  Compiler,  Linker  and  Assembler  section  is
removed.
6.  Section  13.2  is  updated  for  parameter  definition  file  and
sample application configuration files of all P1M devices.
7. Section 13.3 Memory and Throughput details are updated
AUTOSAR_ICU_Tool_UserManual
1.0.4
Following changes are made:
.pdf
Parameter  definition  file  names  and  versions  are  updated  in
section 2.1.
9.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 26 of 42

Renesas Electronics

Release Date: 08/06/2015

10  MCU
10.1 Target Info
Processor
P1M - R7F701310
Module
MCU
Date
08-June-2015
10.2 Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_MCU_P1M_04_05.arxml
1.1.4
1. As per Mantis #26418, Description of "McuResetReason"
parameter is to
"The parameter represents the different type of reset that a Micro
supports. This parameter is referenced by the parameter
EcuMResetReason in the ECU State manager module,
MCU_SW_RESET."
2. As per Mantis #27411, The file name has been changed to
R403_MCU_P1M_04_05 from
R403_MCU_P1M_701304_701305
3. Local RAM range corrected to 4273864704 to 4273995775
R403_MCU_P1M_10_to_15_18_to_
1.0.1
1. As per Mantis #26418, Description of "McuResetReason"
23.arxml
parameter is to
"The parameter represents the different type of    reset that a
Micro supports. This parameter is referenced by the parameter
EcuMResetReason in the ECU State manager module,
MCU_SW_RESET."
2. As per Mantis #27411,    The file name has been changed to
R403_MCU_P1M_10_to_15_18_to_23 from
R403_MCU_P1M_701310_to_701315_7013018_to_7013023.
BSWMDT
R403_MCU_P1x_BSWMDT.arxml
1.0.5
Updated SW-VERSION for changes in Source code
Source Code
Mcu.c
1.0.6
1. As per mantis #26418 ,following change is made:
MCU_SW_RST is corrected with name MCU_SW_RESET ,
MCU_WDT_RST is corrected with name
MCU_WATCHDOG_RESET,
MCU_POWER_ON_CLEAR_RST is corrected with name
MCU_POWER_ON_RESET
2. Added code comments as per MO Review in Mantis
Page 27 of 42

Renesas Electronics

Release Date: 08/06/2015

#27515
3. Justifications for QAC warnings Msg(4:0857), Msg(4:2983),
Msg(4:4499), Msg(4:2991), Msg(4:2982),
Msg(4:2992), Msg(4:2996), Msg(4:0400).
Mcu_Irq.c
1.0.6
1. Added code comments as per MO Review in Mantis
#27515
2. Added justification for MISRA warning Msg(4:3138)
3. Added compiler switch, #ifndef
Os_MCU_FEINT_CAT2_ISR and #ifndef
MCU_FEINT_CAT2_ISR for MCU_FENMI_ENTRY and
MCU_FENMI_LEAVE as per mantis #27723
Mcu_Ram.c
1.0.4
Added code comments as per MO Review in Mantis    #27515
Mcu_Version.c
1.0.2
No changes
Mcu.h
1.0.3
1. Added code comments as per MO Review in Mantis #27515
2. Added Justification for MISRA Violation:
START Msg(4:3412)
Mcu_Debug.h
1.0.2
Added code comments as per MO Review in Mantis
#27515
Mcu_Irq.h
1.0.2
1.Added code comments as per MO Review in Mantis    #27515
2.Removed _Interrupt_ from MCU_FEINT_ISR
Mcu_PBTypes.h
1.0.4
Added code comments as per MO Review in Mantis    #27515
Mcu_Ram.h
1.0.4
Added code comments as per MO Review in Mantis    #27515
Mcu_Types.h
1.0.4
1.As per mantis #26418 ,following change is made:
MCU_SW_RST is corrected with name MCU_SW_RESET ,
MCU_WDT_RST is corrected with name
MCU_WATCHDOG_RESET ,
MCU_POWER_ON_CLEAR_RST is corrected with name
MCU_POWER_ON_RESET
2. Added code comments as per MO Review in Mantis    #27515
Mcu_Version.h
1.0.1
Added code comments as per MO Review in Mantis    #27515
Tool Executable
Mcu_P1x.exe
1.1.1
Updated for Ver4.0004 release
Mcu_P1x.cfgxml
1.0.0
No change
P1x Sample Application P1M Source file
App_MCU_P1M_Sample.c
1.0.3
As per mantis #27723, the following change is made,
1. Removed #pragma intvect MCU_FEINT_ISR 0x000000E0.
P1x Sample Application P1M header file
App_MCU_Device_Sample.h
1.0.2
No change
Page 28 of 42

Renesas Electronics

Release Date: 08/06/2015

P1x User Manual
AUTOSAR_MCU_Component_Use
1.0.5
Following changes are made:
rManual.pdf
1. New section, “4.7 Callout API” added to chapter 4.
2. Information regarding Interrupt vector table is added to
“Section 4.1 General”.
3. As part of device support activity for R7F701304, R7F701305,
R7F701313, R7F701315, R7F701318 to R7F701323 updated
sections 3.1.1, 13.1, 13.2.
4. Removed section Compiler,Linker and Assembler in
Chapter13.
5. Updated section 13.3 for memory and throughput
6. Copyright information has been changed to 2015
AUTOSAR_MCU_Tool_UserManu
1.0.3
The following changes are made:
al.pdf
• Pdf name and version are updated in Section 2.1
• Updated version and copyright year.
10.3 Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 29 of 42

Renesas Electronics

Release Date: 08/06/2015

11  PORT
11.1  Target Info
Processor
P1M - R7F701310
Module
PORT
Date
08-June-2015
11.2  Release Items
Filename
Version
Change Description
P1x- Parameter Definition files
R403_PORT_P1M_04_05.arxml
1.0.1
As per mantis 27411,27777,26630 following changes
are made
1. File name changed to R403_PORT_P1M_04_05.arxml
from R403_PORT_P1M_701304_701305.arxml
2. Copyright information is updated.
3. Parameter 'PortIpControl' is removed from
PortGroup0,PortGroup2 PortPin4,PortGroup3
PortPin11,14,PortGroup4 PortPin2-4 and    PortGroup5
PortPin5-14
4. Parameters 'PortInputSelection', 'PortUnlimitedCurrentControl',
'PortDriveStrengthControl' and
'PortOpenDrainControl_Expansion' are removed from PortPin4 of
PortGroupJtag0.
R403_PORT_P1M_10_11_14_15.ar
1.0.4
As per mantis 27411,27777,26630 following changes    are made:
xml
1. File name changed from
R403_PORT_P1M_701310_701311_701314_701315.arxml
to R403_PORT_P1M_10_11_14_15.arxml.
2. Copyright information is updated.
3. Parameter 'PortInputSelection' is removed from
PortPin0 of PortGroup0 and PortPin4 of PortGroupJtag0.
4. Parameters 'PortInputSelection', 'PortUnlimitedCurrentControl',
'PortDriveStrengthControl' and
'PortOpenDrainControl_Expansion' are removed from PortPin4 of
PortGroupJtag0
5. Parameter 'PortIpControl' is removed from
PortGroup0,PortGroup3 PortPin11,14, PortGroup4 PortPin2-4
and    PortGroup5 PortPin5-15.
R403_PORT_P1M_12_13.arxml
1.0.2
As per mantis 27411,27777,26630 following changes are made:
1. File name changed from
Page 30 of 42

Renesas Electronics

Release Date: 08/06/2015

R403_PORT_P1M_701312_701313.arxml to
R403_PORT_P1M_12_13.arxml
2. Copyright information is updated.
3. Parameter 'PortIpControl' is removed from
PortGroup0,PortGroup1 PortPin1,PortGroup3
PortPin11,14,PortGroup4 PortPin2-4 and PortGroup5
PortPin0,5-14.
4. Parameter 'PortInputSelection' is removed from
PortGroup2 PortPin3,6,8,PortGroup3 PortPin3
5. Parameters 'PortInputSelection', 'PortUnlimitedCurrentControl',
'PortDriveStrengthControl' and
'PortOpenDrainControl_Expansion' are removed from
PortPin4 of PortGroupJtag0.
R403_PORT_P1M_18_19_22_23.ar
1.0.1
As per mantis 27411,27777,26630 following changes are made:
xml
1. File name changed from
R403_PORT_P1M_701318_701319_701322_701323.arxml    to
R403_PORT_P1M_18_19_22_23.arxml.
2. Copyright information is updated.
3. Parameters 'PortInputSelection',
'PortUnlimitedCurrentControl',    'PortDriveStrengthControl' and
'PortOpenDrainControl_Expansion' are removed from PortPin4 of
PortGroupJtag0
4. Parameter 'PortIpControl' is removed from
PortGroup0,PortGroup3 PortPin5,11,14, PortGroup4 PortPin2-4
and    PortGroup5 PortPin5-14
R403_PORT_P1M_20_21.arxml
1.0.1
As per mantis 27411,27777,26630 following changes
are made:
1. File name changed from
R403_PORT_P1M_701320_701321.arxml to
R403_PORT_P1M_20_21.arxml.
2. Copyright information is updated.
3. Parameter 'PortIpControl' is removed from
PortGroup0,PortGroup2 PortPin0,PortGroup3
PortPin11,14,PortGroup4 PortPin2-4 and PortGroup5 PortPin5-14
4. Parameter 'PortInputSelection' is removed from PortGroup0
PortPin10,PortGroup3 PortPin13.
5. Parameters 'PortInputSelection', 'PortUnlimitedCurrentControl',
'PortDriveStrengthControl' and
'PortOpenDrainControl_Expansion' are removed from
PortPin4 of PortGroupJtag0.
Page 31 of 42

Renesas Electronics

Release Date: 08/06/2015

BSWMDT
R403_PORT_P1x_BSWMDT.arxml
1.0.3
As per mantis #27419 following changes are made:
1. Environment section is updated to add P1x devices
2. Copyright information is updated.
Source Code
Port.c
1.5.9
No change
Port_Ram.c
1.0.3
No change
Port_Version.c
1.0.2
No change

Port.h
1.5.3
No change
Port_Debug.h
1.0.1
No change
Port_Types.h
1.3.1
No change

Port_PBTypes.h
1.4.7
No change
Port_Ram.h
1.0.1
No change
Port_Version.h
1.0.5
No change
Tool Executable
Port_X1x.exe
1.3.12
Tool updated for P1x Ver4.00.04 release.
Port_X1x.cfgxml
1.0.0
No change
P1x Sample Application P1M Source file
App_PORT_P1M_Sample.c
1.0.4
No change
P1x Sample Application P1M header file
App_PORT_Device_Sample.h
1.0.1
No change
P1x User Manual
AUTOSAR_PORT_Component_Us
1.0.5
Following changes are made:
erManual.pdf
1. Section 1.1 Document Overview is updated.
2. Chapter 2 Reference documents are updated for version change.
3. Chapter 4 is updated for information regarding Interrupt vector
table.
4. Chapter 6 Port_SetPinMode is updated.
5. Section 10.2.4 Port_PinModeType is updated.
6. Section 13.1.1 is updated for adding new devices.
7. Section 13.2 Compiler, Linker and Assembler section is
removed.
8. Section 13.2 is updated for parameter definition file and sample
application configuration files of all P1M devices.
9. Section 13.3 Memory and Throughput details are updated.
AUTOSAR_PORT_Tool_UserManu
1.0.5
Following changes are made:
al.pdf
1.  Parameter  Definition  file  names  and  versions  are  updated  in
section 2.1.
Page 32 of 42

Renesas Electronics

Release Date: 08/06/2015

2. Error message ERR124018 is added in section 8.1.
11.3 Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 33 of 42

Renesas Electronics

Release Date: 08/06/2015

12  PWM
12.1  Target Info
Processor
P1M - R7F701310
Module
PWM
Date
08-June-2015
12.2  Release Items
Filename
Version
Change Description
P1x Parameter Definition file
R403_PWM_P1M_04_05_12_13_2
1.0.1
As part of P1x V4.00.04 Maintenance Activity, the following
0_21.arxml
changes are done.
1. As per mantis #27411, the file names are changed and file
version is updated.
2. Copyright information is updated.
3. Admin Data is updated.
R403_PWM_P1M_10_11_14_15_1
1.0.3
As part of P1x V4.00.04 Maintenance Activity,the following
8_19_22_23.arxml
changes are done.
1. As per mantis #27411, the file names are changed and file
version is updated.
2. Copyright information is updated.
3. Admin Data is updated.
BSWMDT File
R403_PWM_P1x_BSWMDT.arxml
1.0.3
No change
Source Code
Pwm.c
1.6.7
No change
Pwm_Irq.c
1.2.1
No change
Pwm_LLDriver.c
1.6.9
No change
Pwm_Ram.c
1.3.8
No change
Pwm_Version.c
1.0.4
No change
Pwm.h
1.4.6
No change
Pwm_Debug.h
1.0.1
No change
Pwm_Irq.h
1.2.0
No change
Pwm_LLDriver.h
1.4.4
No change
Pwm_PBTypes.h
1.4.9
No change
Pwm_Ram.h
1.3.8
No change
Pwm_Types.h
1.5.5
No change
Pwm_Version.h
1.0.5
No change
Page 34 of 42

Renesas Electronics

Release Date: 08/06/2015

Tool Executable
PWM_X1x.exe
1.6.5
No change
Pwm_X1x.cfgxml
1.0.0
No change
X1x Sample Application Source file
App_PWM_Common_Sample.c
1.4.4
No change
X1x Sample Application header file
App_PWM_Common_Sample.h
1.0.3
No change
P1x Sample Application P1M Source file
App_PWM_P1M_Sample.c
1.0.3
No change
P1x Sample Application P1M Header file
App_PWM_Device_Sample.h
1.0.1
No change
P1x User Manual
AUTOSAR_PWM_Component_Us
1.0.3
As part of V4.00.04 P1x Maintenance Activity,Following changes
erManual.pdf
are made.
1. Chapter 2 is updated for referenced documents version.
2. Updated Section 3.1.1 and section 13.1.1 for adding the device
names.
3. Section 13.3.1 is updated for name of the parameter    definition
file and additional devices.
4. Section 13.4 is updated for ROM/RAM usage, Stack Depth and
Throughput details.
5. Section 4.1 is updated to add notes for the file
“Interrupt_VectorTable.c” and the API
“Pwm_SetChannelOutput”.
6. In Section 13, The Compiler,Linker and Assembler options    are
removed.
7. Section 4.6, Table 4-2, Remarks is updated for the
Set_TriggerDealy API.
8. In Section 4.1, a note is updated for the ‘The counter of    master
channel’.
AUTOSAR_PWM_Tool_UserManu
1.0.3
As part of V4.00.04 P1x Maintenance Activity,
al.pdf
following changes are made:
1. Chapter 2 ‘Reference’ is updated for the name and version of
the parameter definition files.
2. Error message ERR000019 is added in section 8.1
12.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 35 of 42

Renesas Electronics

Release Date: 08/06/2015

13  RAMTST
13.1  Target Info
Processor
P1M - R7F701310
Module
RAMTST
Date
08-June-2015
13.2  Release Items
Filename
Version
Change Description
P1x Parameter Definition file
R403_RAMTST_P1M_04_05.arxml
1.0.1
As per mantis 25915 following changes are made:
1. File name changed to R403_RAMTST_P1M_04_05.arxml
from R403_RAMTST_P1M_701304_701305.arxml.
2. LOWER-MULTIPLICITY of
RamTstDemEventParameterRefs container and
RAMTST_E_RAM_FAILURE parameter    is updated.
R403_RAMTST_P1M_10_to_15_1
1.0.3
As per mantis 25915 , following changes are made :
8_to_23.arxml
1. LOWER-MULTIPLICITY of
RamTstDemEventParameterRefs container and
RAMTST_E_RAM_FAILURE parameter    is updated.
2. File name changed from
R403_RAMTST_P1M_701310_to_701315_701318
_to_701323.arxml to
R403_RAMTST_P1M_10_to_15_18_to_23.arxml
BSWMDT
R403_RAMTST_P1x_BSWMDT.ar
1.0.4
No change
xml
Source Code
RamTst.c
1.1.4
No change
RamTst.h
1.1.3
No change
RamTst_RegReadBack.h
1.0.1
No change
RamTst_Types.h
1.1.2
No change
Tool Executable
RamTst_X1x.exe
1.0.8
No change
  RamTst_X1x.cfgxml
1.0.0
No change
X1x Sample Application source file
App_RAMTST_Common_Sample.c
1.0.1
No change
X1x Sample Application header file
App_RAMTST_Common_Sample.h
1.0.0
No change
Page 36 of 42

Renesas Electronics

Release Date: 08/06/2015

P1x Sample Application P1M Source file
App_RAMTST_P1M_Sample.c
1.0.2
No change
P1x Sample Application P1M header file
App_RAMTST_Device_Sample.h
1.0.1
No change
P1x User Manual
AUTOSAR_RAMTST_Component
1.0.3
As part of P1x V4.00.04 activity following changes are made:
_UserManual.pdf
1. In chapter 2, Reference documents updated.
2. Chapter 3, section 3.3.1 Folder structure updated.
3. Chapter 13 supporting device name updated, also section
13.1.1 updated.
4. Chapter 13, section 13.2 compiler, linker, and assembler
options removed.
5. Chapter 13, section 13.2 Sample Application updated.
6. Chapter 13, section 13.3 Memory And Throughput Details
updated.
AUTOSAR_RAMTST_Tool_User
1.0.3
Following changes are made:
Manual.pdf
1.Updated chapter 2 by adding new PDF reference.
13.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 37 of 42

Renesas Electronics

Release Date: 08/06/2015

14  SPI
14.1  Target Info
Processor
P1M - R7F701310
Module
SPI
Date
08-June-2015
14.2  Release Items
Filename
Version
Change Description
P1x Parameter Definition file
R403_SPI_P1M_04_05_12_13_20_
1.0.5
As per mantis #27411,following changes are made
21.arxml
1. File has been renamed to reduce file name length.
2. Updated Copyright information.
R403_SPI_P1M_10_11_14_15_18_
1.0.5
As per mantis #27411,following changes are made
19_22_23.arxml
1. File has been renamed to reduce file name length.
2. Updated Copyright information.
BSWMDT File
R403_SPI_P1x_BSWMDT.arxml
1.0.6
Following changes are made:
1. Software version information is updated.
2. Updated copyright information.
Source Code
Spi.c
1.5.6
No change
Spi_Driver.c
1.4.4
Following changes are made
1. As per mantis #27771, Spi_ReceiveISR API is updated to
remove compilation warning.
2. As per mantis #27772, Spi_HwInit API is updated for 32 bit
DMA settings.
Spi_Irq.c
1.2.8
No change
Spi_Ram.c
1.2.8
No change
Spi_Scheduler.c
1.2.12
No change
Spi_Version.c
1.0.6
No change
Spi.h
1.1.5
No change
Spi_Driver.h
1.2.9
No change
Spi_Irq.h
1.2.3
No change
Spi_LTTypes.h
1.2.11
As per mantis #27772, definition for
SPI_DMA_32BIT_RX_SETTINGS and
SPI_DMA_32BIT_TX_SETTINGS are added.
Spi_PBTypes.h
1.2.11
No change
Spi_Ram.h
1.2.8
No change
Page 38 of 42

Renesas Electronics

Release Date: 08/06/2015

Spi_Scheduler.h
1.2.4
No change
Spi_Types.h
1.2.7
No change
Spi_Version.h
1.0.6
No change
Tool Executable
Spi_X1x.exe
1.2.12
No change
Spi_X1x.cfgxml
1.0.0
No change
X1x Common Sample Application Source file
App_SPI_Common_Sample.c
1.0.7
As part of P1x V4.00.04 Release activity,
1. Removed all device specific macros.
2. Test Application is updated to make it common across all family
X1x Common Sample Application header file
App_SPI_Common_Sample.h
1.0.5
As part of P1x V4.00.04 Release activity,
1. Removed all device specific macros.
2. Test Application is updated to make it common across all family
P1x Sample Application P1M Source file
App_SPI_P1M_Sample.c
1.0.3
As part of P1x V4.00.04 development activity, following changes
are made:
1. Corrected port settings and chip select settings for master for
701310 external loopback testing.
2. Updated slave register settings.
3. Updated Copyright information.
P1x Sample Application P1M header file
App_SPI_Device_Sample.h
1.0.2
As part of P1x V4.00.04 development activity, following
changes are made:
1. Modified for 701310 external loopback testing.
2. Updated slave register settings.
3. Updated Copyright information
P1x User Manual
AUTOSAR_SPI_Component_User
1.0.6
Following changes are made :
Manual.pdf
1. Updated Chapter 2 ‘Reference Documents’ to correct the name
and version of device manual.
2. Information regarding Interrupt vector table has been provided
in section 4.1 ‘General’.
3. In Chapter 13, ’P1M Specific Information’ P1M 4.0.3 supported
devices are updated.
4. Table 13-1 PDF information updated for P1M 4.0.3 supported
devices.
5. Section 13.1.1 has been updated to include the translation
header file for all P1M 4.0.3 supporting devices.
Page 39 of 42

Renesas Electronics

Release Date: 08/06/2015

6. Updated section 13.3.1 ‘Sample Application Structure’ to add
all the supported devices for P1M 4.0.3.
7. Updated section 13.3.2 ‘Building the Sample Application’ to
add configuration details for the device 701310.
8. Updated section 13.4 ‘Memory and Throughput’ for the device
R7F701310.
9. Updated chapter 14 ‘Release Details’ to correct the SPI driver
version.
10. Removed section ‘Compiler, Linker and Assembler’ from
chapter 13.
11.  Added  macros  SPI_DMA_32BIT_TX_SETTINGS  and
SPI_DMA_32BIT_RX_SETTINGS  in  Chapter  6  ‘Registers
Details’.
AUTOSAR_SPI_Tool_UserManual.
1.0.7
Following changes are made:
pdf
1. Updated section 2.1 ‘Reference Documents’ to correct the name
and version of Parameter Definition Files.
2. Section 8.1 and Section 8.2 is modified for removing warning
and adding error message (WRN083001 to ERR083122).
14.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 40 of 42

Renesas Electronics

Release Date: 08/06/2015

15  WDG
15.1  Target Info
Processor
P1M - R7F701310
Module
WDG
Date
08-June-2015
15.2  Release Items
Filename
Version
Change Description
P1x - Parameter Definition files
R403_WDG_P1M_04_05_10_to_15
1.0.3
As part of P1x V4.00.04 development activity the
_18_to_23.arxml
following changes are made:
1. As per mantis #27411, file name changed to
R403_WDG_P1M_04_05_10_to_15_18_to_23.arxml
2. Copyright information updated.
3. ADMIN-DATA updated.
BSWMDT
R403_WDG_P1x_BSWMDT.arxml
1.0.3
No change
Source Code
Wdg_59_DriverA.c
1.0.12
No change
Wdg_59_DriverA_Irq.c
1.0.8
No change
Wdg_59_DriverA_Private.c
1.0.5
No change
Wdg_59_DriverA_Ram.c
1.0.5
No change
Wdg_59_DriverA_Version.c
1.0.4
No change
Wdg_59_DriverA.h
1.0.6
No change
Wdg_59_DriverA_Debug.h
1.0.1
No change
Wdg_59_DriverA_Irq.h
1.0.5
No change
Wdg_59_DriverA_PBTypes.h
1.0.8
No change
Wdg_59_DriverA_Private.h
1.0.3
No change
Wdg_59_DriverA_Ram.h
1.0.5
No change
Wdg_59_DriverA_RegReadBack.h
1.0.0
No change
Wdg_59_DriverA_Types.h
1.0.4
No change
Wdg_59_DriverA_Version.h
1.0.5
No change
Tool Executable
Wdg_X1x.exe
1.0.17
No change
Wdg_X1x.cfgxml
1.0.0
No change
X1x Common Sample Application Source file
App_WDG_Common_Sample.c
1.0.10
No change
Page 41 of 42

Renesas Electronics

Release Date: 08/06/2015

X1x Common Sample Application header file
App_WDG_Common_Sample.h
1.0.4
No change
P1x Sample Application P1M Source file
App_WDG_P1M_Sample.c
1.0.3
No change
P1x Sample Application P1M header file
App_WDG_Device_Sample.h
1.0.2
No change
P1x User Manual
AUTOSAR_WDG_Component_Us
1.0.4
Following changes are made:
erManual.pdf
1. Updated Chapter 4.1 to add notes.
2. Updated Chapter 13 to add new device support.
3. Removed sections for Compiler, Linker and Assembler.
4. Updated Chapter 13.3 with memory and throughput details.
5. Updated copyright information.
AUTOSAR_WDG_Tool_UserManu
1.0.2
Following changes are made:
al.pdf
1. Updated Chapter 2 to add PDF reference.
2. Updated copyright information.
15.3  Known Issues
ID
Description
1.
Please refer KnownIssues_P1x_R403_2015_CW23.pdf

Page 42 of 42

Document Outline

20.10 - RenesasMcalSuprt Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. RenesasMcalSuprt

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Suprt_Renesas_Mcal_02.00.00

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3177

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/12/16

Lead Peer Reviewer:

Kathleen Creager

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 3: Source Code

Rev 1.2

8-Jun-15

Peer Review Meeting Log (Source Code Review)

Source File Name:

N/A

Source File Revision:

N/A

Header File Name:

Renesas_Compiler.h

Header File Revision:

kzshz2: Intended Use: Identify which version of the source file is being review. Rationale: Required for traceability between source code and review. Auditors will likely require this. 1

MDD Name:

N/A

Revision:

N/A

FDD/SCIR/DSR/FDR/CM Name:

N/A

Revision:

N/A

Quality Check Items:

Rationale is required for all answers of No

for variable names

N/A

Comments:

for constant names

N/A

Comments:

for function names

N/A

Comments:

for other names (component, memory

N/A

Comments:

mapping handles, typedefs, etc.)

All paths assign a value to outputs, ensuring

N/A

Comments:

all outputs are initialized prior to being written

Requirements Tracability tags in code match the requirements tracability in the FDD

N/A

Comments:

requirements tracability in the FDD

All variables are declared at the function level.

N/A

Comments:

Synergy version matches change history

kzshz2: Intended Use: Indicate that the the versioning was confirmed by the peer reviewer(s). Rationale: There have been many occassions where versions were not updated in files and as a result Unit Test were referencing wrong versions. This often time leads to the need to re-run of batch tests.

N/A

Comments:

and Version Control version in file comment block

Change log contains detailed description of changes

N/A

Comments:

and Work CR number

Code accurately implements FDD (Document or Model)

N/A

Comments:

Verified no Compiler Errors or Warnings

KMC: Intended Use: To confirm no compiler errors or warnings exist for the code under review (warnings from contract header files may be ignored). Rationale: This is needed to ensure there will be no errors discovered at the time of integration. A Sandox project should be used; QAC can find compiler errors but not warnings.

N/A

Comments:

Component.h is included

N/A

Comments:

All other includes are actually needed. (System includes

N/A

Comments:

only allowed in Nexteer library components)

Software Design and Coding Standards followed:

Version:

Code comments are clear, correct, and adequate

N/A

Comments:

and have been updated for the change: [N40] and

all other rules in the same section as rule [N40],

plus [N75], [N12], [N23], [N33], [N37], [N38],

[N48], [N54], [N77], [N79], [N72]

Source file (.c and .h) comment blocks are per

N/A

Comments:

standards and contain correct information: [N41], [N42]

Function comment blocks are per standards and

N/A

Comments:

contain correct information: [N43]

Code formatting (indentation, placement of

N/A

Comments:

braces, etc.) is per standards: [N5], [N55], [N56],

[N57], [N58], [N59]

Embedded constants used per standards; no

N/A

Comments:

"magic numbers": [N12]

Memory mapping for non-RTE code

N/A

Comments:

is per standard

All execution-order-dependent code can be

N/A

Comments:

recognized by the compiler: [N80]

All loops have termination conditions that ensure

N/A

Comments:

finite loop iterations: [N63]

All divides protect against divide by zero

N/A

Comments:

if needed: [N65]

All integer division and modulus operations

N/A

Comments:

handle negative numbers correctly: [N76]

All typecasting and fixed point arithmetic,

N/A

Comments:

including all use of fixed point macros and

timer functions, is correct and has no possibility

of unintended overflow or underflow: [N66]

All float-to-unsiged conversions ensure the.

N/A

Comments:

float value is non-negative: [N67]

All conversions between signed and unsigned

N/A

Comments:

types handle msb==1 as intended: [N78]

All pointer dereferencing protects against

N/A

Comments:

null pointer if needed: [N70]

Component outputs are limited to the legal range

N/A

Comments:

defined in the FDD DataDict.m file : [N53]

All code is mapped with FDD (all FDD

N/A

Comments:

subfunctions and/or model blocks identified

with code comments; all code corresponds to

some FDD subfunction and/or model block): [N40]

Review did not identify violations of other

N/A

Comments:

coding standard rules

Anomaly or Design Work CR created

N/A

Comments: List Anomaly or CR numbers

for any FDD corrections needed

General Notes / Comments:

Review only delivered file from renesas MCAL vs files to be checked in.

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/12/16

Lead Peer Reviewer:

Kathleen Creager

Approved by Reviewer(s):

Yes

Other Reviewer(s):

21 - RTE

RTE

Component Documentation

21.1 - Rte Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Rte

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Rte_Vector_4.8.0.0_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3178

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/20/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

21.2 - SafetyGuide_Rte

YourTopic

21.3 - SafetyGuide_Rte_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76

21.4 - SafetyGuide_Rtes

MICROSAR RTE
Safety Guide

Version 4.8.0

Authors
Sascha Sommer, Bernd Sigle
Status
Released

Safety Guide MICROSAR RTE
Document Information
History
Author
Date
Version
Remarks
4.1.0
2013-04-15
Sascha
Initial Creation for RTE 4.1 (AUTOSAR 4)
Sommer
4.2.0
2013-10-29
Sascha
Updated for RTE 4.2
Sommer
Explained MICROSAR OS interrupt locking
Bernd Sigle  APIs.
Corrected review findings especially the
used abbreviations.
4.3.0
2014-02-05
Sascha
Updated for RTE 4.3
Sommer
Clarified Assumptions about VFB Trace
Hooks
Described Inter-ECU sender/receiver from
the ASIL partition
Support for mapped client/server calls
between partitions
Multicore Support
SuspendAllInterrupts is no longer used
4.4.0
2014-06-11
Sascha
Updated for RTE 4.4
Sommer
4.5.0
2014-10-15
Bernd Sigle  Updated for RTE 4.5
Rte_DRead added
4.6.0
2014-12-10
Sascha
Updated for RTE 4.6
Sommer
4.7.0
2015-03-18
Sascha
Updated for RTE 4.7
Sommer
4.8.0
2015-07-15
Sascha
Updated for RTE 4.8
Sommer
Described APIs/scheduling of ASIL BSW
Reference Documents
No.
Source
Title
Version
[1]   AUTOSAR
AUTOSAR_SWS_RTE.pdf

3.2.0
[2]   AUTOSAR
AUTOSAR_SWS_OS.pdf

5.0.0
[3]   AUTOSAR
AUTOSAR_SWS_StandardTypes.pdf

1.3.0
[4]   AUTOSAR
AUTOSAR_SWS_PlatformTypes.pdf

2.5.0
[5]   AUTOSAR
AUTOSAR_SWS_CompilerAbstraction.pdf

3.2.0
2015, Vector Informatik GmbH
Version: 4.8
2 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
[6]   AUTOSAR
AUTOSAR_SWS_MemoryMapping.pdf

[7]   Vector
Technical Reference MICROSAR RTE
4.8.0
[8]   ISO
ISO/DIS 26262
2009

Scope of the Document
This document describes the use of the MICROSAR RTE with regards to functional safety.
All  general  aspects  of  the  MICROSAR  RTE  are  described  in  a  separate  document  [7],
which is also part of the delivery.

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2015, Vector Informatik GmbH
Version: 4.8
3 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
1
Purpose
The SEooC  is developed based on assumptions on the intended functionality, use and
context, including external interfaces.  To  have  a  complete  safety  case,  the  validity  of
these  assumptions  has to be  checked  in  the context of the actual item after integration
of the SEooC.
The application conditions for SEooC provide the assumptions made on the requirements
(including safety requirements) that are placed on the SEooC by higher levels of design
and also on the design external to the SEooC and the assumed safety requirements and
assumptions related to the design of the SEooC.
The  ASIL  capability  of  this  SEooC  designates the  capability  of  the  SEooC to
comply  with  assumed  safety requirements assigned with the given ASIL.
Information given by this document helps to check  if  the  SEooC  does fulfil  the  item
requirements,  or if a  change  to  the  SEooC  will be necessary in accordance with the
requirements of ISO 26262.

The following document describes the SEooC MICROSAR RTE in the version 4.8.

2015, Vector Informatik GmbH
Version: 4.8
8 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
2
Assumptions on the scope of the MICROSAR RTE
2.1
MICROSAR RTE overview
The MICROSAR RTE implements the AUTOSAR Standard of a Runtime Environment for
AUTOSAR Software Components (SWCs) and Basic Software Modules (BSW). This
means that the RTE is responsible for triggering the execution of SWC and BSW specific
code in the form of runnable and schedulable entities. Moreover, the RTE provides APIs,
for example for inter-ECU and intra-ECU communication and for exclusive area accesses.
These APIs can be used by the runnable entities and BSW modules.
The MICROSAR RTE is a generic software component that is not tied to a specific item.
Item specific functionality will be provided by the SWCs. The SWCs therefore also
determine the ASIL that is required for the RTE. Consequently, the MICROSAR RTE can
be seen as Safety Element out of Context (SEooC) according to ISO26262-10. This
document provides the assumptions regarding the software safety requirements and the
architectural design specification that were used for the development of the MICROSAR
RTE. These assumptions have to be confirmed during item development.
The MICROSAR RTE is completely generated by the MICROSAR RTE Generator that is
developed according to the established SPICE certified process (further referred to as
QM).
If the generated code shall be used in an ASIL context, it has to be qualified according to
the requirements of ISO 26262-6.
This document describes how the RTE configuration needs to look like so that it is in line
with the safety assumptions and so that the complexity of the generated RTE code for
ASIL SWCs is kept low enough to be reviewable for qualification. Review hints are
provided in chapter 6.
The final integration of the RTE into a safety related item then needs to be done by a
functional safety expert.

Please note that this document is an extension to the Technical Reference of the
MICROSAR RTE with focus on safety related issues. Refer to the Technical Reference [7]
for general topics like the RTE configuration, integration of the RTE into an ECU and a
description of the RTE APIs.
An overall description of the RTE and AUTOSAR in general can be found in the AUTOSAR
specifications.

Caution
The MICROSAR RTE Generator was not developed according to ISO26262. This
document gives hints on what needs to be done in order to use the generated code
within an item that is developed according to ISO26262.

2015, Vector Informatik GmbH
Version: 4.8
9 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
Safety goals identified for the development result from the following hazard and risk list
ID
Description of hazards that could occur
H&R_RTE_1

H&R_RTE_2

H&R_RTE_3

Table 2-1   Hazards
According to ISO26262,  the hazard  analysis and risk assessment shall be based on the
item  definition. As  the  development  started  with  the  unit  design,  the  hazards  have  to  be
identified by the integrator for the specific item in which the RTE shall be integrated.

2.2
Standards and Legal requirements
The  MICROSAR  RTE  Generator  was  developed  according  to  the  AUTOSAR  RTE
specification. The generated code can be qualified so that  it can be used within  an item
that is developed according to ISO26262.
2.3
Functions of the MICROSAR RTE
The MICROSAR RTE  provides the following functionality:
>  AUTOSAR Runtime Environment according to [1] for QM SWCs and BSW:
>  communication between different runnables within the same SWC (explicit and
implicit inter-runnable variables)
>  communication between different SWCs on the same ECU (queued and non-
queued explicit and implicit sender/receiver communication, client/server
communication, mode communication)
>  communication between SWCs and BSW modules located on the same ECU
(queued and non-queued explicit and implicit sender/receiver communication,
client/server communication, mode communication)
>  communication between SWCs on different ECUs (queued and non-queued
explicit and implicit sender/receiver communication)
>  Calibration Parameters
>  Per-Instance Memories
>  Exclusive Areas
Please see the RTE Technical Reference [7] for a full list of supported features.

2015, Vector Informatik GmbH
Version: 4.8
10 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
>  AUTOSAR Runtime Environment for ASIL SWCs and BSW when the generated RTE
code is qualified according to the requirements of ISO26262 (Code description and
configuration limitations described in this document):
>  Possibility to assign SWCs with different  safety levels to distinct  OS
applications, so that a MPU can be used to provide freedom from interference
with regards to memory
>  Support for Basic Tasks
>  Cyclic triggering of runnable entities
>  Cyclic triggering of schedulable entities
>  Per-Instance Memories
>  Explicit Inter-Runnable Variables
>  Explicit intra-ECU Sender/Receiver Communication with last-is best behaviour
between SWCs with the same and different safety levels
>  Explicit inter-ECU Sender/Receiver Communication with last-is best behaviour
>  Direct Synchronous Client/Server calls inside the same OS application
>  Calibration Parameters
>  Explicit Exclusive Areas

>  AUTOSAR Runtime Environment for ASIL SWCs when the generated RTE code is
qualified according to the requirements of ISO26262 (Not handled in this document due
to the many possible code variants):
>  Support for Extended Tasks
>  Init, Background, DataReceived, DataReceptionError, DataSendCompleted
Triggers
>  Implicit Sender/Receiver communication
>  Queued Sender/Receiver communication
>  Synchronous and Asynchronous Client/Server calls to mapped server runnables
in different OS applications

Table 2-2 summarizes the RTE features that are available for ASIL and QM SWCs.
2015, Vector Informatik GmbH
Version: 4.8
11 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

1

on
W
tii
S

tr
B
e
Feature
h

pa
W
m t
S
or

e B
d f
h
e
W
S
n t
at
i
B

r
/
pa
Cs
e
Cs
W
s
W
Cs
SL
M S
I
W
S
Q
S
A
Multicore Support

    
Runnable Triggers
TimingEvent

    
InitEvent
  

BackgroundEvent
  

DataReceivedEvent4
  

DataReceivedErrorEvent4
  

DataSendCompletedEvent
  

OperationInvokedEvent4
    
AsynchronousServerCallReturnEvent4
  

ModeSwitchEvent4


ModeSwitchAckEvent


SWC Settings
Source Code

    
Object Code
  

Multiple Instantiation
  

Indirect API
  

Runnable Settings
Minimum Start Interval

  

Task Settings
Basic Tasks

    
Extended Tasks
  

Calibration Support
Rte_CData API

    
Rte_Prm API
    
Online Calibration


Per
Rte_Pim API
-Instance Memories

    
Inter
Rte_IrvWrite API
-Runnable Variables

    
Rte_IrvRead API
    
Rte_IrvIWrite API
  

Rte_IrvIRead API
  

Sender/Receiver Communication
Rte_Write API

    
Rte_Invalidate API
  

Rte_Read API
    

1 SWCs can either be assigned to the same partition as the BSW (recommended for QM SWCs, see column 1), or one
or  more  separate  partitions  can  be  created.  In  this  case,  no  features  that  require  special  handling  when  the  RTE  is
initialized by the BSW and no features that require direct access to the BSW can be used. The marked features can be
used for QM and ASIL SWCs but only the APIs marked in the column “ASIL SWCs” are described in this document.
2015, Vector Informatik GmbH
Version: 4.8
12 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

1

on
W
tii
S

tr
B
e
Feature
h

pa
W
m t
S
or

e B
d f
h
e
W
S
n t
at
i
B

r
/
pa
Cs
e
Cs
W
s
W
Cs
SL
M S
I
W
S
Q
S
A
Rte_DRead API
  

Rte_IWrite API
  

Rte_IWriteRef API
  

Rte_IInvalidate API
  

Rte_IRead API
  

Rte_IStatus API
  

Rte_Feedback API
  

Rte_IsUpdated API
    
Rte_NeverReceived API4
  

Rte_Send API2
  

Rte_Receive API2
  

inter-ECU communication
    
intra-ECU communication
    
Unconnected Ports
  

transmission acknowledgement
  

alive timeout
  

rx filters4
  

Client/Server Communication
Rte_Call API

    
Rte_Result API
  

synchronous calls to unmapped runnables3
    
synchronous calls to mapped runnables on same task
    
synchronous calls to runnables on different tasks2
  

asynchronous calls
  

Mode communication
Rte_Switch API



Rte_Mode API4
    
Enhanced Rte_Mode API4
  

Rte_SwitchAck  API



2  Only  supported  when  all  senders/callers  are  within  the  same  partition.  The  servers/receivers  can  be  in  a  different
partition.
3 Please note that this might not be possible when the server runnable is located in a different  OS Application as the
server  is  executed  with  the  access  rights  of  the  caller.  Also  no  additional  protection  measures  are  applied  when  the
communication is between SWCs with different safety level.
4 Please note that this feature is not possible for QM SWCs when the sender is an ASIL SWC
2015, Vector Informatik GmbH
Version: 4.8
13 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

1

on
W
tii
S

tr
B
e
Feature
h

pa
W
m t
S
or

e B
d f
h
e
W
S
n t
at
i
B

r
/
pa
Cs
e
Cs
W
s
W
Cs
SL
M S
I
W
S
Q
S
A
mode switch acknowledgement


mode disablings4


Exclusive Areas
implicit exclusive areas

  

explicit exclusive areas
    
Rte_Enter API
    
Rte_Exit API
    
Implementation Method All InterruptBlocking
  

Implementation Method OS InterruptBlocking
    
Implementation Method OsResources
  

Implementation Method CooperativeRunnablePlacement    

BSW Module Support (SchM)
TimingEvent

    
Background Event
  

explicit exclusive areas
    
SchM_Enter API
    
SchM_Exit API
    
EA Implementation Method All InterruptBlocking
    
EA Implementation Method OS InterruptBlocking
    
Table 2-2   RTE features for ASIL and QM SWCs
2015, Vector Informatik GmbH
Version: 4.8
14 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
2.4
Operating conditions
The MICROSAR RTE is part of the MICROSAR Safe Architecture (Figure 2-1).

Figure 2-1  MICROSAR Safe Architecture
This  architecture  is  based  on  the  MICROSAR AUTOSAR  stack  developed  with  Vector’s
ISO9001 and SPICE based standard quality management.
The Add-On MICROSAR Safe Context extends this stack with an Operating System with
memory protection in order to use the MICROSAR BSW with application software with a
safety integrity level up to ASIL D.
ASIL Decomposition in the MICROSAR Safe Architecture is implemented through software
partitioning as described in ISO 26262 (Figure 2-2).

Figure 2-2  ASIL Decomposition
2015, Vector Informatik GmbH
Version: 4.8
15 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
This means MICROSAR Safe Context provides freedom from interference with regards to
memory  so  that  the  QM  parts  of  the  software  cannot  overwrite  memory  from  the  ASIL
application. An additional Safe Watchdog module provides freedom from interference with
regards to CPU runtime.
For  Safe  Communication  between  different  ECUs,  the  AUTOSAR  E2E  Library  can  be
used.

The  MICROSAR  RTE  extends  the  MICROSAR  Safe  Context  concept  to  the  software
component level. SWCs inherit the ASIL from the safety requirements that are allocated to
them. With the MICROSAR RTE, it is possible to use SWCs with different ASIL as well as
QM  SWCs  and  BSW  within  the  same  ECU.  The  MICROSAR  RTE  furthermore  provides
communication mechanisms that can be used to implement communication between ASIL
and QM SWCs.

A list of assumptions regarding the overall system architecture and development process
is given in the next chapter.

2.5
Assumptions
ID
Description of assumption on the scope of the MICROSAR RTE
ASS_RTE_1
The OS provides freedom from interference for different OS Applications
with regards to memory. This means that code in one OS Application
cannot destroy memory in another OS Application.
ASS_RTE_2
The AUTOSAR Memory Abstraction for the target platform and the OS
make it possible to assign RTE/BSW variables to specific OS Applications
so that they can only be written by code that is executed within this OS
Application.
Moreover in case of Multicore, the RTE variables are mapped to
noncacheable RAM so that they can be accessed by all cores.
ASS_RTE_3
The tool chain initializes global variables or the API Rte_InitMemory is
called before the OS is started. Rte_InitMemory initializes variables from
different OS Applications. Therefore it needs to be started without
memory protection.
ASS_RTE_4
The OS allows non protected reads to RTE/BSW variables within the
same and foreign OS Applications.
ASS_RTE_5
Freedom from interference with regards to CPU runtime is provided
through external means, for example with the help of a control flow
monitor. The mechanisms for it are either implemented in a way that the
RTE cannot deactivate them or a review is performed that checks that the
RTE does not impact their operation.
ASS_RTE_6
The OS APIs that are used by the RTE in ASIL parts of the code can be
called from different contexts without interference:
>  TerminateTask
>  SuspendOSInterrupts
2015, Vector Informatik GmbH
Version: 4.8
16 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
>  osDisableLevelUM (MICROSAR OS)
>  osDisableLevelKM (MICROSAR OS)
>  osDisableLevelAM (MICROSAR OS)
>  osDisableGlobalUM (MICROSAR OS)
>  osDisableGlobalKM (MICROSAR OS)
>  osDisableGlobalAM (MICROSAR OS)
>  ResumeOSInterrupts
>  osRteEnableLevelUM (MICROSAR OS)
>  osRteEnableLevelKM (MICROSAR OS)
>  osRteEnableLevelAM (MICROSAR OS)
>  osRteEnableGlobalUM (MICROSAR OS)
>  osRteEnableGlobalKM (MICROSAR OS)
>  osRteEnableGlobalAM (MICROSAR OS)
>  GetSpinlock (Multicore Systems)
>  ReleaseSpinlock (Multicore Systems)
ASS_RTE_7
The OS provides at least the APIs
>  SuspendOSInterrupts
>  osDisableLevelUM (MICROSAR OS)
>  osDisableLevelKM (MICROSAR OS)
>  osDisableLevelAM (MICROSAR OS)
>  osDisableGlobalUM (MICROSAR OS)
>  osDisableGlobalKM (MICROSAR OS)
>  osDisableGlobalAM (MICROSAR OS)
>  ResumeOSInterrupts
>  osRteEnableLevelUM (MICROSAR OS)
>  osRteEnableLevelKM (MICROSAR OS)
>  osRteEnableLevelAM (MICROSAR OS)
>  osRteEnableGlobalUM (MICROSAR OS)
>  osRteEnableGlobalKM (MICROSAR OS)
>  osRteEnableGlobalAM (MICROSAR OS)
with the same or higher ASIL than the SWCs
2015, Vector Informatik GmbH
Version: 4.8
17 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
In Multicore Systems, the OS also needs to provide the APIs
>  GetSpinlock
>  ReleaseSpinlock
with the same or higher ASIL than the SWCs
ASS_RTE_8
The RTE configuration is chosen in such a way that the
OS/System mechanisms for freedom from interference (memory and
runtime) can also be used to implement freedom from interference for
SWCs with different ASIL. This makes it necessary to map SWCs with
different ASIL to different OS Applications. All OS Applications with SWCs
that do not have the highest ASIL need to be nontrusted. This includes
the OS Application of the BSW. See also chapter 5.2.
ASS_RTE_9
The RTE configuration is chosen in such a way that no OS APIs need to
be called in the RTE APIs or the TASK bodies that violate the safety
requirements of the ASIL SWCs.
The RTE code calls the following OS APIs:
>  SetRelAlarm
>  CancelAlarm
>  SetEvent
>  GetEvent
>  ClearEvent
>  WaitEvent
>  GetTaskID
>  ActivateTask
>  TerminateTask
>  Schedule
>  ChainTask
>  GetResource
>  ReleaseResource
In case of multicore systems also the API
>  GetCoreID
is called.
ASS_RTE_10
The RTE configuration is chosen in such a way that no SWC needs to
directly call methods in (Service-) SWCs with lower ASIL and no (Service-
) SWCs with lower ASIL needs to call methods in ASIL SWCs except for
the case when the SWCs explicitly allow this kind of usage. If necessary,
this work is delegated to wrapper SWCs in the same OS Application as
the called/calling SWC. Direct calls can moreover be avoided when the
server runnables are mapped to tasks. See also chapter 5.2.
ASS_RTE_11
The RTE configuration is chosen in such a way that the RTE APIs or
2015, Vector Informatik GmbH
Version: 4.8
18 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
TASKS for a SWC do not contain calls to BSW modules with lower ASIL
than the SWC itself that might cause interference. If necessary, this work
is delegated to wrapper SWCs in the same OS Application as the BSW
modules. For external communication, the RTE proxies the calls to the
Com module. See also chapter 5.2.
ASS_RTE_12
The RTE does not need to provide freedom from interference for
communication. In an AUTOSAR system, the E2ELibrary that is directly
called by the SWCs is responsible for Safe communication. Nevertheless,
the RTE provides APIs that can be called by the E2ELibrary.
ASS_RTE_13
The Generated RTE code for ASIL SWCs is qualified according to the
requirements of ISO26262 by the integrator so that it reaches the same
ASIL as the SWCs themselves. This is necessary because the RTE
Generator was only developed with Vectors standard quality
management (QM).
ASS_RTE_14
The hardware is suited for safety relevant software according to the
requirements of ISO26262. The hardware requirements are mostly
determined by the SWCs that shall be supported by the RTE. The
MICROSAR RTE does not impose other hardware safety requirements
as those that are already required by the SWCs and the OS.
ASS_RTE_15
The development tool chain (for example editors, compilers, linkers,
make environment, flash utilities) is suited for the development of safety
relevant software according to the requirements of ISO26262. All tools
need to reach the appropriate Tool Qualification Level (TCL).
Table 2-3 Assumptions regarding the system architecture and environment
2015, Vector Informatik GmbH
Version: 4.8
19 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
3
Assumptions on the safety goals of the MICROSAR RTE
ID
ASIL  Description of hazards  Ref assumption
Ref H & R
that could occur
SG_RTE_1

SG_RTE_2

Table 3-1   Safety Goals
According to ISO26262, safety goals are determined for each hazardous event evaluated
in  the  hazard  analysis.  As  the  hazard  analysis  could  not  be  done  due  to  the  unknown
target  item,  the  safety  goals  have  to  be  identified  by  the  integrator  once  the  hazard
analysis is done.

ID
Description of safe state
Ref safety goal
SS_RTE_1

SS_RTE_2

Table 3-2   Safe States
Due  to  the  missing  safety  goals,  no  safe  states  could  be  identified  that  can  be  used  to
achieve  a  safety  goal.  The  safe  states  have  to  be  identified  by  the  integrator  once  the
safety goals are known.
2015, Vector Informatik GmbH
Version: 4.8
20 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
4
Safety concept of the MICROSAR RTE
4.1
Functional concept
The MICROSAR RTE was developed with the following assumptions regarding the safety
requirements. No references to safety goals and target ASIL are listed for the requirements
as these depend on the particular context into which the RTE is integrated.

ID
Description of safety requirement
ASIL
Ref SG, ASS
SR_RTE_1  The RTE (with the help of a MPU and an appropriate

OS) shall provide freedom from interference with
regards to memory for ASIL SWCs. This means that
the RTE shall protect ASIL SWCs from BSW with
lower ASIL. Additionally, the RTE shall also protect
ASIL SWCs also from other SWCs with lower ASIL.
The protection shall include the inter-runnable
variables, per instance memories, sender buffers and
stacks of the SWCs. Moreover, the protection shall be
transparent to the SWCs, e.g. it shall be possible to
access the protected inter-runnable variables and
per-instance memories with the default AUTOSAR
RTE APIs Rte_IrvWrite, Rte_IrvRead and Rte_Pim.
SR_RTE_2  The RTE shall provide intra-ECU communication

mechanism for SWCs with the same and different
ASIL. The communication shall be possible through
the AUTOSAR RTE APIs Rte_Read and Rte_Write
that are used for non-queued sender/receiver
communication.
SR_RTE_3  The RTE shall provide mechanisms for data

consistency that can be used by the ASIL SWCs to
prevent concurrent accesses to shared ressources.
(explicit exclusive areas). The realization of the
exclusive areas shall be possible through the
AUTOSAR RTE APIs Rte_Enter and Rte_Exit.
SR_RTE_4  The RTE shall provide access to calibration

parameters for the ASIL SWCs. It shall be possible to
access the calibration parameters with the default
AUTOSAR RTE APIs Rte_Prm and Rte_CData.
Table 4-1   Safety Requirements
2015, Vector Informatik GmbH
Version: 4.8
21 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
4.2
Safe state and degradation concept
The MICROSAR RTE does not support degradation to the safe state as the safe state
depends on the functionality of the item. Safe state degradation therefore also has to be
implemented by the application or by the OS. Memory protection faults are supposed to be
handled by the OS.
4.3
Fault tolerance and diagnostics concept
The fault tolerance and diagnostics concept depends on the requirements of the
Application SWCs. It has to be implemented within the application SWCs.
2015, Vector Informatik GmbH
Version: 4.8
22 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
5
Integration of the MICROSAR RTE in a new particular context
5.1
Assumptions
ID
ASIL  Description of assumptions, safety goals, safety
Validity check
requirements
ASS_RTE_1

The OS provides freedom from interference for

different OS Applications with regards to memory.
This means that code in one OS Application cannot
destroy memory in another OS Application.
ASS_RTE_2

The AUTOSAR Memory Abstraction for the target

platform and the OS make it possible to assign
RTE/BSW variables to specific OS Applications so
that they can only be written by code that is executed
within this OS Application.
Moreover in case of Multicore, the RTE variables are
mapped to noncacheable RAM so that they can be
accessed by all cores.
ASS_RTE_3

The tool chain initializes global variables or the API

Rte_InitMemory is called before the OS is started.
Rte_InitMemory initializes variables from different OS
Applications. Therefore it needs to be started without
memory protection.
ASS_RTE_4

The OS allows non protected reads to RTE/BSW

variables within the same and foreign OS
Applications.
ASS_RTE_5

Freedom from interference with regards to CPU

runtime is provided through external means, for
example with the help of a control flow monitor. The
mechanisms for it are either implemented in a way
that the RTE cannot deactivate them or a review is
performed that checks that the RTE does not impact
their operation.
ASS_RTE_6

The OS APIs that are used by the RTE in ASIL parts

of the code can be called from different contexts
without interference:
>  TerminateTask
>  SuspendOSInterrupts
>  osDisableLevelUM (MICROSAR OS)
>  osDisableLevelKM (MICROSAR OS)
>  osDisableLevelAM (MICROSAR OS)
>  osDisableGlobalUM (MICROSAR OS)
>  osDisableGlobalKM (MICROSAR OS)
>  osDisableGlobalAM (MICROSAR OS)
2015, Vector Informatik GmbH
Version: 4.8
23 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
>  ResumeOSInterrupts
>  osRteEnableLevelUM (MICROSAR OS)
>  osRteEnableLevelKM (MICROSAR OS)
>  osRteEnableLevelAM (MICROSAR OS)
>  osRteEnableGlobalUM (MICROSAR OS)
>  osRteEnableGlobalKM (MICROSAR OS)
>  osRteEnableGlobalAM (MICROSAR OS)
>  GetSpinlock (Multicore Systems)
>  ReleaseSpinlock (Multicore Systems)
ASS_RTE_7

The OS provides at least the APIs

>  SuspendOSInterrupts
>  osDisableLevelUM (MICROSAR OS)
>  osDisableLevelKM (MICROSAR OS)
>  osDisableLevelAM (MICROSAR OS)
>  osDisableGlobalUM (MICROSAR OS)
>  osDisableGlobalKM (MICROSAR OS)
>  osDisableGlobalAM (MICROSAR OS)
>  ResumeOSInterrupts
>  osRteEnableLevelUM (MICROSAR OS)
>  osRteEnableLevelKM (MICROSAR OS)
>  osRteEnableLevelAM (MICROSAR OS)
>  osRteEnableGlobalUM (MICROSAR OS)
>  osRteEnableGlobalKM (MICROSAR OS)
>  osRteEnableGlobalAM (MICROSAR OS)
with the same or higher ASIL than the SWCs
In Multicore Systems, the OS also needs to provide
the APIs
>  GetSpinlock
>  ReleaseSpinlock
with the same or higher ASIL than the SWCs
ASS_RTE_8

The RTE configuration is chosen in such a way that

the
OS/System mechanisms for freedom from
interference (memory and runtime) can also be used
2015, Vector Informatik GmbH
Version: 4.8
24 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
to implement freedom from interference for SWCs
with different ASIL. This makes it necessary to map
SWCs with different ASIL to different OS Applications.
All OS Applications with SWCs that do not have the
highest ASIL need to be nontrusted. This includes the
OS Application of the BSW. See also chapter 5.2.
ASS_RTE_9

The RTE configuration is chosen in such a way that

no OS APIs need to be called in the RTE APIs or the
TASK bodies that violate the safety requirements of
the ASIL SWCs.
The RTE codes calls the following APIs:
>  SetRelAlarm
>  CancelAlarm
>  SetEvent
>  GetEvent
>  ClearEvent
>  WaitEvent
>  GetTaskID
>  ActivateTask
>  TerminateTask
>  Schedule
>  ChainTask
>  GetResource
>  ReleaseResource
In case of multicore systems also the API
>  GetCoreID
is called.
ASS_RTE_10
The RTE configuration is chosen in such a way that

no SWC needs to directly call methods in (Service-)
SWCs with lower ASIL and no (Service-) SWCs with
lower ASIL needs to call methods in ASIL SWCs
except for the case when the SWCs explicitly allow
this kind of usage. If necessary, this work is delegated
to wrapper SWCs in the same OS Application as the
called/calling SWC. Direct calls can moreover be
avoided when the server runnables are mapped to
tasks. See also chapter 5.2.
ASS_RTE_11
The RTE configuration is chosen in such a way that

the RTE APIs or TASKS for a SWC do not contain
calls to BSW modules with lower ASIL than the SWC
itself that might cause interference. If necessary, this
work is delegated to wrapper SWCs in the same OS
2015, Vector Informatik GmbH
Version: 4.8
25 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
Application as the BSW modules. For external
communication, the RTE proxies the calls to the Com
module.  See also chapter 5.2.
ASS_RTE_12
The RTE does not need to provide freedom from

interference for communication. In an AUTOSAR
system, the E2ELibrary that is directly called by the
SWCs is responsible for Safe communication.
Nevertheless, the RTE provides APIs that can be
called by the E2ELibrary.
ASS_RTE_13
The Generated RTE code for ASIL SWCs is qualified
according to the requirements of ISO26262 by the
integrator so that it reaches the same ASIL as the
SWCs themselves. This is necessary because the
RTE Generator was only developed with Vectors
standard quality management (QM).
ASS_RTE_14
The hardware is suited for safety relevant software

according to the requirements of ISO26262. The
hardware requirements are mostly determined by the
SWCs that shall be supported by the RTE. The
MICROSAR RTE does not impose other hardware
safety requirements as those that are already
required by the SWCs and the OS.
ASS_RTE_15
The development tool chain (for example editors,

compilers, linkers, make environment, flash utilities) is
suited for the development of safety relevant software
according to the requirements of ISO26262. All tools
need to reach the appropriate Tool Qualification Level
(TCL).
SR_RTE_1

The RTE (with the help of a MPU and an appropriate
OS) shall provide freedom from interference with
regards to memory for ASIL SWCs. This means that
the RTE shall protect ASIL SWCs from BSW with
lower ASIL. Additionally, the RTE shall also protect
ASIL SWCs also from other SWCs with lower ASIL.
The protection shall include the inter-runnable
variables, per instance memories, sender buffers and
stacks of the SWCs. Moreover, the protection shall be
transparent to the SWCs, e.g. it shall be possible to
access the protected inter-runnable variables and
per-instance memories with the default AUTOSAR
RTE APIs Rte_IrvWrite, Rte_IrvRead and Rte_Pim.
SR_RTE_2

The RTE shall provide intra-ECU communication

mechanism for SWCs with the same and different
ASIL. The communication shall be possible through
the AUTOSAR RTE APIs Rte_Read and Rte_Write
that are used for non-queued sender/receiver
communication.
SR_RTE_3

The RTE shall provide mechanisms for data

consistency that can be used by the ASIL SWCs to
prevent concurrent accesses to shared ressources.
(explicit exclusive areas). The realization of the
2015, Vector Informatik GmbH
Version: 4.8
26 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
exclusive areas shall be possible through the
AUTOSAR RTE APIs Rte_Enter and Rte_Exit
SR_RTE_4

The  RTE  shall  provide  access  to  calibration
parameters for the ASIL SWCs. It shall be possible to
access  the  calibration  parameters  with  the  default
AUTOSAR RTE APIs Rte_Prm and Rte_CData.
Table 5-1   Assumptions that need to be verified during the integration

The  MICROSAR  RTE  Generator  does  not  produce  ASIL  code.  However,  the  following
chapter tries to explain how an RTE configuration needs to look like so that it is both, in
line with the assumptions given in the previous table, and that it can be reviewed to reach
compliance with a certain ASIL level.
5.2
RTE Configuration
During the software design, it has to be decided if the SWCs need to be developed with a
certain ASIL. In the MICROSAR RTE, OS Applications are used to partition the SWCs of
an  ECU  according  to  their  ASIL.  Therefore,  for  every  used  ASIL,  at  least  one  OS
Application has to be created. Furthermore an  OS Application for the QM BSW needs to
be created. It can also be used for the QM SWCs. All OS Applications apart from the OS
Applications with the highest ASIL need to be nontrusted. An example  is given  in  Figure
5-1.
OsApplication1 (QM)
OsApplication2
OsApplication3
OsApplication4
(ASIL D)
(ASIL A)
(ASIL D)
Software
Software
Software
Software
Software
Component
Component
Component
Component
Component
MICROSAR RTE
OsApplication1
(QM)
BSW

Figure 5-1  SWC to OsApplication Mapping
The assignment of the SWCs to the OS Applications happens through the task mapping.
2015, Vector Informatik GmbH
Version: 4.8
27 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
That means the RTE tasks need to be assigned to the OS Applications. Every SWC then
needs to be mapped to the appropriate OS Application by mapping its runnables to tasks
of that OS Application.
As the BSW OS Application is nontrusted, the following memory protection limitations from
the RTE Technical Reference apply for all SWCs:
>  All schedulable entities of QM BSW Modules need to be assigned to the BSW OS
Application
>  All SWCs with mode provide ports need to be assigned to the BSW OS Application.
>  All SWCs that contain runnables with mode disabling dependencies or mode triggers
need to be assigned to the BSW OS Application.
>  Direct client/server calls between OS Applications are not allowed. Exceptions are
possible when the servers explicitly allow that they are run within the contexts of the
client OS Applications. The RTE generator issues a warning when it detects direct
client/server calls between OS Applications.

Caution
When a client directly calls a server in another OS Application, the server runnable will
  run within the OS Application of the client. This means it can access resources e.g.
memory that are normally only supposed to be accessed by runnables in the client OS
Application. Moreover the server is not able to access resources that can only be
accessed by his own OS Application.
This might violate the safety requirements of the SWCs.

It  is  assumed  that  the  MICROSAR  RTE  is  used  together  with  MICROSAR  OS  Safe
Context.  While  most APIs  of  MICROSAR  OS  Safe  Context  can  be  called  from  arbitrary
contexts  without  causing  interference,  only  certain APIs  are  implemented  in  a  way  that
ASIL code can rely on them. Therefore, the following RTE features that rely on ASIL OS
functionality cannot be used in ASIL SWCs:
>  Extended Tasks
>  Minimum Start Interval
>  Exclusive Areas with implementation methods other than Interrupt Blocking
>  Alive timeout
>  Triggering of runnables in other SWCs e.g. by OnDataReception,
OnDataReceptionError, OnDataSendCompletion triggers of a sender/receiver port

The following general RTE feature cannot be used when ASIL SWCs are present because
it requires calls to non ASIL BSW modules:
>  Measurement with XcpEvents

2015, Vector Informatik GmbH
Version: 4.8
28 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
To simplify the review, it is also recommended to only use a subset of the RTE features in
the ASIL SWCs. The review chapter in this document only describe the RTE APIs for the
case when the following features are not used:
>  VFB Trace Hooks
>  Invalidation
>  Rx Filters
>  Implicit Exclusive Areas
>  Implicit Inter-Runnable Variables
>  Multiple Instantiation
>  Object Code SWCs
>  Unconnected ports
>  Implicit sender/receiver communication
>  Online calibration
>  Transmission acknowledgement
>  Never Received API
>  Enhanced Rte_Mode API
>  Development Error Tracer (DET)
>  Data Prototype Mappings

Summarized, ASIL SWCs may use the following RTE features without violating the RTE
safety assumptions and with the goal in mind to have easy to review code:
>  Runnables with cyclic triggers
>  Runnables with OperationInvokedTriggers
>  Basic tasks. (This means all runnables on an ASIL task need to share the same cycle
time and offset.)
>  Explicit Intra-ECU Sender/Receiver communication (Last-Is-Best)
>  Explicit Inter-ECU Sender/Receiver communication (Last-Is-Best)
>  Rte_IsUpdated API
>  Synchronous Client/Server calls to unmapped runnables or runnables with
CanBeInvokedConcurrently set to true. The client and server need to be mapped to the
same OS Application. Exceptions are possible when the servers explicitly allow such
usage.
>  Explicit Inter-Runnable variables
>  Mode require ports without mode triggers and mode disabling dependencies
2015, Vector Informatik GmbH
Version: 4.8
29 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
>  Explicit exclusive areas
>  Per-instance memories
>  SWC local Calibration parameters
>  Calibration ports

Please note that the names of the objects in the RTE configuration are used in identifiers
in the generated RTE and OS C code. The names have to be chosen in such a way that
the identifiers do not exceed the limits of the target compiler and that they do not conflict
with other identifiers from other modules.
Also  the  filenames  of  the  generated  files  are  created  from  object  names  in  the  RTE
configuration. It also needs to be checked that the file names do not exceed the limits of
the target compiler.
5.3
RTE Generation
Once the RTE is configured it can be generated with the MICROSAR RTE Generator.
The MICROSAR RTE Generator will run some checks prior to the generation.
Errors in the Configuration are reported with an [Error] prefix. The generator will abort the
generation  in  this  case.  Warnings  are  reported  with  [Warning].  Every  warning  has  to  be
checked and it needs to be assured that the warnings do not cause any harm.
Moreover after the generation, it has to be checked that the output directory contains no
old  files  from  previous  generations.  The  RTE  Generator  provides  a  magic  number  pre-
processor check at the end of the files that will issue a compile error when it detects an old
file.  Please  note  that  selective  file  generation  needs  to  be  disabled  in  order  to  use  the
magic number check.
2015, Vector Informatik GmbH
Version: 4.8
30 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6
Qualification of generated RTE Code
The following section gives some hints on what needs to be verified when the RTE shall
be used for ASIL SWCs. The API descriptions show how the RTE code is supposed to look
like according to the generator design when the configuration is based on the description
in chapter 5.2. If the generated code diverges from the code descriptions, the integrator
has to verify that the differences do not cause any harm.

Caution
The MICROSAR RTE generator does not generate ASIL code. If the RTE code shall be
used for ASIL SWCs, the generated code has to be qualified. ISO26262 lists various
methods that can or have to be applied to reach a certain ASIL. The integrator has to
decide which methods are suited for his project and take the required actions.

6.1
Introduction
As the generated RTE code heavily depends on the names of the objects from the RTE
configuration, the API descriptions use the following placeholders:

<oa> OS Application
<soa> sender OS Application
<roa> receiver OS Application
<bswoa> BSW OS Application

<c> component type name
<bsw> BSW module name
<sc> sender component type name
<rc> receiver component type name

<ci> component instance name
<sci> sender component instance name
<rci> sender component instance name

 port prototype
<sp> sender port prototype
<rp> receiver port prototype

<d> data element prototype
<sd> sender data element prototype
2015, Vector Informatik GmbH
Version: 4.8
31 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
<rd> sender data element prototype

<o> operation prototype
<re> runnable entity name
<res> runnable/schedulable entity symbol
<sre> server runnable entity name
<sres> server runnable entity symbol
<signalid> identifier for signal specific buffers
<nocache> _NOCACHE extension for variables that are accessed from multiple cores

<t> data type
<tp> pointer to data type

<name> per-instance memory, calibration parameter, exclusive area or inter-runnable
variable name
<Lock> Interrupt Locking / Spinlock function as described in chapter 6.3.4
<UnLock> Interrupt Unlocking / Spinlock function as described in chapter 6.3.4
<Rte_MemCpy> Memory Copy function as described in chapter 6.9.1

Placeholders written in upper case, for example , mean that the replacement string is
written in upper case.
6.2
Compiler and Memory Abstraction
The RTE code uses the AUTOSAR compiler and memory abstraction for functions,
function prototypes and variable declarations.
#define RTE_START_SEC_<secname>
#include "MemMap.h"

<Object0>
[<Object1>]
[<ObjectN>]

#define RTE_STOP_SEC_<secname>
#include "MemMap.h"
The memory abstraction is used to assign RTE variables to OS Applications. <secname>
is the used memory section, for example CODE, VAR, CONST.
All variables are assigned to the OS Application in which they are written.
Section defines contain the name of the OS Application with the exception of the section
defines for the OS Application that contains the BSW. It directly uses the section defines of
the RTE.
2015, Vector Informatik GmbH
Version: 4.8
32 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
In  case  of  multicore  systems,  the  memory  abstraction  defines  use  an  additional
_NOCACHE  extension  when  variables  are  accessed  from  multiple  cores.  It  has  to  be
assured that variables with this extension are mapped to noncacheable RAM and that  all
variables that are accessed from multiple cores are mapped with this extension.
The RTE includes the file MemMap.h that has to issue the  correct compiler pragmas for
the  platform  so  that  variables  within  the  memory  abstraction  are  mapped  to  the  correct
protected  memory  sections.  See  the Technical  Reference  of  the  OS  of  how  this  can  be
accomplished.  During  integration  it  has  to  be  assured  that  the  mapping  mechanisms
function properly. The RTE section and compiler abstraction defines are described in the
RTE Technical Reference.
Besides  these,  the  MICROSAR  RTE  uses  the  following  macros  from  the  compiler
abstraction:
  FUNC
  AUTOMATIC
  STATIC
  NULL_PTR
  FUNC_P2CONST
  P2VAR
  P2CONST
  CONST
  CONSTP2CONST
  P2FUNC
  VAR
Their functionality needs to be verified for correctness on the target platform.
6.3
DataTypes
6.3.1  Imported Types
The  MICROSAR  RTE  imports  the  following  types  from  Std_Types.h  and  the
Platform_Types.h header that is included by Std_Types.h. It needs to be assured that they
are mapped to the correct platform specific types:
  boolean
  uint8
  uint16
  uint32
  uint64
  sint8
  sint16
  sint32
  sint64
  float32
2015, Vector Informatik GmbH
Version: 4.8
33 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
 float64
 uint8_least
 uint16_least
 uint32_least
 sint8_least
 sint16_least
 sint32_least
 Std_ReturnType
Furthermore the following imported defines need to be correct:
 STD_ON
 STD_OFF
6.3.2 Application Types Generated by the RTE
The RTE Generator generates the data types from the configuration to the header
Rte_Type.h. It has to be checked that Rte_Type.h contains all configured data types and
that the datatypes are in line with the configuration. The RTE generator only generates
implementation data types.
Besides the name of the generated data type, also its properties have to be checked. For
primitive types, this means that the upper and lower limit defines are identical to the ones
that are specified in the configuration and that the base type that is used for the data type
covers its full range. Upper and lower Limits are only generated to the file Rte_<c>_Type.h
when a components uses the application data type that defines the limits.
For complex array types, it has to be checked that the base type is the same as the one
that is configured in the configuration. Furthermore, the length of the array needs to be
identical to the one from the configuration for array types.
For complex record types, the types, names and order of the contained elements needs to
be the same as specified in the configuration.
For enumerations, all generated enumeration literals also need to be defined to the values
that are specified in the configuration. It has to be checked that the list of literals is
complete and that no literal conflicts with other identifiers. The literals are generated to
Rte_<c>_Type.h when a component uses a datatype that references a compu method with
a texttable.

6.3.3
Handling of Array and String Data Types
In the RTE APIs, arrays are passed as pointer to the array base type.
For simplicity, the code descriptions in the following chapters only show examples with
primitive integer types.

6.3.4
Datatype specific handling of Interrupt Locks and Spinlocks
The RTE implements data consistency mechanisms in some of its APIs. Data consistency
is provided with the SuspendOSInterrupts and ResumeOSInterrupts OS APIs on a single
2015, Vector Informatik GmbH
Version: 4.8
34 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
core. As the calls to these OS APIs significantly increase the runtime of the RTE APIs, the
RTE tries to optimize them away when they are not needed.
The APIs are optimized away when the variables can be written atomically by the ECU.
The  behaviour  is  controlled  by  the  setting  of  the  parameter AtomicVariableAccess  in  the
configuration of the EcuC module in the ECUC configuration file.

For simplicity, the code descriptions in the following chapters only show APIs in which the
interrupt locks are not optimized away. When the RTE code for the ASIL SWCs is verified,
it  needs  to  be  checked  that  the optimization  is  correct,  e.g.  that  a  variable  can  really  be
accessed atomically by the ECU.

Some versions of MICROSAR OS provide optimized interrupt locking APIs. The RTE will
use these APIs when they are available.
For nontrusted OS Applications the RTE may call
>  osDisableLevelUM
>  osDisableLevelAM
>  osDisableGlobalUM
>  osDisableGlobalAM
to disable the interrupts and
>  osEnableLevelUM
>  osEnableLevelAM
>  osEnableGlobalUM
>  osEnableGlobalAM
to reenable the interrupts.

For trusted OS Applications the RTE may call
>  osDisableLevelKM
>  osDisableLevelAM
>  osDisableGlobalKM
>  osDisableGlobalAM
to disable the interrupts and
>  osEnableLevelKM
>  osEnableLevelAM
>  osEnableGlobalKM
>  osEnableGlobalAM
2015, Vector Informatik GmbH
Version: 4.8
35 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
to reenable the interrupts.

The optimized APIs are mapped to the macros
Rte_DisableOSInterrupts/Rte_DisableAllInterrupts and
Rte_EnableOSInterrupts/Rte_EnableAllInterrupts.

In the following code examples, <Lock> resolves to SuspendOSInterrupts, or
Rte_DisableOSInterrupts/Rte_DisableAllInterrupts.
<UnLock>
resolves
to
ResumeOSInterrupts or Rte_EnableOSInterrupts/Rte_EnableAllInterrupts. The RTE
generator tries to use the “Disable” variant whenever possible as it is usually faster. It has
to be assured that this variant is only used, when there are no nested calls to the locking
APIs. They cannot be used when the runnable is configured to enter or to run in an
exclusive area. For every locking operation the matching unlocking operation needs to be
called.
It needs to be assured that no included header breaks these operation (e.g. by redefining
them).

On multicore systems, locking the interrupts will only provide data consistency on the core
for which the RTE API is called. In order to provide data consistency also when variables
are accessed from different cores, the <Lock> and <UnLock> operations are extended
with additional GetSpinlock and ReleaseSpinlock calls.

Example:
SuspendOSInterrupts();
(void)GetSpinlock(<SpinlockId>);

Access data structures.

(void)ReleaseSpinlock(<SpinlockId>);
ResumeOSInterrupts();

All places where the protected data structures are accessed need to be protected by the
same Spinlock (same <SpinlockId>)
The interrupt lock APIs can be omitted when the spinlock cannot be accessed by multiple
tasks on the same core.
Instead
of
SuspendOSInterrupts
and
ResumeOSInterrupts
also
Rte_DisableOSInterrupts/Rte_DisableAllInterrupts
and
Rte_EnableOSInterrupts/Rte_EnableAllInterrupts can be used, the distinction is the same
as explained above.

2015, Vector Informatik GmbH
Version: 4.8
36 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

6.4
SWC Implementation
The RTE is the module that glues the SWCs to the AUTOSAR stack. For this, the RTE
generator generates a list of files that provide the datatypes and APIs for the SWCs and
that call the runnable entities of the SWCs. A description of all generated files can be found
in the RTE Technical Reference.
From the generated files, the SWCs shall only include the appropriate RTE header
Rte_<c>.h directly. It provides the SWC specific functionality.
The SWC implementation shall at least contain all configured runnable entities.
The signature of the runnable entities is
FUNC(void, <c>_CODE) <res>(<parglist><arglist>)
or
FUNC(Std_ReturnType, <c>_CODE) <res>(<parglist><arglist>)

for server runnables with return type.
<arglist> is “void” for non-server runnables, otherwise it contains the arguments of the
server operation.
<parglist> is empty for runnables without port defined arguments, otherwise it contains the
port defined arguments.
# define <c>_START_SEC_CODE
# include "MemMap.h"

FUNC(void, <c>_CODE) <res>(<parglist><arglist>)
{

}

# define <c>_STOP_SEC_CODE
# include "MemMap.h"

Runnable entity implementations shall be surrounded by <c>_CODE memory abstraction
defines as shown above.
Every runnable entity shall have a prototype in Rte_<c>.h that is also surrounded by the
same memory abstraction defines.
Server runnables with return value shall return a value in all return paths.
The value shall be RTE_E_OK or one of the application return codes from the
configuration. The application return code defines are contained in the file Rte_<c>.h. It
needs to be checked that the return defines provide the same value as described in the
configuration.
2015, Vector Informatik GmbH
Version: 4.8
37 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

Runnable entities in ASIL SWC should only contain calls to the following RTE APIs:
> Std_ReturnType Rte_Write__<d>(<data>)
> Std_ReturnType Rte_Read__<d>(<data>)
> boolean Rte_IsUpdated__<d>()
> Std_ReturnType Rte_Call__<o>(<data_1>, <data_n>)
> <type> Rte_Pim_<name>()
> <return> Rte_CData_<name>()
> <return> Rte_Prm__<name>()
> <return> Rte_IrvRead_<re>_<name>()
> void Rte_IrvWrite_<re>_<name>(<data>)
> void Rte_Enter_<name>()
> void Rte_Exit_<name>()
> Rte_ModeType_<m> Rte_Mode__<d>()

The Rte_Write, Rte_Read, Rte_IsUpdated, Rte_Call, Rte_IrvRead, Rte_IrvWrite,
Rte_Enter, Rte_Exit APIs are only allowed to be called from a runnable when the runnable
is configured to access the port data element/port operation/inter-runnable
variable/exclusive area for which the API is generated.
The Rte_CData and Rte_Pim APIs are only allowed to be called from runnables in the
SWCs in which they are configured.
The Rte_Prm API is only allowed to be called from runnables in the SWC that contains the
matching calibration receiver port.
For every API that is called by the SWC implementation, it needs to be checked, that the
called API is configured for the SWC and that Rte_<c>.h declares the API.
Furthermore, it needs to be assured that RTE and OS variables are only modified with
afore mentioned RTE API calls. The variables are not allowed to be modified directly within
the runnable code.
It also has to be assured that the RTE APIs with parameters are called with the correct
parameters with regards to type and access rights. When pointers are passed to the RTE
APIs, it has to be assured that the pointers stay valid during the whole runtime of the RTE
API and that the underlying objects are not modified outside the RTE API during the
runtime of the RTE API.

All RTE APIs for a SWC are declared in the header Rte_<c>.h. APIs are implemented
either as macro or as function. When the APIs are implemented as functions, the
2015, Vector Informatik GmbH
Version: 4.8
38 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
implementation is contained in the file Rte_<oa>.c of the OS Application to which the SWC
is mapped.
It needs to be assured that all functions that are called from within RTE code are imported
from the correct versions of the AUTOSAR, Com and OS source and header files.
The inclusion of files from these and other modules shall not re-define any identifier that is
defined in the generated RTE code, e.g. through #define macros. Exceptions are the RTE
memory section defines that can be redeclared in MemMap. However, it needs to be
checked that the mapping of the variables to the code sections works as expected.

6.5
BSW Implementation

The RTE is the module that glues the BSW to the AUTOSAR stack. For this, the RTE
generator generates a list of files that provide the datatypes and APIs for the BSW and that
call the schedulable entities of the BSW. A description of all generated files can be found in
the RTE Technical Reference.
From the generated files, the BSW shall only include the appropriate RTE header
SchM_<bsw>.h directly. It provides the BSW specific functionality.
The BSW implementation shall at least contain all configured schedulable entities.
The signature of the schedulable entities is
FUNC(void, <BSW>_CODE ) <res>()

Schedulable entity implementations shall be surrounded by <BSW>_CODE memory
abstraction defines.
Every schedulable entity shall have a prototype in SchM_<bsw>.h that is also surrounded
by the same memory abstraction defines.

Schedulable entities in ASIL BSW should only contain calls to the following RTE APIs:
> void SchM_Enter_<bsw>_<name>()
> void SchM_Exit_<bsw>_<name>()

All RTE APIs for a BSW module are declared in the header SchM_<bsw>.h. APIs are
implemented either as macro or as function. When the APIs are implemented as functions,
the implementation is contained in the file Rte_<oa>.c of the OS Application to which the
BSW is mapped.
It needs to be assured that all functions that are called from within RTE code are imported
from the correct versions of the AUTOSAR, Com and OS source and header files.
2015, Vector Informatik GmbH
Version: 4.8
39 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
The inclusion of files from these and other modules shall not re-define any identifier that is
defined in the generated RTE code, e.g. through #define macros. Exceptions are the RTE
memory section defines that can be redeclared in MemMap. However, it needs to be
checked that the mapping of the variables to the code sections works as expected.

6.6
SWC specific RTE APIs
6.6.1 Rte_Write
6.6.1.1 Configuration Variant Intra-ECU Without IsUpdated
> source code SWC
> no support for multiple instantiation
> no indirect API
> intra-ECU communication
> receiver is connected
> no receiver triggered on data reception
> no receiver triggered on data reception error
> no transmission acknowledgement
> no rx filtering
> no data prototype mapping
> no invalidation
> is updated is not configured for the receivers
> never received is not configured for the receiver
6.6.1.2 Generated Code Intra-ECU Without IsUpdated
Rte_<c>.h defines Rte_Write as follows:
#define Rte_Write__<d> Rte_Write_<c>__<d>

When the attribute “EnableTakeAddress” is not set for the port and when the data element
can be accessed atomically by the ECU and when the data element is not an array or
string type, Rte_Write_<c>__<d> is declared as macro that writes to a global RTE
variable.

# define RTE_START_SEC_VAR_<oa><nocache>_INIT_UNSPECIFIED
# include "MemMap.h"
2015, Vector Informatik GmbH
Version: 4.8
40 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

extern VAR(<t>, RTE_VAR_INIT<nocache>) Rte_<ci>__<d>;

# define RTE_STOP_SEC_VAR_<oa><nocache>_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_Write_<c>__<d>(data) (Rte_<ci>__<d> = (data),
((Std_ReturnType)RTE_E_OK))

Otherwise, the API is implemented in Rte_<oa>.c
#define RTE_START_SEC_CODE
#include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Write_<c>__<d>(<t> data)
{
Std_ReturnType ret = RTE_E_OK;

 Rte_WriteHook_<c>__<d>_Start(data);
 <Lock>();
 Rte_<ci>__<d> = *(&data);
<UnLock>();
Rte_WriteHook_<c>__<d>_Return(data);
 return ret;
}

#define RTE_STOP_SEC_CODE
#include "MemMap.h"

and Rte_<c>.h only contains the prototype:
# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Write_<c>__<d>(<t> data);

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

In both cases the global variable in Rte_<oa>.c is declared as
#define RTE_START_SEC_VAR_<oa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
VAR(<dt>, RTE_VAR_INIT<nocache>) Rte_<ci>__<d> = <initializer>;
#define RTE_STOP_SEC_VAR_<oa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
2015, Vector Informatik GmbH
Version: 4.8
41 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

where <initializer> is the C representation of the init value that is configured for the port
data element.

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to do the initialization:
Rte_<ci>__<d> = <initializer>;

If the data element is of a string or array type, no direct assignments are used. Instead, the
assignment is replaced by a memcpy

<Rte_MemCpy>(Rte_<ci>__<d>, *(data), sizeof(<t>));

If the datatype can be read and written atomically, the <Lock>() and <UnLock>() calls are
omitted from the Rte_Write API.

When Rte_Write is not a macro, it needs to be assured that the macros
Rte_WriteHook_<c>__<d>_Start(data) and
Rte_WriteHook_<c>__<d>_Return(data) do not have any side effects.

6.6.1.3 Configuration Variant Intra-ECU With IsUpdated
> source code SWC
> no support for multiple instantiation
> no indirect API
> intra-ECU communication
> receiver is connected
> no receiver triggered on data reception
> no receiver triggered on data reception error
> no transmission acknowledgement
> no rx filtering
> no data prototype mapping
> no invalidation
> is updated is configured for one receiver
> never received is not configured for the receiver
2015, Vector Informatik GmbH
Version: 4.8
42 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

6.6.1.4
Generated Code Intra-ECU With IsUpdated
Rte_Write with configured IsUpdated is similar to the variant without IsUpdated. However,
in the IsUpdated case, Rte_Write is always implemented as function in Rte_<oa>.c.

/******************************************************************************
* Update Flags for each Receiver with enableUpdate != 0
*****************************************************************************/
# define RTE_START_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

VAR(Rte_<oa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<oa>_RxUpdateFlags = {
 0
};

# define RTE_STOP_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_<oa>_RxUpdateFlagsInit() (Rte_MemClr(&Rte_<oa>_RxUpdateFlags,
sizeof(Rte_<oa>_RxUpdateFlagsType)))

#define RTE_START_SEC_CODE
#include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Write_<c>__<d>(<t> data)
{
 Std_ReturnType ret = RTE_E_OK;

 Rte_WriteHook_<c>__<d>_Start(data);
 <Lock>();
Rte_<ci>__<d> = *(&data);
 Rte_<oa>_RxUpdateFlags.Rte_RxUpdate_<rci>_<rp>_<rd>_Sender =
!Rte_<roa>_RxUpdateFlags.Rte_RxUpdate_<rci>_<rp>_<rd>;
 <UnLock>();
 Rte_WriteHook_<c>__<d>_Return(data);
 return ret;
}

#define RTE_STOP_SEC_CODE
#include "MemMap.h"

2015, Vector Informatik GmbH
Version: 4.8
43 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
Rte_<roa>.c declares the variable Rte_<roa>_RxUpdateFlags as follows:

# define RTE_START_SEC_VAR_<roa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

VAR(Rte_<roa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<roa>_RxUpdateFlags = {
 0
};

# define RTE_STOP_SEC_VAR_<roa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_<roa>_RxUpdateFlagsInit() (Rte_MemClr(&Rte_<roa>_RxUpdateFlags,
sizeof(Rte_<roa>_RxUpdateFlagsType)))

The extern declaration for Rte_<roa>_RxUpdateFlags is declared in Rte_Type.h:
# define RTE_START_SEC_VAR_<roa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(Rte_<roa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<roa>_RxUpdateFlags;

# define RTE_STOP_SEC_VAR_<roa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to call Rte_<oa>_RxUpdateFlagsInit() and
Rte_<roa>_RxUpdateFlagsInit().

The Update flag types are declared in Rte_Type.h
typedef struct
{
 Rte_BitType Rte_RxUpdate_<rci>_<rp>_<rd>_Sender : 1;
} Rte_<oa>_RxUpdateFlagsType;

typedef struct
{
 Rte_BitType Rte_RxUpdate_<rci>_<rp>_<rd> : 1;
} Rte_<roa>_RxUpdateFlagsType;

2015, Vector Informatik GmbH
Version: 4.8
44 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.1.5 Configuration Variant Inter-ECU
> source code SWC
> no support for multiple instantiation
> no indirect API
> pure inter-ECU communication
> no transmission acknowledgement
> no invalidation
> no data prototype mapping
6.6.1.6 Generated Code Inter-ECU
Rte_<c>.h defines Rte_Write as follows:
#define Rte_Write__<d> Rte_Write_<c>__<d>

The API is implemented in Rte_<oa>.c
# define RTE_START_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

VAR(Rte_<oa>_TxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<oa>_TxUpdateFlags = {
 0,
 0,
};

# define RTE_STOP_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_<oa>_TxUpdateFlagsInit() (Rte_MemClr(&Rte_<oa>_TxUpdateFlags,
sizeof(Rte_<oa>_TxUpdateFlagsType)))

#define RTE_START_SEC_CODE
#include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Write_<c>__<d>(<t> data)
{
Std_ReturnType ret = RTE_E_OK;

 Rte_WriteHook_<c>__<d>_Start(data);
 <Lock>();
2015, Vector Informatik GmbH
Version: 4.8
45 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
 Rte_<signalid> = *(&data);
Rte_<oa>_TxUpdateFlags.Rte_TxUpdate_<c>__<d>
=
RTE_COM_SENDSIGNALPROXY_SEND;
 Rte_<oa>_TxUpdateFlags.Rte_TxUpdateProxy_<c>__<d> =
!Rte_<bswoa>_TxUpdateFlags.Rte_TxUpdateProxy__<c>__<d>;
<UnLock>();
Rte_WriteHook_<c>__<d>_Return(data);
 return ret;
}

#define RTE_STOP_SEC_CODE
#include "MemMap.h"

and Rte_<c>.h only contains the prototype:
# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Write_<c>__<d>(<t> data);

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

The extern declaration for Rte_<oa>_TxUpdateFlags is declared in Rte_Type.h:

typedef struct
{
 Rte_BitType Rte_TxUpdate_<c>__<e> : 2;
 Rte_BitType Rte_TxUpdateProxy_<c>__<e> : 1;
} Rte_<oa>_TxUpdateFlagsType;

# define RTE_START_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(Rte_<oa>_TxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<oa>_TxUpdateFlags;

# define RTE_STOP_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to call Rte_<oa>_TxUpdateFlagsInit().

In both cases the global variable in Rte_<oa>.c is declared as
2015, Vector Informatik GmbH
Version: 4.8
46 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
#define RTE_START_SEC_VAR_<oa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
VAR(<dt>, RTE_VAR_INIT<nocache>) Rte_<signalid> = <initializer>;
#define RTE_STOP_SEC_VAR_<oa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"

where <initializer> is the C representation of the init value that is configured for the port
data element.

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to do the initialization:
Rte_<signalid> = <initializer>;

If the data element is of a string or array type, no direct assignments are used. Instead,
the assignment is replaced by a memcpy
<Rte_MemCpy>(Rte_<signalid>, *(data), sizeof(<t>));

If the datatype can be read and written atomically, the <Lock>() and <UnLock>() calls are
omitted from the Rte_Write API.

When Rte_Write is not a macro, it needs to be assured that the macros
Rte_WriteHook_<c>__<d>_Start(data) and
Rte_WriteHook_<c>__<d>_Return(data) do not have any side effects.

6.6.2 Rte_Read
6.6.2.1 Configuration Variant Without IsUpdated
> source code SWC
> no support for multiple instantiation
> no indirect API
> alive timeout is not configured
> invalidation is not configured
> is updated is not configured
> never received is not configured
> no data prototype mapping
> sender is connected
2015, Vector Informatik GmbH
Version: 4.8
47 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
> intra-ECU or inter-ECU communication
6.6.2.2 Generated Code Without IsUpdated
Rte_<c>.h defines Rte_Read as follows:
#define Rte_Read__<d> Rte_Read_<c>__<d>

When the attribute “EnableTakeAddress” is not set for the port and when the data element
can be accessed atomically by the ECU, Rte_Read_<c>__<d> is declared as macro
that reads from a global RTE variable.

# define RTE_START_SEC_VAR_<soa><nocache>_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(<t>, RTE_VAR_INIT<nocache>) Rte_<sci>_<sp>_<sd> ;

# define RTE_STOP_SEC_VAR_<soa><nocache>_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_Read_<c>__<d>(data) (*(data) = Rte_<sci>_<sp>_<sd> ,
((Std_ReturnType)RTE_E_OK))

Otherwise, the API is implemented in Rte_<oa>.c
# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Read_<c>__<d>(<tp> data)
{
 Std_ReturnType ret = RTE_E_OK;

 Rte_ReadHook_<c>__<d>_Start(data);
 <Lock>();
 *(data) = Rte_<sci>_<sp>_<sd> ;
 <UnLock>();
 Rte_ReadHook_<c>__<d>_Return(data);

 return ret;
}

#define RTE_STOP_SEC_CODE
#include "MemMap.h"

2015, Vector Informatik GmbH
Version: 4.8
48 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
and Rte_<c>.h only contains the prototype:

# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Read_<c>__<d>(<tp> data);

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

In both cases the global variable in Rte_<soa>.c is declared as
#define RTE_START_SEC_VAR_<soa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
VAR(<dt>, RTE_VAR_INIT<nocache>) Rte_<sci>_<sp>_<sd> = <initializer>;
#define RTE_STOP_SEC_VAR_<soa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"

where <initializer> is the C representation of the init value that is configured for the sender
port data element.

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to do the initialization:

Rte_<sci>_<sp>_<sd> = <initializer>;

If the data element is a of a string or array type, no direct assignments are used. Instead,
the assignment is replaced by a memcpy
<Rte_MemCpy>(*(data), Rte_<sci>_<sp>_<sd> , sizeof(<t>));

The extern declaration for the global variable is contained in Rte_Type.h:
#define RTE_START_SEC_VAR_<soa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
extern VAR(<dt>, RTE_VAR_INIT<nocache>) Rte_<sci>_<sp>_<sd>;
#define RTE_STOP_SEC_VAR_<soa><nocache>_INIT_UNSPECIFIED
#include "MemMap.h"

If the datatype can be read and written atomically, the <Lock>() and <UnLock>() calls are
omitted from the Rte_Read API.

When Rte_Read is not a macro, it needs to be assured that the macros
Rte_ReadHook_<c>__<d>_Start(data) and
Rte_ReadHook_<c>__<d>_Return(data) do not have any side effects.
2015, Vector Informatik GmbH
Version: 4.8
49 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

When Rte_Read reads data from a component or BSW with lower safety level, sanity
checks have to be applied to the input data.

6.6.2.3 Configuration Variant With IsUpdated
> source code SWC
> no support for multiple instantiation
> no indirect API
> alive timeout is not configured
> invalidation is not configured
> no data prototype mapping
> is updated is configured
> never received is not configured
> sender is connected
> intra-ECU or inter-ECU communication
6.6.2.4 Generated Code With IsUpdated
Rte_Read with configured IsUpdated is similar to the variant without IsUpdated. However,
in the IsUpdated case, Rte_Read is always implemented as function in Rte_<oa>.c.

/******************************************************************************
* Update Flags for each Receiver with enableUpdate != 0
*****************************************************************************/
# define RTE_START_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

VAR(Rte_<oa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<oa>_RxUpdateFlags = {
 0
};

# define RTE_STOP_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_<oa>_RxUpdateFlagsInit() (Rte_MemClr(&Rte_<oa>_RxUpdateFlags,
2015, Vector Informatik GmbH
Version: 4.8
50 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
sizeof(Rte_<oa>_RxUpdateFlagsType)))

# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Read_<c>__<d>(<tp> data)
{
 Std_ReturnType ret = RTE_E_OK;

 Rte_ReadHook_<c>__<d>_Start(data);
 <Lock>();
*(data) = Rte_<sci>_<sp>_<sd> ;
 Rte_<oa>_RxUpdateFlags.Rte_RxUpdate_<ci>__<d> =
Rte_<soa>_RxUpdateFlags.Rte_RxUpdate_<ci>__<d>_Sender;
 <UnLock>();
 Rte_ReadHook_<c>__<d>_Return(data);

 return ret;
}

#define RTE_STOP_SEC_CODE
#include "MemMap.h"

The variable Rte_<soa>_RxUpdateFlags is declared in Rte_<soa>.c as:

# define RTE_START_SEC_VAR_<soa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

VAR(Rte_<soa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<soa>_RxUpdateFlags = {
 0
};

# define RTE_STOP_SEC_VAR_<soa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_<soa>_RxUpdateFlagsInit() (Rte_MemClr(&Rte_<soa>_RxUpdateFlags,
sizeof(Rte_<soa>_RxUpdateFlagsType)))

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to call Rte_<oa>_RxUpdateFlagsInit() and
Rte_<soa>_RxUpdateFlagsInit().

2015, Vector Informatik GmbH
Version: 4.8
51 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

The Update flags are declared in Rte_Type.h
typedef struct
{
Rte_BitType Rte_RxUpdate_<rci>_<rp>_<rd> : 1;
} Rte_<oa>_RxUpdateFlagsType;

typedef struct
{
Rte_BitType Rte_RxUpdate_<rci>_<rp>_<rd>_Sender : 1;
} Rte_<soa>_RxUpdateFlagsType;

# define RTE_START_SEC_VAR_<soa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(Rte_<soa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<soa>_RxUpdateFlags;

# define RTE_STOP_SEC_VAR_<soa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

# define RTE_START_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(Rte_<oa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<oa>_RxUpdateFlags;

# define RTE_STOP_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

Please note that in case of inter-ECU sender/receiver communication <soa> is the BSW
OS Application.
2015, Vector Informatik GmbH
Version: 4.8
52 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.3
Rte_IsUpdated
6.6.3.1
Configuration Variant

> source code SWC
> no support for multiple instantiation
> no indirect API
> alive timeout is not configured
> invalidation is not configured
> is updated is configured
> never received is not configured
> sender is connected
> intra-ECU or inter-ECU communication
6.6.3.2
Generated Code

Rte_<c>.h defines Rte_IsUpdated as follows:
# define Rte_IsUpdated__<d> Rte_IsUpdated_<c>__<d>
# define Rte_IsUpdated_<c>__<d>()
((Rte_<oa>_RxUpdateFlags.Rte_RxUpdate_<rci>_<rc>_<rd> ==
Rte_<soa>_RxUpdateFlags.Rte_RxUpdate_<rci>_<rp>_<rd>_Sender) ? FALSE : TRUE)

The Update flags are declared in Rte_Type.h

/******************************************************************************
* LOCAL DATA TYPES AND STRUCTURES
*****************************************************************************/

typedef unsigned int Rte_BitType;

typedef struct
{
 Rte_BitType Rte_RxUpdate_<rci>_<rp>_<rd> : 1;
} Rte_<oa>_RxUpdateFlagsType;

typedef struct
{
 Rte_BitType Rte_RxUpdate_<rci>_<rp>_<rd>_Sender :1;
} Rte_<soa>_RxUpdateFlagsType;

2015, Vector Informatik GmbH
Version: 4.8
53 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

# define RTE_START_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(Rte_<oa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<oa>_RxUpdateFlags;

# define RTE_STOP_SEC_VAR_<oa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

# define RTE_START_SEC_VAR_<soa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(Rte_<soa>_RxUpdateFlagsType, RTE_VAR_ZERO_INIT<nocache>)
Rte_<soa>_RxUpdateFlags;

# define RTE_STOP_SEC_VAR_<soa><nocache>_ZERO_INIT_UNSPECIFIED
# include "MemMap.h"

Variable initialization happens in Rte.c as described for the Rte_Read and Rte_Write APIs
(see 6.6.1.4 and 6.6.2.4).
2015, Vector Informatik GmbH
Version: 4.8
54 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.4 Rte_IrvWrite
6.6.4.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
6.6.4.2 Generated Code
When the inter runnables variable can be accessed atomically by the ECU
Rte_IrvWrite_<re>_<name> is declared as macro that writes to a global RTE variable.
# define RTE_START_SEC_VAR_<oa>_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(<t>, RTE_VAR_INIT) Rte_Irv_<ci>_<name>;

# define RTE_STOP_SEC_VAR_<oa>_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_IrvWrite_<re>_<name>(data) (Rte_Irv_<ci>_<name> = (data))

Otherwise, the API is implemented in Rte_<oa>.c
#define RTE_START_SEC_CODE
#include "MemMap.h"

FUNC(void, RTE_CODE) Rte_IrvWrite_<c>_<re>_<name>(<t> data)
{
 Rte_IrvWriteHook_<c>_<re>_<name>_Start(data);
 <Lock>();
 Rte_Irv_<ci>_<name> = data;
<UnLock>();
Rte_IrvWriteHook_<c>_<re>_<name>_Return(data);
}

#define RTE_STOP_SEC_CODE
#include "MemMap.h"

and Rte_<c>.h only contains a define to the function:

2015, Vector Informatik GmbH
Version: 4.8
55 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(void, RTE_CODE) Rte_IrvWrite_<c>_<re>_<name>(<t> data);

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

#define Rte_IrvWrite_<re>_<name> Rte_IrvWrite_<c>_<re>_<name>

In both cases the global variable in Rte_<oa>.c is declared as
#define RTE_START_SEC_VAR_<oa>_INIT_UNSPECIFIED
#include "MemMap.h"
VAR(<dt>, RTE_VAR_INIT) Rte_Irv_<ci>_<name> = <initializer>;
#define RTE_STOP_SEC_VAR_<oa>_INIT_UNSPECIFIED
#include "MemMap.h"

where <initializer> is the C representation of the init value that is configured for the inter-
runnable variable.

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to do the initialization:
Rte_Irv_<ci>_<name> = <initializer>;

If the datatype can be read and written atomically, the <LockInterupts>() and <UnLock>()
calls are omitted from the Rte_IrvWrite API.

When Rte_IrvWrite is not a macro, it needs to be assured that the macros
Rte_IrvWriteHook_<c>_<re>_<name>_Start(data) and
Rte_IrvWriteHook_<c>_<re>_<name>_Return(data) do not have any side effects.

2015, Vector Informatik GmbH
Version: 4.8
56 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.5 Rte_IrvRead
6.6.5.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
6.6.5.2 Generated Code
When the inter runnables variable can be accessed atomically by the ECU
Rte_IrvRead_<re>_<name> is declared as macro that reads a global RTE variable.
# define RTE_START_SEC_VAR_<oa>_INIT_UNSPECIFIED
# include "MemMap.h"

extern VAR(<t>, RTE_VAR_INIT) Rte_Irv_<ci>_<name>;

# define RTE_STOP_SEC_VAR_<oa>_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_IrvRead_<re>_<name>(data) Rte_Irv_<ci>_<name>

Otherwise, the API is implemented in Rte_<oa>.c
#define RTE_START_SEC_CODE
#include "MemMap.h"

FUNC(<t>, RTE_CODE) Rte_IrvRead_<c>_<re>_<name>(void)
{
<t> irvValue;

Rte_IrvReadHook_<c>_<re>_<name>_Start();

 <Lock>();
 irvValue = Rte_Irv_<ci>_<name>;
<UnLock>();

Rte_IrvReadHook_<c>_<re>_<name>_Return();

return irvValue;
}

#define RTE_STOP_SEC_CODE
#include "MemMap.h"
2015, Vector Informatik GmbH
Version: 4.8
57 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

and Rte_<c>.h only contains a define to the function:
# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(<t>, RTE_CODE) Rte_IrvRead_<c>_<re>_<name>(void);

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

#define Rte_IrvRead_<re>_<name> Rte_IrvRead_<c>_<re>_<name>

In both cases the global variable in Rte_<oa>.c is declared as
#define RTE_START_SEC_VAR_<oa>_INIT_UNSPECIFIED
#include "MemMap.h"
VAR(<dt>, RTE_VAR_INIT) Rte_Irv_<ci>_<name> = <initializer>;
#define RTE_STOP_SEC_VAR_<oa>_INIT_UNSPECIFIED
#include "MemMap.h"
where <initializer> is the C representation of the init value that is configured for the inter-
runnable variable.

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to do the initialization:
Rte_Irv_<ci>_<name> = <initializer>;

If the datatype can be read and written atomically, the <Lock>() and <UnLock>() calls are
omitted from the Rte_IrvRead API.

When Rte_IrvRead is not a macro, it needs to be assured that the macros
Rte_IrvReadHook_<c>_<re>_<name>_Start() and
Rte_IrvReadHook_<c>_<re>_<name>_Return() do not have any side effects.

2015, Vector Informatik GmbH
Version: 4.8
58 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.6 Rte_Pim
6.6.6.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
6.6.6.2 Generated Code
The API Rte_Pim is declared as access to a global RTE variable in Rte_<c>.h

# define RTE_START_SEC_VAR_DEFAULT_RTE_<oa>_PIM_GROUP_UNSPECIFIED
# include "MemMap.h"

extern VAR(<t>, RTE_VAR_DEFAULT_RTE_<oa>_PIM_GROUP) Rte_<ci>_<name>;

# define RTE_STOP_SEC_VAR_DEFAULT_RTE_<oa>_PIM_GROUP_UNSPECIFIED
# include "MemMap.h"

# define Rte_Pim_<name>() \\
(&Rte_<ci>_<name>)

Depending on the configuration of the memory section (see RTE Technical Reference) the
DEFAULT_RTE_<oa>_PIM_GROUP string is replaced by the configured group name.

The Rte_<c>_<name> variable is declared in Rte_<oa>.c:

# define RTE_START_SEC_VAR_DEFAULT_RTE_<oa>_PIM_GROUP_UNSPECIFIED
# include "MemMap.h"

VAR(<t>, RTE_VAR_DEFAULT_RTE_<d>_PIM_GROUP) Rte_<ci>_<name>;

# define RTE_STOP_SEC_VAR_DEFAULT_RTE_<oa>_PIM_GROUP_UNSPECIFIED
# include "MemMap.h"

2015, Vector Informatik GmbH
Version: 4.8
59 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.7 Rte_CData
6.6.7.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
> no online calibration
6.6.7.2 Generated Code
The API Rte_CData is declared as access to a global RTE variable in Rte_<c>.h
# define RTE_START_SEC_CONST_DEFAULT_RTE_CDATA_GROUP_UNSPECIFIED
# include "MemMap.h"

extern CONST(<t>, RTE_CONST_DEFAULT_RTE_CDATA_GROUP) Rte_<c>_<name>;

# define RTE_STOP_SEC_CONST_DEFAULT_RTE_CDATA_GROUP_UNSPECIFIED
# include "MemMap.h"

# define Rte_CData_<name>() (Rte_<c>_<name>)

Depending on the configuration of the memory section (see RTE Technical Reference) the
DEFAULT_RTE_CDATA_GROUP string is replaced by the configured group name.
The Rte_<c>_<name> variable is declared in Rte_<oa>.c:

#define RTE_START_SEC_CONST_DEFAULT_RTE_CDATA_GROUP_UNSPECIFIED
#include "MemMap.h"

CONST(<t>, RTE_CONST_DEFAULT_RTE_CDATA_GROUP) Rte_<c>_<name> = <initializer>;

#define RTE_STOP_SEC_CONST_DEFAULT_RTE_CDATA_GROUP_UNSPECIFIED
#include "MemMap.h"

where <initializer> is the C representation of the init value that is configured for the
calibration parameter = <initializer> is omitted when the calibration parameter does not
have an init value.

2015, Vector Informatik GmbH
Version: 4.8
60 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.8 Rte_Prm
6.6.8.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
> no indirect API
> no online calibration
> calibration port is connected
6.6.8.2 Generated Code
When the attribute “EnableTakeAddress” is not set for the calibration port, the API
Rte_Prm is declared as access to a global RTE variable in Rte_<c>.h
# define RTE_START_SEC_CONST_DEFAULT_RTE_CALPRM_GROUP_UNSPECIFIED
# include "MemMap.h"

extern CONST(<t>, RTE_CONST_DEFAULT_RTE_CALPRM_GROUP) Rte_<sc>_<sp>_<sd>;

# define RTE_STOP_SEC_CONST_DEFAULT_RTE_CALPRM_GROUP_UNSPECIFIED
# include "MemMap.h"

# define Rte_Prm__<d>() (Rte_<sc>_<sp>_<sd> )

Depending on the configuration of the memory section (see RTE Technical Reference) the
DEFAULT_RTE_CALPRM_GROUP string is replaced by the configured group name.

When “EnableTakeAddress” is set for the calibration port Rte_<c>.h maps the API to a
function in Rte_<oa>.c

# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(<t>, RTE_CODE) Rte_Prm_<c>__<d>(void);

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

# define Rte_Prm__<d> Rte_Prm_<c>__<d>

2015, Vector Informatik GmbH
Version: 4.8
61 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
Rte_<oa>.c then contains:

FUNC(<t>, RTE_CODE) Rte_Prm_<c>__<d>(void)
{
return Rte_<sc>_<sp>_<sd>;
}

In both cases the Rte_<sc>_<sp>_<sd> variable is declared in Rte.c:

#define RTE_START_SEC_CONST_DEFAULT_RTE_CALPRM_GROUP_UNSPECIFIED
#include "MemMap.h"

CONST(<t>, RTE_CONST_DEFAULT_RTE_CALPRM_GROUP) Rte_<sc>_<sp>_<sd> =
<initializer>;

#define RTE_STOP_SEC_CONST_DEFAULT_RTE_CALPRM_GROUP_UNSPECIFIED
#include "MemMap.h"

where <initializer> is the C representation of the init value that is configured for the
calibration parameter. No initializer is used when the calibration parameter does not have
an init value.

2015, Vector Informatik GmbH
Version: 4.8
62 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.9 Rte_Mode
6.6.9.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
> no indirect API
> mode port is connected
6.6.9.2 Generated Code
The API Rte_Mode is declared as access to a global RTE variable in Rte_<c>.h

When the attribute “EnableTakeAddress” is not set for the mode port, the API is
implemented as macro.

# define RTE_START_SEC_VAR<nocache>_INIT_UNSPECIFIED
# include "MemMap.h"
extern VAR(<t>, RTE_VAR_INIT<nocache>) Rte_ModeMachine_<sci>_<sp>_<sd>;
# define RTE_STOP_SEC_VAR<nocache>_INIT_UNSPECIFIED
# include "MemMap.h"

# define Rte_Mode__<d>() Rte_ModeMachine_<sci>_<sp>_<sd>

Otherwise the API is defined to a function
# define RTE_START_SEC_CODE
# include "MemMap.h"
FUNC(<t>, RTE_CODE) Rte_Mode_<c>__<d>(void);
# define RTE_STOP_SEC_CODE
# include "MemMap.h"

# define Rte_Mode__<d> Rte_Mode_<c>__<d>

that is implemented in Rte_<oa>.c
2015, Vector Informatik GmbH
Version: 4.8
63 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(<t>, RTE_CODE) Rte_Mode_<c>__<d>(void)
{
return Rte_ModeMachine_<sci>_<sp>_<sd>;
}

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

In both cases the global variable in Rte_<soa>.c is declared as

#define RTE_START_SEC_VAR<nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
VAR(<t>, RTE_VAR_INIT<nocache>) Rte_ModeMachine_<sci>_<sp>_<sd> = <mode>;
#define RTE_STOP_SEC_VAR<nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
where <mode> is the mode mode define for the configured init mode.

The extern declaration is contained in Rte_Type.h:
#define RTE_START_SEC_VAR<nocache>_INIT_UNSPECIFIED
#include "MemMap.h"
extern VAR(<t>, RTE_VAR_INIT<nocache>) Rte_ModeMachine_<sci>_<sp>_<sd>;
#define RTE_STOP_SEC_VAR<nocache>_INIT_UNSPECIFIED
#include "MemMap.h"

For systems where the compiler does not initialize global variables, the API
Rte_InitMemory needs to do the initialization:

Rte_ModeMachine_<sci>_<sp>_<sd> = <mode>;
2015, Vector Informatik GmbH
Version: 4.8
64 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.10 Rte_Call
6.6.10.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
> no indirect API
> Synchronous call
> Direct call:
> server runnable is not mapped
> server runnable is mapped to the same task
> server runnable has CanBeInvokedConcurrently set to true
6.6.10.2 Generated Code
When the server runnable has a return code and no port defined arguments, the API
Rte_Call is declared in Rte_<c>.h as macro:

# define <c>_START_SEC_CODE
# include "MemMap.h"
FUNC(Std_ReturnType, <c>_CODE) <sres>(<arglist>);
# define <c>_STOP_SEC_CODE
# include "MemMap.h"

# define Rte_Call__<o> <sres>

When the server runnable does not have a return code or if there are port defined
arguments and “EnableTakeAddress” is not set Rte_Call is declared as:
# define <c>_START_SEC_CODE
# include "MemMap.h"
FUNC(void, <c>_CODE) <sres>(<parglist><arglist>);
# define <c>_STOP_SEC_CODE
# include "MemMap.h"

# define Rte_Call__<o>(<arglist>) (<sres>(<parglist><arglist),
((Std_ReturnType)RTE_E_OK))

When the server runnable does not have a return code or if there are port defined
arguments and “EnableTakeAddress” is set, Rte_Call is declared as:
2015, Vector Informatik GmbH
Version: 4.8
65 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE

# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Call_<c>__<o>(<parglist><arglist>);

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

# define Rte_Call__<o> Rte_Call_<c>__<o>

and Rte_<oa>.c contains the code

# define RTE_START_SEC_CODE
# include "MemMap.h"

FUNC(Std_ReturnType, RTE_CODE) Rte_Call_<c>__<o>(<parglist><arglist>)
{
 Std_ReturnType ret = RTE_E_OK;
 Rte_CallHook_<c>__<o>_Start(<parglist><arglist>);

 Rte_Runnable_<sc>_<sre>_Start(<parglist><arglist>);
 <sres>(<arglist>);
 Rte_Runnable_<sc>_<sre>_Return(<parglist><arglist>);

 Rte_CallHook_<c>__<o>_Return(<parglist><arglist>);
 return ret;
}

# define RTE_STOP_SEC_CODE
# include "MemMap.h"

The return value of the Rte_Call API needs to be evaluated when the server operation has
configured application return codes.
When Rte_Call is not a macro, it needs to be assured that the Rte_CallHook_ and
Rte_Runnable_ macros do not have any side effects.

2015, Vector Informatik GmbH
Version: 4.8
66 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.11 Rte_Enter
6.6.11.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
> Implementation method is set to OS interrupt blocking
6.6.11.2 Generated Code
The API Rte_Enter is declared in Rte_<c>.h as

# define Rte_Enter_<name>() \
 { \
 Rte_EnterHook_<c>_<name>_Start(); \
 SuspendOSInterrupts(); \
 Rte_EnterHook_<c>_<name>_Return(); \
}

It needs to be assured that the macros Rte_EnterHook_<c>_<name>_Start() and
Rte_EnterHook_<c>_<name>_Return() do not have any side effects.

It has to be assured that no included non-OS header or SWC code redefines the
SuspendOSInterrupts() and ResumeOSInterrupts() calls.
2015, Vector Informatik GmbH
Version: 4.8
67 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.6.12 Rte_Exit
6.6.12.1 Configuration Variant
> source code SWC
> no support for multiple instantiation
> Implementation method is set to OS interrupt blocking
6.6.12.2 Generated Code
The API Rte_Exit is declared in Rte_<c>.h as

# define Rte_Exit_<name>() \
 { \
 Rte_ExitHook_<c>_<name>_Start(); \
 ResumeOSInterrupts(); \
 Rte_ExitHook_<c>_<name>_Return(); \
}

It has to be assured that no included non-OS header or SWC code redefines the
SuspendOSInterrupts() and ResumeOSInterrupts() calls.

It needs to be assured that the macros Rte_ExitHook_<c>_<name>_Start() and
Rte_ExitHook_<c>_<name>_Return() are do not have any side effects.

2015, Vector Informatik GmbH
Version: 4.8
68 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.7
BSW specifc RTE APIs
6.7.1 SchM_Enter
6.7.1.1 Configuration Variant
> source code BSW
> Implementation method is set to All or OS interrupt blocking
6.7.1.2 Generated Code
The API SchM_Enter is declared in SchM_<bsw>.h as

# define SchM_Enter_<bsw>_<name>() \
 { \
 SuspendAllInterrupts(); \
}

for ImplementationMethod All Interrupt Blocking. Otherwise SuspendOSInterrupts() is
called.
It has to be assured that no included non-OS header or BSW code redefines the
SuspendAllInterrupts()/SuspendOSInterrupts()
and
ResumeAllInterrupts()/ResumeOSInterupts() calls.
6.7.2 SchM_Exit
6.7.2.1
Configuration Variant
> source code BSW
> Implementation method is set to All or OS interrupt blocking
6.7.2.2 Generated Code
The API SchM_Exit is declared in SchM_<bsw>.h as

# define SchM_Exit_<bsw>_<name>() \
 { \
 ResumeAllInterrupts(); \
}

for ImplementationMethod All Interrupt Blocking. Otherwise ResumeOSInterrupts() is
called.
2015, Vector Informatik GmbH
Version: 4.8
69 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
It has to be assured that no included non-OS header or BSW code redefines the
SuspendAllInterrupts()/SuspendOSInterrupts()
and
ResumeAllInterrupts()/ResumeOSInterupts() calls.

2015, Vector Informatik GmbH
Version: 4.8
70 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.8
RTE Lifecycle APIs
6.8.1 Rte_Start
Rte_Start is not called from the ASIL context.
6.8.2 Rte_Stop
Rte_Stop is not called from the ASIL context.
6.8.3 Rte_InitMemory
Rte_InitMemory needs to be called before the OS sets up the memory protection when the
compiler does not initialize global variables. The method itself and the method it calls need
to do all initialization for the APIs that are listed in chapter 6.6.
6.9
RTE Internal Functions
6.9.1 Rte_MemCpy
Rte_MemCpy is called by RTE code that is called from the ASIL SWCs in order to copy
data from the memory location “source” to the memory location „destination“. When
Rte_MemCpy is called from the ASIL SWCs it needs to be checked that the parameter
num which specifies the number of bytes that shall be copied is of type uint16 and that the
memory regions “destination” and “source” contain num bytes. Moreover destination needs
to be writable. For larger data sizes, the generator uses a method Rte_MemCpy32 that
copies in blocks of 4 byte when source and destination are aligned accordingly.

FUNC(void, RTE_CODE) Rte_MemCpy(P2VAR(void, AUTOMATIC, RTE_APPL_VAR)
destination, P2CONST(void, AUTOMATIC, RTE_APPL_DATA) source, uint16_least num)

FUNC(void, RTE_CODE) Rte_MemCpy32(P2VAR(void, AUTOMATIC, RTE_APPL_VAR)
destination, P2CONST(void, AUTOMATIC, RTE_APPL_DATA) source, uint16_least num)

The functionality of Rte_MemCpy and Rte_MemCpy32 needs to be checked.
Rte_MemCpy and Rte_MemCpy32 must not read and write outside the specified memory
regions and the alignment requirements of the target platform need to be fulfilled.
6.9.2 Rte_MemClr
Rte_MemClr is not called from the ASIL SWCs. It is used for the initialization of global
variables with zeros within Rte.c and Rte_<oa>.c.
STATIC FUNC(void, RTE_CODE) Rte_MemClr(P2VAR(void, AUTOMATIC, RTE_VAR_NOINIT)
ptr, uint16_least num);

2015, Vector Informatik GmbH
Version: 4.8
71 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
It has to be checked, that the first parameter is a pointer to a writable variable and that the
second parameter is the length of the variable. Rte_MemClr is not allowed to write outside
the specified memory region.
6.10 RTE Tasks
It needs to be checked that Rte_<oa>.c contains the implementation of all RTE tasks that
are assigned to ASIL OS Applications:

TASK(<name>)
{
 Rte_Task_Dispatch(<name>);

 /* call runnable */
 Rte_Runnable_<c>_<re>_Start();
 <res>();
 Rte_Runnable_<c>_<re>_Return();

 (void)TerminateTask();
}

It needs to be checked that the trace hooks
> Rte_Task_Dispatch
> Rte_Runnable_<c>_<re>_Start
> Rte_Runnable_<c>_<re>_Return
do not have any side effects.
The task body is only allowed to contain calls to runnables and schedulable entities that
are mapped to the task in the configuration and calls to TerminateTask. The call to
TerminateTask needs to be the last operation in the task and it always needs to be done.
It has to be assured that no included non-OS header or RTE code redefines the TASK()
and TerminateTask() calls.
The name within the TASK call needs to be the name of the configured OS task.
For schedulable entities, the calls to the hooks are omitted by default.
6.11 Verification of OS Configuration
The integrator is responsible for correctly configuring the OS.
It needs to be checked that the OS contains no trusted OS Applications that do not have
the highest ASIL.
It needs to be checked that the OS contains no tasks that are assigned to an ASIL OS
Application and that are not implemented with the given ASIL.
2015, Vector Informatik GmbH
Version: 4.8
72 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
6.12 Verification of Memory Mapping Configuration
It needs to be verified that all variables Rte_<sci>__<d> of sender port data elements,
Rte_<oa>_RxUpdateFlags, Rte_Irv_<ci>_<name> of inter-runnable variables and
Rte_<ci>_<name> of per-instance memories from ASIL SWCs are mapped to memory
sections of the SWC’s OS Application so that they are protected from writes outside this
OS Application.
When the variables are assigned to different sections or when other RTE variables are
assigned to the section, memory protection faults might occur.

2015, Vector Informatik GmbH
Version: 4.8
73 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
7
Safety Lifecycle Tailoring
The development of the MICROSAR RTE started as Safety Element out of context at the
software unit level.
The unit design is based on the requirements of the AUTOSAR RTE specification [1].
Based  on  the  requirements  and  the  RTE  design  a  set  of  test  cases  with  typical
configurations were derived. The RTE was generated for the test cases and compiled with
SWC stubs. Finally, the code was runtime tested on different target platforms and a MISRA
analysis was performed.
During the development of the MICROSAR RTE, assumptions regarding the architecture
and  the  safety  requirements  were  made.  The  integrator  is  responsible  for  creating  a
complete architecture design and for specifying the software safety requirements. He then
needs to verify the assumptions that are listed within this document.
As  the  generated  RTE  code  heavily  depends  on  the  input  configuration,  it  is  also  the
responsibility of the integrator to integrate and test the generated RTE code.
Furthermore, it needs to be verified that the generated code fulfils the safety requirements
of the target system.

2015, Vector Informatik GmbH
Version: 4.8
74 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
8  Glossary and Abbreviations
8.1
Glossary
Term
Description
DaVinci DEV
DaVinci Developer: The SWC and RTE Configuration Editor.
DaVinci CFG
DaVinci Configurator: The BSW and RTE Configuration Editor.
E2E PW
E2E Protection Wrapper: Wrapper Functions to access the E2E Library
Table 8-1   Glossary

8.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
ASIL
Automotive Safety Integrity Level
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
E2E
AUTOSAR End-to-End Communication Protection Library
ECU
Electronic Control Unit
H&R
Hazard and Risk Analysis
HIS
Hersteller Initiative Software
ISO
International Organization for Standardization
ISR
Interrupt Service Routine
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR
solution)
MPU
Memory Protection Unit (realized in hardware by the processor)
RTE
Runtime Environment
SEooC
Safety Element out of Context: a safety-related element which is not
developed for a specific item
SWC
Software Component
OS
Operating System
OS Application
An OS Application is a set of tasks and ISRs with a partial common MPU
setting
TCL
Tool Qualification Level
QM
Quality Management (used for software parts developed following only a
standard quality management process)
Table 8-2   Abbreviations
2015, Vector Informatik GmbH
Version: 4.8
75 / 76
based on template version 4.8.0

Safety Guide MICROSAR RTE
9  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 4.8
76 / 76
based on template version 4.8.0

Document Outline

21.5 - TechnicalReference_Rte

MICROSAR RTE

21.6 - TechnicalReference_Rte_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126
Page 127
Page 128
Page 129
Page 130
Page 131
Page 132
Page 133
Page 134
Page 135
Page 136
Page 137
Page 138
Page 139

21.7 - TechnicalReference_Rtes

MICROSAR RTE
Technical Reference

Version 4.8.0

Authors
Bernd Sigle, Martin Schlodder, Sascha Sommer,
Stephanie Schaaf, Katharina Benkert, Cornelius Reuss
Status
Released

Technical Reference MICROSAR RTE

Document Information
History
Author
Date
Version  Remarks
Bernd Sigle
2005-11-14  2.0.0
Document completely reworked and adapted to
AUTOSAR RTE
Bernd Sigle
2006-04-20  2.0.1
API description for Rte_IRead / Rte_IWrite added,
description of used OS/COM services added
Bernd Sigle
2006-07-11  2.0.2
API description for Rte_Receive / Rte_Send added;
Adaptation to RTE SWS 1.0.0 Final
Martin Schlodder  2006-11-02  2.0.3
Separation of RTE and target package
Martin Schlodder  2006-11-15  2.0.4
Client/Server communication
Martin Schlodder  2006-12-21  2.0.5
Serialized client/server communication
Martin Schlodder  2007-01-17  2.0.6
Array data types
Martin Schlodder  2007-02-14  2.0.7
Added exclusive areas, removed description of
TargetPackages
Bernd Sigle
2007-02-19  2.0.8
Added transmission acknowledgement  handling and
minor rework of the document
Bernd Sigle
2007-04-25  2.0.9
Added Rte_IStatus
Martin Schlodder  2007-04-27  2.0.10
Added IRV and Const/Enum
Martin Schlodder  2007-05-01  2.1.0
Completed documentation for Version 2.2
Bernd Sigle
Bernd Sigle
2007-07-27  2.1.1
Added Rte_InitMemory, Rte_IWriteRef Runnable.
Added description of runnable activation offset und
updated picture of MICROSAR architecture.
Martin Schlodder  2007-08-03  2.1.2
Added description of template update.
Martin Schlodder  2007-11-16  2.1.3
Added warning regarding IWrite / IrvIWrite.
Bernd Sigle
Added API descriptions of VFB trace hooks.
Updated data type info for nested types.
Martin Schlodder  2008-02-06  2.1.4
Updated descriptions on template merging and task
Bernd Sigle
mapping.
Added description of Rte_Pim, Rte_CData,
Rte_Calprm and Rte_Result.
Added support of string data type.
Updated command line argument description.
Added NvRAM mapping description.
Added chapter about compiler abstraction and
memory mapping.
Hannes Futter
2008-03-11  2.1.5
Additional command line switches to support direct
generation on xml and dcf files.
Bernd Sigle
2008-03-26  2.2.0
Updated description of NV Memory Mapping and
Chapter about limitations added.
Chapter about compiler and memory abstraction
updated.
Support for AUTOSAR Release 3.0 added.
2015, Vector Informatik GmbH
Version: 4.8.0
2 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Bernd Sigle
2008-04-16  2.3.0
Added description about A2L file generation and
updated command line options and example calls to
cover also the AUTOSAR XML input files.
Bernd Sigle
2008-07-16  2.4.0
Removed limitations for multiple instantiation and
compatibility mode support.
Bernd Sigle
2008-08-13  2.5.0
Added description of indirect APIs Rte_Port, Rte_Ports
and Rte_NPorts. Added description of platform
dependent resource calculation.
Bernd Sigle
2008-10-23  2.6.0
Added description of memory protection support.
Bernd Sigle
2009-01-23  2.7.0
Added description of mode management APIs
Rte_Mode and Rte_Switch and updated description of
Rte_Feedback.
Added description of Rte_Invalidate and
Rte_IInvalidate and added new Com APIs.
Added additional runnable trigger events and removed
section for runnables without trigger, which is no
longer supported.
Deviation for [rte_sws_2648] added.
Usage of new document template
Bernd Sigle
2009-03-26  2.8.0
Removed limitations for unconnected ports and for
data type generation.
Sascha Sommer  2009-08-11  2.9.0
Added description about usage of basic / extended
Bernd Sigle
task
Added description of command line parameter -v
Sascha Sommer  2009-10-22  2.10.0
Added a warning for VFB trace hooks that prevent
Bernd Sigle
macro optimizations
Explained that the Activation task attribute has to be
set for basic tasks
Init-Runnables no longer need to have a special suffix
Explained the new periodic trigger implementation
dialog.
Server runnables with CanBeInvokedConcurrently set
to false do not need to be mapped to tasks when the
calling clients cannot interrupt each other
Resource Usage is now listed in a HTML report
Updated version of referenced documents and of
supported AUTOSAR release.
Updated examples with new workspace file extension.
Added new defines for memory mapping.
Bernd Sigle
2010-04-09  2.11.0
Added description of user header file Rte_UserTypes.h
Updated component history and interface functions to
the OS. Added pictures of Rte Interfaces and Rte
Include Structure. Updated picture of MICROSAR
architecture. Rework of chapter structure.
Bernd Sigle
2010-05-25  2.11.1
Added description of RTE optimization mode
2015, Vector Informatik GmbH
Version: 4.8.0
3 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Bernd Sigle
2010-05-26  2.12.0
Added new measurement chapter, added description
Sascha Sommer
of COM Rx Filter, macros for access of invalid value,
initial value, lower and upper limit, added support of
minimum start interval and second array passing
variant. Support of AUTOSAR Release 3.1 (RTE SWS
2.2.0)
Bernd Sigle
2010-07-22  2.13.0
Added online calibration support. Removed limitation

of missing transmission error detection
Bernd Sigle
2010-09-28  2.13.1
Added more detailed description of extended record

data type compatibility rule
Bernd Sigle
2010-11-23  2.14.0
Removed obsolete command line parameters –bo, –bc

and –bn.
Stephanie Schaaf
2011-07-25  2.15.0
Added general support of AUTOSAR Release 3.2.1
Bernd Sigle
(RTE SWS 2.4.0).
Sascha Sommer
Added support of never received status.
Added support of S/R update handling.
Mentioned that –g c and –g i ignore service
components when –m specifies an ECU project.
Explained RTE usage with Non-Trusted BSW
Added hint for FUNC_P2CONST() problems
Explained measurement of COM signals
Stephanie Schaaf   2012-01-25  2.16.0
Enhanced command line interface (support for several
Bernd Sigle
generation modes in one command line call, optional
Sascha Sommer
command line parameter –m)
Split of RTE into OS Application specific files
Byte arrays no longer need to be mapped to signals
groups
Allow configuration of Schedule() calls in non-
preemptive tasks
Bernd Sigle
2012-05-18  2.17.0
Corrected description how the Rte_IsUpdated API can
be enabled
Bernd Sigle
2012-09-18  2.18.0
Added general support of AUTOSAR Release 3.2.2
(RTE SWS 2.5.0).
Added support of non-queued N:1 S/R communication
Bernd Sigle
2012-08-28  3.90.0
AUTOSAR 4.0.3 support, DaVinci Configurator 5
support
Bernd Sigle
2012-12-11  4.0.0
Updated API descriptions concerning
RTE_E_UNCONNECTED  return code
Added description of Rte_UserTypes.h file which is
now also generated with the template mechanism
Stephanie Schaaf  2013-03-26  4.1.0
Added support of Rte_MemSeg.a2l file
Added description of –o sub option for A2L file path
Bernd Sigle
2013-06-14  4.1.1
Added Multi-Core support (S/R communication)
Added support of Inter-Runnable Variables with
composite data types
2015, Vector Informatik GmbH
Version: 4.8.0
4 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Katharina Benkert  2013-10-30  4.2.0
Added support for arrays of dynamic data length
Stephanie Schaaf
(Rte_Send/Rte_Receive)
Sascha Sommer
Added support for parallel generation for multiple
Bernd Sigle
component types
Multicore support
Added support for SchM Contract Phase Generation
Added support for Nv Block SWCs
Katharina Benkert  2014-02-06  4.3.0
Added support of VFB Trace Client Prefixes
Sascha Sommer
Optimized Multicore support without IOCs
Stephanie Schaaf
Memory Protection support for Multicore systems
Inter-ECU sender/receiver communication, queued
sender/receiver communication and mapped
client/server calls are no longer limited to the BSW
partition
Added support of Development Error Reporting
Added support of registering XCP Events in the XCP
module configuration
Stephanie Schaaf  2014-06-17  4.4.0
Support for unconnected client ports for synchronous
Bernd Sigle
C/S communication
Inter-Ecu C/S communication using SOME/IP
Transformer
Support for PR-Ports
S/R Serialization using SOME/IP Transformer and E2E
Transformer
Support LdCom
Bernd Sigle
2014-08-13  4.4.1
Described decimal coding of the version defines and
the return code of SchM_GetVersionInfo
Added chapter about additional copyrights of FOSS
Bernd Sigle
2014-09-12  4.4.2
Minor format changes only
Bernd Sigle
2014-08-13  4.5.0
Support Postbuild-Selectable for variant data
mappings and variant COM signals
Support E2E Transformer for Inter-Ecu C/S
communication
Support tasks mappings where multiple runnable or
schedulable entities using different cycle times or
activation offsets are mapped to a single Basic Task.
The realization uses OS Schedule Tables
Support Rte_DRead API
Enhanced support for PR-Ports
Support ServerArgumentImplPolicy = use
ArrayBaseType
Explicit order of ModeDeclarationGroups
2015, Vector Informatik GmbH
Version: 4.8.0
5 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Bernd Sigle
2014-12-08  4.6.0
Support of PR Mode Ports
Support of PR Nv Ports
Support of bit field data types (CompuMethods with
category BITFIELD_TEXTTABLE)
Runtime optimized copying of large data
Support for SW-ADDR-METHOD on RAM blocks of
NvRAM SWCs
Bernd Sigle
2015-02-20  4.7.0
Support of background triggers
Support of data prototype mappings
Support of bit field text table mappings
Support of union data types
Support of UTF16 data type serialization in the
SOME/IP transformer
Runtime optimization in the generated RTE code by
usage of optimized interrupt locking APIs of the
MICROSAR OS
Support of further E2E profiles for data transformation
with the SOME/IP and E2E transformer
Support of OS counters with tick durations smaller
than 1µs
Bernd Sigle
2015-07-26  4.8.0
Support of COM based Transformer ComXf
Support of different strategies for writing NV data in Nv
Block SWCs
Support of C/S Interfaces for Nv Block SWCs
SWC Template generation provides user sections for
documentation of runnable entities
Wide character support in paths
Improved counter selection for operating systems with
multiple OS applications
Support of optimized macro implementation for
SchM_Enter and SchM_Exit
Enhanced OS Spinlock support
Enable optimizations in QM partitions
Table 1-1   History of the document
2015, Vector Informatik GmbH
Version: 4.8.0
6 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Reference Documents
No.
Title
Version
[1]
AUTOSAR_SWS_RTE.pdf
3.2.0
[2]
AUTOSAR_EXP_VFB.pdf
2.2.0
[3]
AUTOSAR_SWS_COM.pdf
4.2.0
[4]
AUTOSAR_SWS_OS.pdf
5.0.0
[5]
AUTOSAR_SWS_NVRAMManager.pdf
3.2.0
[6]
AUTOSAR_SWS_ECU_StateManager.pdf
3.0.0
[7]
AUTOSAR_SWS_StandardTypes.pdf
1.3.0
[8]
AUTOSAR_SWS_PlatformTypes.pdf
2.5.0
[9]
AUTOSAR_SWS_CompilerAbstraction.pdf
3.2.0
[10]
AUTOSAR_SWS_MemoryMapping.pdf
1.4.0
[11]
AUTOSAR_TPS_SoftwareComponentTemplate.pdf
4.2.0
[12]
AUTOSAR_TPS_SystemTemplate.pdf
4.2.0
[13]
AUTOSAR_TPS_ECUConfiguration.pdf
3.2.0
[14]
AUTOSAR_TR_Glossary.pdf
2.4.0
[15]
AUTOSAR_TPS_BSWModuleDescriptionTemplate.pdf
2.2.0
[16]
AUTOSAR_SWS_XCP.pdf
2.0.0
[17]
AUTOSAR_SWS_ DevelopmentErrorTracer.pdf
3.2.0
[18]
Vector DaVinci Configurator Online help

[19]
Vector DaVinci Developer Online help

[20]
AUTOSAR Calibration User Guide
1.0
Table 1-2   Reference documents

Scope of the Document
This  document  describes  the  MICROSAR  RTE  generator.  It  assumes  that  the  reader  is
familiar with the AUTOSAR architecture, especially the software component (SWC) design
methodology  and  the AUTOSAR  RTE  specification.  It  also  assumes  basic  knowledge  of
some basic software  (BSW) modules like AUTOSAR Os, Com,  LdCom,  NvM and EcuM.
The  description  of  those  components  is  not  part  of  this  documentation.  The  related
documents are listed in Table 1-2.

2015, Vector Informatik GmbH
Version: 4.8.0
7 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Please note
We have configured the programs in accordance with your specifications in the
questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2015, Vector Informatik GmbH
Version: 4.8.0
8 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.

Component Version  New Features
2.3
 Complex hierarchical data types like arrays of records
 Optimization: Depending on the configuration the Rte_Read API is
generated as macro if possible
2.4
 String data type (Encoding ISO-8859-1)
 SWC local calibration parameters (Rte_CData)
 Optimization: Depending on the configuration the Rte_Write API is
generated as macro if possible
 Generation of unmapped client runnables enabled
 Asynchronous C/S communication (Rte_Result)
2.5
 Support of AUTOSAR 3.0 Revision 0001
 Access to calibration element prototypes of calibration components
(Rte_Calprm)
 Access to Per-Instance Memory (Rte_Pim)
 SWC implementation template generation (command line option -g i)
and Contract Phase generation (command line option -g c)  for a
complete ECU
2.6
 Intra-ECU timeout handling for synchronous C/S communication
 Parallel access of synchronous and asynchronous server calls to an
operation of one server port
 Generation of an ASAM MCD 2MC / ASAP2 compatible A2L file
fragment for calibration parameters and Per-Instance Memory
2.7
 Multiple instantiation of software components
 Compatibility mode
 Object code software components
2.8
 Indirect APIs (Rte_Ports, Rte_NPorts and Rte_Port)
 Port API Option 'EnableTakeAddress'
 Platform dependent resource calculation.
2.9
 Memory protection (OS with scalability class SC3/SC4)
2.10
 Mode management including mode switch triggered runnable entities
and mode dependent execution of runnable entities. (Rte_Switch,
Rte_Mode and Rte_Feedback for mode switch acknowledge)
 Data element invalidation (Rte_Invalidate and Rte_IInvalidate)
 Data reception error triggered runnable entities for invalidated and
outdated data elements
 Multiple cyclic triggers per runnable entity
 Multiple OperationInvokedEvent triggers for the same runnable entity
with compatible operations
 Extended A2L file generation for calibration parameters and Per-
2015, Vector Informatik GmbH
Version: 4.8.0
15 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Component Version  New Features
Instance Memory for user defined attributes (A2L-ANNOTATION)
2.11
 Signal Fan-In
 Unconnected provide ports
 Generation of unreferenced data types
 Evaluation of COM return codes
2.12
 Basic task support (automatically selection)
 Several optimizations (e.g. unneeded interrupt locks and Schedule()
call removed)
 Enhanced error reporting with help messages (-v command line
option)
 Support of acknowledgement only mode for transmission and mode
switch notification
 Usage of compiler library functions (e.g. memcpy) removed
 Template file update mechanism also introduced for Rte_MemMap.h
and Rte_Compiler_Cfg.h
2.13
 Unconnected require ports
 Basic task support (manual selection)
 Init-Runnables no longer have name restrictions
 Automatic periodic trigger generation can be disabled e.g. useful for
Schedule Table support
 HTML Report including resource usage
 Explicit selection of task role (Application / BSW Scheduler / Non Rte)
 Runnables with CanBeInvokedConcurrently set to false no longer
require a mapping, if they are not called concurrently.
2.14
 Support composite data types where not all primitive members require
an invalid value
 Support inclusion of user header file 'Rte_UserTypes.h'
2.15
 Optimized runnable scheduling to reduce latency times
 Allow implementation template generation for service components,
complex device drivers and EcuAbstraction components
 Optimization mode (minimize RAM consumption /  minimize execution
time)
2.16
 MinimumStartInterval attribute (runnable de-bouncing)
 Measurement support for S/R communication, Interrunnable variables
and mode communication. Extended A2L File generation and support
of new ASAM MCD 2MC / ASAP2 standard. Measurement with
XcpEvents
 Com Filter (NewDiffersOld, Always)
 Invalid value accessible from application
 Support of second array passing variant
2.17
 Online calibration support
 Support transmission error detection
 Support of extended record data type compatibility for S/R
communication with different record layout on sender and receiver side
2.18
 Enhanced implicit communication support
2015, Vector Informatik GmbH
Version: 4.8.0
16 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Component Version  New Features
2.19
 Support of AUTOSAR 3.2 Revision 0001
 Support never received status
 Support S/R update handling (Rte_IsUpdated based on AUTOSAR
4.0)
 Enhanced measurement support (Inter-Ecu S/R communication)
 Selective file generation (only if file content is modified)
 Support for Non-Trusted BSW
2.20
 Enhanced command line interface (support for several generation
modes in one call, optional command line parameter –m)
 Split of generated RTE into OS Application specific files
 Byte arrays no longer need to be mapped to signal groups
 Allow configuration of Schedule() calls in non-preemptive tasks
 Generation of MISRA justification comments
2.21
 Support of SystemSignals and SystemSignalGroups using the same
name
 Support of hexadecimal coded enumeration values
2.22
 Support of AUTOSAR 3.2 Revision 0002
 Support S/R update handling according AUTOSAR 3.2.2
 Support N:1 S/R communication
 Support unconnected calibration R-Ports
 Enhanced initial value handling
3.90
 Support of AUTOSAR 4.0 Revision 0003
4.0
 Support of pointer implementation data types
 Support of ‘On Transition’ triggered runnable entities
 Support of data type symbol attribute
 Support of component type symbol attribute
 Template generation mechanism added for Rte_UserTypes.h
4.1
 Support of Rte_MemSeg.a2l
 Enhanced command line interface (path for A2L files selectable)
4.1.1
 Multi-Core support (S/R communication)
 Support of Inter-Runnable Variables with composite data types
4.2
 Support for arrays of dynamic data length (Rte_Send/Rte_Receive)
 Support for parallel generation for multiple component types
 Multi-Core support:
  C/S communication
  Mode communication without ModeDisablings and ModeTriggers
  Inter-ECU S/R communication
 Support mapping of individual OperationInvoked triggers
 Support of SchM Contract Phase Generation
 Support of Nv Block SWCs
4.3
 Support of VFB Trace Client Prefixes
 Enhanced Memory Protection support
  Memory Protection support for Multi-Core systems
  Inter-ECU sender/receiver communication is no longer limited to the
2015, Vector Informatik GmbH
Version: 4.8.0
17 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Component Version  New Features
BSW partition
  Mapped client/server calls are no longer limited to the BSW partition
  Queued sender/receiver communication is no longer limited to the
BSW partition
 Optimized Multi-Core support without IOCs
 Support of Development Error Reporting
 Support of registering XCP Events in the XCP module configuration
4.4
 Support for unconnected client ports for synchronous C/S
communication
 Inter-Ecu C/S communication using SOME/IP Transformer
 Support for PR-Ports
 S/R Serialization using SOME/IP Transformer and E2E Transformer
 Support LdCom
 Improved support for 3rd Party OS interoperability especially regarding
OS Counter handling
4.5
 Support Postbuild-Selectable for variant data mappings and variant
COM signals
 Support E2E Transformer for Inter-Ecu C/S communication
 Support tasks mappings where multiple runnable or schedulable
entities using different cycle times or activation offsets are mapped to a
single Basic Task. The realization uses OS Schedule Tables
 Support Rte_DRead API
 Enhanced support for PR-Ports
 Support ServerArgumentImplPolicy = use ArrayBaseType
 Support for Mode Declaration Groups with Explicit Order
4.6
 Support of PR Mode Ports
 Support of PR Nv Ports
 Support of bit field data types (CompuMethods with category
BITFIELD_TEXTTABLE)
 Runtime optimized copying of large data
 Support for SW-ADDR-METHOD on RAM blocks of NvRAM SWCs
4.7
 Support of background triggers
 Support of data prototype mappings
 Support of bit field text table mappings
 Support of union data types
 Support of UTF16 data type serialization in the SOME/IP transformer
 Runtime optimization in the generated RTE code by usage of
optimized interrupt locking APIs of the MICROSAR OS
 Support of further E2E profiles for data transformation with the
SOME/IP and E2E transformer
 Support of OS counters with tick durations smaller than 1µs
4.8
 Support of COM based Transformer ComXf
 Support of different strategies for writing NV data in Nv Block SWCs
 Support of C/S Interfaces for Nv Block SWCs
 SWC Template generation provides user sections for documentation of
2015, Vector Informatik GmbH
Version: 4.8.0
18 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Component Version  New Features
runnable entities
 Wide character support in paths
 Improved counter selection for operating systems with multiple OS
applications
 Support of optimized macro implementation for SchM_Enter and
SchM_Exit
 Enhanced OS Spinlock support
 Enable optimizations in QM partitions
Table 1-1   Component history
2015, Vector Informatik GmbH
Version: 4.8.0
19 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

2  Introduction
The  MICROSAR  RTE  generator  supports  RTE  and  contract  phase  generation.
Additionally, application template code can be generated for software components and for
VFB trace hooks.
This document describes the MICROSAR RTE generation process, the RTE configuration
with DaVinci Configurator and the RTE API.
Chapter  3  gives  an  introduction  to  the  MICROSAR  RTE.  This  brief  introduction  to  the
AUTOSAR  RTE  can  and  will  not  replace  an  in-depth  study  of  the  overall  AUTOSAR
methodology  and  in  particular  the AUTOSAR  RTE  specification,  which  provides  detailed
information on the concepts of the RTE.
In  addition  chapter  3  describes deviations, extensions and  limitations  of  the  MICROSAR
RTE compared to the AUTOSAR standard.
The RTE  generation process including the command line parameters of the  MICROSAR
RTE generator is described in chapter 4. This chapter also gives hints for integration of the
generated  RTE  code  into  an  ECU  project.  In  addition  it  describes  the  memory  mapping
and compiler abstraction related to the RTE and finally, chapter 4.6 describes the memory
protection support of the RTE including hints for integration with the OS.
The  RTE  API  description  in  chapter  5  covers  the  API  functionality  implemented  in  the
MICROSAR RTE.
The description of  the  RTE  configuration  in chapter  6  covers the  task mapping,  memory
mapping  and  the  code  generation  settings  in  DaVinci  Configurator.  A  more  detailed
description  of  the  configuration  tool  including  the  configuration  of  AUTOSAR  software
components and compositions and their integration in an ECU project can be found in the
online help of the DaVinci Configurator [18].

Supported AUTOSAR Release*:
4
Supported Configuration Variants:
pre-compile
Vendor ID:
RTE_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
RTE_MODULE_ID
2 decimal
AR Version:
RTE_AR_RELEASE_MAJOR_VERSION
AUTOSAR Release
RTE_AR_RELEASE_MINOR_VERSION
version
RTE_AR_RELEASE_REVISION_VERSION
decimal coded
SW Version:
RTE_SW_MAJOR_VERSION
MICROSAR RTE
RTE_SW_MINOR_VERSION
version
RTE_SW_PATCH_VERSION
decimal coded
* For the precise AUTOSAR Release 4.x please see the release specific documentation.
2015, Vector Informatik GmbH
Version: 4.8.0
20 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

2.1
Architecture Overview
The RTE is the realization of the interfaces of the AUTOSAR Virtual Function Bus (VFB)
for  a  particular  ECU.  The  RTE  provides  both  standardized  communication  interfaces  for
AUTOSAR software  components  realized by  generated RTE APIs and it also  provides a
runtime environment for the component code – the runnable entities. The RTE triggers the
execution  of  runnable  entities  and  provides  the  infrastructure  services  that  enable
communication  between  AUTOSAR  SWCs.  It  is  acting  as  a  broker  for  accessing  basic
software modules including the OS and communication services.
The  following  figure  shows  where  the  MICROSAR  RTE  is  located  in  the  AUTOSAR
architecture.

Figure 2-1  AUTOSAR architecture

RTE functionality overview:
  Execution of runnable entities of SWCs on different trigger conditions
  Communication mechanisms between SWCs (Sender/Receiver and Client/Server)
  Mode Management
  Inter-Runnable communication and exclusive area handling
2015, Vector Informatik GmbH
Version: 4.8.0
21 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

  Per-Instance Memory and calibration parameter handling
  Multiple instantiation of SWCs
  OS task body and COM / LDCOM callback generation
  Automatic configuration of parts of the OS, NvM and COM / LDCOM dependent of the
needs of the RTE
  Assignment of SWCs to different memory partitions/cores

SchM functionality overview:
  Execution of cyclic triggered schedulable entities (BSW main functions)
  Exclusive area handling for BSW modules
  OS task body generation

2015, Vector Informatik GmbH
Version: 4.8.0
22 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

composite structure Component
Interfaces to SWCs and BSW Moduls
«EmbeddedInterface»
«EmbeddedInterface»
RTE::S/R (explicit)
RTE::Mode Handling
+ Rte_Write__<o>([IN Rte_Instance <instance>,] IN <data>)() :Std_ReturnType
+ Rte_Switch__<o>([IN Rte_Instance <instance>,] IN <mode>)() :Std_ReturnType
+ Rte_Read__<o>([IN Rte_Instance <instance>,] OUT <data>)() :Std_ReturnType
+ Rte_Mode__<o>([IN Rte_Instance <instance>])() :Std_ReturnType
+ Rte_Send__<o>([IN Rte_Instance <instance>,] IN <data> [,IN uint16 <length>])() :Std_ReturnType
+ Rte_Mode__<o>([IN Rte_Instance <instance>,] OUT previous, OUT next)() :<currentmode>
+ Rte_Receive__<o>([IN Rte_Instance <instance>,] OUT <data> [,OUT uint16 <length>])() :Std_ReturnType
+ Rte_SwitchAck__<o>([IN Rte_Instance <instance>])() :<currentmode>
+ Rte_Feedback__<o>([IN Rte_Instance <instance>])() :Std_ReturnType
+ Rte_Invalidate__<o>([IN Rte_Instance <instance>])() :Std_ReturnType
+ Rte_IsUpdated__<o>([IN Rte_Instance <instance>])() :boolean
«EmbeddedInterface»
RTE::C/S
«EmbeddedInterface»
+ Rte_Call__<o>([IN Rte_Instance <instance>,] <data_1> ... <data_n>)() :Std_ReturnType
RTE::S/R (implicit)
+ Rte_Result__<o>([IN Rte_Instance <instance>,] <data_1> ... <data_n>)() :Std_ReturnType
+ Rte_IWrite_<re>__<o>([IN Rte_Instance <instance>,] IN <data>)() :void
+ Rte_IWriteRef_<re>__<o>([IN Rte_Instance <instance>])() :<return ref>
+ Rte_IRead_<re>__<o>([IN Rte_Instance <instance>])() :<return>
«EmbeddedInterface»
+ Rte_IStatus_<re>__<o>([IN Rte_Instance <instance>])() :Std_ReturnType
RTE::Indirect API
+ Rte_IInvalidate_<re>__<o>([IN Rte_Instance <instance>])()
+ Rte_Port_([IN Rte_Instance <instance>])() :Rte_PortHandle__<R/P>
+ Rte_Ports_<pi>_<R/P>([IN Rte_Instance <instance>])() :Rte_PortHandle__<R/P>
«provide optionally»
+ Rte_NPorts_<pi>_<R/P>([IN Rte_Instance <instance>])() :uint8
«EmbeddedInterface»
RTE::Inter-Runnable Variable
+ Rte_IrvWrite_<v([IN Rte_Instance <instance>,] IN <data>)() :void
«EmbeddedInterface»
+ Rte_IrvRead_<v>([IN Rte_Instance <instance>])() :<return>
«provide optionally»
RTE::Calibration Parameter
+ Rte_IrvIWrite_<re>_<v([IN Rte_Instance <instance>,] IN <data>)() :void
+ Rte_CData_<c>([IN Rte_Instance <instance>])() :<parameter>
+ Rte_IrvIRead_<re>_<v>([IN Rte_Instance <instance>])() :<return>
+ Rte_Prm__<c>([IN Rte_Instance <instance>])() :<parameter>
«provide optionally»
«EmbeddedInterface»
RTE::Exclusiv e Area
«EmbeddedInterface»
«provide optionally»
+ Rte_Enter_<ea>([IN Rte_Instance <instance>])() :void
RTE::Per-Instance Memory
«provide optionally»
+ Rte_Exit_<ea>([IN Rte_Instance <instance>])() :void
+ Rte_Pim_([IN Rte_Instance <instance>])() :<pim>
«EmbeddedInterface»
«provide optionally»
«EmbeddedInterface»
SchM::Exclusiv e Area
RTE::Error Handling
+ SchM_Enter_<ea>([IN Rte_Instance <instance>])() :void
+ Rte_HasOverlayedError(Std_ReturnType) :boolean
+ SchM_Exit_<ea>([IN Rte_Instance <instance>])() :void
«provide optionally» + Rte_ApplicationError(Std_ReturnType) :Std_ReturnType
+ Rte_IsInfrastructureError(Std_ReturnType) :boolean
«provide optionally»
«provide optionally»
«provide optionally»
Module
RTE
«use optionally»
«provide optionally»
«use optionally»
«use optionally»
Interfaces to Os
Interfaces to Com
«EmbeddedInterface»
«EmbeddedInterface»
«EmbeddedInterface»
Used Interfaces::Os
RTE::COM Callback
Prov ided Interfaces::
+ ActivateTask(TaskType) :StatusType
+ Rte_COMCbk_<SignalName>() :void
Memory Initialization
+ CancelAlarm(AlarmType) :StatusType
+ Rte_COMCbkRxTOut_<SignalName>() :void
+ Rte_InitMemory() :void
+ ChainTask(TaskType) :StatusType
+ Rte_COMCbkTAck_<SignalName>() :void
+ ClearEvent(EventMaskType) :StatusType
+ Rte_COMCbkTxTOut_<SignalName>() :void
+ DisableAllInterrupts() :void
+ Rte_COMCbkTErr_<SignalName>() :void
+ EnableAllInterrupts() :void
+ Rte_COMCbkInv_<SignalName>() :void
+ GetEvent(TaskType, EventMaskType*) :StatusType
+ GetResource(ResourceType) :StatusType
«provide optionally»
+ GetTaskID(TaskType*) :StatusType
+ IocRead_<iocid>(OUT <data>)() :Std_ReturnType
+ IocReadGroup_<iocid>(OUT <data0>,..., OUT <data_n>)() :Std_ReturnType
«EmbeddedInterface»
+ IocReceive_<iocid>(OUT <data>)() :Std_ReturnType
Used Interfaces::Com
Interfaces to Xcp
+ IocSend_<iocid>[_<sid>](IN <data>)() :Std_ReturnType
+ Com_SendDynSignal(Com_SignalIdType, const void*, uint16) :uint8
+ IocWrite_<iocid>[_<sid>](IN <data>)() :Std_ReturnType
«EmbeddedInterface»
+ Com_SendSignal(Com_SignalIdType, const void*) :uint8
+ IocWriteGroup_<iocid>[_<sid>](IN <data0>,..., IN <data_n>)() :Std_ReturnType
Used Interfaces::Xcp
+ Com_UpdateShadowSignal(Com_SignalIdType, const void*) :void
+ ReleaseResource(ResourceType) :StatusType
+ Com_SendSignalGroup(Com_SignalGroupIdType) :uint8
+ ResumeOSInterrupts() :void
+ Xcp_Event(uint8) :void
+ Com_ReceiveDynSignal(Com_SignalIdType, void*, uint16*) :uint8
+ Schedule() :StatusType
+ Com_ReceiveSignal(Com_SignalIdType, void*) :uint8
+ SetEvent(TaskType, EventMaskType) :StatusType
+ Com_ReceiveShadowSignal(Com_SignalIdType, void*) :uint8
+ SetRelAlarm(AlarmType, TickType, TickType) :StatusType
+ Com_ReceiveSignalGroup(Com_SignalGroupIdType) :uint8
+ SuspendOSInterrupts() :void
+ Com_InvalidateSignal(Com_SignalIdType) :uint8
+ TerminateTask() :StatusType
+ Com_InvalidateSignalGroup(Com_SignalGroupIdType) :uint8
+ WaitEvent(EventMaskType) :StatusType
Interfaces to EcuM
Interfaces to NvM
«EmbeddedInterface»
«EmbeddedInterface»
«EmbeddedInterface»
RTE::Lifecycle
SchM::Lifecycle
RTE::Nv M Callback
+ Rte_Start() :Std_ReturnType
+ SchM_Init([IN SchM_ConfigType ConfigPtr])() :void
+ Rte_GetMirror__<d>(void*) :Std_ReturnType
+ Rte_Stop() :Std_ReturnType
+ SchM_Deinit() :void
+ Rte_SetMirror__<d>(const void*) :Std_ReturnType
+ SchM_GetVersionInfo(Std_VersionInfoType*) :void

Figure 2-2 Interfaces to adjacent modules of the RTE

2015, Vector Informatik GmbH
Version: 4.8.0
23 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

3  Functional Description
3.1
Features
The features listed in the following tables cover the complete functionality specified for the
RTE.
The AUTOSAR  standard  functionality  is  specified  in  [1],  the  corresponding  features  are
listed in the tables
  Table 3-1   Supported AUTOSAR standard conform features
  Table 3-2   Not supported AUTOSAR standard conform features
Vector Informatik provides further RTE functionality beyond the AUTOSAR standard. The
corresponding features are listed in the table
  Table 3-3   Features provided beyond the AUTOSAR standard

The following features specified in [1] are supported:
Supported AUTOSAR Standard Conform Features
Explicit S/R communication (last-is-best)  [API: Rte_Read, Rte_Write]
Explicit S/R communication (queued polling)  [API: Rte_Receive, Rte_Send]
Variable length arrays
Explicit S/R communication (queued blocking)  [API: Rte_Receive]
Implicit S/R communication  [API:Rte_IRead, Rte_IWrite, Rte_IWriteRef]
Timeout handling (DataReceiveErrorEvent) [API: Rte_IStatus]
Data element invalidation [API: Rte_Invalidate, Rte_IInvalidate]
Intra-Ecu S/R communication
Inter-Ecu S/R communication
1:N S/R communication (including network signal Fan-Out)
N:1 S/R communication (non-queued, pure network signal Fan-In or pure Intra-Ecu)
C/S communication (synchronous, direct calls)  [API: Rte_Call]
C/S communication (synchronous, scheduled calls)  [API: Rte_Call]
C/S communication (asynchronous calls)  [API: Rte_Call]
C/S communication (asynchronous) [API: Rte_Result]
Intra-Ecu C/S communication
Inter-Ecu C/S communication using SOME/IP Transformer
N:1 C/S communication
Explicit exclusive areas [API: Rte_Enter, Rte_Exit]
Implicit exclusive areas
Explicit Inter-Runnable Variables [API: Rte_IrvRead, Rte_IrvWrite]
Implicit Inter-Runnable Variables [API: Rte_IIrvRead, Rte_IIrvWrite]
2015, Vector Informatik GmbH
Version: 4.8.0
24 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Supported AUTOSAR Standard Conform Features
Transmission ack. status (polling and blocking) [API: Rte_Feedback]
Runnable category 1a, 1b und 2
RTE Lifecycle-API [API: Rte_Start, Rte_Stop]
Nv Block Software Components
Runnable to task mapping
Data element to signal mapping
Task body generation
VFB-Tracing
Multiple trace clients
ECU-C import / export
Automatic OS configuration according the needs of the RTE (basic and extended task support)
Automatic COM / LDCOM configuration according the needs of the RTE
Primitive data types
Composite data types
Data reception triggered runnables entities (DataReceivedEvent)
Cyclic triggered runnable entities (TimingEvent)
Data transmission triggered runnable entities (DataSendCompletionEvent)
Data reception error triggered runnables entities (DataReceiveErrorEvent)
Mode switch acknowledge triggered runnable entities (ModeSwitchedAckEvent)
Mode switch triggered runnable entities (ModeSwitchEvent)
Background triggered runnable and scheduleable entities (BackgroundEvent)
Contract phase header generation
Port access to services (Port defined argument values)
Port access to ECU-Abstraction
Compatibility mode
Per-Instance Memory [API: Rte_Pim]
Multiple instantiation on ECU-level
Indirect API [API: Rte_Port, Rte_NPorts, Rte_Ports]
SWC internal calibration parameters [API: Rte_CData]
Shared calibration parameters (CalprmComponentType) [API: Rte_Prm]
Mode machine handling [API: Rte_Mode/Rte_Switch]
Mode switch ack. status (polling and blocking) [API: Rte_SwitchAck]
Multi-Core support (S/R communication, C/S communication, Mode communication (partially))
Memory protection
Unconnected ports
COM-Filter (NewDiffersOld, Always)
Measurement (S/R-Communication, Mode-Communication, Inter-Runnable Variables)
Runnable de-bouncing (Minimum Start Interval)
2015, Vector Informatik GmbH
Version: 4.8.0
25 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Supported AUTOSAR Standard Conform Features
Online calibration support
Never received status
S/R update handling [API: Rte_IsUpdated]
Contract Phase Header generation for BSW-Scheduler
PR-Ports
Optimized S/R communication [API: Rte_DRead]
Variant Handling support (Postbuild selectable for variant data mappings and COM signals)
Data prototype mapping
Bit field texttable mapping
Table 3-1   Supported AUTOSAR standard conform features
3.1.1
Deviations
The following features specified in [1] are not supported:
Not Supported AUTOSAR Standard Conform Features
COM-Filter (only partially supported)
Measurement (Client-Server arguments)
external Trigger (via port) [API: Rte_Trigger]
Inter-Runnable Trigger (SWC internal) [API: Rte_IrTrigger]
Tx-Ack for implicit communication [API: Rte_IFeedback]
BSW-Scheduler Mode Handling [API: SchM_Mode, SchM_Switch, SchM_SwitchAck]
external Trigger between BSW modules [API: SchM_Trigger]
BSW-Scheduler Trigger [API: SchM_ActMainFunction]
BSW-Scheduler Calibration Parameter Access [API: SchM_CData]
Post Build Variant Sets
Debugging and Logging Support
Variant Handling support (Pre-Compile variability, Postbuild variability for Connectors and
ComponentPrototypes)
Multi-Core support (Mode communication with ModeSwitchTriggers or ModeDisablings,
Rte_ComSendSignalProxyImmediate, RteIocInteractionReturnValue=RTE_COM)
Restarting of partitions
Re-scaling of ports / Data conversion
Pre-Build data set generation phase
Post-Build data set generation phase
Initialization of PerInstanceMemories
Asynchronous Mode Handling
MC data support
Generated BSWMD
Range checks
2015, Vector Informatik GmbH
Version: 4.8.0
26 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Not Supported AUTOSAR Standard Conform Features
RTE memory section initialisation strategies
External conﬁguration switch strictConfigurationCheck
Table 3-2   Not supported AUTOSAR standard conform features
3.1.2
Additions/ Extensions
The following features are provided beyond the AUTOSAR standard:
Features Provided Beyond The AUTOSAR Standard
Rte_InitMemory API function. See Chapter 5.14.3 for details.
Init-Runnables. See Chapter 3.6.9 for details.
VFB Trace Hooks for SchM APIs. See Chapter 5.16.3 and 5.16.4 for details.
Measurement support for mode communication. See Chapter 6.6 for details.
Measurement with XCP Events. See Chapter 6.6 for details.
S/R Serialization using SOME/IP Transformer and E2E Transformer (AR4.2.1)
C/S Serialization using SOME/IP Transformer and E2E Transformer (AR4.2.1)
LdCom Support (AR4.2.1)
ComXf Support (AR4.2.1)
Table 3-3   Features provided beyond the AUTOSAR standard
3.1.3
Limitations
There are no known limitations.
2015, Vector Informatik GmbH
Version: 4.8.0
27 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

3.2
Initialization
The  RTE  is  initialized  by  calling  Rte_Start.  Initialization  is  done  by  the  ECU  State
Manager (EcuM).
The Basis Software Scheduler (SchM) is initialized by calling  SchM_Init. Initialization is
done by the ECU State Manager (EcuM).
3.3
AUTOSAR ECUs
Besides  the  basic  software  modules  each AUTOSAR  ECU  has  a  single  instance  of  the
RTE  to  manage  the  application  software  of  the  ECU.  The  application  software  is
modularized and assigned to one or more AUTOSAR software components (SWC).
3.4
AUTOSAR Software Components
AUTOSAR  software  components  (SWC)  are  described  by  their  ports  for  communication
with  other  SWCs  and  their  internal  behavior  in  form  of  runnable  entities  realizing  the
smallest schedulable code fragments in an ECU.
The following communication paradigms are supported for port communication:
  Sender-Receiver (S/R): queued and last-is-best, implicit and explicit
  Client-Server (C/S): synchronous and asynchronous
  Mode communication
  Calibration parameter communication
S/R and C/S communication may occur Intra-ECU or between different ECUs (Inter-ECU).
Mode communication and calibration parameters can only be accessed ECU internally.
In addition to Inter-SWC communication over ports, the description of the internal behavior
of  SWCs  contains  also  means  for  Intra-SWC  communication  and  synchronization  of
runnable entities.
  Inter-Runnable Variables
  Per-Instance Memory
  Exclusive Areas
  Calibration Parameters
The description of the internal behavior of SWCs finally contains all information needed for
the handling of runnable entities, especially the events upon which they are triggered.
3.5
Runnable Entities
All  application  code  is  organized  into  runnable  entities,  which  are  triggered  by  the  RTE
depending  on  certain  conditions.  They  are  mapped  to  OS  tasks  and  may  access  the
communication and data consistency mechanisms provided by the SWC they belong to.
2015, Vector Informatik GmbH
Version: 4.8.0
28 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

The trigger conditions for runnable entities are described below, together with the
signature of the runnable entities that results from these trigger conditions. A detailed
description of the signature of runnable entities may be found in section 5.3 Runnable
Entities.
3.6
Triggering of Runnable Entities
AUTOSAR has introduced the concept of RTEEvents to trigger the execution of runnable
entities. The following RTEEvents are supported by the MICROSAR RTE:
 TimingEvent
 DataReceivedEvent
 DataReceiveErrorEvent
 DataSendCompletedEvent
 OperationInvokedEvent
 AsynchronousServerCallReturnsEvent
 ModeSwitchEvent
 ModeSwitchedAckEvent
 InitEvent
 BackgroundEvent

The RTEEvents can lead to two different kinds of triggering:
 Activation of runnable entity
 Wakeup of waitpoint
Activation of runnable entity starts a runnable entity at its entry point while
wakeup of waitpoint resumes runnable processing at a waitpoint. The second is not
possible for all RTEEvents and needs an RTE API to setup this waitpoint inside the
runnable entity code.
Depending on the existence of a waitpoint, runnable entities are categorized into category
1 or category 2 runnables. A runnable becomes a category 2 runnable if at least one
waitpoint exists.
3.6.1
Time Triggered Runnables
AUTOSAR defines the TimingEvent for periodic triggering of runnable entities. The
TimingEvent can only trigger a runnable entity at its entry point. Consequently there
exists no API to set up a waitpoint for a TimingEvent. The signature of a time triggered
runnable is:
void <RunnableName>([IN Rte_Instance instance])

2015, Vector Informatik GmbH
Version: 4.8.0
29 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

3.6.2
Data Received Triggered Runnables
AUTOSAR defines the DataReceivedEvent to trigger a runnable entity on data
reception (queued or last-is-best) or to continue reception of queued data in a blocking
Rte_Receive call. Both intra ECU and inter ECU communication is supported. Data
reception triggered runnables have the following signature:
void <RunnableName>([IN Rte_Instance instance])

3.6.3
Data Reception Error Triggered Runnables
AUTOSAR defines the DataReceiveErrorEvent to trigger a runnable entity on data
reception error. A reception error could be a timeout (aliveTimeout) or an invalidated
data element. The DataReceiveErrorEvent can only trigger a runnable entity at its
entry point. Consequently there exists no API to set up a waitpoint for a
DataReceiveErrorEvent. The signature of a data reception error triggered runnable is:
void <RunnableName>([IN Rte_Instance instance])

3.6.4
Data Send Completed Triggered Runnables
AUTOSAR defines the DataSendCompletedEvent to signal a successful or an
erroneous transmission of explicit S/R communication. The DataSendCompletedEvent
can either trigger the execution of a runnable entity or continue a runnable, which waits at
a waitpoint for the transmission status or the mode switch in a blocking Rte_Feedback
call. Both intra ECU and inter ECU communication is supported. Data send completed
triggered runnables have the following signature:
void <RunnableName>([IN Rte_Instance instance])

3.6.5
Mode Switch Triggered Runnables
AUTOSAR defines the ModeSwitchEvent to trigger a runnable entity on either entering
or exiting of a specific mode of a mode declaration group. The ModeSwitchEvent can
only trigger a runnable entity at its entry point. Consequently there exists no API to set up
a waitpoint for a ModeSwitchEvent. The signature of a mode switch triggered runnable
is:
void <RunnableName>([IN Rte_Instance instance])

3.6.6
Mode Switched Acknowledge Triggered Runnables
AUTOSAR defines the ModeSwitchedAckEvent to signal a successful mode transition.
The ModeSwitchedAckEvent can either trigger the execution of a runnable entity or
continue a runnable, which waits at a waitpoint for the mode transition status. Only intra
ECU communication is supported. Runnables triggered by a mode switch acknowledge
have the following signature:
void <RunnableName>([IN Rte_Instance instance])

2015, Vector Informatik GmbH
Version: 4.8.0
30 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

3.6.7
Operation Invocation Triggered Runnables
The OperationInvokedEvent is defined by AUTOSAR to always trigger the execution
of a runnable entity. The signature of server runnables depends on the parameters defined
at the C/S port. Its general appearance is as follows:
{void|Std_ReturnType} <Runnable>([IN Rte_Instance inst] {,paramlist}*)

The return value depends on application errors being assigned to the operation that the
runnable represents. The parameter list contains input in/output and output parameters.
Input parameters for primitive data type are passed by value. Input parameters for
composite data types and all in/output and output parameters independent whether they
are primitive or composite types are passed by reference. The string data type is handled
like a composite type.
3.6.8
Asynchronous Server Call Return Triggered Runnables
The AsynchronousServerCallReturnsEvent signals the end of an asynchronous
server execution and triggers either a runnable entity to collect the result by using
Rte_Result or resumes the waitpoint of a blocking Rte_Result call.
The runnables have the following signature:
{void|Std_ReturnType} <Runnable>([IN Rte_Instance inst] {,paramlist}*)

3.6.9
Init Triggered Runnables
Initialization runnables are called once during startup and have the following signature:
void <RunnableName>([IN Rte_Instance instance])

3.6.10 Background Triggered Runnables
Background triggered runnables have to be mapped to tasks with lowest priority. The
runnables are called by the RTE in an endless loop – in the background – when no other
runnable runs. The signature of a background triggered runnable is:
void <RunnableName>([IN Rte_Instance instance])
2015, Vector Informatik GmbH
Version: 4.8.0
31 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

3.7
Exclusive Areas
An exclusive area (EA) can be used to protect either only a part of runnable code (explicit
EA access) or the complete runnable code (implicit EA access). AUTOSAR specifies four
implementation methods which are configured during ECU configuration of the RTE. See
also Chapter 6.9.
  OS Interrupt Blocking
  All Interrupt Blocking
  OS Resource
  Cooperative Runnable Placement
All of them have to ensure that the current runnable is not preempted while executing the
code inside the exclusive area.
The  MICROSAR  RTE  analyzes  the  accesses  to  the  different  RTE  exclusive  areas  and
eliminates redundant ones if that is possible e.g. if runnable entities accessing the same
EA they cannot preempt each other and can therefore be dropped.

Info
For SchM exclusive areas the automatic optimization is currently not supported.
  Optimization must be done manually by setting the implementation method to NONE.

3.7.1
OS Interrupt Blocking
When an exclusive area uses the implementation method  OS_INTERRUPT_BLOCKING, it
is
protected
by
calling
the
OS
APIs
SuspendOSInterrupts()
and
ResumeOSInterrupts(). The OS does not allow the invocation of event and resource
handling  functions  while  interrupts  are  suspended.  This  precludes  calls  to  any  RTE API
that  is  based  upon  an  explicitly  modeled  waitpoint  (blocking  Rte_Receive,
Rte_Feedback,  Rte_SwitchAck  or  Rte_Result API)  as  well  as  synchronous  server
calls (which sometimes use waitpoints that are not explicitly modeled or other rescheduling
points).  Additionally,  all  APIs  that  might  trigger  a  runnable  entity  on  the  same  ECU  or
cause a blocking queue access to be released are forbidden, as well as exclusive areas
implemented as OS Resource.
3.7.2
All Interrupt Blocking
When an exclusive area uses the implementation method ALL_INTERRUPT_BLOCKING, it
is
protected
by
calling
the
OS  APIs
SuspendAllInterrupts()
and
ResumeAllInterrupts(). The OS does not allow the invocation of event and resource
handling  functions  while  interrupts  are  suspended.  This  precludes  calls  to  any  RTE API
that  is  based  upon  an  explicitly  modeled  waitpoint  (blocking  Rte_Receive,
Rte_Feedback,  Rte_SwitchAck  or  Rte_Result API)  as  well  as  synchronous  server
calls (which sometimes use waitpoints that are not explicitly modeled or other rescheduling
points).  Additionally,  all  APIs  that  might  trigger  a  runnable  entity  on  the  same  ECU  or
cause a blocking queue access to be released are forbidden, as well as exclusive areas
implemented as OS Resource.
2015, Vector Informatik GmbH
Version: 4.8.0
32 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

3.7.3
OS Resource
An  exclusive  area  using  implementation  method  OS_RESOURCE  is  protected  by  OS
resources entered and released via GetResource() / ReleaseResource()calls, which
raise the task priority so that no other task using the same resource may run. The OS does
not  allow  the  invocation  of  WaitEvent()  while  an OS  resource  is  occupied. This  again
precludes  calls  to  any  RTE API  that  is  based  upon  an  explicitly  modeled  waitpoint  and
synchronous server calls.
3.7.4
Cooperative Runnable Placement
For exclusive areas with implementation method COOPERATIVE_RUNNABLE_PLACEMENT,
the RTE generator only applies a check whether any of the tasks accessing the exclusive
area are able to preempt any other task of that group. This  again precludes calls to any
RTE API that is based upon an explicitly modeled waitpoint and synchronous server calls.

2015, Vector Informatik GmbH
Version: 4.8.0
33 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

3.8
Error Handling
3.8.1
Development Error Reporting
By default, development errors are reported to the DET using the service
Det_ReportError() as specified in [17], if development error reporting is enabled in the
RteGeneration parameters (i.e. by setting the parameters DevErrorDetect and / or
DevErrorDetectUninit).
If another module is used for development error reporting, the function prototype for
reporting the error can be configured by the integrator, but must have the same signature
as the service Det_ReportError(). The reported RTE ID is 2.
The reported service IDs identify the services which are described in chapter 5. The
following table presents the service IDs and the related services:
Service ID
Service
0x00
SchM_Init
0x01
SchM_Deinit
0x03
SchM_Enter
0x04
SchM_Exit
0x13
Rte_Send
0x14
Rte_Write
0x15
Rte_Switch
0x16
Rte_Invalidate
0x17
Rte_Feedback
0x18
Rte_SwitchAck
0x19
Rte_Read
0x1A
Rte_DRead
0x1B
Rte_Receive
0x1C
Rte_Call
0x1D
Rte_Result
0x1F
Rte_CData
0x20
Rte_Prm
0x28
Rte_IrvRead
0x29
Rte_IrvWrite
0x2A
Rte_Enter
0x2B
Rte_Exit
0x2C
Rte_Mode
0x30
Rte_IsUpdated
0x70
Rte_Start
0x71
Rte_Stop
0x90
Rte_COMCbkTAck_<sn>
0x91
Rte_COMCbkTErr_<sn>
0x92
Rte_COMCbkInv_<sn>
2015, Vector Informatik GmbH
Version: 4.8.0
34 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Service ID
Service
0x93
Rte_COMCbkRxTOut_<sn>
0x94
Rte_COMCbkTxTOut_<sn>
0x95
Rte_COMCbk_<sg>
0x96
Rte_COMCbkTAck_<sg>
0x97
Rte_COMCbkTErr_<sg>
0x98
Rte_COMCbkInv_<sg>
0x99
Rte_COMCbkRxTOut_<sg>
0x9A
Rte_COMCbkTxTOut_<sg>
0x9F
Rte_COMCbk_<sn>
0xF0
Rte_Task
0xF1
Rte_IncDisableFlags
0xF2
Rte_DecDisableFlags
Table 3-4 Service IDs
The errors reported to DET are described in the following table:
Error Code
Description
RTE_E_DET_ILLEGAL_NESTED_EX
The same exclusive area was called nested or exclusive
CLUSIVE_AREA
areas were not exited in the reverse order they were
entered
RTE_E_DET_UNINIT
Rte/SchM is not initialized
RTE_E_DET_MODEARGUMENT
Rte_Switch was called with an invalid mode parameter
RTE_E_DET_TRIGGERDISABLECOU Counter of mode disabling triggers is in an invalid state
NTER
RTE_E_DET_TRANSITIONSTATE
Mode machine is in an invalid state
RTE_E_DET_MULTICORE_STARTUP Initialization of the master core before all slave cores
were initialized
RTE_E_DET_ILLEGAL_SIGNAL_ID
RTE callback was called for a signal that is not active in
the current variant.
Table 3-5 Errors reported to DET

The error RTE_E_DET_UNINIT will only be reported if the parameter
DevErrorDetectUninit is enabled. The reporting of all other errors can be enabled by
setting the parameter DevErrorDetect.
2015, Vector Informatik GmbH
Version: 4.8.0
35 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4  RTE Generation and Integration
This  chapter  gives  necessary  information  about  the  content  of  the  delivery,  the  RTE
generation process including a description about the different RTE generation modes and
finally information how to integrate the MICROSAR RTE into an application environment of
an ECU.
4.1
Scope of Delivery
The delivery of the RTE contains no static RTE code files. The RTE module is completely
generated  by  the  MICROSAR  RTE  Generator. After  the  installation,  the  delivery  has  the
following content:
Files
Description
DVCfgRteGen.exe
Command line MICROSAR RTE generator
(including several DLLs and XML files)
MicrosarRteGen.exe
MICROSAR RTE File generator
Rte.jar
DaVinci Configurator 5 adaptation modules
Settings_Rte.xml
Rte_Bswmd.arxml
BSWMD file for MICROSAR RTE
TechnicalReference_Asr_Rte.pdf
This documentation
ReleaseNotes_MICROSAR_RTE.htm  Release Notes
Table 4-1   Content of Delivery

Info
The RTE Configuration Tool DaVinci Developer is not part of MICROSAR RTE / BSW
  installation package. It has to be installed separately.

2015, Vector Informatik GmbH
Version: 4.8.0
36 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.2
RTE Generation
The MICROSAR RTE generator can be called either from the command line application
DVCfgCmd.exe or directly from within the DaVinci Configurator.
4.2.1
Command Line Options
Option
Description
--project <file>
–p <file>
Specifies the absolute path to the DPA project file.
--generate
-g
Generate the given project specified in <file>.
--moduleToGenerate
-m <module> Specifies the module definition references, which
should be generated by the -g switch. Separate
multiple modules by a ','.
E.g. /MICROSAR/Rte, /MICROSAR/Nm
--genArg=”<module>: <params>”
Passes the specified parameters <params> to the
generator of the specified module <module>. For
details of the possible parameters of the RTE module
see Table 4-3.
--help
-h
Displays the general help information of
DVCfgCmd.exe
Table 4-2 DVCfgCmd Command Line Options
4.2.2
RTE Generator Command Line Options
Option
Description
–m <obj>
Selects the DaVinci model object, where <obj> is either
<ECUProjectName> or <ComponentTypeName>.
Note: If –g i or –g c are selected, which accepts both,
<ComponentTypeName> or <ECUProjectName> and the
configuration contains such objects with the same name, the
component type object takes preference over the ECU project.
When the workspace contains only a single ECUProject or a single
ComponentType, the -m parameter can be omitted.
With the –m parameter also multiple component types can be selected,
delimited with semicolons.
–g [r|c|i|h]
Selects generation of the RTE with the following sub options:
r Selects RTE generation for the ECU project specified via option -
m <ECUProjectName>. This is the default option. Therefore –g is
equal to –g r.

2015, Vector Informatik GmbH
Version: 4.8.0
37 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

c Selects RTE contract phase header generation for a single
component type or BSW module if -m
<ComponentTypeName/BswModuleName> or for multiple
component types and BSW modules if –m
<ComponentType1Name/BswModule1Name>;
<ComponentType2Name/BswModule2Name> or for all non-
service component types and BSW modules of an ECU project if
-m <ECUProjectName>.

i Selects implementation template generation for a single
component type if -m <ComponentTypeName> or for multiple
component types if –m
<ComponentType1Name>;<ComponentType2Name> or for all
non- service component types of an ECU project if -m
<ECUProjectName>.
The optional –f <file> parameter specifies the file name to use
for the implementation template file. If the –f <file> parameter
is not given, or –m contains an ECU project name, the filename
defaults to <ComponentTypeName>.c.
Already existing implementation files are updated and a backup is
created.

h Selects VFB trace hook template generation for the ECU project
specified via option -m <ECUProjectName>.
The optional –f <file> parameter specifies the file name to use
for the VFB trace hook template file. If the –f <file> parameter
is not given, the filename defaults to
VFBTraceHook_<ECUProjectName>.c.
Already existing implementation files are updated and a backup is
created.

This parameter can be used more than one time to generate several
modes in one step.
–o <path>
Output path for the generated files.
-o r=<path>
If more than one generation mode is active, a special path can be
-o c=<path>
specified for each generation mode by assigning the path to the
-o i=<path>
character that is used as sub option for the –g parameter.
-o h=<path>
Furthermore the path for the application header files in the RTE
-o s=<path>
generation mode can be selected via option –o s=<path>. By default
-o a=<path>
they are generated into the subdirectory “Components”.
The path for A2L files can be specified with the option –o a=<path>.
These files are generated into the RTE directory by default.
Note: The <path> configured with -o parameter overwrites the path
which is specified in the dpa project file.
–f <file>
Optional parameter to specify the output file name for options –g i
and –g h.
Note: For option –g i the output file name can only be specified if –m
specifies a component type. The output file name cannot be specified
2015, Vector Informatik GmbH
Version: 4.8.0
38 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

when –m specifies multiple component types.
-v
Enables verbose mode which includes help information for error,
warning and info messages.
–h
Displays the general help information.
Table 4-3 RTE Generator Command Line Options
4.2.3
Generation Path
The RTE output files are generated into the path which is either specified within the dpa
project file or which is specified in the –o command line option. If several generation
modes are activated in parallel, for each phase a special path can be specified with the –o
command line option.
In RTE generation phase (command line option –g or –g r), the component type specific
application header files are generated into the subdirectory Components. This
subdirectory can be changed in the RTE generation phase with the option –o
“s=<path>”. In addition the directory for the A2L files, which are generated into the RTE
directory by default, can be specified with the option –o “a=<path>”.
4.3
MICROSAR RTE generation modes
The sections give an overview of the files generated by the MICROSAR RTE generator in
the different RTE generation modes and some examples how the command line call looks
like.
4.3.1
RTE Generation Phase
The following files are generated by the RTE generation: (Option –g or –g r)
File
Description
Rte_<ComponentType>.h
Application header file, which has to be included into the SWC
code. This header file is the only file to be included in the
component code. It is generated to the Components subdirectory
by default.
Rte_<ComponentType>_Type.h Application type header file. This header file contains SWC specific
type definitions. It is generated to the Components subdirectory
by default.
SchM_<BswModule>.h
Module interlink header file, which has to be included into the BSW
module code.
SchM_<BswModule>_Type.h
Module interlink types header file. This header file contains BSW
module specific type definitions.
<ComponentType>_MemMap.h Template contains SWC specific part of the memory mapping. It is
generated to the Components subdirectory by default.
Rte.c
Generated RTE
Rte_<OsApplication>.c
OsApplication specific part of the generated RTE (only generated

when OsApplications are configured)
Rte_PBCfg.c
The RTE post build data set configuration file contains the data
structures for the postbuild RTE initialization.
Rte.h
RTE internal declarations
2015, Vector Informatik GmbH
Version: 4.8.0
39 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Rte_Main.h
Header file for RTE lifecycle API
Rte_Cfg.h
Configuration file for the RTE
Rte_Cbk.h
Contains prototypes for COM callbacks
Rte_Hook.h
Contains relevant information for VFB tracing
Rte_Type.h
Contains the application defined data type definitions and RTE
internal data types
Rte_DataHandleType.h
The RTE data handle types header file contains the data handle

type declarations required for the component data structures.
Rte_PBCfg.h
The RTE post build data set configuration header contains the
declarations for the data structures that are used for the postbuild
RTE initialization.
Rte_UserTypes.h
Template which is generated if either user defined data types are
required for Per-Instance memory or if a data type is used by the
RTE but generation is skipped with the typeEmitter attribute.
Rte_MemMap.h
Template contains RTE specific part of the memory mapping
Rte_Compiler_Cfg.h
Template contains RTE specific part of the compiler abstraction
usrostyp.h
Template which is only generated if memory protection support is
enabled. In that case this file is included by the MICROSAR OS.
Rte.oil
OS configuration for the RTE
Rte_Needs.ecuc.arxml
Contains the RTE requirements on BSW module configuration for
Os, Com and NvM.
Rte.a2l
A2L file containing CHARACTERISTIC and MEASUREMENT

objects for the generated RTE
Rte_MemSeg.a2l
A2L file containing MEMORY_SEGMENT objects for the
generated RTE
Rte_rules.mak,
Make files according to the AUTOSAR make environment proposal
Rte_defs.mak,
are generated into the mak subdirectory.
Rte_check.mak,
Rte_cfg.mak
Rte.html
Contains information about RAM / CONST consumption of the
generated RTE as well as a listing of all triggers and their OS
events and alarms.
Table 4-4   Generated Files of RTE Generation Phase

Example:

DVCfgCmd -p "InteriorLight.dpa" –m /MICROSAR/Rte –g
2015, Vector Informatik GmbH
Version: 4.8.0
40 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.3.2
RTE Contract Phase Generation
The following files are generated by the RTE contract phase generation: (Option –g c)
File
Description
Rte_<ComponentType>.h
Application header file, which must be included into the SWC
code. This header file is the only file to be included in the
component code.
Rte_<ComponentType>_Type.h Application type header file. This header file contains SWC specific
type definitions.
<ComponentType>_MemMap.h Template contains SWC specific part of the memory mapping.
Rte.h
RTE internal declarations
Rte_Type.h
Contains the application defined data type definitions and RTE
internal data types
Rte_DataHandleType.h
The RTE data handle types header file contains the data handle
type declarations required for the component data structures.
Rte_UserTypes.h
Template which is generated if either user defined data types are
required for Per-Instance memory or if a data type is used by the
RTE but generation is skipped with the typeEmitter attribute.
Rte_MemMap.h
Template contains RTE specific part of the memory mapping
Rte_Compiler_Cfg.h
Template contains RTE specific part of the compiler abstraction
SchM_<BswModule>.h
Module interlink header file, which has to be included into the BSW
module code.
SchM_<BswModule>_Type.h
Module interlink types header file. This header file contains BSW
module specific type definitions.
Table 4-5 Generated Files of RTE Contract Phase

Example:

DVCfgCmd -p "InteriorLight.dpa"
 -m /MICROSAR/Rte
 –g
 --genArg=”Rte: -g c –m SenderComponent”

The generated header files are located in a component type specific subdirectory. The
application header file must be included in each source file of a SWC implementation,
where the RTE API for that specific SWC type is used.
The application header file created in the RTE contract phase can be used to compile
object code components, which can be linked to an RTE generated in the RTE generation
phase. The application header files are generated in RTE compatibility mode.

Caution
During the RTE generation phase an optimized header file is generated. This optimized
 header file should be used when compiling the source code SWCs during the ECU
build process.
2015, Vector Informatik GmbH
Version: 4.8.0
41 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

The usage of object code SWCs, which are compiled with the application header files
of the contract phase, require an “Implementation Code Type” for SWCs set to “object
code” in order to tell the RTE generator in the RTE generation phase NOT to create
optimized RTE API accesses but compatible ones.
2015, Vector Informatik GmbH
Version: 4.8.0
42 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.3.3
Template Code Generation for Application Software Components
The following file is generated by the implementation template generation: (Option –g i)
File
Description
<FileName>.c
An implementation template is generated if the –g i option is
selected. The –f option specifies the name of the generated c file.
If no name is selected the default name <ComponentTypeName>.c
is used.
Table 4-6 Generated Files of RTE Template Code Generation

Example:

DVCfgCmd -p "InteriorLight.dpa"
 –m /MICROSAR/Rte
 –g
 --genArg=”Rte: -g i –m SenderComponent -f Component1.c”

The generated template files contain all empty bodies of the runnable entities for the
selected component type. It also contains the include directive for the application header
file. In addition, the available RTE API calls are included in comments.

Caution
When the destination file of the SWC template code generation is already available,
 code that is placed within the user code sections marked by “DO NOT CHANGE”-
comments is transferred unchanged to the updated template file.
Additionally, a numbered backup of the original file is made before the new file is
written.
The preservation of runnable code is done by checking for the runnable symbol. This
implies that after a change of the name of a runnable the runnable implementation is
preserved, while a change of the symbol results in a new empty function for the
runnable.
Code that was removed during an update is kept in the “removed code” section at the
bottom of the implementation file and in the numbered backups.
The template update is particularly useful when e.g. access to some interfaces has
been added or removed from a runnable, because then the information of available
APIs is updated by the generation process without destroying the implementation.

2015, Vector Informatik GmbH
Version: 4.8.0
43 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.3.4
VFB Trace Hook Template Code Generation
The following file is generated by the VFB trace hook template generation: (Option –g h)
File
Description
<FileName>.c
An implementation template of the VFB trace hooks is generated if
the –g h option is selected. The –f option specifies the name of
the generated c file. If no name is selected the default name
VFBTraceHook_< ECUProjectName >.c is used.
Table 4-7 Generated Files of VFB Trace Hook Code Generation
Example:

DVCfgCmd -p "InteriorLight.dpa"
 –m /MICROSAR/Rte
 –g
 --genArg=”Rte: -g h –f VFBTraceHook_myEcu.c”

Caution
When the destination file of the VFB trace hook template generation is already
 available, code that is placed within the user code sections marked by “DO NOT
CHANGE” comments is transferred unchanged to the updated template file.
Additionally, a numbered backup of the original file is made before the new file is
written.
The preservation of trace hook code is done by checking for the trace hook name.
When the name of a hook changes, e.g. because the name of a data element
changed, then the code of the previous trace hook is removed.
Code that was removed during an update is kept in the “removed code” section at the
bottom of the implementation file and in the numbered backups.
The template update is particularly useful when some trace hooks have been added or
removed due to changed interfaces or OS usage.

2015, Vector Informatik GmbH
Version: 4.8.0
44 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.4
Include Structure
4.4.1
RTE Include Structure
class RTE Include Structure
Legend
Generated RTE C File
Generated RTE Header Files
Com.h
Rte_Cbk.h
Header Files of other Modules
Xcp.h
SchM_<Bsw>.h
«include»
«include»
«include»
«include»
Os.h
«include»
«include» «include»
«include»
Rte_<Swc>.h
«include»
Ioc.h
«include»
«include»
Rte.c
«include»
«include»
SchM_<Bsw>_Type.h
«include»
«include»
«include»
Rte_<Swc>_Type.h
<Swc>_MemMap.h
«include»
«include»
«include»
«include»
«include»
«include»
«include»
«include»
Rte_Type.h
Rte_Hook.h
«include»
«include»
Rte_DataHandleType.h
«include»
«include»
«include»
«include»
«include»
MemMap.h
Rte_Main.h
Rte.h
Rte_Cfg.h
«include»
«include»
Rte_MemMap.h
«include»
«include»
«include»
«include»
Rte_PBCfg.h
«include»
Det.h
Std_Types.h
Rte_UserTypes.h
«include»
«include»
Platform_Types.h
Compiler_Cfg.h
Compiler.h
«include»
«include»
Rte_Compiler_Cfg.h

Figure 4-1 RTE Include Structure

2015, Vector Informatik GmbH
Version: 4.8.0
45 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.4.2
SWC Include Structure
The following figure shows the include structure of a SWC with respect to the RTE
dependency. All other header files which might be included by the SWC are not shown.
class Sw c Include Structure
Legend
User SWC Implementation File(s)
Generated RTE Header Files
Header Files of other Modules
<Swc>.c
1..*
«include»
Rte_<Swc>.h
Com.h
«include»
«include»
«include»
<Swc>_MemMap.h
Rte_<Swc>_Type.h
«include»
Rte_DataHandleType.h
«include»
«include»
«include»
Rte_Type.h
Rte_MemMap.h
«include»
«include»
«include»
MemMap.h
Rte.h
Rte_UserTypes.h
«include»

Figure 4-2 SWC Include Structure

2015, Vector Informatik GmbH
Version: 4.8.0
46 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.4.3
BSW Include Structure
The following figure shows the include structure of a BSW module with respect to the
SchM dependency. All other header files which might be included by the BSW module are
not shown.
class Bsw Include Structure
Legend
BSW Module File(s)
Generated RTE Header Files
Header Files of other Modules
<Bsw>.c
1..*
«include»
SchM_<Bsw>.h
«include»
«include»
Os.h
SchM_<Bsw>_Type.h
«include»
Rte_PBCfg.h
«include»
«include»
Rte.h
Rte_Type.h

Figure 4-3 BSW Include Structure

2015, Vector Informatik GmbH
Version: 4.8.0
47 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.5
Compiler Abstraction and Memory Mapping
The objects (e.g. variables, functions, constants) are declared by compiler independent
definitions – the compiler abstraction definitions. Each compiler abstraction definition is
assigned to a memory section.
The following two tables contain the memory section names and the compiler abstraction
definitions defined for the RTE and illustrate their assignment among each other.
Compiler Abstraction
Definitions

E

A
R
T

T I
OD
A
A
T I
NI

C
V
D

_
_
_

NI
T
O_
I
k>
l>

L
L
L

R
T
T I
N

c

a
E
P
P
P
C
P
P
P

A

O_
I
lo
l>
T
R
E
N
OI
R
Z
T
N
m>
a
T

OD
A
A
A
A
A
_
I
I
N
_
N
_
OI
_
mB
T
S
T_<
E
C
>_
>
>_
V
D

ZE

_
_
_
_
R
I_ R N_ R <Pi_ a <C_ S
S
E
L
L
L
R
A
A
A
R
ON
OD
V
R
V
R
V
R
v
R
C
C
P
P
P
Memory Mapping
A
A
A
A
N
A
ON
ON
OD
P
P
P
V_ >_ V_ >_ V_ >_ V_ <_ V_ C_ >_ C_ C_ >_ A_ <SWC_ <SWC_ <SWC_ A_ A_
Sections
TE
TE
TE
TE
TE
TE
TE
TE
TE
TE
TE
TE
TE
TE
TE
R
<Swc
R
<Swc
R
<Swc
R
R
R
R
<Swc
R
R
<Swc
R
R
R
R
R
R
RTE_START_SEC_VAR_ZERO_INIT_8BIT

RTE_STOP_SEC_VAR_ZERO_INIT_8BIT
RTE_START_SEC_VAR_ZERO_INIT_UNSPECIFIED

RTE_STOP_SEC_VAR_ZERO_INIT_UNSPECIFIED
RTE_START_SEC_VAR_<OsAppl>_ZERO_INIT_UNSPECIFIED1 
RTE_STOP_SEC_VAR_<OsAppl>_ZERO_INIT_UNSPECIFIED1
<Swc>_START_SEC_VAR_ZERO_INIT_UNSPECIFIED
 
<Swc>_STOP_SEC_VAR_ZERO_INIT_UNSPECIFIED
RTE_START_SEC_VAR_INIT_UNSPECIFIED
 
RTE_STOP_SEC_VAR_INIT_UNSPECIFIED
RTE_START_SEC_VAR_<OsAppl>_INIT_UNSPECIFIED1
 
RTE_STOP_SEC_VAR_<OsAppl>_INIT_UNSPECIFIED1
<Swc>_START_SEC_VAR_INIT_UNSPECIFIED
 
<Swc>_STOP_SEC_VAR_INIT_UNSPECIFIED
RTE_START_SEC_VAR_NOINIT_UNSPECIFIED
 
RTE_STOP_SEC_VAR_NOINIT_UNSPECIFIED
RTE_START_SEC_VAR_<OsAppl>_NOINIT_UNSPECIFIED1
 
RTE_STOP_SEC_VAR_<OsAppl>_NOINIT_UNSPECIFIED1
<Swc>_START_SEC_VAR_NOINIT_UNSPECIFIED
 
<Swc>_STOP_SEC_VAR_NOINIT_UNSPECIFIED
RTE_START_SEC_VAR_<Pim>_UNSPECIFIED
 
RTE_STOP_SEC_VAR_<Pim>_UNSPECIFIED
RTE_START_SEC_<NvRamBlock>
 
RTE_STOP_SEC_<NvRamBlock>
RTE_START_SEC_VAR_<Cal>_UNSPECIFIED
 
RTE_STOP_SEC_VAR_<Cal>_UNSPECIFIED
RTE_START_SEC_CONST_UNSPECIFIED
 
RTE_STOP_SEC_CONST_UNSPECIFIED
<Swc>_START_SEC_CONST_UNSPECIFIED
 
<Swc>_STOP_SEC_CONST_UNSPECIFIED

1 This memory mapping sections are only used if memory protection support is enabled
2015, Vector Informatik GmbH
Version: 4.8.0
48 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

RTE_START_SEC_CONST_<Cal>_UNSPECIFIED
 
RTE_STOP_SEC_CONST_<Cal>_UNSPECIFIED
RTE_START_SEC_CODE
 
RTE_STOP_SEC_CODE
<Swc>_START_SEC_CODE
 
<Swc>_STOP_SEC_CODE
RTE_START_SEC_APPL_CODE
 
RTE_STOP_SEC_APPL_CODE
Table 4-8 Compiler abstraction and memory mapping
Compiler Abstraction E
Definitions HC

A
E

H
OC
E
C
N
H
A

_
C
TI
A
OC
N

NI
OC
_
N
TI

O_
_
R
T
N
I
N
OI

ZE_
I_
N_
R
R
R
Memory Mapping
A
A
A
V_
V_
V_
Sections
TE
TE
TE
R
R
R
RTE_START_SEC_VAR_NOCACHE_ZERO_INIT_8BIT


RTE_STOP_SEC_VAR_NOCACHE_ZERO_INIT_8BIT
RTE_START_SEC_VAR_NOCACHE_ZERO_INIT_UNSPECIFIED


RTE_STOP_SEC_VAR_NOCACHE_ZERO_INIT_UNSPECIFIED
RTE_START_SEC_VAR_<OsAppl>_NOCACHE_ZERO_INIT_UNSPECIFIED


RTE_STOP_SEC_VAR_<OsAppl>_NOCACHE_ZERO_INIT_UNSPECIFIED
RTE_START_SEC_VAR_NOCACHE_INIT_UNSPECIFIED


RTE_STOP_SEC_VAR_NOCACHE_INIT_UNSPECIFIED
RTE_START_SEC_VAR_<OsAppl>_NOCACHE_INIT_UNSPECIFIED


RTE_STOP_SEC_VAR_<OsAppl>_NOCACHE_INIT_UNSPECIFIED
RTE_START_SEC_VAR_NOCACHE_NOINIT_UNSPECIFIED


RTE_STOP_SEC_VAR_NOCACHE_NOINIT_UNSPECIFIED
RTE_START_SEC_VAR_<OsAppl>_NOCACHE_NOINIT_UNSPECIFIED


RTE_STOP_SEC_VAR_<OsAppl>_NOCACHE_NOINIT_UNSPECIFIED
Table 4-9 Compiler abstraction and memory mapping for non-cacheable variables
The memory mapping sections and compiler abstraction defines specified in Table 4-9 are
only used for variables which are shared between different cores on multicore systems.
These variables must be linked into non-cacheable memory.
The RTE specific parts of Compiler_Cfg.h and MemMap.h depend on the configuration
of the RTE. Therefore the MICROSAR RTE generates templates for the following files:
 Rte_Compiler_Cfg.h
 Rte_MemMap.h
They can be included into the common files and should be adjusted by the integrator like
the common files too.
2015, Vector Informatik GmbH
Version: 4.8.0
49 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.5.1
Memory Sections for Calibration Parameters and Per-Instance Memory
The variable part of the memory abstraction defines for calibration parameters <Cal> and
Per-Instance Memory <Pim> depends on the configuration. The following table shows the
attributes, which have to be defined in DaVinci Developer in order to assign a calibration
parameter or a Per-Instance Memory to one of the configured groups. The groups
represented by the enumeration values of the attributes can be configured in the attribute
definition dialog in DaVinci Developer without any naming restrictions. Only the name of
the attribute itself is predefined as described in the table below.
Object Type
Attribute Name
Attribute Type
Calibration Parameter
PAR_GROUP_CAL
Enumeration
Calibration Element Prototype PAR_GROUP_EL
Enumeration
Per-Instance Memory
PAR_GROUP_PIM
Enumeration
NvBlockDataPrototype
PAR_GROUP_NVRAM
Enumeration

Details of configuration and usage of User-defined attributes can be found in the DaVinci
Online Help [19].
Example for Calibration Parameters:
If the attribute PAR_GROUP_CAL contains e.g. the enumeration values CalGroupA and
CalGroupB and calibration parameters are assigned to those groups, the RTE generator
will create the following memory mapping defines:
RTE_START_SEC_CONST_CalGroupA_UNSPECIFIED
RTE_STOP_SEC_CONST_CalGroupA_UNSPECIFIED
RTE_START_SEC_CONST_CalGroupB_UNSPECIFIED
RTE_STOP_SEC_CONST_CalGroupB_UNSPECIFIED

In addition the following memory mapping defines are generated, if the calibration method
Initialized RAM is enabled (see also Chapter 6.6):
RTE_START_SEC_VAR_CalGroupA_UNSPECIFIED
RTE_STOP_SEC_VAR_CalGroupA_UNSPECIFIED
RTE_START_SEC_VAR_CalGroupB_UNSPECIFIED
RTE_STOP_SEC_VAR_CalGroupB_UNSPECIFIED

2015, Vector Informatik GmbH
Version: 4.8.0
50 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Example for Per-Instance Memory:
If the attribute PAR_GROUP_PIM contains e.g. the enumeration values PimGroupA and
PimGroupB and Per-Instance Memory is assigned to those group, the RTE generator will
create the following memory mapping defines:
RTE_START_SEC_VAR_PimGroupA_UNSPECIFIED
RTE_STOP_SEC_VAR_PimGroupA_UNSPECIFIED
RTE_START_SEC_VAR_PimGroupB_UNSPECIFIED
RTE_STOP_SEC_VAR_PimGroupB_UNSPECIFIED
4.5.2
Memory Sections for Software Components
The MICROSAR RTE generator generates specific memory mapping defines for each
SWC type which allows to locate SWC specific code, constants and variables in different
memory segments.
The variable part <Swc> is the camel case software component type name. The RTE
implementation template code generator (command line option –g i) uses the SWC
specific sections to locate the runnable entities in the appropriate memory section.
The SWC type specific parts of MemMap.h depend on the configuration. The MICROSAR
RTE generator creates a template for each SWC according the following naming rule:
 <Swc>_MemMap.h
2015, Vector Informatik GmbH
Version: 4.8.0
51 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.5.3
Compiler Abstraction Symbols for Software Components and RTE
The RTE generator uses SWC specific defines for the compiler abstraction.
The following define is used in RTE generated SW-C implementation templates in the
runnable entity function definitions.
<Swc>_CODE

In addition, the following compiler abstraction defines are available for the SWC developer.
They can be used to declare SWC specific function code, constants and variables.
<Swc>_CODE
<Swc>_CONST
<Swc>_VAR_NOINIT
<Swc>_VAR_INIT
<Swc>_VAR_ZERO_INIT

If the user code contains variable definitions, which are passed to the RTE API by
reference in order to be modified by the RTE (e.g. buffers for reading data elements) the
RTE uses the following define to specify the distance to the buffer.
RTE_APPL_VAR (RTE specific)

If the user code contains variable or constant definitions, which are passed to the RTE API
as pure input parameter (e.g. buffers for sending data elements) the RTE uses the
following define to specify the distance to the variable or constant.
RTE_<SWC>_APPL_DATA (SWC specific)
RTE_APPL_DATA (RTE specific)

All these SWC and RTE specific defines for the compiler abstraction might be adapted by
the integrator. The configured distances have to fit with the distances of the buffers and the
code of the application.

Caution
The template files <Swc>_MemMap.h, Rte_MemMap.h and Rte_Compiler_Cfg.h
 have to be adapted by the integrator depending on the used compiler and hardware
platform especially if memory protection is enabled.
When the files are already available during RTE generation, the code that is placed
within the user code sections marked by “DO NOT CHANGE”-comments is transferred
unchanged to the updated template files. The behavior is the same as for template
generation of other files like SWC template generation.
2015, Vector Informatik GmbH
Version: 4.8.0
52 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.6
Memory Protection Support
The MICROSAR RTE supports memory protection as an extension to the AUTOSAR RTE
specification. Therefore the memory protection support of the Operating System provides
the  base  functionality.  The  support  is  currently  limited  to  the  Vector  MICROSAR  OS
because the RTE requires read access to the data from all partitions what is not required
by AUTOSAR. Moreover when trusted functions are used, the RTE uses wrapper functions
that are only generated by MICROSAR OS.
4.6.1
Partitioning of SWCs
The partitioning of SWCs to memory areas can be done DaVinci CFG. The partitioning is
based  on  assignment  of  tasks  to  OS  applications,  which  is  part  of  the  OS  configuration
process.
There exists the restriction that all Runnable Entities of a single SWC have to be assigned
to  the  same  OS  application.  This  restriction  and  the  assignment  of  tasks  to  OS
applications  indirectly  assign  SWCs  to  OS  applications.  This  is  the  basis  for  grouping
SWCs  to  different  memory  partitions.  Additional  information  about  memory  protection
configuration can be found in Chapter 6.3.
4.6.2
OS Applications
The operating system supports different scalability classes (SC). Only in SC3 and SC4 the
memory  protection  mechanism  is  available.  Therefore  the  configuration  of  the  required
scalability  class  is  the  first  step  to  enable  memory  partitioning.  The  second  step  is  the
assignment  of  SWCs to  partitions  (OS  applications)  which  is done  by  assigning  tasks  to
OS applications as described above.
The OS supports two types of OS applications:
  Non-Trusted
  Trusted
Non-Trusted OS applications run with enabled memory protection, trusted OS applications
with disabled memory protection.
Both  types  are  supported  by  the  MICROSAR  RTE  and  can  be  selected  in  the  OS
application configuration dialog or directly in the OS configuration tool.
Caution
If no assignment of tasks to OS applications exist memory protection is disabled.


2015, Vector Informatik GmbH
Version: 4.8.0
53 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.6.3
Partitioning Architecture
When  memory  protection  is  used,  one  or  more  SWCs  can  be  assigned  to  an  OS
application but it is not allowed to split up a SWC between two or more OS applications.
That means that all runnables of a SWC have to be assigned to tasks, which belong to the
same OS application.  It is the responsibility of the RTE to transfer the data of S/R and the
arguments of C/S port interfaces over the protection boundaries.
Caution
Client-Server invocations implemented as direct function calls should be used inside
  one OS application only.

The MICROSAR RTE itself and the BSW can either run in a trusted OS application or in a
non-trusted OS application. Both architectures are described below.
4.6.3.1
Trusted RTE and BSW
trusted application
trusted application
Non-trusted
application
AUTOSAR
Software
Software
Software
Software
Component
Component
Component
Software
Component
..............
MICROSAR RTE
Service
Component
Communication
Complex
Device Driver
Ecu Abstraction
Operating
System
Basic Software
trusted/non-trusted
application
ECU-Hardware

Figure 4-4  Trusted RTE Partitioning example

This architecture overview assumes that the RTE and the BSW modules that are used by
the  RTE  run  in  one  or  more  trusted  OS  applications.  Application  software  components
(SWC) above the RTE can either be trusted or non-trusted. When this architecture is used,
2015, Vector Informatik GmbH
Version: 4.8.0
54 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

the RTE uses trusted functions so that non-trusted SWCs can access the BSW and SWCs
in  other  OS  applications.  In  this  architecture,  Rte_Start()  has  to  be  called  from  a
trusted task and the Com module needs to run in trusted context, too. The RTE will use the
same OS application as the BSW Scheduler tasks.
An architecture where the BSW modules and the RTE are assigned to a non-trusted OS
application is described in the next chapter.
4.6.3.2
Non-Trusted RTE and BSW
non-trusted
trusted application
Non-trusted
application
application
AUTOSAR
Software
Software
Software
Software
Component
Component
Component
Software
Component
..............
MICROSAR RTE
Service
Component
Communication
Complex
Device Driver
Ecu Abstraction
Operating
System
Basic Software
trusted/non-trusted
application
ECU-Hardware

Figure 4-5  Non-trusted RTE Partitioning example

This architecture overview assumes that the BSW modules below the RTE, as well as the
RTE itself run in a single non-trusted OS application. The SWCs above the RTE can either
be assigned to the same non-trusted OS application as the BSW or they can be assigned
to one or more other non-trusted or trusted OS applications. Every OS application has its
own buffers which are only written by runnables that run in the same OS application. The
RTE does not use trusted functions in this architecture. Therefore it is possible to create a
system where all SWCs and the BSW are assigned to non-trusted OS applications and all
runnables/tasks always run with enabled memory protection.
2015, Vector Informatik GmbH
Version: 4.8.0
55 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

The  non-trusted  RTE  architecture  is  automatically  chosen  when  the  RTE  configuration
fulfills the following criterions:
  The tasks that contain the BSW modules are known by the RTE. This can be achieved
by configuring them as BSW Scheduler tasks (See chapter 6.2).
  All BSW Scheduler tasks are assigned to the same non-trusted OS application (further
referred to as BSW OS Application). It is assumed that this is also the OS application
that initializes the RTE by calling Rte_Start. The application tasks can either be
assigned to the BSW OS Application or to other non-trusted or trusted OS
applications.
  All SWCs with mode provide ports are assigned to the BSW OS Application.
  All SWCs that contain runnables with mode disabling dependencies or mode triggers
are assigned to the BSW OS Application.
  There are no direct client/server calls across OS applications

No special limitations apply to SWCs that are assigned to the same OS application as the
BSW.  Moreover,  the  following  RTE  features  can  also  be  used  by  SWCs  in  other  OS
applications:
  direct or buffered inter-runnable variables
  per-instance memories
  SWC local calibration parameters
  access to calibration software components
  queued and nonqueued intra-ECU sender/receiver communication (when there is only
a single sender partition)
  inter-ECU sender/receiver communication (see also chapter 4.8.1)
  direct client/server calls to runnables within the same OS application
  mapped client/server calls to runnables in the same and different OS applications (see
also chapter 4.8.2)
  reading modes with the Rte_Mode API
  explicit and implicit exclusive areas
2015, Vector Informatik GmbH
Version: 4.8.0
56 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.6.4
Conceptual Aspects
For intra OS application communication no additional RTE interaction is required. Special
memory  protection  handling  is  required  only  if  communication  between  different  OS
applications exists. In that case, the RTE has to provide means to transfer data over the
protection boundaries. The only possibility is the usage of trusted function calls inside the
generated RTE code. Those trusted function calls are expensive concerning code usage
and runtime. Therefore the usage of trusted function calls should be minimized if possible.
The  MICROSAR  RTE  generator  uses  trusted  function  calls  only  if  necessary.  In  some
cases the usage of trusted function calls can be avoided by assigning the RTE buffers to
the  appropriate  OS  application.   The  Vector  MICROSAR  OS  only  provides  write  access
protection but doesn’t support read access protection. This behavior is the basis to avoid
trusted function calls, because the writing OS application can be seen as the owner of the
memory buffer. Only a simple assignment of the buffer to the appropriate OS application is
necessary. This also makes it possible to completely avoid trusted function calls when the
“Non-trusted RTE“ architecture (chapter 4.6.3.2) is chosen.
Only if the memory assignment cannot be used, the RTE needs trusted functions to cross
the protection boundaries.
For that purpose, the RTE generator uses the OS application of the BSW Scheduler tasks
as its own OS application, which always needs to be trusted. The trusted functions called
by the RTE are assigned to that trusted OS application. In addition to the communication
between SWCs of different OS applications, there also exists communication between the
COM BSW module and the RTE. Especially the notifications of the COM  are done in an
undefined call context. The MICROSAR RTE assumes that the calls of the COM callbacks
are done from the OS application that contains the BSW Scheduler tasks.
2015, Vector Informatik GmbH
Version: 4.8.0
57 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.6.5
Memory Protection Integration Hints
4.6.5.1
Enabling of Memory Protection support
Please make sure that memory protection is enabled by assigning tasks to OS
applications and by selecting scalability class SC3 or SC4 in the OS configuration.
4.6.5.2
Memory mapping in Linker Command File
If memory protection is enabled, the RTE generator creates additional OS application
specific memory sections for variables: In addition, the user has to split up his Per-
Instance Memory (PIM) sections to the different OS applications. These additional memory
sections have to be mapped in the linker command file to the appropriate memory
segments. See OS and compiler / linker manual for details.
The individual memory sections are listed in chapter 4.5.
The standard RTE memory section defines need to be mapped to the same segments as
the BSW.
OS Application specific parts of the RTE implementation are generated to separate
Rte_<OsApplicationName>.c files.
4.6.5.3
OS Configuration extension
In addition to the RTE extensions in the OS configuration which are done automatically by
the RTE generator, the following steps have to be done by the Integrator.
All OS objects, used by BSW modules e.g. ISRs, BSW-Tasks, OS resources, alarms etc.
have to be assigned to an OS application. COM callbacks have to run in the same OS
application as the RTE/BSW Scheduler tasks. Dependent on the implementation of the
COM Stack, the tasks or ISRs, which call the COM callbacks must therefore be assigned
to the right OS application.
In the OS configuration of an SC3 or SC4 OS, the tasks must explicitly allow access by
other OS applications. Due to possible calls of ActivateTask or SetEvent inside RTE
implemented COM callbacks, the accessing BSW OS applications for all application tasks,
which are affected by these calls need to be configured. This is automatically done when
the RTE configuration contains all BSW Scheduler tasks. Otherwise, the configuration
needs to be extended by the integrator.
If the RTE configuration contains not all BSW Scheduler tasks, also the OS application
that sets up the tasks and alarms by calling Rte_Start needs to be configured for the
task and alarm objects in the OS configuration.
This configuration extension has to be done in the OS configuration tool.
2015, Vector Informatik GmbH
Version: 4.8.0
58 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.7
Multicore support
Similar  to  the  mapping  of  SWCs  to  partitions  with  different  memory  access  rights,  the
MICROSAR RTE also supports the mapping of  SWCs to partitions on different  cores for
parallel execution.
4.7.1
Partitioning of SWCs
The  mapping  of  SWCs  to  cores  happens  with  the  help  of  OS  Applications  like  in  the
memory protection use case. The user has to assign runnables to tasks and tasks to OS
Applications  in  order  to  map  SWCs  to  partitions.  The  OS  Applications  can  then  be
assigned  to  one  of  the  cores  of  the  ECU.  SWCs  can  only  be  assigned  to  a  single  OS
Application. This means that  all runnables  of a SWC  need to be mapped to tasks within
the same OS Application.
When  two  SWCs  on  different  cores  communicate  with  each  other,  the  RTE  will
automatically apply data consistency mechanisms.
4.7.2
BSW in Multicore Systems
The  MICROSAR  RTE  assumes  that  all  BSW  modules  with  direct  RTE  interaction  (e.g.
COM and NVM) are located in a single BSW OS Application on a single  BSW core. The
only  exceptions  are  BSW  modules  like  OS  and  ECUM  that  need  to  be  available  on  all
cores.  For AUTOSAR4,  the BSW OS Application  is  the  OS Application  that  contains  the
tasks  with  the  schedulable  entities. The  RTE  assumes  that  all  COM  and  NVM  callbacks
are called from this BSW OS Application.
All  RTE  Lifecycle  APIs  (Rte_Start(),  Rte_Stop(),  Rte_InitMemory(),
SchM_Init(), SchM_Deinit()) have to be called on all cores.
Cyclic triggered runnables will start to run as soon as Rte_Start() is called on the BSW
core.
It is recommended to use only a single BSW OS Application per core. The RTE will then
configure  the  access  rights  so  that  Rte_Start()  can  be  called  from  the  core  specific
BSW OS application.

Caution
The RTE will start the scheduling of cyclic triggered runnable entities as soon as
  Rte_Start() is called on the BSW Core. Therefore, Rte_Start() on the BSW core
should only be invoked when the Rte_Start() calls on all other cores finished
execution. This is checked with a DET check.

2015, Vector Informatik GmbH
Version: 4.8.0
59 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.7.3
IOC Usage
In multicore systems, the OS provides Inter OS-Application Communicator (IOC) Objects
for  the  communication  between  the  individual  cores.  However,  on  many  systems  the
memory of the different cores can also be accessed without IOCs. This is the case when
the  RTE  variables  that  are  used  for  communication  are  mapped  to  non-cacheable  RAM
and when they can either be accessed atomically or when the accesses are protected with
a spinlock. Moreover in case of memory protection, this is only possible when a variable is
only written by a single partition and when the variable can be read by the other partitions.
The MICROSAR RTE Generator tries to avoid IOCs so that it can use the same variables
for intra and inter partition communication. Moreover spinlocks are only used for variables
that cannot be accessed atomically.
If the RTE variables cannot be mapped to globally readable, shared, non-cacheable RAM
the  usage  of  IOCs  can  be  enforced  with  the  EnforceIoc  parameter  in  the
RteGeneration parameters.

Caution
RTE variables that are mapped to NOCACHE memory sections need to be mapped to
  non-cacheable RAM. See also chapter 4.5.

4.8
BSW Access in Partitioned systems
When  the  SWCs  are  assigned  to  different  OS  Applications,  only  the  SWCs  that  are
assigned  to  the  BSW  OS  Application  can  access  the  BSW  directly.  SWCs  that  are
assigned to other cores or partitions do not always have the required access rights. The
same is true for runnable entities that are directly called by the BSW through client/server
interfaces. The RTE can transparently provide proxy code for such BSW accesses but the
user needs to map the SendSignal proxy and the server runnables to tasks in which they
can be executed.
4.8.1
Inter-ECU Communication
IOCs or additional global RTE variables are automatically inserted by the RTE generator
when data needs to be sent from a partition without BSW to another ECU. This is required
because the COM APIs cannot be called directly in this case.
Instead, the RTE provides a schedulable entitiy  Rte_ComSendSignalProxyPeriodic,
which periodically calls the COM APIs when a partition without BSW transmitted data.
The schedulable entity Rte_ComSendSignalProxyPeriodic should be mapped to the
same task as Com_MainFunctionTx  with a lower position in task so that  it can update
the signals before they are transmitted by COM. Rte_ComSendSignalProxyPeriodic
will be scheduled with the same cycle time as Com_MainFunctionTx. For this, the RTE
generator reads the period from the COM configuration.
For  the  reception  of  signals  no  special  handling  is  required.  The  RTE  will  automatically
forward the received data to the appropriate partition in the COM notifications.

2015, Vector Informatik GmbH
Version: 4.8.0
60 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

4.8.2
Client Server communication
Also client server calls between SWCs in different partitions are possible.
In order to execute the server runnable in another partition, the server runnable needs to
be  mapped  to  a  task.  The  RTE  will  then  make  the  server  arguments  available  in  the
partition of the server runnable, execute the server runnable in the context of its task and
return the results to the calling partition.
Direct  client  server  calls  to  servers  on  other  cores  are  not  possible  because  this  would
enforce that the server is executed in the context of the client core. This would lead to data
consistency problems for RTE APIs that only provide buffer pointers like Rte_Pim(). The
RTE  cannot  use  IOCs  for  these  APIs  because  the  actual  buffer  update  is  done  by  the
application code.
You can instruct the RTE to generate a context switch. You can decide this over the task
mapping of a function trigger.
If you consider RTE calls which originate from the same partition as the server runnable, a
context switch into the task of the server runnable may not be required. Here, doing a task
switch would mean an additional overhead which can be avoided.
Therefore  it  is  also  possible  to  configure  an  additional  server  port  prototype  for  clients
which are local to the server partition. The triggers from both server ports can then trigger
the same server runnable. However, only  the  trigger  from  the  port  that  is  connected
to    foreign  partitions needs  to  be mapped onto  a  task. As  a  consequence,  the  RTE  can
implement calls from partition local clients as efficient direct function calls.
Please take into account, that this is only allowed when the server runnable is not invoked
concurrently  or  marked  as  “can  be  invoked  concurrently”.  In  addition,  you  can  use
Exclusive Areas to protect the runnable against concurrent access problems.

2015, Vector Informatik GmbH
Version: 4.8.0
61 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5 API Description
The RTE API functions used inside the runnable entities are accessible by including the
SWC application header file Rte_<ComponentType>.h.

Info
The following API descriptions contain the direction qualifier IN, OUT and INOUT. They
 are intended as direction information only and shall not be used inside the application
code.

For an interfaces overview please see Figure 2-2.
5.1
Data Type Definition
The MICROSAR RTE has special handling for the implementation data types, which are
defined in Std_Types.h and Platform_Types.h (see [7] and [8] for details). The RTE
generator assumes that these data types are available and therefore skips the generation
of type definitions.
In addition implementation data types where the typeEmitter attribute is set to a value
different to RTE or where the value is not empty the RTE generator also skips generation
of the type definition. In this case the user has to adopt the generated template file
Rte_UserTypes.h which should contain the type definitions for the skipt implementation
data types because the RTE itself needs the type definition.
All other primitive or composite application and implementation data types are generated
by the RTE generator. This includes the data types which are assigned to a SWC by a
definition of an IncludedDataTypeSet.
Floating point data types with double precision may not be used for data elements with
external connectivity, because the MICROSAR COM layer lacks support for 64 bit data
types.
5.1.1
Invalid Value
The MICROSAR RTE provides access to the invalid value of a primitive data type. It can
be accessed with the following macro:
InvalidValue_<DataType>

Caution
Because the macro does not contain the Rte_ prefix, care must be taken not to define
data types conflicting with any other symbols defined by the RTE or the application
 code.

2015, Vector Informatik GmbH
Version: 4.8.0
62 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.1.2
Upper and Lower Limit
The range of the primitive application data types is specified by an upper and a lower limit.
These limits are accessible from the application by using the following macro if the limits
are specified:
<DataType>_LowerLimit
<DataType>_UpperLimit

Caution
Because the macro does not contain the Rte_ prefix, care must be taken not to define
data types conflicting with any other symbols defined by the RTE or the application
 code.

5.1.3
Initial Value
Like the limits also the initial value of an un-queued data element of an S/R port prototype
is accessible from the application:
Rte_InitValue_<PortPrototype>_<DataElementPrototype>

Caution
The initial value of an Inter-Ecu S/R communication might be changed by the post-build
 capabilities of the communication stack. Please note that the macro of the RTE still
provides the original initial value defined at pre-compile time. Please don’t use the
macro if the initial value will be changed in the communication stack at post-build time.

5.2
API Error Status
Most of the RTE APIs provide an error status in the API return code. For easier evaluation
the MICROSAR RTE provides the following status access macros:
Rte_IsInfrastructureError(status)
Rte_HasOverlayedError(status)
Rte_ApplicationError(status)

The macros can be used inside the runnable entities for evaluation of the RTE API return
code. The boolean return code of the Rte_IsInfrastructure and Rte_HasOverlayedError
macros indicate if either the immediate infrastructure error flag (bit 7) or the overlay error
flag (bit 6) is set.
The Rte_ApplicationError macro returns the application errors without overlayed errors.
2015, Vector Informatik GmbH
Version: 4.8.0
63 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.3
Runnable Entities
Runnable entities are configured in DaVinci and must be implemented by the user. DaVinci
features the generation of a template file containing the empty bodies of all runnable
entities that are configured for a specific component type.
5.3.1
<RunnableEntity>

Prototype
void <RunnableEntity> ( [IN Rte_Instance instance] )
{Std_ReturnType|void} <ServerRunnable> ( [IN Rte_Instance instance] {,
IN type [*]inputparam}* {, OUT type *outputparam}* )
Parameter
Instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
[*]inputparam, *outputparam
Parameters are only present for server runnables, i.e. runnable
entities triggered by an OperationInvokedEvent. Input (IN) parameters
are passed by value (primitive types) or reference (composite and
string types), output (OUT) parameters are always passed by
reference.
Return code
RTE_E_OK
Server runnables return RTE_E_OK for successful operation
execution if an application error is referenced by the operation
prototype. Application errors are defined at the client/server port
interface.
RTE_E_<interf>_<error>
Server runnables may return an application error (in the range of 1 to
63) if the operation execution was not successful. Application errors
are defined at the client/server port interface and are referenced by
the operation prototype.
Existence
If configured in DaVinci.
Functional Description
The user function <RunnableEntity>() is the specific implementation of a runnable entity of a
software component and has to be provided by the user. It is called from the MICROSAR RTE.
The first prototype form with no return value and only the optional instance parameter is valid for the
following trigger conditions:
 TimingEvent: Triggered on expiration of a configured timer.
 DataReceivedEvent: Triggered on reception of a data element.
 DataReceiveErrorEvent: Triggered on reception error of a data element.
 DataSendCompletionEvent: Triggered on successful transmission of a data element.
 ModeSwitchEvent: Triggered on entering or exiting of a mode of a mode declaration group.
 ModeSwitchedAckEvent: Triggered on completion of a mode switch of a mode declaration
group.
 AsynchronousServerCallReturnsEvent: Triggered on finishing of an asynchronous server
2015, Vector Informatik GmbH
Version: 4.8.0
64 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

call. The Rte_Result() API shall be used to get the out parameters of the server call.
The first prototype form is also valid for initialization runnables (Init-Runnables):
  Triggered on startup of the RTE.
The second prototype form is valid for server runnables:
  OperationInvokedEvent: Triggered on invocation of the operation in a C/S port interface
(server runnable). A return value is only present if application errors are referenced by the
implemented operation. The parameter list is directly derived from the configured operation
prototype with the addition of the optional instance parameter.
The configuration of the trigger conditions can be done in the runnable entities tab of the component type
configuration.
Call Context
The call context of server runnables depends on the task mapping. Server runnables mapped to a task
are executed in the context of this task, unmapped server runnables are executed in the context of the
task that invoked the operation. All other runnables are invoked by the RTE in the context of the task the
runnables are mapped to.
Caution
The relative priority of the assigned OS tasks is responsible for the call sequence
  of Init-Runnables. The RTE ensures that the Init-Runnable is called before any
other runnable mapped to the same task, but does not enforce that all Init-
Runnables have been executed before any other runnable is called. To make sure
that all Init-Runnables are executed before any other runnable is called, all Init-
Runnables should be mapped to the task with the highest priority.

Caution
Init runnables are a Vector extension to the AUTOSAR standard and may not be
  supported by other RTE generators.

2015, Vector Informatik GmbH
Version: 4.8.0
65 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.4
SWC Exclusive Areas
5.4.1
Rte_Enter

Prototype
void Rte_Enter_<ExclusiveArea> ( [IN Rte_Instance instance] )
Parameter
Instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
-

Existence
This API exists when at least one runnable has configured explicit access
(canEnterExclusiveArea) to an exclusive area of a component.
Functional Description
The function Rte_Enter_<ea>() implements explicit access to the exclusive area. The exclusive
area is defined in the context of a component type and may be accessed by all runnables of that
component, either implicitly or explicitly via this API.
This function is the counterpart of Rte_Exit_<ea>(). Each call to Rte_Enter_<ea>() must be
matched by a call to Rte_Exit_<ea>() in the same runnable entity. One exclusive area must not
be entered more than once at a time, but different exclusive areas may be nested, as long as they
are left in reverse order of entering them.
For restrictions on using exclusive areas with different implementations, see section 3.6.10.
Call Context
This function can be used inside runnable entities.

2015, Vector Informatik GmbH
Version: 4.8.0
66 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.4.2
Rte_Exit

Prototype
void Rte_Exit_<ExclusiveArea> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
-

Existence
This API exists when at least one runnable has configured explicit access
(canEnterExclusiveArea) to an exclusive area of a component.
Functional Description
The function Rte_Exit_<ea>() implements releasing of an explicit entered exclusive area. The
exclusive area is defined in the context of a component type and may be accessed by all runnables
of that component, either implicitly or explicitly via this API.
This function is the counterpart of Rte_Enter_<ea>(). Each call to Rte_Enter_<ea>() must
be matched by a call to Rte_Exit_<ea>() in the same runnable entity. One exclusive area must
not be entered more than once at a time, but different exclusive areas may be nested, as long as
they are left in reverse order of entering them.
For restrictions on using exclusive areas with different implementations, see section 3.6.10.
Call Context
This function can be used inside runnable entities.
2015, Vector Informatik GmbH
Version: 4.8.0
67 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.5
BSW Exclusive Areas
5.5.1
SchM_Enter

Prototype
void SchM_Enter_<Bsw>_<ExclusiveArea> ( void )
Parameter
-

Return code
-

Existence
This API exists when at least one schedulable entity has configured access
(canEnterExclusiveArea) to an exclusive area in the internal behavior of the BSW module
description.
Functional Description
The function SchM_Enter_<bsw>_<ea>() implements access to the exclusive area. The
exclusive area is defined in the context of a BSW module and may be accessed by all schedulable
entities of that module via this API.
This function is the counterpart of SchM_Exit_<bsw>_<ea>(). Each call to
SchM_Enter_<bsw>_<ea>() must be matched by a call to SchM_Exit_<bsw>_<ea>() in the
same schedulable entity. One exclusive area must not be entered more than once at a time, but
different exclusive areas may be nested, as long as they are left in reverse order of entering them.
For restrictions on using exclusive areas with different implementation methods, see section 3.6.10.
Call Context
This function can be used inside a schedulable entity in Task or Interrupt context.

2015, Vector Informatik GmbH
Version: 4.8.0
68 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.5.2
SchM_Exit

Prototype
void SchM_Exit_<Bsw>_<ExclusiveArea> ( void )
Parameter
-

Return code
-

Existence
This API exists when at least one schedulable entity has configured access
(canEnterExclusiveArea) to an exclusive area in the internal behavior of the BSW module
description.
Functional Description
The function SchM_Exit_<bsw>_<ea>() implements releasing of the exclusive area. The
exclusive area is defined in the context of a BSW module and may be accessed by all schedulable
entities of that module via this API.
This function is the counterpart of SchM_Enter_<bsw>_<ea>(). Each call to
SchM_Enter_<bsw>_<ea>() must be matched by a call to SchM_Exit_<bsw>_<ea>() in the
same schedulable entity. One exclusive area must not be entered more than once at a time, but
different exclusive areas may be nested, as long as they are left in reverse order of entering them.
For restrictions on using exclusive areas with different implementation methods, see section 3.6.10.
Call Context
This function can be used inside a schedulable entity in Task or Interrupt context.

2015, Vector Informatik GmbH
Version: 4.8.0
69 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6
Sender-Receiver Communication
5.6.1
Rte_Read

Prototype
Std_ReturnType Rte_Read__<d> ( [IN Rte_Instance instance,] OUT <DataType> *data )
Parameter
instance
Instance handle, used to distinguish between the different
instances in case of multiple instantiation.
Note: This is an optional parameter depending on the
configuration of supportsMultipleInstantiation
attribute.
*data
The output <data> is passed by reference. The <DataType> is
the type, specified at the data element prototype in the SWC
description.
Return code
RTE_E_OK
Data read successfully.
RTE_E_UNCONNECTED
Indicates that the receiver port is not connected.
RTE_E_INVALID
An invalidated signal has been received by the RTE.
RTE_E_MAX_AGE_EXCEEDED
Indicates a timeout, detected by the COM module in case of
inter ECU communication, if an aliveTimeout is specified.
RTE_E_NEVER_RECEIVED
No data received since system start.
RTE_E_SOFT_TRANSFORMER_ERROR An error during transformation occurred which shall be notified
to the SWC but still produces valid data as output.
RTE_E_HARD_TRANSFORMER_ERROR An error during transformation occurred which produces invalid
data as output.
Existence
This API exists, if the runnable entity of a SWC has configured direct (explicit) access in the role
dataReceivePointByArgument for the data element in the DaVinci configuration and the referenced data
element prototype is configured without queued communication (isQueued=false).
Functional Description
The function Rte_Read__<d>() supplies the current value of the data element. This API can be used
for explicit read of S/R data with isQueued=false. After startup Rte_Read provides the initial value.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
70 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.2
Rte_DRead

Prototype
<DataType> Rte_DRead__<d> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different
instances in case of multiple instantiation.
Note: This is an optional parameter depending on the
configuration of supportsMultipleInstantiation
attribute.
Return code
<DataType>
The return value contains the current value of the data element.
The <DataType> is the (primitive) type, specified at the data
element prototype in the SWC description.
Existence
This API exists, if the runnable entity of a SWC has configured direct (explicit) access in the role
dataReceivePointByValue for the data element in the DaVinci configuration and the referenced data
element prototype is configured without queued communication (isQueued=false).
Functional Description
The function Rte_DRead__<d>() supplies the current value of the data element. This API can be used
for explicit read of S/R data with isQueued=false. After startup or if the receiver port is unconnected,
Rte_DRead provides the initial value. The API is only available for primitive data types.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
71 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.3
Rte_Write

Prototype
Std_ReturnType Rte_Write__<d> ( [IN Rte_Instance instance,] IN <DataType> data )
Std_ReturnType Rte_Write__<d> ( [IN Rte_Instance instance,] IN <DataType> *data )
Parameter
instance
Instance handle, used to distinguish between the different
instances in case of multiple instantiation.
Note: This is an optional parameter depending on the
configuration of supportsMultipleInstantiation
attribute.
data
The input data <data> for primitive data types without string
types is passed by value. The <DataType> is the type, specified
at the data element prototype in the SWC description.
*data
The input data <data> for string types and composite data types
is passed by reference. The <DataType> is the type, specified
at the data element prototype in the SWC description.
Return code
RTE_E_OK
Data passed to communication services successfully.
RTE_E_COM_STOPPED
An infrastructure communication error was detected by the RTE.
RTE_E_SOFT_TRANSFORMER_ERROR An error during transformation occurred which shall be notified
to the SWC but still produces valid data as output.
RTE_E_HARD_TRANSFORMER_ERROR An error during transformation occurred which produces invalid
data as output.
Existence
This API exists, if the runnable entity of a SWC has configured direct (explicit) access to the data element in
the DaVinci configuration and the referenced data element prototype is configured without queued
communication (isQueued=false).
Functional Description
The function Rte_Write__<d>() can be used for explicit transmission of S/R data with
isQueued=false.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
72 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.4
Rte_Receive

Prototype
Std_ReturnType Rte_Receive__<d> ( [IN Rte_Instance instance,] OUT <DataType> *data, [OUT uint16
*length] )
Parameter
instance
Instance handle, used to distinguish between the different
instances in case of multiple instantiation.
Note: This is an optional parameter depending on the
configuration of supportsMultipleInstantiation
attribute.
*data
The output <data> is passed by reference. The <DataType> is
the type, specified at the data element prototype in the SWC
description.
*length
In case of an array with variable number of elements, the
dynamic length <length> is returned.
Return code
RTE_E_OK
Data read successfully.
RTE_E_UNCONNECTED
Indicates that the receiver port is not connected.
RTE_E_NO_DATA
A non-blocking call returned no data due to an empty receive
queue. No other error occurred.
RTE_E_TIMEOUT
Returned by a blocking call after the timeout has expired. No
data returned and no other error occurred. The argument buffer
is not changed.
RTE_E_LOST_DATA
Indicates that some incoming data has been lost due to an
overflow of the receive queue. This is not an error of the data
returned in the out parameter.
RTE_E_SOFT_TRANSFORMER_ERROR An error during transformation occurred which shall be notified
to the SWC but still produces valid data as output.
RTE_E_HARD_TRANSFORMER_ERROR An error during transformation occurred which produces invalid
data as output.
Existence
This API exists, if the runnable entity of a SWC has configured polling or waiting access to the data element
in the DaVinci configuration and the referenced data element prototype is configured with queued
communication (isQueued=true).
Functional Description
The function Rte_Receive__<d>() supplies the oldest value stored in the reception queue of the data
element. This API can be used for explicit read of S/R data with isQueued=true.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
73 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.5
Rte_Send

Prototype
Std_ReturnType Rte_Send__<d> ( [IN Rte_Instance instance,] IN <DataType> data )
Std_ReturnType Rte_Send__<d> ( [IN Rte_Instance instance,] IN <DataType> *data, [IN uint16
length] )
Parameter
instance
Instance handle, used to distinguish between the different
instances in case of multiple instantiation.
Note: This is an optional parameter depending on the
configuration of supportsMultipleInstantiation
attribute.
data
The input data <data> for primitive data types without string
types is passed by value. The <DataType> is the type, specified
at the data element prototype in the SWC description.
*data
The input data <data> for string types and composite data types
is passed by reference. The <DataType> is the type, specified
at the data element prototype in the SWC description.
length
In case of an array with variable number of elements, the input
data <length> specifies the dynamic array length.
Return code
RTE_E_OK
Data passed to communication services successfully.
RTE_E_COM_STOPPED
An infrastructure communication error was detected by the RTE.
RTE_E_LIMIT
The submitted data has been discarded because the receiver
queue is full. Relevant only to intra ECU communication.
RTE_E_SOFT_TRANSFORMER_ERROR An error during transformation occurred which shall be notified
to the SWC but still produces valid data as output.
RTE_E_HARD_TRANSFORMER_ERROR An error during transformation occurred which produces invalid
data as output.
Existence
This API exists, if the runnable entity of a SWC has configured access to the data element in the DaVinci
configuration and the referenced data element prototype is configured with queued communication
(isQueued=true).
Functional Description
The function Rte_Send__<d>() can be used for explicit transmission of S/R data with
isQueued=true.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
74 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.6
Rte_IRead

Prototype
<DataType> Rte_IRead_<r>__<d> ( [IN Rte_Instance instance] )
<DataType> *Rte_IRead_<r>__<d> ( [IN Rte_Instance instance] )
Parameter
Instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
<DataType>
The return value contains the buffered data for primitive data types.
<DataType> is the type, specified at the data element prototype in the
SWC description
<DataType> *
The return value contains a reference to the buffered data for string
types and composite data types. <DataType> is the type, specified at
the data element prototype in the SWC description
Existence
This API exists, if the runnable entity of a SWC has configured buffered (implicit) access to the data
element in the DaVinci configuration.
Functional Description
The function Rte_IRead_<r>__<d>() supplies the value of the data element, stored in a
buffer before starting of the runnable entity. This API can be used for buffered (implicit) read of S/R
data with isQueued=false. After startup Rte_IRead provides the initial value.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

2015, Vector Informatik GmbH
Version: 4.8.0
75 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.7
Rte_IWrite

Prototype
void Rte_IWrite_<r>__<d> ( [IN Rte_Instance instance,] IN <DataType> data )
void Rte_IWrite_<r>__<d> ( [IN Rte_Instance instance,] IN <DataType> *data )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
data
The input data <data> for primitive data types without string types is
passed by value. The <DataType> is the type, specified at the data
element prototype in the SWC description.
*data
The input data <data> for string types and composite data types is
passed by reference. The <DataType> is the type, specified at the
data element prototype in the SWC description.
Return code
-

Existence
This API exists, if the runnable entity of a SWC has configured buffered (implicit) access to the data
element in the DaVinci configuration.
Functional Description
The function Rte_IWrite_<r>__<d>() can be used for buffered transmission of S/R data
with isQueued=false. Note, that the actual transmission is performed and therefore visible for
other runnable entities after the runnable entity has been terminated.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

Caution
When implicit write access to a data element has been configured for a runnable, the
 runnable has to update the data element at least once during its execution time using
the Rte_IWrite API or writing to the location returned by the Rte_IWriteRef API.
Otherwise, the content of the data element is undefined upon return from the runnable.

2015, Vector Informatik GmbH
Version: 4.8.0
76 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.8
Rte_IWriteRef

Prototype
<DataType> *Rte_IWriteRef_<r>__<d> ( [IN Rte_Instance instance] )
Parameter
Instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
<DataType> *
The return value contains a reference to the buffered data.
<DataType> is the type, specified at the data element prototype in the
SWC description
Existence
This API exists, if the runnable entity of a SWC has configured buffered (implicit) access to the data
element in the DaVinci configuration.
Functional Description
The function Rte_IWriteRef_<r>__<d>() can be used for buffered transmission of S/R
data with isQueued=false. Note, that the actual transmission is performed and therefore visible
for other runnable entities after the runnable entity has been terminated.
The returned reference can be used by the runnable entity to directly update the corresponding
data elements. This is especially useful for data elements of composite types.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

Caution
When implicit write access to a data element has been configured for a runnable, the
 runnable has to update the data element at least once during its execution time using
the Rte_IWrite API or writing to the location returned by the Rte_IWriteRef API.
Otherwise, the content of the data element is undefined upon return from the runnable.

2015, Vector Informatik GmbH
Version: 4.8.0
77 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.9
Rte_IStatus

Prototype
Std_ReturnType Rte_IStatus_<r>__<d> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
RTE_E_OK
Data read successfully.
RTE_E_UNCONNECTED
Indicates that the receiver port is not connected.
RTE_E_INVALID
An invalidated signal has been received by the RTE.
RTE_E_MAX_AGE_EXCEEDED Indicates a timeout, detected by the COM module in case of inter ECU
communication, if an aliveTimeout is specified.
RTE_E_NEVER_RECEIVED
No data received since system start.
Existence
This API exists, if the runnable entity of a SWC has configured buffered (implicit) access to the data
element in the DaVinci configuration and if either
 data element outdated notification (aliveTimeout > 0) or
 data element invalidation is activated for this data element or
 the attribute handleNeverReceived is configured.
Functional Description
The function Rte_IStatus_<r>__<d>() returns the status of the data element which can be read
with Rte_IRead.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC). Usage in
other runnables of the same SWC is forbidden!
2015, Vector Informatik GmbH
Version: 4.8.0
78 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.10 Rte_Feedback

Prototype
Std_ReturnType Rte_Feedback__<d> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
RTE_E_NO_DATA
No data transmitted, when the feedback API was attempted (non-
blocking call only).
RTE_E_UNCONNECTED Indicates that the sender port is not connected.
RTE_E_TIMEOUT
A timeout notiﬁcation was received from COM before any error
notiﬁcation (Inter-ECU only).
RTE_E_COM_STOPPED The last transmission was rejected when either Rte_Send / Rte_Write
API was called and the COM was stopped or an error notiﬁcation from
COM was received before any timeout notiﬁcation (Inter-ECU only).
RTE_E_TRANSMIT_ACK A “transmission acknowledgement” has been received.
Existence
This API exists, if the runnable entity of a SWC has configured explicit access to the data element
in the DaVinci configuration of a runnable entity and in addition the transmission acknowledgement
is enabled at the communication specification. Furthermore, polling or waiting acknowledgment
mode has to be specified for the same data element. If a timeout is specified, timeout monitoring
for waiting acknowledgment access is enabled.
Functional Description
The function Rte_Feedback__<d>() can be used to read the transmission status for explicit
S/R communication. It indicated the status of data, transmitted by Rte_Write() and
Rte_Send() calls. Depending on the configuration, the API can be either blocking or non-blocking.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
79 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.6.11 Rte_IsUpdated

Prototype
boolean Rte_IsUpdated__<d> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
TRUE
Data element has been updated since last read.
FALSE
Data element has not been updated since last read.
Existence
This API exists, if the runnable entity of a SWC has configured explicit access to the data element
in the DaVinci configuration of a runnable entity and in addition the EnableUpdate attribute is
enabled at the communication specification.
Functional Description
The function Rte_IsUpdated__<d>() returns if the data element has been updated since
the last read or not.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
80 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.7
Data Element Invalidation
5.7.1
Rte_Invalidate

Prototype
Std_ReturnType Rte_Invalidate__<d> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different
instances in case of multiple instantiation.
Note: This is an optional parameter depending on the
configuration of supportsMultipleInstantiation
attribute.
Return code
RTE_E_OK
No error occurred.
RTE_E_COM_STOPPED
The RTE could not perform the operation because the COM
service is currently not available (inter ECU communication
only).
Existence
This API exists, if the runnable entity of a SWC has configured explicit and non-queued access to the data
element in the DaVinci configuration of a runnable entity and in addition the data element invalidation is
enabled at the communication specification (CanInvalidate=true).
Functional Description
The function Rte_Invalidate__<d>() can be used to set the transmission data invalid for explicit
non-queued S/R communication.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
81 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.7.2
Rte_IInvalidate

Prototype
void Rte_IInvalidate_<r>__<d> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
-

Existence
This API exists, if the runnable entity of a SWC has configured buffered (implicit) access to the data
element in the DaVinci configuration of a runnable entity and in addition the data element
invalidation is enabled at the communication specification (CanInvalidate=true).
Functional Description
The function Rte_IInvalidate_<r>__<d>() can be used to set the transmission data
invalid for implicit (buffered) S/R communication.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

2015, Vector Informatik GmbH
Version: 4.8.0
82 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.8
Mode Management
5.8.1
Rte_Switch

Prototype
Std_ReturnType Rte_Switch__<m> ( [IN Rte_Instance instance,]
IN Rte_ModeType_<ModeDeclarationGroup> mode )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
mode
The next mode. It is of type Rte_ModeType_<m>, where <m> is the
name of the mode declaration group.
Return code
RTE_E_OK
Mode switch trigger passed to the RTE successfully.

RTE_E_LIMIT
The submitted mode switch has been discarded because the mode
queue is full.
Existence
This API exists, if the runnable entity of a SWC has configured access to the mode declaration
group prototype in the DaVinci configuration.
Functional Description
The function Rte_Switch__<m>() can be used to trigger a mode switch of the specified
mode declaration group prototype.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
83 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.8.2
Rte_Mode

Prototype
Rte_ModeType_<ModeDeclarationGroup> Rte_Mode__<m> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
RTE_TRANSITION_<mg> This return code is returned if the mode machine is in a mode
transition.
RTE_MODE_<mg>_<m>
This value is returned if the mode machine is not in a transition.
<m> indicates the currently active mode.
Existence
This API exists, if the runnable entity of a SWC has configured access to the mode declaration
group prototype in the DaVinci configuration and the enhanced Mode API is not active.
Functional Description
The function Rte_Mode__<m>() provides the current mode of a mode declaration group
prototype.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
84 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.8.3
Enhanced Rte_Mode

Prototype
Rte_ModeType_<ModeDeclarationGroup> Rte_Mode__<m> ( [IN Rte_Instance instance],
OUT Rte_ModeType_<ModeDeclarationGroup> previousMode,
OUT Rte_ModeType_<ModeDeclarationGroup> nextMode )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
previousMode
The previous mode is returned if the mode machine is in a transition.
nextMode
The next mode is returned if the mode machine is in a transition.
Return code
RTE_TRANSITION_<mg> This return code is returned if the mode machine is in a mode
transition.
RTE_MODE_<mg>_<m>
This value is returned if the mode machine is not in a transition.
<m> indicates the currently active mode.
Existence
This API exists, if the runnable entity of a SWC has configured access to the mode declaration
group prototype in the DaVinci configuration and the enhanced Mode API is active.
Functional Description
The function Rte_Mode__<m>() provides the current mode of a mode declaration group
prototype. In addition it provodes the previous mode and the next mode if the mode machine is in
transition.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
85 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.8.4
Rte_SwitchAck

Prototype
Std_ReturnType Rte_SwitchAck__<m> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
RTE_E_NO_DATA
No mode switch triggered, when the switch ack API was attempted
(non-blocking call only).
RTE_E_TIMEOUT
No mode switch processed within the specified timeout time, when the
switch ack API was attempted (blocking call only).
RTE_E_TRANSMIT_ACK The mode switch acknowledgement has been received.
RTE_E_UNCONNECTED Indicates that the mode provide port is not connected.
Existence
This API exists, if the runnable entity of a SWC has configured access to the mode declaration
group prototype in the DaVinci configuration of a runnable entity and in addition the mode switch
acknowledgement is enabled at the mode switch communication specification. Furthermore, polling
or waiting acknowledgment mode has to be specified for the same mode declaration group
prototype. If a timeout is specified, timeout monitoring for waiting acknowledgment access is
enabled.
Functional Description
The function Rte_SwitchAck__<m>() can be used to read the mode switch status of a
specific mode declaration group prototype. It indicated the status of a mode switch, triggered by an
Rte_Switch call. Depending on the configuration, the API can be either blocking or non-blocking.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
86 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.9
Inter-Runnable Variables
5.9.1
Rte_IrvRead

Prototype
<DataType> Rte_IrvRead_<r>_<v> ( [IN Rte_Instance instance] )
void Rte_IrvRead_<r>_<v> ([IN Rte_Instance instance,] OUT <DataType> *data)
Parameter
Instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
*data
The output <data> is passed by reference for composite data types.
The <DataType> is the type of the Inter-Runnable Variable specified in
the SWC description.
Return code
<DataType>
The return value contains the current content of the Inter-Runnable
Variable of primitive data types. The <DataType> is the type of the
Inter-Runnable Variable specified in the SWC description.
Existence
This API exists, if the runnable entity of a SWC has configured direct (explicit) read access to the
Inter-Runnable Variable in the SWC configuration.
Functional Description
The function Rte_IrvRead_<r>_<v>() supplies the current value of the Inter-Runnable Variable.
This API is used to read direct (explicit) Inter-Runnable Variables. After startup Rte_IrvRead
provides the configured initial value.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

2015, Vector Informatik GmbH
Version: 4.8.0
87 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.9.2
Rte_IrvWrite

Prototype
void Rte_IrvWrite_<r>_<v> ( [IN Rte_Instance instance,] IN <DataType> data )
void Rte_IrvWrite_<r>_<v> ( [IN Rte_Instance instance,] IN <DataType> *data )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
data
The input data <data> is passed by value for primitive data types. The
<DataType> is the type of the Inter-Runnable Variable specified in the
SWC description.
*data
The input data <data> for composite data types is passed by
reference. The <DataType> is the type of the Inter-Runnable Variable
specified in the SWC description.
Return code
-

Existence
This API exists, if the runnable entity of a SWC has configured direct (explicit) write access to the
Inter-Runnable Variable in the SWC configuration.
Functional Description
The function Rte_IrvIWrite_<r>_<v>() can be used for updating direct (explicit) access Inter-
Runnable Variables. The update is performed immediately.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

2015, Vector Informatik GmbH
Version: 4.8.0
88 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.9.3
Rte_IrvIRead

Prototype
<DataType> Rte_IrvIRead_<r>_<v> ( [IN Rte_Instance instance] )
<DataType> *Rte_IrvIRead_<r>_<v> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
<DataType>
The return value contains the buffered content of the Inter-Runnable
Variable for primitive data types. The <DataType> is the type of the
Inter-Runnable Variable specified in the SWC description.
<DataType> *
The return value contains a reference to the buffered content of the
Inter-Runnable Variable for composite data types. The <DataType> is
the type of the Inter-Runnable Variable specified in the SWC
description.
Existence
This API exists, if the runnable entity of a SWC has configured buffered (implicit) read access to the
Inter-Runnable Variable in the SWC configuration.
Functional Description
The function Rte_IrvIRead_<r>_<v>() supplies the value of the Inter-Runnable Variable,
stored in a buffer before the runnable entity is started. This API is used to read the buffered
(implicit) Inter-Runnable Variable. After startup Rte_IrvIRead provides the configured initial
value.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

2015, Vector Informatik GmbH
Version: 4.8.0
89 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.9.4
Rte_IrvIWrite

Prototype
void Rte_IrvIWrite_<r>_<v> ( [IN Rte_Instance instance,] IN <DataType> data )
void Rte_IrvIWrite_<r>_<v> ( [IN Rte_Instance instance,] IN <DataType> *data)
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
data
The input data <data> is passed by value for primitive data types. The
<DataType> is the type of the Inter-Runnable Variable specified in the
SWC description.
*data
The input data <data> is passed by reference for composite data
types. The <DataType> is the type of the Inter-Runnable Variable
specified in the SWC description.
Return code
-

Existence
This API exists, if the runnable entity of a SWC has configured buffered (implicit) write access to
the Inter-Runnable Variable in the SWC configuration.
Functional Description
The function Rte_IrvIWrite_<r>_<v>() can be used for updating buffered (implicit) Inter-
Runnable Variables. Note, that the actual update is performed and therefore visible for other
runnable entities after the runnable entity has been terminated.
Call Context
This function can be used inside the runnable <r> of an AUTOSAR software component (SWC).
Usage in other runnables of the same SWC is forbidden!

Caution
When buffered (implicit) write access to an Inter-Runnable Variable has been
 configured for a runnable, the runnable has to update the Inter-Runnable variable at
least once during its execution time using the Rte_IrvIWrite API. Otherwise, the
content of the Inter-Runnable Variable may become undefined upon return from the
runnable.

2015, Vector Informatik GmbH
Version: 4.8.0
90 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.10 Per-Instance Memory
5.10.1 Rte_Pim

Prototype
<C-type> *Rte_Pim_<n> ( [IN Rte_Instance instance] )
<DataType> *Rte_Pim_<n> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
<C-Type> *
If the configured data type of the Per-Instance Memory is specified by
any C type string, a reference to the PIM of the C-type is returned.
<DataType> *
If the configured DataType of the Per-Instance Memory is an
AUTOSAR DataType, a reference to the PIM of this AUTOSAR type is
returned. If the data type is known and completely described, the RTE
generator knows the size of the PIM variable and is able to generate
the PIM variables in a specific optimized order.
Existence
This API exists for each specified Per-Instance Memory specified for an AUTOSAR application
SWC.
Functional Description
The function Rte_Pim_<n>() can be used to access Per-Instance Memory. Note: If several
runnable entities have concurrent access to the same Per-Instance Memory, the user has to
protect the accesses by using implicit or explicit exclusive areas.
Call Context
This function can be used inside all runnable entities of the AUTOSAR software component (SWC)
specifying the Per-Instance Memory.

Caution
When the Per–Instance Memory uses no AUTOSAR data type and is also not based
 on a standard data type like e.g. uint8 the RTE generator cannot create the type
definition for this type.
In this case the user has to provide a user header file Rte_UserTypes.h which
should contain the type definitions for the Per-Instance Memory allowing the RTE
generator to allocate the Per-Instance memory.

2015, Vector Informatik GmbH
Version: 4.8.0
91 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.11 Calibration Parameters
5.11.1 Rte_CData

Prototype
<DataType> Rte_CData_<cp> ( [IN Rte_Instance instance] )
<DataType> *Rte_CData_<cp> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
<DataType>
For primitive data types the return value contains the content of the
calibration parameter. The return value is of type <DataType>, which
is the type of the calibration element prototype.
<DataType> *
For composite data types and string types the return value contains
the reference to the calibration parameter. The return value is of type
<DataType>, which is the type of the calibration element prototype.
Existence
This API exists for each calibration element prototype specified for an AUTOSAR application SWC.
Functional Description
The function Rte_CData_<cp>() can be used to access SWC local calibration parameters.
Depending on the configuration the Rte_CData API returns a SWC type specific (shared) or SWC
instance specific (perInstance) calibration parameter.
Call Context
This function can be used inside all runnable entities of the AUTOSAR software component (SWC)
specifying the calibration parameters.

2015, Vector Informatik GmbH
Version: 4.8.0
92 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.11.2 Rte_Prm

Prototype
<DataType> Rte_Prm__<cp> ( [IN Rte_Instance instance] )
<DataType> *Rte_Prm__<cp> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
<DataType>
For primitive data types the return value contains the content of the
calibration parameter. The return value is of type <DataType>, which
is the type of the calibration element prototype.
<DataType> *
For composite data types and string types the return value contains
the reference to the calibration parameter. The return value is of type
<DataType>, which is the type of the calibration element prototype.
Existence
This API exists for each calibration element prototype specified for a calibration software
component.
Functional Description
The function Rte_Prm__<cp>() can be used to access the instance specific calibration
element prototypes of a calibration component.
Call Context
This function can be used inside all runnable entities of the AUTOSAR software component (SWC)
specifying access to calibration element prototypes of calibration components via calibration ports.

2015, Vector Informatik GmbH
Version: 4.8.0
93 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.12 Client-Server Communication
5.12.1 Rte_Call

Prototype
Std_ReturnType Rte_Call__<o> ( [IN Rte_Instance instance,] {IN type
[*]inputparam,}* {OUT type *outputparam,}* {INOUT type *inoutputparam,}* )
Parameter
instance
Instance handle, used to distinguish between the different
instances in case of multiple instantiation.
Note: This is an optional parameter depending on the
configuration of supportsMultipleInstantiation
attribute.
[*]inputparam, *outputparam,
The number and type of parameters is determined by the
*inoutputparam,
operation prototype. Input (IN) parameters are passed by value
(primitive types) or reference (composite and string types),
output (OUT) and input-output (INOUT) parameters are always
passed by reference.
Return code
RTE_E_OK
Operation executed successfully.
RTE_E_UNCONNECTED
Indicates that the client port is not connected.
RTE_E_LIMIT
The operation is invoked while a previous invocation has not yet
terminated. Relevant only for asynchronous calls.
RTE_E_COM_STOPPED
An infrastructure communication error was detected by the RTE.
Relevant only to external communication.
RTE_E_TIMEOUT
Returned by a synchronous call after the timeout has expired
and no other error occurred. The arguments are not changed.
RTE_E_<interf>_<error>
Server runnables may return an application error if the operation
execution was not successful. Application errors are defined at
the client/server port interface and are references by the
operation prototype.
RTE_E_SOFT_TRANSFORMER_ERROR An error during transformation occurred which shall be notified
to the SWC but still produces valid data as output.
RTE_E_HARD_TRANSFORMER_ERROR An error during transformation occurred which produces invalid
data as output.
Existence
This API exists, if the runnable entity of a SWC has configured access to the operation prototype in the
DaVinci configuration.
Functional Description
The function Rte_Call__<o>() invokes the server operation <o> with the specified parameters. If
Rte_Call returns with an error, the INOUT and OUT parameters are unchanged.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
94 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.12.2 Rte_Result

Prototype
Std_ReturnType Rte_Result__<o> ( [IN Rte_Instance instance,]
{OUT type *outputparam,}* )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
*outputparam
The number and type of parameters is determined by the operation
prototype. The output (OUT) parameters are always passed by
reference.
Return code
RTE_E_OK
Operation executed successfully.
RTE_E_UNCONNECTED Indicates that the client port is not connected.
RTE_E_NO_DATA
The result of the asynchronous operation invocation is not available.
Relevant only for non-blocking call.
RTE_E_COM_STOPPED An infrastructure communication error was detected by the RTE.
Relevant only to external communication.
RTE_E_TIMEOUT
The result of the asynchronous operation invocation is not available in
the specified time. Relevant only for blocking call.
RTE_E_<interf>_<error>
Server runnables may return an application error if the operation
execution was not successful. Application errors are defined at the
client/server port interface and are references by the operation
prototype.
Existence
This API exists, if the runnable entity of a SWC has configured polling or waiting access to an
asynchronous invoked operation of a C/S port interface.
Functional Description
The function Rte_Result__<o>() provides the result of asynchronous C/S calls. In case of
a polling call, the API returns the OUT parameters if the result is already available while for
asynchronous calls the API waits until the server runnable has finished the execution or a timeout
occurs.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
95 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.13 Indirect API
5.13.1 Rte_Ports

Prototype
Rte_PortHandle__<R/P> Rte_Ports__<P/R> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
Rte_PortHandle__<R/P> The API returns a pointer to the first port data structure of the port
data structure array.
Existence
This API exists, if the indirect API is configured at the Component Type.
Functional Description
The function Rte_Ports__<R/P> returns an array containing the port data structures of all
require ports indicated by the API extension <R> or provide ports indicated by of the port
interface specified by in order to allow indirect access of the port APIs via the port handle (e.g.
iteration over all ports of the same interface).
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
96 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.13.2 Rte_NPorts

Prototype
uint8 Rte_NPorts__<P/R> ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
uint8
The API returns the size of the port data structure array provided by
Rte_Ports.
Existence
This API exists, if the indirect API is configured at the component type.
Functional Description
The function Rte_NPorts__<R/P> returns the number of array entries (port data structures)
of all require ports indicated by the API extension <R> or provide ports indicated by of the port
interface specified by .
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).
2015, Vector Informatik GmbH
Version: 4.8.0
97 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.13.3 Rte_Port

Prototype
Rte_PortHandle__<R/P> Rte_Port_ ( [IN Rte_Instance instance] )
Parameter
instance
Instance handle, used to distinguish between the different instances in
case of multiple instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
Rte_PortHandle__<R/P> The API returns a pointer to a port data structure.
Existence
This API exists, if the indirect API is configured at the component type.
Functional Description
The function Rte_Port_ returns the port data structure of the port specified by . It allows
indirect API access via the port handle.
Call Context
This function can be used inside a runnable entity of an AUTOSAR software component (SWC).

2015, Vector Informatik GmbH
Version: 4.8.0
98 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.14  RTE Lifecycle API
The lifecycle API functions are declared in the RTE lifecycle header file Rte_Main.h
5.14.1  Rte_Start

Prototype
Std_ReturnType Rte_Start ( void )
Parameter
-

Return code
RTE_E_OK
RTE initialized successfully.
RTE_E_LIMIT
An internal limit has been exceeded.
Functional Description
The RTE lifecycle API function Rte_Start allocates and initializes system resources and
communication resources used by the RTE.
Call Context
This function has to be called by the ECU state manager after basic software modules have been
initialized especially OS and COM. It has to be called on every core that is used by the RTE. The
call on the core that contains the BSW will start the triggering of all cyclic runnables. Therefore
Rte_Start on the other cores has to be executed first.

5.14.2  Rte_Stop

Prototype
Std_ReturnType Rte_Stop ( void )
Parameter
-

Return code
RTE_E_OK
RTE initialized successfully.
RTE_E_LIMIT
A resource could not be released.
Functional Description
The RTE lifecycle API function Rte_Stop releases system resources and communication
resources used by the RTE and shutdowns the RTE. After Rte_Stop is called no runnable entity
must be processed.
Call Context
This function has to be called by the ECU state manager on every core that is used by the RTE.
The call on the core that contains the BSW will stop the triggering of the cyclic runnables.

2015, Vector Informatik GmbH
Version: 4.8.0
99 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.14.3  Rte_InitMemory

Prototype
void Rte_InitMemory ( void )
Parameter
-

Return code
-

Functional Description
The API function Rte_InitMemory is a MICROSAR RTE specific extension and should be used
to initialize RTE internal state variables if the compiler does not support initialized variables.
Call Context
This function has to be called before the ECU state manager calls the initialization functions of
other BSW modules especially the AUTOSAR COM module.  It has to be called on all cores that
are used by the RTE.

Caution
Rte_InitMemory API is a Vector extension to the AUTOSAR standard and may not be
  supported by other RTE generators.

2015, Vector Informatik GmbH
Version: 4.8.0
100 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.15 SchM Lifecycle API
The lifecycle API functions are declared in the RTE lifecycle header file Rte_Main.h
5.15.1 SchM_Init

Prototype
void SchM_Init ( [IN SchM_ConfigType ConfigPtr] )
Parameter
ConfigPtr
Pointer to the Rte_Config_<VariantName> data structure that shall be
used for the RTE initialization of the active variant in case of a
postbuild selectable configuration. The parameter is omitted in case
the project contains no postbuild selectable variance.
Return code
-

Functional Description
This function initializes the BSW Scheduler and resets the timers for all cyclic triggered schedulable
entities (main functions). Note that all main functions calls are activated upon return from this
function.
Call Context
This function has to be called by the ECU state manager from task context. The OS has to be
initialized before as well as those BSW modules for which the SchM provides triggering of
schedulable entities (main functions). The API has to be called on all cores that are used by the
RTE.

5.15.2 SchM_Deinit

Prototype
void SchM_Deinit ( void )
Parameter
-

Return code
-

Functional Description
This function finalizes the BSW Scheduler and stops the timer which triggers the main functions.
Call Context
This function has to be called by the ECU state manager from task context. It has to be called on
all cores that are used by the RTE.

2015, Vector Informatik GmbH
Version: 4.8.0
101 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.15.3 SchM_GetVersionInfo

Prototype
void SchM_GetVersionInfo (Std_VersionInfoType *versioninfo )
Parameter
versioninfo
Pointer to where to store the version information of this module.
Return code
-

Existence
This API exists if RteSchMVersionInfoApi is enabled.
Functional Description
SchM_GetVersionInfo() returns version information, vendor ID and AUTOSAR module ID of
the component.
The versions are decimal-coded.
Call Context
The function can be called on interrupt and task level.

2015, Vector Informatik GmbH
Version: 4.8.0
102 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16 VFB Trace Hooks
The RTE’s “VFB tracing” mechanism allows to trace interactions of the AUTOSAR
software components with the VFB. The choice of events resides with the user and can
range from none to all. The “VFB tracing” functionality is designed to support multiple
clients for each event. If one or multiple clients are specified for an event, the trace
function without client prefix will be generated followed by the trace functions with client
prefixes in alphabetically ascending order.
5.16.1 Rte_[<client>_]<API>Hook_<cts>_<ap>_Start

Prototype
void Rte_[<client>_]<API>Hook_<cts>_<ap>_Start ( [IN const Rte_CDS_<cts>* inst,]
params )
Parameter
Rte_CDS_<cts>* inst
The instance specific pointer of type Rte_CDS_<cts> is used to
distinguish between the different instances in case of multiple
instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
params
The parameters are the same as the parameters of the <API>. See
the corresponding API description for details.
Return code
-

Existence
This VFB trace hook exists if the global and the hook specific configuration switches are enabled.
Functional Description
This VFB trace hook is called inside the RTE APIs directly after invocation of the API. The user has
to provide this hook function if it is enabled in the configuration. The placeholder <API> represents
one of the following APIs:
Enter, Exit, Write, Read, Send, Receive, Invalidate, SwitchAck, Switch, Call, Result, IrvWrite,
IrvRead
The <AccessPoint> is defined as follows:
 Enter, Exit: <ExclusiveArea>
 Write, Read, Send, Receive, Feedback, Invalidate:
<PortPrototype>_<DataElementPrototype>
 Switch, SwitchAck: <PortPrototype>_<ModeDeclarationGroupPrototype>
 Call, Result: <PortPrototype>_<OperationPrototype>
 IrvWrite, IrvRead: <InterRunnableVariable>
Call Context
This function is called inside the RTE API. The call context is the context of the API itself. Since
APIs can only be called in runnable context, the context of the trace hooks is also the runnable
entity of an AUTOSAR software component (SWC).
2015, Vector Informatik GmbH
Version: 4.8.0
103 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.2 Rte_[<client>_]<API>Hook_<cts>_<ap>_Return

Prototype
void Rte_[<client>_]<API>Hook_<cts>_<ap>_Return ( [IN const Rte_CDS_<cts> *inst,]
params )
Parameter
Rte_CDS_<cts>* inst
The instance specific pointer of type Rte_CDS_<cts> is used to
distinguish between the different instances in case of multiple
instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
params
The parameters are the same as the parameters of the API. See the
corresponding API description for details.
Return code
-

Existence
This VFB trace hook exists if the global and the hook specific configuration switches are enabled.
Functional Description
This VFB trace hook is called inside the RTE APIs directly before leaving the API. The user has to
provide this hook function if it is enabled in the configuration. The placeholder <API> represents
one of the following APIs:
Enter, Exit, Write, Read, Send, Receive, Invalidate, Feedback, Switch, SwitchAck, Call, Result,
IrvWrite, IrvRead
The <AccessPoint> is defined as follows:
 Enter, Exit: <ExclusiveArea>
 Write, Read, Send, Receive, Feedback, Invalidate:
<PortPrototype>_<DataElementPrototype>
 Switch, SwitchAck: <PortPrototype>_<ModeDeclarationGroupPrototype>
 Call, Result: <PortPrototype>_<OperationPrototype>
 IrvWrite, IrvRead: <InterRunnableVariable>
Call Context
This function is called inside the RTE API. The call context is the context of the API itself. Since
APIs can only be called in runnable context, the context of the trace hooks is also the runnable
entity of an AUTOSAR software component (SWC).

Caution
The RTE generator tries to prevent overhead by sometimes implementing the Rte_Call
 API as macro that does a direct runnable invocation. If VFB trace hooks are enabled
for such an Rte_Call API or for the called server runnable, these optimizations are no
longer possible.
Also macro optimizations for Rte_Read, Rte_DRead, Rte_Write, Rte_IrvRead and
Rte_IrvWrite APIs are disabled when VFB tracing for that APIs is enabled.

2015, Vector Informatik GmbH
Version: 4.8.0
104 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Caution
The RTE does not call VFB trace hooks for the following APIs because they are
 intended to be implemented as macros.
 Implicit S/R APIs: Rte_IWrite, Rte_IWriteRef, Rte_IRead, Rte_IStatus,
Rte_IInvalidate
 Implicit Inter-Runnable Variables: Rte_IrvIWrite, Rte_IrvIRead
 Per-instance Memory and calibration parameter APIs: Rte_Pim, Rte_CData,
Rte_Prm
 Indirect APIs: Rte_Ports, Rte_Port, Rte_NPorts
 RTE Life-Cycle APIs: Rte_Start, Rte_Stop

5.16.3 SchM_[<client>_]<API>Hook_<Bsw>_<ap>_Start

Prototype
void SchM_[<client>_]<API>Hook_<bsw>_<ap>_Start ( params )
Parameter
params
The parameters are the same as the parameters of the <API>. See
the corresponding API description for details.
Return code
-

Existence
This VFB trace hook exists if the global and the hook specific configuration switches are enabled.
Functional Description
This VFB trace hook is called inside the RTE APIs directly after invocation of the API. The user has
to provide this hook function if it is enabled in the configuration. The placeholder <API> represents
one of the following APIs:
Enter, Exit
The <AccessPoint> is defined as follows:
 Enter, Exit: <ExclusiveArea>
Call Context
This function is called inside the RTE API. The call context is the context of the API itself. Since
APIs can be called from a BSW function, the context of the trace hooks depends on the context of
the BSW function.

Caution
The SchM Hook APIs are a Vector extension to the AUTOSAR standard and may not
 be supported by other RTE generators.
2015, Vector Informatik GmbH
Version: 4.8.0
105 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.4 SchM_[<client>_]<API>Hook_<Bsw>_<ap>_Return

Prototype
void SchM_[<client>_]<API>Hook_<bsw>_<ap>_Return ( params )
Parameter
params
The parameters are the same as the parameters of the <API>. See
the corresponding API description for details.
Return code
-

Existence
This VFB trace hook exists if the global and the hook specific configuration switches are enabled.
Functional Description
This VFB trace hook is called inside the RTE APIs directly before leaving the API. The user has to
provide this hook function if it is enabled in the configuration. The placeholder <API> represents
one of the following APIs:
Enter, Exit
The <AccessPoint> is defined as follows:
 Enter, Exit: <ExclusiveArea>
Call Context
This function is called inside the RTE API. The call context is the context of the API itself. Since
APIs can be called from a BSW function, the context of the trace hooks depends on the context of
the BSW function.

Caution
The SchM Hook APIs are a Vector extension to the AUTOSAR standard and may not
 be supported by other RTE generators.

2015, Vector Informatik GmbH
Version: 4.8.0
106 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.5 Rte_[<client>_]ComHook_<SignalName>_SigTx

Prototype
void Rte_[<client>_]ComHook_<SignalName>_SigTx ( <DataType> *data )
Parameter
<DataType>* data
Pointer to data to be transmitted via the COM API.
Note: <DataType> is the application specific data type of Rte_Send,
Rte_Write or Rte_IWrite.
Return code
-

Existence
This VFB trace hook exists, if at least one data element prototype of a port prototype has to be
transmitted over a network (Inter-Ecu) and the global and the hook specific configuration switches
are enabled.
Functional Description
This hook is called just before the RTE invokes Com_SendSignal or
Com_UpdateShadowSignal.
Call Context
This function is called inside the RTE APIs Rte_Send and Rte_Write. The call context is the
context of the API itself. Since APIs can only be called in runnable context, the context of the trace
hooks is also the runnable entity of an AUTOSAR software component.
If buffered communication (Rte_IWrite) is used, the call context is the task of the mapped
runnable.

2015, Vector Informatik GmbH
Version: 4.8.0
107 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.6 Rte_[<client>_]ComHook_<SignalName>_SigIv

Prototype
void Rte_[<client>_]ComHook_<SignalName>_SigIv ( void )
Parameter
-

Return code
-

Existence
This VFB trace hook exists, if at least one data element prototype of a port prototype has to be
transmitted over a network (Inter-Ecu) and the global and the hook specific configuration switches
are enabled. In addition the canInvalidate attribute at the UnqueuedSenderComSpec of the
data element prototype must be enabled.
Functional Description
This hook is called just before the RTE invokes Com_InvalidateSignal.
Call Context
This function is called inside the RTE APIs Rte_Invalidate. The call context is the context of the
API itself. Since APIs can only be called in runnable context, the context of the trace hooks is also
the runnable entity of an AUTOSAR software component.
If buffered communication (Rte_IInvalidate) is used, the call context is the task of the mapped
runnable.

2015, Vector Informatik GmbH
Version: 4.8.0
108 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.7 Rte_[<client>_]ComHook_<SignalName>_SigGroupIv

Prototype
void Rte_[<client>_]ComHook_<SignalGroupName>_SigGroupIv ( void )
Parameter
-

Return code
-

Existence
This VFB trace hook exists, if at least one data element prototype of a port prototype is composite
and has to be transmitted over a network (Inter-Ecu) and the global and the hook specific
configuration switches are enabled. In addition the canInvalidate attribute at the
UnqueuedSenderComSpec of the data element prototype must be enabled.
Functional Description
This hook is called just before the RTE invokes Com_InvalidateSignalGroup.
Call Context
This function is called inside the RTE APIs Rte_Invalidate. The call context is the context of the
API itself. Since APIs can only be called in runnable context, the context of the trace hooks is also
the runnable entity of an AUTOSAR software component.
If buffered communication (Rte_IInvalidate) is used, the call context is the task of the mapped
runnable.

2015, Vector Informatik GmbH
Version: 4.8.0
109 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.8 Rte_[<client>_]ComHook_<SignalName>_SigRx

Prototype
void Rte_[<client>_]ComHook_<SignalName>_SigRx ( <DataType> *data )
Parameter
<DataType>* data
Pointer to the data received via the COM API.
Note: <DataType> is the application specific data type of
Rte_Receive, Rte_Read, Rte_DRead or Rte_IRead.
Return code
-

Existence
This VFB trace hook exists, if at least one data element prototype of a port prototype has to be
received from a network and the global and hook specific configuration switches are enabled.
Functional Description
This VFB Trace Hook is called after the RTE invokes Com_ReceiveSignal or
Com_ReceiveShadowSignal.
Call Context
This function is called inside the RTE API Rte_Read or Rte_DRead. The call context is the
context of the API itself. Since this API can only be called in runnable context, the context of the
trace hooks is also the runnable entity of an AUTOSAR software component.
If buffered communication (Rte_IRead) is used, the call context is the task of the mapped
runnable.
If queued communication is configured (Rte_Receive), the call of the Com API is called inside the
COM callback after reception. In this case, the context of the trace hook is the context of the COM
callback.
Note: This could be the task context or the interrupt context!

2015, Vector Informatik GmbH
Version: 4.8.0
110 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.9 Rte_[<client>_]ComHook<Event>_<SignalName>

Prototype
void Rte_[<client>_]ComHook<Event>_<SignalName> ( void )
Parameter
-

Return code
-

Existence
This VFB trace hook is called inside the <Event> specific COM callback, directly after the
invocation by COM and if the global and the hook specific configuration switches are enabled.
Functional Description
This trace hook indicates the start of a COM callback. <Event> depends on the type of the
callback.
 empty string: Rte_COMCbk_<SignalName>
 TxTOut Rte_COMCbkTxTOut_<SignalName>
 RxTOut Rte_COMCbkRxTOut_<SignalName>
 TAck Rte_COMCbkTAck_<SignalName>
 TErr Rte_COMCbkTErr_<SignalName>
 Inv Rte_COMCbkInv_<SignalName>
Call Context
This function is called inside the context of the COM callback.
Note: This could be the task context or the interrupt context!

2015, Vector Informatik GmbH
Version: 4.8.0
111 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.10 Rte_[<client>_]Task_Activate

Prototype
void Rte_[<client>_]Task_Activate ( TaskType task )
Parameter
task
The same parameter is also used to call the OS API ActivateTask
Return code
-

Existence
This VFB trace hook is called by the RTE immediately before the invocation of the OS API
ActivateTask and if the global and the hook specific configuration switches are enabled.
Functional Description
This trace hook indicates the call of ActivateTask of the OS.
Call Context
This function is called inside Rte_Start and in the context RTE API functions which trigger the
execution of a runnable entity where the runnable is mapped to a basic task. For API functions, the
call context is the runnable context.

5.16.11 Rte_[<client>_]Task_Dispatch

Prototype
void Rte_[<client>_]Task_Dispatch ( TaskType task )
Parameter
task
The parameter indicates the task to which was started (dispatched) by
the OS
Return code
-

Existence
This VFB trace hook exists for each configured RTE task and is called directly after the start if the
global and the hook specific configuration switches are enabled.
Functional Description
This trace hook indicates the call activation of a task by the OS.
Call Context
The call context is the task.

2015, Vector Informatik GmbH
Version: 4.8.0
112 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.12 Rte_[<client>_]Task_SetEvent

Prototype
void Rte_[<client>_]Task_SetEvent ( TaskType task, EventMaskType event )
Parameter
task
The same parameter is also used to call the OS API SetEvent
event
The same parameter is also used to call the OS API SetEvent
Return code
-

Existence
This VFB trace hook is called by the RTE immediately before the invocation of the OS API
SetEvent and if the global and the hook specific configuration switches are enabled.
Functional Description
This trace hook indicates the call of SetEvent.
Call Context
This function is called inside RTE API functions and in COM callbacks. For API functions, the call
context is the runnable context.
Note: For COM callbacks the context could be the task context or the interrupt context!

5.16.13 Rte_[<client>_]Task_WaitEvent

Prototype
void Rte_[<client>_]Task_WaitEvent ( TaskType task, EventMaskType event )
Parameter
task
The same parameter is also used to call the OS API WaitEvent
event
The same parameter is also used to call the OS API WaitEvent
Return code
-

Existence
This VFB trace hook is called by the RTE immediately before the invocation of the OS API
WaitEvent and if the global and the hook specific configuration switches are enabled.
Functional Description
This trace hook indicates the call of WaitEvent.
Call Context
This function is called inside RTE API functions and in generated task bodies.

2015, Vector Informatik GmbH
Version: 4.8.0
113 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.14 Rte_[<client>_]Task_WaitEventRet

Prototype
void Rte_[<client>_]Task_WaitEventRet ( TaskType task, EventMaskType event )
Parameter
task
The same parameter is also used to call the OS API WaitEvent
event
The same parameter is also used to call the OS API WaitEvent
Return code
-

Existence
This VFB trace hook is called by the RTE immediately after returning from the OS API WaitEvent
and if the global and the hook specific configuration switches are enabled.
Functional Description
This trace hook indicates leaving the call of WaitEvent.
Call Context
This function is called inside RTE API functions and in generated task bodies.

5.16.15 Rte_[<client>_]Runnable_<cts>_<re>_Start

Prototype
void Rte_[<client>_]Runnable_<cts>_<re>_Start ( [IN const Rte_CDS_<cts> *inst] )
Parameter
Rte_CDS_<cts>* inst
The instance specific pointer of type Rte_CDS_<cts> is used to
distinguish between the different instances in case of multiple
instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
-

Existence
This VFB trace hook is called for all mapped runnable entities if the global and the hook specific
configuration switches are enabled.
Functional Description
This trace hook indicates invocation of the runnable entity. It is called just before the call of the
runnable entity and allows for example measurement of the execution time of a runnable together
with the counterpart Rte_[<client>_]Runnable_<cts>_<re>_Return.
Call Context
This function is called inside RTE generated task bodies.
2015, Vector Informatik GmbH
Version: 4.8.0
114 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.16.16 Rte_[<client>_]Runnable_<cts>_<re>_Return

Prototype
void Rte_[<client>_]Runnable_<cts>_<re>_Return ( [IN const Rte_CDS_<cts> *inst] )
Parameter
Rte_CDS_<cts>* inst
The instance specific pointer of type Rte_CDS_<cts> is used to
distinguish between the different instances in case of multiple
instantiation.
Note: This is an optional parameter depending on the configuration of
supportsMultipleInstantiation attribute.
Return code
-

Existence
This VFB trace hook is called for all mapped runnable entities if the global and the hook specific
configuration switches are enabled.
Functional Description
This trace hook indicates invocation of the runnable entity. It is called just after the call of the
runnable entity and allows for example measurement of the execution time of a runnable together
with the counterpart Rte_[<client>_]Runnable_<cts>_<re>_Start.
Call Context
This function is called inside RTE generated task bodies.

2015, Vector Informatik GmbH
Version: 4.8.0
115 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.17  RTE Interfaces to BSW
The RTE has standardized Interfaces to the following basic software modules
  COM / LDCOM
  NVM
  DET
  OS
  XCP
  SCHM
The actual used API’s of these BSW modules depend on the configuration of the RTE.
5.17.1  Interface to COM / LDCOM
Used COM API
Com_SendSignal
Com_SendDynSignal
Com_SendSignalGroup
Com_UpdateShadowSignal
Com_ReceiveSignal
Com_ReceiveDynSignal
Com_ReceiveSignalGroup
Com_ReceiveShadowSignal
Com_InvalidateSignal
Com_InvalidateSignalGroup

Used LDCOM API
LdCom_IfTransmit

The RTE generator provides COM / LDCOM callback functions for signal notifications. The
generated callbacks, which are called inside the COM layer, have to be configured in the
COM  /  LDCOM  configuration  accordingly.  The  necessary  callbacks  are  defined  in  the
Rte_Cbk.h header file.

Caution
The RTE generator assumes that the context of COM / LDCOM callbacks is either a
  task context or an interrupt context of category 2.
It is explicitly NOT allowed that the call context of a COM / LDCOM callback is an
interrupt of category 1.

In  order  to  access  the  COM  /  LDCOM  API  the  generated  RTE  includes  the
Com.h/LdCom.h header file if necessary.
During  export  of  the  ECU  configuration  description  the  necessary  COM  /  LDCOM
callbacks  are  exported  into  the  COM    /  LDCOM  section  of  the  ECU  configuration
description.
2015, Vector Informatik GmbH
Version: 4.8.0
116 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.17.2  Interface to OS
In  general,  the  RTE  may  use  all  available  OS  API  functions  to  provide  the  RTE
functionality  to  the  software  components. The  following  table  contains  a  list  of  used  OS
APIs of the current RTE implementation.
Used OS API
SetRelAlarm
CancelAlarm
StartScheduleTableRel
NextScheduleTable
StopScheduleTable
SetEvent
GetEvent
ClearEvent
WaitEvent
GetTaskID
GetCoreID
ActivateTask
Schedule
TerminateTask
ChainTask
GetResource
ReleaseResource
GetSpinlock
ReleaseSpinlock
DisableAllInterrupts
EnableAllInterrupts
SuspendAllInterrupts
ResumeAllInterrupts
SuspendOSInterrupts
ResumeOSInterrupts
CallTrustedFunction (MICROSAR OS specific)
IocWrite
IocRead
IocWriteGroup
IocReadGroup
IocSend
IocReceive

In order to access the OS API the generated RTE includes the Os.h header file.
2015, Vector Informatik GmbH
Version: 4.8.0
117 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

The OS configuration needed by the RTE is stored in the file  Rte_Needs.ecuc.arxml
which is created during the RTE Generation Phase.
For  legacy  systems  the  OS  configuration  is  also  stored  in  Rte.oil.  This  file  is  an
incomplete OIL file and contains only the RTE relevant configuration. It should be included
in an OIL file used for the OS configuration of the whole ECU.

Caution
The generated files Rte_Needs.ecuc.arxml and Rte.oil file must not be
  changed!

5.17.3  Interface to NVM
The RTE generator provides NvM callback functions for synchronous copying of the mirror
buffers  to  and  from  the  NvM.  The  generated  callbacks,  which  are  called  inside  the
NvM_MainFunction,  have  to  be  configured  in  the  NvM  configuration  accordingly.  The
necessary callbacks are defined in the Rte_Cbk.h header file.

Caution
The RTE generator assumes that the call context of NvM callbacks is the task which
  calls the NvM_MainFunction.

During  export  of  the  ECU  configuration  description  the  necessary  NVM  callbacks  are
exported into the NVM section of the ECU configuration description.
5.17.4  Interface to XCP
In addition to the usage of the Com and the OS module as described by AUTOSAR, the
MICROSAR  RTE  generator  optionally  can  also  take  advantage  of  the  MICROSAR  XCP
module.
This  makes  it  possible  to  configure  the  RTE  to  trigger  XCP  Events  when  certain
measurement points are reached.
This  for  example  also  allows  the  measurement  of  buffers  for  implicit  sender/receiver
communication when a runnable entity is terminated.
Measurement is described in detail in chapter 6.6 Measurement and Calibration.
When measurement with XCP Events is enabled, the RTE therefore includes the header
Xcp.h and calls the Xcp_Event API to trigger the events.
Used Xcp API
Xcp_Event

2015, Vector Informatik GmbH
Version: 4.8.0
118 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

5.17.5  Interface to SCHM
In
multicore
and
memory
protection
systems,
the
schedulable
entity
Rte_ComSendSignalProxyPeriodic is provided by the RTE and is used to access the
COM  from  OS  Applications  without  BSW.  This  schedulable  entity  needs  to  be  called
periodically by the SCHM.
See chapter 4.8.1 for details.
Provided Schedulable Entity
Rte_ComSendSignalProxyPeriodic

5.17.6  Interface to DET
The RTE generator reports development errors to the DET, if development error detection
is enabled.
See chapter 3.8.1 for details.
Used DET API
Det_ReportError

2015, Vector Informatik GmbH
Version: 4.8.0
119 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6  RTE Configuration
The RTE specific configuration in DaVinci Configurator encompasses the following parts:
  assignment of runnables to OS tasks
  assignment of OS tasks to OS applications (memory protection/multicore support)
  assignment of Per-Instance Memory to NV memory blocks
  selection of the exclusive area implementation method
  configuration of the periodic triggers
  configuration of measurement and calibration
  selection of the optimization mode
  selection of required VFB tracing callback functions
  configuration of the built-in call to the RTE generator
  platform dependent resource calculation
6.1
Configuration Variants
The RTE supports the configuration variants
  VARIANT-PRE-COMPILE
  VARIANT-POST-BUILD-SELECTABLE
The configuration classes of the  RTE parameters depend on the supported configuration
variants. For their definitions please see the Rte_bswmd.arxml file.
6.2
Task Configuration
Runnable  Entities  triggered  by  any  kind  of  RTE  Event  e.g.  TimingEvent  have  to  be
mapped to tasks. Only server runnables (triggered by an OperationInvokedEvent) that
either  have  their  CanBeInvokedConcurrently  flag  enabled  or  that  are  called  from
tasks  that  cannot  interrupt  each  other  do  not  need  to  be  mapped.  For  optimization
purposes  they  can  be  called  directly  and  are  then  executed  in  the  context  of  the  calling
runnable (client).
The task configuration within DaVinci Configurator also contains some attributes which are
part of the OS configuration. The parameters are required to control RTE generation.

2015, Vector Informatik GmbH
Version: 4.8.0
120 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

The creation of tasks is done in OS Configuration Editor in the in the DaVinci Configurator.
The Task Mapping Assistant has to be used to assign the triggered functions (runnables
and schedulable entities) to the tasks.

Figure 6-1 Mapping of Runnables to Tasks

The  MICROSAR  RTE  supports  the  generation  of  both  BASIC  and  EXTENDED  tasks.  The
Task  Type  can  either  be  selected  or  the  selection  is  done  automatically  if  AUTO  is
configured.
While  extended  tasks  are  used  for  tasks  that  need  to  wait  for  different  RTE  trigger
conditions, basic tasks are used when all runnables of a task are triggered by one or more
identical triggers.
A typical example for this might be several cyclic triggered runnables that share the same
activation offset and cycle time.
Moreover another requirement for basic task usage is that the mapped runnables do not
use APIs that requires a waitpoint, like a blocking Rte_Feedback().
In addition to the Task Type the number of possible task activations can be configured in
the same dialog.

Caution
When RTE events that trigger a runnable are fired multiple times before the actual
  runnable invocation happens and when the runnable is mapped to an extended task,
the runnable is invoked only once.
However, if the runnable is mapped to a basic task, the same circumstances will cause
multiple task activations and runnable invocations. Therefore, for basic tasks, the task
attribute Activation in the OS configuration has to be set to the maximum number of
2015, Vector Informatik GmbH
Version: 4.8.0
121 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

queued task activations. If Activation is too small, additional task activations may result
in runtime OS errors. To avoid the runtime error the number of possible Task Activation
should be increased.

6.3
Memory Protection and Multicore Configuration
For  memory  protection  or  multicore  support  the  tasks  have  to  be  assigned  to  OS
applications.  The  following  figures  show  the  configuration  of  OS  applications  and  the
assignment of OS tasks. For multicore support also the Core ID has to configured for the
OS application.

Figure 6-2 Assignment of a Task to an OS Application

Caution
Make sure that the operating system is configured with scalability class SC3 or SC4.

2015, Vector Informatik GmbH
Version: 4.8.0
122 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Figure 6-3 OS Application Configuration
2015, Vector Informatik GmbH
Version: 4.8.0
123 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.4
NV Memory Mapping
Each instance of a Per-Instance Memory, which has configured Needs memory mapping
can be mapped to an NV memory block of the NvM.
The Per-Instance Memory (PIM) is used as mirror buffer for the NV memory block. During
startup, the EcuM calls NvM_ReadAll, which initializes the configured PIM with the value
of  the  assigned  NV  memory  block.  During  shutdown,  NvM_WriteAll  stores  the  current
value of the PIM buffer in the corresponding NV memory block.
The  RTE  configurator  provides  support  for  manual  mapping  of  already  existing  NV
memory  blocks  or  automatically  generation  of  NV  memory  blocks  and  mapping  for  all
PIMs.
The  RTE  has  no  direct  Interface  to  the  NvM  in  the  source  code.  There  exists  only  an
Interface on configuration level. The RTE configurator has to configure the following parts
of the NvM configuration.
  Address of PIM representing the RAM mirror of the NV memory block.
  Optionally the address of calibration parameter for default values.
  Optionally the size of the PIM in bytes if available during configuration time.

The  following  figure  shows  the  Memory  Mapping  in  DaVinci  Configurator  where
assignment of Per-Instance Memory to NV memory blocks can be configured.

Figure 6-4 Mapping of Per-Instance Memory to NV Memory Blocks
2015, Vector Informatik GmbH
Version: 4.8.0
124 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.5
RTE Generator Settings
The following figure shows how the MICROSAR RTE Generator has to be enabled for
code generation within the DaVinci Configurator.

Figure 6-5 RTE Generator Settings

2015, Vector Informatik GmbH
Version: 4.8.0
125 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.6
Measurement and Calibration
The  MICROSAR  RTE  generator  supports  the  generation  of  an  ASAM  MCD-2MC
compatible  description  of  the  generated  RTE  that  can  be  used  for  measurement  and
calibration  purposes.  When  measurement  or  calibration  is  enabled  the  RTE  generator
generates  a  file  Rte.a2l  that  contains  measurement  objects  for  sender/receiver  ports,
per-instance  memories  and  inter-runnable  variables.  Calibration  parameters  are
represented as characteristic objects.

Figure 6-6 Measurement and Calibration Generation Parameters

The switch A2L Version controls the ASAM MCD-2MC standard to which the Rte.a2l file
is compliant. Version 1.6.0 is recommended as it supports a symbol link attribute that can
be used by the measurement and calibration tools to automatically obtain the address of a
characteristic or measurement object in the compiled and linked RTE code.
What  measurements  and  characteristics  are  listed  in  the  Rte.a2l  file  depends  on  the
measurement  and  calibration  settings  of  the  individual  port  interfaces,  per-instance
memories,  inter-runnable variables and calibration parameters and if the variable can be
measured  in  general.  For  example,  measurement  is  not  possible  for  queued
communication as described in the RTE specification. When “Calibration Access” is set to
“NotAccessible”, an object will not be listed in the Rte.a2l file.
2015, Vector Informatik GmbH
Version: 4.8.0
126 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Within  the  Rte.a2l  file,  the  measurement  objects  are  grouped  by  SWCs.  When  inter-
ECU sender/receiver communication shall be measured, the groups will also contain links
to  measurement  objects  with  the  name  of  the  COM  signal  handle.  These  measurement
objects have to be provided by the COM.
Furthermore, the generated Rte.a2l is only a partial A2L file. It is meant to be included in
the MODULE block of a skeleton A2L file with the ASAM MCD-2MC /include command.
This  makes  it  possible  to  specify  additional  measurement  objects,  for  example  from  the
COM, and IF_DATA blocks directly in the surrounding A2L file.

In order to also allow the measurement of implicit buffers for inter-ECU communication, the
MICROSAR RTE generator supports measurement  with the help of XCP Events. This is
controlled  by  the  flag  “Use  XCPEvents”.  When  XCP  Events  are  enabled,  the  RTE
generator  triggers  an  XCP  Event  that  measures  the  implicit  buffer  after  a  runnable  with
implicit  inter-ECU  communication  is  terminated  and  before  the  data  is  sent.  “Use
XCPEvents” also enables the generation of one XCP Event at the end of every task that
can be used to trigger the measurement of other objects.

The  RTE  generator  automatically  adds  the  XCP  Events  to  the  configuration  of  the  XCP
module. The Event IDs are then automatically calculated by the XCP module.
The  definitions  for  the  Events  are  generated  by  the  XCP  module  into  the  file
XCP_events.a2l.  This  file  can  be  included  in  the  DAQ  section  of  the  IF_DATA  XCP
section in the skeleton A2L file.

The  MICROSAR  RTE  supports  three  different  online  calibration  methods,  which  can  be
selected globally for the whole ECU. They differ in their kind how the APIs Rte_CData and
Rte_Prm access the calibration parameter. By default the online calibration is switched off.
The following configuration values can be selected:
  None
  Single Pointered
  Double Pointered
  Initialized RAM

In  addition  to  the  ECU  global  selection  of  the  method  the  online  calibration  have  to  be
activated for each component individually by setting the Calibration Support switch.
2015, Vector Informatik GmbH
Version: 4.8.0
127 / 139
based on template version 3.5

Technical Reference MICROSAR RTE


Figure 6-7 SWC Calibration Support Parameters

For each component with activated Calibration Support memory segments are generated
into the file Rte_MemSeg.a2l. This file can be  included in the MOD_PAR section in the
skeleton A2L  file.  This  makes  it  possible  to  specify  additional  memory  segments  in  the
surrounding A2L file.
If  the  method  Initialized  RAM  is  selected,  segments  for  the  Flash  data  section  and  the
RAM  data  section  of  each  calibration  parameter  are  generated.  The  Flash  sections  are
mapped to the corresponding RAM sections.
If the Single Pointered or Double Pointered method is enabled, only memory segments for
the  Flash  data  sections  are  listed  in  the  Rte_MemSeg.a2l.  In  addition  a  segment  for  a
RAM  buffer  is  generated,  when  the  Single  Pointered  method  is  used  and  a
CalibrationBufferSize is set. This parameter specifies the size of the RAM buffer in
byte. If it is set to 0, no RAM buffer will be created.
2015, Vector Informatik GmbH
Version: 4.8.0
128 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

Figure 6-8  CalibrationBufferSize Parameter
The  following  figure  shows  a  possible  include  structure  of  an A2L  file.  In  addition  to  the
fragment A2L files that are generated by the RTE generator other parts (e.g. generated by
the BSW) can be included in the skeleton A2L file.

Figure 6-9  A2L Include Structure

For more details about the creation of a complete A2L file see [20].
2015, Vector Informatik GmbH
Version: 4.8.0
129 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.7
Optimization Mode Configuration
A  general  requirement  to  the  RTE  generator  is  production  of  optimized  RTE  code.  If
possible  the  MICROSAR  RTE  Generator  optimizes  in  different  optimization  directions  at
the same time. Nevertheless, sometimes it isn’t possible to do that. In that case the default
optimization direction is “Minimum RAM Consumption”. The user can change this behavior
by manually selection of the optimization mode.
  Minimum RAM Consumption (MEMORY)
  Minimum Execution Time (RUNTIME)

The  following  figure  shows  the  Optimization  Mode  Configuration  in  DaVinci  Configurator.

Figure 6-10 Optimization Mode Configuration
2015, Vector Informatik GmbH
Version: 4.8.0
130 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.8
VFB Tracing Configuration
The  VFB  Tracing  feature  of  the  MICROSAR  RTE  may  be  enabled  in  the  DaVinci
Configrator as shown in the following picture.

Figure 6-11  VFB Tracing Configuration

You may open an already generated Rte_Hook.h header file from within this dialog. This
header file contains the complete list of all available trace hook functions, which can be
activated independently. You can select and copy the names and insert these names into
the trace function list of this dialog manually or you can import a complete list from a file. If
you want to enable all trace functions you can import the trace functions from an already
generated Rte_Hook.h. The VFB Trace Client Prefix defines an additional prefix for all
VFB trace functions to be generated. With this approach it is for example possible to
enable additionally trace functions for debugging (Dbg) and diagnostic log and trace (Dlt)
at the same time.

Info
All enabled trace functions have to be provided by the user. Section 4.3.4 describes
  how a template for VFB trace hooks can be generated initially or updated after
configuration changes.
2015, Vector Informatik GmbH
Version: 4.8.0
131 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.9
Exclusive Area Implementation
The implementation method for exclusive areas can be set in the DaVinci Configurator as
shown in the following picture.

Figure 6-12 Exclusive Area Implementation Configuration

2015, Vector Informatik GmbH
Version: 4.8.0
132 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.10  Periodic Trigger Implementation
The  runnable  activation  offset  and  the  trigger  implementation  for  cyclic  runnable  entities
may be set in the ECU project editor as shown in the following picture.

Figure 6-13 Periodic Trigger Implementation Configuration

Caution
Currently it is not supported to define an activation offset and a trigger implementation
  per trigger. The settings can only be made for the complete runnable with potential
several cyclic triggers.

The activation offset specifies at what time relative to the start of the RTE the runnable /
main function is triggered for the first time.
Trigger  implementation  can  either  be  set  to  Auto  or  None.  When  it  is  set  to  the  default
setting  Auto,  the  RTE  generator  will  automatically  generate  and  set  OS  alarms  that  will
then trigger the runnables  /  main functions. When trigger implementation is set  to  None,
the RTE  generator only creates the tasks  and events  for triggering the runnables  / main
functions. It is then the responsibility of the user to periodically activate the basic task to
which a runnable / main function is mapped or to send an event when the runnable / main
function is mapped to an extended task.
2015, Vector Informatik GmbH
Version: 4.8.0
133 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

This  feature  can  also  be  used  to  trigger  cyclic  runnable  entities  /  main  functions  with  a
schedule table. This allows the synchronization with FlexRay.
To ease the creation of such a schedule table, the generated report Rte.html contains a
trigger listing. The listing contains the triggered runnables / main functions, their tasks and
the used events and alarms.

Figure 6-14 HTML Report

If  the  OS  alarm  column  for  a  trigger  is  empty,  the  runnable  /  main  function  needs  to  be
triggered  manually.  In  the  example  above,  this  is  the  case  for  all  runnables  except  for
RunnableCyclic.
The row for Runnable2 does not contain an event because this runnable is mapped to a
basic task.
To  manually  implement  the  cyclic  triggers,  one  could  for  example  create  a  repeating
schedule table in the OS configuration with duration 10 that uses a counter with a tick time
of  one  millisecond.  An  expiry  point  at  offset  0  would  then  need  to  contain  SETEVENT
actions  for  the  runnables  Runnable1  and  Runnable3  and  an  ACTIVATETASK  action  for
Runnable2.
Moreover further expiry points with the offsets 2, 4, 6, 8 are needed to activate Runnable1
and Runnable2 and another expiry point with offset 5 is needed to activate Runnable3.

Caution
When the trigger implementation is set to none, the settings for the cycle time and the
  activation offset are no longer taken into account by the RTE. It is then the
responsibility of the user to periodically trigger the runnables / main functions at the
configured times. Moreover the user also has to make sure that this triggering does not
happen before the RTE is completely started.

2015, Vector Informatik GmbH
Version: 4.8.0
134 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

6.11  Resource Calculation
The RTE generator generates the file Rte.html containing the RAM and CONST usage of
the generated RTE. The RTE generator makes the following assumptions.
  Size of a pointer: 2 bytes. The default value of the RTE generator can be changed with
the parameter Size Of RAM Pointer in the EcuC module.
  Size of the OS dependent data type TaskType: 1 byte
  Size of the OS dependent data type EventMaskType: 1 byte
  Padding bytes in structures and arrays are considered according to the configured
parameters Struct Alignment and Struct In Array Alignment in the EcuC
module for NvM blocks.
  Size of a boolean data type: 1 byte (defined in PlatformTypes.h)

The  pointer  size  and  the  alignment  parameters  can  be  found  in  the  container
EcuC/EcucGeneral in the Basic Editor of DaVinci Configurator.

Figure 6-15 Configuration of platform settings

2015, Vector Informatik GmbH
Version: 4.8.0
135 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

7  Glossary and Abbreviations
7.1
Glossary
Term
Description
DaVinci DEV
DaVinci Developer: The SWC Configuration Editor.
DaVinci CFG
DaVinci Configurator: The BSW and RTE Configuration Editor.
Table 7-1   Glossary
The AUTOSAR  Glossary  [14]  also  describes  a  lot  of  important  terms,  which  are  used  in
this document.
7.2
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
Com
Communication Layer
ComXf
Com based Transformer
C/S
Client-Server
E2E
End-to-End Communication Protection
E2EXf
End-to-End Transformer
EA
Exclusive Area
ECU
Electronic Control Unit
EcuM
ECU State Manager
FOSS
Free and Open Source Software
HIS
Hersteller Initiative Software
IOC
Inter OS-Application Communicator
ISR
Interrupt Service Routine
MICROSAR
Microcontroller Open System Architecture (Vector’s  AUTOSAR solution)
NvM
Non-volatile Memory Manager
PIM
Per-Instance Memory
OIL
OSEK Implementation Language
OSEK
Open Systems and their corresponding Interfaces for Electronics in
Automotive
RE
Runnable Entity
SE
Schedulable Entity
RTE
Runtime Environment
SchM
Schedule Manager
2015, Vector Informatik GmbH
Version: 4.8.0
136 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

SOME/IP
Scalable service-oriented middleware over IP
SomeIpXf
SOME/IP Transformer
S/R
Sender-Receiver
SWC
Software Component
SWS
Software Specification
VFB
Virtual Functional Bus
Table 7-2 Abbreviations
2015, Vector Informatik GmbH
Version: 4.8.0
137 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

8  Additional Copyrights
The MICROSAR RTE Generator  contains Free and Open Source Software (FOSS). The
following table lists the files which contain this software, the kind and version of the FOSS,
the  license  under  which  this  FOSS  is  distributed  and  a  reference  to  a  license  file  which
contains the original text of the license terms and conditions. The referenced license files
can be found in the directory of the RTE Generator.

File
FOSS
License
License Reference
MicrosarRteGen.exe  Perl 5.20.2
Artistic License
License_Artistic.txt
Newtonsoft.Json.dll
Json.NET 6.0.4  MIT License
License_JamesNewton-King.txt
Rte.jar
flexjson 2.1
Apache License V2.0  License_Apache-2.0.txt
Table 8-1   Free and Open Source Software Licenses
2015, Vector Informatik GmbH
Version: 4.8.0
138 / 139
based on template version 3.5

Technical Reference MICROSAR RTE

9  Contact
Visit our website for more information on

  News
  Products
  Demo software
  Support
  Training data
  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 4.8.0
139 / 139
based on template version 3.5

Document Outline

21.8 -

MICROSAR RTE Release Notes

MICROSAR RTE 4.8.0 - DaVinci Developer Version 3.11.x

RTE features

Support of COM based Transformer ComXf
Support of different strategies for writing NV data in Nv Block SWCs
Support of C/S Interfaces for Nv Block SWCs
SWC Template generation provides user sections for documentation of runnable entities
Wide character support in paths
Improved counter selection for operating systems with multiple OS applications
Support of optimized macro implementation for SchM_Enter and SchM_Exit
Enhanced OS Spinlock support
Enable optimizations in QM partitions
Improved command line handling regarding paths which spaces and '-' signs
MISRA improvements

Fixed issues

Generation error: GenAPI error for record elements with init values TRUE/FALSE (ESCAN00083111)
Use of uninitialized value in concatenation when a data constraint with [0,0] exists (ESCAN00083589)
Asynchronous Rte_Call API for inter-ECU C/S communication without timeout does not check LdCom_IfTransmit return value (ESCAN00083611)
Compiler error: access to missing task variable in Rte_Call API (ESCAN00083765)
Compiler error: Missing structure for .Rte_CallCompleted access (ESCAN00083779)
Compiler error: duplicate members in TxUpdateFlagsType (ESCAN00083791)
Receiver that is not mapped to the BSW partition reads invalid data (ESCAN00083832)
Mode Declaration Groups with EXPLICIT_ORDER do not work correctly (ESCAN00083841)
Compiler error: Unconnected IWriteRef accesses unknown UNDEFINED structure element (ESCAN00083854)
Generator reports invalid array access (ESCAN00083943)
Compiler error: Missing initializer for NV data element (ESCAN00084379)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.7.1 - DaVinci Developer Version 3.10.x

RTE features

Allow generation of RTE for unconnected P-Ports without initial value
Support for implicit/explicit OS ScheduleTable synchronization strategy
Improve OS counter selection for operating systems with multiple OS applications

Fixed issues

Compiler error: Undeclared identifier Rte__AckFlags (ESCAN00081744)
OsScheduleTable generation is prevented by incorrect error message (ESCAN00082156)
Wrong order of modes for ModeDeclarationGroup of category EXPLICIT_ORDER (ESCAN00082564)
Wrong XcpEvent time stamp unit (ESCAN00082628)
Rte_Read / Rte_IStatus don't return RTE_E_INVALID before the first reception of a COM signal / signal group when the initial value equals the invalid value (ESCAN00082764)
Generator reports use of uninitialized values (ESCAN00082888, ESCAN00082918)
Compiler error: Missing extern declaration for queued sender-/receiver buffer (ESCAN00082942)
Failing uninit Det check due to wrong condition (ESCAN00083162)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.7.0 - DaVinci Developer Version 3.10.x

RTE features

Support of background triggers
Support of data prototype mappings
Support of bit field text table mappings
Support of union data types
Support of UTF16 data type serialization in the SOME/IP transformer
Runtime optimization in the generated RTE code by usage of optimized interrupt locking APIs of the MICROSAR OS
Support of further E2E profiles for data transformation with the SOME/IP and E2E transformer
Support of OS counters with tick durations smaller than 1�s
Buffer optimization for implicit communication in the same preemption area
Further use cases where macro optimized APIs are used
Support of data types with local type references using compu methods
Several enhancements in command line parameter processing

Fixed issues

Add support for connection of data types with compu method to data types without compu method (ESCAN00081084)
Missing on data reception trigger in case of NvRAM SWCs (ESCAN00081085)
Missing identifier in Rte_Read macro definition (ESCAN00081148)
Mismatching memory sections for declaration and extern declaration (ESCAN00081221)
Compiler error: Empty data structures for mode management (ESCAN00081311)
Compiler warning: Rte_Mode API is generated twice (ESCAN00081313)
Wrong generated OS Application references to OsScheduleTables (ESCAN00081435)
Generator error: No OperationPort found for client (ESCAN00081520)
Wrong NvMRomBlockDataAddress added to the NvM configuration (ESCAN00081525)
Missing error message leads to wrong-generated task body in special use-case (ESCAN00081531)
Missing prototypes for server runnables in case of direct server calls over OS application boundaries (ESCAN00081646)
Compiler error: Missing Rte_Mode API (ESCAN00081676)
Wrong initialization of Rte_ModeQueue with enhanced Mode API (ESCAN00081748)
Wrong error message that a Port Data Structure is needed for a PR-Port (ESCAN00081757)
Rte_InitMemory assigned to NO_INIT instead of INIT_MEMORY (ESCAN00081821)
Calibration parameters using application data types do not consider data constraints and compu method in A2L generation (ESCAN00081911)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.6.0 - DaVinci Developer Version 3.9.x

RTE features

Enhanced PR port support. Now bi-directional ports can also be used for Nv ports and mode ports.
Support of bit field data types (CompuMethods with category BITFIELD_TEXTTABLE)
Runtime optimized copying of large data
Support for SW-ADDR-METHOD on RAM blocks of NvRAM SWCs
Add support for multiple Nv mappings per element of Nv block descriptors
Several enhancements of the SOME/IP transformer support
Enhanced RTE / OS interaction regarding TickTime configuration based on RteExpectedTickDuration configuration parameter

Fixed issues

Compiler error: Missing function Rte_Task_SetEvent (ESCAN00077993)
Compiler warning: unused variable within Rte_InitMemory() (ESCAN00078602)
Compiler error: WaitEvent call without arguments (ESCAN00078781)
NV-Ports in combination with atomic SWCs (ESCAN00079443)
Null pointer exception for SchM only configurations with COM/LDCOM (ESCAN00079503)
Compiler warning: implicit main function declaration (ESCAN00079558)
Missing Interrupt Unlock for Implicit IOC accesses (ESCAN00079628)
Generator error when no SystemTimer is configured (ESCAN00079904)
Compiler error: Wrong typedef order for pointer data types (ESCAN00079916)
RTE Generator creates NvBlock with the name UNDEFINED (ESCAN00080227)
Wrong buffer name for NV Ports with missing port access (ESCAN00080377)
Missing check for secondsPerTick values smaller than 1�s for MICROSAR OS Counters (ESCAN00080404)
Wrong error message that the configuration contains no counter with sufficient resolution if a non MICROSAR OS is used (ESCAN00080405)
Incomplete propagation of NV mapping (ESCAN00080447)
Wrong Rte_IWrite/Rte_IInvalidate macro generation for unconnected ports of multi instantiated SWCs (ESCAN00080726)
Compiler error: Multiple Instantiated SWCs with Implicit Communication (ESCAN00080878)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.5.0 - DaVinci Developer Version 3.9.x

RTE features

Extended support for PR-Ports (Buffer overlaying for explicit S/R communication)
Added OS schedule table support for implementation of cyclic triggered executable entities. This allows mapping of multiple cyclic triggers with different cycle times and offset into a basic task.
E2E protection for C/S inter ECU communication using profile 4
Post-Build Selectable (Identity Manager)
Support Rte_DRead API (DataReceivePointByValue)
Improved handling of mode request type maps and mode declaration groups
Support compatibility for mode port interfaces using mode declaration group prototypes with different short names
Support for uint64 and sint64 Implementation Data Types as AUTOSAR Platform Types
Support for ServerArgumentImplPolicy = useArrayBaseType

Fixed issues

Can't handle Utf-8 character in DVRteGenPath from Settings_Rte.xml file (ESCAN00078713)
Compiler error: Undeclared variables used by SOME/IP Transformer (only for Client/Server communication) due to merge scenario (ESCAN00078938)
SOME/IP Transformer doesn't convert between AUTOSAR size indicator and SOME/IP length indicator (relevant for variable arrays) (ESCAN00079000)
Trigger Transmit callback doesn't send initial values / valid SOME/IP messages if LdCom_IfTransmit() wasn't called previously by the RTE (ESCAN00079003)
Invalid usage of same transformer for implementation data type and application data type (mapped to same implementation data type) (ESCAN00079185)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.4.2 - DaVinci Developer Version 3.8.x

Fixed issues

Linker error: missing Rte_TrustedCom* function (ESCAN00077991)
RTE49999 An unexpected error occurred for Asynchronous Client/Server calls (ESCAN00078067)
Null Pointer Exception during Rte calculation when no sw component instances exist (ESCAN00078070)
Compiler error: (void)SetRelAlarm(UNDEFINED (ESCAN00078128)
Compiler error: Missing declaration for Rte_CalprmInitRam (ESCAN00078208)
Rx variables of Com receive signal proxy (only multicore and memory protection use case without IOCs) are not initialized at runtime (ESCAN00078290)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.4.1 - DaVinci Developer Version 3.8.x

RTE features

Support for application ports at service components

Fixed issues

RTE 49999 warning and compilation error when Inter-ECU client/server communication is used (ESCAN00076662)
Initial reception of invalid signals does not invalidate never received and is updated status (ESCAN00076685)
Generator error: wide character in print (ESCAN00076804)
Compiler error: Wrong initialization of Inter-Runnable Variables of composite data types in memory protected EcuC (ESCAN00076850)
Invalid handling of application datatypes with compu method that are mapped to float implementation datatypes (ESCAN00076908)
Wrong transformer buffer size calculation for string data types that are part of a array element (ESCAN00077031)
Enhanced Mode API returns wrong previous and next mode during transition at provide ports (ESCAN00077099)
Compiler error: Rte_Call API accesses missing task variable (ESCAN00077186)
Internal Generator Error: Deep recursion in PropagateServerRunnableInformation (ESCAN00077388)
Compiler error: Incompatible type in assignment (ESCAN00077480)
Compiler error: Rte_Type.h contains structure definitions without name (ESCAN00077571)
RxInvalidate flags are not reset in COM callback on data reception if they are realized by IOCs (ESCAN00077629)
Do not reuse cached SystemInfo when it was generated without ECUC (ESCAN00077671)
DataSendCompletion Event is fired too early in case of 1:N communication with external receiver (ESCAN00077770)
Rte Generator creates ComFilterAlgorithm parameter without value (ESCAN00077823)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.4.0 - DaVinci Developer Version 3.8.x

RTE features

Inter-Ecu C/S Communication using SOME/IP transformation
S/R Serialization using SOME/IP and optionally E2E transformation
Support LdCom
Basic support for PR-Ports. Currently no buffer overlaying is implemented. The read and write APIs of the PR-Port uses separate buffers.
Support for unconnected client ports for synchronous C/S communication
Support for data constraints on type reference data type
Improved support for 3rd Party OS interoperability especially regarding OS Counter handling

Fixed issues

SetEvent/ActivateTask in Rte_Call triggers the ProtectionHook (ESCAN00074746)
Compiler error: Missing Rte_MemClr in case of inter-ECU sender/receiver communication from partitions without BSW (ESCAN00074763)
Compiler error: duplicate function SchM_GetVersionInfo (ESCAN00074940)
Additional generator error when complex constants are used in combination with different data types (ESCAN00075122)
RTE49999 error message in case hex constants are used as init value for float data elements (ESCAN00075129)
Validator aborts due to null pointer dereference in case the mandatory SupportsMultipleInstantation attribute is missing (ESCAN00075572)
RTE generator does not report all unconnected client ports (ESCAN00075616)
RTE generator issues an error when RteXcpEventSupport is enabled (ESCAN00076005)
Internal Generator Error when unconnected client ports are used (ESCAN00076184)
Unwanted generation of begin and end tags for Xcp checksum block of A2L memory segments (ESCAN00076298)

Limitations of AUTOSAR 4.x support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.3.0 - DaVinci Developer Version 3.7.x

RTE features

Memory Protection support:
- Memory protection can now also be used in multi core ECUs
- Inter-ECU sender/receiver communication, queued sender/receiver communication and mapped client/server calls are no longer limited to the BSW partition
- Added warning message for directly invoked C/S calls from trusted to non-trusted partitions
Multi Core support:
- Several optimizations regarding inter core communication e.g. usage of shared non-cachable memory instead of OS IOCs
SWC Template Generator:
- If a server runnable is invoked by the Diagnostic Communication Manager (Dcm) and E_NOT_OK is specified as application error in the port interface description the generated runnable returns this negative return code and no longer RTE_E_OK.
- The backup files *.bak are only generated if there are changes in the template code.
Added support for transmission acknowledge handling for 1:N communication if only one external receiver exists
Runtime Optimization: Remove unnecessary interrupt locks
Added support for the Development Error Tracer (Det)
Added support for multiple VFB trace hook clients
Enhanced Nv Block length calculation which also considers padding bytes by evaluation of alignment configuration
Speed Optimization of the RTE Generator
Enhanced XCP Event handling

Fixed issues

Closed negative interval bound is shifted by +1 (ESCAN00071792)
Lower and upper limit of data constraints are inverted (ESCAN00071798)
Fixed generator error "[Internal Error] Use of uninitialized value in numeric ne" (ESCAN00072085)
Remove duplicated "_" characters from calculated ECUC objects (ESCAN00072087)
Fixed compiler error: Missing member in Rte_CS_ClientQueueType (ESCAN00072245)
Fixed compiler error: Missing member in Rte_ClientIdleFlagsType (ESCAN00072258)
Fixed compiler error: else without if in Rte_Call API (ESCAN00072517)
Fixed compiler error: Wrong Rte_IRead return type in case of signal group degradation (ESCAN00072628)
Implementation method "All Interrupt Blocking" for RTE exclusive areas only disables OS interrupts of category 2 (ESCAN00072640)
Conversion of ranges with open negative boundary/boundaries to closed one(s) is off by 1 (ESCAN00072737)
Assertions fail for certain implementation/application data types with data constraint boundary "-#INF"/"#INF" (ESCAN00072839)
CompuMethod of type "Use Physical To Internal" might give wrong limits, invalid values and init values (ESCAN00072841)
Fixed wrong generation of interrupt locks in Com Callback (ESCAN00072960)
Fixed wrong calculation of ComSignalType for signals with dynamic length. UINT8_N was set but UINT8_DYN should be used (ESCAN00073116)
Fixed compiler error: RTE doesn't generate RxInvalidate flags (ESCAN00073241)
Fixed Null Pointer Exception during Rte calculation when an annotation has no origin (ESCAN00073758)
Enhanced Mode API returns wrong previous mode (ESCAN00073815)
Fixed compiler error: Redefinition of variable for a Rom Block of a NV Block Descriptor (ESCAN00073877)
Superfluous interrupt unlock function in case of implicit communication with never received handling (ESCAN00074110)

Limitations of AUTOSAR 4.x support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.2.1 - DaVinci Developer Version 3.6.x

Fixed issues

Fixed crashes of the RTE generator caused by wrong access to license library (ESCAN00072158)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.2.0 - DaVinci Developer Version 3.6.x

RTE features

Enhanced Multi-Core support:
- C/S communication over core boundaries
- Inter-Ecu S/R communication from the slave cores
- Mode reception from the slave cores
Support of NV block software component types
Support of SchM Contract Phase Generation
Enhanced command line interface which allows generation of multiple component templates or contract phase header files for a list of SWCs and/or BSW modules
Support of array data types with dynamic length for queued S/R communication (Rte_Send/Rte_Receive)
Runtime optimization in the generated RTE code by usage of optimized interrupt locking APIs of the MICROSAR OS
Generation of scaling (factor and offset) and unit information for data types into the generated component templates
Support additional unmapped triggers for mapped server runnables
Support for queued intra-Ecu N:1 S/R communication added
Enhanced configuration consistency checks

Fixed issues

Padding bytes of record data types for queued S/R communications are not considered (ESCAN00068117)
Generation not possible when there are multiple tasks with schedulable entities on the same core (ESCAN00068557)
Compiler error: missing Rte_TxAck_ struct entry (ESCAN00068931)
Rte generator aborts with unexpected exit code (ESCAN00068978)
Server runnable is called with invalid arguments (ESCAN00069402)
Compiler error: Missing or invalid flag declarations in case of memory protection (ESCAN00069513)
Client/Server operation unexpectedly returns RTE_E_TIMEOUT (ESCAN00069574)
Function declaration and macro are both generated for Rte_Send (ESCAN00069729)
Rte generator aborts generation when an enumeration data type contains no enumeration literals (ESCAN00069512)
Rte_IrvRead returns wrong data in case inter runnable variables are not used inter runnables (ESCAN00070123)
Missing function prototype in application header for unconnected send ports (ESCAN00070715)
Compiler error: Extended task that only contains init runnables (ESCAN00071119)
RTE Generator crashes while comparing two array implementation data types with different array size semantic (ESCAN00071210)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.1.3 - DaVinci Developer Version 3.5.x

Fixed issues

Removed check if upper limit > lower limit. The requirement [rte_sws_7176] was removed in AUTOSAR 4.0.3 (ESCAN00072740)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.1.2 - DaVinci Developer Version 3.5.x

Fixed issues

Padding bytes of record data types for queued S/R communications are not considered (ESCAN00068117)
Generation not possible when there are multiple tasks with schedulable entities on the same core (ESCAN00068557)
Compiler error: missing Rte_TxAck_ struct entry (ESCAN00068931)
Rte generator aborts with unexpected exit code (ESCAN00068978)
Rte generator aborts generation when an enumeration data type contains no enumeration literals (ESCAN00069512)
Client/Server operation unexpectedly returns RTE_E_TIMEOUT (ESCAN00069574)
Function declaration and macro are both generated for Rte_Send (ESCAN00069729)
Rte_IrvRead returns wrong data in case inter runnable variables are not used inter runnables (ESCAN00070123)
Missing function prototype in application header for unconnected send ports (ESCAN00070715)
Compiler error: Extended task that only contains init runnables (ESCAN00071119)
RTE Generator crashes while comparing two array implementation data types with different array size semantic (ESCAN00071210)
Closed negative interval bound is shifted by +1 (ESCAN00071792)
Lower and upper limit of data constraints are inverted (ESCAN00071798)
Remove duplicated "_" characters from calculated ECUC objects (ESCAN00072087)
Fixed compiler error: Missing member in Rte_CS_ClientQueueType (ESCAN00072245)
Fixed compiler error: else without if in Rte_Call API (ESCAN00072517)
Fixed compiler error: Wrong Rte_IRead return type in case of signal group degradation (ESCAN00072628)
Implementation method "All Interrupt Blocking" for RTE exclusive areas only disables OS interrupts of category 2 (ESCAN00072640)
Conversion of ranges with open negative boundary/boundaries to closed one(s) is off by 1 (ESCAN00072737)
CompuMethod of type "Use Physical To Internal" might give wrong limits, invalid values and init values (ESCAN00072841)
Fixed wrong generation of interrupt locks in Com Callback (ESCAN00072960)
Enhanced Mode API returns wrong previous mode (ESCAN00073815)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.1.1 - DaVinci Developer Version 3.5.x

RTE features

Support of Multi-Core (S/R communication over core boundaries)
Support of Inter-Runnable Variables with composite data types

Fixed issues

RTE generator reports use of uninitialized values (ESCAN00067990)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.1.0 - DaVinci Developer Version 3.5.x

RTE features

Support of measurement and calibration for calibration software component types
Support of A2L segment generation for online calibration method "Initialized RAM"
Support of calibration buffer generation
Support of OsSchedulePoint setting for init runnables
Support of reference data types that reference platform types
Cycle time in the generated A2L is now set for XcpEvents of cyclic triggered runnables
Improved commandline handling
Support for Configurator 5 licensing mechanism
Generated files are reported in Configurator 5 now
Automatically calculated parameters are greyed in Configurator 5 now
Generation is prevented in the postbuild phase now
Several improvements in the checks and validation rules
MISRA enhancements

Fixed issues

Fixed limits for float values in generated A2L file (ESCAN00065206)
Fixed enumeration literal in generated A2L file (ESCAN00066289)
Fixed order of matrix dimensions in generated A2L file (ESCAN00066810)
Fixed compiler error when init runnables call servers on other tasks (ESCAN00065417)
Fixed triggering of runnables with cyclic triggers that are mapped to BSW Scheduler tasks (ESCAN00065738)
Fixed generation of enumeration literals (ESCAN00066097)
Fixed that OnEntry triggered runnables are no longer triggered for the wrong mode (ESCAN00066296)
Fixed runnable triggering for OnTransition triggers (ESCAN00067234)
Fixed compiler error due to inconsistency between COM configuration and RTE COM callback generation (ESCAN00066956)
Fixed compiler error in case of implicit communication (ESCAN00066549)
Fixed RTE generator crash with null pointer exception when configuration contains ComponentTypes but no ComponentInstances (ESCAN00065829)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 4.0.0 - DaVinci Developer Version 3.4.x

RTE features

Support of 'On Transition' triggered runnable entities
Support of component type symbol name
Support of data type symbol name
Support of pointer implementation data types
Generation of 'Rte_UserTypes.h' with RTE template mechanism
Completed support of unconnected ports for AUTOSAR 4 by introduction of the return codes RTE_E_UNCONNECTED
BSW exclusive area implementation method 'CUSTOM' was introduced, which allows manual implementation of the SchM exclusive area APIs SchM_Enter and SchM_Exit in a separate file
Add support for different EcuC package structures
Support of compatibility mode for AUTOSAR 4
Several improvements in the checks and validation rules
Update NvM configuration for mapped per instance memories
Optimized generator memory usage for data elements with many subelements
MISRA enhancements

Fixed issues

Incomplete support of RTE Exclusive Area Implementation method ALL_INTERRUPT_BLOCKING leads to wrong validation results (ESCAN00062257)
Generated A2L file may lead to plausibility check warnings in MC tools (ESCAN00063135)
RTE generator aborts with an internal error when the RTE Generator was called with a composition or a calibration SW component type (ESCAN00062200)
Enhanced Rte_Mode API reports an inconsistent state (ESCAN00062543)
Template update for _MemMap.h does not work (ESCAN00061678)
Compile error when multiple instantiated SWCs uses calibration require ports (ESCAN00063506)
Compile error may occur when Rte_IsUpdated function is used with indirect API (ESCAN00063620)
IRead and IStatus APIs return wrong values in case of unconnected ports (ESCAN00063829)
Mode disablings are not initialized correctly (ESCAN00062339)
RTE generator aborts with an error on Japanese Windows (ESCAN00062831)
RTE generator reports use of uninitialized values (ESCAN00062817)
RTE generator does not remove obsolete objects from the ECUC configuration (ESCAN00062525)

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 3.90.0 - DaVinci Developer Version 3.3.x

RTE features

Support of AUTOSAR 4.0.3

Limitations of AUTOSAR 4.0 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 2.22.0 - DaVinci Developer Version 3.3.x

RTE features

General support of AUTOSAR 3.2.2 (RTE SWS 2.5.0)
Support of Rte_IsUpdated API. Configuration is now independent of the E2E support.
Support of non-queued N:1 Intra-Ecu S/R communication
Allow unconnected calibration R-Ports
Initial value can be omitted, if the initial value is defined at the connected port

Fixed issues

Runnables with mode disabling dependencies are not triggered (ESCAN00059438)
Fixed internal error in RTE Generator caused by configurations containing unconnected calibration parameter P-Ports (ESCAN00060622)
Fixed compile error when measurement is enabled for ports with implicit access (ESCAN00060815)
Fixed compile errors when mapping primitive byte arrays to Com signals (ESCAN00060835)
Fixed wrong generated function prototype for Rte_CData API when RTE_PTR2ARRAYBASETYPE_PASSING is active and a string or array calibration parameter is accessed in an object code SWC or uses multiple instantiation (ESCAN00061640)

Limitations of AUTOSAR 3.2.2 support

See TechnicalReference_Asr_Rte.pdf for details.

MICROSAR RTE 2.21.0 - DaVinci Developer Version 3.2.x

RTE features

Added support for hexadecimal coded enumeration values
Add support for SystemSignals that use the same name as SystemSignalGroups

Fixed issues

Fixed linker error caused by wrong entries in Calibration Parameter Handle Section in special configuration variants (ESCAN00057382)
Fixed linker error caused by missing Rte_IsUpdated API if object code SWCs are used in a special configuration variant (ESCAN00057845)
Fixed wrong default mapping for SWC specific constant memory sections (ESCAN00058272)
Removed wrong and not required MISRA justifications for preprocessor defines (ESCAN00058459)
Fixed missing OS Alarm references in OS Application configuration during EcuC-Synchronization in case of memory protection support is enabled (ESCAN00058629)
Fixed wrong calls of Com_SendSignal / Com_SendSignalGroup with wrong handle ID in special fan-in use case (ESCAN00057764)

MICROSAR RTE 2.20.1 - DaVinci Developer Version 3.1.x

Fixed issues

Fixed wrong initialization of binary coded strings (ESCAN00056860)

MICROSAR RTE 2.20.0 - DaVinci Developer Version 3.1.x

RTE features

The call of Schedule() API in non-preemptive Basic Tasks has been made configurable.
Added MISRA justifications in the source code of the generated RTE code.
Enhanced memory protection support:
- The generated RTE code is split into OS Application specific files.
- The generated file 'usrostyp.h' uses now also the template mechanism and can be modified by the user.
- Additional SWC specific memory mapping section defines were added for variables and can be used in the SWC code. In case of memory protection a default mapping to OS Application specific memory sections of the OS is created.
Enhanced command line interface:
- The RTE generator was extended to support generation of multiple generation modes in one command line call. This improvement speeds up generation and makes the command line interface easier and more powerful.
- If the configuration contains only one ECU-Project or only one Software Component Type the command line parameter -m is no longer required.
Byte arrays no longer need to be mapped to COM signal groups. An optional mapping to primitive COM signals of type UINT8_N has been implemented as specified in AUTOSAR 3.2.1. This support was previously only available for string types.
Added support of binary coded string data types (non-printable characters)
Optimizations:
- Further removement of unnecessary interrupt locks
- Handling of mode disabling dependencies was optimized

Fixed issues

Fixed compiler warning when a server is triggered by multiple operations with different but compatible interfaces (ESCAN00053739)
Fixed wrong return code of Rte_Receive API during very first read of a queued data element (ESCAN00054769)
Fixed Rte_XcpEvents.a2l which contained wrong MAX_DAQ_LIST settings (ESCAN00054211)
Fixed wrong generated OS configuration leading to an OS runtime error when OS resources are used by runnables on the BSW Scheduler tasks (ESCAN00054157)
Added missing check that prevents that signal groups are mapped to different record types in case of fan-in (ESCAN00056005)
Fixed compilation error caused by variable redefinitions when fan-in is used in combination with memory protection (ESCAN00056006)

MICROSAR RTE 2.19.1 - DaVinci Developer Version 3.0 (SP5)

RTE features

Enhanced memory protection support:
- C/S communication over memory protection boundaries can now also be done with unmapped server runnables leading to a direct function call. In that case the RTE Generator creates a warning message.
- Allow usage of mode machines in the non BSW OS Applications when the BSW is non-trusted.
Optimization in generated RTE code by removal of superfluous interrupt locks if 'Minimize Execution Time' is configured and mode disabling dependencies are used.

Fixed issues

Fixed compile error when measurement is enabled for unconnected ports in case of memory protection (ESCAN00052919)
Fixed missing interrupt locks for implicit inter-runnable variables (ESCAN00052957)
Fixed wrong reported mode of Rte_Mode API during initialization (ESCAN00053108)
Fixed invalid runnable triggers for runnables which are disabled in the init mode of a mode machine (ESCAN00053110)
Fixed compile error due to structure mismatch in special configuration of online calibration method initialized RAM (ESCAN00053211)

MICROSAR RTE 2.19.0 - DaVinci Developer Version 3.0 (SP5)

RTE features

General support of AUTOSAR 3.2.1 (RTE SWS 2.4.0)
Support of Rte_IsUpdated API based on AUTOSAR 4.0
Support Never-Received status in Rte_Read and Rte_IStatus API
Support of selective file generation. This generation mode can be enabled by setting 'BoardConditionalGenerating' in the general settings. If this mode is enabled, only files are generated when the content is different compared to previous generated files.
Enhanced measurement support:
- Measurement of Inter-Ecu S/R communication. This requires that measurement objects for COM Signals with the naming convention Com_< SignalName > are available in the A2L file.
- Optimized XcpEvent ID allocation to avoid conflicts with BSW measurement XcpEvent IDs
Enhanced SWC Template Generation:
- Support of E2E Protection Wrapper API
- Generated Rte_IWrite calls initialize the implicit S/R buffers with the configured initial value. By default this initialization code is disabled. It can be enabled with the preprocessor switch RTE_INIT_IMPLICIT_BUFFERS.
Optimization in generated RTE code by removal of superfluous interrupt locks for atomic signal and signal group access operations.
Several optimizations and enhancements in the memory protection support e.g. support of non-trusted BSW. See Technical Reference for details.

Fixed issues

Harmonized values returned by the UpperLimit and LowerLimit defines and added some missing ones (ESCAN00048418)
Fixed compilation error caused by a missing check if an init runnable contains a wait point (ESCAN00051267)
Added missing void cast of unused return value for XcpEvent() calls, which causes MISRA violation 16.10 in configurations where measurement with XcpEvent support is enabled (ESCAN00050023)
Fixed compilation error caused by missing internal Rte_MemClr function. The compilation error only occurs when minimum start interval is used and other configuration variants which need the same internal function are not configured (ESCAN00050730)
Fixed compilation error caused by Init-Runnables which uses implicit S/R communication and are mapped to extended tasks (ESCAN00051059)
Fixed linker error caused by missing Rte_Read/Rte_Receive API for unconnected port (ESCAN00051089)
Fixed compilation error caused by missing status variable (ESCAN00051490)
Fixed invalid and missing measurement and characteristic references in A2L groups (ESCAN00050851)
Fixed wrong generated error message 'Use of uninitialized value in concatenation (.) or string' in some special configuration variants (ESCAN00048927)
Fixed wrong optimization for multiple implicit accesses within the same task (ESCAN00052147)
Fixed wrong optimization which may lead to missing ResumeOSInterrupts() calls in task bodies with implicit S/R data access in special cases (ESCAN00052426)

Limitations of AUTOSAR 3.x support

Inter-ECU C/S communication is not supported.

MICROSAR RTE 2.18.2 - DaVinci Developer Version 3.0 (SP4)

Fixed issues

Fixed wrong calls of Com_SendSignal / Com_SendSignalGroup with wrong handle ID in special fan-in use case (ESCAN00057764)

MICROSAR RTE 2.18.1 - DaVinci Developer Version 3.0 (SP4)

RTE features

Added check for server runnables that are configured with minimum start interval which is not allowed.

Fixed issues

Fixed compilation error due to access to an invalidate flag that is not declared in case of an unconnected receiver port and enabled measurement support (ESCAN00050471)
Fixed compilation error when alive timeout is used in combination with memory protection (ESCAN00050643)
Minimum start interval code is not initialized properly when memory protection is used (ESCAN00050645)
Fixed compilation error when invalidation is used for external signals and when memory protection is enabled (ESCAN00050646)
Fixed buffer overflow during initialization when the value of a constant is out of base type range (ESCAN00050820)

MICROSAR RTE 2.18.0 - DaVinci Developer Version 3.0 (SP4)

RTE features

Support of implicit API behavior according AUTOSAR 3.x using task specific buffers for runtime optimization.
Support for symbolic name values with module short name prefixes for COM handles used in the interface between RTE and COM.
Optimization in generated RTE Code: Reduced number of OS Events needed for identical trigger condition in case of DataReceivedEvents or DataReceptionErrorEvents.

Fixed issues

Fixed compile/link error due to wrong indirect API generation in some specific configuration variants (ESCAN00046908)
Fixed compile warning caused by missing type casts in the generated RTE code. The warning may occur depending on the used compiler and only in special configurations where asynchronous C/S communication or implicit S/R communication together with string or array data types is used (ESCAN00047830)
Fixed compilation error due to wrong generated Rte_Call API in special configuration variant (ESCAN00048109)
Fixed wrong optimization for runnables triggered on Tx acknowledge of Inter-ECU communication which may lead to a delayed execution of the runnable. The wrong behavior depends on the task mapping of the involved runnable entities (ESCAN00048452)

MICROSAR RTE 2.17.6 - DaVinci Developer Version 3.0 (SP3)

Fixed issues

Fixed compilation error due to access to an invalidate flag that is not declared in case of an unconnected receiver port and enabled measurement support (ESCAN00050471)
Fixed compilation error when alive timeout is used in combination with memory protection (ESCAN00050643)
Minimum start interval code is not initialized properly when memory protection is used (ESCAN00050645)
Fixed compilation error when invalidation is used for external signals and when memory protection is enabled (ESCAN00050646)
Fixed buffer overflow during initialization when the value of a constant is out of base type range (ESCAN00050820)
Fixed invalid and missing measurement and characteristic references in A2L groups (ESCAN00050851)
Fixed linker error caused by missing Rte_Read/Rte_Receive API for unconnected port (ESCAN00051089)
Fixed compilation error caused by a missing check if an init runnable contains a wait point (ESCAN00051267)
Fixed missing interrupt locks for implicit inter-runnable variables (ESCAN00052957)
Fixed wrong reported mode of Rte_Mode API during initialization (ESCAN00053108)
Fixed invalid runnable triggers for runnables which are disabled in the init mode of a mode machine (ESCAN00053110)
Fixed compile error due to structure mismatch in special configuration of online calibration method initialized RAM (ESCAN00053211)
Fixed compiler warning when a server is triggered by multiple operations with different but compatible interfaces (ESCAN00053739)
Fixed Rte_XcpEvents.a2l which contained wrong MAX_DAQ_LIST settings (ESCAN00054211)
Fixed wrong return code of Rte_Receive API during very first read of a queued data element (ESCAN00054769)
Added missing check that prevents that signal groups are mapped to different record types in case of fan-in (ESCAN00056005)
Fixed linker error caused by wrong entries in Calibration Parameter Handle Section in special configuration variants (ESCAN00057382)
Runnables with mode disabling dependencies are not triggered (ESCAN00059438)
Fixed wrong calls of Com_SendSignal / Com_SendSignalGroup with wrong handle ID in special fan-in use case (ESCAN00057764)
Fixed wrong RTE generation caused by missing data mappings of signal groups when dcf format and AUTOSAR 3.1.4 is used with Signal-Group Degradation feature (ESCAN00060016)

MICROSAR RTE 2.17.5 - DaVinci Developer Version 3.0 (SP3)

RTE features

Optimization in generated RTE code by removal of superfluous interrupt locks for atomic signal and signal group access operations.
The generated SWC template code (command line option -g i) contains Rte_IWrite calls for all implicit data write accesses of a runnable entity. By default this initialization code is disabled. It can be enabled with the preprocessor switch RTE_INIT_IMPLICIT_BUFFERS.
Added check for server runnables that are configured with minimum start interval which is not allowed.

Fixed issues

Added missing void cast of unused return value for XcpEvent() calls, which causes MISRA violation 16.10 in configurations where measurement with XcpEvent support is enabled (ESCAN00050023)
Harmonized values returned by the UpperLimit and LowerLimit defines and added some missing ones (ESCAN00048418, ESCAN00048443)
Fixed compile warning caused by missing type casts in the generated RTE code. The warning may occur depending on the used compiler and only in special configurations where asynchronous C/S communication or implicit S/R communication together with string or array data types is used (ESCAN00047830)
Fixed compilation error due to wrong generated Rte_Call API in special configuration variant (ESCAN00048109)
Fixed wrong optimization for runnables triggered on Tx acknowledge of Inter-ECU communication which may lead to a delayed execution of the runnable. The wrong behavior depends on the task mapping of the involved runnable entities (ESCAN00048452)
Fixed compilation error caused by missing internal Rte_MemClr function. The compilation error only occurs when minimum start interval is used and other configuration variants which need the same internal function are not configured (ESCAN00050730)

MICROSAR RTE 2.17.4 - DaVinci Developer Version 3.0 (SP3)

RTE features

Enhanced measurement and calibration support: Added scaling information (Factor, Offset and Unit) and description to the generated A2L file.

MICROSAR RTE 2.17.3 - DaVinci Developer Version 3.0 (SP3)

Fixed issues

Fixed compile error when measurement is activated for an unconnected provide port with enabled transmission acknowledge handling (ESCAN00047654)
Fixed missing volatile keyword for primitive calibration parameters (ESCAN00047633)
Fixed wrong usage of minimum start interval for multiple runnables with the same triggers even if not configured for all (ESCAN00047458)
Fixed wrong generated A2L file containing invalid COMPU_METHOD for Enumeration Datatypes without Enumerator (ESCAN00047354)
Fixed compile error/warning if measurement is activated for a data element prototype of an unconnected port prototype (ESCAN00046717)
Fixed usage of wrong GroupSignal IDs for SignalGroups in case of signal fan-in on the same cluster (ESCAN00047704)
Fixed compilation error compilation caused by several COM callback functions with the same name in case of configured PDU fan-in/fan-out (ESCAN00047713)

MICROSAR RTE 2.17.2 - DaVinci Developer Version 3.0 (SP3)

RTE features

Added support for pure "documentation ports". Data elements are no longer require initial values when they have no port access, are not connected and no measurement support is configured.

Fixed issues

Fixed compiler warning "Useless assignment to variable . Assigned value not used." if synchronous operation invocation is configured for a C/S interface where additional application errors exist (ESCAN00045763)
Fixed compile error caused by non-deterministic RTE generation which may lead to inconsistencies between OS and RTE configuration in some mode management configurations (ESCAN00046352)

MICROSAR RTE 2.17.1 - DaVinci Developer Version 3.0 (SP3)

Fixed issues

Fixed invalid array accesses when RTE_PTR2ARRAYBASETYPE_PASSING array passing schema is selected (ESCAN00045373)

MICROSAR RTE 2.17.0 - DaVinci Developer Version 3.0 (SP3)

RTE features

Support of online calibration methods 'Initialized Ram', 'Single Pointered' and 'Double Pointered'.
Support of extended record data type compatibility rule for S/R communication with different record layouts on sender and receiver side. Now it's allowed to have a subset of the record elements on receiver side even if the sender provides more elements. In addition it's no longer required to have the same order of the record elements on both sides of the communication.
Support of Tx-Timeout and Tx-Error notification callbacks of COM. Note: Now also on transmission error the 'On Data Send Completion' triggered runnables are activated. The SW-C runnable code has to call the Rte_Feedback API to distinguish between a positive transmission acknowledgement or a transmission error.

Fixed issues

Fixed wrong activated alive timeout handling if alive timeout was configured as real value '0.0' (ESCAN00043201)
Fixed compilation error if RTE VFB trace hooks in Rte_Switch API are used (ESCAN00044080)
RTE code generation aborts due to missing runnable trigger when the runnable has configured a minimum start interval (ESCAN00044176)
Reset alive timeout status also on reception of an invalid signal when the invalid handling mechanism is configured to 'keep' (ESCAN00044180)

Limitations of AUTOSAR 3.x support

Inter-ECU C/S communication is not supported.

MICROSAR RTE 2.16.1 - DaVinci Developer Version 3.0 (SP2)

Fixed issues

Fixed usage of wrong GroupSignal IDs for SignalGroups in case of signal fan-in on the same cluster (ESCAN00047704)
Fixed compilation error compilation caused by several COM callback functions with the same name in case of configured PDU fan-in/fan-out (ESCAN00047713)

MICROSAR RTE 2.16.0 - DaVinci Developer Version 3.0 (SP2)

RTE features

Support of AUTOSAR 3.1 (RTE SWS 2.2.0)
Support of 'minimum start interval' for runnable entities (runnable debouncing)
Support of Rx data filter (COM-Filter) 'NewDiffersOld' and 'Always'
Enhanced measurement and calibration support:
- Measurement of Intra-Ecu S/R communication (implicit and explicit)
- Measurement of Inter-Ecu S/R communication (implicit only)
- Measurement of Inter-Runnable Variables
- Measurement of mode machine states
- Additional structure in A2L file
- Selection of A2L standard version (V1.51 and V1.6)
- Support of XcpEvent based measurement
Support of invalid value access macro generation

Fixed issues

Fixed compilation error for string data elements of unconnected receive ports when implicit communication is used (ESCAN00042349)

Limitations of AUTOSAR 3.x support

Inter-ECU C/S communication is not supported.
Online Calibration is not supported.

MICROSAR RTE 2.15.5 - DaVinci Developer Version 3.0 (SP1)

RTE features

Added support for Windows 7

Fixed issues

Fixed compiler warning when a server is triggered by multiple operations with different but compatible interfaces (ESCAN00053739)
Fixed wrong return code of Rte_Receice API during very first read of a queued data element (ESCAN00054769)
Fixed missing interrupt locks for implicit inter-runnable variables (ESCAN00052957)
Fixed wrong reported mode of Rte_Mode API during initialization (ESCAN00053108)
Fixed invalid runnable triggers for runnables which are disabled in the init mode of a mode machine (ESCAN00053110)
Fixed linker error caused by missing Rte_Read/Rte_Receive API for unconnected port (ESCAN00051089)
Fixed compilation error when invalidation is used for external signals and when memory protection is enabled (ESCAN00050646)
Fixed compile warning caused by missing type casts in the generated RTE code. The warning may occur depending on the used compiler and only in special configurations where asynchronous C/S communication or implicit S/R communication together with string or array data types is used (ESCAN00047830)
Fixed missing UpperLimit and LowerLimit defines (ESCAN00048418)
Fixed wrong optimization for runnables triggered on Tx acknowledge of Inter-ECU communication which may lead to a delayed execution of the runnable. The wrong behavior depends on the task mapping of the involved runnable entities (ESCAN00048452)
Fixed missing volatile keyword for primitive calibration parameters (ESCAN00047633)
Fixed wrong generated A2L file containing invalid COMPU_METHOD for Enumeration Datatypes without Enumerator (ESCAN00047354)
Fixed compiler warning "Useless assignment to variable . Assigned value not used." if synchronous operation invocation is configured for a C/S interface where additional application errors exist (ESCAN00045763)
Fixed compile error caused by non-deterministic RTE generation which may lead to inconsistencies between OS and RTE configuration in some mode management configurations (ESCAN00046352)
Fixed compilation error if RTE VFB trace hooks in Rte_Switch API are used (ESCAN00044080)

MICROSAR RTE 2.15.4 - DaVinci Developer Version 3.0 (SP1)

RTE features

Optimization in generated RTE Code: Enhanced support for speed optimized bit access

Fixed issues

Fixed OS runtime error when OS resources are used by runnables on the BSW Scheduler tasks (ESCAN00054157)

MICROSAR RTE 2.15.3 - DaVinci Developer Version 3.0 (SP1)

Fixed issues

Fixed compilation error due to wrong generated Rte_Call API in special configuration variant (ESCAN00048109)
Fixed compilation error caused by a missing check if an init runnable contains a wait point (ESCAN00051267)

MICROSAR RTE 2.15.2 - DaVinci Developer Version 3.0 (SP1)

RTE features

Optimization in generated RTE Code: Support for speed optimized bit access dependent on new RTE configuration switch 'Optimization Mode'

Fixed issues

Fixed missing data element initialization for signal fan-in (ESCAN00042875)
Fixed missing trace hooks for client server communication (ESCAN00041826)

MICROSAR RTE 2.15.1 - DaVinci Developer Version 3.0 (SP1)

Fixed issues

Fixed wrong generated RTE which may lead to compiler warnings due to generation of unneeded functions in some mode management configurations (ESCAN00042573)
Added missing check if different receivers use different invalidation settings (ESCAN00042733)
DaVinci DLL updated which contains fixes for multi-ECU use cases and also for signal multiplexing

MICROSAR RTE 2.15.0 - DaVinci Developer Version 3.0 (SP1)

RTE features

Support implementation template generation for service components, complex device drivers and EcuAbstraction components if -m parameter contains a single SWC type
Optimization in generated RTE Code: Optimized runnable scheduling to reduce latency times of communication between SWCs

Fixed issues

Fixed wrong mode handling for multiple instantiated software components which uses R-Mode ports (ESCAN00041459)
Fixed wrong lost of signal data in case of a signal fan-in for composite data element prototypes (ESCAN00042144)
Fixed multiple activation error of an extended task in OS in specific mode management configuration (ESCAN00042044)

MICROSAR RTE 2.14.0 - DaVinci Developer Version 3.0 (SP1)

RTE features

Support complex data types where not all primitive members require an invalid value.
Support inclusion of user header file 'Rte_UserTypes.h' allows type definitions for Per-Instance memory, which doesn't use an AUTOSAR data type. Inclusion of this header file can be enabled by setting the preprocessor switch 'RTE_ENABLE_USER_DATATYPES' during compilation.
Optimization in generated RTE Code: Reduced number of OS Events needed for identical trigger conditions.

Fixed issues

Compile errors for port connections with different but compatible record types (ESCAN00040001)
Missing Per-Instance memory declarations in 'Rte_Type.h' when multiple instantiation is used (ESCAN00040668)
Missing check for implicit APIs when a mapped server runnable is called from a client on the same task (ESCAN00040701)
Internal error during RTE generation if mode disablings and mode switch triggers are used in special configuration (ESCAN00041128)
Use initial value of the receiver if sender and receiver have configured different initial values (ESCAN00041176)

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Online Calibration is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Runnable debouncing is not supported.

MICROSAR RTE 2.13.0 - DaVinci Developer Version 3.0

RTE features

Support of unconnected require ports for S/R, mode and asynchronous C/S communication.
Support of deactivation switch for automatic OS alarm generation for cyclic runnable triggers. This allows usage of OS schedule tables for user specific trigger implementation.
Support of explicit configured OS task types. In addition to the automatic selection by the RTE generator the user can select basic or extended task type manually.
Support of explicit configured task types (application task, BSW-Scheduler task and non-RTE task). Only application tasks are generated by the RTE generator.
Support configuration dependent 'constant' generation.
Generation of a HTML Report for the generated RTE.
Enable VFB trace hooks for direct function call optimized Rte_Call API.
Content of the 'Description' tab in DaVinci Developer is written to the generated SWC templates.
Speed optimization of the RTE generator in several generation modes e.g. in Ecu-C synchronization mode.
Optimization in generated RTE Code:
- Macro implementation for direct Inter-Runnable Variables if possible.
- Removal of superfluous interrupt locks for atomic copy operations.
- Allow direct function calls also for server runnables with "canbeInvokedConcurrently" = false.
- Remove unused data types in SWC template for better overview in the generated templates.

Fixed issues

Use 'volatile' memory qualifier for calibration parameters (ESCAN00038866)
Cyclic Triggered runnable gets triggered at the wrong time (ESCAN00039073)
Out of memory error during SWC template and contract phase generation (ESCAN00039023)
MISRA warnings for unsigned integer constants (ESCAN00037939)
Missing interrupt locks for macro optimized S/R communication when signal fan-in is used (ESCAN00037947)
Missing interrupt locks for inter-runnable variable accesses in unmapped server runnables (ESCAN00039714)

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Online Calibration is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Runnable debouncing is not supported.

MICROSAR RTE 2.12.1 - DaVinci Tool Suite Version 2.3 (SP7)

Fixed issues

Fixed memory protection issues when receiving S/R data over the network in non-trusted software components (ESCAN00037453)

MICROSAR RTE 2.12.0 - DaVinci Tool Suite Version 2.3 (SP7)

RTE features

Support of Basic Tasks. Automatically selection of the task type (Basic vs. Extended) by the RTE Generator dependent on the configuration.
Enhanced error reporting with help messages in verbose generation mode (new command line option -v). The enhanced error reporting also includes some new checks and warning messages.
Template update mechanism now also available for compiler and memory abstraction header files Rte_Compiler_Cfg.h and Rte_MemMap.h.
Optimization in generated RTE Code:
- Reduced number of OS Alarms needed for cyclic triggers.
- Removed unneeded interrupt locks.
- Removed unneeded Schedule() calls.
- New macro based C/S call in some additional configuration variants.
Initial value of invalidation status now depends on the initial value and the invalid value of the data element.

Fixed issues

Fixed wrong generated RTE code for implicit Inter-Runnable Variables access, where potentially needed interrupt locks were missed (ESCAN00036473)
Fixed wrong generated RTE code where Rte_Feedback returned RTE_E_TRANSMIT_ACK although no transmission ack was received (ESCAN00036202)
Fixed wrong generated RTE code where Rte_Feedback for Waiting Mode Switch/Transmit Acknowledgement never returned (ESCAN00036160)
Fixed wrong generated RTE code for some configurations where memory protection is used together with communication over the network or together with mode handling (ESCAN00034746)
Fixed RTE Generator leading to generator warnings about uninitialized variables in some mode management configuration variants (ESCAN00034752)
Fixed wrong generated RTE code where mode disablings got ignored if several mode machines disabled the same runnable (ESCAN00034755)
Fixed wrong generated RTE code leading to compile error for synchronous server calls in a special configuration variant (ESCAN00035726)
Fixed generated RTE code leading to a compile warning "condition always true" in a special mode management configuration variant (ESCAN00036127)
Fixed wrong generated RTE code leading to a compile error when different ports using the same port interface have configured different invalidation settings and the indirect API is enabled (ESCAN00036854)
Fixed wrong generated RTE code leading to a compile error when 'EnableTakeAddress' and either unconnected sender ports or mode switch APIs in general are used (ESCAN00037125)
Fixed non unique OS event names when short names are used which are limited to 32 characters (ESCAN00037187)

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Online Calibration is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Runnable debouncing is not supported.

MICROSAR RTE 2.11.0 - DaVinci Tool Suite Version 2.3 (SP6)

RTE features

Support of unconnected P-Ports. (Sender-Ports, Mode-Ports and Server-Ports)
Support of signal Fan-In.
Generation of all data types irrespective of their actual usage.
COM return codes are evaluated and passed to the application SWCs.
Generation of more compact RTE code (reduction of number of lines especially for calibration parameters with init values).

Fixed issues

Fixed wrong generated RTE code leading to compile errors for some specific Memory Protection configurations (ESCAN00033767)
Fixed wrong generated RTE code leading to compile warnings in some ModeManagement configurations (ESCAN00033590)
Fixed wrong generated RTE code leading to compile errors in specific configurations using unconnected server ports (ESCAN00031826)
Fixed RTE generation or compilation error for mode provide ports without configured port access for at least one runnable entity (ESCAN00034420)
Fixed wrong generated RTE code leading to wrong mode handling if one task handles more than one mode machine instance (ESCAN00034473)
Fixed wrong generated RTE code leading to compile errors in Rte_Mode API if only some port prototypes of the same component type have configured indirect API (ESCAN00034480)

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Online Calibration is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Runnable debouncing is not supported.

MICROSAR RTE 2.10.3 - DaVinci Tool Suite Version 2.3 (SP5)

No RTE Generator changes (DaVinci DLL update only).

MICROSAR RTE 2.10.2 - DaVinci Tool Suite Version 2.3 (SP5)

Fixed issues

Fixed twice triggered runnable entity after mode switch during initialization for mode machines with queue size > 1 (ESCAN00033174)
Fixed missing runnable trigger for internal implicit communication with invalidation (Replace) and data reception triggered runnable (ESCAN00033176)
Fixed generation error if mode disabling dependencies exist but no mode switch triggered runnable is configured for a mode machine (ESCAN00033177)

MICROSAR RTE 2.10.1 - DaVinci Tool Suite Version 2.3 (SP5)

Fixed issues

Fixed wrong macro optimization for complex data types (ESCAN00032981)
Fixed wrong invalidation handling for data elements with both internal and external connectivity (ESCAN00032982)

MICROSAR RTE 2.10.0 - DaVinci Tool Suite Version 2.3 (SP5)

RTE features

Support of Mode Management including mode switch triggered runnable entities and mode dependent execution of runnable entities. (Rte_Switch, Rte_Mode and Rte_Feedback for mode switch acknowledge).
Support of Data Element Invalidation (Rte_Invalidate and Rte_IInvalidate).
Support of data reception error triggered runnable entities for invalidated and outdated data elements.
Support of multiple cyclic triggers per runnable entity.
Support of multiple 'On Operation Invocation trigger' for the same runnable entity with compatible operations.
Extended A2L file generation for Calibration Parameters and Per-Instance Memory for user defined Attributes (A2L-ANNOTATION).

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Online Calibration is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Unconnected Ports are not supported.
Runnable debouncing is not supported.
N:1 S/R communication is not supported.

MICROSAR RTE 2.9.4 - DaVinci Tool Suite Version 2.3 (SP4)

No RTE Generator changes (DaVinci DLL update only).

MICROSAR RTE 2.9.3 - DaVinci Tool Suite Version 2.3 (SP4)

No RTE Generator changes (DaVinci DLL update only).

MICROSAR RTE 2.9.2 - DaVinci Tool Suite Version 2.3 (SP4)

Fixed issues

Fixed wrong RTE COM callback generation name when using signal groups (ESCAN00031405)

MICROSAR RTE 2.9.1 - DaVinci Tool Suite Version 2.3 (SP4)

Fixed issues

Fixed wrong aliveTimeout handling for internal communication (ESCAN00031196)
Fixed optimized string data type handling (ESCAN00031212)

MICROSAR RTE 2.9.0 - DaVinci Tool Suite Version 2.3 (SP4)

RTE features

Support of Memory Protection (OS with scalability class SC3/SC4)

RTE changes

Removed direction qualifier IN, OUT, INOUT in RTE API prototypes. This requires re-generation of the component templates.
Rte_Start no longer initializes the reception buffers for COM signals. This has to be done by the COM module itself and is synchronized in the configuration.
Support of characters '\' and '"' in constants of data type String.

Fixed issues

Fixed duplicated names in Port Defined Arguments (ESCAN00030255)
Fixed insufficient protection of inter-runnable variables and exclusive areas (ESCAN00030127)
Fixed wrong component data structure entries for direct inter-runnable variables for those components, which do not support multiple instantiation (ESCAN00030348)
Fixed wrong handling of exclusive area if component data structure is used (ESCAN00030462)
Fixed wrong handling of "EnableTakeAddress" (ESCAN00030542)

MICROSAR RTE 2.8.1 - DaVinci Tool Suite Version 2.3 (SP3)

Fixed issues

Fixed duplicated typedef for Exclusive Areas in Compatibility Mode (ESCAN00029664)
Fixed wrong transmission acknowledgment handling (ESCAN00029809)

MICROSAR RTE 2.8.0 - DaVinci Tool Suite Version 2.3 (SP3)

RTE features

Support of Indirect APIs (Rte_Ports, Rte_NPorts and Rte_Port).
Support of Port API Option 'EnableTakeAddress'.
Support of platform dependent resource calculation.

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Data Element invalidation (Rte_Invalidate, Rte_IInvalidate) is not supported.
Online Calibration is not supported.
Mode-Handling (Rte_Mode, Rte_Switch) is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Unconnected S/R Ports and unconnected Calibration Ports are not supported.
DataReceiveErrorEvent as runnable trigger condition is not supported. Limited to polling mode via Rte_Read/Rte_IStatus API.
Runnable debouncing is not supported.
N:1 S/R communication is not supported.

Fixed issues

Sorting in component data structure changed to camel case (ESCAN00029215)
Fixed generation error when range enumeration values are used (ESCAN00029358)

MICROSAR RTE 2.7.1 - DaVinci Tool Suite Version 2.3 (SP2)

Fixed issues

Fixed wrong initialization of transmission acknowledgment (ESCAN00029115)

MICROSAR RTE 2.7.0 - DaVinci Tool Suite Version 2.3 (SP2)

RTE features

Support of Multiple Instantiation of SW Components.
Support of Compatibility Mode.
Support of Object Code SW Components.

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Indirect API (Rte_Port, Rte_Ports, Rte_NPorts) is not supported.
Data Element invalidation (Rte_Invalidate, Rte_IInvalidate) is not supported.
Online Calibration is not supported.
Mode-Handling (Rte_Mode, Rte_Switch) is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Unconnected S/R Ports and unconnected Calibration Ports are not supported.
DataReceiveErrorEvent as runnable trigger condition is not supported. Limited to polling mode via Rte_Read/Rte_IStatus API.
Runnable debouncing is not supported.
N:1 S/R communication is not supported.

Fixed issues

Fixed check for recursion of asynchronous C/S (ESCAN00027469)
Fixed RAM usage calculation for some C/S variants (ESCAN00028769)
Fixed wrong RTE generation for C/S operations with access mode set to 'none' (ESCAN00028838)

MICROSAR RTE 2.6.5 - DaVinci Tool Suite Version 2.3 (SP1)

No RTE Generator changes (DaVinci DLL update only).

MICROSAR RTE 2.6.4 - DaVinci Tool Suite Version 2.3 (SP1)

Fixed issues

Fixed wrong prototype for compatible C/S ports (ESCAN00026419)
Fixed Perl warning (concatenation error) for unused service ports (ESCAN00027639)
Removed typecast in application error definition (ESCAN00027799)

MICROSAR RTE 2.6.3 - DaVinci Tool Suite Version 2.3 (SP1)

Fixed issues

Fixed issue in time conversion macro resulting in compiler warnings on some compilers due to wrong detected 'division by zero' messages (ESCAN00027538)

MICROSAR RTE 2.6.2 - DaVinci Tool Suite Version 2.3 (SP1)

No RTE Generator changes (DaVinci DLL update only).

MICROSAR RTE 2.6.1 - DaVinci Tool Suite Version 2.3 (SP1)

No RTE Generator changes (DaVinci DLL update only).

MICROSAR RTE 2.6.0 - DaVinci Tool Suite Version 2.3 (SP1)

RTE features

Support of Intra-ECU Timeout-Handling for synchronous C/S communication.
Support of parallel access of synchronous and asynchronous server calls to an operation of one server port.
Generation of an ASAM MCD 2MC / ASAP2 compatible A2L file fragment for Calibration Parameters and Per-Instance Memory

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Multiple instantiation of SW Components is not supported.
Indirect API (Rte_Port, Rte_Ports, Rte_NPorts) is not supported.
Data Element invalidation (Rte_Invalidate, Rte_IInvalidate) is not supported.
Online Calibration is not supported.
Mode-Handling (Rte_Mode, Rte_Switch) is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Compatibility Mode is not supported.
Contract Phase Generation limited to Source Code SW-C compatibility.
Unconnected S/R Ports and unconnected Calibration Ports are not supported.
DataReceiveErrorEvent as runnable trigger condition is not supported. Limited to polling mode via Rte_Read/Rte_IStatus API.
Runnable debouncing is not supported.
N:1 S/R communication is not supported.

MICROSAR RTE 2.5.0 - DaVinci Tool Suite Version 2.3

RTE features

Support of AUTOSAR 3.0 (see Limitations of unsupported features)
New API supported: Rte_Calprm (Access to Calibration Element Prototypes of Calibration Components)
New API supported: Rte_Pim (Access to Per-Instance Memory)
Support of SW-C Implementation Template generation (command line option -g i) and Contract Phase generation (command line option -g c) for a complete ECU Project.

Fixed issues

Fixed wrong handling of Array data types which contain elements of data type String (ESCAN00025491)

Limitations of AUTOSAR 3.0 support

Inter-ECU C/S communication is not supported.
Intra-ECU Timeout-Handling for synchronous C/S communication is not supported.
Parallel access of synchronous and asynchronous server calls to an operation of one server port for Intra-Ecu C/S is not supported.
Multiple instantiation of SW Components is not supported.
Indirect API (Rte_Port, Rte_Ports, Rte_NPorts) is not supported.
Data Element invalidation (Rte_Invalidate, Rte_IInvalidate) is not supported.
Online Calibration is not supported.
Mode-Handling (Rte_Mode, Rte_Switch) is not supported.
COM Filters for Intra-ECU S/R communication are not supported.
Compatibility Mode is not supported.
Contract Phase Generation limited to Source Code SW-C compatibility.
Unconnected S/R Ports and unconnected Calibration Ports are not supported.
DataReceiveErrorEvent as runnable trigger condition is not supported. Limited to polling mode via Rte_Read/Rte_IStatus API.
Runnable debouncing is not supported.
N:1 S/R communication is not supported.

MICROSAR RTE 2.4.2 Beta - DaVinci Tool Suite Version 2.3 Beta

RTE features

New API supported in RTE Generation Phase: Rte_Result (asynchronous Client/Server communication)

Fixed issues

Changed return code of synchronous C/S call to mapped runnable from RTE_E_LIMIT to RTE_E_TIMEOUT on queue overflow (ESCAN00024800)

Limitations of the Beta Version

The RTE generator does not support Timeout-Handling for synchronous C/S communication.
The RTE generator does not support parallel access of synchronous and asynchronous server calls to an operation of one server port.
The RTE generator does not support Calibration Parameters of Calibration Components, which is already described in the Technical Reference (Rte_Calprm API).
The RTE generator does not support Per-Instance Memory, which is already described in the Technical Reference (Rte_Pim API).

MICROSAR RTE 2.4.1 Beta - DaVinci Tool Suite Version 2.3 Beta

RTE features

New API supported in RTE Contract Phase: Rte_Result (asynchronous Client/Server communication)
Added new checks for illegal configurations

Fixed issues

Fixed issue resulting in compiler warnings/errors because a const pointer is provided to the COM API, which expects a non-const pointer (ESCAN00024706)
Fixed issue of un-matching parameters in VFB trace hook prototypes, if port defined arguments are used (ESCAN00024707)
Fixed issue with configurations containing mapped server runnables (ESCAN00024535, ESCAN00024469)
Fixed issue with missing exclusive area warnings and bad results or illegal memory access for C/S calls to mapped runnables (ESCAN00024562)
Fixed issue resulting in compile errors for renamed network signals in gateway use cases (ESCAN00024713)
Fixed issue of undefined VFB trace hooks (ESCAN00024776)

Limitations of the Beta Version

The RTE generator does not support asynchronous C/S communication in the RTE Generation Phase, which is already described in the Technical Reference (Rte_Result API).
The RTE generator does not support Timeout-Handling for synchronous C/S communication, which is already described in the Technical Reference.
The RTE generator does not support Calibration Parameters of Calibration Components, which is already described in the Technical Reference (Rte_Calprm API).
The RTE generator does not support Per-Instance Memory, which is already described in the Technical Reference (Rte_Pim API).

MICROSAR RTE 2.4.0 Beta - DaVinci Tool Suite Version 2.3 Beta

RTE features

Support of String data type (Encoding ISO-8859-1)
New API supported: Rte_CData (SW-C local Calibration Parameters)
Optimization: Depending on the configuration the Rte_Write API is generated as macro if possible
Generation of unmapped client runnables enabled

Fixed issues

Fixed handling of unused server runnables for unconnected server ports (ESCAN00023783)
Fixed event handling for blocking Rte_Receive and Rte_Feedback in unmapped servers (ESCAN00023820)
Fixed IrvIWrite overwriting IrvIRead data (ESCAN00023669)
Fixed memory abstraction (ESCAN00023675)
Fixed generation of wrong OS Alarm settings if the cycle time for periodically runnables is a multiple of 1000 seconds (ESCAN00024400)
Fixed generation of wrong C/S handling in case of non-preemptive client tasks and mapped server runnables (ESCAN00024278)

Limitations of the Beta Version

The RTE generator does not support asynchronous C/S communication, which is already described in the Technical Reference (Rte_Result API).
The RTE generator does not support Timeout-Handling for synchronous C/S communication, which is already described in the Technical Reference.
The RTE generator does not support Calibration Parameters of Calibration Components, which is already described in the Technical Reference (Rte_Calprm API).
The RTE generator does not support Per-Instance Memory, which is already described in the Technical Reference (Rte_Pim API).

MICROSAR RTE 2.3.0 - DaVinci Tool Suite Version 2.2 (SP3)

RTE features

Support of complex hierarchical data types like arrays-of-records
Optimization: Depending on the configuration the Rte_Read API is generated as macro if possible

MICROSAR RTE 2.2.4 - DaVinci Tool Suite Version 2.2 (SP2)

RTE features

Support of AUTOSAR release 2.1
Generation of RTE memory usage report
Adaptation of object properties according to AUTOSAR 2.1
Support of activation offset for cyclic runnable entities
Support of AUTOSAR compiler abstraction and memory abstraction mechanism
Support of AUTOSAR makefile mechanism for the RTE
Additional APIs supported: Rte_InitMemory, Rte_IWriteRef
Smart template generator: Update of component implementation files after changing component description
Summary of generated files displayed in output window

Fixed issues

Rte_Feedback returns illegal error codes in some conditions
Generation of multiple internal S/R buffers (un-queued communication) with identical name
Multiple buffers generated for buffered Inter-Runnable Variables

MICROSAR RTE 2.2.2 - DaVinci Tool Suite Version 2.2 (SP1)

RTE features

Support of Port Defined Arguments

Fixed issues

Record constants missing in contract phase header

MICROSAR RTE 2.2.1 - DaVinci Tool Suite Version 2.2

RTE features

Support of array types and enumeration types
Support of exclusive areas and inter-runnable variables
Definition of data-send-completed trigger
State request API for data send points
Detailed configuration of VFB tracing
Support of symbol attribute of runnable entities

Fixed issues

Missing read-modify-write protection for queue overflow flags

Additional Information

Copyright

� Vector Informatik GmbH

Certified Quality Management System

The Quality/Process Management of Vector Informatik GmbH is being certified according to DIN EN ISO 9001:2000-12 (formerly DIN EN ISO 9001:1994-08) throughout since 1998-08-19.

Vector Informatik GmbH - Addresses

Vector Informatik GmbH
Ingersheimer Str. 24
D-70499 Stuttgart, Germany
Tel.: +49 (711) 80670-0
Fax: +49 (711) 80670-100
info@vector-informatik.de
http://www.vector-informatik.com

Subsidiaries

Vector France SAS
168, Boulevard Cam�linat
92240 Malakoff
France
Tel.: +33 1 4231 4000
Fax: +33 1 4231 4009
information@vector-france.com
http://www.vector-france.com

Vector Japan Co., Ltd.
Seafort Square Center Bld.
18F, 2-3-12,
Higashi-shinagawa, Shinagawa-ku
Tokyo 140-0002
Japan
Tel.: +81 3 5769 6970
Fax: +81 3 5769 6975
info@vector-japan.co.jp
http://www.vector-japan.co.jp

VecScan AB
Theres Svenssons Gata 9
417 55 Gothenburg
Sweden
Tel.: +46 (31) 76476 00
Fax: +46 (31) 76476 19
info@vecscan.com
http://www.vecscan.com

Vector CANtech, Inc.
39500 Orchard Hill Place
Suite 550
Novi, Michigan 48375
USA
Tel.: +1 (248) 449-9290
Fax: +1 (248) 449-9704
info@vector-cantech.com
http://www.vector-cantech.com

Vector Korea IT Inc.
Daerung Post Tower III, 508
182-4 Guro-dong, Guro-gu
Seoul 152-790
Republic of Korea
Tel.: +82(0)2 2028 0600
Fax: +82(0)2 2028 0604
info@vector-korea.com
http://www.vector-korea.com

Vector GB Ltd.
Rhodium
Central Boulevard
Blythe Valley Park
Solihull, Birmingham
West Midlands B90 8AS
United Kingdom
Tel.: +44 (0) 7530 264701
info@vector-gb.co.uk
http://www.vector-gb.co.uk

Vector Informatik India Prv. Ltd.
Lokesh Madan
4/1/1/1 Sutar Icon
Sus Road
Pashan
Pune 411021
India
Tel.: +91 20 2587 2023
Fax: +91 20 2587 2025
lokesh.madan@vector-india.com
http://www.vector-india.com

Vector Informatik GmbH Representative Office Shanghai
Suite 605, Tower C, Everbright
Convention Center
No. 70 Caobao Road
Xuhui District
Shanghai 20035
China
Tel.: +86 21 6432 53530
Fax: +86 21 6432 5308
info@vector-china.com
http://www.vector.com/vi_index_cn.html

22 - SPI Handler Driver

SPI Handler Driver

Component Documentation

22.1 - AUTOSAR_SPI_Component_UserManual

AUTOSAR MCAL R4.0 User's Manual

22.2 - AUTOSAR_SPI_Component_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68

22.3 - AUTOSAR_SPI_Component_UserManuals

AUTOSAR MCAL R4.0.3
User’s Manual

SPI Driver Component Ver.1.0.6
Embedded User’s Manual

Target Device:
RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.02 Apr 2015

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.
   3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.
   11.  This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.


(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.

3

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
ANSI
American National Standards Institute
API
Application Programming Interface
ARXML/arxml
AutosaR eXtensible Mark-up Language
ASIC
Application Specific Integration Circuit
AUTOSAR
AUTomotive Open System Architecture
BSW
Basic SoftWare
CPU
Central Processing Unit
CS
Chip Select
CSIH/CSIG
Enhanced Queued Clocked Serial Interface.
DEM/Dem
Diagnostic Event Manager
DET/Det
Development Error Tracer
DMA
Direct Memory Access
EB
External Buffer
ECU
Electronic Control Unit
EDL
Extended Data Length
EEPROM
Electrically Erasable Programmable Read-Only Memory
FIFO
First In First Out
GNU
GNU’s Not Unix
GPT
General Purpose Timer
HW
HardWare
IB
Internal Buffer
Id
Identifier
I/O
Input/Output
ISR
Interrupt Service Routine
KB
Kilo byte
MCAL
Microcontroller Abstraction Layer
MHz
Mega Hertz
MCU
Microcontroller unit
NA
Not Applicable
PLL
Phase Locked Loop
RAM
Random Access Memory
ROM
Read Only Memory
RTE
Run Time Environment
SPI
Serial Peripheral Interface
µs
Micro Seconds
5

Definitions

Term
Represented by
Sl. No.
Serial Number
6

10

Introduction                                                                Chapter 1

Chapter 1
Introduction

The purpose of this document is to describe the information related to SPI
Driver Component for Renesas P1x microcontrollers.

This document shall be used as reference by the users of SPI Driver
Component. The system overview of complete AUTOSAR architecture is
shown in the below Figure:

Application Layer

AUTOSAR  RTE

System Services

On board Device Abstraction

SPI Driver

Microcontroller

Figure 1-1  System Overview Of AUTOSAR Architecture

The SPI Driver is part of the Microcontroller Abstraction Layer (MCAL), the
lowest layer of Basic Software in the AUTOSAR environment.
11

Chapter 1                                                              Introduction

The Figure in the following page depicts the SPI Driver as part of layered
AUTOSAR MCAL Layer:

M icrocont roller  Drivers
M e mo r y  Drivers
Communication  Drivers
I/O  Drivers

in
e
in
ter
x
S

W
te
te
n
P
at
GP
M
r
r
a
I
F
n
n
l

c
C
R
C
a
a

H
E
LI
C
le
P
P
hd
o
AM
T
U
l
l
a
AN
x
A
I
D
O

E
N
re

F
F
n
R
C
WM
D
I
o

P

g

l
l
d

U
O
R
a
C
a
a

R
l
y

T

s
s
e

h
h
OM

r

P
E
Micro -
o
x
L
w
t.
IN

e
Controller

r

Figure 1-2  System Overview Of The SPI Driver In AUTOSAR MCAL Layer

The SPI Driver Component comprises Embedded software and the
Configuration Tool to achieve scalability and configurability.

The SPI Driver component code Generation Tool is a command line tool that accepts ECU
configuration description files as input and generates source and header files. The
configuration description is an ARXML file that contains information about the configuration for
SPI Driver. The tool generates the Spi_PBcfg.c, Spi_Lcfg.c, Spi_Cfg.h and Spi_Cbk.h.

The SPI driver provides services for reading from and writing to devices connected
through SPI buses. It provides access to SPI communication to several users (For
example, EEPROM, I/O ASICs). It also provides the required mechanism to configure the
on-chip SPI peripheral.
12

Introduction                                                                Chapter 1

1.1.
Document Overview

The document has been segmented for easy reference. The table below
provides user with an overview of the contents of each section:

Section
Contents
Section 1 (Introduction)
This section provides an introduction and overview of SPI Driver
Component.
Section 2 (Reference Documents)  This section lists the documents referred for developing this document.
Section 3 (Integration And Build
This section explains the folder structure, Makefile structure for SPI
Process)
Driver Component. This section also explains about the Makefile
descriptions, Integration of SPI Driver Component with other
components, building the SPI Driver Component along with a sample
application.
Section 4 (Forethoughts)
This section provides brief information about the SPI Driver Component,
the preconditions that should be known to the user before it is used,
memory modes, data consistency details, deviation list and Support For
Different Interrupt Categories.
Section 5 (Architecture Details)
This section describes the layered architectural details of the SPI Driver
Component.
Section 6 (Register Details)
This section describes the register details of SPI Driver Component.
Section 7 (Interaction Between
This section describes interaction of the SPI Driver Component with the
User And SPI Driver Component)  upper layers.
Section 8 (SPI Driver Component  This section provides information about the SPI Driver Component
Header And Source File
source files is mentioned. This section also contains the brief note on the
Description)
tool generated output file.
Section 9 (Generation Tool Guide)  This section provides information on the SPI Driver Component Code
Generation Tool.
Section 10 (Application
This section explains all the APIs provided by the SPI Driver Component.
Programming Interface)
Section 11 (Development And
This section lists the DET and DEM errors.
Production Errors)
Section 12 (Memory
This section provides the typical memory organization, which must be
Organization)
met for proper functioning of component.
Section 13(P1M
This section provides P1M specific information also the information
Specific information)
about linker compiler and sample application.
Section 14 (Release Details)
This section provides release details with version name and base
version.
13

Chapter 1 Introduction

14

Reference Documents
Chapter 2

Chapter 2
Reference Documents

Sl. No.
Title
Version
1.
Autosar R4.0
3.2.0
AUTOSAR_SWS_SPIHandlerDriver.pdf
2.
AUTOSAR BUGZILLA (http://www.autosar.org/bugzilla)
-
Note: AUTOSAR BUGZILLA is a database, which contains concerns raised
against information present in AUTOSAR Specifications.
3.
r01uh0436ej0070_rh850p1x.pdf
0.70
4.
Autosar R4.0
3.2.0
AUTOSAR_SWS_CompilerAbstraction.pdf
5.
Autosar R4.0
1.4.0
AUTOSAR_SWS_MemoryMapping.pdf
6.
Autosar R4.0
2.5.0
AUTOSAR_SWS_PlatformTypes.pdf
7.
Autosar R4.0
0.3
AUTOSAR_BSW_MakefileInterface.pdf
15

Chapter 2 Reference Documents

16

Integration And Build Process
Chapter 3

Chapter 3
Integration And Build Process

In this section the folder structure of the SPI Driver Component is explained.
Description of the Makefiles along with samples is provided in this section.

Remark The details about the C Source and Header files that are generated by the
SPI Driver Generation Tool are mentioned in the
“AUTOSAR_SPI_Tool_UserManual.pdf”.

3.1.
SPI Driver Component Makefile

The Makefile provided with the SPI Driver Component consists of the GNU
Make compatible script to build the SPI Driver Component in case of any
change in the configuration. This can be used in the upper level Makefile (of
the application) to link and build the final application executable.

3.1.1. Folder Structure

The files are organized in the following folders:

Remark Trailing slash ‘\’ at the end indicates a folder

X1X\common_platform\modules\spi\src\ Spi_Driver.c

\ Spi.c

\ Spi_Scheduler.c

\Spi_Irq.c

\Spi_Ram.c

\Spi_Version.c

X1X\common_platform\modules\spi\include\Spi_Driver.h

\Spi.h

\Spi_Scheduler.h

\Spi_Irq.h

\Spi_LTTypes.h

\Spi_PBTypes.h

\Spi_Ram.h

\Spi_Version.h

\Spi_Types.h

X1X\P1x\modules\spi\Sample_application\<SubVariant>\make\<Compiler>

\App_SPI_P1M_Sample.mak

17

Chapter 3
 Integration And Build Process

X1X\P1x\modules\spi\Sample_application\<SubVariant>\obj\ <compiler>

X1X\common_platform\modules\spi\generator\Spi_X1x.exe

X1X\P1x\common_family\generator
\Sample_Application_P1x.trxml
\P1x_translation.h

X1X\P1x\modules\spi\generator
\R403_SPI_P1x_BSWMDT.arxml

X1X\P1x\modules\spi\user_manual

(User manuals will be available in this folder)

Notes:
1. <Compiler> can be ghs.

2. <SubVariant> can be P1M.

3. <AUTOSAR_version> can be 4.0.3.

18

  Forethoughts

  Chapter 4
Chapter 4
Forethoughts

4.1.  General

Following information will aid the user to use the SPI Driver Component
software efficiently:

•
SPI Driver component does not take care of setting the registers which
configure clock, prescaler and PLL.

•
SPI Driver component handles only the Master mode.

•
SPI Driver component supports full-duplex mode.

•
The chip select is implemented using the microcontroller pins and it is
configurable.

•
The required initialization of the port pins configured for chip select has to
be performed by the Port Driver Component.

•
The microcontroller pins used for chip select is directly accessed by the
SPI Driver component without using the APIs of DIO module.

•
Maximum number of channels and sequences configurable is 256 and job
is 65536.

•
The scope is restricted to post-build with multiple configuration sets.

•
The identifiers for channels, jobs and sequences entered by the user
should start from 0 and should be continuous.

•
The width of the transmitted data unit is configurable and the valid values
are 8 bits to 32 bits.

•
The number of channels, jobs and sequences should be same across
multiple configuration sets.

•
The channels, jobs and sequences cannot be deleted or added at post-
build time.

•
The SPI hardware unit cannot be deleted or added at post–build time. But,
the reassignment of the SPI hardware units to different jobs is possible at
post-build time.

•
The DMA unit cannot be deleted or added at post–build time. But, the
reassignment of DMA units to the SPI hardware units is possible at post-
build time.

•
When the level of scalable functionality is configured as 2, then two SPI
buses using separate hardware units are required. In this case, the SPI
bus dedicated for synchronous transmission is configurable.

•
When the level of scalable functionality is configured as 2, two modes of
asynchronous communication using polling or interrupt mechanism are
possible. These modes are selectable during execution time.

•
When the level of scalable functionality is configured as 1 or 2, If interrupt
mechanism is selected during execution time, the transmission and
reception will be performed using the on-chip DMA unit only if the DMA
mode is enabled through the configuration.

•
The LEVEL 2 SPI Handler is specified for microcontrollers that have to
provide at least two SPI busses using separated hardware units. Otherwise,
using this level of functionality makes no sense.
19

Chapter 4 Forethoughts
•
When Level Delivered is 0 and 2, the memory mode configured for jobs
linked for the synchronous sequence shall be always Direct Access Mode
only.

•
If user configures 32 bit IB and EB channels and additionally configures
DMA in direct access mode there will be a generator error message.

•
When the SPI driver is configured in Level 2 (SpiLevelDelivered) and the
DMA is also configured (SpiDmaMode), then the asynchronous mode
needs to be set for interrupt mode using the API Spi_SetAsyncMode.

•
The SPI DMA type is specified by the parameter SPI_DMA_TYPE_USED.

Note: The DMA will work whenever the DMA access for the LOCAL RAM,
which is having PE guard protection is enabled (this can be done by
configuring the PE guard registers.)

•
Direct Access mode can be effectively used in case of sequence having
channels and buffers of significantly different properties.

•
Double Buffer mode can be effectively used in case of sequence having
more number of jobs, channels and buffers with same hardware properties
for continuous transmission of data. For double buffer mode only usage of
internal buffers is allowed. FIFO mode can be effectively used at the time of
transmit/receive of large amount of data. FIFO mode can also be used in
case of sequence having lesser number of jobs and having more channels
and buffers.
•
In case size of buffers is more than the hardware buffer size i.e. 128 words,
an interrupt will occur after every 128 words are transmitted where the
hardware buffer will be loaded with the remaining buffers to be transmitted.

•
In a particular configurations where CSIH HW units are configured, Spi_Init
function must be called before Port_Init function.

•
Only if "SpiCsInactive" parameter is set to "true", the PWR bit in CSI
hardware will be cleared for that hardware unit, so setting "false" value can
lead to unnecessary power consumption.

•
When “SpiCsIdleEnforcement” is set to true for the jobs configured for CSIH
Hw units, the value configured for "SpiCsInactive" will not have any impact
in actual Chip Select behavior".

•
The parameter "SpiCsIdleEnforcement" influences the behavior of idle level
of the chip select during data transfer and after the transmission of a job.

•
When the parameter 'SpiCsIdleEnforcement' is configured as false, the
corresponding chip select is deactivated before every channel transmission
and stays active after transmission until another job with different CS is
transmitted.

•
When the parameter 'SpiCsIdleEnforcement' is configured as true, the chip
select is deactivated after job transmission. An idle phase of CS is inserted
between transmissions of two data buffers. The duration of idle state of the
chip select between the channels transmissions will be less than duration of
idle state of the chip select between single data of each channel.
•
In CSIG,CS is active during the whole job transmission independently of
data and is set to inactive state after job is finished.

Table 4-1
Table for Chip Select behavior
Figure
SpiCSInactiveAfterlastdata
SpiCsIdleEnforcement
4-1
FALSE
TRUE
4-2
TRUE
TRUE
4-3
TRUE
FALSE
4-4
FALSE
FALSE
20

  Forethoughts

  Chapter 4

Note: In the below figures, the signal represented in Yellow is the clock signal
and the Blue signal is the chip select signal.

Figure 4-1  Chip select behavior when SpiCSInactiveAfterlastdata is False and
SpiCsIdleEnforcement is True

Note: If ‘SpiCsIdleEnforcement’ is TRUE, Chip select will get deactivated after
transmission is over, even if ‘SpiCSInactiveAfterlastdata’ is configured as
FALSE.

Figure 4-2  Chip select behavior when SpiCSInactiveAfterlastdata is True and
SpiCsIdleEnforcement is True

Figure 4-3  Chip select behavior when SpiCSInactiveAfterlastdata is True and
SpiCsIdleEnforcement is False
Note:
21

  Chapter 4                                                             Forethoughts
1. The expected CS behavior may not be observed at high baud rates in case
of Asynchronous transmission using Direct Access Mode, due to general
limitation of the serial controllers.
2. CS state can be held for Asynchronous transmission by using buffer modes
like FIFO.

Figure 4-4  Chip select behavior when SpiCSInactiveAfterlastdata is False and
SpiCsIdleEnforcement is False

This information is valid only for DIRECT ACCES MODE.

•
For availability of Data Consistency Check on the port pins, please refer
respective microcontroller user manual.

•
Sequences assigned to a hardware channel (CSIHx) which is configured to
work with transmit only memory mode can be an interruptible or non-
interruptible sequence (specified by the parameter
SpiInterruptibleSequence). However, even if the sequence is non-
interruptible, it can still be interrupted by CPU-controlled high priority
communication functionality. I.e. the parameter SpiInterruptibleSequence
is valid only for software interruption.

•
Each of the high priority sequences shall refer to a unique chip select line.

  These lines shall not be referred by any of the low priority sequences too.

•
In order to support DEEPSTOP functionality without resetting the
microcontroller, the re initialization of the Driver using Spi_Init API is
supported. To achieve this functionality the
'SPI_E_ALREADY_INITIALIZED' Det error check is to be suppressed
using ‘SpiAlreadyInitDetCheck’ parameter when DET is enabled. When
DET is disabled there is no impact of “SpiAlreadyInitDetCheck” parameter.

•
In a Hardware channel which has sequences working with transmit only
mode and is of high priority, if there is a request for transmission of high
priority sequence, then it will interrupt an ongoing sequence with transmit
only mode if the sequence is non-interruptible.
•
When the sequence is getting transmitted with transmit only mode, if there
is a request for high priority sequence, the ongoing sequence will be
interrupted after the ongoing job is finished and memory mode will switch
from transmit only mode to direct access mode automatically for high
priority sequence transmission and after its completion, the interrupted
sequence will resume transmission in transmit only mode.

•  MCTL1, MCTL2 and CSIHnMRWP0 registers are allowed to be accessed
when there is an ongoing communication only when PWR is set.

22

  Forethoughts

  Chapter 4
•
Manual transmission is possible only in Direct Access and FIFO modes.
However user has to implement his own ISRs for SPI. In case he wants to
use Renesas SPI driver transmission in parallel, he has to call Renesas SPI
ISRs functions from his custom ISRs (e.g. use different interrupt category
mode).

•
The file Interrupt_VectorTable.c provided is just a Demo and not all
interrupts will be mapped in this file. So the user has to update the
Interrupt_VectorTable.c as per his configuration.

•
The notifications should be called from user’s complex driver ISRs

•
High values for parameter ‘SpiCsHoldTiming’should not be used with
Synchronous Transmit function but if it is used, user should make sure
that next consecutive SPI action happens after CS hold time expired.

•
The parameter SpiTimeOut generates a scalar value that decides the
number of times a loop will be executed while polling. If exceeded the loop
breaks reporting a production error.

This information is valid only for Static Configuration

•
The parameter SpiPersistentHWConfiguration decides whether Hardware
configuration is static or dynamic. This is applicable for both CSIG and
CSIH and both Synchronous and Asynchronous communication and all
memory modes.
•
If SpiPersistentHWConfiguration is “True”, then HW configuration is static
(configuration is performed in the function Spi_Init ()function and not during
each transmission.

•
Static Configuration, allows the user to manually start transmission without
invoking SPI module APIs after Spi driver was initialized.

•
In Static configuration, all parameters in channel/job/external devices
containers linked to a hardware unit should be same. Refer Table 4-2, 4-3
and 4-4 for the list of parameters

Table 4-2
List of parameters in Channel container that are linked
to the registers.

Parameter in
Registers linked
channel container
CSIH-CSIG
SpiDataWidth
CSIHnCFGx.CSIHnDLSx
CSIHnCFGx0.CSIHnDLS[3:
0]
SpiTransferStart
CSIHnCFGx.CSIHnDIRx
CSIHnCFGx0.CSIHnDLS[3:
0]

Table 4-3
List of parameters in Job container that are linked
to the registers.

Parameter in job
Registers linked
container
CSIH-CSIG
SpiPortPinSelect
CSIHnTXOW.CSIHnCSx
-
CSIHnCTL1.CSIHnCSx

23

  Chapter 4                                                             Forethoughts
Table 4-4
List of parameters in External Device container
that are linked to the registers.
Parameter in
Registers linked
channel container  CSIH
CSIG
SpiCsPolarity
CSIHnCTL1.CSIHnCSx
-
SpiCsInactive
CSIHnCTL1.CSIHnCSRI
-
SpiCsIdleEnforcem
CSIHnCFGx.CSIHnIDLx
-
ent
SpiCsIdleTiming
CSIHnCFGx.CSIHnIDx[2:0
-
]
SpiCsHoldTiming
CSIHnCFGx.CSIHnHDx[3:
-
0]
SpiCsInterDataDel
CSIHnCFGx.CSIHnINx[3:0
-
ay
]
SpiCsSetupTime
CSIHnCFGx.CSIHnSPx[3:
-
0]
SpiDataShiftEdge
CSIHnCFGx.CSIHnDAPx
CSIGnCFG0.CSIGnDAP
SpiShiftClockIdleL
CSIHnCTL1.CSIHnCKR
CSIGnCTL1.CSIGnCKR
evel
SpiBaudrateConfig
CSIHnBRSy.CSIH0BRS[1
CSIGnCTL2.CSIGnBRS
uration
1:0]
SpiBaudrateRegist
CSIHnCFGx.CSIHnBRSS
-
erSelect
x[11:0]
SpiInputClockSele
CSIHnCTL2.CSIHnPRS[2:
CSIGnCTL2.CSIGnPRS[2:0
ct
0]
]
SpiInterruptDelayM
CSIHnCTL1.CSIHnSIT
CSIGnCTL1.CSIGnSLIT
ode
SpiParitySelection
CSIHnCFGx.CSIHnPSx[1:
CSIGnCFG0.CSIGnPS[1:0]
0]
SpiFifoTimeOut
CSIHnMCTL0.CSIHnTO[4:
-
0]
SpiBroadcastingPri
CSIHnCFGx.CSIHnRCBx
-
ority

4.2.  Preconditions

Following preconditions have to be adhered by the user, for proper
functioning of the SPI Driver Component:

•
The Spi_Lcfg.c, Spi_PBcfg.c, Spi_Cbk.h and Spi_Cfg.h files generated by
the SPI Driver Component Code Generation Tool must be compiled and
linked along with SPI Driver Component source files.

•
The application has to be rebuilt, if there is any change in the Spi_Lcfg.c,
Spi_PBcfg.c, Spi_Cbk.h and Spi_Cfg.h files generated by the SPI Driver
Component Generation Tool.

•
File Spi_PBcfg.c generated for single configuration set or multiple
configuration sets using SPI Driver Component Generation Tool can be
compiled and linked independently.

24

  Forethoughts

  Chapter 4
•
The authorization of the user for calling the software triggering of a
hardware reset is not checked in the SPI Driver. This is the responsibility of
the upper layer.

•
The SPI Driver Component needs to be initialized before accepting any
request. The API Spi_Init should be invoked to initialize SPI Driver
Component.

•
The user should ensure that SPI Driver Component API requests are
invoked in the correct and expected sequence and with correct input
arguments.

•
Input parameters are validated only when the static configuration
parameter SPI_DEV_ERROR_DETECT is enabled. Application should
ensure that the right parameters are passed while invoking the APIs when
SPI_DEV_ERROR_DETECT is disabled.

•
A mismatch in the version numbers of header and the source files results
in compilation error. User should ensure that the correct versions of the
header and the source files are used.

•
The ISR functions and the corresponding handler addresses are provided
in Table ISR Handler Addresses. User should ensure that Interrupt Vector
table configuration is done as per the information provided in the table.

•
Within the callback notification functions only following APIs are allowed.

Spi_ReadIB Spi_WriteIB
Spi_SetupEB
Spi_GetJobResult
Spi_GetSequenceResult
Spi_GetHWUnitStatus
Spi_Cancel
All other SPI Handler/Driver API calls are not allowed.

4.3.  User Mode and Supervisor Mode

The below table specifies the APIs which can run in user mode, supervisor
mode or both modes:

Table 4-5 User Mode and Supervisory Mode

Interrupt mode
Polling mode


Sl.
API name
No.
supervi
user
user
superviso
sor
mode
mode
r mode
mode
1.
Spi_Init
-
x
-
x
2.
Spi_DeInit
-
x
-
x
3.
Spi_WriteIB
x
x
x
x
4.
Spi_AsyncTransmit

x
x
x
5.
Spi_ReadIB
x
x
x
x
6.
Spi_SetupEB
x
x
x
x
7.
Spi_GetStatus
x
x
x
x
25

Chapter 4 Forethoughts


Sl.
Interrupt mode
Polling mode
API name
No.
8.
Spi_GetJobResult
x
x
x
x
9.
Spi_GetSequenceResult
x
x
x
x
10.
Spi_GetVersionInfo
x
x
x
x
11.
Spi_SyncTransmit
x
x
x
x
12.
Spi_Cancel
-
x
-
x
13.
Spi_SetAsyncMode
x
x
-
x
14.
Spi_MainFunction_Handling
-
x
-
x
15.
Spi_GetHWUnitStatus
x
x
x
x

4.4. Memory modes

The SPI Driver will use different memory modes depending on the HW units
selected. If the HW unit configured is CSIG then only direct access mode has
to be configured. If the HW unit configured is CSIH then any of the following
four modes can be configured.
Table 4-6 HW unit and Memory Mode Selection

HW unit
Memory mode
CSIG0
Direct Access Mode
CSIH(0-3)
Direct Access Mode
FIFO Mode
Dual Buffer mode
Transmit Only Mode

4.5. Data Consistency

To support the re-entrance and interrupt services, the AUTOSAR SPI
component will ensure the data consistency while accessing its own RAM
storage or hardware registers. The SPI component will use
SchM_Enter_Spi_<Exclusive Area> and SchM_Exit_Spi_<Exclusive Area>
functions. The SchM_Enter_Spi_<Exclusive Area> function is called before
the data needs to be protected and SchM_Exit_Spi_<Exclusive Area>
function is called after the data is accessed.

The following exclusive area along with scheduler services is used to provide
data integrity for shared resources:

•
CHIP_SELECT_PROTECTION

•
RAM_DATA_PROTECTION

The functions SchM_Enter_Spi_<Exclusive Area> and
SchM_Exit_Spi_<Exclusive Area> can be disabled by disabling the
configuration parameter 'Spi_CriticalSectionProtection'. The flowchart will
indicate the flow with the pre-compile option 'Spi_CriticalSectionProtection'
enabled.

4.6. Deviation List
Table 4-7
SPI Driver Deviation List

Sl. No.
Description
AUTOSAR Bugzilla
26

  Forethoughts

  Chapter 4
Sl. No.
Description
AUTOSAR Bugzilla
1.
The parameter
48763
"SpiHwUnitSynchronous" is moved
to SpiJob container from
SpiChannel container.
2.
The total number of SPI Hardware
24328
Units is published as
“SPI_MAX_HW_UNIT”.
3.
The parameter “SPI_BAUDRATE”
-
is not used since the value
configured for this parameter
cannot be mapped directly to the
register value. Hence, a parameter
”SpiBaudrateSelection” is used to
select input frequency source.
4.
The parameter 'SpiTimeClk2Cs' is
-
not used since the value of this
parameter is configured as count
value. Hence, the parameter
'SpiClk2CsCount' is provided to
configure the wait loop count to add
delay between clock and chip
select.
5.
Type of the parameter SpiHwUnit is  -
ENUMERATION-PARAM-DEF  with
a list of all possible hardware units.
6.
The inclusion or deletion of the
-
hardware units will not be possible
in the post-build time. But the
reassignment of configured HW
unit for different jobs is possible.
7.
Type of the parameter SpiCs is
-
ENUMERATION-PARAM-DEF with
a list of all possible port lines.
8.
If the parameter "DataBufferPtr"
-
passed through the API
“Spi_ReadIB” is null pointer, then
the error
SPI_E_PARAM_POINTER will be
reported to DET.
9.
The channel parameters
-
“SpiChannelType”, “SpiIbNBuffers”
and “SpiEbMaxLength” are pre-
compile time parameters.
10.
A queue will be implemented and
-
maintained if there are more than
one sequence is requested for
transmission. The length of the
queue will be number of configured
jobs minus 1.
11.
If a sequence is requested for
-
transmission while already one
uninterruptible sequence is on-
going, the requested sequence will
be put on queue.
27

  Chapter 4                                                             Forethoughts
Sl. No.
Description
AUTOSAR Bugzilla
12.
The upper and lower multiplicity of  -
the parameter ‘SpiCsIdentifier’ is ‘1’
i.e.  mandatory and the default
value is NULL. The upper and
lower multiplicity of the parameter
‘SpiEnableCS’ is ‘1’ i.e. mandatory
and the default value is false.
13.
The parameters SpiMaxChannel,
-
SpiMaxJob and SpiMaxSequence
in SpiDriverConfiguration is made
as mandatory in the Parameter
Definition File of SPI Driver
Component.
14.
Notification related functions and
-
parameters configuration class
are changed from Link time to
Post Build, vice versa Spi_
Lcfg.c and Spi_Pbcfg.c files
structures are updated.
15.
The API Spi_GetVersionInfo is
-
implemented as macro without
DET error
SPI_E_PARAM_POINTER.

28

Architecture Details                                                           Chapter 5
Chapter 5
Architecture Details

To minimize the effort and to optimize the reuse of developed software on
different platforms, the SPI driver is split as High Level Driver and Low Level
Driver. The SPI Driver architecture is shown in the following figure:

SPI User

SPI High-level Driver

(Microcontroller Independent)

SPI Low Level Driver

MICROCONTROLLER

CSIH

CSIG

Figure 5-1  SPI Driver Architecture

The  High Level Driver exports the AUTOSAR API towards upper modules
and it will be designed to allow the compilation for different platforms without
or only slight modifications, i.e. that no reference to specific microcontroller
features or registers will appear in the High Level Driver. All these references
are moved inside a µC specific Low Level Driver. The Low Level Driver
interface extends the High Level Driver types and methods in order to adapt it
to the specific target microcontroller.

SPI Driver component:

The SPI Driver provides services for reading and writing to devices connected
via SPI busses. It provides access to SPI communication to several users like
EEPROM, Watchdog, I/O ASICs. It also provides the required mechanism to
configure the on chip SPI peripheral.

The SPI Driver component is divided into the following sub modules based on
the functionality required:

•
Initialization and De-initialization

•
Buffer Management

•
Communication

•
Status information
29

Chapter 5

Architecture Details

•
Module version information

The basic architecture of the SPI Driver component is illustrated in the
following Figure:

AP PL I C A T IO N  L A Y ER

us

Version

r
SP I  H ig h  Le v e l  Dr ive r

SPI Drive
Setting of

Sequen

HW
De -
Transmit and
ce and
Return the
register
initialization
receive the jobs
job
status of
Disabling
of SPI HW
and channels
notifica
module, job,
the
units
tion
sequence
interrupts

SP I  L ow  Le v e l  Dr ive r

Figure 5-2  Component Overview Of SPI Driver Component

SPI Driver Initialization and De-Initialization module

This module initializes and de-Initializes the SPI driver. It provides the
Spi_Init() and Spi_DeInit() APIs. The Spi_Init() API should be invoked before
the usage of any other APIs of Watchdog Driver Module.Spi-Init should be
called prior to Port_Init. De-initialization function puts all microcontroller SPI
peripherals in the same state such as Power On Reset.

Buffer Management

This module provides the services for reading and writing the internal buffers
and setting up the external buffer. The type of buffer for each channel is
configurable as either internal or external

The APIs related to this module are Spi_WriteIB(), Spi_ReadIB() and
Spi_SetupEB().

Communication

This module provides the services for the transmission of data on the SPI bus
both synchronously and asynchronously, cancelling the ongoing transmission
and setting the asynchronous transfer mode.

The synchronous mode is based on polling mechanism. But for the
asynchronous mode, the possible mechanisms are Polling and Interrupt
mode. One of these modes is selectable during execution by one of the
services provided by this sub-module.

The APIs related to this module are Spi_SyncTransmit(),
Spi_AsyncTransmit(), Spi_SetAsyncMode() and Spi_Cancel().
30

Architecture Details Chapter 5

Status Information

This module provides the services for getting the status of the SPI Driver and
hardware unit. It also provides the services for getting the result of the
specified job and specified sequence.

The APIs related to this module are Spi_GetStatus(),
Spi_GetHWUnitStatus(), Spi_GetJobResult() and Spi_GetSequenceResult().

Module Version Information

This module provides APIs for reading module Id, vendor Id and vendor
specific version numbers.

The API related to this module is Spi_GetVersionInfo().

31

Chapter 5

Architecture Details

32

Registers Details
Chapter 6

Chapter 6
Registers Details

This section describes the register details of SPI Driver Component.

Table 6-1
Register Details

Config

API Name
Registers
Macro/Variable
Parameter
Spi_Init
CSIGnCTL0
SpiMemoryModeSelection
SPI_ZERO

CSIHnCTL0
SPI_ZERO
DCSTCn
-
SPI_DMA_STR_CLEAR
DCENn
-
SPI_DMA_DCEN_DISABLE
DSAn
SpiDma
LpDmaConfig->ulTxRxRegAddress
DTCTn
SpiTxDmaChannel/
SPI_DMA_8BIT_TX_SETTINGS
SpiRxDmaChannel
SPI_DMA_16BIT_TX_SETTINGS
SPI_DMA_32BIT_TX_SETTINGS
SPI_DMA_8BIT_RX_SETTINGS
SPI_DMA_16BIT_RX_SETTINGS
SPI_DMA_32BIT_RX_SETTINGS

DDAn
SpiDma
LpDmaConfig->ulTxRxRegAddress

DTSn
SpiTxDmaChannel/
SPI_DMA_DISABLE
SpiRxDmaChannel
DTFRn
SpiTxDmaChannel/
LpDmaConfig->usDmaDtfrRegValue
SpiRxDmaChannel
CSIGnCTL1
SpiCsInactiveAfterLastData, LunDataAccess1.ulRegData
SpiDataWidth
CSIHnCTL1
LunDataAccess1.ulRegData
CSIHTIJC
-
LpIntCntlAddress
ICCSIGnIR
SpiHwUnitSelection
Spi_GstHWUnitInfo[LddHWUnit].usR
and
xImrMask
ICCSIGnIC
SpiMemoryModeSelection
Spi_GstHWUnitInfo[LddHWUnit].pTxI
mrAddress
ICCSIGnIRE
Spi_GstHWUnitInfo[LddHWUnit].pErr
orImrAddress
ICCSIHnIR
Spi_GstHWUnitInfo[LddHWUnit].usR
xImrMask
ICCSIHnIC
Spi_GstHWUnitInfo[LddHWUnit].pTxI
mrAddress
ICCSIHnIJC
LpHWUnitInfo->usTxCancelImrMask
ICCSIHnIRE
Spi_GstHWUnitInfo[LddHWUnit].pErr
orImrAddress
CSIHnTX0W
-
LunDataAccess1.ulRegData
SELCSIHDMA
-
SPI_SELCSIHDMA_REG_VAL
Spi_DeInit
CSIGnCTL0
SpiMemoryModeSelection
SPI_ZERO
CSIHnCTL0
SPI_ZERO

DCENn
-
SPI_DMA_DCEN_DISABLE
DTFRRQCn
-
SPI_DMA_DRQ_CLEAR
DCSTCn
-
SPI_DMA_STR_CLEAR
Spi_WriteIB
CSIHnMRWP0
-
ulRegData
CSIHnTX0W
-
ulRegData
Spi_AsyncTransmit
CSIHnMCTL0
-
LpJobConfig->usMCtl0Value
33

Chapter 6 Registers Details

Config

API Name
Registers
Macro/Variable
Parameter

CSIGnCFG0
-
LpJobConfig->ulConfigRegValue

CSIGnCTL0
SpiMemoryModeSelection
SPI_RESET_PWR
SPI_SET_DIRECT_ACCESS
SPI_SET_MEMORY_ACCESS
CSIHnCTL0
SPI_RESET_PWR
SPI_SET_DIRECT_ACCESS
SPI_SET_MEMORY_ACCESS
CSIGnSTCR0
-
SPI_CLR_STS_FLAGS
CSIHnSTCR0
-
SPI_CLR_STS_FLAGS
CSIGnCTL1
SpiCsInactiveAfterLastData, LunDataAccess1.ulRegData
SpiDataWidth
LpJobConfig->ulMainCtl1Value
SPI_SET_SLIT
CSIHnCTL1
LunDataAccess1.ulRegData
LpJobConfig->ulMainCtl1Value
SPI_SET_SLIT
DCSTCn
-
SPI_DMA_STR_CLEAR
DCENn
-
SPI_DMA_DCEN_DISABLE
DTCTn
-
SPI_DMA_FIXED_TX_SETTINGS
SPI_DMA_INV_TX_SETTINGS
LddNoOfBuffers
SPI_DMA_STR_REQ
SPI_DMA_ONCE
SPI_DMA_FIXED_RX_SETTINGS
SPI_DMA_INV_RX_SETTINGS
SPI_DMA_ONCE
DSAn
-
(uint32)LpTxData
DTFRn
-
(uint32)SPI_ZERO
(uint32)(LpDmaConfig->
usDmaDtfrRegValue
DCSTSn
-
SPI_DMA_STR
DTCn
-
SPI_ONE
DTFRRQCn
-
SPI_DMA_DRQ_CLEAR
DCENn
-
SPI_DMA_DCEN_ENABLE
DDAn
-
(uint32)(&Spi_GddDmaRxData)
DTFRn
-
SPI_ZERO
CSIGnCTL2
SpiBaudrateRegisterSelect
LpJobConfig->usCtl2Value
CSIHnCTL2
SpiFifoTimeOut
LpJobConfig->usCtl2Value
CSIHnCFG
SpiCsIdleTiming,
LunDataAccess1.ulRegData
SpiCsHoldTiming,
CSIGnCFG0
LunDataAccess1.ulRegData
SpiCsInterDataDelay,
CSIHnCFG0
SpiCsSetupTime,
LunDataAccess1.ulRegData
SpiCsIdleEnforcement
CSIHnMCTL1
-
SPI_ZERO

CSIHnMCTL2
-
LunDataAccess1.ulRegData
CSIHTX0W
-
LunDataAccess1.ulRegData
CSIHnCFG
SpiCsIdleTiming,
LunDataAccess1.ulRegData
SpiCsHoldTiming,
SpiCsInterDataDelay,
SpiCsSetupTime,
SpiCsIdleEnforcement

34

Registers Details
Chapter 6

Config

API Name
Registers
Macro/Variable
Parameter
CSIGnTX0W
-
LunDataAccess1.ulRegData
CSIHnBRS[0]
SpiBaudrateConfiguration
LpCsihOsBaseAddr->usCSIHBRS[0]
CSIHnBRS[1]
-
LpCsihOsBaseAddr->usCSIHBRS[1]
CSIHnBRS[2]
-
LpCsihOsBaseAddr->usCSIHBRS[2]
CSIHnBRS[3]
-
LpCsihOsBaseAddr->usCSIHBRS[3]
Spi_ReadIB
CSIHnRX0W
-
LunDataAccess2.ulRegData
CSIHnRX0H
-
LunDataAccess2.usRegData5[1]
CSIHnMRWP0
-
LunDataAccess1.ulRegData
CSIHRX0H
-
LunDataAccess2.usRegData5[0]
Spi_SetupEB
-
-
-
Spi_GetStatus
-
-
-
Spi_GetJobResult
-
-
-
Spi_GetSequenceRes -
-
-
ult
Spi_SyncTransmit
CSIHnMCTL0
-
-
CSIGnCTL0
-
LpJobConfig->usMCtl0Value
CSIHnCTL0
-
SPI_RESET_PWR
CSIGnCTL0
-
SPI_RESET_PWR
CSIHnCTL0
-
SPI_SET_DIRECT_ACCESS
CSIGnCTL0
-
SPI_SET_DIRECT_ACCESS
CSIHnCTL0
-
SPI_SET_PWR
CSIGnTX0W
-
SPI_SET_PWR
CSIHnRX0H
-
LunDataAccess3.ulRegData
CSIHnRX0H
-
LunDataAccess3.ulRegData
CSIGnCFG0
-
Spi_GusDataAccess
CSIGnCFG0
-
LddData
CSIGnCFG0
-
LpJobConfig->ulConfigRegValue
CSIGnCTL0
-
LunDataAccess1.ulRegData
CSIHnCTL0
-
SPI_ZERO
CSIGnCFG0
-
LddData
CSIGnCFG0
-
LpJobConfig->ulConfigRegValue
CSIGnCTL0
-
LunDataAccess1.ulRegData
CSIHnCTL0
-
SPI_ZERO
CSIGnSTR0
-
SPI_ZERO
CSIHnSTR0
-
SPI_HW_BUSY
CSIGnSTR0
-
SPI_HW_BUSY
CSIHnSTR0
-
SPI_ZERO
CSIGnSTCR0
-
SPI_ZERO
CSIHnSTCR0
-
SPI_CLR_STS_FLAGS
CSIGnCTL1
-
SPI_CLR_STS_FLAGS
CSIHnCTL1
SpiCsInactiveAfterLastData, LunDataAccess1.ulRegData
SpiDataWidth
CSIGnCTL2
SpiBaudrateRegisterSelect
LunDataAccess1.ulRegData
CSIHnCTL2
SpiFifoTimeOut
LpJobConfig->usCtl2Value
35

Chapter 6 Registers Details

Config

API Name
Registers
Macro/Variable
Parameter
CSIHnTX0W
-
LpJobConfig->usCtl2Value
CSIHnTX0W
-
LunDataAccess3.ulRegData
CSIHnCFG
SpiCsIdleTiming,
LunDataAccess1.ulRegData
SpiCsHoldTiming,
CSIHnCFG
LpJobConfig->ulConfigRegValue
SpiCsInterDataDelay,
SpiCsSetupTime,
SpiCsIdleEnforcement
CSIGnTX0W
-
LunDataAccess1.ulRegData

CSIGnRX0
-
Spi_GusDataAccess
CSIGnRX0
-
LddData
CSIGnRX0
-
LunDataAccess2.usRegData5[1]
CSIGnRX0
-
LunDataAccess2.usRegData5[0]
CSIHnBRS[0]
SpiBaudrateConfiguration
LpCsihOsBaseAddr->usCSIHBRS[0]
CSIHnBRS[1]
LpCsihOsBaseAddr->usCSIHBRS[1]
CSIHnBRS[2]
LpCsihOsBaseAddr->usCSIHBRS[2]
CSIHnBRS[3]
LpCsihOsBaseAddr->usCSIHBRS[3]
Spi_GetHWUnitStatus CSIGnSTR0
-
SPI_CSIG_CSIH_BUSY
CSIHnSTR0
-
SPI_CSIG_CSIH_BUSY
Spi_Cancel
CSIGnCTL0
-
SPI_ZERO
CSIHnCTL0
-
SPI_ZERO
CSIGnCTL0
-
SPI_SET_JOBE
CSIHnCTL0
-
SPI_SET_JOBE
CSIHTIJC
-
LpHWUnitInfo->ucTxCancelImrMask
Spi_SetAsyncMode
-
-
-
Spi_MainFunction_Ha CSIGnCTL0
-
SPI_SET_PWR
ndling
CSIHnCTL0
-
SPI_SET_PWR
CSIGTIR
-
SPI_CLR_INT_REQ
CSIGTIC
-
SPI_CLR_INT_REQ
Spi_GetVersionInfo
-
-
-

36

Interaction Between The User And SPI Driver Component
Chapter 7

Chapter 7
Interaction Between The User And SPI
Driver Component

The details of the services supported by the SPI Driver Component to
the upper layers users and the mapping of the channels to the hardware
units is provided in the following sections:

7.1.  Services Provided By SPI Driver Component To The
User

The SPI Driver Component provides the following functions to upper layer: -

•
To provide the required mechanism to configure the on-chip SPI peripheral.

•
To initialize and de-initialize the SPI driver.

•
To read and write to devices connected through SPI buses.

•
To provide the transmission of data on the SPI bus both synchronously and
asynchronously.

•
To cancel an ongoing transmission.

•
To set the asynchronous transfer mode.

•
To get the status of the SPI Driver and hardware unit.

•
To get the result of the specified job and specified sequence.

•
To provide access to SPI communication to several users(for example,
EEPROM, I/O ASICs).
•
To read the SPI Driver Component version information.


37

Chapter 7 Interaction Between The User And SPI Driver Component

38

SPI Driver Component Header And Source File Description
Chapter 8

Chapter 8
SPI Driver Component Header And
Source File Description

This section explains the SPI Driver Component’s source and header
files. These files have to be included in the project application while
integrating with other modules.

The C header file generated by SPI Driver Generation Tool:

•
Spi_Cfg.h

•
Spi_Cbk.h

The C source file generated by SPI Driver Generation Tool:

•
Spi_PBcfg.c

•
Spi_Lcfg.c

The SPI Driver Component C header files:

•
Spi_Driver.h

•
Spi_PBTypes.h

•
Spi_LTTypes.h

•
Spi_Ram.h

•
Spi.h

•
Spi_Irq.h

•
Spi_Scheduler.h

•
Spi_Version.h

•
Spi_Types.h

The SPI Driver Component C source files:

•
Spi_Driver.c

•
Spi.c

•
Spi_Irq.c

•
Spi_Ram.c

•
Spi_Scheduler.c

•
Spi_Version.c

The SPI Driver specific header files:

•
Compiler.h

•
Compiler_Cfg.h

•
MemMap.h
•
Platform_Types.h
•
rh850_Types.h

39

Chapter 8 SPI Driver Component Header And Source File Description

The description of the SPI Driver Component files is provided in the table
below:
Table 8-1
Description Of The SPI Driver Component Files

File
Details
Spi_Cfg.h
This file is generated by the SPI Driver Component Code Generation Tool for various
SPI Driver component pre-compile time parameters. This file contains macro
definitions for the configuration elements and exclusive areas for data protection. The
macros and the parameters generated will vary with respect to the configuration in
the input XML file.

This file is generated by the SPI Driver Component Code Generation Tool for
Spi_Cbk.h
provision of function prototype Declarations for SPI callback Notification Functions.
Spi_PBcfg.c
This file contains post-build configuration data. The structures related to channel
configuration, job configuration and sequence configuration are provided in this file.
Data structures will vary with respect to parameters configured.
Spi_Lcfg.c
This file contains provision of SPI Link time Parameters. The structures related to
hardware registers are provided in this file. Data structures will vary with respect to
parameters configured.
Spi_Driver.h
This file contains the Function Prototypes that are defined in Spi_Driver.c file.
Spi_PBTypes.h
This file contains the data structure definitions of the channel configuration, job
configuration and sequence configuration
Spi_LTTypes.h
This file contains the data structure definitions of CSIG and CSIH hardware registers,
Interrupt control registers, DMA hardware registers, Hardware unit information, DMA
unit information, storing current status of SPI communication, channel for the link
time parameters, function pointer for Callback notification function for Jobs,
processing sequence, storing external buffer attributes, Scheduler and DMA
Address.
Spi_Ram.h
This file contains the extern declarations for the global variables that are defined in
Spi_Ram.c file and the version information of the file.
Spi.h
This file provides extern declarations for all the SPI Driver Component APIs. This file
provides service Ids of APIs, DET Error codes and type definitions for SPI Driver
initialization structure. This header file shall be included in other modules to use the
features of SPI Driver Component.
Spi_Irq.h
This file contains the function prototypes that are defined in Spi_Irq.c file.
Spi_Scheduler.h
This file contains the function prototypes that are defined in Spi_Scheduler.c file.
Spi_Types.h
This file contains the common macro definitions and the data types required internally
by the SPI software component.
Spi_Version.h
This file contains the definitions of AUTOSAR version numbers of all modules that
are interfaced to SPI Driver.
Spi_Driver.c
This file contains the SPI Low Level Driver code.
Spi.c
This file contains the implementation of all APIs.
Spi_Irq.c
This file contains the ISR functions for SPI Driver Component.
Spi_Ram.c
This file contains the global variables used by SPI Driver Component.
Spi_Scheduler.c
This file contains the SPI Scheduler code. This contains function to schedule the
sequences according to the priority of the jobs.
Spi_Version.c
This file contains the code for checking version of all modules that are interfaced to
SPI Driver.
Compiler.h
This file Provides compiler specific (non-ANSI) keywords. All mappings of keywords,
which are not standardized, and/or compiler specific are placed and organized in this
compiler specific header.
Compiler_Cfg.h
This file contains the memory and pointer classes.
40

SPI Driver Component Header And Source File Description
Chapter 8

File
Details
MemMap.h
This file allows to map variables, constants and code of modules to individual
memory sections. Memory mapping can be modified as per ECU specific needs.
Platform_Types.h
This file provides provision for defining platform and compiler dependent types.
rh850_Types.h
This file provides macros to perform supervisor mode (SV) write enabled Register

ICxxx and IMR register writing using OR/AND/Direct operation

41

Chapter 8 SPI Driver Component Header And Source File Description

42

Generation Tool Guide
Chapter 9

Chapter 9
Generation Tool Guide

For information on the SPI Driver Component Code Generation Tool,
please refer “AUTOSAR_SPI_Tool_UserManual.pdf” document.

43

Chapter 9 Generation Tool Guide

44

Application Programming Interface                                            Chapter 10

Chapter 10  Application Programming Interface

This section explains the Data types and APIs provided by the SPI Driver
Component to the Upper layers.

10.1.
Imported Types

This section explains the Data types imported by the SPI Driver Component and
lists its dependency on other modules.

10.1.1.
Standard Types

In this section all types included from the Std_Types.h are listed:

•
Std_ReturnType

•
Std_VersionInfoType

10.1.2.
Other Module Types

In this chapter all types included from the Dem_types.h are listed:

•
Dem_EventIdType

•
Dem_EventStatusType

10.2.
Type Definitions

This section explains the type definitions of SPI Driver Component
according to AUTOSAR Specification.

10.2.
1.
Spi_ConfigType

Name:
Spi_ConfigType
Type:
Structure

Implementation Specific
The   contents   of   the   initialization   data
Range:
structure are SPI specific

Description:
This type of the external data structure shall contain the initialization data for the SPI
driver/Handler

10.2.
2.
Spi_StatusType

Name:
Spi_StatusType
Type:
Enumeration

SPI_UNINIT
The SPI Handler/Driver is not initialized or not

usable

SPI_IDLE
The SPI Handler/Driver is not currently
Range:
transmitting any job
SPI_BUSY
The SPI Handler/Driver is performing a SPI
job(transmit)
Description:
This type defines a range of specific status for SPI Handler/driver

45

Chapter 10                                          Application Programming Interface

10.2.
3.
Spi_JobResultType

Name:
Spi_JobResultType
Type:
Enumeration

SPI_JOB_OK
The last transmission of the job has been

finished successfully

SPI_JOB_PENDING
The SPI Handler/Driver is performing a SPI
Range:
Job. The meaning of this status is equal to
SPI_BUSY
SPI_JOB_FAILED
The last transmission of the job has failed
Description:
This type defines a range of specific jobs status for SPI Handler/driver

10.2.
4.
Spi_SeqResultType

Name:
Spi_SeqResultType
Type:
Enumeration

SPI_SEQ_OK
The last transmission of the Sequence has

been finished successfully

SPI_SEQ_PENDING
The SPI Handler/Driver is performing a SPI

Sequence The meaning of this status is equal
Range:
to SPI_BUSY
SPI_SEQ_FAILED
The last transmission of the Sequence has
failed
SPI_SEQ_CANCELLED
The last transmission of the Sequence has
been cancelled by user.
Description:
This type defines a range of specific sequences status for SPI Handler/driver


10.2.
5.
Spi_DataType

Name:
Spi_DataType
Type:
uint8,uint16,uint32

0 to 255, 0 to 65535,
This is implementation specific but not all values

0 to 4294967296.
may be valid within the type This type shall be
Range:
chosen in order to have the most efficient
implementation on a specific microcontroller
platform
Description:
Type of application data buffer elements

10.2.
6.
Spi_NumberOfDataType

Name:
Spi_NumberOfDataType
Type:
uint16
Range:
0 to 65535

Description:
Type for defining the number of data elements of the type Spi_DataType to send and/or
receive by channel

46

Application Programming Interface                                            Chapter 10

10.2.
7.
Spi_ChannelType

Name:
Spi_ChannelType
Type:
uint8
Range:
0 to 255
Description:
Specifies the identification(Id) for a channel

10.2.
8.
Spi_JobType

Name:
Spi_JobType
Type:
uint16
Range:
0 to 65535
Description:
Specifies the identification(Id) for a Job

10.2.
9.
Spi_SequenceType

Name:
Spi_SequenceType
Type:
uint8
Range:
0 to 255
Description:
Specifies the identification(Id) for a sequence of Jobs

10.2.10
.
Spi_HWUnitType

Name:
Spi_HWUnitType
Type:
uint8
Range:
0 to 255
Description:
Specifies the identification(Id) for a SPI Hardware microcontroller peripheral(unit)

10.2.11
.
Spi_AsyncModeType

Name:
Spi_AsyncModeType
Type:
Enumeration

SPI_POLLING_MODE
The asynchronous mechanism is ensured by

polling, so interrupts related to SPI busses
Range:
handled asynchronously are disabled
SPI_INTERRUPT_MODE
Streaming access mode

Description:
Specifies the asynchronous mechanism mode for SPI busses handled asynchronously
in LEVEL2.

47

Chapter 10 Application Programming Interface

10.3. Function Definitions
Table 10-1 The APIs provided by the SPI Driver Component

SI. No
API’s
API’s specific

1.
Spi_Init
-
2.
Spi_DeInit
-
3.
Spi_WriteIB
-
4.
Spi_AsyncTransmit
-
5.
Spi_ReadIB
-
6.
Spi_SetupEB
-
7.
Spi_GetStatus
-
8.
Spi_GetJobResult
-
9.
Spi_GetSequenceResult
-
10.
Spi_GetVersionInfo
-
11.
Spi_SyncTransmit
-
12.
Spi_Cancel
-
13.
Spi_SetAsyncMode
-
14.
Spi_MainFuncnction_Handling
-
15.
Spi_GetHWUnitStatus
-

48

Development And Production Errors
Chapter 11
Chapter 11 Development And Production Errors

In this section the development errors that are reported by the SPI Driver Component
are tabulated. The development errors will be reported only when the pre compiler option
SpiDevErrorDetect is enabled in the configuration. The production code errors are not
supported by SPI Driver Component.

11.1. SPI Driver Component Development Errors

The following table contains the DET errors that are reported by SPI Driver
Component. These errors are reported to Development Error Tracer Module when the SPI
Driver Component APIs are invoked with wrong input parameters or without initialization of
the driver.

Table 11-1 DET Errors Of SPI Driver Component

Sl. No.
1
Error Code
SPI_E_PARAM_CHANNEL
Related API(s)
Spi_WriteIB, SpiReadIB and Spi_SetupEB
Source of Error
When the API service is invoked with invalid channel Id and if incorrect type of channel
(IB or EB) is used with services.
Sl. No.
2
Error Code
SPI_E_PARAM_JOB
Related API(s)
Spi_GetJobResult
Source of Error
When the API service is invoked with invalid job Id.
Sl. No.
3
Error Code
SPI_E_PARAM_SEQ
Related API(s)
Spi_AsyncTransmit, Spi_GetSequenceResult, Spi_SyncTransmit and Spi_Cancel
Source of Error
When the API service is invoked with invalid sequence Id.
Sl. No.
4
Error Code
SPI_E_PARAM_LENGTH
Related API(s)
Spi_SetupEB
Source of Error
When the API service is invoked with length greater than the configured length.
Sl. No.
5
Error Code
SPI_E_PARAM_UNIT
Related API(s)
Spi_GetHWUnitStatus
Source of Error
When the API service is invoked with invalid hardware unit Id.
Sl. No.
6
Error Code
SPI_E_SEQ_PENDING
Related API(s)
Spi_AsyncTransmit
Source of Error
When the API service is invoked in a wrong sequence.
Sl. No.
7
Error Code
SPI_E_SEQ_IN_PROCESS
Related API(s)
Spi_SyncTransmit
Source of Error
When the API service is invoked at wrong time.
Sl. No.
8
Error Code
SPI_E_ALREADY_INITIALIZED
Related API(s)
Spi_Init
Source of Error
When the API Spi_Init is invoked when the SPI driver is already initialized.
49

Chapter 11                                          Development And Production Errors

Sl. No.
9
Error Code
SPI_E_INVALID_DATABASE
Related API(s)
Spi_Init
Source of Error
When the API service is invoked with invalid pointer.
Sl. No.
10
Error Code
SPI_E_UNINIT
Related API(s)
Spi_Init, Spi_DeInit, Spi_AsyncTransmit, Spi_Cancel, Spi_GetHWUnitStatus,
Spi_GetJobResult, Spi_GetSequenceResult, Spi_WriteIB, Spi_ReadIB, Spi_SetupEB,
Spi_SyncTransmit and Spi_SetAsyncMode
Source of Error
When the APIs are invoked without the initialization of  SPI Driver Component.
Sl. No.
11
Error Code
SPI_E_PARAM_POINTER
Related API(s)
  Spi_ReadIB
Source of Error
When the API service is invoked with null pointer.
Note: This error code (SPI_E_PARAM_POINTER) is applicable for Autosar R4.0
only.
Sl. No.
12
Error Code
SPI_E_PARAM_CONFIG
Related API(s)
Spi_Init
Source of Error
When the API invoked with null config pointer.

11.2.  SPI Driver Component Production Errors

In this section the DEM errors identified in the SPI Driver Component are listed. SPI Driver
Component reports these errors to DEM by invoking Dem_ReportErrorStatus API. This API is
invoked, when the processing of the given API request fails.
Table 11-2 DEM Errors Of SPI Driver Component

Sl. No.
1
Error Code
SPI_E_HARDWARE_ERROR
Related API(s)
Spi_SyncTransmit and Spi_AsyncTransmit
Source of Error
When an overrun occurs when the next reception starts without performing a CPU
read of the value of the receive buffer, upon completion of the receive operation.
Sl. No.
2
Error Code
SPI_E_DATA_TX_TIMEOUT_FAILURE
Related API(s)
Spi_SyncTransmit
Source of Error
When Hardware data transmit timeout error is detected, This error will be reported to
DEM
50

Memory Organization
Chapter 12
Chapter 12  Memory Organization

Following picture depicts a typical memory organization, which must be
met for proper functioning of SPI Driver Component software.

ROM Section
SPI Driver Component
RAM  ect

Library  Object
es

SPI Driver code related to APIs are
Global RAM of unspecific size

placed in this memory.
required for SPI Driver functioning.

Segment Name:
X1

Y1

SPI_PUBLIC_CODE_ROM
Segment Name:

NOINIT_RAM_UNSPECIFIED

SPI Driver code related to internal

functions are placed in this memory
Global 1- bit RAM initialized by
start-Up code.

Segment Name:
X2


Y2
Segment Name:

SPI_PRIVATE_CODE_ROM
RAM_UNSPECIFIED

SPI Driver code related to ISR functions
Global 1-bit RAM to be initialized

are placed in this memory
by SPI Driver

Segment Name:
X3
Segment Name:
Y3


NOINIT_RAM_1BIT

SPI_FAST_CODE_ROM

Tool Generated Files

The const section (for SPI configuration

Global 8- bit R AM initialized by SPI D
structure of Type “Spi_ConfigType”) in

river.
the file Spi_PBcfg.c is placed in this


memory.
X4
Segment Name:
Y4

Segment Name:

SPI_CFG_DBTOC_UNSPECIFIED
NOIN IT _ RA M _8 BIT

The const section (other than SP I
Global 16 -bit RAM initialized by SPI

Configuration structure) in the file

Driver.

Spi_PBcfg.c is placed in this memory.
X5


Y5
Segment Name:

Segment name:

NOINIT_RAM_16 BIT

SPI_CFG_DATA_UNSPECIFIED

The const section in the file Spi_Lcfg.c,

Global RAM of unspecific size required
is placed in this memory.

for SPI Driver  functioning. The

Generation tool allocates this RAM.

Segment Name:
X6


CONST_ROM_UNSPECIFIED
Segment Name:


SPI_CFG_RAM_UNSPECIFIED

Figure 12-1  SPI Driver Component Driver Organization
51

Chapter 12

Memory Organization
ROM Section (X1, X2, X3,X4,X5 and X6):
SPI_PUBLIC_CODE_ROM (X1): API(s) of SPI Driver Component, which can
be located in code memory.

SPI_PRIVATE_CODE_ROM (X2): Internal functions of SPI Driver
Component code that can be located in code memory.

                   SPI_FAST_CODE_ROM(X3): SPI Driver code related to ISR
functions are placed in this memory Segment Name

SPI_CFG_DBTOC_UNSPECIFIED (X4): This section consists of SPI Driver
Component database table of contents generated by the SPI Driver
Component Generation Tool. This can be located in code memory.

SPI_CFG_DATA_UNSPECIFIED (X5):  This section consists of SPI
Driver Component constant configuration structures. This  can be located
in code memory.

CONST_ROM_UNSPECIFIED (X6): This section consists of SPI Driver
Component constant structures used for function pointers in SPI Driver
Component. This can be located in code memory.

RAM Section (Y1, Y2, Y3, Y4, Y5 and Y6):

NOINIT_RAM_UNSPECIFIED (Y1): This section consists of the global RAM
variables that are used internally by SPI Driver Component. This can be
located in data memory.

RAM_UNSPECIFIED (Y2): This section consists of the global RAM variables
of 1-bit size that are initialized by start-up code and used internally by SPI
Driver Component. This can be located in data memory.

RAM_1BIT (Y3): This section consists of the global RAM variables of 1-bit size
that  are  initialized  by  start-up  code  and  used  internally  by  SPI  Driver
Component.  The specific sections of  respective software components will  be
merged into this RAM section accordingly.

NOINIT_RAM_8BIT (Y4): This section consists of the global RAM variables of
8-bit size that are used internally by SPI Driver Component. This can be
located in data memory.

NOINIT_RAM_16BIT (Y5): This section consists of the global RAM variables
of 16-bit size that are used internally by SPI Driver Component. This can be
located in data memory.

SPI_CFG_RAM_UNSPECIFIED (Y6): This section consists of the global
RAM variables that are generated by SPI Driver Component Generation Tool.
This can be located in data memory.
Remark

•
X1, X2, Y1, Y2 and Y3 pertain to only SPI Driver Component and do not include memory
occupied by Spi_PBcfg.c or Spi_Lcfg.c file generated by SPI Driver Component Generation Tool.

User must ensure that none of the memory areas overlap with each other. Even ‘debug’ information
should not overlap.
52

P1M Specific Information
Chapter 13

Chapter 13  P1M Specific Information

P1M supports following devices:
•  R7F701304
•  R7F701305
•  R7F701310
•  R7F701311
•  R7F701312
•  R7F701313
•  R7F701314
•  R7F701315
•  R7F701318
•  R7F701319
•  R7F701320
•  R7F701321
•  R7F701322
•  R7F701323

13.1. Interaction Between The User And SPI Driver
Component

The details of the services supported by the SPI Driver Component to the
upper layers users and the mapping of the channels to the hardware units is
provided in the following sections:

13.1.1.
Translation Header File

The translation header file supports following devices:

•  R7F701304
•  R7F701305
•  R7F701310
•  R7F701311
•  R7F701312
•  R7F701313
•  R7F701314
•  R7F701315
•  R7F701318
•  R7F701319
•  R7F701320
•  R7F701321
•  R7F701322
•  R7F701323

13.1.2.
Parameter Definition File
Parameter definition files support information for P1M
Table 13-1  PDF information for P1M

PDF Files
Devices Supported
R403_SPI_P1M_04_05_12_13_20_21. 701304,701305,701312,701313,701320,70
arxml
1321
53

Chapter 13
     P1M Specific Information

R403_SPI_P1M_10_11_14_15_18_19 701310,701311,701314,701315,701318,701
_22_23.arxml
319,701322,701323

13.1.3.
ISR Function

The table below provides the list of handler addresses corresponding to the
hardware unit ISR(s) in SPI Driver Component. The user should configure the
ISR functions mentioned below.
Table 13-2  Interrupt Handler

Interrupt Source
Name of the ISR Function
INTCSIG0IRE
SPI_CSIG0_TIRE_ISR
SPI_CSIG0_TIRE_CAT2_ISR
INTCSIG0IR
SPI_CSIG0_TIR_ISR
SPI_CSIG0_TIR_CAT2_ISR
INTCSIG0IC
SPI_CSIG0_TIC_ISR
SPI_CSIG0_TIC_CAT2_ISR
INTCSIH0IRE
SPI_CSIH0_TIRE_ISR
SPI_CSIH0_TIRE_CAT2_ISR
INTCSIH0IR
SPI_CSIH0_TIR_ISR
SPI_CSIH0_TIR_CAT2_ISR
INTCSIH0IC
SPI_CSIH0_TIC_ISR
SPI_CSIH0_TIC_CAT2_ISR
INTCSIH0IJC
SPI_CSIH0_TIJC_ISR
SPI_CSIH0_TIJC_CAT2_ISR
INTCSIH1IRE
SPI_CSIH1_TIRE_ISR
SPI_CSIH1_TIRE_CAT2_ISR
INTCSIH1IR
SPI_CSIH1_TIR_ISR
SPI_CSIH1_TIR_CAT2_ISR
INTCSIH1IC
SPI_CSIH1_TIC_ISR
SPI_CSIH1_TIC_CAT2_ISR
INTCSIH1IJC
SPI_CSIH1_TIJC_ISR
SPI_CSIH1_TIJC_CAT2_ISR
INTCSIH2IRE
SPI_CSIH2_TIRE_ISR
SPI_CSIH2_TIRE_CAT2_ISR
INTCSIH2IR
SPI_CSIH2_TIR_ISR
SPI_CSIH2_TIR_CAT2_ISR
INTCSIH2IC
SPI_CSIH2_TIC_ISR
SPI_CSIH2_TIC_CAT2_ISR
INTCSIH2IJC
SPI_CSIH2_TIJC_ISR
SPI_CSIH2_TIJC_CAT2_ISR
INTCSIH3IRE
SPI_CSIH3_TIRE_ISR
SPI_CSIH3_TIRE_CAT2_ISR
INTCSIH3IR
SPI_CSIH3_TIR_ISR
54

P1M Specific Information
Chapter 13

Interrupt Source
Name of the ISR Function
SPI_CSIH3_TIR_CAT2_ISR
INTCSIH3IC
SPI_CSIH3_TIC_ISR
SPI_CSIH3_TIC_CAT2_ISR
INTCSIH3IJC
SPI_CSIH3_TIJC_ISR
SPI_CSIH3_TIJC_CAT2_ISR

Interrupt Source
Name of the ISR Function
INTDMA[0-7]
SPI_DMA00_ISR

SPI_DMA00_CAT2_ISR
SPI_DMA01_ISR
SPI_DMA01_CAT2_ISR
SPI_DMA02_ISR
SPI_DMA02_CAT2_ISR
SPI_DMA03_ISR
SPI_DMA03_CAT2_ISR
SPI_DMA04_ISR
SPI_DMA04_CAT2_ISR
SPI_DMA05_ISR
SPI_DMA05_CAT2_ISR
SPI_DMA06_ISR
SPI_DMA06_CAT2_ISR
SPI_DMA07_ISR
SPI_DMA07_CAT2_ISR

13.2. Sample Application
The Sample Application is provided as reference to the user to understand the
method in which the SPI APIs can be invoked from the application.

Generic

AUTOSAR
RH850 Types

ST
STUB

Common SPI
P1x

SchM

STUB

sample
Sample
DEM

application
application

STUB Os
STUB

MCU

55

Chapter 13
 P1M Specific Information

Figure 13-1 Overview Of SPI Driver Sample Application

13.3.1.
Sample Application Structure

The Sample Application of the P1M is available in the path

The Sample Application consists of the following folder structure
X1X\P1x\modules\spi\definition\<AUTOSAR_version>\
 <SubVariant>\R403_SPI_P1M_04_05_12_13_20_21.arxml
 \R403_SPI_P1M_10_11_14_15_18_19_22_23.arxml
X1X\P1x\modules\spi\sample_application\<SubVariant>\<AUTOSAR_version>

 \src\Spi_Lcfg.c

\src\Spi_PBcfg.c

\inc\Spi_Cfg.h

\inc\Spi_Cbk.h

/config/App_SPI_P1M_701304_Sample.one
/config/App_SPI_P1M_701304_Sample.arxml
/config/App_SPI_P1M_701304_Sample.html

/config/App_SPI_P1M_701305_Sample.one
/config/App_SPI_P1M_701305_Sample.arxml
/config/App_SPI_P1M_701305_Sample.html

 /config/App_SPI_P1M_701310_Sample.one
/config/App_SPI_P1M_701310_Sample.arxml
/config/App_SPI_P1M_701310_Sample.html

/config/App_SPI_P1M_701311_Sample.one
/config/App_SPI_P1M_701311_Sample.arxml
/config/App_SPI_P1M_701311_Sample.html

/config/App_SPI_P1M_701312_Sample.one
/config/App_SPI_P1M_701312_Sample.arxml
/config/App_SPI_P1M_701312_Sample.html

/config/App_SPI_P1M_701313_Sample.one
/config/App_SPI_P1M_701313_Sample.arxml
/config/App_SPI_P1M_701313_Sample.html

/config/App_SPI_P1M_701314_Sample.one
/config/App_SPI_P1M_701314_Sample.arxml
/config/App_SPI_P1M_701314_Sample.html

/config/App_SPI_P1M_701315_Sample.one
/config/App_SPI_P1M_701315_Sample.arxml
/config/App_SPI_P1M_701315_Sample.html

/config/App_SPI_P1M_701318_Sample.one
/config/App_SPI_P1M_701318_Sample.arxml
/config/App_SPI_P1M_701318_Sample.html

/config/App_SPI_P1M_701319_Sample.one
/config/App_SPI_P1M_701319_Sample.arxml
/config/App_SPI_P1M_701319_Sample.html
56

P1M Specific Information
Chapter 13

/config/App_SPI_P1M_701320_Sample.one
/config/App_SPI_P1M_701320_Sample.arxml
/config/App_SPI_P1M_701320_Sample.html

/config/App_SPI_P1M_701321_Sample.one
/config/App_SPI_P1M_701321_Sample.arxml
/config/App_SPI_P1M_701321_Sample.html

/config/App_SPI_P1M_701322_Sample.one
/config/App_SPI_P1M_701322_Sample.arxml
/config/App_SPI_P1M_701322_Sample.html

/config/App_SPI_P1M_701323_Sample.one
/config/App_SPI_P1M_701323_Sample.arxml
/config/App_SPI_P1M_701323_Sample.html

In the Sample Application all the SPI APIs are invoked in the following
sequence:

•
The API Spi_Init is invoked with a valid database address for the proper
initialization of the SPI Driver, all the SPI Driver control registers and RAM
variables will get initialized after this API is called.

•
The API Spi_GetVersionInfo is invoked to get the version of the SPI Driver
module with a variable of Std_VersionInfoType, after the call of this API the
passing parameter will get updated with the SPI Driver version details.

•
The API Spi_GetHWUnitStatus will return the status of the specified SPI
Hardware microcontroller peripheral.

•
The API Spi_SyncTransmit will transmit data on the SPI bus
synchronously.

•
This module will take the passing parameter and set the SPI Driver status
to SPI_BUSY. Also it sets the sequence result to SPI_SEQ_PENDING and
first job result to SPI_JOB_PENDING and performs the transmission.

•
The API Spi_SetAsyncMode will set the asynchronous mechanism mode
for SPI busses handled asynchronously.

•
The API Spi_MainFunction_Driving is used for Asynchronous transmission
of the sequences in polling mode. This service is should be invoked in a
scheduler loop if the asynchronous transmission mode is selected as
                        SPI_POLLING_MODE.

•
The API Spi_Cancel will cancel the specified on-going sequence

transmission without canceling any Job transmission and the SPI Driver
will set the sequence result to SPI_SEQ_CANCELLED.

•
The API Spi_DeInit is invoked for de-initialization of the all the controls
registers and RAM variables.

13.3.2.
Building Sample Application

13.3.2.1.
Configuration Example

This section contains the typical configuration which is used for measuring
RAM/ROM consumption, stack depth and throughput details
Configuration Details: App_SPI_P1M_701310_Sample.html

13.3.2.2.
Debugging The Sample Application
57

Chapter 13
 P1M Specific Information

Remark GNU Make utility version 3.81 or above must be installed and available in the
path as defined by the environment user variable “GNUMAKE” to complete the
build process using the delivered sample files.

• Open a Command window and change the current working directory to
”make” directory present as mentioned in below path:
 “X1X\P1x\common_family\make\<Compiler>”
•
Now execute the batch file SampleApp.bat with following parameters

SampleApp.bat Spi 4.0.3 <Device_name>.

•
After this, the tool output files will be generated with the configuration as
mentioned in App_SPI_P1M_701310_Sample.html file available in the
path:

“X1X\P1x\modules\spi\sample_application\<SubVariant>\<AUTOSAR_ver
sion>\config\App_SPI_P1M_<Device_Name>_Sample.html”

•
After this, all the object files, map file and the executable file
App_Spi_P1M_Sample.out will be available in the output folder:
(“X1X\P1x\modules\spi\sample_application\<SubVariant>
\obj\<Compiler>”)

• The executable can be loaded into the debugger and the sample application
can be executed.

Remark Executable files with ‘*.out’ extension can be downloaded into the target
hardware with the help of Green Hills debugger.

• If any configuration changes (only post-build) are made to the ECU
Configuration Description files

“X1X\P1x\modules\spi\sample_application\<SubVariant>
\<AUTOSAR_version>\config\App_SPI_P1M_<Device_Name>_Sample.arx
ml”

• The database alone can be generated by using the following commands.
make –f App_SPI_P1M_Sample.mak generate_spi_config
make –f App_SPI_P1M_Sample.mak App_SPI_P1M_Sample.s37
After this, a flash able Motorola S-Record file App_SPI_P1M_Sample.s37 is
available in the output folder.

Note: The <Device_name> indicates the device to be compiled, which can
be 701304 or 701305 or 701310 or 701314 or 701315 or 701318 or 701319
or 701320 or 701321 or 701322 or 701323

58

P1M Specific Information
Chapter 13

13.3. Memory And Throughput

13.4.1.
ROM/RAM Usage

The  details  of  memory  usage  for  the  typical  configuration, with  DET
disabled as provided in Section 13.3.2.1 Configuration Example are provided
in this section.
Table 13-7
ROM/RAM Details without DET

Sl. No.  ROM/RAM
Segment Name
Size in bytes for
701310
1.
ROM
SPI_PUBLIC_CODE_ROM
1412

SPI_PRIVATE_CODE_ROM
4264

CONST_ROM_UNSPECIFIED
100

SPI_CFG_DBTOC_UNSPECIFIED
48

SPI_CFG_DATA_UNSPECIFIED
164

SPI_FAST_CODE_ROM
      992
2.
RAM
RAM_UNSPECIFIED
4

NOINIT_RAM_1BIT
5

NOINIT_RAM_8BIT
5

NOINIT_RAM_16BIT
10

NOINIT_RAM_UNSPECIFIED
90

SPI_CFG_RAM_UNSPECIFIED
0

The details of memory usage for the typical configuration, with DET
enabled and all other configurations as provided in13.3.2.1Configuration
Example are provided in this section.

Table 13-8
ROM/RAM Details with DET

Sl. No.
ROM/RAM
Segment Name
Size in bytes for
701310
1.
ROM
SPI_PUBLIC_CODE_ROM
2432

SPI_PRIVATE_CODE_ROM
4264

CONST_ROM_UNSPECIFIED
100

SPI_CFG_DBTOC_UNSPECIFIED
48

SPI_CFG_DATA_UNSPECIFIED
164

SPI_FAST_CODE_ROM
992
59

Chapter 13
     P1M Specific Information

2.
RAM
RAM_UNSPECIFIED
4

NOINIT_RAM_1BIT
5

NOINIT_RAM_8BIT
5

NOINIT_RAM_16BIT
10

NOINIT_RAM_UNSPECIFIED
90

SPI_CFG_RAM_UNSPECIFIED
0
13.4.2.
Stack Depth

The worst-case stack depth for Driver Component is 216 bytes for the
typical configuration provided in Section 13.3.2.1Configuration Example.

13.4.3.
Throughput Details

The throughput details of the APIs for the configuration mentioned in
the Section13.3.2.1  Configuration  Example.  The  clock  frequency  used  to
measure the throughput is 160 MHz for all APIs.

Table 13-9
Throughput Details Of The APIs

Sl. No.
API Name
Throughput in
Remarks
microseconds
for 701310
1.
Spi_Init
3.690
-

2.
Spi_DeInit
1.710
-

3.
Spi_WriteIB
0.810
-

4.
Spi_AsyncTransmit
8.820
-

5.
Spi_ReadIB
0.720
-

6.
Spi_SetupEB
0.270
-

7.
Spi_GetStatus
0.180
-
8.
Spi_GetJobResult
0.360
-
9.
Spi_GetSequenceResult
0.360
-
10.
Spi_GetVersionInfo
0.360
-

11.
Spi_SyncTransmit
0.360
-

12.
Spi_GetHWUnitStatus
0.180
-
13.
Spi_Cancel
0.810
-
14.
Spi_SetAsyncMode
0.360
SPI_INTERRUPT
_ MODE
15.
Spi_SetAsyncMode
0.360
SPI_POLLING_
MODE
16.
Spi_MainFunction_Handling
1.170
-

60

  Release Details

      Chapter 14

Chapter 14  Release Details

SPI Driver Software

Version: 1.6.0

61

Chapter 14 Release Details

62

Revision History

Sl.No.  Description
Version
Date
1.
Initial Version
1.0.0
25-Oct-2013
2.
Following changes are made.
1.0.1
28-Jan-2014
1.  Chapter 2 is updated for referenced documents version.
2.  Section 13.1.1 is updated for adding the device names.
3.  Section 13.2 is updated for assembler and linker details.
4.  Section 13.3 is updated for naming convention change of
parameter definition files.
5.  Chapter 14 is updated for SPI driver component version
information.

3.
Following changes are made.

1.  In section 13.4.3,Throughput Details are updated.

2.  In Section 13.4.1,ROM/RAM Usage are updated.
1.0.2
02-May-2014
3.  In Section13.3.1,Sample Application Structure API details are
updated.
4.  In chapter 5, Architecture Details Spi API  are updated.

5.  In chapter 14, Release Details Spi software version is updated.
4.
Following changes are made.
1.0.3
12-May-2014
1.Unwanted Device names are removed.
2.In page no 47, header is updated.

5.
Following changes are made.
1.0.4
27-Oct-2014
1. Chapter 4 is updated for CS logs and note is added
regarding general limitation of the serial controllers.
2. Note is added regarding the usage of the parameter
‘SpiCsHoldTiming’ for synchronous transmission.
3. Name of Table 4-4 and 4-5 is updated.
4. Table 4-3, Table 4-4 and Table 4-5 are updated for
Static configuration.
5. Section 4.1, description of parameter ‘SpiTimeOut’ is updated.
6. In Section 4.1 Note is added regarding extended data size
supported by FIFO.
7. Sections 13.4, ROM/RAM and Throughput Details are
updated.
8. Section 4.6 Deviation list is updated.
9. Section 13.2.1, 13.2.2 and 13.2.3 are updated for compiler, linker
and assembler details.
10. Chapter 14, Release Details are updated.
11. Section 11.2 is updated to delete error code
‘SPI_E_SELF_TEST_FAILURE’ for Self-Test and
SPI_E_READBACK_FAILURE for readback.
12. Chapter 12 Memory Organization is updated to correct section
name SPI_START_SEC_CODE_FAST to
SPI_FAST_CODE_ROM.
13. Section 13 is updated for device names and to add Parameter
Definition files section.
14. Chapter 8 is update to include rh850_types.h file
15. In chapter 4 note is added regarding the DMA access for local RAM
area.

63

6.
Following changes are made.
1.0.5
19-Nov-2014

1. Section 4.1 is updated to correct the notes and spell checks.
2. Revision history points are corrected
7.
Following changes are made:
1.0.6
29-April-2015

1.Updated Chapter 2 ‘Reference Documents’ to correct the name and
version of device manual.
2.Information regarding Interrupt vector table has been provided in
section 4.1 ‘General’.
3.In Chapter 13, ’P1M Specific Information’ P1M 4.0.3 supported
devices are updated.
4.Table 13-1 PDF information updated for P1M 4.0.3 supported devices.
5.Section 13.1.1 has been updated to include the translation header file
for all P1M 4.0.3 supporting devices.
6.Updated section 13.3.1 ‘Sample Application Structure’ to add all the
supported devices for P1M 4.0.3.
7.Updated section 13.3.2 ‘Building the Sample Application’ to add
configuration details for the device 701310.
8.Updated section 13.4  ‘Memory and Throughput’ for the device
R7F701310.
9.Updated chapter 14 ‘Release Details’ to correct the SPI driver version.
10.Removed section ‘Compiler, Linker and Assembler’ from chapter 13.
11.Updated table 6.1 in Chapter 6 ‘Registers Details’.

64

AUTOSAR MCAL R4.0.3 User's Manual
SPI Driver Component Ver.1.0.6
Embedded User’s Manual

Publication Date: Rev.0.02, April 29, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  d
etailed  information.
Renesas Electronics  America Inc.
2880 Scott Boulevard  Santa Clara, CA 95050-2554, U.S.A. Tel:  +1-408-588-6000, Fax: +1-408-588-6130
Renesas Electronics  Canada Limited
1101 Nicholson  Road, Newmarket,  Ontario L3Y 9C3, Canada
Tel: +1-905-898-5441, Fax: +1-905-898-3220
Renesas Electronics  Europe Limited
Dukes Meadow, Millboard Road, Bourne End, Buckinghamshire, SL8 5FH, U.K Tel: +44-1628-585-100, Fax: +44-1628-585-900
Renesas Electronics  Europe GmbH Arcadiastrasse 10, 40472 Düsseldorf,  Germany Tel: +49-211-65030, Fax: +49-211-6503-1327
Renesas Electronics  (China) Co., Ltd.
7th Floor, Quantum Plaza, No.27 ZhiChunLu  Haidian District, Beijing 100083, P.R.China
Tel: +86-10-8235-1155, Fax: +86-10-8235-7679
Renesas Electronics  (Shanghai)  Co., Ltd.
Unit 204, 205, AZIA Center, No.1233 Lujiazui Ring Rd., Pudong District, Shanghai 200120, China
Tel: +86-21-5877-1818, Fax: +86-21-6887-7858 / -7898
Renesas Electronics  Hong Kong Limited
Unit 1601-1613,  16/F., Tower 2, Grand Century Place, 193 Prince Edward Road West, Mongkok,  Kowloon, Hong Kong
Tel: +852-2886-9318, Fax: +852 2886-9022/9044
Renesas Electronics  Taiwan Co., Ltd.
7F, No. 363 Fu Shing North Road Taipei, Taiwan
Tel: +886-2-8175-9600, Fax: +886 2-8175-9670
Renesas Electronics  Singapore  Pte. Ltd.
1 harbourFront Avenue, #06-10, keppel Bay Tower, Singapore  098632
Tel: +65-6213-0200, Fax: +65-6278-8001
Renesas Electronics  Malaysia Sdn.Bhd.
Unit 906, Block B, Menara Amcorp, Amcorp Trade Centre, No. 18, Jln Persiaran  Barat, 46050 Petaling Jaya, Selangor Darul Ehsan, Malaysia
Tel: +60-3-7955-9390, Fax: +60-3-7955-9510
Renesas Electronics  Korea Co., Ltd.
11F., Samik Lavied' or Bldg., 720-2 Yeoksam-Dong, Kangnam-Ku, Seoul 135-080, Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User’s Manual

Document Outline

22.4 - AUTOSAR_SPI_Tool_UserManual

AUTOSAR MCAL R4.0 User's Manual

22.5 - AUTOSAR_SPI_Tool_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54

22.6 - AUTOSAR_SPI_Tool_UserManuals

AUTOSAR MCAL R4.0.3
User’s Manual

SPI Driver Component Ver.1.0.7

Generation Tool User’s Manual

Target Device:
RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.02 May 2015

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.

3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.

11.  This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.


(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.

3

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
AUTOSAR
AUTomotive Open System ARchitecture
BSWMDT
Basic Software Module Description Template
CSIH
Enhanced Queued Clocked Serial Interface.
DEM
Diagnostic Event Manager
EB
External Buffer
ECU
Electronic Control Unit
e.g
Example
Hz
Hertz
HW
Hardware
IB
Internal Buffer
Id
Identifier
MCAL
MicroController Abstraction Layer
MCU
Micro Controller Unit
PCLK
Peripheral Clock
Rx
Receive
SPI
Serial Peripheral Interface
Tx
Transmit
XML
eXtensible Mark-up Language

Definitions

Terminology
Description
BSWMDT File
This file is the template for the Basic Software Module Description.
Configuration XML File
This file contains the setting of command line options.
ECU Configuration Description
Input file to SPI Driver Generation Tool. It is generated by ECU
File
Configuration Editor.
Sl.No
Serial Number.
Translation XML File
This file contains the translation and device specific header file path.
5

6

List of Figures

Figure 3-1
Overview of SPI Driver Generation Tool .................................................................... 13

List of Tables

Table 5-1
Output Files Description .............................................................................................. 17

8

Introduction

Chapter 1

Chapter 1  Introduction

The SPI Driver component provides the service for initializing the whole SPI
structure of the microcontroller.

The SPI Driver Component comprises of two sections as Embedded Software
and the Generation Tool to achieve scalability and configurability.

The document describes the features of the SPI Driver Generation Tool. SPI
Driver Generation Tool is a command line tool that extracts information from
ECU Configuration Description File and generates SPI Driver C Source and C
Header files (Spi_Cfg.h, Spi_Cbk.h, Spi_PBcfg.c and Spi_Lcfg.c).

This document contains information on the options, input and output files of
the SPI Driver Generation Tool. In addition, this manual covers a step-by-step
procedure for the usage of tool.

ECU Configuration Description File contains information about SPI
configuration.

1.1  Document Overview

This user manual is organized as given in the table below:

Section
Contents
Section 1 (Introduction)
Provides an introduction to the document and explains how information
is organized in this manual.
Section 2 (Reference)
Provides a list of documents referred while developing this document.
Section 3 (SPI Driver
Provides the component overview of SPI Driver.
Generation Tool Overview)
Section 4 (Input Files)
Provides information about ECU Configuration Description File.
Section 5 (Output Files)
Explains the output files that are generated by the SPI Driver
Generation Tool.
Section 6 (Precautions)
Contains precautions to be taken during configuration of ECU
Configuration Description File.
Section 7 (User Configuration
Describes about user configuration validation done by the SPI Driver
Validation)
Generation Tool.
Section 8 (Messages)
Describes all the Error/Warning/Information messages of R4.0.3 which
helps the user to understand the probable reason for the same.
Section 9 (Notes)
Provides notes to help the user to understand this document better.
9

Chapter 1 Introduction

10

Reference
Chapter 2

Chapter 2  Reference

2.1
Reference Documents

The following table lists the documents referred to develop this document:

Sl.No.  Title
Version
1.
AUTOSAR_SWS_SPIHandlerDriver.pdf
3.2.0
2.
P1M Parameter Definition File
1.0.5

R403_SPI_P1M_04_05_12_13_20_21.arxml
3.
P1M Parameter Definition File
1.0.5

R403_SPI_P1M_10_11_14_15_18_19_22_23.arxml

2.2
Trademark Notice

Microsoft and Windows are trademarks/registered trademarks of Microsoft
Corporation.
11

Chapter 2
Reference

12

SPI Driver Generation Tool Overview
Chapter 3

Chapter 3  SPI Driver Generation Tool Overview

SPI Driver Generation Tool overview is shown below.

ECU

Configuration

Description

Spi_Cfg.h,
File, BSWMDT
SPI Driver
Spi_Cbk.h,
File, Translation
Generation
Spi_Lcfg.c,
XML File and
Tool
Spi_PBcfg.c
Configuration
XML File

Figure 3-1  Overview of SPI Driver Generation Tool

SPI Driver Generation Tool is a command line tool that extracts, analyzes the
configuration details provided in the input file and validates correctness of the
data and provides scalability and configurability for SPI Driver module. It
accepts ECU Configuration Description File(s), BSWMDT File, Translation
XML File and Configuration XML File as input and displays appropriate
context sensitive error messages for wrong input and exits. Tool creates the
Log file Spi.log that contains the list of Error/Warning/Information messages in
the output directory.

For the error free input file, the tool generates the following output files:
Spi_Lcfg.c, Spi_PBcfg.c, Spi_Cfg.h and Spi_Cbk.h.

Spi_Cfg.h and Spi_Cbk.h will be compiled and linked with SPI Driver
Component. Spi_Lcfg.c and Spi_PBcfg.c will be compiled and linked
separately from the other C Source files and placed in flash.

ECU Configuration Description File can be created or edited using ECU
Configuration Editor.

Remark
•  In case of errors the generation tool returns a 1, in case of no errors the
generation tool returns a 0.

•  SPI Driver Generation Tool uses “Common Published Information” from SPI
module specific BSWMDT File. SPI module specific BSWMDT File should
not be updated manually since it is ”Static Configuration” file.
13

Chapter 3 SPI Driver Generation Tool Overview

14

Input Files
Chapter 4

Chapter 4 Input Files

SPI Driver Generation Tool accepts ECU Configuration Description File(s),
BSWMDT File, Translation XML File and Configuration XML File as input.
SPI Driver Generation Tool needs information about SPI Driver module.
Hence ECU Configuration Description File should contain configuration of
SPI Driver module. Generation Tool ignores any other AUTOSAR component
configured in the ECU Configuration Description File. ECU Configuration
Description File can be generated using configuration editor.

ECU Configuration Description File must comply with AUTOSAR standard
ECU Configuration Description File format

Remark The detailed explanation about the parameters and containers are found in
P1x Parameter Definition File referred in Reference Documents section.
15

Chapter 4 Input Files

16

Output Files
Chapter 5

Chapter 5  Output Files

SPI Driver Generation Tool generates configuration details in C Header and C
Source files (Spi_Lcfg.c, Spi_PBcfg.c, Spi_Cbk.h and Spi_Cfg.h).

The content of each output file is given in the table below:

Table 5-1  Output Files Description

Output File
Details
Spi_Cfg.h
This file contains pre-compile time parameters and handles.
Spi_Cbk.h
This file contains callback function prototype declarations to be used by application.
Spi_PBcfg.c
This file contains post-build time parameters.
Spi_Lcfg.c
This file contains structures of link time parameters.

Remark  Output files generated by SPI Driver Generation Tool should not be modified
or edited manually.
17

Chapter 5 Output Files

18

Precautions
Chapter 6

Chapter 6  Precautions

•  ECU Configuration Description File and BSWMDT File must comply with
AUTOSAR standard for R4.0.3 ECU Configuration Description File and
BSWMDT File respectively.

•  The input file must contain SPI Driver module.

•  Default Translation XML File (Spi_X1x.trxml) should be present in same
location of Spi_X1x.exe when the variant specific trxml file is not given as
input in command line.
•  Default Configuration XML File (Spi_X1x.cfgxml) must be present in same
location of Spi_X1x.exe.

•  If Translation XML File is not provided on the command line,
Spi_X1x.trxml which is present in same location of Spi_X1x.exe is
considered as ‘default’ Translation XML File.

•  If Configuration XML File is not provided on the command line,
Spi_X1x.cfgxml which is present in same location of Spi_X1x.exe is
considered as ‘default’ Configuration XML File.

•  Translation XML File should contain the file extension ‘.trxml’.

•  Configuration XML File should contain the file extension ‘.cfgxml’.

•  All the function names and the string values configured should follow C
syntax for variables. It can only contain alphanumeric characters and “_”. It
should start with an alphabet.

•  If the output files generated by SPI Driver Generation Tool are modified
externally, then they may not produce the expected results or may lead to
error/warning/Information messages.

•  Short Name for a container should be unique within a name space.

•  An error free ECU Configuration Description File generated from
configuration editor has to be provided as input to the SPI Driver Generation
Tool. Otherwise Tool may not produce the expected results or may lead to
errors/warnings/information messages.

•  User has to make sure that the respective device specific configuration file is
used, otherwise Tool may not produce the expected results or may lead to
errors/warnings/information messages.

•  The description file should always be generated using AUTOSAR specified
configuration editor and it should not be edited manually.

Remark  Please refer the SPI Component User Manual for deviations from AUTOSAR
     specifications, if any.
19

Chapter 6 Precautions

20

User Configuration Validation
Chapter 7

Chapter 7 User Configuration Validation

This section provides help to analyze the error, warning and information
messages displayed during the execution of SPI Driver Generation Tool. It
ensures conformance of input file with syntax and semantics. It also performs
validation on the input file for correctness of the data.

For more details on list of Error/Warning/Information messages that are
displayed as a result of input file(s) validation, refer Chapter 8 “Messages”.

The Generation Tool displays error or warning or information when the user
has configured incorrect inputs. The format of Error/Warning/Information
message is as shown below.

• ERR/WRN/INF<mid><xxx>: <Error/Warning/Information Message>.

 where,
<mid>: 083 - SPI Driver Module Id (083) for user configuration checks.

000 - for command line checks.

<xxx>: 001-999 - Message Id.

• File Name: Name of the file in which the error has occurred.

• Path: Absolute path of the container in which the parameter is present.

‘File Name’ and ‘Path’ need not be present for all Error/Warning/Information
messages.
21

Chapter 7 User Configuration Validation

22

Messages
Chapter 8

Chapter 8  Messages

The messages help to identify the syntax or semantic errors in the ECU
Configuration Description File. Hence it ensures validity and correctness of
the information available in the ECU Configuration Description File.

The following section gives the list of error, warning and information
messages displayed by the Generation Tool.

8.1  Error Messages

ERR083001: Number of fields is not same for the entity 'Structure Name'.

This error occurs, if the number of fields is not same in the structure that is to
be generated in the output file.

ERR083002: Field 'Field Name' is empty in the entity 'Structure Name'.

This error occurs, if the structure fields that are to be generated in the output
file are empty.

ERR083003: 'SPI Driver/MCU Driver/DEM' Component is not present in
the input file(s).

This error will occur, if SPI Driver or MCU Driver or DEM component is not
present in the input ECU Configuration Description File(s).

ERR083004: The parameter 'parameter name' in the container 'container
name' should be configured.

This error occurs, if any of the mandatory configuration parameter(s)
mentioned below is (are) not configured in ECU Configuration Description File.
The list of mandatory parameters with respect to container is listed below:

Parameter Name
Container Name
SpiCancelApi

SpiChannelBuffersAllowed


SpiDevErrorDetect

SpiHwStatusApi

SpiInterruptibleSeqAllowed

SpiGeneral
SpiLevelDelivered
SpiSupportConcurrentSyncTransmit
SpiVersionInfoApi
SpiDmaMode
SpiDataConsistencyCheckEnable
SpiDataWidthSelection
SpiMaxBaudrate
SpiSyncSeqEndNotificationEnable
SpiPersistentHWConfiguration
SpiDmaTypeUsed
SpiHighPriorityHwHandlingEnable
SpiCriticalSectionProtection
23

   Chapter 8
Messages

  Parameter Name
Container Name

SpiDeviceName

SpiAlreadyInitDetCheck

SpiVersionCheckExternalModules
SpiGeneral
SpiSeqStartNotificationEnable
SpiTimeOut
SpiMaxChannel

SpiMaxJob
SpiDriver
SpiMaxSequence
SpiChannelId

SpiChannelType

SpiDataWidth
SpiChannel
SpiEbMaxLength
SpiIbNBuffers
SpiTransferStart
SpiCsPolarity


SpiDataShiftEdge


SpiShiftClockIdleLevel

SpiCsIdentifier

SpiEnableCs

SpiHwUnit

SpiTimeClk2Cs
SpiExternalDevice
SpiClk2CsCount
SpiBaudrateConfiguration
SpiInputClockSelect
SpiInterruptDelayMode
SpiParitySelection
SpiFifoTimeOut
SpiBroadcastingPriority
SpiClockFrequencyRef
SpiJobId

SpiJob
SpiJobPriority
SpiDeviceAssignment
SpiInterruptibleSequence

SpiSeqStartNotification
SpiSequence
SpiSequenceId
SpiHighPriorityHwSequence
SpiJobAssignment
SpiHwUnitSelection

SpiMemoryMode
SpiMemoryModeSelection
SpiTxDmaChannel

SpiRxDmaChannel
SpiDma
SpiDmaHwUnit
SPI_E_HARDWARE_ERROR
SpiDemEventParameterRefs
SPI_E_DATA_TX_TIMEOUT_FAILURE
SpiChannelIndex

SpiChannelList
SpiChannelAssignment
SpiMaxHwUnit
SpiPublishedInformation
24

Messages
Chapter 8

Remark If the containers SpiMemoryMode and SpiDmaMode are configured, then
the respective parameters which are mandatory should be configured.

ERR083005: In general per configuration set, the value of
'SpiChannelId' parameter should start with <0> and should be
sequential without any gaps.

This error occurs, if the value for parameter SpiChannelId present in the
container SpiChannel is not starting with zero and also not sequential or
with gaps for any given configuration set.

ERR083006: The value of the parameter 'SpiChannelType' in the
container 'SpiChannel' should be same for SPI Channels (having
same channel Id) across multiple configuration sets.

This error occurs, if the value of parameter SpiChannelType in the
container SpiChannel is not same for SPI Channels (having same
channel Id) across multiple configuration sets.

ERR083007: The number of SPI channels configured should be
same across the multiple configurations set container 'SpiDriver'.

This error occurs, if the number of SPI channels configured is not same
across the multiple configurations set container SpiDriver.

ERR083008: The value of the parameters 'SpiEbMaxLength' and
'SpiIbNBuffers' in the container 'SpiChannel' should be same for
SPI Channels (having same channel Id) across multiple
configuration sets.

This error occurs, if the value for parameters SpiEbMaxLength and
SpiIbNBuffers are not same for all SPI Channels (having same channel
Id) across multiple configuration sets in ECU Configuration Description
File.

ERR083009: The short name of the container 'SpiChannel' should be
same for channel having same 'SpiChannelId' <value for
SpiChannelId> across multiple configurations set container
'SpiDriver'.

This error occurs, if the short name of the container SpiChannel is not
same for channel having same SpiChannelId across multiple
configurations set in the container SpiDriver.

ERR083010: The value of the parameter 'SpiChannelType' in the
container 'SpiChannel' should be configured as <EB>, since the
value of the parameter 'SpiChannelBuffersAllowed' in the container
'SpiGeneral' is configured as <1>.

This error occurs, if SpiChannelBuffersAllowed in the container
SpiGeneral is configured as 1 and the parameter SpiChannelType in the
container SpiChannel is not configured as EB.

25

Chapter 8
Messages

ERR083011: The value of the parameter 'SpiChannelType' in the
container 'SpiChannel' should be configured as <IB>, since the value
of the parameter 'SpiChannelBuffersAllowed' in the container
'SpiGeneral' is configured as <0>.

This error occurs, If SpiChannelBuffersAllowed in the container
SpiGeneral is configured as 0 and the parameter SpiChannelType in the
container SpiChannel is not configured as IB.

ERR083012: The SPI channels configured for a specific job should
not be repeated when the parameter 'SpiMemoryModeSelection' in
the container 'SpiMemoryMode' is configured as
<DUAL_BUFFER_MODE/ TX_ONLY_MODE>.

This error occurs, if the value for channels configured for a specific
job is repeated when the parameter SpiMemoryModeSelection in the
container SpiMemoryMode is configured as DUAL_BUFFER_MODE
or TX_ONLY_MODE.

ERR083013: The SPI channels configured for a specific job should
have same value for the parameter 'SpiDataWidth' of container
'SpiChannel' since the parameter 'SpiMemoryModeSelection' in the
container 'SpiMemoryMode' is configured as <value of
SpiMemoryModeSelection> within a sequence.

This error occurs, if the value for channels configured for a specific job is
not same for the parameter SpiDataWidth of container SpiChannel when
the parameter SpiMemoryModeSelection in the container
SpiMemoryMode is configured as DUAL_BUFFER_MODE or
TX_ONLY_MODE or FIFO_MODE.

ERR083014: The total number of buffers configured for all jobs
linked to one CSIH HW Unit should be less than or equal to <64/128>
since the value of the parameter 'SpiMemoryModeSelection' in the
container 'SpiMemoryMode' is configured as <TX_ONLY_MODE> and
the parameter 'SpiDataWidth' in the container 'SpiChannel' is
configured as less than or equal to <16>.

This error occurs, if the total number of buffers configured for all jobs
linked to one CSIH HW Unit is more than 64/128 when the value of the
parameter SpiMemoryModeModeSelection in the container
SpiMemoryModeMode is configured as TX_ONLY_MODE and the
parameter SpiDataWidth in the container SpiChannel is configured as less
than or equal to 16.

ERR083015: The total number of buffers configured for all jobs
linked to one CSIH HW Unit should be less than or equal to <32/64>
since the value of the parameter 'SpiMemoryModeSelection' in the
container 'SpiMemoryMode' is configured as
<DUAL_BUFFER_MODE> and the parameter 'SpiDataWidth' in the
container 'SpiChannel' is configured as greater than <16>.

26

Messages
Chapter 8

This error occurs, if the total number of buffers configured for all jobs
linked to one CSIH HW Unit is more than 32/64 when the value of the
parameter SpiMemoryModeModeSelection in the container
SpiMemoryModeMode is configured as DUAL_BUFFER_MODE and the
parameter SpiDataWidth in the container SpiChannel is configured as
greater than 16.

ERR083016: The value of the parameter ‘SpiDataWidth’ in the
container ‘SpiChannel’ is not in the range of <7 to 8> since the
parameter ‘SpiDataWidthSelection’ in the container ‘SpiGeneral’ is
configured as<BITS_8>.

This error occurs, if the value of the parameter SpiDataWidth in the
container SpiChannel is not in the range of 7 to 8 when the parameter
SpiDataWidthSelection in the container SpiGeneral is configured as
BITS_8.

ERR083017: The value of the parameter ‘SpiDataWidth’ in the
container ‘SpiChannel’ is not in the range of <7 to 16> since the
parameter ‘SpiDataWidthSelection’ in the container ‘SpiGeneral’ is
configured as <BITS_16>.

This error occurs, if the value of the parameter SpiDataWidth in the
container SpiChannel is not in the range of 7 to 16 when the parameter
SpiDataWidthSelection in the container SpiGeneral is configured as
BITS_16.

ERR083018: In general per configuration set, the value of ‘SpiJobId’
parameter should start with <0> and should be sequential without
any gaps.

This error occurs, if the value for parameter SpiJobId present in the
container SpiJob is not sequential or with gaps and also not starting with
zero for any given configuration set in the ECU Configuration Description
File.

ERR083019: The number of SPI Jobs configured should be same
across the multiple configurations set container ‘SpiDriver’.

This error occurs, if the number of SPI jobs configured is not same across
the multiple configurations set container SpiDriver.

ERR083020: The value of the parameter ‘SpiJobEndNotification’
configured in the container ‘SpiJob’ should be unique for jobs
with hardware units of different memory modes.

This error occurs, if the parameter SpiJobEndNotification of the container
SpiJob is not unique for jobs with hardware units of different memory
modes.

ERR083021: The value of the parameter ‘SpiJobEndNotification’
present in the container ‘SpiJob’ should be same for SPI jobs
(having same Job Id).

27

Chapter 8
Messages

This error occurs, if the parameter SpiJobEndNotification in the
container SpiJob is not same for SPI jobs (having same Job Id)
across multiple configuration sets in ECU Configuration Description
File.

ERR083022: The value for the parameter ‘SpiHwUnitSynchronous’ in
the container ‘SpiJob' should be same for jobs that are associated
with same sequence.

This error occurs, if the value for the parameter SpiHwUnitSynchronous in
the container SpiJob is not same for jobs that are associated with same
sequence. In general, the transfer mode of the jobs (that are associated
with same sequence) should be same.

ERR083023: The value of the parameter ‘SpiHwUnitSynchronous’ in
the container ‘SpiJob’ should be same for all jobs that are having
same value for the parameter ‘SpiHwUnit’ in the container
‘SpiExternalDevice’ within a configuration set.

This error occurs, if the value of the parameter SpiHwUnitSynchronous in
the container SpiJob is different for all jobs that are having same value for
the parameter SpiHwUnit in the container SpiExternalDevice within a
configuration set.

ERR083024: The value configured for the parameter 'parameter
name' should follow C Syntax <[a-zA-Z][a-zA-Z0-9_]>.

This error occurs, if the value of configuration parameters mentioned
below does not adhere to C syntax i.e., the value should not contain
characters other than (a-z, A-Z, 0-9 or “_”) and it also should start with an
alphabet.

Parameter Name
Container Name
SpiJobEndNotification
SpiJob
SpiSeqEndNotification
SpiSequence

ERR083025: The jobs configured for the parameter
'SpiJobAssignment' in the container ‘SpiSequence’ should not be
repeated since the parameter ‘SpiMemoryModeSelection’ in the
container ‘SpiMemoryMode’ is configured as
<DUAL_BUFFER_MODE/TX_ONLY_MODE>.

This error occurs, if the parameter SpiMemoryModeSelection in the
container SpiMemoryMode is configured as DUAL_BUFFER_MODE or
TX_ONLY_MODE and the jobs configured for the parameter
SpiJobAssignment in the container SpiSequence is repeated.

ERR083026: The value of the parameter
‘SpiMemoryModeSelection’ in the container ‘SpiMemoryMode’
should be same across the multiple configurations set container
‘SpiDriver’.

28

Messages
Chapter 8

This error occurs, if the value of the parameter SpiMemoryModeSelection
in the container SpiMemoryMode is not same across the multiple
configurations set container SpiDriver.

ERR083027: The value of the parameter ‘SpiHwUnit’ in the container
‘SpiExternalDevice’ should be same when the parameter
‘SpiMemoryModeSelection’ in the container ‘SpiMemoryMode’ is
configured as <value of the parameter SpiMemoryModeSelection>
within a sequence.

This error occurs, if the value of the parameter SpiHwUnit in the container
SpiExternalDevice is not same when the parameter
SpiMemoryModeSelection in the container SpiMemoryMode is configured
as DUAL_BUFFER_MODE and TX_ONLY_MODE within sequence.

ERR083028: The short name of the container ‘SpiJob’ should be
same for job having same 'SpiJobId' <value for SpiJobId> across
multiple configurations set container ‘SpiDriver’.

This error occurs, if the short name of the container SpiJob is not same for
SPI jobs (having same job Id) across multiple configurations set container
SpiDriver.

ERR083029: The value of the parameter ‘SpiHwUnit’ in the container
‘SpiExternalDevice’ is configured as <value of SpiHwUnit>. The value
<value of SpiHwUnit> is not configured for the parameter
‘SpiHwUnitSelection’ in the container ‘SpiMemoryMode’.

This error occurs, if the value of the parameter SpiHwUnit in the
container SpiExternalDevice is configured as CSIHn and the same
value is not configured to the parameter SpiHwUnitSelection in the
container SpiMemoryMode. Here n is integer numbers e.g. 0, 1, etc.

ERR083030: The value of the parameter 'SpiHwUnit' in the container
‘SpiExternalDevice’ is not configured for the same memory mode as
the memory mode of the other jobs in the respective sequence.

This error occurs, if the value of the parameter SpiHwUnit in the container
SpiExternalDevice is not configured for the same memory mode as the
memory mode of the other jobs in the respective sequence.

ERR083031: The value <value of SpiHwUnitSelection> configured
for the parameter 'SpiHwUnitSelection’ present in the container
'SpiMemoryMode’ should be unique within configuration set
container
'SpiDriver'.

This error occurs, if the value of the parameter SpiHwUnitSelection in
the container SpiMemoryMode is not unique within configuration set
container SpiDriver.

29

Chapter 8
Messages

ERR083032: The same value should be configured for the parameter
‘SpiHwUnit’ in the container 'SpiExternalDevice' across the
multiple configuration sets.

This error occurs, if the value configured for the parameter SpiHwUnit in
the container SpiExternalDevice is not same across multiple
configuration sets.

ERR083033: The value of the parameter 'SpiHwUnitSelection' in the
container 'SpiMemoryMode' is configured as <value for
SpiHwUnitSelection>, but none of the container 'SpiExternalDevice'
has configured 'SpiHwUnit' as <value for SpiHwUnitSelection>.

This error occurs, if the hardware unit configured in the container
SpiMemoryMode is not present in any of the SpiExternalDevice container.

ERR083034: The number of SPI sequences configured should be
same across multiple configurations set container ‘SpiDriver’.

This error occurs, if the numbers of SPI sequences configured are not
same across the multiple configurations set container SpiDriver.

ERR083035: The value of parameter 'SpiSeqEndNotification' present
in the container 'SpiSequence' should be unique for the sequences
having jobs with hardware units of different memory modes.

This error occurs, if the value of parameter SpiSeqEndNotification present
in the container SpiSequence is not unique for the sequences having jobs
with hardware units of different memory modes.

ERR083036: The parameter ‘SpiSeqEndNotification’ in the container
‘SpiSequence’ should be same for sequences having same
'SpiSequenceId' <value for SpiSequenceId> across
multiple configurations set container ‘SpiDriver’.

This error occurs, if the parameter SpiSeqEndNotification in the container
SpiSequence is not same for SPI Sequences (having same Sequence Id)
across multiple configurations set container SpiSequence.

ERR083037: In general per configuration set, the value of
‘SpiSequenceId’ parameter should start with <0> and should be
sequential without any gaps.

This error occurs, if the parameter SpiSequenceId is not sequential or with
gaps and also not starting with zero within the container SpiSequence for
any of the given configuration set.

ERR083038: The short name of the container ‘SpiSequence’ should
be same for sequence having same 'SpiSequenceId' <value for
SpiSequenceId> across multiple configurations set container
‘SpiDriver’.

This error occurs, if the short name of the container SpiSequence is not
same for SPI Sequences (having same Sequence Id) across multiple
configurations set container ‘SpiDriver’.

30

Messages
Chapter 8

ERR083039: The value of parameter ‘SpiPortPinSelect’ in the
container ‘SpiJob’ should not be configured as <value of the
parameter SpiPortPinSelect> since the value of the parameter
‘SpiCsSelection’ present in the container ’SpiExternalDevice’ is
configured as <value of the parameter SpiCsSelection>.

This error occurs, if the value of the parameter SpiPortPinSelect in the
container SpiJob is configured as CSLn and the parameter
SpiCsSelection present in the container SpiExternalDevice is configured
as CS_VIA_GPIO. Here n is the integer number e.g. 0, 1, etc.

ERR083040: The value of parameter ‘SpiPortPinSelect’ in the
container ‘SpiJob’ should not be configured as <value of the
parameter SpiPortPinSelect> since the value of the parameter
‘SpiCsSelection’ present in the container ’SpiExternalDevice’ is
configured as <value of the parameter SpiCsSelection>.

This error occurs, if the value of the parameter SpiPortPinSelect in the
container SpiJob is configured as Port group related pins and the
parameter SpiCsSelection present in the container SpiExternalDevice is
configured as CS_VIA_PERIPHERAL_ENGINE.

ERR083041: The value of parameter ‘SpiChannelType’ in the
container ‘SpiChannel’ should be configured as <IB> since the
parameter
‘SpiMemoryModeSelection’ in the container
‘SpiMemoryMode’ is configured with one of the values from
<value of the parameter SpiMemoryModeSelection>.

This error occurs, if the value of the parameter
SpiMemoryModeSelection in the container SpiMemoryMode is
configured as DUAL_BUFFER_MODE or TX_ONLY_MODE and the
parameter SpiChannelType in the container SpiChannel is not
configured as IB.

The value of the parameter SpiChannelType in the SpiChannel
container can be configured as EB, if the parameter
SpiHighPriorityHwHandlingEnable is configured as true in SpiGeneral
container and if this channel is linked to a job which is linked to a high
priority sequence.

ERR083042: The parameter ‘SpiHwUnit’ present in the container
‘SpiExternalDevice’ is configured as <value of the parameter
SpiHwUnit> and all of the following parameters
(SpiCsIdleEnforcement, SpiCsIdleTiming, SpiCsHoldTiming,
SpiCsInterDataDelay and SpiCsSetupTime) should be configured.

This error occurs, if the parameter SpiHwUnit present in the container
SpiExternalDevice is configured as CSIHm and any of the parameters
SpiCsIdleEnforcement, SpiCsIdleTiming, SpiCsHoldTiming,
SpiCsInterDataDelay and SpiCsSetupTime is not configured. Here m is
integer number e.g. 0, 1, etc.

31

Chapter 8
Messages

ERR083043: The parameter ‘SpiPortPinSelect’ in the container
‘SpiJob’ configured should be only one unique value, since the
value of parameter ‘SpiHwUnit’ present in the container
‘SpiExternalDevice’ is configured as <value of the parameter
SpiHwUnit>.

This error occurs, if the value of the parameter SpiHwUnit present in
the container SpiExternalDevice is configured as CSIGn and more
than one unique value is configured for the parameter
SpiPortPinSelect in the container SpiJob. Here n is integer number e.g.
0, 1, etc.

ERR083044: The value of the parameter ‘SpiMaxChannel’ should
be equal to the total number of 'SpiChannel' container configured
within each 'SpiDriver' container.

This error occurs, if the value of the parameter SpiMaxChannel present in
container SpiDriver is not equal to total number of channels configured
within each SpiDriver container in ECU Configuration Description File.

ERR083045: The value of the parameter ‘SpiMaxJob’ should be equal
to the total number of 'SpiJob' container configured within each
'SpiDriver' container.

This error occurs, if the value of the parameter SpiMaxJob in the
container SpiDriver is not equal to the total number of jobs configured
within each SpiDriver container in ECU Configuration Description File.

ERR083046: The value of the parameter ‘SpiMaxSequence’ should
be equal to the total number of 'SpiSequence' container configured
within each 'SpiDriver' container.

This error occurs, if the value of the parameter SpiMaxSequence in the
container SpiDriver is not equal to the total number of jobs configured
within each SpiDriver container in ECU Configuration Description File.

ERR083048: The value of the parameter
‘SpiMemoryModeSelection’ in the container ‘SpiMemoryMode’
should be configured as <DIRECT_ACCESS_MODE> since the
value configured for the parameter ‘SpiLevelDelivered’ in the
container ‘SpiGeneral’ is <0>.

This error occurs, if the value configured for the parameter
SpiLevelDelivered in the container SpiGeneral is 0 and the value of the
parameter SpiMemoryModeSelection in the container SpiMemoryMode is
not configured as DIRECT_ACCESS_MODE.

ERR083049: At least one instance of the container 'SpiDma' should
be configured as the value of parameter 'SpiDmaMode' present in
the container 'SpiGeneral' is configured as <true>.

This error occurs, if the parameter SpiDmaMode present in the container
SpiGeneral is configured as true and no instance of the container
SpiDma is configured.

32

Messages
Chapter 8

ERR083050: The value configured for the parameters
‘SpiTxDmaChannel’ and ‘SpiRxDmaChannel’ should be unique
within a configuration set.

This error occurs, if the same DMA channel is configured for
SpiTxDmaChannel or SpiRxDmaChannel of SpiDma container for
hardware units (SpiDmaHwUnit) within a configuration set. DMA channel
(Tx or Rx) should be unique within a configuration set.

ERR083051: The number of SPI DMA configured should be same
across multiple configurations set container ‘SpiDriver’.

This error occurs, if the number of SPI DMA configured is not same
across multiple configurations set container SpiDriver.

ERR083052: The value configured in the parameters
‘SpiTxDmaChannel’ and ‘SpiRxDmaChannel’ in the container
‘SpiDma’ should be same across multiple configuration sets.

This error occurs, if the value configured in the parameters
SpiTxDmaChannel and SpiRxDmaChannel in the container SpiDma is
not same across multiple configuration set.

ERR083053: The value configured for the parameter 'SpiDmaHwUnit'
in the container 'SpiDma' should be configured in any of the
hardware units selected for jobs.

This error occurs, if the value configured for the parameter SpiDmaHwUnit
in the container SpiDma is not configured in any of the hardware units
selected for jobs.

ERR083054: The value of the parameter 'SpiDataWidth' in the
container 'SpiChannel' should not be greater than 16, since the
corresponding channel is associated with DMA HW unit
<Configured as DMA HW Unit>.

This error occurs, if the configured value of the parameter SpiDataWidth in
the container SpiChannel is greater than 16 and the corresponding HW
Unit is configured for DMA.

ERR083055: The value of parameter 'SpiPortPinSelect' <value of the
SpiPortPinSelect> in the container 'SpiJob' should not be same since
the hardware units configured for respective jobs are not same.

This error occurs, if the value of parameter SpiPortPinSelect is configured
in the container SpiJob is same and the hardware units configured for
respective jobs are different. This error is applicable only for CSIG
hardware unit related jobs.

ERR083056: The DMA HW unit configured in 'SpiDmaHwUnit'
parameter of the container 'SpiDma' is invalid as 'SpiDmaMode'
parameter is configured as <true> and the same DMA HW unit is
configured as <SYNCHRONOUS> in the parameter
‘SpiHwUnitSynchronous’ of the container ‘SpiJob’.

33

Chapter 8
Messages

This error occurs, if the SpiDmaMode parameter is configured as true and
the same DMA HW unit is configured as SYNCHRONOUS in the
parameter SpiHwUnitSynchronous of the container SpiJob.

ERR083057: The value of the parameter ‘SpiChannelIndex’
configured in container ‘SpiChannelList’ should be <Expected value
of SpiChannelIndex>. In general per Spi Job, the value of
‘SpiChannelIndex’ parameter should start with <0> and should be
sequential without any gaps.

This error occurs, if value of the parameter SpiChannelIndex in the
container SpiChannelList is not starting with 0 and not sequential for any
SpiJobId parameter in the container SpiJob.

ERR083058: The reference path <path> provided for the parameter
‘parameter name’ in the container ‘container name’, having short
name<container short name> is incorrect.

This error occurs, if incorrect reference provided for any of the
reference parameters (SPI_E_HARDWARE_ERROR,
SpiClockFrequencyRef, SpiDeviceAssignment,
SpiChannelAssignment and SpiJobAssignment).

ERR083059: The value of the parameter ‘SpiHwUnitSynchronous’ in
the container ‘SpiJob’ should be same for all jobs that are having
same value for the parameter ‘SpiHwUnit’ in the container
‘SpiExternalDevice’ across multiple configurations set container
‘SpiDriver’.

This error occurs, if the value of the parameter SpiHwUnitSynchronous in
the container SpiJob is different for all jobs that are having same value for
the parameter SpiHwUnit in the container SpiExternalDevice across
multiple configurations set container SpiDriver.

ERR083061: The value of the parameter ‘SpiCsSelection’ in the
container ‘SpiExternalDevice’ should not be configured as <value of
the parameter SpiCsSelection> since the value of the parameter
‘SpiHwUnit’ is configured as <value of the parameter SpiHwUnit>.

This error occurs, if the value of the parameter SpiHwUnit in the container
SpiExternalDevice is configured as CSIG<n> and the value of the
parameter SpiCsSelection in the container SpiExternalDevice is configured
as CS_VIA_PERIPHERAL_ENGINE. Here <n> is an integer number e.g. 0,
1 etc.

ERR083062: The value of the parameter ‘SpiCsSelection’ in the
container ‘SpiExternalDevice’ should be configured, since the value of
the parameter ‘SpiEnableCs’ in the container ‘SpiExternalDevice’ is
configured as <true>.

This error occurs, if the value of the parameter SpiEnableCs in the
container SpiExternalDevice is configured as true and the parameter
SpiCsSelection in the container SpiExternalDevice is not configured.
34

Messages
Chapter 8

ERR083063: The value of the parameter ‘SpiPortPinSelect’ in
the container ‘SpiJob’ should be configured, since the value
of the parameter ‘SpiEnableCs’ in the container
‘SpiExternalDevice’ is configured as <true>.

This error occurs, if the value of the parameter SpiEnableCs in the
container SpiExternalDevice is configured as true and the parameter
SpiPortPinSelect in the container SpiJob is not configured.

ERR083064: The value of the parameter ‘SpiCsSelection’ in the
container ‘SpiExternalDevice’ should not be configured, since the
value of the parameter ‘SpiEnableCs’ in the container
‘SpiExternalDevice’ is configured as <false>.

This error occurs, if the value of the parameter SpiEnableCs in the
container SpiExternalDevice is configured as false and the
parameter SpiCsSelection in the container SpiExternalDevice is
configured.

ERR083065: The value of the parameter ‘SpiPortPinSelect’ in
the container ‘SpiJob’ should not be configured, since the
value of the parameter ‘SpiEnableCs’ in the container
‘SpiExternalDevice’ is configured as <false>.

This error occurs, if the value of the parameter SpiEnableCs in the
container SpiExternalDevice is configured as false and the parameter
SpiPortPinSelect in the container SpiJob is configured.

ERR083066: The DMA HW unit is configured in ‘SpiDmaHwUnit’
parameter of ‘SpiDma’ container is invalid as the memory mode of
the respective hardware unit is configured as
<Configured memory mode>.

This error occurs, if DMA HW unit configured for the parameter
SpiDmaHwUnit in the container SpiDma is configured with the memory
mode of TX_ONLY_MODE or DUAL_BUFFER_MODE.
If SpiHighPriorityHwHandlingEnable is configured as true in SpiGeneral
container then the DMA HW unit configured for the parameter
SpiDmaHwUnit in the container SpiDma can be configured with the memory
mode of TX_ONLY_MODE.

ERR083067: The value of the parameter ‘SpiHwUnitSynchronous’ in
the container ‘SpiJob’ should be configured, since the value of the
parameter ‘SpiLevelDelivered’ in the container ‘SpiGeneral’ is
configured as <2>.

This error occurs, if the value of the parameter SpiLevelDelivered in
the container SpiGeneral is configured as 2 and the parameter
SpiHwUnitSynchronous in the container SpiJob is not configured.

ERR083068: The value for the parameter ‘SpiLevelDelivered’ in
the container ‘SpiGeneral’ is configured as <2> and the
parameter ‘SpiMemoryModeSelection’ in the container
‘SpiMemoryMode’ should be configured as
<DIRECT_ACCESS_MODE>, since the respective HW Unit is
configured for <SYNCHRONOUS> in the parameter
‘SpiHwUnitSynchronous’ of the container ‘SpiJob’.

35

Chapter 8
Messages

This error occurs, if the value of the parameter
SpiMemoryModeSelection in the container SpiMemoryMode is
configured as DIRECT_ACCESS_MODE and the respective HW Unit is
configured for SYNCHRONOUS in the parameter
SpiHwUnitSynchronous of the container SpiJob with the value
configured for the parameter SpiLevelDelivered in the container
SpiGeneral is 2.

ERR083069: The SPI channel configured across jobs should not be
repeated when the parameter ' SpiMemoryModeSelection' in the
container ' SpiMemoryMode' is configured as
<DUAL_BUFFER_MODE/ TX_ONLY_MODE>.

This error occurs, if the value of the parameter
SpiMemoryModeSelection in the container SpiMemoryMode is
configured as DUAL_BUFFER_MODE or TX_ONLY_MODE and the
channels configured for respective jobs are repeated.

ERR083070: The parameter 'SpiInterruptibleSequence' in the container
'SpiSequence' should be configured as <false>, since the jobs
connected to the sequence having the value of the parameter
'SpiMemoryModeSelection' in the container
'SpiMemoryMode' is configured as
<DUAL_BUFFER_MODE/TX_ONLY_MODE>.

This error occurs, if the jobs connected to the sequence having the value
of the parameter SpiMemoryModeSelection in the container
SpiMemoryMode is configured as DUAL_BUFFER_MODE or
TX_ONLY_MODE and the value of the parameter
SpiInterruptibleSequence in the container SpiSequence is not configured
false.

ERR083072: The value of the parameter ‘SpiDataWidth’ in the
container ‘SpiChannel’ is not in the range of <2 to 32> since the value
of the parameter ‘SpiHwUnit’ in the container SpiExternalDevice’ is
configured as CSIHn.

This error will occur, if the value of the parameter SpiDataWidth in the
container SpiChannel is not in the range of 2 to 32 and the value of
the parameter SpiHwUnit in the container SpiExternalDevice is
configured as CSIH<n>. Here <n> is integer numbers e.g. 0, 1, etc.

ERR083075: The chip select for the job <SpiJob short name> should
not be configured as <Chip select value>, since this chip select is
associated with a sequence <SpiSequence short name> which is
having ‘SpiHighPriorityHwSequence' parameter is configured as
<true>.

This error occurs, if the chip select for the job is configured as Chip
select value and this chip selects is associated with sequence which is
having SpiHighPriorityHwSequence parameter is configured as true.

36

Messages
Chapter 8

ERR083076: Maximum acceptable baud rate for the Job
<SpiJob short name> should be less than or equal to PCLK/4 in
external device <SpiExternal device short name> in the
configuration set <SpiDriver short name>.

This error occurs, when maximum acceptable baud rate for the job is
greater than PCLK/4.

ERR083078: The value of parameter ‘SpiHighPriorityHwSequence'
present in the container ‘SpiSequence' should be configured as
<true> for at least one of the sequences, since the parameter
‘SpiHighPriorityHwHandlingEnable' present in the container
'SpiGeneral' is configured as <true>.

The error occurs, if the value of the parameter SpiHighPriorityHwSequence
present in the container SpiSequence is not configured as true for none of
the sequences and the value of parameter
SpiHighPriorityHwHandlingEnable present in the container SpiGeneral is
configured as true.

ERR083080: The value configured for the parameter
'SpiSeqStartNotification' should follow C Syntax < [a-zA-Z] [a-zA-Z0-
9_]>.

This error occurs, if the value of configuration parameters mentioned below
does not adhere to C syntax i.e., the value should not contain characters
other than (a-z, A-Z, 0-9 or “_”) and it also should start with an alphabet.

ERR083081: The value of parameter 'SpiSeqStartNotification' present
in the container 'SpiSequence' should be unique for the sequences
having jobs with hardware units of different memory modes.

The error occurs, if the value configured for the parameter
'SpiSeqStartNotification' in the 'SpiSequence' container is same for the
sequences having jobs with hardware units of different memory modes.

ERR083082: The short name of the container ‘SpiSequence’ should be
same for sequence having same 'SpiSequenceId' <value for
SpiSequenceId> across multiple configurations set container
‘SpiDriver’.

This error occurs, if the short name of the container SpiSequence is not
same for SPI Sequences (having same Sequence ID) across multiple
configurations set container ‘SpiDriver’.

ERR083084: The parameter ‘SpiSeqStartNotification’ in the container
‘SpiSequence’ should be same for sequences having same
'SpiSequenceId' <value for SpiSequenceId> across multiple
configurations set container ‘SpiDriver’.

37

Chapter 8
Messages

This error will occur, if the parameter SpiSeqStartNotification in the
container SpiSequence is not same for SPI Sequences (having same
Sequence ID) across multiple configurations set container SpiSequence.

Parameter Name
Container Name
SpiSeqStartNotificationEnable
SpiGeneral
SpiSeqStartNotification
SpiSequence

ERR083085: The parameter 'SpiSeqEndNotification' in the container
'SpiSequence' should not be configured, when the parameter
'SpiHwUnitSynchronous' in the container ‘SpiJob’ is configured with
value 'SYNCHRONOUS' since the pre-compile parameter
'SpiSyncSeqEndNotificationEnable' in the 'SpiGeneral' container is
configured as false.

This error will occur if value of the parameter SpiHwUnitSynchronous in
the container ‘SpiJob’ is configured as ‘Synchronous’ , when the
parameter ‘SpiSyncSeqEndNotificationEnable’ in SpiGeneral container is
FALSE and the sequence to which the ‘SpiJob’ belongs has Sequence
end notification configured.

Parameter Name
Container Name
SpiSyncSeqEndNotificationEnable
SpiGeneral
SpiSeqEndNotification
SpiSequence

ERR083086: The value of the parameter 'SpiInputClockSelect' in the
container '/Renesas/Spi0/SpiDriverx/SpiExternalDevicex' should be
same for all Jobs using the same SpiHwUnit 'CSIHx'.

The error occurs, if value of the parameter ‘SpiInputClockSelect’ in the
container SpiExternalDevice is not same for all jobs using the same
SpiHwUnit.

ERR083087: The value of the parameter 'SpiBaudrateConfiguration' for
'CSIH_BAUDRATE_REGISTER_x' in the container
'/Renesas/Spi0/SpiDriverx/SpiExternalDevicex' should be same for all
Jobs using the same SpiHwUnit 'CSIHx'

The error occurs, if value of the parameter ‘SpiBaudrateConfiguration’ for a
baudrate register in the container SpiExternalDevice is not same for all
SpiExternalDevices using the same baudrate register for all jobs using the
same SpiHwUnit.

ERR083088: The value of the parameter 'SpiPortPinSelect' in the
container '/Spi0/SpiDriverx/SpiJobz' used for
'/Renesas/Spi0/SpiDriverx/SpiExternalDevicex' should not be used for
'/Renesas/Spi0/SpiDriverx/SpiExternalDevicey' in
'/Spi0/SpiDriver0/SpiJobw'.

38

Messages
Chapter 8

The error occurs, if the same value of the parameter SpiPortPinSelect
used by an SpiExternalDevice in a SpiJob container is configured for an
another SpiPortPinSelect used by another SpiExternalDevice in an
another SpiJob.

ERR083089: The value of the parameter 'SpiCsPolarity' in the
container 'SpiExternalDevice5' used for 'CSIH0' should be same as
value of the parameter 'SpiCsPolarity' in the container
'SpiExternalDevice0' used for 'CSIH0'.

The error occurs, if the value of the parameter SpiCsPolarity in the
container SpiExternalDevice, is not same across all the external devices
using the same SpiHwUnit CSIHx using the same chipselect.

ERR083090: The value of the parameter 'SpiFifoTimeOut' across the
containers 'SpiExternalDevicex' and 'SpiExternalDevicey' should be
same as they are referring the same SpiHw 'CSIHn'.

This error occurs, if the value of the parameters
SpiCsInactiveAfterLastData, SpiShiftClockIdleLevel, SpiInputClockSelect,
SpiInterruptDelayMode, and SpiFifoTimeOut in the SpiExternalDevice
container are not same across the External devices mapped to the same
SpiHw Unit.

ERR083091: The value of the parameter 'SpiTransferStart' across the
containers 'SpiChannelx' and 'SpiChannely' should be same as they
are referring the same SpiHw 'CSIHn'.

The error occurs, if value of the parameters SpiDataWidth,
SpiTransferStart present in SpiChannel container are not same across all
the channel containers using the same SpiHw Unit and
SpiPersistentHWConfiguration is configured as true.

In case of CSIHx SpiHw Unit the values of the parameters SpiDataWidth,
SpiTransferStart present in SpiChannel container are not same across all
the channel containers using the same CSIHx SpiHw and the same
chipselect lines and SpiPersistentHWConfiguration is configured as true.

In case of CSIGn SpiHw Unit the values of the parameters SpiDataWidth,
SpiTransferStart present in SpiChannel container are not same across all
the channel containers using the same CSIGn SpiHw and
SpiPersistentHWConfiguration is configured as true.

Container
Parameters
SpiDataWidth
SpiChannel
SpiTransferStart
SpiGeneral
SpiPersistentHWConfiguration

39

Chapter 8
Messages

ERR083092: The reference path <path> provided for the parameter
‘parameter name’ in the container ‘container name’, having short
name <container short name> is incorrect.
This error occurs, if incorrect reference provided for the reference
parameter (‘SPI_E_DATA_TX_TIMEOUT_FAILURE’).

ERR083093: The reference path <path> provided for the parameters
‘parameter name’ and ‘parameter name’ in the container ‘container
name’ should be unique.

This error occurs, if the reference path provided for the parameters
SPI_E_HARDWARE_ERROR and SPI_E_DATA_TX_TIMEOUT_FAILURE,
are not unique.

ERR083094: The reference path for parameter
'SPI_E_DATA_TX_TIMEOUT_FAILURE/ SPI_E_HARDWARE_ERROR'
in the container 'SpiDemEventParameterRefs' should be same
across multiple configuration set.

This error occurs, if the reference path provided for the parameters
'SPI_E_DATA_TX_TIMEOUT_FAILURE/ SPI_E_HARDWARE_ERROR is
not same across multiple configuration sets.

ERR083107: The value configured for the parameter
‘SpiDmaTrigCtrlOnCS’ should be same across multiple configuration
set.

This error occurs, when the value configured for the
parameterSpiDmaTrigCtrlOnCS is not same across multiple configuration
set.

ERR083108: When the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma, then the parameter
‘SpiPortPinSelect’ should be configured as <value of parameter
SpiPortPinSelect> (only one chip select) in the container SpiJob".

This error occurs, when the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and the parameter
SpiPortPinSelect is configured other than <value of parameter
SpiPortPinSelect> in the container SpiJob.

40

Messages
Chapter 8

ERR083109: When the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma, then the parameter
‘SpiPortPinSelect’ should be configured as <value of parameter
SpiPortPinSelect> (only one chip select) in the container SpiJob".

This error occurs, when the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and multiple chip selects
are configured for the parameter SpiPortPinSelect other than <value of
parameter SpiPortPinSelect> in the container SpiJob.

ERR083110: When the parameter ‘ SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> then the parameter
‘SpiDmaTrigCtrlOnCS’ should be configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container ‘SpiDma’ and the parameter
‘SpiPortPinSelect’ should be configured as <value of parameter
SpiPortPinSelect> in the container SpiJob.

This error occurs, when the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and the parameter
SpiPortPinSelect’ is not configured as <value of parameter
SpiPortPinSelect> in the container SpiJob.

ERR083111: When the parameter ‘ SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> then the parameter
‘SpiDmaTrigCtrlOnCS’ should be configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container ‘SpiDma’ and the parameter
‘SpiPortPinSelect’ should be configured as <value of parameter
SpiPortPinSelect>(one chip select) in the container SpiJob.

This error occurs, when the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and the parameter
SpiPortPinSelect is configured with multiple chip select values in the
container SpiJob.

ERR083112: When the parameter ‘SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> and the parameter
‘SpiDmaTrigCtrlOnCS’ is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container ‘SpiDma’ then the parameter
‘SpiPortPinSelect’ should be configured as <value of parameter
SpiPortPinSelect> only in the container SpiJob.

41

Chapter 8
Messages

This error occurs, When the parameter SpiDmaHwUnit is configured as
<Value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and the parameter
SpiPortPinSelect is configured other than <value of parameter
SpiPortPinSelect> in the container SpiJob.

ERR083113: When the parameter ‘SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> and the parameter
‘SpiDmaTrigCtrlOnCS’ is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container ‘SpiDma’ then the parameter
‘SpiPortPinSelect’ should be configured as <value of parameter
SpiPortPinSelect> only in the container SpiJob.

This error occurs, when the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and the parameter
SpiPortPinSelect is configured with multiple chip selects in the container
SpiJob.

ERR083114: When the parameter ‘SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> and the parameter
‘SpiDmaTrigCtrlOnCS’ is configured as <value of parameter
SpiDmaTrigCtrlOnCS> or <value of parameter
<SpiDmaTrigCtrlOnCS> in the container ‘SpiDma’, then at
least one <value of chip select> should be configured for the
parameter ‘SpiPortPinSelect’ in the container SpiJob.

This error occurs, when the parameter SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> and the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> or <value of parameter SpiDmaTrigCtrlOnCS> in
the container SpiDma, then at least one <value of chip select> should be
configured for the parameter SpiPortPinSelect in the container SpiJob.

ERR083115: When the parameter ‘ SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> then the parameter
‘SpiDmaTrigCtrlOnCS’ should be configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container ‘SpiDma’ and the parameter
‘SpiPortPinSelect’ should be configured as <value chip select> only
in the container SpiJob.

This error occurs, When the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> then the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and the parameter
SpiPortPinSelect is not configured as <value chip select> only in the
container SpiJob.

42

Messages
Chapter 8

ERR083116: When the parameter ‘ SpiDmaHwUnit’ is configured as
<value of parameter SpiDmaHwUnit> then the parameter
‘SpiDmaTrigCtrlOnCS’ should be configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container ‘SpiDma’ and the parameter
‘SpiPortPinSelect’ should be configured as <value chip select>
only in the container SpiJob.

This error occurs, when the parameter SpiDmaHwUnit is configured as
<value of parameter SpiDmaHwUnit> then the parameter
SpiDmaTrigCtrlOnCS is configured as <value of parameter
SpiDmaTrigCtrlOnCS> in the container SpiDma and the parameter
SpiPortPinSelect is configured with multiple chip selects in the container
SpiJob.

ERR083117: The value of parameter ‘SpiCsSelection‘ in the
container ‘SpiExternalDevice’ should not be configured as
<CS_VIA_GPIO> since the value of the parameter ‘SpiHwUnit’ is
configured as < CSIH>.

This error occurs, if the value of the parameter SpiHwUnit in the
container SpiExternalDevice is configured as CSIH<n> and the value
of the parameter SpiCsSelection in the container SpiExternalDevice is
configured as CS_VIA_GPIO. Here <n> is an integer number e.g. 0, 1
etc.

ERR083119: The parameter ' SPI_E_READBACK_FAILURE' in the
container 'SpiDemEventParameterRefs' has to be configured when
the parameter 'SpiReadBackConfiguration' is configured as <TRUE>
in 'SpiGeneral' container.

This error occurs, if the parameter SPI_E_READBACK_FAILURE is not
configured in the container SpiDemEventParameterRefs when the
parameter SpiReadBackConfiguration is configured as <TRUE> in
'SpiGeneral' container.

ERR083120: The parameter 'SpiPortPinSelect' value in the container
'SpiJob<x>', should be configured as CSL<n> since 'CSIH<x>' is
configured.

This error will occur if SpiPortPinSelect is not configured when
SpiHwUnit is configured with CSIHn device.

ERR083121: The value of the parameter ‘SpiDataWidth’ in the
container ‘SpiChannel’ is not in the range of <7 to 32> since the
value of the parameter ‘SpiHwUnit’ in the container
‘SpiExternalDevice’ is configured as CSIGn.

43

Chapter 8
Messages

This error will occur, if the value of the parameter SpiDataWidth in the
container SpiChannel is not in the range of 7 to 32 and the value of the
parameter SpiHwUnit in the container SpiExternalDevice is configured as
CSIG<n>. Here <n> is integer numbers e.g. 0, 1, etc.

ERR083122: The SPI channel having channel id <value of the
parameter SpiChannelId> configured in the container ‘SpiChannel’
should be referred by any of the SPI job.

This error occurs, if configured SPI channel is not referred by any of the
SPI job.

8.2 Warning Messages

WRN083002: The value of parameter 'SpiDeviceAssignment' from
the container ‘short name of SpiJob container of one
SpiPortPinSelect’ and ‘short name of SpiJob container of another
SpiPortPinSelect’ should be same since the value of parameter
'SpiPortPinSelect' of respective jobs is same, the memory mode of
the respective Job's hardware unit is configured as
<DUAL_BUFFER_MODE or TX_ONLY_MODE> and the respective
jobs belong to the same sequence.

This warning occurs, if SpiDeviceAssignment parameter in SpiJob is not
same for the jobs having same SpiHwUnit and SpiPortPinSelect with in the
same SpiSequence and the memory mode of the respective Job's
hardware unit is configured as DUAL_BUFFER_MODE or
TX_ONLY_MODE.

WRN083004: The value for ‘SpiDmaMode’ should be configured as
<false> since the value of the parameter ‘SpiLevelDelivered’ is
configured as <0>. Hence configuration value for DMA will be ignored
for this configuration.

This warning occurs, if the value for parameter SpiLevelDelivered is 0 and
SpiDmaMode is configured as true.

WRN083005: The value of parameter 'SpiDataWidth' from
'SpiChannel' container is <value of parameter SpiDataWidth> and
the value of parameter 'SpiDefaultData' is <value of parameter
SpiDefaultData>. Hence only Least Significant Byte is considered
from the value of parameter 'SpiDefaultData'.

This warning occurs, if the value configured in the parameter
SpiDefaultData of container SpiChannel is greater than the value
(2 SpiDataWidth – 1) of the same container when, the value of
SpiDataWidthSelection in the container SpiGeneral is configured as
BITS_8.

WRN083006: The value of parameter 'SpiDataWidth' from
'SpiChannel' container is <value of parameter SpiDataWidth> and
the value of parameter 'SpiDefaultData' is <value of parameter
44

Messages
Chapter 8

SpiDefaultData>. Hence only Least Significant Word is considered
from the value of parameter 'SpiDefaultData'.

This warning occurs, if the value configured in the parameter
SpiDefaultData of container SpiChannel is greater than the value
(2 SpiDataWidth – 1) of the same container when, the value of
SpiDataWidthSelection in the container SpiGeneral is configured as
BITS_16.

WRN083007: The SPI jobs having Job Id <value of the
parameter‘SpiJobId’> configured in the container ‘SpiJob’
should be referred by any of the SPI sequence.

This warning occurs, if configured SPI job is not referred by any of the SPI
sequence in ECU Configuration Description File.

WRN083009: The value of parameter 'SpiDmaMode' from the
container 'SpiGeneral' is configured as <false> and the container
'SpiDma' is configured. In this case, the configuration provided in
'SpiDma' container is ignored.

This warning occurs, if the value of parameter SpiDmaMode from the
container SpiGeneral is configured as false and the container SpiDma is
configured. In this case, the configuration provided in SpiDma container is
ignored.

WRN083010: The value for parameter ‘SpiCsPolarity’,
‘SpiCsInactive’, ‘SpiInterruptDelayMode’, ‘SpiInputClockSelect’
or ‘SpiBaudrateConfiguration' from the container
'SpiExternalDevice' should be same since the memory mode of the
respective hardware unit is configured as <DUAL_BUFFER_MODE
or TX_ONLY_MODE> and the respective jobs belong to the same
sequence. Only the configured value(s) for the first Job is
considered.

This warning occurs, if the value for parameter SpiCsPolarity,
SpiCsInactive, SpiInterruptDelayMode, SpiInputClockSelect or
SpiBaudrateConfiguration from the container SpiExternalDevice is not
same, the memory mode of the respective hardware unit is configured as
DUAL_BUFFER_MODE or TX_ONLY_MODE and the respective jobs
belong to the same sequence. Only the configured value(s) for the first
Job is considered.

WRN083012: SpiMemoryModeSelection for Spi jobs value of the
SpiJob short name of the value of the SpiSequence should be
<TX_ONLY_MODE>, since the parameter
SpiHighPriorityHwSequence in the SpiSequence container is
configured as <true> for this sequence. Hence the generation
tool ignores the value configured for the parameter
SpiHighPriorityHwSequence for this sequence.

This warning occurs, if the SpiMemoryModeSelection for Spi jobs value of
the SpiJob short name of the value of the SpiSequence should be
<TX_ONLY_MODE>, since the parameter SpiHighPriorityHwSequence in
45

Chapter 8
Messages

the SpiSequence container is configured as <true> for this sequence.
Hence the generation tool ignores the value configured for the parameter
SpiHighPriorityHwSequence for this sequence.

WRN083079: The parameter 'SpiSeqStartNotification' in the container
'SpiSequence' should not be configured, since the pre-compile
parameter, SpiSeqStartNotificationEnable' in the 'SpiGeneral'
container is configured as false.

The warning occurs if value is configured for the parameter
'SpiSeqStartNotification ‘in the container 'SpiSequence' when the
parameter 'SpiSeqStartNotificationEnable' in the 'SpiGeneral' container is
configured as false.

WRN083080: The value of the parameters 'SpiCsIdleEnforcement' and
'SpiCsInactiveAfterLastData' in the container 'SpiExternalDevice0' are
ignored for any CSIG HW Unit.

The warning will occur if the values are configured for parameters
SpiCsIdleEnforcement and SpiCsInactiveAfterLastData in the container
SpiExternalDevice for a CSIG HW Unit.

WRN083081: The value of the parameter 'SpiCsInactiveAfterLastData'
in the container 'SpiExternalDevice' is ignored for any CSIH HW Unit
as 'SpiCsIdleEnforcement' is configured as true.

The warning will occur if the values are configured for parameters
SpiCsIdleEnforcement is true and SpiCsInactiveAfterLastData is false in
the container SpiExternalDevice for a CSIH HW Unit.

WRN083084: The parameter ‘SpiLevelDelivered’ is configured as <0>
and ‘SpiInterruptibleSeqAllowed’ in the container ‘SpiGeneral’ is
configured as <true>. Hence the value of parameter
‘SpiInterruptibleSeqAllowed’ in the container ‘SpiGeneral’ is ignored.

This warning occurs, if the parameter SpiLevelDelivered is configured as
0 (SPI Level 0 Driver) and SpiInterruptibleSeqAllowed in the container
SpiGeneral is configured as true. Hence value of the parameter
SpiInterruptibleSeqAllowed in the container SpiGeneral is ignored.

WRN083085: The parameter 'SpiHighPriorityHwSequence' in the
container ‘SpiSequence’ should not be configured as <true>. Since
the pre-compile parameter 'SpiHighPriorityHwHandlingEnable' in
the ‘SpiGeneral’ container is configured as <false>. Hence the
generation tool ignores the value configured for the parameter
'SpiHighPriorityHwSequence'.

This warning occurs, if the value of the parameter
SpiHighPriorityHwSequence configured in the container SpiSequence
is not to be configured as true. And the parameter
46

Messages
Chapter 8

SpiHighPriorityHwHandlingEnable in the container SpiGeneral should be
false. On that moment Generation tool ignores the value configured for
the parameter SpiHighPriorityHwSequence.

8.3 Information Messages

INF083001: The value of the parameter ‘SpiShiftClockIdleLevel’ in the
container ‘SpiExternalDevice’ configured is ignored since the value of
parameter ‘SpiHwUnit’ present in the container 'SpiExternalDevice' is
configured as <CSIGn>.

This information occurs, if the value of parameter SpiHwUnit present in the
container SpiExternalDevice is configured as CSIG<n> and the value of
the parameter SpiShiftClockIdleLevel in the container SpiExternalDevice is
configured. In this case the value of SpiShiftClockIdleLevel in the
container SpiExternalDevice is ignored. Here <n> is integer number e.g. 0,
1, etc.

INF083003: Calculated SPI baud rate for job ‘SpiJob’ in configuration
set ‘SpiDriver’ should be equal to <Calculated
Buadrate Hz>.

This information occurs to provide the calculated SPI baud rate for job
(SpiJob) in configuration set SpiDriver.
The calculation of baud rate is done as follows:

Baudrate = (Referred peripheral clock from MCU) /
[(2^m) * SpiBaudrateConfiguration * 2]

SpiInputClockSelect
 m
PCLK
0
PCLK_DIVBY_2
1
PCLK_DIVBY_4
2
PCLK_DIVBY_8
3
PCLK_DIVBY_16
4
PCLK_DIVBY_32
5
PCLK_DIVBY_64
6

INF083005: The parameters 'SpiCsIdleEnforcement', 'SpiCsIdleTiming',
'SpiCsHoldTiming', 'SpiCsInterDataDelay' and 'SpiCsSetupTime' from
the container 'SpiExternalDevice' should not be configured since the
parameter 'SpiHwUnit' present in the container 'SpiExternalDevice' is
configured as <CSIGn>.

This information occurs, if the parameters SpiCsIdleEnforcement,
SpiCsIdleTiming, SpiCsHoldTiming, SpiCsInterDataDelay and
SpiCsSetupTime are configured when the parameter SpiHwUnit in the
container SpiExternalDevice is configured as CSIG<n>. Here <n> is
integer number e.g. 0, 1, etc.

INF083006: The HW unit <value of the parameter SpiSynchHwUnit>
published in the parameter ‘SpiSynchHwUnit’ of the container
47

Chapter 8
Messages

‘SpiCsig<m>/SpiCsih<n>’ is not configured as <SYNCHRONOUS>
for any of the hardware units selected for jobs.

This information occurs, if the value of the parameter SpiSynchHwUnit
configured in the container SpiCsig<m> or SpiCsih<n> is not configured
as SYNCHRONOUS for hardware units selected for any of the jobs.
Here <m> and <n> are integer numbers e.g. 0, 1, etc.

INF083008: The DMA trigger configured for hardware unit "CSIH1"
mentioned in the parameter 'SpiDmaTrigCtrlOnCS' does not match
with the hardware unit "CSIH0" of the parameter 'SpiDmaHwUnit' in
the container 'SpiDma', hence the value configured for the
parameter 'SpiDmaTrigCtrlOnCS' is ignored.

This information occurs, if the hardware unit configured in the parameter
SpiDmaTrigCtrlOnCS does not match with the hardware unit configured in
the parameter SpiDmaHwUnit of SpiDma container.

48

Notes Chapter 9
Chapter 9 Notes

“Generation Tool” and “Tool” terminologies are used interchangeably to
refer SPI Driver Generation Tool.

49

Chapter 9
Notes

50

                  Revision History

Sl.No.  Description
Version
Date
1.
Initial Version
1.0.0
24-Oct-2013
2.
Error message numbers updated.
1.0.1
28-Jan-2014

3.
Error message ERR083093 and ERR083094 are updated and
1
.0.2
29-Apr-2014
ERR083118 and ERR083119 are added.
4.
The information message INF083003 is updated for baud rate
1.0.3
12-May-2014
formula.
5.
1. Parameter SpiReadBackConfiguration is removed from table of Error  1.0.4
23-Jul-2014
message ERR083004.
2. The information message INF083008 is added.
3. Parameter SpiLoopBackSelfTest is added in table of Error message
ERR083004.
4. Error message ERR083119 is removed,   INF083004 is made as
WRN083084,   ERR083072 is updated and ERR083121 is added.
5. INF083007 is made as WRN083085, Error message ERR083085 is
reformulated and for ERR083084 table is added.
6.  ERR083120 is added.
6.
1. Error message ERR083118 is removed.
1.0.5
22-Oct-2014
2. Description of error message ERR083041 is updated.
3. Reference Documents section is updated.
4. Chapter 4 remark section is updated.
5. Chapter 6 is updated for the precautions.
6.  Parameter SpiLoopBackSelfTest is removed in table of Error
message ERR083004.
7. Parameter SPI_E_SELF_TEST_FAILURE is removed from error
messages ERR083093 and ERR083094.
7.
1. Error messages ERR083005, ERR083018 and ERR083037 are
1.0.6
19-Nov-2014
rephrased.
8.
Following changes are made:
1.0.7
16-May-2015

1. Updated section 2.1 ‘Reference Documents’ to correct the name and
version of Parameter Definition Files.
2. Section 8.1 and  Section 8.2 is modified for removing warning and
adding error message ( WRN083001 to ERR083122)

51

AUTOSAR MCAL R4.0.3 User's Manual
SPI Driver Component Ver.1.0.7
Generation Tool User's Manual

Publication Date: Rev.0.02, May 16, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  d
etailed  information.
Renesas  Electronics America  Inc.
2880  Scott  Boulevard Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics Canada  Limited
1101  Nicholson Road,  Newmarket, Ontari o  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf, Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics (Shanghai) Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics Hong  Kong  Limited
Unit  1601-1613, 16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok, Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics Singapore Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  Keppel  Bay  Tower,  Singapore 098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcor,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics Korea  Co.,  Ltd.
11F,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User’s Manual

Document Outline

22.7 - Spi Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Spi

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Spi_Renesas_Ar4.0.3_01.06.00_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3179

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

23 - Transport Protocol

Transport Protocol

Component Documentation

23.1 - TechnicalReference_TransportProtocolMultiConnection

YourTopic

23.2 - TechnicalReference_TransportProtocolMultiConnection_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126
Page 127
Page 128
Page 129
Page 130
Page 131
Page 132
Page 133
Page 134
Page 135
Page 136
Page 137
Page 138
Page 139
Page 140
Page 141
Page 142
Page 143
Page 144
Page 145
Page 146
Page 147
Page 148
Page 149
Page 150
Page 151
Page 152
Page 153
Page 154
Page 155
Page 156
Page 157
Page 158
Page 159
Page 160
Page 161
Page 162
Page 163
Page 164
Page 165
Page 166
Page 167
Page 168
Page 169
Page 170
Page 171
Page 172
Page 173
Page 174
Page 175
Page 176
Page 177

23.3 - TechnicalReference_TransportProtocolMultiConnections

Technical Reference Transport Protocol ISO15765-2

Transport Protocol ISO15765-2
Technical Reference

Single/Multiple Connection
Version 3.14.00

Authors
Oliver Garnatz, Andreas Pick, Peter Herrmann,
Thomas Dedler
Status
Released

2013, Vector Informatik GmbH
Version: 3.14.00
1 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Document Information
History
Author
Date
Version
Remarks
Rein
1999-06-22
1.0
File created
Baeuerle
1999-11-02
1.42
Description of connection
specific timing parameters
added
Ebner
2000-07-17
1.51
Single connection version
removed; documents only
contains multiple connection
extensions
Garnatz
2000-09-19
2.03
Adaptation to new
MultiConnection TP
Garnatz
2001-02-09
2.07
Added new functionality
Garnatz
2001-05-11
2.10
Update new Generation Tool
versions
Garnatz
2001-09-14
2.17
General improvement;
Update to version 2.17 of
tpmc.c module
Garnatz
2002-01.24
2.27
SingleConnection version is
added; Protocol-Overview is
added
Garnatz
2002-06-18
2.33
Added restrictions for data
consistency
Pick / Garnatz
2002-10-16
2.36
Update: CAN Driver in polling
mode
Added: Fast transmission of
ConsecutiveFrames
Update: Usage of TransmitCF
parameter
Garnatz
2002-11-29
2.37
General rework
Garnatz
2003-01-16
2.39
Update:
TpTransmit/CopyToCan/Appl
TpCheckTA
Garnatz
2004-01-13
2.44
Update: ApplTpCopyToCAN
Pick
2004-03-01
2.52
Update: Mixed 29-bit ID
addressing
TpRxGetCanBuffer
TpRxSetBufferOverrun
TpRxGetAddressExtension
TpTxSetAddressExtension
Pick
2004-05-14
2.60
Multiple ECUs example
Restriction on
TpTxStateTask/TpRxStateTas
k
Tx/Rx message buffer
2013, Vector Informatik GmbH
Version: 3.14.00
2 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
consistency clarification
Return value of
ApplTpPreCopyCheck
Mixed 11-bit ID addressing
TpTransmit() return values
Added TpCanChannelInit()
Added TpRxSetTransmitID()
Changed
TpRxSetBufferOverrun
Changed
ApplTpTxCopyToCAN
Changes in chapter ‘How to
serve Different
               Connections (only
dynamic channels)’.
Pick
2004-12-01
2.68
Added description for GENy
configuration tool
(ESCAN00008734).
Update of API description
(ESCAN00008314).
Feature list added
(ESCAN00008315).
Prototype parameter
corrected (ESCAN00009965)

Pick
2005-04-07
2.72.00
Added description for multiple
addressing systems.
C++ access to TPMC.
Pick
2005-07-14
2.73.00
Added description for GENy
configuration
Herrmann
2005-07-19
2.73.00
Added new API functions:
TpRxSetWaitCorrectSN,
TpTxSetStrictFlowControlChe
ck
Herrmann
2005-08-11
2.73.00
Added new API functions:
TpRxSetTimeoutConfirmation
,
TpTxSetTimeoutConfirmation,
TpRxSetTimeoutCF,
TpTxSetTimeoutCF
Garnatz
2006-01-13
2.80.00
Added deviation to ISO
15765-2
Herrmann
2006-02-08
2.82.00
ISO 15765-2 deviations
elaborated
Herrmann
2006-03-03
2.86.00
Cleanup (ESCAN15514)
Herrmann
2006-03-23
2.86.00
ISO 15765-2 deviations
elaborated
Herrmann
2006-04-11
2.87.00
General rework after review
Herrmann
2006-07-03
2.89.00
Added WaitFrame handling.
2013, Vector Informatik GmbH
Version: 3.14.00
3 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Herrmann
2007-02-01
2.90.00
Added OEM feature
TP_ENABLE_STRICT_DL_C
HECK
Herrmann
2007-02-23
2.91.00
Added feature
TP_DISABLE_MF_RECEPTI
ON
Herrmann
2007-03-14
2.92.00
Added ApplFuncTpPrecopy
callback description and
reduced TpRxResetChannel
API usage to indication point
in time or after.
Herrmann
2007-09-20
2.93.00
Completed Multiple ECU
description (see chapter
7.3.1). Added TpRxGet-
AddressingFormat /
AssignedDestination
description.
 VERSION 3.xx
Herrmann
2007-10-15
3.00.00
Added description for new
TpClass
“Dispatched<AddressingType>”
Herrmann
2007-11-20
3.01.00
Cosmetics / Syntax
Herrmann
2008-01-14
3.02.00
New API:
TpTxGetTargetAddress
Herrmann
2008-02-12
3.03.00
Minor corrections within API
descriptions
(ApplTpTxErrorIndication,
TpRxGetCanBuffer)
Herrmann
2008-04-17,
3.04.00
Added description for

TP_ENBLE_DYN_CHANNEL_TIM
ING.
2008-07-17
Added description for the usage
of extended identifiers for
normal addressing as well at
configuration time as also
dynamically at runtime
(TP_USE_EXT_IDS_FOR_NO
RMAL).
Herrmann
2008-12-10
3.05.00
Added description for
GenMsgDelay attribute in
chapter 3.4.1
Herrmann
2009-01-25
3.07.00
Adapted version number to
ALM package number (3.06.00
skipped)
Herrmann
2009-11-25
3.08.00
Added description for reception
and transmission without flow
control frames for dyn.
(TpRxWithoutFC,
TpTxWithoutFC) and static
2013, Vector Informatik GmbH
Version: 3.14.00
4 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
(TpTxFlowControl,
TpRxFlowControl
) Tp classes.
Herrmann
2010-01-12
3.09.00
Enhanced description for DLC
checks on the Rx side (see
2.4.2.5).
Added API functions for 29-Bit
ext. Id dynamic handling.
Heil
2010-11-08
3.10.00
Added more flexibility for DLC
checks on the Rx side (see
2.4.2.5)
Herrmann
2011-01-19
3.11.00
Moved
TP_MEMORY_MODEL_DATA
from user config file to GENy
Herrmann
2011-04-05
3.12
ESCAN00051019: Added new
(customer specific) pre-compile
switches:
TP_ENABLE_IGNORE_FC_RE
S_STMIN,
TP_ENABLE_IGNORE_FC_OV
FL (see 3.2.3).
Herrmann
2011-07-11
3.13
ESCAN00051019: Added

support for the dynamic setting
of  29-bit CAN-IDs (see
Dedler
2011-09-21
4.2.2.31, 4.2.2.32, 4.2.3.29,
4.2.3.30).
Added new pre-compile switch:
TP_USE_UNEXPECTED_FC_
CANCELATION (see 3.2.3).
Dedler
2012-04-10
3.13.01
Description of
TpRxGetCanBuffer modified
according to ESCAN00057225
Dedler
2013-04-30
3.14.00
Description for non-standard
flow control handling updated
(3.2.3)

Reference Documents
No.
Title
[1]    /ISO/TF2/:  ISO FDIS 15765-2; Road vehicles — Diagnostics on CAN — Part 2: Network
layer services;
Date 2004-07-16
[2]    /OSEK-COM/:  OSEK/VDX Communication Version 2.1, revision 1 17th June 1998
[3]    /CANDrv/:  Manual for CAN Driver in used version
[4]    ISO15765-2:  ISO TC 22/SC 3;  ISO 15765-2:2003(E); Road vehicles — Diagnostics on
controller area network (CAN) — Part 2: Part 2: Network layer services

2013, Vector Informatik GmbH
Version: 3.14.00
5 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

Caution
We have configured the programs in accordance with your specifications in the
questionnaire. Whereas the programs do support other configurations than the one

specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2013, Vector Informatik GmbH
Version: 3.14.00
6 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
1  Introduction
1.1
Relation between general component and shipped version capability
We  have  configured  the  programs  in  accordance  with  your  specifications  in  the
questionnaire.  Whereas  the  programs  do  support  other  configurations  than  the  one
specified  in  your  questionnaire,  Vector’s  release  of  the  programs  delivered  to  your
company  is  expressly  restricted  to  the  configuration  you  have  specified  in  the
questionnaire.

This implementation and this user manual are based on the documents, listed above.

It is important to know the documents above-mentioned for a better understanding
and the use of this manual.
/OSEK-COM/  defines different  kinds  of  transmissions.  One  of  them  is  the  USDT  (Unack-
nowledged  Unsegmented  Data  Transfer).  It  is  standardized  together  with  ISO/TC22/SC3
„Diagnostics on CAN“. The result of this standardization is the ISO Spezification15765-2.
The  presented  Vector-Implementation  is  based  on  the  harmonized  specification  between
OSEK-COM and ISO. The implementation is suitable for diagnostic purposes (KWP2000)
as well as for „long“ messages in „normal“ use.
Task  of  the  transport  layer  is  to  transmit  messages,  which  might  be  longer  than  a  CAN-
message.  If  messages  do  not  fit  into  a  CAN-message,  they  will  be  segmented  by  the
transport protocol to be transmitted.
Today  the  ISO/TF2-transport  protocol  is  mainly  used  for  diagnosis  applications  in  motor
vehicle. Most of all KWP2000 is used as a diagnosis protocol.
The introduction is followed by a brief overview of the architecture in the third chapter. On
one  side  the  most  important  points  of  the  specification  can  be  seen  there  (see  also
/ISO/TF2  and  /OSEK-COM/)  and  on  the  other  side  this  explains  the  main  ideas  of  this
implementation.
The fourth chapter presents how to set up the transport protocol in the “Generation Tool”.
The fifth chapter contains a description of user interfaces of implementation.
Transmission attributes and callback functions are presented in a table in chapter 5.
Rules to integrate CANbedded modules in customer projects are content of chapter 5, 6.
Chapter 7 is introducing a more advanced usage of the TP.
The last chapter contains an example for the user.

2013, Vector Informatik GmbH
Version: 3.14.00
15 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
1.2
Name Conventions
The prefix of a function name determines the module to which it belongs.
Prefix
Remark
ApplTp...
These functions must be defined within the customer’s application and were called
by the Transport Layer module. The modules, which use functions of the Transport

Layer, are always called application in this manual.
ApplTpRx
Hook-Functions which belong to the “reception part” of the TP.
…
ApplTpTx
Hook-Functions which belong to the “transmission part” of the TP.
…
Can...
Functions belong to the CAN-Driver.
TpRx...
Functions belong to the “reception part” of the Transport Layer.
TpTx…
Functions belong to the “transmission part” of the Transport Layer.
Table 1-1 Name Conventions
2013, Vector Informatik GmbH
Version: 3.14.00
16 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
1.3
Abbreviations
List of abbreviations in use:
AE
Address Extension
AI
Address Information
AK
Acknowledge
AR
Acknowledge Request
ASDT   Acknowledged Segmented Data Transfer
BS
Block Size
CF
Consecutive Frame
CTS
Clear To Send
DL
Data Length
FC
Flow Control
FF
First Frame
FS
Flow Status Control
ID
Identifier
SF
Single Frame
SN
Sequence Number
ST
Separation Time
TA
Target Address
TP
Transport Protocol
TPCI   Transport Protocol Control Information
USDT   Unacknowledged Segmented Data Transfer
UUDT  Unacknowledged Unsegmented Data Transfer
WT
Wait
XDL   extended Data Length
Table 1-2    Abbreviations
1.4
Channel vs. Connection
A (transport) channel is the physical part of the communication link, containing the
reception-/transmission mechanism. It can be understood as an instance of TPMC in an
object oriented meaning. Each channel can handle one connection at one point in time.
A connection describes a logical communication link between two ECU’s. In the
communication matrix it is a fixed assignment between these ECU’s to interchange data
(e.g. the diagnostic request and response message between the Tester and an ECU).
A connection includes all necessary communication parameters for the used addressing
mode (e.g. CAN-channel, CAN-IDs, Source-and Target Addresses, Base-Addresses, etc).
2013, Vector Informatik GmbH
Version: 3.14.00
17 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
1.5
TP classes
1.5.1
SingleTP classes
In  a  Single  TP  class  only  one  connection  is  possible,  which  is  using  the  only  available
TpChannel.
1.5.2
Static MultiTP classes
While using Static TP classes every connection is fixed assigned to a TpChannel.
1.5.3
Dynamic MultiTP classes
The  idea  of  dynamic TP  classes  is  to  use  the  circumstances  that  not  all  connections are
used at the same time. Therefore a connection is necessary allocating a TpChannel at run-
time.
1.5.4
Dispatched MultiTP classes
The  “Dispatched”  MultiTP  class  was  introduced  to  disburden  the  application  from  the
dispatching job.
Using  the  “Dynamic  MultiTP”  classes,  which  support  only  one  single  set  of  callback
functions  for  all  connections  together,  the  dispatching  of  the  actual  destination  has  to  be
performed by the application.
Using  the  “Dispatched  MultiTP”  classes  all  of  the  dispatching  work  is  done  within  the
TPMC.
“Dispatched MultiTP” is located between static and dynamic TP classes.
Transmission
The new allocated TpChannel has included blank communication parameters only, except
for  the  connection-handle  (tpChannel  =  TpTxGetFreeChannel(connection)).    To
establish  the  connection  it  is  necessary  to  assign  the  connection  parameters  to  the
TpChannel. The TpChannel is always used to refer to the connection (like a handle). Every
callback- or API-function has the tpChannel as a parameter.
Reception
If a Single- or FirstFrames is received the Transport Protocol is searching internally for a
free  TpChannel.  If  a  free  TpChannel  is  found  a  data  buffer  will  be  requested  by  calling
ApplTpRxGetBuffer() from the application. Within this function the application has also
to decide to which connection the received TP frame belongs.
2013, Vector Informatik GmbH
Version: 3.14.00
18 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
1.6
SingleConnection vs. MultipleConnection
The  TPMC  component  has  two  different  operation  modes:  a  SingleConnection  and  a
MultipleConnection  mode.  The  MultipleConnection  mode  has  the  capability  to  handle
different  transmissions  and  receptions  at  the  same  time  like  ECU  1  in  figure  1.  If
SingleConnection mode is used only one transmission and one reception (one full-duplex
connection) can be performed at  the same time (ECU  3 and ECU 4). A typical usage for
the SingleConnection mode is a diagnostic connection.
The  SingleConnection  mode  needs  lower  resources  (ROM  and  runtime),  than  the
MultipleConnection mode.
ECU 2
ECU 4
1
1

2
n
n
n
o
o
o
C
C
Con 3
C
ECU 1
Con 4
ECU 3
Con 4

Figure 1-1 SingleConnection vs. MultipleConnection
1.7
Features
The  main  focus  while  the  development  of  the  Transport  Layer  is  an  easy  to  handle  and
flexible application interface.
>  Therefore the buffer handling should be done by the application itself. This is more
flexible than a static buffer handling internally by the Transport Layer.
>  Each accepted order to the TP will be acknowledged only once – positive or
negative.
>  Full-duplex capability - every reception is independent from every transmission and
the other way round.
>  The static MultipleConnection TP supports connection-specific callback functions.
>  SingleConnection mode with lower resource demands.
>  Full ISO compliance
>  Non-ISO extensions like ‘zero-padding’; ‘connections without FlowControls’
>  Multiple addressing mode support (Normal- and Extended Addressing at the same
time in the same ECU)

1.7.1
Feature List
Not any version of TPMC offers any mentioned feature
2013, Vector Informatik GmbH
Version: 3.14.00
19 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Feature
Short Description
) f
of

/
ytil
on
i
(
abli
va
efault
A
D
General Features

Normal Addressing
Liz
11bit CAN ID Addressing, CAN ID identifies TP
-
message
Extended Addressing
Liz
11bit CAN ID Addressing, Source Address in CAN ID
-
and Target Address in first data byte
Normal Fixed
Liz
29bit CAN ID Addressing, Source and Target Address in -
Addressing
CAN ID
Mixed 11bit CAN ID
Liz
11bit CAN ID Addressing, CAN ID identifies TP
-
Addressing
message, first data byte used for AddressExtension 
Gateway
Mixed 29bit CAN ID
Liz
29bit CAN ID Addressing, Source and Target Address in -
Addressing
CAN ID, first data byte used for AddressExtension 
Gateway
Multiple Addressing
Liz
Combination of former mentioned addressing types
-

Static channel

Assignment between channel and connection is fixed at
assignment
compile time.
Advantage in opposite to dynamic assignment is better
efficiency (code + runtime)
Dynamic channel

Flexible pool of channels, which can be assigned to

assignment
connections at runtime. If no channel is free the request
is rejected. Nr of channels can be <= connections.
(Time division multiplexing)
C++ access to TPMC

C++ applications can access TPMC. Header declared

as extern C.
Additional OBD

Additional receive path to handle OBD requests at any

reception capability
time, independent to allocated channel resources.
Receiving Features

Extended API STmin

Enables functions to set and get the STmin value for a
Off
TpChannel.
Extended API

Enables functions to set and get the BS value for a
Off
BlockSize
TpChannel.
Precopy check / Check
Forwards CAN Driver Precopy callback from TPMC to
Off
TA function
application. Used for special purposes.
Check Target Address
Mixed29, Forwards CAN Driver Precopy callback from TPMC to
Off
former called:
Normal
application. Parameter TargetAddress is evaluated by
Application Precopy
Fixed
application. Return value 0xFF rejects reception.
Channel specific timing Static
Assigns individual timing values to each channel.
Off
TPMC
2013, Vector Informatik GmbH
Version: 3.14.00
20 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Custom Rx Memcopy

TP calls ApplTpRxCopyFromCAN callback function to
Off
enable the application copying the CAN frame data
itself.
Rx Channel without FC  Multi
No FC used in transport protocol communication.
Off
TPMC
Fast Precopy
Extended Target Address is not evaluated when receiving a TP
Off
,
frame.
Mixed29,
Normal
Fixed
Transmission of FC in

The FC is sending in CAN RX IRQ forced from FF and
On
ISR
last CF out of a block.
Fix Rx DLC Check

Check compares actual DLC with expected frame
Off
length (CAN: 8).
Variable Rx DLC Check
Check compares actual DLC with minimum expected
On
frame length. Check is TPMC frame type depending.
Functional FC Wait

Non ISO feature: A functional FC with flow status wait is  Off
supported to reload with functional addressing the
timeout timer awaiting physical FC.
Strict length check

If variable Rx Dlc is enabled then the minimum byte
Off
count is checked. If more bytes than announced in the
PCI byte (SF and last CF) are received then the frame
is accepted nevertheless. When the strict length check
feature is enabled (#define
TP_ENABLE_STRICT_DL_CHECK) then all frames which do
not exactly match the PCI-DL value are ignored.
Suppress Multi - frame

For some applications, which use only Single Frames
Off
reception
on the Rx side, the reception of Multi Frames can be
disabled by setting the TP_DISABLE_MF_RECEPTION
switch via a user configuration file.
The benefit is the smaller resource consumption. The
remaining Single Frame reception is unaffected.
Transmission

Features
Use STmin of FC

The STmin value is used from the FC.
Off
See also TxTransmitCF.
Analyze first FC only

Only first FC values are analyzed to set STmin and
Off
BlockSize.

Custom TX Memcopy

TP calls ApplTpTxCopyToCAN callback function to
Off
enable the application copying the TX data to the CAN
frame.
TX Channel without FC  Multi
Transmission without waiting for a FC. In dynamic TP
Off
TPMC
classes this feature can be activated for each channel.
Fast TX Transmission

Enables the application to send TP frames in cycle time  Off
faster than TpTxTask() cycle time.
Transmission of FC in

Directly response with FC in IRQ context of received FF  On
ISR
or CF.
Variable DLC

The DLC is adapted for SF, FC and last CF as indicated  Off
by addressing type and data amount.
2013, Vector Informatik GmbH
Version: 3.14.00
21 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Ignore FC content

FC is required for proceeding but standard values are
Off
used instead of received ones.
TX Handle Changeable
The used CAN Driver handle can be changed while
Off
runtime – has to be used with special care
No STmin after FC

No STmin time is kept after receiving a FC before
Off
sending next CF.
TX min timer

If the database attribute ‘GenMsgDelayTime’ has a
Off
value unequal to zero, the TP observes this minimum
time between two transmissions.

Special Features

Gateway API

Extended API to support Gateway requirements (TP

message routing)
Multiple ECU NR

Source- and TargetAddress can be modified while

runtime
Multiple ECU

Optimized support for physical multiple ECU

configurations.
Multiple Base Address
Extended  More than one Base Address can be used

BufferOverrun

If the request size exceeds the buffer size, this feature
off
Indication
can be used to receive the request anyway, without
copy the CF data.
Queue in ISR
Dynamic  The next queued element (if available) will be
on
TP-
transmitted within TX-ISR.
classes
ISO Compliancy

Distinguish between early ISO spec drafts and newer
on
ones concerning STmin interpretation, DataLength = 0
behavior and CF sequence error treatment.
Frame Padding

SF and last CF frame are padded out with a pattern
oem
given in the generation tool.
, off
Priority inversion

Prevents TPMC to interrupt a multi frame
on
protect
transmission/reception when transmission and
reception events are in wrong order processed (RX
event with higher priority than Tx event).
See also “2.5.1”.
Runtime checks

Runtime condition checks
off
Strict message flow

Illegal FlowControl frames will suspend a running
on
check
transmission – with same addressing information
Diag Functional
CANDes
Capability to handle functional diagnostic requests
on
channel
c (basic)  within TPMC (only for Vector Diag components e.g.:
CANDesc)

Table 1-3    Feature List
2013, Vector Informatik GmbH
Version: 3.14.00
22 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
2  Architecture Overview
This chapter describes the basic functionality of the Transport Protocol and its main ideas
applying to the Vector implementation of the Transport Protocol. Particular functions of the
Transport Protocol modules, as well as its configuration are described in later chapters.
The  main  idea  of  the  Vector  implementation  is  to  provide  an  interface,  which  is  easy  in
operation  and  adequate  for  most  applications.  The  implementation  is  quite  efficient
regarding ROM and RAM as well as run-time requirements.
2.1
Requirements
This chapter shows basic requirements of the implementation of the Transport Protocol.
2.1.1
Protocol-Overview
The Task of the transport protocol is to transmit messages, which are generally longer than
a CAN message. If a message is very short, it is transmitted unsegmented within TP.
2.1.1.1
Construction of unsegmented messages
Sender
Receiver
DataLength = 2, DL=$2;
SingleFrame(SF)[(PCI.DL=2,xx.. ]
DataLength = 2
DL=$2

Figure 2-1 Example of unsegmented message
Unsegmented  messages  are  transmitted  by  a  SingleFrame  message.  SingleFrame
messages  can  have  a  length  of  7  data  bytes  at  a  maximum  (normal  addressing  s.b.)
respectively 6 data bytes (extended addressing, s.b.). There is no Flow-Control (s.b.).
2.1.1.2
Construction of segmented messages
Messages,  which  do  not  fit  into  a  SingleFrame  are  sent  by  a  sequence  of  single  CAN
frames. The receiver is informed of the length of the whole message in the FirstFrame by
the  sender.  ISO/TF2  defines  here  a  maximum  length  of  4095  bytes  for  user  data.  The
receiver  answers  with  a  FlowControl.  The  receiver  gives  the  BlockSize  and  the
SeparationTime  STmin  to  the  sender  in  this  FlowControl.  The  BlockSize  controls  the
number of ConsecutiveFrames,  which might  be sent  by the sender before waiting for the
receivers’ FlowControl (status). The minimum value of the SeparationTime STmin describes
the minimum sending distance between two ConsecutiveFrames, which can be processed
by  the  receiver.  The  sender  transmits  the  maximum  BlockSize  ConsecutiveFrames  after
the reception of the FlowControl. The receiver does not answer it with a FlowControl, if all
data has been transmitted.
2013, Vector Informatik GmbH
Version: 3.14.00
23 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Sender
Receiver
First Frame[(PCI.XDL=$
DataLength = 36
0, DL=$24,xx.. ]
XDL = $0, DL = $24
DL=$2
Flow Control frame
with impicite
Flow Control[PCI.FS, FC.BSmax=$3,FC,STmin, xx]
connection set-up
Consecutive Frame[PCI.SN=1, xx,xx..
Multiple
.]
consecutive
Consecutive Frame[
frames
PCI.SN=2, xx,xx...]
Consecutive Frame[PCI.SN=3, xx,xx...]
Flow Control frame
because
Flow Control[PCI.FS, FC.BSmax=$3,FC,STmin, xx]
SN=BSmax
The last
Conse
consecutive
cutive Frame[PCI.SN
frame include
=4, xx,xx...]
2 valid user
Conse
data bytes
cutive Frame[PCI.SN=5, xx,xx...]
End of multiple
frame

Figure 2-2 Construction of segmented message
2.1.2
Addressing modes
To handle the communication the Transport Protocol is using a Point-to-Point connection.
To establish a Point-to-Point transfer on a broadcast protocol like CAN additional address
information is needed (a source address for the transmit node and a target address for the
receive node).
The ISO/TF2 transport protocol defines four modes of addressing:
„Normal“ addressing
The CAN ID contains the complete addressing information (to each
source- and target address combination a unique CAN ID is assigned)
„Extended“ addressing  The CAN ID contains only the source address and the first data byte
contains the target addressing information.
“Normal fixed”
The extended CAN ID contains the complete addressing information
addressing
according J1939
“Mixed” addressing
Additionally to the extended CAN ID, according J1939, the first data
byte contains a second target address information.
Since ISO15765-2: 2003 the additional addressing mode mixed
addressing on 11-bit CAN IDs is defined. The address extension is
stored in the first byte followed by the TPCI information.
Table 2-1    Addressing Modes
2013, Vector Informatik GmbH
Version: 3.14.00
24 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
The  Vector  TP  implementation  supports  all  addressing  mode.  The  used  addressing
method is normally determined at  compile-time regarding ROM  and RAM as well as run-
time  requirements.  For  special  purpose  it  is  also  possible  to  determine  the  used
addressing method at run-time (special version of the TPMC-module is needed).
2.1.2.1
Normal Addressing
The address information is coded in a unique CAN Identifier.
The  Transport  Protocol  uses  the  1st  and  sometimes  2nd  data  byte.  The  data  length  is
coded in 12bits. Therefore the maximum length of a message is limited to 4095 bytes. The
receivers’  control  information  (maximum  block  size  and  minimum  SeparationTime)  is
transmitted to the sender within a FlowControl.

Type
Byte 0
Byte 1
Byte 2
Byte 3
Byte 4
Byte 5
Byte 6
Byte 7
TPCI
SingleFrame
Data
Data
Data
Data
Data
Data
Data
Type
Length
TPCI
DataLength
FirstFrame
Data
Data
Data
Data
Data
Data
Type
Length
Length
Consecutive
TPCI
Data
Data
Data
Data
Data
Data
Data
Frame
Type
SN
TPCI
FlowControl
BS
ST
max
min
Type
FS

Table 2-2    Frame size on normal addressing
2.1.2.2
Mixed 11-bit ID Addressing
Mixed  11-bit  addressing  is  a  sub-format  of  normal  addressing  (refer  above)  where  the
mapping of the address information is further defined (see ISO 15765-2:2004).
The target address extension information is placed in the first data byte of the CAN frame
(see ISO 15765-2:2004) followed by the TPCI information in byte two.
2.1.2.3
Normal Fixed Addressing
Normal  fixed  addressing  is  a  sub-format  of  normal  addressing  (refer  above)  where  the
mapping  of  the  address  information  into  the  (extended)  CAN-Identifier  is  further  defined
(see ISO 15765-2).
J1939 name
P
R/DP
PF
PS
SA
Data field
Bits
3
2
8
8
8
64
ProtocolGroup
Target-
Source-
Content
Priority Reserved
TPCI/Data
Identification
Address
Address
CAN Id Bits
26-28
24-25
16-23
8-15
0-7
CAN data bytes
CAN Field
Identifier
Data

Table 2-3    CAN ID normal fixed addressing
For information about the “data field” see 2.1.2.1.
2.1.2.4
Extended Addressing
The  source  address  is  coded  into  the  CAN  ID  by  adding  the  address  to  a  base  CAN  ID
(e.g.:  with  a  base  CAN  ID  0x600  and  a  source  address  of  0x10  the  used  CAN  ID  are
0x610)
2013, Vector Informatik GmbH
Version: 3.14.00
25 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
The target address information is placed in the first data byte of the CAN frame (see ISO
15765-2).
Type
Byte 0
Byte 1
Byte 2
Byte 3
Byte 4
Byte 5
Byte 6
Byte 7
TPCI
SingleFrame
ext Addr
Data
Data
Data
Data
Data
Data
Type
Length
TPCI
DataLength
FirstFrame
ext Addr
Data
Data
Data
Data
Data
Type
Length
Length
Consecutive
TPCI
ext Addr
Data
Data
Data
Data
Data
Data
Frame
Type
SN
TPCI
FlowControl
ext Addr
BS
ST
max
min
Type
FS

Table 2-4    Frame size extended addressing
2.1.2.5
Mixed 29-bit ID Addressing
Mixed 29-bit ID addressing is a sub-format of normal fixed addressing (refer above) where
the  mapping  of  the  address  information  into  the  (extended)  CAN-Identifier  is  further
defined (see ISO 15765-2).
The target address extension information is placed in the first data byte of the CAN frame
(see ISO 15765-2).
Type
Byte 0
Byte 1
Byte 2
Byte 3
Byte 4
Byte 5
Byte 6
Byte 7
Address
TPCI
SingleFrame
Data
Data
Data
Data
Data
Data
Extension
Type
Length
Address
TPCI
DataLength
FirstFrame
Data
Data
Data
Data
Data
Extension
Type
Length
Length
Consecutive
Address
TPCI
Data
Data
Data
Data
Data
Data
Frame
Extension
Type
SN
Address
TPCI
FlowControl
BS
ST
max
min
Extension
Type
FS

Table 2-5    Frame size extended addressing

2.1.2.6
Structure of TPCI-Byte
The coding of the TPCI of each frame type is shown in Table 2-6    Structure
of
TPCI-
bytes.

Encoding of Protocol Control Information (PCI)
2013, Vector Informatik GmbH
Version: 3.14.00
26 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
1.
Network Protocol Control Information (N_PCI) bytes
2.
Byte #1
Byte #2
Byte #3
N_PDU name
Bits 7-4
Bits 3-0

SingleFrame
N_PCItype = 0
SF_DL
N/A
N/A
FirstFrame
N_PCItype = 1
FF_DL
N/A
ConsecutiveFrame
N_PCItype = 2
SN
N/A
N/A
FlowControl
N_PCItype = 3
FS
BS
STmin
Table 2-6    Structure of TPCI-bytes
Hex value
Description
0
SingleFrame

For unsegmented message, the network layer protocol provides an optimised implementation of the
network protocol with the message length embedded in the PCI byte only. SingleFrame (SF) shall be
used to support the transmission of messages that can fit in a single CAN frame.
1
FirstFrame

A first frame (FF) shall only be used to support the transmission of messages that cannot fit in a single
CAN frame, i.e. segmented message. The first frame of a segmented message is encoded as a
FirstFrame (FF). On receipt of a FirstFrame the receiving network layer entity shall start assembling the
segmented message.
2
ConsecutiveFrame

When sending segmented data, all consecutive frames following the first frame (FF) are encoded as
ConsecutiveFrames (CF). On receipt of a Consecutive Frame (CF) the receiving network layer entity
shall assemble the received data bytes until the whole message is received. The receiving entity shall
pass the assembled message to the adjacent upper protocol layer after the last frame of the message
has been received without error.
3
FlowControl

The purpose of Flow Control is to regulate the rate at which Consecutive Frame network protocol data
unit are sent to the receiver. Three distinct types of Flow Control protocol control information are
specified to support this function. The type is indicated by a field of the protocol control information called
Flow Status (FS) as defined hereafter.
4 - F
Reserved

This range of values is reserved by this document.

SF_DL on SingleFrame
Contains the data length of the message (up to 7 bytes with normal
resp. up to 6 bytes with extended addressing).
FF_DL on FirstFrame
Contains the data length of the message. The most significant 4 bit
of the data length in byte #1, the remaining 8 bits are transmitted in
byte #2.
SN on ConsecutiveFrame
The Sequence Number is used to discover a doubling or the loss of
a data frame. The SN starts with ‘1’ and is calculated modulo ‘16’ (4
bit calculation).
FS on FlowControlFrame
‘0’ means CTS (ClearToSend): sender can continue sending
’1’ means WT (Wait): sender is not allowed to continue sending, it
has to wait until FC.CTS is received
‘2’ means OVF (Overflow): sender is not allowed to continue
sending, the transfer is stopped.
Table 2-7    Frames
2013, Vector Informatik GmbH
Version: 3.14.00
27 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

IDLE
2.2
Transmission
only dynamic classes

TpTxGetFreeChannel: Associate channel
TpGetFreeChannel
to connection (only for dynamic classes)
The  application  has  to  allocate  a  free

transport channel.
Reserve and block
es
s
the channel to this

connection
asl
c
c
TpTxSet...: Adjust transmit state
mi
(only for dynamic classes)
Wait for adjusting the
na
The new allocated TpChannel has only
transmit state
dy
Adjustable transmit states
y
blank communication parameters included,
nl
which await to be adjusted by the
TpTxSetCanChannel
O
application. Which parameters have to be
TpTxSetChannelID
TpTxSetTargetAddress
attuned depends on the used TpClass (see
TpTxSet...
TpTxSetEcuNumber
chapter 4.2 Functions of the Transport
Protocol)
TpTransmit: Start the transmission
Wait for Transmission
ApplTpTxCopyToCan: Copy data to CAN
The
Transport
Layer
supports
two
copy
mechanisms:  an  internal  and  an  application  specific
copy mechanism.
TpTransmit
With  the  application  specific  copy  mechanism  the
Transport  Layer  will  call  a  callback  function  to
request data each time data has to be transmitted.
Wait for Transmission
Event
ApplTpTxNotification / -CanMessageTransmitted
Each  time  a  transport  frame  (every  frame  or  only
with  pay  load)  will  be  transmitted,  the  Transport
Transmission Event
Layer notifies the application.
TpTxTask
for data segment
ApplTpTxConfirmation: Confirm the transmission
After  a  successful  transmission  the  application  will
be  notified.  This  would  be  a  good  point  in  time  to
ApplTpTx-
CopyToCan
release unused resources / buffers for example.

Transmit a CAN-
CanTransmit
Frame
Legend
Last
Get external event
Get internal event
Yes
Frame?
No
(TP API call)
Set external event
Set internal event
(Application call)
ApplTpTx-
ApplTpTx-
Set external event
Internal state
Confirmation
Notification
(Application call)
only used for special efforts
ApplTpTxCan-
ApplTpTxCan-
Message-
Message-
2013, Vector Informatik GmbH
Version:
T 3
ra.14.
nsm0
it0
t
ed
Transmitted
28 / 177
Figure 2-3 Transmission Architecture
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
2.3
Reception
Wait for next
IDLE

CF
ApplTpPrecopyCheck: Should receive or not?
The ApplTpPrecopy will be called immediately after the
reception of each TP-Frame. The return value of the function
TpPrecopy
CanDriver
TpPrecopy
CanDriver
determines whether or not the TP-Frame is received
ApplTpRxGetBuffer: Associate a buffer
ApplTp-
ApplTp-
The  Transport  Layer  asks  the  application  for  a  buffer.  The
PrecopyCheck
PrecopyCheck
application has to return a valid buffer, in which the received
data will be stored. If the buffer is not valid, the reception will
be abort.
False '0'
Return Value
Return Value
False '0'
ApplTpRxCopyFromCan: Copy data from CAN
True '1'
The  Transport  Layer  supports  two  copy  mechanisms:  an
True '1'
internal and an application specific copy mechanism.
ConnectionSearch
Failed
DLC-checks
Frame checks
The  internal  copy  mechanism  can  only  be  used  with  a  flat-
ConnectionSearch
buffer-model.
DLC-checks
Failed
Frame checks
With the application specific copy mechanism the Transport
Is SF or
FF ?
Layer  will  invoke  a  callback  function  each  time  data  were
CF
FF
received.
SF
ApplTpRxGetTxId: Get FlowControl ID
(only with Dynamic Normal Addressing)
Consecutive
Single Frame
First Frame
Frame
A corresponding transmit ID for a FlowControl is needed.
ApplTpRxIndication: Indicate a reception
ApplTpRx-
ApplTpRx-
A complete block of transport frames is received.
GetBuffer
GetBuffer

Is
Important: The Transport Layer blocks the receive channel
Yes
NULL
to  prevent  a  double  occupancy  of  this  channel.  To  free  the
?
Is
receive channel the application can call TpRxResetChannel
Yes
NULL
No
().
?
No

ApplTpRx-
ApplTpRxSF
ApplTpRxFF
CF
ApplTpRx-
ApplTpRx-
ApplTpRx-
CopyFrom-
CopyFrom-
CopyFrom-
Can
Can
Can
ApplTpRx-
Last
No
GetTxID
CF ?
(depends on
configuration)
Yes
ApplTpRx-
ApplTpRx-
Indication
Indication
Figure 2-4 Reception Architecture

2013, Vector Informatik GmbH
Version: 3.14.00
29 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

2.4
Working behaviors
2.4.1
Timings
TpTransmit.FF
N_As
FF
ApplTpTxCanMsgTransmitted
ApplTpRxGetBuffer
N_Br
N_Bs
FC
N_Ar
ApplTpTxFC
ApplTpRxCanMessageTransmitted
N_Cs
N_Cr
N_As
CF
ApplTpTxCanMsgTransmitted
ApplTpRxCF
N_Cs
N_Cr
N_As
CF
ApplTpTxCanMsgTransmitted
ApplTpRxCF
N_Br
N_Bs
FC
N_Ar
ApplTpTxFC
ApplTpRxCanMessageTransmitted
N_Br
N_Bs
FC
N_Ar
ApplTpTxFC
ApplTpRxCanMessageTransmitted
N_Cs
N_Cr
N_As
CF
ApplTpTxConfirmation
ApplTpRxIndication

Figure 2-5 Transmission timings.

N_As  CAN message confirmation
N_Ar  CAN message confirmation timeout
timeout
N_Bs  Timeout FC
N_Br  Always zero (0)
N_Cs  STmin (from FlowControl)
N_Cr  Timeout CF
But not lower than Transmit CF
Table 2-8    Transmission timings
The TP needs the timings normalized to call cycles. Therefore all timings will be rounded
up to an integer multiple of call cycles.
The  timings  have  an  inaccuracy  while  runtime  (based  on  the  technical  concept  where
timers are set on interrupt level and decremented on task level). The jitter is either plus a
call cycle or minus a call cycle.
In general the ‘Timings’ are calculated with a jitter plus a call cycle – that means the value
of the timing is the first possible time after i.e. a timeout can occur.
2013, Vector Informatik GmbH
Version: 3.14.00
30 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
The TP uses the following algorithm for calculation:
>  Timings: (STmin-Value + (TpCallCycle-1)) / TpCallCycle  + 1
2.4.2
Error detection
2.4.2.1
Reception of a SingleFrame
7
6
5
4
3
2
1
0
0
0
0
0
DL
Single Frame
Data Lenth

Figure 2-6 Single Frame TPCI
A  SingleFrame  will  be  ignored  if  the  DataLength  exceeds  the  maximum  length  of  a
SingleFrame (6 / 7 bytes).
2.4.2.2
Reception of a FirstFrame
7
6
5
4
3
2
1
0
0
0
0
1
XDL
First Frame
High Nibble of Data Length

Figure 2-7 First Frame TPCI
A  FirstFrame  will  be  ignored  (until  version  2.28)  if  the  TPCIlength  is  lower  than  the
maximum length of a SingleFrame (6 / 7 bytes).
2.4.2.3
Reception of a FlowControl
A  FlowControl  will  be  ignored  if  no  suitable  transmission  is  running  (suitable  means:  the
Source-  and  TargetAddresses  must  fit).  It  will  be  also  ignored  if  the  TPCIbyte  misfit  the
valid values.
7
6
5
4
3
2
1
0
0
0
1
1
FS
Flow Control
Flow State
0
Continue To Send
1
Wait
2
Overflow (15765:2003)

Figure 2-8 FlowFrameTPCI
If  a  suitable  transmission  is  found  the  state  machine  is  checked  for  waiting  for  a
FlowControl (except CAN Driver polling mode is used).
2013, Vector Informatik GmbH
Version: 3.14.00
31 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
2.4.2.4
Reception of a ConsecutiveFrame
A ConsecutiveFrame will be ignored if no suitable reception is running (suitable means: the
Source- and TargetAddresses must fit).
7
6
5
4
3
2
1
0
0
0
1
0
SN
ConsecutiveFrame
Sequence Number

Figure 2-9 Consecutive Frame TPCI
If  a  suitable  reception  is  found  the  state  machine  is  checked  for  waiting  of  a
ConsecutiveFrame (except  CAN Driver polling mode is used). If the estimated Sequence
Number does not fit the current reception will be stopped.

2.4.2.5
Observing CAN frame DLC (Data Length Code)

The CAN frame DLC should be set by the sender to a value greater than or equal to the
values indicated in the table below.
Frame Type
Normal (fixed) Addressing  Extended/Mixed Addressing
SingleFrame
SF_DL+1
SF_DL+2
FirstFrame
8
8
FlowControl
3
4
ConsecutiveFrame
(except the last
8
8
ConsecutiveFrame)
Last
1+ ((FF_DL-6) mod[7])
2+ ((FF_DL-5) mod[6])
ConsecutiveFrame
Table 2-9    CAN frame DLC

The CAN frame DLC check can be configured for the following different ways:
none:

CAN frames are accepted if they are 8 bytes or less.
The frames are NOT checked against a minimum length.
only DLC 8:
CAN frames are ONLY accepted if they are exactly 8 bytes long.
variable DLC:
CAN frames are accepted if they are 8 bytes or less.
2013, Vector Informatik GmbH
Version: 3.14.00
32 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
The frames are also checked against the required minimum length.
depend on driver:
CAN frames are accepted if they pass the DLC check configured on driver level. Refer
to [3] on how to set up the DLC check.

2.4.3
Buffer consistency
The  application programmer  has  to  guarantee  consistency  of  transmission  and  reception
buffers.
Transmission
Between
the
call
of
TpTransmit()
and
ApplTpTxConfirmation()
or
ApplTpTxErrorIndication()  writing  access  to  the  transmission  data  buffer  must  be
blocked (except the ApplTpCopyToCan() function is used to copy the data).
Reception
Between  the  call  of  ApplTpRxGetBuffer()  and  ApplTpRxIndication()  or
ApplTpRxErrorIndication()  writing  access  to  the  reception  data  buffer  must  be
blocked (except the ApplTpCopyFromCan() function is used to copy the data).

2.4.4
Function re-entrancy
The  TP  re-entrancy  is  based  on  the  different  tpChannels.  So  for  static  TP  classes,  with
separate  resources  for  each  single  connection,  there  is  no  re-entrancy  problem.  For
dynamic TP classes the re-entrancy is guaranteed too from the viewpoint of TP, as long as
the application handles the connection specific API properly.

2013, Vector Informatik GmbH
Version: 3.14.00
33 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
2.5
Restriction
2.5.1
Restrictions to ISO/TF2 specification
In  this  chapter  you  will  find  the  restrictions  of  the  current  implementation  relative  to  the
ISO/TF2-specification:

Timing parameter:
>  Timing Parameter N_Br is always zero (0)
>  Timing Parameter N_As and N_Ar can only be defined by a common constant

WaitFrame support:
For versions until version 2.73.00:
>  The reception of WaitFrames is supported. The transmission of WaitFrames is not
supported, N_WFTmax is always zero (0).
For versions until version 2.88.00:
>  Commencing with version 2.73.00 the transmission of WaitFrames is supported but
N_WFTmax is not considered. The periodical transmission must be stopped by the
application and does not stop by itself.
From version 2.89.00:
>  Commencing with version 2.89.00 the maximal number of WaitFrames to be
transmitted (N_WFTmax) is supported and the transmission of WaitFrames stops
automatically when this limit is exceeded.
From version 3.01.00:
>  Commencing with version 3.01.00 the maximal number of WaitFrames to be received
(N_TxWFTmax) is supported and the reception of WaitFrames stops automatically
when this limit is exceeded.

2.5.2
Limitations of Transport Protocol Implementation
The Transport Protocol is a complex state machine, which is triggered by external events
like requests by the application, receive indications and transmit confirmations by the CAN
driver.
The state machine expects those events in the order they appear in the “real world” to
decide the next step to be performed. The state machine performs one event after the
other and each decision is based on the current state.

Under some very specific conditions, events may be given to the Transport Protocol state
machine in the incorrect order what can cause wrong decisions.

One requirement to the TP is that unexpected frames are to be ignored. Therefore it is
important to discard e.g. received FlowControl frames before the FirstFrame or
2013, Vector Informatik GmbH
Version: 3.14.00
34 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
ConsecutiveFrame has been sent. It may now happen that the transmit confirmation and
the receive indication event occur “at the same time”. In such a situation the concrete
behaviour depends on the sequence the underlying CAN driver handles such events.
Unfortunately this sequence depends on the hardware implementation of the CAN
controller and the interrupt concept of the µC. Usually RX handling is done first to prevent
loss of incoming data whereas TX handling has a lower priority. Most CAN controllers do
not support means to handle such events in the “real world order” later, if an immediate
handling is not possible due to e.g. an long lasting ISR lock or the CAN driver polling is
executed too slow.

Example:
The TP transmits its FirstFrame successfully to the bus and the tester answers very fast
with the FlowControl and the notification of the FirstFrame transmit event is delayed due to
(a) an ISR lock or (b) a too slow polling sequence, both events are valid at the same time.
Now it is up to the CAN driver how the notification sequence is performed.
If TX is handled first, TP is in a state to accept the FlowControl and everything went well. If
RX is handled first, TP is not aware that the FirstFrame has been already sent and will
ignore the incoming FlowControl. In that case, the TP runs in a timeout due to the partner
has sent its frame correctly but it was assigned to the wrong event sequence and was
therefore ignored.

TX
RX
CAN driver polling
First Frame
TX event: acknowledge
Acknowledge
Flow Control
RX event: FC received
Ack
CAN RX task:
CAN driver polling
   FC received.
   Error: Awaited FF
ackowledge.
Consecutive Frame
   Reject FC.
Ack
Consecutive Frame
CAN TX task:
  Acknowledge on FF
Ack
  Regulare proceeding
  (set timer, change
Consecutive Frame
   state)
Ack
TP task:
Flow Control
   Timeout on FC.
Ack
   Free TP channel.

Figure 2-10 Accumulation of events during CAN Driver polling

Implemented solution 1:
The TP can be configured to handle the event sequence always in the way it is notified by
the underlying driver. In that case it is fully compliant to the requirement that (timely)
2013, Vector Informatik GmbH
Version: 3.14.00
35 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
incorrect frames are rejected. Unfortunately, the rejection can happen in a short time
period also for correct transmitted frames. The time period where this can happen is equal
to the runtime of the e.g. FlowControl frame on the bus (e.g. for DLC=8 and 500kBd this is
approx. 200µs for an interrupt driven CAN driver or the CAN driver polling rate). Timely
incorrect received frames outside of this time window are correctly handled/rejected.

As a result, the correctly transmitted TP sequence might be aborted by a timeout on the
sender side and the tester has to repeat its request.

The configuration switch TP_HIGH_RX_LOW_TX_PRIORITY has to be kTpOff to select
the implementation 1.

Implemented solution 2:
The TP can be configured to accept FlowControl frames also in the time window after the
successful ECU internal FirstFrame transmit request till the frame is really on the bus. In
that case it is not fully compliant to the requirement that (timely) incorrect frames are
rejected. The length of the time period depends on the baudrate (message runtimes), the
busload and if the CAN driver is used in ISR or polling mode. The shortest time range is
some few 10µs up to a multiple of the CAN driver polling rate. Timely incorrect received
frames outside of this time window are correctly handled/rejected.

As a result of this behaviour, a too early (timely incorrect) received FlowControl frame will
be accepted by the TP and the transport layer continues to transmit its data.
Because this scenario does usually not or only rarely happen in the field but the
performance of the whole diagnostic process is higher, the selection of that configuration is
highly recommended.

The configuration switch TP_HIGH_RX_LOW_TX_PRIORITY has to be kTpOn to select
the implementation 2.

Info
Please note that the content of the received frame is always analyzed and illegal frames

are discarded as required. All above discussed issues are only valid if the frame is timely
incorrect but all other facts are correct concerning the current TP status.

Caution
Implementation solution 2 is automatically activated since version 2.36 of TPMC

component while the CAN Driver is used in polling mode. It is activated as default for
interrupt driven systems since version 2.63..


2013, Vector Informatik GmbH
Version: 3.14.00
36 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
2.5.3
Deviations to ISO/TF2 specification
In this chapter you will find the deviations of the current  implementation compared to the
ISO/TF2-specification.
2.5.3.1
Handling of unexpected FlowControl / ConsecutiveFrame frames
Caution
This deviation is only in effect if the TP_HIGH_RX_LOW_TX_PRIORITY feature is

kTpOn.
The normal operation assumes that a transmit is followed first by its confirmation
interrupt and after that the next receive interrupt appears.
With a tester reacting very fast and simultaneously a controller that has a higher priority
for Rx interrupts than for Tx interrupts the Rx interrupt may be detected before the Tx
confirmation interrupt:
  Without the HighRx-LowTx feature the transmission stops at this point.
  With the activation of the HighRx-LowTx feature the TP implementation tries to
clear this unexpected sequence and to proceed with the transmission.
Nevertheless there are still some special situations left (see the description
above) that can not be cleared by the TP and so the transmission might be
stopped anyway.
Conclusion:
The HighRx-LowTx feature is activated by default to get a minimum of transmissions
being stopped.
You can deactivate the feature e.g. if your configuration does not require the feature or if
you prefer that the tester explicitly repeats requests after stopped transmissions.

Please see the description below to get an idea in which special situations some
malfunction is still possible.
See also chapter 2.5.2 ‘Limitations of Transport Protocol ’ for further details.

2013, Vector Informatik GmbH
Version: 3.14.00
37 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3  Settings for the MultiTP & SingleTP (multi-based)
To  use  the  MultiConnection  or  the  SingleConnection  (multi-based)  TP  with  the  GENy
CANGen or the DBKOMGen tool the “Manufacture” attribute in the database has to be set.
Additionally  a  License  File  for  GENy  and  CANGen  tool  is  needed,  which  includes  a
clearing for the MultiConnection Tp.
3.1
General settings with CANgen / DBKOMgen / GENy
In the following descriptions examples from the CANGen / DBKOMGen generation tool
GUI  are used.


Figure 3-1 General settings in Generation Tools

2013, Vector Informatik GmbH
Version: 3.14.00
38 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.1.1
Timing


Figure 3-2 Timing settings in Generation Tools
3.1.1.1
Transmission timing
Tx call cycle
Together  with  this  period,  the  function  TpTxTask()  has  to  be  called  periodically  by  the
application
TxTimeoutFC
In  the  Timeout  FC  edit  field,  the  FlowControl  timeout  value  is  specified.  Within  this  time,
the expected FC frame has to be received by the transmitting ECU.
TxTransmitCF
The  Transmit  CF  time  is  the  interval  for  the  transmission  of  ConsecutiveFrames.  This
value  is  used  as  a  constant  in  ECUs  that  don’t  use  the  STmin  value  from  FlowControl
frame.
If this time should be defined as a constant at compile time the configuration switch “Use
STMin from flow control frame” should be set to Off.
If  the  time  STMin  from  the  FlowControl  message  should  be  calculated,  the  configuration
switch  “Use  STMin  from  flow  control  frame”  has  to  be  selected.  Due  to  the  problem  to
handle  a  non-linear  buffer  (e.g.  ring-buffer  mechanism)  in  the  application  (usage  of
ApplTpCopyToCAN or Vector Diagnostic Layer) the Transmit CF parameter set the fastest
possible transmission.
Transmit CF set the lowest possible separation time.
Example: The Diagnostic Tester set the STmin value to zero. Which will mean to the ECU
to transmit as fast as possible. If the application uses in this case a ring-buffer mechanism
it has to fill the ring-buffer in the same fast way as the TP transmits the data. To prevent in
such a case a buffer under-run it is possible to limit the TP, by setting the lowest possible
separation  time  value,  so  that  the  calculated  STmin  cannot  be  smaller  than  the Transmit
CF value.
3.1.1.2
Reception timing
Rx call cycle
Together  with  this  period,  the  function  TpRxTask()  has  to  be  called  periodically  by  the
application
2013, Vector Informatik GmbH
Version: 3.14.00
39 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
RxTimeoutCF
After the Timeout CF time expires, a time-out occurs with the transport layer between the
receptions of two ConsecutiveFrames.
3.1.1.3
Common timing
CAN message confirmation timeout
Maximum  time  between  a  transmission  request  and  the  confirmation  interrupt,  indicating
that the frame is sent successfully (it is at least accepted by one net node).

3.1.2
Flow Control


Figure 3-3 Flow control settings in Generation Tools
3.1.2.1
Transmission
Use STMin from flow control frame
If  the  “Flow  control”  time  STMin  was  defined  as  constant  at  compile  time  for  the  whole
system,  it  won’t  be  necessary  to  calculate  it  at  runtime.  Setting  the  configuration  switch
„Use STMin from FlowControl frame“ to Off can parameterize this.
If  the  time  STMin  from  the  FlowControl  message  should  be  calculated,  the  configuration
switch “Use STMin from FlowControl frame” has to be selected.
3.1.2.2
Reception
STMin
The  STmin  edit  field  contains  the  minimum  separation  time  between  two  consecutive
frames. The separation time will be at least as long as configured or longer. The value in
this  edit  field  will  be  transmitted  to  the  sender  ECU  in  the  FlowControl  frame  from  the
current  ECU.  The  STmin  value  can  either  be  defined  at  compile  time  or  changed  at
runtime (see also 3.1.3 Extended API STmin).
BlockSize requested
The BlockSize specifies the number of ConsecutiveFrames until a FlowControl is needed.
The receiver defines the BlockSize. The sender always uses the BlockSize of the receiver.
The BlockSize value can either be defined at compile time or changed at runtime (see also
3.1.3 Extended API BlockSize).

2013, Vector Informatik GmbH
Version: 3.14.00
40 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.1.3
Misc


Figure 3-4 Misc. settings in Generation Tools
Extended API (variable BlockSize)
API extension, which can adjust the BlockSize value.
If  the  feature  is  enabled  the  BlockSize  can  be  set  at  run-time  by  using  the  functions
TpRxSetBS()  and TpRxGetBS().
Default value after initializations:  “BlockSize requested” (Section ‘Flow Control’)
Extended API(variable STmin)
API extension, which can adjust the STmin value.
If  the  feature  is  enabled  the  STmin  value  can  be  set  at  run-time  by  using  the  functions
TpRxSetSTMIN()  and TpRxGetSTMIN().
Default value after initializations: “STmin” (Section ‘Flow Control’)
Use fast RAM
The  RAM  demand  and  run-time  can  be  reduced  on  some  implementations,  if  some
frequently used variables of the Transport Protocol are put into the „near“ memory.
If  the  feature  is  enabled  (default)  the  less  used  variables  are  also  set  into  the  „near“-
memory. The code is smaller and faster.
Otherwise  less  used  variables  are  not  set  into  the  „near“-memory. The  code  is  a  little  bit
bigger and slower.
Use Gateway API
API extension, which was implemented for Gateway purpose, but it is also possible to use
it in other fields of applications.
If  the  feature  is  enabled  the  API  of  ‘ApplTpRxGetBuffer’  and  ‘ApplTpRxCheckTA’  is
extended  with  the  CanRxInfoStructPtr  from  the  CAN  Driver  Precopy  functions  API  (see
/CANDrv/ manual).
Within  this  CanRxInfoSturctPtr  parameter  the  CAN  ID,  pointer  to  the  CAN  data,  etc.  is
included.
Assertions
To detect some incorrect internal conditions of the Transport Protocol during development,
integration  and  software  test,  there  are  different  categories  of  so  called  assertions
configurable:
1.  User interface (for example input parameters, reentrance if not allowed)
2013, Vector Informatik GmbH
Version: 3.14.00
41 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
2.  Generated data
3.  Internal software errors (for example inconsistent internal states)
Each type of assertion can be configured independently.
These  assertions  will  help  in  different  development  phases  to  deal  with  unexpected
problems, which cannot be handled by the Transport-Protocol internally. In such case the
following callback function will be called by the Transport-Protocol:

void ApplTpFatalError( vuint8 errorNumber );

This  callback  function  has  to  be  provided  by  the  Application.  The  function  parameter
errorNumber  gives  more  detailed  information  about  the  kind  of  error,  which  is  occurred
(see also 4.4.4.1 ApplTpFatalError: Fatal Error for the different error-codes).
Generally,  the  error  number  has  to  be  checked  to  solve  the  underlying  problem.  The
recovery strategy is application dependent, but mostly there is a complete reset necessary
to set up the software correctly again.
Caution
This callback function must not return to the Transport-Protocol afterwards.

assert user
User assertion will be activated.
Should be used while development of Application software
assert internal
Internal assertions will be activated.
Should be used for tests of software changes in the Transport-Protocol
(Vector internal)
assert generated
Internal assertions will be activated.
Should be used if a new version of the Generation Tool is used
runtime checks
Runtime checks will be activated.
In contrast to the assertions the ‘runtime checks’ can also be used after the development
phase  and  should  guarantee  a  more  reliable  run.  Checks  for  parameter  plausibility,
overwriting of memory like beyond access of tables, etc..

2013, Vector Informatik GmbH
Version: 3.14.00
42 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.2
General settings with Generation Tool GENy
General  settings  can  be  done  under  the  TPMC  tree  element.  Most  important  is  the
selection of TpClass in the upper right window. Some online help is provided for the most
settings  in  the  OnScreenHelp  window.  Section  “Advanced  Configuration”  is  providing
special  features  like  Gateway  APIs  or  padding  of  TP  frames.  Some  features  might  be
greyed  which  means  that  this  features  are  preconfigured  based  on  OEM  or  other
constraints.  It  is  necessary  to  configure  for  each  Tp  class  at  least  one  “TP  Connection
Group” object. Some static configured TP classes like “Static Normal Multi TP” require one
Connection  Group  object  for  each  TP  connection  whereas  dynamic  TP  classes  have
always only one object. A Connection Group object represents a set of call back functions
for the application to notify successful transmission or reception.

Figure 3-5 Main window of component TPMC within configuration tool GENy.

2013, Vector Informatik GmbH
Version: 3.14.00
43 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.2.1
Configuration of Addressing Information
The  addressing  information  is  configured  for  each  channel.  The  provided  addressing
elements like TpTxMessage (for NormalAddressing) depend on the selected TP class. It is
required to assign a TpConnectionGroupObj for each Addressing information. In Dynamic
Multiple  Addressing  Tp  Classes  any  Addressing  Information  is  assigned  to  only  one  TP
Connection Group Object.

Figure 3-6 Main window of component TPMC within configuration tool GENy.

3.2.2
Usage of Far RAM buffers
Due to reasons of RAM resource availability it may be necessary to locate the receive and
transmit  buffers  handed  to  the  TP  in  a  far  memory  location.  All  message  buffer  related
types and callbacks will then use far pointers.
To enable this option the “Use far RAM buffers” option within the “Advanced Configuration”
tab must be enabled.
If that option does not suffice for your integration the “Memory Model Override” option can
be  used  alternatively  supporting  the  usage  of  a  special  qualification  string  that  can  be
entered as plain text (e.g.: @page @far).

3.2.3
Non standard handling of Flow Control frames
3.2.3.1
Reserved STmin Handling
According to ISO 15765-2 the STmin values 0x80-0xF0 and 0xFA-0xFF are reserved.
If  a  received  FC.CTS  frame  nevertheless  uses  one  of  these  reserved  values,  it  shall  be
interpreted from the TP as the maximum STmin time (0x7F) which is defined.
The TP supports two additional possibilities to handle reserved STmin values:
>  If the switch ‘TP_ENABLE_IGNORE_FC_RES_STMIN’ is defined, then a FC frame
with a reserved STmin value is silently ignored.
>  If the switch ‘TP_ENABLE_CANCEL_FC_RES_STMIN is defined, then a FC frame
with a reserved STmin value will lead to the cancellation of the Tx connection.
Note that each switch has only an effect if the STmin is evaluated at all. For cases where
STmin might not be evaluated, please refer to 3.2.3.4 and 3.2.3.5.

2013, Vector Informatik GmbH
Version: 3.14.00
44 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.2.3.2
Ignore Flow Control Overflow
According  to  ISO  15765-2  a  received  FC.OVFLW  (0x32)  will  abort  the  ongoing
transmission due to the lack of reception buffer at the receiver side.
If  the  switch  ‘TP_ENABLE_IGNORE_FC_OVFL’  is  defined  then  a  FC.OVFLW  frame  is
silently ignored instead.

3.2.3.3
Do not ignore unexpected Flow Control frames
According to ISO 15765-2 any unexpected FC frame shall be ignored.
If the switch TP_USE_UNEXPECTED_FC_CANCELATION is set to kTp_On, this behavior
is changed. Then every unexpected FC frame will cancel the current transmission.

3.2.3.4
Use STmin of FC
According  to  ISO  15765-2,  the  STmin  from an  FC.CTS  shall be  used as  separation time
between two consecutive frames.
If the switch TP_USE_STMIN_OF_FC  is set  to kTp_Off,  the STmin of the FC is ignored.
Instead,  the  configured  N_Cs  timeout  (TxTransmitCF  parameter,  see  3.1.1.1)  is  used  as
STmin.

3.2.3.5
Analyze first FC only
According to ISO 15765-2, the contents of each expected and received FC.CTS shall be
evaluated by a transmitter in order to adjust its BS and STmin values.
If the switch TP_USE_ONLY_FIRST_FC is set to kTp_On, only the BS and the STmin of
the  first  received  FC.CTS  are  evaluated.  These  values  are  then  used  for  the  complete
transmission. Further received FC.CTS are only used for synchronization and not to adjust
BS and STmin.

3.3
Additional settings via user-configuration file
3.3.1
Dynamic Timing API
Using this feature the application can dynamically change connection specific timing
values for:
>  CAN confirmation timeout (N_Ar, N_As)
>  Consecutive Frame timeout (N_Cr)
>  Flow Control timeout (N_Bs).
The dynamic channel timing feature can be enabled via a user configuration file.  If the
pre-processor switch “TP_ENABLE_DYN_CHANNEL_TIMING” is included in this way then
the TP takes the timing values from the following application provided variables:
tTpEngineTimer tpRxConfirmationTimeout [kTpRxChannelCount];
tTpEngineTimer tpTxConfirmationTimeout [kTpTxChannelCount];
2013, Vector Informatik GmbH
Version: 3.14.00
45 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
tTpEngineTimer tpRxTimeoutCF                 [kTpRxChannelCount];
tTpEngineTimer tpTxTimeoutFC                 [kTpTxChannelCount];

tTpEngineTimer  is  usually  of  type  canuint16,  for  8-bit  CPUs  it  might  also  be  defined  as
canuint8.
These  variables  are  initialized  internally  from  the  TP  with  the  constant  values  that  are
configured  in  the  generation  tool.  So  all  connection  specific  timing  are  equal  after  TP
initialization.
Please note that the TP expects these variables, containing the connection
specific timing values, to be supplied by the application.

For the further dynamic adaptation and differentiation of these connection specific values
the following API functions are available in addition:
>  TpRxSetTimeoutConfirmation (see 4.2.2.25 )
>  TpTxSetTimeoutConfirmation (see 4.2.3.26)
>  TpRxSetTimeoutCF ( see 4.2.2.26 )
>  TpTxSetTimeoutFC (see 4.2.3.27)
With these functions the belonging timeout values of the TP can be changed dynamically
during runtime.

3.4
TP classes: SingleTP (multi-based)
These TP classes are based on the MultiTP core but running only with one connection and
are optimized to consume a minimum of resources.
3.4.1
Database Attributes
Following Database attributes are needed:



Figure 3-7 Database Attributes for Single/Static TP classes

2013, Vector Informatik GmbH
Version: 3.14.00
46 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

DiagRequest / DiagResponse:  Used for diagnostic request messages to make special
pre-settings for the Vector diagnosis’s layers.
(Only available for some car-manufactures)

TpTxIndex:
      Used for application TP messages.
TP connections with FlowControl: bi-directional transmissions according to ISO 15765
standard
TP-connections without FlowControl: unidirectional transmissions nonconformance to the
ISO 15765 standard

conventions to read a connection out of the database
bidirectional with FC (standard) The TX-Node and the RX-Node includes each a TX-TP-message
with the same TpTxIndex value {Broadcast not possible}.
bidirectional without FC
not supported
unidirectional with FC
not supported
unidirectional without FC
The RX-Node do not include a TX-TP-message with a same
(not supported in SingleTP
TpTxIndex as the TX-TP-msg. of the TX-Node {Broadcast is
classes)
possible - TX-msg. can have more than one receiver}.

Table 3-1    Usage of TpTxIndex database attribute

GenMsgDelayTime:
If the database attribute ‘GenMsgDelayTime’ has a value unequal to zero, then the TP
observes this time between two transmissions as a minimum time distance.

3.4.2
TP class SingleTP (multi-based): Normal Addressing
No special settings needed
3.4.3
TP class SingleTP (multi-based): Extended Addressing
No special settings needed

3.4.4
TP class SingleTP (multi-based):Normal Fixed Addressing
3.4.4.1
Database Attributes
Refer to chapter 3.6.6.1 Database Attributes

3.5
TP classes Static MultiTP
For each TP-communication between two ECUs static defined connections are available.
3.5.1
Database Attributes
Refer to chapter 3.4.1 Database Attributes
2013, Vector Informatik GmbH
Version: 3.14.00
47 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.5.2
TP class specific settings

Figure 3-8 Additional TP settings (Static MultiTP) in Generation Tool
Connection specific timing parameters
If  ‘Connection  specific  timing  parameters’  are  activated  the  timing  parameters  of  each
connection can override the global timing values for this connection.
TpPreCopyCheck
Just enter a function name to use this hook function.

3.5.3
Connection specific timing parameters


Figure 3-9 Connection specific timing parameters

The following parameters can be configured individually for each connection:
Timings
>  TxTimeoutFC
>  TxTimeoutCF
>  RxTransmitCF
FlowControl
>  STMin
>  Requested BlockSize
For detailed descriptions refer chapter 3.1.1 Timing and the following
2013, Vector Informatik GmbH
Version: 3.14.00
48 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.5.4
Functions


Figure 3-10 Hook-Functions (Static MultiTP)
Just enter a suitable function name to use the hook function in your application.
For a detailed description of each function refer chapter 4.4.

3.6
TP classes Dynamic MultiTP
In opposite to the static MultiTP there are no fix connections available. All connections are
built-on during runtime and released after the transmission is complete. So the  resources
used per connection can be reused by other applications.

3.6.1
Properties
Tx channel count
Maximum possible number of parallel used TpChannel(s) for transmissions.
Rx channel count
Maximum possible number of parallel used TpChannel(s) for receptions.
Use Tx channels without FC
Enable the feature to use the non-ISO implementation ‘without FC’ for transmission.
Use Rx channels without FC
Enable the feature to use the non-ISO implementation ‘without FC’ for reception.

2013, Vector Informatik GmbH
Version: 3.14.00
49 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.6.2
Hook Functions
In  opposite  to  the  static  MultiTP,  where  all  hook  functions  are  available  once  for  each
statically configured connection, here this set  of hook functions is available  only once for
all  connections.    This  means  that  all  messages  have  to  be  dispatched  to    the  belonging
destination by the application for each connection.

These hook functions we recommend to use.

Figure 3-11 Mandatory functions for the usage of the CANdesc diagnostic component
Just enter a suitable function name to use the hook function in your application.
For a detailed description of each function refer to chapter 4.4.

These hook functions are optional.

Figure 3-12 Optional functions (example for the usage of the CANdesc diagnostic component)
Be careful
while using a Vector Diagnostic Layer it is necessary to hand over only the function calls

to the Diagnostic Layer, which belong to the diagnostic connection(s). An application
example is present, see chapter 8.5.1.

3.6.3
Dynamic Objects
The MultiConnection Tp uses the “dynamic TxID” functionality (Dynamic TxID  On) of the CAN-
Driver. However, you can specify additional dynamic objects for your application.
2013, Vector Informatik GmbH
Version: 3.14.00
50 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

Important
If you want to add dynamic objects for your application you have just to enter your count

of dynamic objects. The Generation Tool adds the usage of dynamic objects for the
MultiConnection Tp automatically.

3.6.4
TP class Dynamic MultiTP: Normal Addressing
3.6.4.1
CANdriver settings

Important
Actually the Generation Tool will not setup the reception messages automatically. The

user itself has to insert for each message, which should be processed by the TP (or for
a range of messages) a ‘TpPrecopy’-function. Please refer the CAN-driver manual
/CANdrv/ how to insert a Precopy-function.

3.6.5
TP class Dynamic MultiTP: Extended Addressing
3.6.5.1
TP class specific settings


Figure 3-13 Misc (Extended Addressing)
Own ECU number
It will be read out from the database attribute ‘TpOwnSystemEcuNumber’.
Lowest functional address
The  value  should  define  the  lowest  value  of  an  additional  range  of  receivable
TargetAddresses.
Not supported – use instead the hook function ApplTpCheckTA()
Highest functional address
The  value  should  define  the  highest  value  of  an  additional  range  of  receivable
TargetAddresses.
Not supported – use instead the hook function ApplTpCheckTA()
2013, Vector Informatik GmbH
Version: 3.14.00
51 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.6.5.2
Database Attributes

Name
Default
No TP used  Normal
Extended
(example)
TpNodeBaseAddress
FFFF
Default
Default
0x600
TpOwnSystemEcuNumber
FF
Default
Default
0x01
TpNodeMesageCount
FF
Default
Default
0xff
Table 3-2    Data Base Attributes
TpNodeBaseAddress
The not valid value FFFF indicates, that there is no base address necessary.

TpOwnSystemEcuNumber
This value provides the own ECU Number, necessary for setting up the transmit identifier.

TpNodeMessageCount
This value determines how many messages are assigned to the ‘range’ together with the
base address. This is necessary for the TP to calculate to which base the received CAN ID
is assigned.
The values for extended addressing are just an example:
The CAN ID for this node is 0x600 + 0x01 = 0x601.
3.6.5.3
Multiple Base Addresses
For each connection a dedicated base address including an address offset and a message
count can be specified.
3.6.6
TP class Dynamic MultiTP: Normal Fixed Addressing
3.6.6.1
Database Attributes



Figure 3-14 Database attributes for ‘Normal Fixed Addressing’
TpOwnSystemEcuNumber
Each  ECU  is  represented  in  the network  by  an  address  /  EcuNumber.  If  the  EcuNumber
0xff is used the TP activates the ‘Multiple EcuNumber’ feature (refer 7.4.1 Virtual ECU’s).

2013, Vector Informatik GmbH
Version: 3.14.00
52 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
TpNodeBaseAddress
This attribute includes the upper 13 bits (like priority, PGN) of the CAN-ID.
3.6.7
TP class Dynamic MultiTP: Mixed 29-bit Addressing
Currently open – support is only for generation tool GENy requested
3.6.8
TP class Dynamic MultiTP: Multiple Addressing
In this TP class it is possible to change the addressing mode in run-time.
3.6.8.1
Addressing mode


Figure 3-15 Addressing mode (Multiple Addressing)
Only the checked addressing modes will be supported.
3.6.8.2
CAN Driver settings
To distinguish the addressing mode while the reception different Precopy-functions will
exist for each mode. It is possible to insert the Precopy-function for a message or for a
range of messages (CAN-Driver Ranges).
> NormalAddressing: TpPrecopyNormal<DESTINATION>
> NormalFixedAddressing: TpPrecopyNormalFixed<DESTINATION>
> ExtendedAddressing: TpPrecopyExtended<DESTINATION>
> Mixed29Addressing: TpPrecopyMixed29<DESTINATION>
> Mixed11Addressing: TpPrecopyMixed11<DESTINATION>

Caution
Actually the Generation Tool will not setup the reception messages automatically.

<DESTINATION> is replaced by on of the following strings:
> Appl
> DiagFunc
> DiagPhys

These destinations identify the purpose of a given connection. DiagFunc will identify a
functional Diagnostic message (1:n). DiagPhys is representing the standard physical
diagnostic message (1:1) and Appl a standard TPMC connection used for application
purpose (1:1).
E.g.: NormalFixedAddressing range 18DA0500 with mask 0xFF which is specified by the
ISO standard as physical range would be configured in the CAN Driver as:
2013, Vector Informatik GmbH
Version: 3.14.00
53 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
TpPrecopyNormalFixedDiagPhys

Using a dispatcher in combination with two macro functions it is possible to distinguish
inside the TPMC callback function set between a diagnostic or applicational request
message and direct it to the correct component like CANdesc.

TpRxGetAddressingFormat(tpChannel) can be used to check against
#define kTpNormalAddressing
#define kTpExtendedAddressing
#define kTpNormalFixedAddressing
#define kTpMixed29Addressing
#define kTpMixed11Addressing
TpRxGetAssignedDestination( tpChannel) can be used to check against
#define kTpRequestAppl
#define kTpRequestDiagFunctional
#define kTpRequestDiagPhysical

Figure 3-16 Dedicated call of Precopy functions in TPMC by the driver.

2013, Vector Informatik GmbH
Version: 3.14.00
54 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.7
TP class Dispatched MultiTP
With the release version 3.00.00 of TPMC the “Dispatched” MultiTP class was introduced
to disburden the application from the dispatching job.
Using  the  “Dynamic  MultiTP”  classes,  which  support  only  one  single  set  of  callback
functions  for  all  connections  together,  the  dispatching  of  the  actual  destination  has  to  be
performed by the application.
Using  the  “Dispatched  MultiTP”  classes  all  of  the  dispatching  work  is  done  within  the
TPMC.
“Dispatched MultiTP” is located between static and dynamic TP classes. As well as Static
TP  it  supports  connection  specific  sets  of  callback  functions  and  dispatches  all
connections,  regarding  the Address  Information  (AI),  to  these  callback  functions.  Just  as
Dynamic TP resources are shared among the connections.

Diag
Appl_1
Appl_n

All connection specific attributes like timeouts,
max. tpChannels, callback function set, etc. are
Dispatched       TPMC
kept internally in the TPMC.

The configured address information (AI) is
linked (via a TPMC internal Precopy function)
AI_0
AI_1
AI_2
directly to the destination application.
Can Driver
CAN 2
CAN 1
Figure 3-17 Dedicated call of application callback functions in TPMC by the internal dispatcher.

Info
Please note that all existing applications are unaffected unless the new class is actually

selected in the generation tool.

2013, Vector Informatik GmbH
Version: 3.14.00
55 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
3.7.1
“Dynamic MultiTP” versus “Dispatched MultiTP” – a short analogy
3.7.1.1
Solution based on “Dynamic MultiTP”:
Here  all  dynamic  TpChannels  are  provided  as  a  global  resource  and  shared  by  all
connections.  So,  if  no  Rx  channel  is  currently  available  then  the  incoming  message  is
simply  discarded  by  the  TPMC,  no  reception  will  occur  and  the  application  will  not  be
notified.  Otherwise  the  primal  callback  function  to  map  an  incoming  request  to  a
connection,  the  ‘ApplTpRxGetBuffer’  function,  is  called.  The  addressing  data  statically
configured in GENy is not present for the dispatching application. There is no consistency
provided by the TPMC.
To  perform  this  mapping  the  addressing  information  statically  configured  has  to  be
compared  to  the  currently  received  CAN  message.  The  scope  of  the  addressing
information to be compared can be different and depends on the used addressing type.
If a valid connection is found within the ‘ApplTpRxGetBuffer’ function then a valid pointer to
the  application  buffer  is  handed  to  the  TPMC,  the  FC  status  can  be  set  and  the  FC
addressing  information  must  be  set  for  usage  by  the  TPMC.  The  identified  reception  is
marked  while  using  the  ‘TpRxSetConnectionNumber’ API  function  with  a  unique  number
defined  by  the  application.  To  distinguish  the  connections  in  later  callbacks  (e.g.
ApplTpRxIndication(tpChannel)), the API TpRxGetConnectionNumber(tpChannel) must be
used to get an application relevant handle. The tpChannel handle can and will be different
for each reception.

Receive Example: (see also chapter 8.5)
  /* get CAN-Id */
  requestId = TpRxGetChannelID(channel);
  if(requestId == MY_RECEIVE_ID) {
  /* store connection number */
  TpRxSetConnectionNumber(channel, kMyConnectionNo);
  /* set CAN-Id for response */
  TpRxSetTransmitID(channel, MY_TRANSMIT_ID);
  pBuf = myTpGetRxBuffer(channel, dataLength);
  /* handle FC status properly */
  if(pBuf == V_NULL) {
  TpRxSetFCStatus(channel, kTpFCStatusOverflow);
  }
  else {
  TpRxSetFCStatus(channel, kTpFCClearToSend);
  }
  }

For  the  transmission  a  Tx  channel  has  to  be  allocated,  a  connection  number  has  to  be
assigned and the connection parameters have to be set according to the addressing type
before the transmission can be started.

Transmit Example: (see also chapter 8.5)
  /* acquire a tx channel */
vuint8 channel = TpTxGetFreeChannel(kMyConnection0);
if(channel != kTpNoChannel ) {
  /* set CAN channel */
2013, Vector Informatik GmbH
Version: 3.14.00
56 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
 TpTxSetCanChannel(channel, kMyCanNo);
 /* set CAN identifiers */
 TpTxSetChannelID(channel, myTxCANId, myRxCANId); /* precalculated CAN Ids */
 TpTxSetTargetAddress(channel, target_address); /* extended addressing */
 /* trigger the transmission */
 TpTransmit(channel, data, length);
}

For all this topics several API functions must be used in a correct manner what may result
in a pretty complex dispatcher to be handled by the application.

3.7.1.2
Solution based on “Dispatched MultiTP”
Each connection group has a configurable number of TpChannels reserved for its own.
This offers an improved availability for concurrent receptions with no interference to other
TpChannel resources availability.
All Tp callbacks are dispatched internally in the TPMC. In addition to the passing of a raw
tpChannel a connection handle ‘addrInfoHandle’ is handed to the application. Behind this
‘addrInfoHandle’ all address information is available based on the static configuration
information. Only dynamic runtime address information (e.g. target address in case of
Extended- or NormalFixed- addressing) has to be handled extra.

Info
Please note that all application callback functions do not change their API.

Additional API functions are provided to get the ‘addressInfoHandle’ from the
corresponding tpChannel :
TpRxGetAddressInfoHandle(tpChannel): within reception callbacks
TpTxGetAddressInfoHandle(tpChannel): within transmission callbacks

A connection specific precopy function is introduced which is called when the dispatching
is already completed and resulted in exactly the call of this connection specific function. To
identify the connection later on just the ‘addressInfoHandle’ has to be stored by the
application.
The handles are provided in the form “kTp<Addressing Info Name>” in the generated
code. So the application can easily differentiate within the callback functions which
connection is present just by checking the ‘addressInfoHandle’ using the API
‘TpRxGetAddressInfoHandle()’. Please note that the differentiation in the callback
functions is only necessary if more than one AI is configured for one connection or if the
same callback functions are configured for more than one connection. Otherwise the
corresponding callback function is dedicated unambiguously to one connection.
Of course also here free TpChannels must be available (per connection group) or the
reception (transmission) will fail.

2013, Vector Informatik GmbH
Version: 3.14.00
57 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Example:
The following example shows a “Dispatched Multiple Addressing Multi TP” configuration
containing 3 connections (TpConnection000/001/002).

One AI is configured per connection and each connection uses a different addressing type
(Normal-, Extended-, NormalFixed- addressing).

2013, Vector Informatik GmbH
Version: 3.14.00
58 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Each connection has an appropriate
connection specific set of callback
functions beneath some other
connection specific attributes.

In the generated code the following constants are available for usage by the application.
The connections groups:
#define kTpGroupTpConnection000 0
#define kTpGroupTpConnection001 1
#define kTpGroupTpConnection002 2

The connection handles:
#define kTpConn0_AI1 0
#define kTpConn1_AI2 1
#define kTpConn2_AI3 2

The connection specific transmit macros:
#define TpTransmit_Conn0_AI1( data ,length) \
TpTransmitNormal( kTpConn0_AI1, data, length)
#define TpTransmit_Conn1_AI2( TA ,data ,length) \
TpTransmitExtended( kTpConn1_AI2, TA, data, length)
#define TpTransmit_Conn2_AI3( TA ,data ,length) \
TpTransmitNormalFixed(kTpConn2_AI3, TA, data, length)

2013, Vector Informatik GmbH
Version: 3.14.00
59 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

Now the application can easily differentiate within the connection specific callback
functions and decide how to proceed:

if(TpRxGetAddressInfoHandle(tpChan) == kTpConn1_AI2) {
  ...

TpTransmit_Conn1_AI2( TA ,data ,length);
  ...
}

3.7.2
Dispatched MultiTP API

Caution
To avoid collisions it is prohibited to use API-functions from the application site that are

used internally by the TPMC dispatcher.
This means that all API functions marked as “done internally by TP” in the tables below
are neither necessary nor available anymore!

3.7.2.1
Reception side

Dynamic MultiTP class
Dispatched MultiTP class

Since version 3.00.00
TpRxSetConnectionNumber
done internally by TP
TpRxGetConnectionNumber
done internally by TP
TpRxGetAddressingFormat
done internally by TP
TpRxGetAssignedDestination

TpRxResetChannel
available for application usage
TpRxSetTransmitID
TpRxGetStatus
TpRxSetBS
TpRxGetBS
TpRxSetSTMIN
TpRxGetSTMIN
TpRxGetChannelID
TpRxGetCanChannel
TpRxGetSourceAddress
TpRxGetReceivedTargetAddress
TpRxGetEcuNumber
TpRxSetBufferOverrun
TpRxGetAddressExtension
TpRxGetCanbuffer
TpRxSetWaitCorrectSN
TpRxSetTimeoutConfirmation
TpRxSetTimeoutCF
TpRxSetFCStatus
TpRxGetFCStatus
TpRxSetClearToSend

  New API functions for Dispatched classes:
2013, Vector Informatik GmbH
Version: 3.14.00
60 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Please find a more detailed description in chapter 4.

TpGetConnectionGroup(AI_handle)
Get the connection group
(kTpGroup<ConnectionName>)
TpGetAddressingType (AI_handle)
Get the addressing type info (only for multiple
addressing class):
 kTpNormalAddressing,
 kTpExtendedAddressing,
 kTpNormalFixedAddressing,
 kTpMixed11Addressing,
 kTpMixed29Addressing
TpGetCanChannel(AI_handle)
Get the pertaining CAN channel (only for multiple
CAN channels)
TpGetRxId( AI_handle)
Get the Rx CAN-Identifier (only for normal
addressing)
TpGetTxId( AI_handle)
Get the Tx CAN-Identifier (only for normal
addressing)
TpGetBaseAddress( AI_handle)
Get the base address (only for extended
addressing)
TpGetAddressOffset( AI_handle)
Get the address offset pertaining to a base
address (only for extended addressing)
TpGetPriority( AI_handle)
Get the priority info from a 29-bit CAN
identifier (only for NormalFixed or Mixed29
addressing)
TpGetPGN( AI_handle)
Get the parameter group identification from a
29-bit CAN identifier (only for NormalFixed or
Mixed29 addressing)
TpGetEcuNumber( AI_handle)
Get the ECU address (only for NormalFixed or
Mixed29 addressing)

3.7.2.2
Transmission side

Info
Please note that the TpTransmit function is the only API that has to be adapted in the

application code.

Dynamic MultiTP class
Dispatched MultiTP class

Since version 3.00.00
TpTxSetChannelID
done internally by TP
TpTxSetCanChannel
done internally by TP
TpTxSetTargetAddress
done internally by TP
TpTxSetEcuNumber
done internally by TP
TpTxSetBaseAddress
done internally by TP
TpTxGetFreeChannel
done internally by TP
TpTxSetAddressingFormat
done internally by TP
TpTxGetConnectionNumber
done internally by TP
TpTxGetConnectionStatus
done internally by TP
TpTxSetAddressExtension
done internally by TP
TpTxSetResponse
done internally by TP
TpTxLockChannel
done internally by TP
TpTxUnlockChannel
(see note 1.) below)
TpTransmit
Either you can use the generated connection
specific macros:
TpTransmit_<ConnectionName>(data,len),
2013, Vector Informatik GmbH
Version: 3.14.00
61 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
TpTransmit_<ConnectionName>(TA,data,len),
TpTransmit_<ConnectionName>(AE,data,len),
TpTransmit_<ConnectionName>(TA,AE,data,len),

or directly the referenced functions:
TpTransmitNormal (AI, data, len),
TpTransmitExtended (AI, TA, data, len),
TpTransmitNormalFixed(AI, TA, data, len),
TpTransmitMixed11 (AI, AE, data, len),
TpTransmitMixed29 (AI, TA, AE, data, len).

Please refer to the API description in
chapter 4.

TpTxGetDataBuffer
available for application usage
TpTxGetDataIndex
TpTxResetChannel
TpTxGetSTminInFrame
TpTxPrepareSendImmediate
TpTxSendImmediate
TpRxSetStrictFlowControl
1.) Note: The Locking and Unlocking of tpChannels is no longer necessary. Due to the possibility to configure
a connection with a dedicated exclusive tpChannel the tpChannel resource is ‘locked’ implicitly.

 New API functions for Dispatched classes:
Please find a more detailed description in chapter 4.

TpTransmitNormal( AI_handle,data,len) Instead of using the addressing type
specific transmit functions we recommend
TpTransmitExtended( AI_handle,data,len) to use the connection specific macros
TpTransmitNormalFixed( AI_handle,data,len) which are generated.
TpTransmitMixed11( AI_handle,data,len
TpTransmitMixed29( AI_handle,data,len

2013, Vector Informatik GmbH
Version: 3.14.00
62 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4  API
4.1
Use of ISO15765-Transport Protocol
Please use the services of the ISO15765 Transport Protocol in your application according
to the instructions in this manual.
Please  include  the  tpmc.h  definition  file  in  all  modules  requiring  Transport  Protocol
Services.  All  available  services,  the  types  for  the  interface,  and  symbolic  constants  are
defined in this file.
After a power on reset and before any other call of the Transport Protocol the function void
TpInitPowerOn(void)  has  to  be  called.  The  main  program  of  the  Transport  Protocol
TpTxTask() and TpRxTask() has to be called periodically by the application.
All other services  of the Transport Protocol are called on those points  in  your application
where services are required.

4.2
Functions of the Transport Protocol
Field description of the following tables
Name of the function
Prototype
SingleConnectionTp

Function prototype for SingleConnectionTP
MultipeConnectionTP

Function prototype for MultipleConnectionTP
Parameter
Name of the parameter
Description of the parameter
Return code
name
Meaning of the return code
Availability
The API is included in all versions, except a restriction is given here
Description
Explanation of the functionality
Pre-condition(s)
Required preconditions before the function can be used.
Post-condition(s)
If a state change was done, it will be described here
Call context
The restrictions from where the function can be used are described here.
2013, Vector Informatik GmbH
Version: 3.14.00
63 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Please note
Some additional notes
Examples
A short code example is given

4.2.1
Administrative Functions
4.2.1.1
TpInitPowerOn: Initialization
TpInitPowerOn
Prototype
SingleConnectionTp

void TpInitPowerOn  ( void )
MultipeConnectionTP

void TpInitPowerOn  ( void )
Parameter
-
-
Return code
-
-
Availability
No restrictions
Description
Power On Initialization of the TP. This function has to be called before all other functions of the Transport
Protocol once after Power On.
Pre-condition(s)
Global interrupts are disabled and CAN-driver with function CanInitPowerOn() and are initialized
correctly.
Post-condition(s)
The Transport Layer is ready for reception after calling TpInitPowerOn().
Call context
Background-loop level with global disabled interrupts
Please note
Call the TpInitPowerOn() before the application wants to reserve own dynamic transmission objects.
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
64 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.1.2
TpInit: Re-initialization
TpInit
Prototype
SingleConnectionTp

void TpInit  ( void )
MultipeConnectionTP

void TpInit ( void )
Parameter
-
-
Return code
-
-
Availability
No restrictions
Description
The Transport Layer is re-initialized after calling TpInit().
Pre-condition(s)
TpInitPowerOn() was called before. No TP functionality is used at this time.
Post-condition(s)
The Transport Layer is re-initialized after calling TpInit().
Call context
Background-loop level with global disabled interrupts
Please note
-
Examples
-

4.2.1.3
TpTask:  Observing timing conditions
TpTask
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE TpTask(void)
MultipeConnectionTP

void TP_API_CALL_TYPE TpTask(void)
Parameter
-
-
2013, Vector Informatik GmbH
Version: 3.14.00
65 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
-
-
Availability
No restrictions
Description
Function calls both TpRxTask and TpTxTask in correct order.
Pre-condition(s)
TpInitPowerOn() was called before.
Post-condition(s)
-
Call context
Cyclic task base.
Please note
-
Examples
-

4.2.1.4
TpCanChannelInit: CAN channel specifiic re-initialization
TpCanChannelInit
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE TpCanChannelInit(canuint8
canChannel)
MultipeConnectionTP

void TP_API_CALL_TYPE TpCanChannelInit(canuint8
canChannel)
Parameter
canChannel
-
Return code
-
-
Availability
Since TPMC version 2.41
Description
Any reception / transmission on this CAN channel will be stopped. If a connection was running the
application will be informed by calling the function ApplTpXxErrorIndication().
Pre-condition(s)
TpInitPowerOn() was called before. No TP functionality is used at this time.
2013, Vector Informatik GmbH
Version: 3.14.00
66 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
All running TP channels on this CAN channel are re-initialized.
Call context
Background-loop level with global disabled interrupts
Please note
-
Examples
-

4.2.1.5
TpRxTask: time base for reception timeouts
TpRxTask
Prototype
SingleConnectionTp

void TpRxTask(void)
MultipeConnectionTP

void TpRxTask(void)
Parameter
-
-
Return code
-
-
Availability
No restrictions
Description
The function TpRxTask() has to be called periodically (cycle time TTpRxCallCycle) by the application. This
function performs all Rx-Tasks of the Transport Layer and monitors the timings.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
Background-loop level or OSEK-osTask with low priority.
Important note: This function must not be called in interrupt context!
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
67 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.1.6
TpTxTask: time base for timeouts/transmission
TpTxTask
Prototype
SingleConnectionTp

void TpTxTask(void)
MultipeConnectionTP

void TpTxTask(void)
Parameter
-
-
Return code
-
-
Availability
No restrictions
Description
The function TpTxTask() has to be called periodically (cycle time TTpTxCallCycle) by the application. This
function performs all Tx-Tasks of the Transport Layer and monitors the timings.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
Background-loop level or OSEK-OSTask with low priority.
Important note: This function must not be called in interrupt context!
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
68 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.1.7
TpRxStateTask: optional transmission retry
TpRxStateTask
Prototype
SingleConnectionTp

void TpRxStateTask(void)
MultipeConnectionTP

void TpRxStateTask(vuint8 tpChannel)
Parameter
tpChannel
-
Return code
-
-
Availability
Since TPMC version 2.35
Description
The function TpRxStateTask() can be called optionally by the application. This function performs the link
from the Transport Layer to the CAN-Driver.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note

Examples
-

R

4.2.1.8
TpRxAllStateTask: optional transmission retry
TpRxAllStateTask
Prototype
SingleConnectionTp

void TpRxAllStateTask (void)
MultipeConnectionTP

void TpRxAllStateTask (void)
Parameter
-
-
2013, Vector Informatik GmbH
Version: 3.14.00
69 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
-
-
Availability
Since TPMC version 2.35
Description
The function TpRxAllStateTask() can be called optionally by the application. This function performs the
link from the Transport Layer to the CAN-Driver for all running Rx-connections.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.1.9
TpTxStateTask: optional transmission retry
TpTxStateTask
Prototype
SingleConnectionTp

void TpTxStateTask (void)
MultipeConnectionTP

void TpTxStateTask (vuint8 tpChannel)
Parameter
tpChannel
-
Return code
-
-
Availability
Since TPMC version 2.35
Description
The function TpTxStateTask() can be called optionally by the application. This function performs the link
from the Transport Layer to the CAN-Driver.
Pre-condition(s)
The TP is initialized with TpInitPowerOn ().
2013, Vector Informatik GmbH
Version: 3.14.00
70 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
-
Call context
-
Please note
It is prohibited to call TpTxStateTask () nested.
Examples
-

4.2.1.10 TpTxAllStateTask: optional transmission retry
TpTxAllStateTask
Prototype
SingleConnectionTp

void TpTxAllStateTask (void)
MultipeConnectionTP

void TpTxAllStateTask (void)
Parameter
tpChannel
-
Return code
-
-
Availability
Since TPMC version 2.35
Description
The function TpTxAllStateTask() can be called optionally by the application. This function performs the
link from the Transport Layer to the CAN-Driver for all running Tx-connections.
Pre-condition(s)
The TP is initialized with TpInitPowerOn ().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-
2013, Vector Informatik GmbH
Version: 3.14.00
71 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.2
Receive Functions
4.2.2.1
TpRxSetConnectionNumber: Assign a Connection-Number to a channel
TpRxSetConnectionNumber
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpRxSetConnectionNumber(vuint8 tpChannel,
void connection)
Parameter
tpChannel
Underlying tpChannel used for this connection.
connection
Connection number that shall be assigned to this tpChannel.
Return code
void
-
Availability
Only for dynamic TP classes
Description
This function assigns an application specific connection-number to this tpChannel.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
Use this function only inside the callback function ApplTpRxGetBuffer() !
Please note
-
Examples
-

4.2.2.2
TpRxGetConnectionNumber: Get the Corresponding Connection-Number
TpRxGetConnectionNumber
Prototype
SingleConnectionTp

-
MultipeConnectionTP
vuint8 TpRxGetConnectionNumber(vuint8 tpChannel)

2013, Vector Informatik GmbH
Version: 3.14.00
72 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Parameter
tpChannel
-
Return code
vuint8
-
Availability
Only for dynamic TP classes
Description
This function returns the connection-number, which is assigned to this tpChannel.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
This tpChannel is not reset and a connection-number was previously assigned to it by the application.
(See TpRxSetConnectionNumber())
Post-condition(s)
-
Call context
-
Please note
A correct value will only be returned, if a connection number was set previously in the callback function
ApplTpRxGetBuffer() with TpRxSetConnectionNumber().
Examples
-

4.2.2.3
TpRxGetAddressingFormat:  Get the current addressing type
TpRxGetAddressingFormat
Prototype
SingleConnectionTp

-
MultipeConnectionTP

canbittype TpRxGetAddressingFormat(canuint8
tpChannel)
Parameter
tpChannel
Underlying TP channel
Return code

One of the following constants (canbittype:3):
#define kTpNormalAddressing
#define kTpExtendedAddressing
#define kTpNormalFixedAddressing
#define kTpMixed29Addressing
#define kTpMixed11Addressing

2013, Vector Informatik GmbH
Version: 3.14.00
73 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
Only for Multiple Addressing TP
Description
This macro is used to retrieve the required addressing information in a multiple addressing environment.
Using a dispatcher in combination with the macro function it is possible to distinguish inside the TPMC
callback function set between the different addressing types and handle additional pertaining information.

Pre-condition(s)
A TP Channel is successful allocated.
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.4
TpRxGetAssignedDestination: Get the currently assigned destination
TpRxGetAssignedDestination
Prototype
SingleConnectionTp

-
MultipeConnectionTP

canbittype TpRxGetAssignedDestination(canuint8
tpChannel)
Parameter
tpChannel
Underlying tp channel
Return code

One of the following constants (canbittype:3):
#define kTpRequestAppl // Application
#define kTpRequestDiagFunctional // Functional Diag.
#define kTpRequestDiagPhysical // Physical Diag.
is delivered to differentiate between application, functional or physical diagnostic
requests.
Availability
Only for Multiple Addressing TP
2013, Vector Informatik GmbH
Version: 3.14.00
74 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Description
This macro is used to retrieve the required destination information in a multiple addressing environment.
Using a dispatcher in combination with the macro function it is possible to distinguish inside the TPMC
callback function set between the different destinations and handle the correct dispatching of the message
to the pertaining destination.

Pre-condition(s)
A tpChannel is successful allocated.
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.5
TpRxResetChannel: Free Rx-TpChannel
TpRxResetChannel
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE TpRxResetChannel(void)
MultipeConnectionTP

void TP_API_CALL_TYPE TpRxResetChannel(canuint8
tpChannel)
Parameter
tpChannel
-
Return code
-
-
Availability
No restriction
Description
Each time a transport-frame was received the used channel is blocked. To receive another transport-frame
on this channel the application has to free this channel.
This is, in case of an erroneous reception, not required for the TpRxErrorIndication() callback.
The function is called within or after the Rx-Indication - callback.
If the application calls the reset-function then the application itself is also responsible to handle the reset
values inside the application in further processing steps.
2013, Vector Informatik GmbH
Version: 3.14.00
75 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
Background-loop level or OSEK-OSTask with lower or same priority as TpTasks.
Please note
-
Examples
-

4.2.2.6
TpRxGetStatus: Rx-Channel Status
TpRxGetStatus
Prototype
SingleConnectionTp

vuint8 TpRxGetStatus(void)
MultipeConnectionTP

vuint8 TpRxGetStatus(vuint8 channel)
Parameter
channel
-
Return code
vuint8
kTpChannelInUse = 0x01
kTpChannelNotInUse =0x00
Availability
No restriction
Description
This function returns the actual status of the Rx-Channel.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
The returned status can have more than two values!
The InUse-Flag is always coded in the lowest bit (0x01)
2013, Vector Informatik GmbH
Version: 3.14.00
76 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Examples
Because it is a status-field there are two possibilities for checking if the channel is InUse:

if ( TpRxGetStatus(user_channel) != kTpChannelNotInUse )
{
...
or:
if ( TpRxGetStatus(user_channel) & kTpChannelInUse )
{
...

4.2.2.7
TpRxSetBS: Setting up BlockSize on Reception Side
TpRxSetBS
Prototype
SingleConnectionTp

void TpRxSetBS(vuint8 newBlockSize)
MultipeConnectionTP

void TpRxSetBS(vuint8 channel, vuint8
newBlockSize)
Parameter
newBlockSize
-
channel

Return code
-

Availability
Extended API-BS must be activated
Description
The BlockSize-Value within the FlowControl can be adjusted by this function.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
77 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.2.8
TpRxGetBS: Get BlockSize on Reception Side
TpRxGetBS
Prototype
SingleConnectionTp

vuint8 TpRxGetBS(void)
MultipeConnectionTP

vuint8 TpRxGetBS(vuint8 channel)
Parameter
channel
-
Return code
-

Availability
Extended API-BS must be activated
Description
The BlockSize-Value within the FlowControl can be read by this function.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



4.2.2.9
TpRxSetSTMIN: Setting up STMin time on Reception Side
TpRxSetSTMIN
Prototype
SingleConnectionTp

void TpRxSetSTMIN(vuint8 newSTMinSize)
MultipeConnectionTP

void TpRxSetSTMIN(vuint8 channel, vuint8
newSTMinSize)
Parameter
Channel
-
2013, Vector Informatik GmbH
Version: 3.14.00
78 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
newSTMinSize

Return code
-

Availability
Extended API-STMIN must be activated
Description
The STmin-Value within the FlowControl can be adjusted by this function.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.10 TpRxGetSTMIN: Get STMin time on Reception Side
TpRxGetSTMIN
Prototype
SingleConnectionTp

vuint8 TpRxGetSTMIN(void)
MultipeConnectionTP

vuint8 TpRxGetSTMIN(vuint8 channel)
Parameter
Channel
-
Return code
-

Availability
Extended API-STMIN must be activated
Description
The STmin-Value within the FlowControl can be read by this function.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
2013, Vector Informatik GmbH
Version: 3.14.00
79 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.11 TpRxGetChannelID: Get Received CAN-Id
TpRxGetChannelID
Prototype
SingleConnectionTp

-
MultipeConnectionTP

vuint16 TpRxGetChannelID(vuint8 channel)
Parameter
Channel
-
Return code

CAN-ID
Availability
Only for dynamic TP class: Normal Addressing.
Description
This function returns the CAN-Identifier, of the last transport-frame
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
80 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.2.12  TpRxGetChannelExtID: Get Received Extended CAN-Id
TpRxGetChannelExtID
Prototype
SingleConnectionTp

-
MultipeConnectionTP

vuint32 TpRxGetChannelExtID(vuint8 channel)
Parameter
Channel
-
Return code

Extended CAN-ID
Availability
For
- Dynamic TP class Normal Addressing and
- Dispatched Normal Multi TP
Description
This function returns the extended CAN-Identifier, of the last transport-frame
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.13  TpRxGetCanChannel: Get physical CAN channel
TpRxGetCanChannel
Prototype
SingleConnectionTp

-
MultipeConnectionTP

vuint8 TpRxGetCanChannel(vuint8 channel)
Parameter
Channel
-
2013, Vector Informatik GmbH
Version: 3.14.00
81 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
-

Availability
Only multiple CAN-channel systems
Description
This function returns the (physical) CAN-channel, through which the last transport-frame has been received.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.14 TpRxGetSourceAddress: Get received Source Address
TpRxGetSourceAddress
Prototype
SingleConnectionTp

vuint8 TpRxGetSourceAddress(void)
MultipeConnectionTP

vuint8 TpRxGetSourceAddress(vuint8 channel)
Parameter
Channel
-
Return code
-

Availability
Only for dynamic TP classes: Extended- and Normal Fixed Addressing
Description
This function returns the destination address, which has been received in the last transport-frame.
Pre-condition(s)
The TP is initialized with TpInitPowerOn()
Post-condition(s)
-
2013, Vector Informatik GmbH
Version: 3.14.00
82 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Call context
-
Please note
-
Examples
-



4.2.2.15  TpRxGetReceivedTargetAddress: Get received Target Address
TpRxGetReceivedTargetAddress
Prototype
SingleConnectionTp
vuint8 TpRxGetReceivedTargetAddress(void)

MultipeConnectionTP

vuint8 TpRxGetReceivedTargetAddress(vuint8
channel)
Parameter
Channel

Return code
TargetAddress

Availability
Only for TP classes: Extended-, Normal Fixed-, and Mixed addressing with the extended gateway API
enabled.
Description
This function returns the destination address, which has been received in the last transport-frame. Normally
it is only used for gateway applications.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



2013, Vector Informatik GmbH
Version: 3.14.00
83 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.2.16  TpRxGetEcuNumber: Get ECU Number
TpRxGetEcuNumber
Prototype
SingleConnectionTp

vuint8 TpRxGetEcuNumber(void)
MultipeConnectionTP

vuint8 TpRxGetEcuNumber(vuint8 channel)
Parameter
Channel
-
Return code
-

Availability
Multiple EcuNumber feature must be activated
Description
This function returns the ECU Number, which has been received in the last transport-frame.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



4.2.2.17  TpRxGetParameterGroupIdentification: Get Identification of PGN
TpRxGetParameterGroupIdentification
Prototype
SingleConnectionTp

vuint8 TpRxGetParameterGroupIdentification(void)
MultipeConnectionTP

vuint8
TpRxGetParameterGroupIdentification(vuint8
channel)
2013, Vector Informatik GmbH
Version: 3.14.00
84 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Parameter
Channel
-
Return code
-

Availability
Caution
Currently not available.

Only for dynamic TP class: Normal Fixed Addressing with extended API

Description
This function returns the Identification of the Parameter Group, which has been received in the last
transport-frame.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.18 TpRxSetBufferOverrun: Enable partial acceptance
TpRxSetBufferOverrun
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE TpRxSetBufferOverrun(void)
MultipeConnectionTP

void TP_API_CALL_TYPE
TpRxSetBufferOverrun(canuint8 tpChannel)
Parameter
Channel
-
Return code
-

Availability
Since TPMC version 2.41.00. The buffer overrun feature must be enabled
2013, Vector Informatik GmbH
Version: 3.14.00
85 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Description
A reception can be received without copying the received data. This could be useful if the reception buffer is
too small, but the request must be received to reject it by a special response. The data of a Single- or
FirstFrame are copied, but no data are copied for ConsecutiveFrames. Due to this a buffer must be provided
with at least the maximum length of Single- or FirstFrame.
Pre-condition(s)
Only useful if a FF has been received
Post-condition(s)
-
Call context
Within function ApplTpRxGetBuffer()
Please note
-
Examples
-


4.2.2.19  TpRxSetTransmitID:   Set transmission CAN-Id
TpRxSetTransmitID
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TP_API_CALL_TYPE TpRxSetTransmitID
(canuint8 tpChannel, canuint16 transmitID)
Parameter
tpChannel
-
transmitID
CAN-ID
Return code
-

Availability
Only TP-class ‘Dynamic NormalAddressing MultiTP’
Description
While receiving a multiple frame request the TP needs the CAN-ID for the transmission of the FlowControl
message. Additionally the Diagnostic/TP will need it to calculate the response transmission
(TpTxSetResponse()), why it is necessary to set it each time ApplTpRxGetBuffer() gets called.
Pre-condition(s)
-
Post-condition(s)
Response can be calculated automatically by the Function TpTxSetResponse().
2013, Vector Informatik GmbH
Version: 3.14.00
86 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Call context
Within function ApplTpRxGetBuffer()
Please note
-
Examples
-

4.2.2.20 TpRxSetTransmitExtID: Set transmission Extended CAN-Id
TpRxSetTransmitExtID
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TP_API_CALL_TYPE TpRxSetTransmitExtID
(canuint8 tpChannel, canuint32 transmitID)
Parameter
tpChannel
-
transmitID
Extended CAN-ID (29 bits)
Return code
-

Availability
Only TP-class ‘Dynamic NormalAddressing MultiTP’ and
TP-class ‘Dispatched NormalAddressing MultiTP’
Description
While receiving a multiple frame request the TP needs the CAN-ID for the transmission of the FlowControl
message. Additionally the Diagnostic/TP will need it to calculate the response transmission
(TpTxSetResponse()), why it is necessary to set it each time ApplTpRxGetBuffer() gets called.
Pre-condition(s)
-
Post-condition(s)
Response can be calculated automatically by the Function TpTxSetResponse().
Call context
Within function ApplTpRxGetBuffer()
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
87 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.2.21  TpRxGetChannelIDType:   Get the type of the received CAN-Id
TpRxGetChannelIDType
Prototype
SingleConnectionTp

-
MultipeConnectionTP

canuint8 TP_API_CALL_TYPE TpRxGetChannelIDType
(canuint8 tpChannel)
Parameter
tpChannel
-
Return code
canuint8
Either kTpCanIdTypeStd (11-Bit) or kTpCanIdTypeExt (29-Bit).
Availability
Only TP-class ‘Dynamic NormalAddressing MultiTP’.
Description
If mixed CAN-IDs, as well 11-Bit identifiers as also 29-Bit identifiers are used during runtime then this API
can be used to get the type of the identifier.
Pre-condition(s)
-
Post-condition(s)
Response can be calculated automatically by the Function TpTxSetResponse().
Call context
Within function ApplTpRxGetBuffer()
Please note
-
Examples
-

4.2.2.22  TpRxGetAddressExtension: Get address extension information
TpRxGetAddressExtension
Prototype
SingleConnectionTp

canuint8 TP_API_CALL_TYPE
TpRxGetAddressExtension(void)
MultipeConnectionTP

canuint8 TP_API_CALL_TYPE
TpRxGetAddressExtension(canuint8 tpChannel)
2013, Vector Informatik GmbH
Version: 3.14.00
88 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Parameter
tpChannel
-
Return code
canuint8

Availability
For mixed 29-bit ID and 11-bit ID addressing
Description
This function returns the address extension information from the first byte.
Pre-condition(s)
Running reception. Valid after callback function ApplTpRxGetBuffer().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.2.23 TpRxGetCanBuffer: Get CAN buffer pointer
TpRxGetCanBuffer
Prototype
SingleConnectionTp

CanChipDataPtrTP_API_CALL_TYPE
TpRxGetCanBuffer(void);
MultipeConnectionTP

CanChipDataPtr TP_API_CALL_TYPE
TpRxGetCanbuffer(canuint8 tpChannel);
Parameter
tpChannel
-
Return code
-

Availability
Since TPMC version 2.41.00
Description
Returns a pointer to the first payload byte of the last received CAN frame in the hardware data buffer
2013, Vector Informatik GmbH
Version: 3.14.00
89 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Pre-condition(s)
Reception must be in progress
Post-condition(s)
-
Call context
-
Please note
-
Examples
-


4.2.2.24  TpRxSetWaitCorrectSN:  Force to wait for a correct sequence number
TpRxSetWaitCorrectSN
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE TpRxSetWaitCorrectSN
(tpBool wait);
MultipeConnectionTP

void TP_API_CALL_TYPE TpRxSetWaitCorrectSN
(canuint8 tpChannel, tpBool wait);
Parameter
tpChannel
-
wait
kTpTrue, kTpFalse
Return code
-

Availability
Since TPMC version 2.73.00.
Only for Dynamic TP.
The following constant must be defined via a user-config file:
#define TP_ENABLE_DYN_AWAIT_CORRECT_SN
Description
The behaviour of the TPMC component in case of a wrong or missing sequence number can be changed:
By default (wait = kTpFalse) the TPMC behaviour is like described in ISO 15765-2.
By setting the ‘wait’ parameter to  ‘kTpTrue’ the behaviour can be changed in the way that TPMC does not
re-init the connection, but ignores the current frame and continues waiting for the correct sequence number.
Pre-condition(s)
-
Post-condition(s)
-
2013, Vector Informatik GmbH
Version: 3.14.00
90 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Call context
Within function ApplTpRxGetBuffer().
Please note
-
Examples
-

4.2.2.25  TpRxSetTimeoutConfirmation:  Set CAN confirmation timeout
TpRxSetTimeoutConfirmation
Prototype
SingleConnectionTp

MultipeConnectionTP

void TP_API_CALL_TYPE
TpRxSetTimeoutConfirmation(canuint8 tpChannel,
tTpEngineTimer time);
Parameter
tpChannel
-
time
In timer ticks. The TpTask cycle time is equivalent to one timer tick.
Return code
-

Availability
Since TPMC version 2.73.00.
Only for Dynamic Multi TP.
The following constant must be defined via a user-config file:
#define TP_ENABLE_DYN_CHANNEL_TIMING.
Description
The CAN message confirmation timeout  value (N_Ar) can be changed dynamical.
Pre-condition(s)
A tpChannel is successful allocated.
Post-condition(s)
-
Call context
Within function ApplTpRxGetBuffer().
Please note
-
Examples
-
2013, Vector Informatik GmbH
Version: 3.14.00
91 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

4.2.2.26  TpRxSetTimeoutCF:  Set Consecutive Frame confirmation timeout
TpRxSetTimeoutCF
Prototype
SingleConnectionTp

MultipeConnectionTP

void TP_API_CALL_TYPE TpRxSetTimeoutCF(canuint8
tpChannel, tTpEngineTimer time);
Parameter
tpChannel
-
time
In timer ticks. The TpTask cycle time is equivalent to one timer tick.
Return code
-

Availability
Since TPMC version 2.73.00.
Only for Dynamic Multi TP.
The following constant must be defined via a user-config file:
#define TP_ENABLE_DYN_CHANNEL_TIMING.
Description
The CF timeout  value (N_Cr) can be changed dynamical.
Pre-condition(s)
A tpChannel is successful allocated.
Post-condition(s)
-
Call context
Within function ApplTpRxGetBuffer().
Please note
-
Examples
-

4.2.2.27  TpRxSetFCStatus:  set up Flow Control on reception side
TpRxSetFCStatus
Prototype
SingleConnectionTp

void TpRxSetFCStatus(canuint8 FCStatus)
MultipeConnectionTP
2013, Vector Informatik GmbH
Version: 3.14.00
92 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

void TpRxSetFCStatus(canuint8 tpChannel,
canuint8 FCStatus)
Parameter
FCStatus
KTpFCClearToSend
kTpFCStatusWait
kTpFCSupressFrame
kTpFCStatusOverflow
tpChannel

Return code

None
Availability
Only available with at least one of the following switches defined:
#define TP_ENABLE_FC_WAIT
#define TP_ENABLE_FC_SUPRESS
#define TP_ENABLE_FC_OVERFLOW
Each of these defines corresponds to the belonging status.
Description
The Flow Control content and also the further behaviour can be adjusted by this function.
By default the FC status is set to ‘kTpFCClearToSend’.
In case of ‘kTpFCStatusWait’ WaitFrames are sent until an explicit clear to send is initiated with the
corresponding API function ‘TpRxSetClearToSend()’.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May only be used within the application callback ‘ApplTpRxGetBuffer()’.
Please note
-

4.2.2.28 TpRxGetFCStatus: get the Flow Control setup on reception side
TpRxGetFCStatus
Prototype
SingleConnectionTp

canuint8 TpRxGetFCStatus(void)
MultipeConnectionTP

canuint8 TpRxGetFCStatus(canuint8 tpChannel)
Parameter
tpChannel

2013, Vector Informatik GmbH
Version: 3.14.00
93 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
canuint8
One of the possible status constants:
o  kTpFCClearToSend,
o  kTpFCStatusWait,
o  kTpFCSupressFrame,
o  kTpFCStatusOverflow
Availability
Only available with at least one of the following switches defined:
#define TP_ENABLE_FC_WAIT
#define TP_ENABLE_FC_SUPRESS
#define TP_ENABLE_FC_OVERFLOW
Each of these defines corresponds to the belonging status.
Description
The Flow Control content and also the further behaviour of the TP component depends on the FC status.
With this function the effective FC status can be questioned.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-

4.2.2.29  TpRxSetClearToSend:  proceed with the transmission after FC wait frames
TpRxSetClearToSend
Prototype
SingleConnectionTp

void TpRxSetClearToSend(canuint8 *pBuffer)
MultipeConnectionTP

void TpRxSetClearToSend(canuint8 tpChannel,
canuint8 *pBuffer)
Parameter
tpChannel

Return code

None
2013, Vector Informatik GmbH
Version: 3.14.00
94 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
Only available with the following switch defined:
#define TP_ENABLE_FC_WAIT
Description
When a request that was delayed previously by sending WaitFrames is now ready for reception, then the
reception can be started with this function.
The already received data is handed to the application buffer passed as parameter and the transmission of
a FC(CTS) is initiated.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
An activation of the WaitFames with a previous call of ‘TpRxSetFCStatus(kTpFCStatusWait)’ must have be
done and must still be active (the effective FC status delivered by TpRxGetFCStatus() is
‘kTpFCStatusWait’.), otherwise this function has no effect.
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-

4.2.2.30  TpRxWithoutFC:  suppress FC frame usage at the Rx side
TpRxWithoutFC
Prototype
SingleConnectionTp

MultipeConnectionTP
void TP_API_CALL_TYPE TpRxWithoutFC(canuint8 tpChannel)

Parameter
tpChannel

Return code

None
Availability
Only available for dynamic Tp classes and with the following switch set to kTpOn:
#define TP_USE_RX_CHANNEL_WITHOUT_FC  kTpOn
2013, Vector Informatik GmbH
Version: 3.14.00
95 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Description
If the usage of Flow Control frames on the Rx side shall be avoided then the enabling of this feature can be
used to suppress all further FC frames within a distinct reception.
In this case the suppression of FC frames must be disabled for each new reception by calling this API
function for the belonging tpChannel within the  ApplTpRxGetBuffer() callback function.
For the reception of Single Frames this aspect is irrelevant.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
Use this function only inside the callback function ApplTpRxGetBuffer() !
Please note
-
Examples
-

4.2.2.31  TpRxSetPGN: Set Parameter Group Number
TpRxSetPGN
Prototype
SingleConnectionTp

void TpRxSetPGN(vuint8 pgn)
MultipeConnectionTP

void TpRxSetPGN(vuint8 tpChannel, vuint8 pgn)
Parameter
tpChannel
-
pgn
Parameter Group Number to be used
Return code
-

Availability
Only for dynamic TP class Normal Fixed or Mixed-29 addressing.
Description
This function sets the Parameter Group Number (bit no. 16 - 23) within an extended 29 bit CAN-Identifer to
be used for the re-transmission of Flow Control frames for the current reception channel in case of a multi
frame reception.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
2013, Vector Informatik GmbH
Version: 3.14.00
96 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Call context
-
Please note
-
Examples
-


4.2.2.32  TpRxSetPriorityBits: Set Priority, Data Page and Reserved bits
TpRxSetPriorityBits
Prototype
SingleConnectionTp

void TpRxSetPriorityBits(vuint8 prio,
vuint8 res,
     vuint8 dataPage)
MultipeConnectionTP

void TpRxSetPriorityBits(vuint8 tpChannel,
vuint8 prio,
vuint8 res,
vuint8 dataPage)
Parameter
tpChannel
-
prio
Priority bits to be used (3 bits from bit position 26-28)
res
Reserved bit to be used (1 bit on bit position 25)
dataPage
Data Page bit to be used (1 bit on bit position 24)
Return code
-

Availability
Only for dynamic TP class Normal Fixed or Mixed-29 addressing.
Description
This function sets beside the Priority Bits (bit no. 26,27,28) also the bits for the ‘Reserved’ bit position (no.
25) and the ‘Data Page’ bit position (no. 24)  within an extended 29 bit CAN-Identifer to be used for the
retransmission of Flow Control frames for the current reception channel in case of a multi frame reception.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
2013, Vector Informatik GmbH
Version: 3.14.00
97 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Please note
-
Examples
-

4.2.3
Transmit Functions
4.2.3.1
TpTxGetFreeChannel: Assign Channel to Connection
TpTxGetFreeChannel
Prototype
SingleConnectionTp

-
MultipeConnectionTP

vuint8 TpTxGetFreeChannel(vuint8 connection)
Parameter
connection
-
Return code
vuint8

Availability
Only for dynamic TP classes.
Description
This function returns a free channel handle, if possible. If no channel was free the return value will be
kTpNoChannel. The Transport Layer assigns the connection-number to the channel.
The application has got the possibility to get the connection-number by using the function
TpTxGetConnectionNumber(channel).
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
Within function ApplTpRxGetBuffer().
Please note
The connection-numbers starting at 0xf0 are reserved for internal usage.
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
98 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.3.2
TpTxGetConnectionNumber: Get the assigned Connection-Number
TpTxGetConnectionNumber
Prototype
SingleConnectionTp

-
MultipeConnectionTP

vuint8 TpTxGetConnectionNumber(vuint8 channel)
Parameter
channel
-
Return code
vuint8

Availability
Only for dynamic TP classes.
Description
This function returns the connection-number which is assigned to this channel.
The application has got the possibility to assign the connection-number by using the function
TpTxGetFreeChannel(connectionNumber).
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.3
TpTxGetConnectionStatus: Get the Connection Status
TpTxGetConnectionStatus
Prototype
SingleConnectionTp

-
MultipeConnectionTP

vuint8 TpTxGetConnectionStatus(vuint8
connection)
2013, Vector Informatik GmbH
Version: 3.14.00
99 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Parameter
connection
-
Return code
vuint8

Availability
Only for dynamic TP classes.
Description
This function returns the corresponding channel-number if it exits. If no channel is assigned to this
connection the return value is kTpNoChannel.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.4
TpTxGetTargetAddress: Get the target address used for transmission
TpTxGetTargetAddress
Prototype

TpTxGetTargetAddress(canuint8 tpChannel)
Parameter
tpChannel

Return code
canuint8
Target address.
Availability
Only available for “Dispatched Multi TP” classes and NormalFixed-, Extended- or Mixed- Addressing type.
One of the following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_FIXED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_EXTENDED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
Description
This API function enables the application to appoint confirmations to previously issued transmissions.
Without this API the appointment of confirmations with parallel transmissions and Normal Fixed, Mixed or
Extended addressing is not possible with “Dispatched Multi TP”.
2013, Vector Informatik GmbH
Version: 3.14.00
100 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

4.2.3.5
TpTxGetDataBuffer: Get the assigned Data Buffer
TpTxGetDataBuffer
Prototype
SingleConnectionTp

vuint8 TpTxGetDataBuffer (void)
MultipeConnectionTP

vuint8 TpTxGetDataBuffer (vuint8 channel)
Parameter
channel
-
Return code
vuint8

Availability
Only for dynamic TP classes.
Description
This function returns the pointer to the buffer which is assigned to this channel.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-
2013, Vector Informatik GmbH
Version: 3.14.00
101 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

4.2.3.6
TpTxGetDataIndex: Get the assigned Data Index
TpTxGetDataIndex
Prototype
SingleConnectionTp

vuint8 TpTxGetDataIndex (void)
MultipeConnectionTP

vuint8 TpTxGetDataIndex (vuint8 channel)
Parameter
channel
-
Return code
vuint8

Availability
No restrictions
Description
This function returns the current offset into the buffer which is assigned to this channel.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.7
TpTxSetChannelID: Set the CAN Transmit Id
TpTxSetChannelID
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpTxSetChannelID(vuint8 channel,
  vuint16 transmitID,
  vuint16 receiveID)
2013, Vector Informatik GmbH
Version: 3.14.00
102 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Parameter
Channel
-
transmitID

receivedID

Return code
-

Availability
Only for dynamic TP class: Normal Addressing
Description
This function sets the transmit CAN-Identifier for the next call of TpTransmit(). Also the receive CAN-
Identifier (must be unique) to the corresponding FlowControl is set.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.8
TpTxSetChannelExtID: Set the CAN Transmit Extended Id
TpTxSetChannelExtID
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpTxSetChannelExtID(vuint8 channel,
vuint32 transmitID,
vuint32 receiveID)
Parameter
Channel
-
transmitID

receivedID

Return code
-

2013, Vector Informatik GmbH
Version: 3.14.00
103 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
For
- Dynamic TP class Normal Addressing and
- Dispatched Normal Multi TP
Description
This function sets the transmit extended CAN-Identifier (29 bits) for the next call of TpTransmit(). Also
the receive extended CAN-Identifier (must be unique) to the corresponding FlowControl is set.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



4.2.3.9
TpTxSetCanChannel: Set physical CAN Channel
TpTxSetCanChannel
Prototype
SingleConnectionTp

void TpTxSetCanChannel( vuint8 canChannel)
MultipeConnectionTP

void TpTxSetCanChannel(vuint8 channel,
vuint8 canChannel)
Parameter
Channel
-
canChannel
Return code
-

Availability
Only for multiple CAN-channel systems and dynamic TP class.
Description
This function sets the (physical) CAN-channel for the next call of TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
2013, Vector Informatik GmbH
Version: 3.14.00
104 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
-
Call context
-
Please note
-
Examples
-


4.2.3.10  TpTxSetTargetAddress: Set Target Address
TpTxSetTargetAddress
Prototype
SingleConnectionTp

void TpTxSetTargetAddress(vuint8 targetaddress)
MultipeConnectionTP

void TpTxSetTargetAddress(vuint8 channel,
  vuint8 targetaddress)
Parameter
Channel
-
targetaddress
Return code
-

Availability
Only for dynamic TP classes: Extended- and Normal Fixed Addressing
Description
This function sets the destination address for the next call of TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



2013, Vector Informatik GmbH
Version: 3.14.00
105 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.3.11  TpTxSetEcuNumber: Set ECU Number
TpTxSetEcuNumber
Prototype
SingleConnectionTp

void TpTxSetEcuNumber(vuint8 ecuNr)
MultipeConnectionTP

void TpTxSetEcuNumber(vuint8 channel,
  vuint8 ecuNr)
Parameter
Channel
-
ecuNr

Return code
-

Availability
Only for dynamic TP classes: Extended- and Normal Fixed Addressing
‘Multiple EcuNumber’ feature must be activated
Description
This function sets the ECU Number for the next call of TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-


4.2.3.12  TpTxSetBaseAddress: Set Base Address
TpTxSetEcuNumber
Prototype
SingleConnectionTp

MultipeConnectionTP

void TpTxSetBaseAddress(vuint8 channel,
  vuint8 baseAddress)
2013, Vector Informatik GmbH
Version: 3.14.00
106 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Parameter
Channel
-
baseAddress

Return code
-

Availability
Only for dynamic TP classes: Extended  Addressing
‘Multiple EcuNumber’ feature must be activated.
Description
This function sets the base address for the next call of TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-


4.2.3.13  TpTxSetParameterGroupIdentification: Set Identification of PGN
TpTxSetParameterGroupIdentification
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpTxSetParameterGroupIdentification(vuint8
channel,
     vuint8
identification)
Parameter
Channel
-
identification

Return code
-

2013, Vector Informatik GmbH
Version: 3.14.00
107 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
Caution
Currently not available.

Only for dynamic TP class: Normal Fixed Addressing with extended API

Description
This function sets the Identification of the ParameterGroup for the next call of TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.14 TpTxSetPriority: Set Priority of the CAN-Frame
TpTxSetPriority
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpTxSetPriority(vuint8 channel,
vuint8 priority)
Parameter
Channel
-
priority

Return code
-

Availability
Caution
Currently not available.

Only for dynamic TP class: Normal Fixed Addressing with extended API

Description
This function sets the Priority of the CAN-Frame for the next call of TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
2013, Vector Informatik GmbH
Version: 3.14.00
108 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.15 TpTxSetResponse: Assemble a Response
TpTxSetResponse
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpTxSetResponse(vuint8 rxChannel,
vuint8 txChannel)
Parameter
rxChannel
-
txChanel

Return code
-

Availability
Only for dynamic TP classes.
Description
This function assembles a Response based on a received transport-frame for the next call of
TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
109 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.3.16  TpTransmit: Send a Message
TpTransmit
Prototype
SingleConnectionTp

vuint8 TpTransmit(vuint8* data,
  vuint16 count)
MultipeConnectionTP

vuint8 TpTransmit (vuint8  tpChannel,
vuint8* data,
vuint16 count)
Parameter
tpChannel

Data
Pointer to the data buffer that shall be transmitted.
count
Number of bytes to be transmitted.
Return code
vuint8
kTpSuccess: No transmission in progress (ready to send)
kTpBusy:   Transmission in progress
kTpFailed: If the data length is zero or the tpChannel is not allocated.
Availability
No restrictions
Description
Send a message.
The Transport Layer decides which transmission protocol (SingleFrame with up to 6/7 data bytes depending
on the addressing type) is used by checking the given count.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
After a transmission the channel is released, except the channel is explicitly locked.
Since version 2.35 the transmission request will be only queued within the context of TpTransmit. The
transmission to the bus starts within the TpTxStateTask (TpTxTask) calls.
kTpFailed: In previous versions (2.34.xx and earlier) it is possible that TpTransmit returns ‘kTpFailed’,
because the CANdriver (CanTransmit returns failed) is busy. Starting with version 2.35.00 only dynamic TP-
classes return this value in case of wrong attributes/parameters.
kTpBusy: A transmission is already running or GenMsgDelayTime is not kept.
kTpSuccess: Successful queued message that will be transmitted with the next task cycle.
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
110 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.3.17 TpTxLockChannel: Lock Channel
TpTxLockChannel
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpTxLockChannel(vuint8 channel)
Parameter
channel
-
Return code
-

Availability
Only for dynamic TP classes.
Description
If a channel is locked, it will not be released after a transmission.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.18 TpTxUnlockChannel: Unlock TX Channel
TpTxUnlockChannel
Prototype
SingleConnectionTp

-
MultipeConnectionTP

void TpTxUnlockChannel(vuint8 channel)
Parameter
channel
-
2013, Vector Informatik GmbH
Version: 3.14.00
111 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
-

Availability
Only for dynamic TP classes.
Description
Unlock the lock of the channel. The channel will be released with the next call of TpTxResetChannel() or
TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.19 TpTxResetChannel: Free TX-Channel
TpTxResetChannel
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE TpTxResetChannel(void)
MultipeConnectionTP

void TP_API_CALL_TYPE TpTxResetChannel(canuint8
tpChannel)
Parameter
tpChannel
-
Return code
-

Availability
No rectrictions
Description
The channel will be released by the Transport Layer. At the next call of TpTxGetFreeChannel() it can be
assigned to another connection.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
2013, Vector Informatik GmbH
Version: 3.14.00
112 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
-
Call context
Background-loop level or OSEK-OSTask with lower priority as TpTasks.
Please note
The tpChannel will be released in any case and immediately.
If a transmission is in progress the application will be informed by calling the function
ApplTpTxErrorIndication().
Examples
-

4.2.3.20 TpTxSetAddressExtension: Set Address Extension information
TpTxSetAddressExtension
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE
TpTxSetAddressExtension(canuint8
addressExtension);
MultipeConnectionTP

void TP_API_CALL_TYPE
TpTxSetAddressExtension(canuint8 tpChannel,
canuint8 addressExtension);
Parameter
adressExtension
-
tpChannel

Return code
-

Availability
For mixed 29-bit ID and mixed 11-bit ID addressing
Description
This function is used to set the address extension information.
Pre-condition(s)
This function must be called in advance of calling TpTransmit().
Post-condition(s)
-
Call context
-
2013, Vector Informatik GmbH
Version: 3.14.00
113 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Please note
-
Examples
-



4.2.3.21  TpTxGetSTminInFrame:   Get STmin from FC frame
TpTxGetSTminInFrame
Prototype
SingleConnectionTp

canuint8 TP_API_CALL_TYPE
TpTxGetSTminInFrame(void)
MultipeConnectionTP

canuint8 TP_API_CALL_TYPE
TpTxGetSTminInFrame(canuint8 tpChannel)
Parameter
tpChannel
-
Return code
canuint8
STmin value
Availability
The STmin value must be taken out of the received FC frames (TP_USE_STMIN_OF_FC == kTpOn) and
the fast transmission feature (TP_USE_FAST_TX_TRANSMISSION == kTpOn) must be activated.
Description
Function is returning the STmin value of the last FC frame.
Pre-condition(s)
This function must be called in advance of calling TpTransmit().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
114 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.2.3.22  TpTxPrepareSendImmediate:   Prepare CF transmission by application
TpTxPrepareSendImmediate
Prototype
SingleConnectionTp

TP_EXTERNAL_INLINE canuint8 TP_API_CALL_TYPE
TpTxPrepareSendImmediate(void)
MultipeConnectionTP

TP_EXTERNAL_INLINE canuint8 TP_API_CALL_TYPE
TpTxPrepareSendImmediate(canuint8 tpChannel)
Parameter
tpChannel
-
Return code
canuint8
kTpSuccess, kTpFailed
Availability
The fast transmission feature (TP_USE_FAST_TX_TRANSMISSION) must be set to kTpOn.
Description
If the TP is not in the state for preparing a new CF-Frame (i.e. it is waiting for a FC) the function will return a
‘kTpFailed’. Otherwise if the preparation is successful it will return a ‘kTpSuccess’.
Note:   In the case of ‘kTpSuccess’ the application is responsible for the transmission of the next
ConsecutiveFrame. If the application does not call TpTxSendImmediate() the TP stays blocked.
Pre-condition(s)
-
Post-condition(s)
-
Call context
The call of this function is only allowed in the context of the TpTxCanMessageTransmitted() / ApplTpTxFC()
Hook-function.
Please note
-
Examples
-

4.2.3.23  TpTxSendImmediate: Start CF transmission by application
TpTxSendImmediate
Prototype
SingleConnectionTp

TP_EXTERNAL_INLINE void TP_API_CALL_TYPE
TpTxSendImmediate(void)
MultipeConnectionTP
2013, Vector Informatik GmbH
Version: 3.14.00
115 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

TP_EXTERNAL_INLINE void TP_API_CALL_TYPE
TpTxSendImmediate(canuint8 tpChannel)
Parameter

-
Return code

Availability
The fast transmission feature (TP_USE_FAST_TX_TRANSMISSION) must be set to kTpOn.
Description
Prepares the ConsecutiveFrame and calls the TpTxStateTask() to transmit the frame.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.24 TpTxSetAddressingFormat: Store the current addressing type
TpTxSetAddressingFormat
Prototype
MultipeConnectionTP

void TP_API_CALL_TYPE
TpTxSetAddressingFormat(canuint8 tpChannel,
SupportInfoStruct supportInfo)
Parameter
tpChannel
-
supportInfo

Return code

-
Availability
Multiple Addressing TP
2013, Vector Informatik GmbH
Version: 3.14.00
116 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Description
This function is used to prepare the required addressing information in a multiple addressing environment
and internally to assign a given connection to the right component.
#define kTpNormalAddressing
#define kTpExtendedAddressing
#define kTpNormalFixedAddressing
#define kTpMixed29Addressing
#define kTpMixed11Addressing
#define kTpRequestAppl // Application connection
#define kTpRequestDiagFunctional // Functional Diag connect.
#define kTpRequestDiagPhysical // Physical Diag connection
SupportInfoStruct supportInfo;
supportInfo.addressingFormat = kTpNormalAddressing;
supportInfo.assignedDestination = kTpRequestDiagPhysical;
TpTxSetAddressingFormat(DiagPhysChannel, supportInfo);
Pre-condition(s)
A tpChannel is successful allocated.
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.2.3.25  TpTxSetStrictFlowControl:  Enable/Disable ISO conformant FC handling
TpTxSetStrictFlowControl
Prototype
SingleConnectionTp

void TP_API_CALL_TYPE TpTxSetStrictFlowControl
(tpBool strict)
MultipeConnectionTP

void TP_API_CALL_TYPE TpRxSetStrictFlowControl
(canuint8 tpChannel, tpBool strict)
Parameter
tpChannel
-
strict
kTpTrue, kTpFalse
Return code

-
2013, Vector Informatik GmbH
Version: 3.14.00
117 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
Since TPMC version 2.73.00.
Only for Dynamic TP.
The following constant must be defined via a user-config file:
#define TP_ENABLE_FC_MSG_FLOW_DYN_CHECK.
Description
The behaviour of the TPMC component in case of a missing FC frame can be changed:
By default (strict = kTpTrue) the TPMC behaviour is like described in ISO 15765-2.
By setting the ‘strict’ parameter to  ‘kTpFalse’ the behaviour can be changed in the way  that TPMC does
not re-init the connection, but ignores the current frame in case of a missing FC.
Pre-condition(s)
A tpChannel is successful allocated.
Post-condition(s)
-
Call context
Call before TpTransmit()
Please note
-
Examples
-

4.2.3.26  TpTxSetTimeoutConfirmation:  Set the CAN confirmation timeout
TpTxSetTimeoutConfirmation
Prototype
SingleConnectionTp

MultipeConnectionTP

void TP_API_CALL_TYPE
TpTxSetTimeoutConfirmation(canuint8 tpChannel,
tTpEngineTimer time)
Parameter
tpChannel
-
Time
In timer ticks. The TpTask cycle time is equivalent to one timer tick.
Return code

-
2013, Vector Informatik GmbH
Version: 3.14.00
118 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
Since TPMC version 2.73.00.
Only for Dynamic Multi TP.
The following constant must be defined via a user-config file:
#define TP_ENABLE_DYN_CHANNEL_TIMING.
Description
The CAN message confirmation timeout (N_As) value can be changed dynamical.
Pre-condition(s)
A tpChannel is successful allocated.
Post-condition(s)
-
Call context
Call before TpTransmit().
Please note
-
Examples
-

4.2.3.27  TpTxSetTimeoutFC:  Set the FC confirmation timeout
TpTxSetTimeoutFC
Prototype
SingleConnectionTp

MultipeConnectionTP

void TP_API_CALL_TYPE TpTxSetTimeoutFC(canuint8
tpChannel, tTpEngineTimer time)
Parameter
tpChannel
-
Time
In timer ticks. The TpTask cycle time is equivalent to one timer tick.
Return code

-
Availability
Since TPMC version 2.73.00.
Only for Dynamic Multi TP.
The following constant must be defined via a user-config file:
#define TP_ENABLE_DYN_CHANNEL_TIMING.
Description
The FC timeout value (N_Bs) can be changed dynamical per channel.
2013, Vector Informatik GmbH
Version: 3.14.00
119 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Pre-condition(s)
A tpChannel is successful allocated.
Post-condition(s)
-
Call context
Call before TpTransmit().
Please note
-
Examples
-


4.2.3.28  TpTxWithoutFC:  suppress FC frame usage at the Tx side
TpTxWithoutFC
Prototype
SingleConnectionTp

MultipeConnectionTP
void TP_API_CALL_TYPE TpTxWithoutFC(canuint8 tpChannel)

Parameter
tpChannel

Return code

None
Availability
Only available for dynamic Tp classes and with the following switch set to kTpOn:
#define TP_USE_TX_CHANNEL_WITHOUT_FC  kTpOn
Description
If the usage of Flow Control frames on the Tx side shall be avoided then the enabling of this feature can be
used to suppress all further FC frames within a distinct transmission.
In this case the suppression of FC frames must be disabled for each new transmission by calling this API
function for the belonging tpChannel before calling TpTransmit.
For the transmission of Single Frames this aspect is irrelevant.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
Call from task context before calling TpTransmit.
2013, Vector Informatik GmbH
Version: 3.14.00
120 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Please note
-
Examples
-

4.2.3.29 TpTxSetPGN: Set Parameter Group Number
TpTxSetPGN
Prototype
SingleConnectionTp

void TpTxSetPGN(vuint8 pgn)
MultipeConnectionTP

void TpTxSetPGN(vuint8 tpChannel, vuint8 pgn)
Parameter
tpChannel
-
pgn
Parameter Group Number to be used
Return code
-

Availability
Only for dynamic TP class Normal Fixed or Mixed-29 addressing.
Description
This function sets the parameter group number (bit no. 16 - 23) within an extended 29 bit CAN-Identifer for
the next call of TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
121 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

4.2.3.30  TpTxSetPriorityBits: Set Priority, Data Page and Reserved bits
TpTxSetPriorityBits
Prototype
SingleConnectionTp

void TpTxSetPriorityBits(vuint8 prio,
vuint8 res,
vuint8 dataPage)
MultipeConnectionTP

void TpTxSetPriorityBits(vuint8 tpChannel,
vuint8 prio,
    vuint8 res,
vuint8 dataPage)
Parameter
tpChannel
-
prio
Priority bits to be used (3 bits from bit position 26-28)
res
Reserved bit to be used (1 bit on bit position 25)
dataPage
Data Page bit to be used (1 bit on bit position 24)
Return code
-

Availability
Only for dynamic TP class Normal Fixed or Mixed-29 addressing.
Description
This function sets beside the Priority Bits (bit no. 26,27,28) also the bits for the ‘Reserved’ bit position (no.
25) and the ‘Data Page’ bit position (no. 24) within an extended 29 bit CAN-Identifer for the next call of
TpTransmit().
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



2013, Vector Informatik GmbH
Version: 3.14.00
122 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.3
Dispatched Multi TP class API

4.3.1
TpGetConnectionGroup: Get the connection group identification
TpGetConnectionGroup
Prototype

TpGetConnectionGroup(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
kTpGroup<ConnectionName> constant
Availability
Only available for “Dispatched Multi TP” classes.
One of the following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_EXTENDED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_FIXED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MULTIPLE_ADDRESSING
Description
Deliver the appropriate connection group identification as a constant.
Pre-condition(s)
-
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
The TP is initialized with TpInitPowerOn().
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
123 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.3.2
TpGetAddressingType:  Get the addressing type identification
TpGetAddressingType
Prototype

TpGetAddressingType(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
One of the possible status constants:
kTpNormalAddressing,
kTpExtendedAddressing,
kTpNormalFixedAddressing,
kTpMixed29Addressing
Availability
Only available for “Dispatched Multi TP” classes and “Multiple Addressing” type.
The following switch must be defined:
#define TP_TYPE_MULTI_DISPATCHED_MULTIPLE_ADDRESSING
Description
Deliver the appropriate addressing type as a constant.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
124 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.3.3
TpGetCanChannel: Get the CAN channel
TpGetCanChannel
Prototype

TpGetCanChannel(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
Number of the CAN channel.
Availability
Only available for “Dispatched Multi TP” classes and multiple CAN channels configured.
One of the following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_EXTENDED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_FIXED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MULTIPLE_ADDRESSING

Description
Deliver the appropriate CAN channel.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
125 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.3.4
TpGetRxId:  Get the received CAN-Id
TpGetRxId
Prototype

TpGetRxId(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
CAN identifier.
Availability
Only available for “Dispatched Multi TP” classes and “Normal Addressing” type.
The following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_ADDRESSING
Description
Deliver the appropriate Rx CAN identifier.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

4.3.5
TpGetTxId:  Get the CAN-Id to be used for transmission
TpGetTxId
Prototype

TpGetTxId(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
CAN identifier.
2013, Vector Informatik GmbH
Version: 3.14.00
126 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
Only available for “Dispatched Multi TP” classes and “Normal Addressing” type.
The following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_ADDRESSING
Description
Deliver the appropriate Tx CAN identifier.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

4.3.6
TpGetBaseAddress: Get the Base Address
TpGetBaseAddress
Prototype

TpGetBaseAddress(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
Base address.
Availability
Only available for “Dispatched Multi TP” classes and “Extended Addressing” type.
The following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_EXTENDED_ADDRESSING
Description
Deliver the appropriate base address.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
2013, Vector Informatik GmbH
Version: 3.14.00
127 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

4.3.7
TpGetAddressOffest:  Get the Address Offset
TpGetAddressOffset
Prototype

TpGetAddressOffset(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
Address offset.
Availability
Only available for “Dispatched Multi TP” classes and “Extended Addressing” type.
The following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_EXTENDED_ADDRESSING
Description
Deliver the appropriate address offset.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
The address 0x06F0 is separated in 2 parts:
- base address  0x0600 and
- address offset 0x00F0

2013, Vector Informatik GmbH
Version: 3.14.00
128 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.3.8
TpGetPriority:  Get the priority info from a 29 bit CAN-Id
TpGetPriority
Prototype

TpGetPriority(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
Priority value (0..7)
Availability
Only available for “Dispatched Multi TP” classes and “NormalFixed Addressing” or “Mixed29” addressing
type.
The following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_FIXED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
Description
Deliver the appropriate address offset.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

4.3.9
TpGetPGN:  Get the parameter group identification from a 29 bit CAN-Id
TpGetPGN
Prototype

TpGetPGN(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
PGN value.
2013, Vector Informatik GmbH
Version: 3.14.00
129 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Availability
Only available for “Dispatched Multi TP” classes and “NormalFixed Addressing” or “Mixed29” addressing
type.
The following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_FIXED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
Description
Deliver the appropriate address offset.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

4.3.10  TpGetEcuNumber:  Get the ECU number
TpGetEcuNumber
Prototype

TpGetEcuNumber(canuint8 addressInfoHandle)
Parameter
addressInfoHandle

Return code
canuint8
ECU number.
Availability
Only available for “Dispatched Multi TP” classes and “NormalFixed Addressing” or “Mixed29” addressing
type.
The following switches must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_FIXED_ADDRESSING
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
Description
Deliver the appropriate ECU number.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
2013, Vector Informatik GmbH
Version: 3.14.00
130 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
-
Call context
May be used in application context.
Typically used in the application callback functions.
Please note
-
Examples
-

4.3.11 TpTransmit

There are two alternatives available to transmit data. Either you use the generated
connection specific TpTransmit macros or you use the addressing type specific functions
behind the macros.

4.3.11.1 TpTransmit connection specific macros
The data pointer (type canuint8) and the data length (type canuint16) are always
necessary. Depending on the addressing type additional information like the Target
Address (TA) for Extended / NormalFixed addressing or the Address Extension (AE) for
Mixed addressing is necessary.

Addressing
Macro name
Type
Normal
TpTransmit_<ConnectionName>(canuint8 data,
 canuint16 len)
Extended
TpTransmit_<ConnectionName>(canuint8 TA,
NormalFixed
 canuint8 data,
 canuint16 len)
Mixed29
TpTransmit_<ConnectionName>(canuint8 TA,
 canuint8 AE,
 canuint8 data,
 canuint8 len)

4.3.11.2 TpTransmitNormal: transmit function for normal addressing
TpTransmitNormal
Prototype

TpTransmitNormal(canuint8 addressInfoHandle,
canuint8 data,
canuint16 length)
2013, Vector Informatik GmbH
Version: 3.14.00
131 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Parameter
addressInfoHandle

data
Pointer to the transmit data.
length
Length of the transmit data (in bytes).
Return code
canuint8
kTpSuccess:   No transmission in progress (ready to send)
kTpBusy:        Transmission in progress
kTpFailed:      Data length is zero
kTpNoChannel: No TP channel available
Availability
Only available for “Dispatched Multi TP” classes.
The following switch must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_ADDRESSING
Description
Send the data with the given length to the CAN bus.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-

4.3.11.3  TpTransmitExtended:  transmit function for extended addressing
TpTransmitExtended
Prototype

TpTransmitExtended(canuint8  addressInfoHandle,
canuint8  TA,
canuint8  data,
canuint16 length)
Parameter
addressInfoHandle

TA
Target Address.
data
Pointer to the transmit data.
2013, Vector Informatik GmbH
Version: 3.14.00
132 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
length
Length of the transmit data (in bytes).
Return code
canuint8
kTpSuccess:   No transmission in progress (ready to send),
kTpBusy:       Transmission in progress,
kTpFailed:      Data length is zero,
kTpNoChannel: No TP channel available.
Availability
Only available for “Dispatched Multi TP” classes.
The following switch must be defined:
#define TP_TYPE_MULTI_DISPATCHED_EXTENDED_ADDRESSING
Description
Send the data with the given length to the CAN bus.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-

4.3.11.4  TpTransmitNormalFixed:  transmit function for NormalFixed addressing
TpTransmitNormalFixed
Prototype
TpTransmitNormalFixed(canuint8  addressInfoHandle,

  canuint8  TA,
  canuint8  data,
  canuint16 length)
Parameter
addressInfoHandle

TA
Target Address.
data
Pointer to the transmit data.
length
Length of the transmit data (in bytes).
2013, Vector Informatik GmbH
Version: 3.14.00
133 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
canuint8
kTpSuccess:  No transmission in progress (ready to send)
kTpBusy:       Transmission in progress
kTpFailed:     Data length is zero
kTpNoChannel: No tpChannel available
Availability
Only available for “Dispatched Multi TP” classes.
The following switch must be defined:
#define TP_TYPE_MULTI_DISPATCHED_NORMAL_FIXED_ADDRESSING
Description
Send the data with the given length to the CAN bus.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-

4.3.11.5  TpTransmitMixed29:  transmit function for Mixed-29 addressing
TpTransmitMixed29
Prototype

TpTransmitMixed29(canuint8  addressInfoHandle,
  canuint8  TA,
  canuint8  AE,
  canuint8  data,
  canuint16 length)
Parameter
addressInfoHandle

TA
Target Address.
AE
Address Extension.
data
Pointer to the transmit data.
length
Length of the transmit data (in bytes).
2013, Vector Informatik GmbH
Version: 3.14.00
134 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
canuint8
kTpSuccess:    No transmission in progress (ready to send),
kTpBusy:         Transmission in progress,
kTpFailed:       Data length is zero,
kTpNoChannel: No TP channel available.
Availability
Only available for “Dispatched Multi TP” classes.
The following switch must be defined:
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
Description
Send the data with the given length to the CAN bus.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-

4.3.11.6  TpTransmitMixed29:  transmit function for Mixed-29 addressing
TpTransmitMixed29
Prototype

TpTransmitMixed29(canuint8  addressInfoHandle,
  canuint8  TA,
  canuint8  AE,
  canuint8  data,
  canuint16 length)
Parameter
addressInfoHandle

TA
Target Address.
AE
Address Extension.
data
Pointer to the transmit data.
length
Length of the transmit data (in bytes).
2013, Vector Informatik GmbH
Version: 3.14.00
135 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
canuint8
kTpSuccess:    No transmission in progress (ready to send),
kTpBusy:         Transmission in progress,
kTpFailed:       Data length is zero,
kTpNoChannel: No TP channel available.
Availability
Only available for “Dispatched Multi TP” classes.
The following switch must be defined:
#define TP_TYPE_MULTI_DISPATCHED_MIXED_29_ADDRESSING
Description
Send the data with the given length to the CAN bus.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-


4.3.11.7  TpTransmitMixed11:  transmit function for Mixed-11 addressing
TpTransmitMixed29
Prototype

TpTransmitMixed11(canuint8  addressInfoHandle,
  canuint8  AE,
  canuint8  data,
  canuint16 length)
Parameter
addressInfoHandle

AE
Address Extension.
data
Pointer to the transmit data.
length
Length of the transmit data (in bytes).
2013, Vector Informatik GmbH
Version: 3.14.00
136 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code
canuint8
kTpSuccess:    No transmission in progress (ready to send)
kTpBusy:         Transmission in progress
kTpFailed:       Data length is zero
kTpNoChannel: No TP channel available
Availability
Only available for “Dispatched Multi TP” classes and at least one AI with mixed-11 as addressing type
The following switch must be defined:
#define TP_TYPE_MULTI_DISPATCHED_MULTIPLE_ADDRESSING
Description
Send the data with the given length to the CAN bus.
Pre-condition(s)
The TP is initialized with TpInitPowerOn().
Post-condition(s)
-
Call context
May be used in application context.
Please note
-
Examples
-

4.4
Application callback functions
In  the  Generation Tool  the  user  can define which  callback  functions  he  would  like  to  use
from the Transport Protocol. The names can be adjusted by the user. E.g. the prefix  User
can be used instead of Appl. These functions will only be provided, if they were configured
in the Generation Tool what can be done by entering a function name.
4.4.1
Reception side
4.4.1.1
ApplTpPrecopyCheck: Reception of TP-Frame
ApplTpPrecopyCheck
Prototype
Single Channel
Single Receive Channel
canuint8 ApplTpPrecopyCheck ( CanRxInfoStructPtr rxStruct )
Single Receive Buffer
canuint8 ApplTpPrecopyCheck ( CanReceiveHandle rxObject )
Multiple Receive Buffer
canuint8 ApplTpPrecopyCheck ( CanChipDataPtr rxRegPtr )
Multi Channel
Indexed (MRC)
canuint8 ApplTpPrecopyCheck ( CanRxInfoStructPtr rxStruct
)
2013, Vector Informatik GmbH
Version: 3.14.00
137 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Code replicated (SRB)
canuint8 ApplTpPrecopyCheck ( CanReceiveHandle rxObject )
Code replicated (MRB)
canuint8 ApplTpPrecopyCheck ( CanChipDataPtr rxRegPtr )
Parameter
rxObject
Handle of received object
rxRegPtr
Pointer to the received data in the CAN Controller receive register
rxStruct
Pointer to the receive structure
Return code
kCanCopyData
Received data will be copied using the CAN Driver 's internal copy mechanism
kCanNoCopyData
CAN Driver doesn’t copy data and doesn’t perform indication
Availability
since versions: TPMC: 2.35.00 | CANgen: 3.88.02 | DBKOMgen: 2.37.01
Description
Special functions for the application, which is immediately called after the reception of a TP-CAN-message.
If e.g. several CAN-Ids are defined in an ECU for the TP (gateway or multiple ECU) it has to be decided,
before the TP is able to make use of the CAN-message, whether the current CAN-message should be
processed or not depending on the CAN-ID. This user- check function can be used for it, which is called by
the TP on each data reception.
If this function returns „1“, the CAN-message is processed by the TP.
If this function returns „0“, the CAN- message is dismissed by the TP and the process is finished.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
138 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.1.2
ApplTpCheckTA: Check if Target Address is valid (version <= 2.72.00)
ApplTpCheckTA
Prototype
SingleConnectionTp

vuint8 ApplTpCheckTA (vuint8 tpCurrentTargetAddress)
MultipeConnectionTP

vuint8 ApplTpCheckTA (vuint8 tpCurrentTargetAddress)
SingleConnectionTp GATEWAY API

vuint8 ApplTpCheckTA (vuint8 tpCurrentTargetAddress,
 CanRxInfoStructPtr infoStruct)
MultipeConnectionTP GATEWAY API

vuint8 ApplTpCheckTA (vuint8 tpCurrentTargetAddress,
 CanRxInfoStructPtr infoStruct)
Parameter
tpCurrentTargetAddress -
infoStruct

Return code
vuint8
-
Availability
Only for TP versions less than or equal to 2.72.00. See also chapter 4.4.1.3 for the changed API description
available since version 2.73.00.
Only for dynamic TP classes: Extended- and Normal Fixed Addressing
Description
This function will be called for every reception of a TP-CAN-message. Within this function the application has
to decide, if the TargetAddress in the received CAN-frame is valid. If the TargetAddress is not valid and
should not be received the return value must be ‘kTpNoChannel’. If it should be received the TargetAddress
should be returned. See also chapter 7.4.1 Virtual ECU’s / ‘Multiple EcuNumber’ feature.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
Until versions: TPMC: 2.35.00 | CANgen: 3.88.02 | DBKOMgen: 2.37.01the function name was called
ApplTpPrecopy()
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
139 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.1.3
ApplTpCheckTA:  Check if Target Address is valid (since version 2.73.00)

ApplTpCheckTA
Prototype
SingleConnectionTp

t_ta_type ApplTpCheckTA (vuint8 tpCurrentTargetAddress)
MultipeConnectionTP

t_ta_type ApplTpCheckTA (vuint8 tpCurrentTargetAddress)
SingleConnectionTp GATEWAY API

t_ta_type ApplTpCheckTA (vuint8 tpCurrentTargetAddress,
CanRxInfoStructPtr infoStruct)
MultipeConnectionTP GATEWAY API

t_ta_type ApplTpCheckTA (vuint8 tpCurrentTargetAddress,
CanRxInfoStructPtr infoStruct)
Parameter
tpCurrentTargetAddress  -
infoStruct

Return code
t_ta_type
typedef enum
{
  kTpNone = 0,
  kTpPhysical = 1,
  kTpFunctional = 2
} t_ta_type;
Availability
Only for TP versions greater than or equal to 2.73.00. See also the former API description in chapter  4.4.1.2
Only for dynamic TP classes: Extended- and Normal Fixed Addressing
Description
This function will be called for every reception of a TP-CAN-message. Within this function the application has
to decide, if the TargetAddress in the received CAN-frame is valid and if it is a physical or functional identifer..
If the TargetAddress is not valid and should not be received the return value must be ‘kTpNone’.
If the TargetAddress is identified as a physical identifier then ‘kTpPhysical’ should be returned.
If the TargetAddress is identified as a functional identifier then ‘kTpFunctional’ should be returned.
See also chapter 7.4.1 Virtual ECU’s / ‘Multiple EcuNumber’ feature.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
2013, Vector Informatik GmbH
Version: 3.14.00
140 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Please note
Until versions: TPMC: 2.35.00 | CANgen: 3.88.02 | DBKOMgen: 2.37.01the function name was called
ApplTpPrecopy()
Examples
-

4.4.1.4
ApplTpRxSF: Reception of Single Frame
ApplTpRxSF
Prototype
SingleConnectionTp

void ApplTpRxSF(void)
MultipeConnectionTP

void ApplTpRxSF(vuint8 channel)
Parameter
channel
-
Return code

-
Availability
No restriction
Description
This function is called after the reception of a single-frame. ApplTpRxGetBuffer() will be called before.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
141 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.1.5
ApplTpRxFF: Reception of First Frame
ApplTpRxFF
Prototype
SingleConnectionTp

void ApplTpRxFF (void)
MultipeConnectionTP

void ApplTpRxFF(vuint8 channel)
Parameter
channel
-
Return code

-
Availability
No restriction
Description
This function is called after the reception of a first-frame. ApplTpRxGetBuffer() will be called before.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.4.1.6
ApplTpRxCF: Reception of Consecutive Frame
ApplTpRxCF
Prototype
SingleConnectionTp

void ApplTpRxCF(void)
MultipeConnectionTP

void ApplTpRxCF(vuint8 channel)
Parameter
channel
-
2013, Vector Informatik GmbH
Version: 3.14.00
142 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Return code

-
Availability
No restriction
Description
This function is called after the reception of a consecutive-frame.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.4.1.7
ApplTpRxCanMessageReceived: Reception of CAN-Frame
ApplTpRxCanMessageReceived
Prototype
SingleConnectionTp

void ApplTpRxCanMessageReceived(void)
MultipeConnectionTP

void ApplTpRxCanMessageReceived(vuint8 channel)
Parameter
channel
-
Return code

-
Availability
until versions: TPMC: 2.35.00 CANgen: 3.88.02 DBKOMgen: 2.37.01
Will be not supported in the future.
Description
This function is called after the reception of a CAN-frame and is normally used only in gateways.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
2013, Vector Informatik GmbH
Version: 3.14.00
143 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



4.4.1.8
ApplTpRxGetBuffer:   Assign a buffer to a channel
TpTxSetStrictFlowControl
Prototype
SingleConnectionTp

unsigned char* ApplTpRxGetBuffer(vuint16 dataLength)
MultipeConnectionTP

unsigned char* ApplTpRxGetBuffer(vuint8 channel,
     vuint16 dataLength)
SingleConnectionTp GATEWAY API

unsigned char* ApplTpRxGetBuffer(vuint16 dataLength
CanRxInfoStructPtr rxStruct)
MultipeConnectionTP GATEWAY API

unsigned char* ApplTpRxGetBuffer(vuint8 channel,
    vuint16 dataLength
CanRxInfoStructPtr rxStruct)
Parameter
dataLength
-
channel

rxStruct

Return code
usigned char
-
Availability
No restriction
Description
This function is called after reception of the first data to get a buffer with a minimum length of dataLength
from the application. The application has to return a pointer to this buffer. If the returned pointer is NULL, the
transport-message will not be received anymore.
The name of this callback function can be adjusted as desired in the Generation Tool.
2013, Vector Informatik GmbH
Version: 3.14.00
144 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.4.1.9
ApplTpRxCopyFromCAN: Application Copy Function
ApplTpRxCopyFromCAN
Prototype
SingleConnectionTp

void ApplTpRxCopyFromCan(vuint8 * source,
vuint16 count)
MultipeConnectionTP

void ApplTpRxCopyFromCan(vuint8 channel,
vuint8 * source,
vuint16 count)
Parameter
Source
-
Count

channel

Return code

-
Availability
No restriction
Description
The buffer management is done by the application. This function is always called by the Transport Protocol
while receiving a TP-CAN-message.
The argument source points to the receive buffer of the CAN-controller; the argument count determines
number of data, which has to be copied by the application function.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
2013, Vector Informatik GmbH
Version: 3.14.00
145 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Call context
-
Please note
-
Examples
void ApplTpRxCopyFromCan(vuint8 channel, vuint8 * source, vuint16 count)
{
  (void)memcpy(&(TpRxGetDataBuffer(channel)[TpRxGetDataIndex(channel)]),
source, count);
}

4.4.1.10  ApplTpRxIndication:   Reception closed  successful
ApplTpRxIndication
Prototype
SingleConnectionTp

void ApplTpRxIndication(vuint16 dataLength)
MultipeConnectionTP

void ApplTpRxIndication(vuint8 channel,
  vuint16 dataLength)
Parameter
dataLength
-
channel

Return code

-
Availability
No restriction
Description
This function is called after the completely reception of a single frame message or a multiple frame
message. dataLength is the number of received bytes in the reception buffer.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
146 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.1.11  ApplTpRxErrorIndication:   Reception closed with error
ApplTpRxErrorIndication
Prototype
SingleConnectionTp

void ApplTpRxErrorIndication(vuint8 errorCode)
MultipeConnectionTP

void ApplTpRxErrorIndication(vuint8 channel,
vuint8 errorCode)
Parameter
errorCode
>  kTpRxErrFF_SfreceivedAgain: While a reception is in progress a
new
>  Single- or FirstFrame is received, because the running reception will
be canceled and set up new.
>  KTpRxErrWrongSNreceived:    A ConsecutiveFrame with a wrong
SequenceNumber is received, because of the current reception will
be canceled.
>  KTpRxErrCFTimeout:               An awaited ConsecutiveFrame is not
received in the right time and a timeout occurs.
>  KTpRxErrConfIntTimeout:         The FlowControl could not
transmitted within the necessary time and a (confirmation) timeout
occurs.
channel

Return code

-
Availability
No restriction
Description
This function will be called if an error occurs on the channel. The channel will be reinitialized afterwards.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
147 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.1.12  ApplTpRxGetTxID:  Get CAN Transmit Id
ApplTpRxGetTxID
Prototype
SingleConnectionTp

-
MultipeConnectionTP

vuint16 ApplTpRxGetTxID(vuint16 receiveId)
Parameter
receiveId

Return code

-
Availability
Only for dynamic TP classes: Normal Addressing
Insert:
#define TP_USE_TX_ID_APPL_CHECK kTpOn
in a user-config file to use this feature.
!!! Attention: Only until TPMC version 2.60.00
Description
This function is called after reception of a First-Frame, to get the Transmit-ID for the FlowControl.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

2013, Vector Informatik GmbH
Version: 3.14.00
148 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.2
Reception side for functional messages
Only available if a functional connection group exists.

4.4.2.1
ApplFuncTpPrecopy:  Check if Target Address is valid
ApplFuncTpPrecopy
Prototype
Normal Fixed addressing, Extended addressing:

vuint8 ApplFuncTpPrecopy (vuint8 tpCurrentTargetAddress)
Normal Fixed addressing, Extended addressing with GATEWAY - API:

vuint8 ApplFuncTpPrecopy (vuint8 tpCurrentTargetAddress,
  CanRxInfoStructPtr infoStruct)
Mixed addressing:

vuint8 ApplFuncTpPrecopy (vuint8 tpCurrentTargetAddress,
vuint8 tpCurrentAddressExtension)
Mixed addressing with GATEWAY - API:

vuint8 ApplFuncTpPrecopy (vuint8 tpCurrentTargetAddress,
vuint8 tpCurrentAddressExtension,
CanRxInfoStructPtr infoStruct)
Parameter
tpCurrentTargetAddress
Contains the N_TA byte of the received message.
tpCurrentAddressExtension
Contains the N_AE byte of the received message.
infoStruct
Pointer to a data structure containing more information concerning the
received message (e.g. Raw Id, DLC).
Return code
vuint8
-
Availability
For TP classes: Extended-, Normal Fixed- and Mixed- Addressing.
If a functional connection groups exists and a callback name is configured. The default callback name used
is “TpFuncCheckTA”.
Description
This function will be called for every reception of a functional TP-CAN-message. Within this function the
application has to decide, if the TargetAddress / AddressExtension in the received CAN-frame is valid.
If the TargetAddress/AddressExtension is not valid and should not be received the return value must be
‘kTpNoChannel’. If it should be received the TargetAddress should be returned.
If the Multiple EcuNumber feature is used, then the concerning EcuNumber must be returned.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
2013, Vector Informatik GmbH
Version: 3.14.00
149 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Call context
-
Please note

Examples
-

4.4.3
Transmission side
4.4.3.1
ApplTpTxFC:   Reception of a Flow Control Frame
ApplTpTxFC
Prototype
SingleConnectionTp

void ApplTpTxFC(void)
MultipeConnectionTP

void ApplTpTxFC(vuint8 channel)
Parameter
receiveId

Return code

-
Availability
since versions: TPMC: 2.35.00 CANgen: 3.88.02 DBKOMgen: 2.37.01
Description
This function is called after the reception of a FlowControl-frame.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-



2013, Vector Informatik GmbH
Version: 3.14.00
150 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.3.2
ApplTpTxCanMessageTransmitted:  CAN-Message transmitted
ApplTpTxCanMessageTransmitted
Prototype
SingleConnectionTp

void ApplTpTxCanMessageTransmitted(void)
MultipeConnectionTP

void ApplTpTxCanMessageTransmitted(vuint8 channel)
Parameter
channel

Return code

-
Availability
No description
Description
This function is called each time after a successful transmission of an CAN-message / frame (only for TX
connections - .this will mean for SF; FF; CF and not for FC messages)
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.4.3.3
ApplTpTxNotification:   CAN-Frame transmitted
ApplTpTxNotification
Prototype
SingleConnectionTp

void ApplTpTxNotification(vuint8 count)
MultipeConnectionTP

void ApplTpTxNotification(vuint8 channel,
  vuint8 count)
Parameter
channel

2013, Vector Informatik GmbH
Version: 3.14.00
151 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
count

Return code

-
Availability
No restriction
Description
This function is called each time after sending Tp-Frames except “Single-Frames” and the “last
Consecutive-Frame”. Count is the number of transmitted data.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-

4.4.3.4
ApplTpTxCopyToCAN: Application Copy Function ( 16BIT Controller)
ApplTpTxCopyToCAN
Prototype
SingleConnectionTp

vuint8 ApplTpTxCopyToCAN(TpCopyToCanInfoStructPtr infoStruct)
MultipeConnectionTP

vuint8 ApplTpTxCopyToCAN(TpCopyToCanInfoStructPtr infoStruct)
Parameter
infoStruct

Return code
vuint8
If everything is fine return ‘kTpSucces’ otherwise ‘kTpFailed’.
Availability
No restriction
2013, Vector Informatik GmbH
Version: 3.14.00
152 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Description
The buffer management is done by the application. This function is always called by the Transport Protocol
before sending a TP-CAN-message.
The parameter is a pointer to the following structure:
struct tTpCopyToCanInfoStruct_s
{
  canuint8   Channel;      /* TP Channel*/
  canuint8* pDestination; /* Pointer to destination buffer */
  canuint8* pSource;      /*Pointer to linear source buffer*/
  canuint16  Length;       /* The maximum length to copy */
};
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
Since version 2.35 the TPMC component tries to call ApplTpCopyToCAN() again and again until
kTpSuccess is returned or ‘CAN message confirmation timeout’ occurs.
Examples
vuint8 ApplTpCopyToCan(TpCopyToCanInfoStructPtr infoStruct)
{
  (void)memcpy( infoStruct->pDestination, infoStruct->pSource,
  infoStruct->Length);
  return kTpSuccess;
}

4.4.3.5
ApplTpTxCopyToCAN:   Application Copy Function (8BIT Controller)
ApplTpTxCopyToCAN
Prototype
SingleConnectionTp

vuint8 ApplTpTxCopyToCAN(vuint8 offset,

      vuint8 count)
MultipeConnectionTP

vuint8 ApplTpTxCopyToCAN(vuint8 channel,
vuint8 offset,

      vuint8 count)
Parameter
Offset

2013, Vector Informatik GmbH
Version: 3.14.00
153 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Count

channel

Return code
vuint8
If everything is fine return kTpSuccess otherwise kTpFailed.
Availability
Caution
Only until TPMC version 2.49.00.

Since TPMC version 2.50.00 the API described in 4.4.3.4 “ApplTpTxCopyToCAN:   Application Copy
Function ( 16BIT Controller)” is used instead.
Description
The buffer management is done by the application. This function is always called by the Transport Protocol
before sending a TP-CAN-message.
The argument offset determines the offset into the sending buffer of CAN Driver (Offset=0..7); the
argument “count” determines number of data, which has to be copied by the application function.
The name of this callback function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
Since version 2.35 the TPMC component tries to call ApplTpCopyToCAN() again and again until
kTpSuccess is returned or ‘CAN message confirmation timeout’ occurs.
TpTxData(channel) can be used to access the transmit buffer of the CAN-driver.
Caution
Do not access the transmit buffer of the CAN-driver elsewhere

Examples
vuint8 ApplTpCopyToCan(vuint8 channel,
vuint8 offset,
vuint8 length)
{
  (void)memcpy( &TpTxData(channel)[ offset ],
  &TpTxGetDataBuffer(channel)[TpTxGetDataIndex(channel)],
  length);
  return kTpSuccess;
}

2013, Vector Informatik GmbH
Version: 3.14.00
154 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.3.6
ApplTpTxConfirmation:  Transmission closed successful
ApplTpTxConfirmation
Prototype
SingleConnectionTp

void ApplTpTxConfirmation(vuint8 state)
MultipeConnectionTP

void ApplTpTxConfirmation(vuint8 channel,
  vuint8 state)
Parameter
State

cannel

Return code

-
Availability
No description
Description
This function is called after a single- or a multiple-frame message is transmitted completely.
The state condition is given as a parameter and can be analyzed by the application. Please note that this
is intended for further usage, currently the delivered state is always kTpSuccess.
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
Currently the ‘state’ parameter is not used. So the default of this parameter is ‘kTpSuccess’.
Examples
vuint8 ApplTpCopyToCan(TpCopyToCanInfoStructPtr infoStruct)
{
  (void)memcpy( infoStruct->pDestination, infoStruct->pSource,
  infoStruct->Length);
  return kTpSuccess;
}

2013, Vector Informatik GmbH
Version: 3.14.00
155 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
4.4.3.7
ApplTpTxErrorIndication:  Transmission closed with error
ApplTpTxErrorIndication
Prototype
SingleConnectionTp

vuint8 ApplTpTxErrorIndication(vuint8 errorCode)
MultipeConnectionTP

vuint8 ApplTpTxErrorIndication(vuint8 channel,
    vuint8 errorCode)
Parameter
errorCode
>  kTpTxErrFCTimeout: An awaited FlowControl timed out
>  kTpTxErrConfIntTimeout: A TP-CAN-massage could not transmitted
within the necessary time and a (confirmation) timeout occurs.
>  kTpTxErrFCWrongFlowStatus: An invalid FlowControl-frame is
received.                            Only with activated strict message flow
checking (TP_USE_STRICT_MSG_FLOW_CHECKING must be set
to kTpOn in a user-config file to activate this feature).
>  kTpTxErrWFTmaxOverrun: WFTmax wait frames are received now
(only for MCAN, if TP_ENABLE_MCAN is defined)
>  kTpTxErrFCOverrun: the receiver reported an Overrun, channel is
terminated

Old error codes Old error codes since TPMC version 2.35
>  kTpTxErrBufferUnderrun: Within the ApplTpCopyToCAN function a
buffer-underrun occurs.
cannel

Return code

Hold the channel:                        kTpHoldChannel
Reinitializing / free the channel:  kTpFreeChannel
Availability
No description
Description
This function will be called if an error occurs on the channel. The application has now to decide if the
channel should be reinitialized or hold for reusing it (only for dynamic TP classes necessary).
The name of this callback-function can be adjusted as desired in the Generation Tool.
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
2013, Vector Informatik GmbH
Version: 3.14.00
156 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
Please note
Currently the ‘state’ parameter is not used. So the default of this parameter is ‘kTpSuccess’.
Examples
vuint8 ApplTpCopyToCan(TpCopyToCanInfoStructPtr infoStruct)
{
  (void)memcpy( infoStruct->pDestination, infoStruct->pSource,
  infoStruct->Length);
  return kTpSuccess;
}

4.4.4
Administrative Functions
4.4.4.1
ApplTpFatalError: Fatal Error

ApplTpFatalError
Prototype
SingleConnectionTp

void ApplTpFatalError(vuint8 errorCode)
MultipeConnectionTP

void ApplTpFatalError(vuint8 errorCode)
Parameter
errorCode
User assertions:
>  KTpErrNoDynObjAtTpInit: Within TpInitPowerOn() it is not possible
to allocate the necessary transmit-objects from CAN-driver – please
check initialization order
>  KTpErrChannelNrTooHigh: Possible access of a invalid tpChannel –
please check your application calls of the TP-API.
>  KTpRxErrFcCanIdIsMissing: The CAN-ID of the FlowControl was
not set within the ApplTpRxGetBuffer() function for dynamic
NormalAddressing – please check your application.
>  KtpTxErrDatalengthTooHigh: The application tried to transmit more
than 4095 bytes of data – please check your application.
>  KTpTxErrWrongFrameAtPretransmitSpecified: Internal state-
machine check – please get in contact with us.
>  KTpTxErrNoStateSpecified: Internal state-machine check – please
get in contact with us.
>  kTpRxErrNoStateSpecified: Internal state-machine check – please
get in contact with us.
>  kTpErrChannelNotInPreTransmitState: The application tried to
configure a not assigned tpChannel in a dynamic TP class – please
check your application.
2013, Vector Informatik GmbH
Version: 3.14.00
157 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
>  KTpErrWrongAddressingFormat: The application tried to configure a
tpChannel for a wrong AddressingMode (e.g.
TpTxSetTargetAddress for NormalAddressing configured
tpChannel) in a dynamic TP class – please check your application -
please check your application.
>  KTpRxErrSetResponseWithoutFc: The function TpTxSetResponse()
is called for without-FC configured tpChannel - please check your
application.
>  KTpTxErrSetResponseWithoutFc: The function TpTxSetResponse()
is called for without-FC configured tpChannel - please check your
application.
>  KTpErrChannelNotInUse: The application tried to get information
about an unused tpChannel – please check your application.
Internal assertions:
>  KTpErrChannelNrTooHigh: Possible access of a invalid tpChannel –
please check the stack-usage.
>  KTpRxErrNotInWaitCFState: Internal state-machine check – please
get in contact with us.
>  KTpErrChannelNotInUse: Internal state-machine check – please get
in contact with us.
>  KTpErrNoCanChannelFound: The CAN-driver confirmation function
is called with a wrong Handle, because it is not possible to calculate
the corresponding CAN-channel – please get in contact with us.
Return code

-
Availability
Until versions CANgen: 3.88.02 DBKOMgen: 2.37.01 TP-assertions are activated if the “Debug level” in
CAN-Driver includes “User”/”Internal”
Description
This function will be called if a fatal error occurs.
The name of this callback function is not changeable
Pre-condition(s)
-
Post-condition(s)
-
Call context
-
Please note
-
Examples
-




2013, Vector Informatik GmbH
Version: 3.14.00
158 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
5 Transmission Attributes & Callback functions

Figure 5-1 Transmission attributes and callback functions
2013, Vector Informatik GmbH
Version: 3.14.00
159 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
6  Integration of CANbedded Components into a Customer Project
6.1
Requirements to the Customer System Environment
A  customer  system  environment  from  the  CANbedded  component  point  of  view  is  the
environment  (system architecture)  where  the  component  together  with  other  CANbedded
components,  an  operation  system,  startup  code,  system  control  software  and  the
application is running.
To  full  fill  the  different  requirements  to  the  component  architecture  like  small  ROM  and
RAM  footprint,  short  API  runtime  and  short  interrupt  lock  times  (global  and  only
CAN/LIN/others  bus  interrupts)  during  the  API  execution,  some  requirements  to  the
customer’s system environment and the component usage in that system has to be given
to and kept by the user.
The  requirements  and  needs  to  use  CANbedded  components  in  a  customer  specific
project are listed in this chapter.  It is necessary to check the requirements, preconditions
and needs carefully to guaranteed the correct and consistent usage of the software in the
resulting  system  and  to  prevent  malfunction  and  data  consistency  problems  during  the
system execution (in the vehicle in the field).
6.2
Component Integration to the Customer Project
6.2.1
Requirements to the Component Initialization in a Customer Project
The  correct  sequence  for  all  CANbedded  component  initialization  calls  (e.g.  CAN  Driver,
network  management,  interaction  layer  …)  depends on  the  needs  for  the  whole,  vehicle
manufacturer specific integration package. Therefore the correct call location in the context
to the other (CANbedded) power up initialization calls for this component is just a example.
The following rules are valid for each use case of a CANbedded component in a customer
project and must be guaranteed to prevent faulty situations:
1)  The  component  must  be  initialized  after  the  primary  CAN  Driver  initialization  via
CanInitPowerOn().
2)  The  component  must  be  initialized  during  the  global  interrupt  is  locked,  to  prevent
any  interrupt  occurrences  during  the  initialization  sequence  of  this  and  ALL  other
CANbedded  modules.  Therefore  the  requirement  is  to  make  sure  the  global
interrupt  is  disabled  during  the  whole  initialization  sequence  of  all  CANbedded
components (driver, IL, NM, TP, diagnostics …).
3)  Please  note,  that  the  usage  of  CanDisableInterrupt  and  CanRestoreInterrupt  is
incorrect to lock the global interrupt during the CANbedded initialization sequence.
A customer project specific global interrupt lock and unlock is necessary.
4)  The customer system architecture must guarantee that all CANbedded modules are
initialized  before  the  first  usage  of  any  API  or  variable  access  in  the  customer’s
application software is performed.
5)  The  call  to  the  component  initialization  function  TpInitPowerOn()  will  reset  the
component  state  to  the  initial  state.  Therefore  it  is  NOT  recommended  to  call  the
component  initialization  function  during  the  system  runtime  to  e.g.  terminate
2013, Vector Informatik GmbH
Version: 3.14.00
160 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
something. Please check carefully, if the call to this API is valid (and helpful) in the
planned application context.
6)  Please  note,  that  the  call  to  the  component  initialization  function  may  be  runtime
consuming,  especially  if  there  are  additional  callbacks  to  the  application  are
performed and that the global interrupts are locked during that time, too.
7)  If an OSEK/OS is used, the basic initialization sequence has to be performed in the
startup-hook or, alternatively in an task used to initialized the whole system. Please
check, that the global interrupt is locked during the startup hook execution to ensure
the  required  data  consistency.  This  is  true  for  all  osCAN  OSEK  but  not  for  each
OSEK/OS  on  the  market.  If  the  initialization  is  performed  in  a  task,  the  interrupt
must be locked by the user for each OSEK/OS implementation.

6.2.2
Requirements to Component API Usage in a Customer Project
1)  The  CANbedded  component  needs  a first  initialization  of  all  internal  variables  and
states via the call of the initialization API function TpInitPowerOn(). It is not allowed
to  use  any API  or data  structure  of the  component  before  the  primary  initialization
has  been  performed.  See  chapter  6.2.1  Requirements  to  the  Component
Initialization in a Customer Project for details to the component needs according to
the initialization sequence.
2)  The  cyclic  function(s)  (e.g.  TpRxTask()/TpTxTask())  of  a  component  must  not  be
called  on  interrupt  level  (e.g.  the  timer  interrupt).  It  is  strictly  forbidden,  that  the
cyclic called component API interrupts the component’s API functions running in the
(CAN/LIN)  interrupt  context  or  an  other  component  API’s.  See  chapter  6.2.3.1
Common Requirements for details.
3)  It is not allowed to call any CANbedded API function in the context of an interrupt, if
this is not explicitly allowed or required in this documentation.
4)  Please  refer  to  chapter  6.2.3  Requirements  to  the  Customer  Project  Operating
System for the component requirements to the operating system.

6.2.3
Requirements to the Customer Project Operating System
The operating system used in the customer project has to fulfill the rules listed in chapter
6.2.3.1 Common Requirements to guarantee data consistency of the internal and external
component states and values.
6.2.3.1
Common Requirements
The  component  offers  different  API  functions  and  global  variable/state  access  to  the
application  program.  Some  of  these  API  functions  are  necessary  to  fulfill  the  basic
functionality of the component. This is e.g. the initialization and the cyclic called function to
realize the internal time base and the state handling.
The cyclic called API function TpRxTask()/TpTxTask() is also called TASK in the context of
this  chapter.  Due  to  the  need  for  fast  (1  -  10ms)  cyclic  calls,  this  tasks  are  often  called
erroneously  by  calling  this  API  function  in  an  timer  interrupt  context.  This  is  STRICTLY
forbidden.
2013, Vector Informatik GmbH
Version: 3.14.00
161 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
The list below describes the common rules for all component API calls. The documentation
of  the API  functions  and  the  component  callback functions  describes  the  deviations from
this rules if, e.g. the API is allowed to be called during the TASK is running.
Please check carefully, if this restrictions are valid in your system:
>  API functions must not interrupt the (CAN/LIN) RX/TX interrupt service functions
>  API functions must not interrupt the TASK functions
>  API functions must not interrupt other API functions of the same component
>  TASK functions must not interrupt API functions of the same component
>  If there are multiple TASK functions for a component: TASK function must not interrupt
other TASK functions of the same component
>  TASK functions must not interrupt the (CAN/LIN) RX/TX interrupt service functions

Info
>  API and TASK functions are protected against interruption by the (CAN/LIN) RX/TX

interrupt service functions
>  There are no limitations for interruptions of the component API’s with other,
independent interrupt service functions (e.g. A/D converter, SIO lines, ...)

6.2.3.2
Round-Robin-Scheduler and Comparable OS Approaches
If the used operating system works like a round-robin scheduler or comparable and there
is only one common call level for application and CANbedded APIs with additional, small
interrupt handlers, the preconditions as described in chapter 6.2.3.4 should be valid.

6.2.3.3
Usage of OSEK/OS
The  component  can  be  used  together  with  an  OSEK  operating  system.  The  component
itself  is  operating  system  independent  and  can  therefore  be  used  together  with  an
OSEK/OS, if the rules listed in chapter 6.2.3.1 are fulfilled.
OSEK/OS  can  be  configured  to  4  different  setups  (BCC1  to  ECC2).  Depending  on  the
selected  setup,  OSEK/OS  is  non-preemptive  or  (full-)preemptive.  The  preemptive  setups
are able to run non-preemptive and preemptive tasks. Please refer to the chapters 6.2.3.4
and 6.2.3.5 for further details.
If  an  OSEK/OS  is  used,  the  basic  initialization  sequence  has  to  be  performed  in  the
startup-hook or, alternatively in an task used to initialized the whole system. Please check,
that the global interrupt is locked during the startup hook execution to ensure the required
data  consistency.  This  is  true  for  all  osCAN  OSEK  but  not  for  each  OSEK/OS  on  the
market. If the initialization is performed in a task, the interrupt must be locked by the user
for each OSEK/OS implementation.

2013, Vector Informatik GmbH
Version: 3.14.00
162 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
6.2.3.4
Non-Preemptive Operating System
If  an  non-preemptive  OS  is  used,  there  are  no  limitations  to  the  usage  of  CANbedded
component API’s on task/main level due to an task change is started by an OS-API call or
by exiting a function called directly by the OS scheduler.  Due to this there is no situation
with possible dangerous interruptions of component API executions in this environment.
Non-preemptive approaches are using also interrupt handlers for e.g. CAN, LIN, A/D and
D/A  conversion  and  other  things.  Until  the  requirements  listed  in  chapter  6.2.3.1  are
fulfilled, no critical situation according to data consistency and the CANbedded component
usage  occurs. The  CANbedded  component  itself  is  able  to  cope  with  the  interruption  via
the internal connection to the CAN/LIN driver.

6.2.3.5
Preemptive Operating System
If  the  CANbedded  component  has  to  be  used  in  a  full-preemptive  environment,  some
additional restrictions have to be kept in mind. If this is not explicitly allowed, please check
carefully, that the restrictions listed in chapter 6.2.3.1 are fulfilled by the system setup.
Possible  solutions  for  a  save  usage  of  the  CANbedded  component  may  be  calling  the
cyclic  functions  and  API’s  in  non-preemptive  tasks  or  to  lock  task  changes  during  the
execution of the cyclic function calls and the component APIs.
It  is  not  recommended  to  solve  the  restrictions  via  a  special  task  priority  setup  due  to
possible  maintenance  issues  when  changing  and  extending  the  software  system  in  the
future.
2013, Vector Informatik GmbH
Version: 3.14.00
163 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
7  Advanced usage
7.1
Separation of TimerTask and TransmissionTask (StateTask)
Until TPMC version 2.35 there is a combination of a timer observation and the handling of
transmission requests in one task function. By the demand of faster TP transmission the
most popular possibility is to separate the transmission mechanism from the timer task.
Since TPMC version 2.35 TimerTask and TransmissionTask are separated.
The ‘TimerTask’ includes the time observation. The ‘StateTask’ includes the transmission
handling of the CAN-frames. Especially the retry of the transmission while CanTransmit()
cannot accept the message, because the (all) TX registers are currently in use.
Like the former ‘Task’ function (TpXxTask()) the current ‘Task’ function (TpXxTask())
includes the call of both tasks to have a full compatibility. So it must be called further on
periodically. The ‘StateTask’ can be called out of a fixed time periods in addition.

Caution
It is not necessary to call the ‘StateTask’, if the CAN Driver queue is enabled.

void TpTxTask(void)
>   static void TpTxTimerTask(void) (not visible for the application)
>   void TpTxStateTaskAllChannels(void)

void TpRxTask(void)
>   void TpRxTimerTask(void) (not visible for the application)
>   void TpRxStateTaskAllChannels(void)

The ‘StateTaskAllChannels’ iterates over all tpChannels. To speed up only one connection.
a ‘StateTask’ is provided, which is handles the transmission of this connection.
void TpTxStateTask(vuint8 tpChannel)
void TpRxStateTask(vuint8 tpChannel)

7.2
Fast transmission of ConsecutiveFrames
Available since TPMC version 2.35.
The TP-layer  calculates  the  STmin  time  based  on  the  CallCycle  of  the TpTimerTask().To
guarantee  that  a  under  run  of  the  STmin  is  not  possible,  one  CallCycle  is  added.  This
conservative way of calculation do not fit the demand of a fast transmission.
The added feature includes a possibility to transmit a TP-frame as quick as possible.
Typically this feature can be used for a fast re-programming of ECU’s through Gateways or
Testers.
2013, Vector Informatik GmbH
Version: 3.14.00
164 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
The  feature  can’t  be  enabled  through  the  GenTools.  A  user-config  file  has  to  be  used,
including following define:
#define TP_USE_FAST_TX_TRANSMISSION kTpOn
7.2.1
Usage
The TP provides a special API function which assembles and transmits the next CF-frame
by skipping the internal timer for the minimum sending distance (STmin). This means the
application has the possibility to transmit the next CF frame faster than the calculated
minimum sending distance of the TP module allows.
Normally the timer will be reloaded with the value of the minimum sending distance and is
observed in the TpTxTimerTask(). By calling the function TpTxPrepareSendImmediate()
the timer of the TP is stopped. If the preparation returns a ‘kTpSuccess’ the application
gets the responsibility of transmitting the next ConsecutiveFrame. The application can
reload an (application) alarm-timer with the STmin value of the FlowControl-frame by
calling the function TpTxGetSTminInFrame(). If the alarm occurs (timer is decremented to
zero) the application can transmit the ConsecutiveFrame by calling the function
TpTxSendImmediate(), which prepares the CF-frame and calls the TpTxStateTask() to
transmit the frame immediately.
7.2.2
Application example
For non-zero STmins:
void ApplTpTxFC(canuint8 channel)
{
  if(kTpSuccess == TpTxPrepareSendImmediate(channel))
  {
  TpTxSendImmediate(channel);
  }
}
void ApplTpTxCanMessageTransmitted(canuint8 channel)
{
  canuint8 stminTime;

  if(kTpSuccess == TpTxPrepareSendImmediate(channel))
  {
stminTime = TpTxGetSTminInFrame(channel);

  /* load an OSEK-OS alarm (in ms) */
  SetRelAlarm(TpSepAlarm, MSEC(stminTime),0);

  /* after alarm time expires: TpTxSendImmediate(channel); */
  }
}

For zero STmins (fast as possible):
Attention:  Due to the current priority rules it could be possible that no real parallel
transmission is possible. All other channels are not handled anymore while
another transmission is running.

void ApplTpTxFC(canuint8 channel)
{
  if(kTpSuccess == TpTxPrepareSendImmediate(channel))
  {
  TpTxSendImmediate(channel);
  }
}
void ApplTpTxCanMessageTransmitted(canuint8 channel)
{
  if(kTpSuccess == TpTxPrepareSendImmediate(channel))
  {
2013, Vector Informatik GmbH
Version: 3.14.00
165 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
  TpTxSendImmediate(channel);
  }
}

7.3
Normal Fixed Addressing
7.3.1
Multiple ECU’s
Multiple  ECU’  s  are  control  units  which  are  assembled  several  times  within  the  CAN
network with the same software (example: seat in the front on the left hand side and on the
right  hand  side).  In  this  case,  the  application  has  to  decide  at  run-time,  which  ECU  is
actually installed and has to set-up these parameters dynamically.
7.3.1.1
Using the CANgen configuration tool
The  configuration  tool  does  not  apply  the  ECU  information  but  it  provides  all  possible
values for the application as constants in the generated code.

E.g.: In the generated tp_cfg.h file you will find constants for all existing ECU numbers:
#define kTpEcuNumber0        0x10
#define kTpEcuNumber1        0x11
#define kTpEcuNumber2        0x12
#define kTpEcuNumber3        0x13
…

2013, Vector Informatik GmbH
Version: 3.14.00
166 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
In case of using the CANgen configuration tool the application must accomplish two things
now at Power On time:
a) The actual ECU number must be set using the ComSetCurrentECU() API.
b) The actual ECU number must be provided to the TPMC.

Code example:
extern canuint8 tpEcuNumber;
canuint8 tpEcuNumber;

void main(void)
{
 CanInitPowerOn();
 ComSetCurrentECU(currentECU);
 ...
 if ( FirstECUis selected) {
 tpEcuNumber = kTpEcuNumber0;
 }
 else if (SecondECU is selcted) {
 tpEcuNumber = kTpEcuNumber1;
}
 TpInitPowerOn(); /* For some configuration it could be also
 DiagInitPowerOn() with implicit TPMC initialization */
 ...
 <EnableCAN_ISR>
}

7.3.1.2
Using the GENy configuration tool
The configuration tool does not apply the ECU information completely but it provides all
possible values for the application as constants in the generated code.

E.g.: In the generated tp_par.c file a kTpEcuNumber_field[] is provided for all existing ECU
numbers:

vuint8 kTpEcuNumber_field [4] = {

0x10,

0x11,

0x12,

0x13

}

2013, Vector Informatik GmbH
Version: 3.14.00
167 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
In case of using the GENy configuration tool there is left one thing now the application
must accomplish at Power On time:
a) The actual ECU number must be set using the ComSetCurrentECU() API.

Code example:

void main(void)
{
 CanInitPowerOn();
 ComSetCurrentECU(currentECU);
 ...
 TpInitPowerOn(); /* For some configuration it could be also
 DiagInitPowerOn() with implicit TPMC initialization */
 ...
 <EnableCAN_ISR>
}

7.4
Extended- and Normal Fixed Addressing
7.4.1
Virtual ECU’s / ‘Multiple EcuNumber’ feature
‘Virtual ECU’s’ are control units which include the logic of more than one ECU. In the
network they have to react for more than one ECU number. The application has to decide
which ECU number should be received and which not.
For versions < 2.73.00:
All TargetAddresses (except the functional TargetAddress 0xFF ) will be received through
the Transport Layer. Following the reception of a TP-frame the application callback
ApplTpPrecopy() is called by the Transport Layer. In this function the application has to
decide which TargetAddress should be received and which not. In this function the
application gets the received TargetAddress and has to return the TargetAddress itself to
receive TransportFrames. To not receive the following TransportFrames the return value
has to be ‘kTpNoChannel’ (0xff).
If the received TargetAddress e.g. is a part of a functional range, the application can
modify the received TargetAddress by returning another TargetAddress in the
ApplTpPrecopy function. If the returned value is unequal to the received the Transport
Layer will receive the TransportFrames with this TargetAddress and not with the received
(the responded FlowControl is also modified).

canuint8 ApplTpCheckTA(vuint8 targetAddress)
{
 vuint8 result;
 switch(targetAddress)
 {
 case TargetAddress_0:
 case TargetAddress_1:

...
 case TargetAddress_n:
 result = targetAddress;
 break;
 default:
 result = kTpNoChannel;
 }
 return result;
}

2013, Vector Informatik GmbH
Version: 3.14.00
168 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
For versions >= 2.73.00:
All TargetAddresses are received through the Transport Layer. Following the reception of a
TP-frame the application callback ApplTpPrecopy() is called by the Transport Layer. In this
function the application has to decide which TargetAddress should be received and which
not. The application gets the received TargetAddress and has to return either
‘kTpPhysical’ or ‘kTpFunctional’. To not receive any subsequent TP Frames the
application returns ‘kTpNone’.

t_ta_type ApplTpCheckTA(vuint8 targetAddress)
{
 t_ta_type result;
 if(targetAddress == MY_ECU_NUMBER)

{
 result = kTpPhysical;
 }
 else if((targetAddress >= TP_LOWEST_FUNCTIONAL_ADDRESS ) &&
 (targetAddress <= TP_HIGHEST_FUNCTIONAL_ADDRESS))
 result = kTpFunctional;
 }
 else
 {
 result = kTpNone;
 }
 return result;
}

7.5
Using different CAN-Identifiers
For some purposes different CAN-Ids, as well 11-Bit standard as also 29-Bit extended
identifiers shall be used for the Normal Addressing type. If so, the TPMC provides two
configuration opportunities to handle this requirement either statically at configuration time
or dynamically at runtime.
7.5.1
Statically configured CAN-Ids
By default 11-Bit standard Ids are used with Normal Addressing. If 29-Bit extended Ids are
requested by the user and thus also entered as Addressing Information in the GENy
generation tool, then the preprocessor switch TP_USE_EXT_IDS_FOR_NORMAL is generated
with the value kTpOn. The code is now applicable to be used with 29-Bit CAN-Ids.
7.5.2
Dynamically configured CAN-Ids
If the user has the necessity to handle both kinds of CAN-Ids during runtime, then in the
GENy generation tool different CAN-Ids can be entered for different Addressing
Informations. Now the preprocessor switch TP_USE_MIXED_IDS_FOR_NORMAL is generated
with the value kTpOn in addition and the code is now applicable to be used simultaneously
with 11- and 29- Bit CAN-Ids.
7.5.3
Additional API functions
If both kinds of CAN-Ids are used then the additional API function
canuint8 TpRxGetChannelIDType(canuint8 tpChannel) is provided.
This function either returns kTpCanIdTypeStd for 11-Bit or kTpCanIdTypeExt for 29-Bit
identifiers.

2013, Vector Informatik GmbH
Version: 3.14.00
169 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
7.6
Transmissions without Flow Control frames
For some purposes the usage of FC frames might be omitted. Please note that this feature
is not supported for single connection TP.
If  using  a  dynamic  Tp  Class  then  the  provided  API  functions  TpRxWithoutFC  resp.
TpTxWithoutFC can be used (see 0, 4.2.3.28) to control the FC usage.

If using a static Tp Class then a channel specific FC control information must be provided
at compile time for the TP containing the information if FC frames shall be used or not for a
specific channel either on the Rx- and/or on the Tx- side.
The definition and usage of the FC control array must be as described below:
vuint8 TpRxFlowControl[kTpRxChannelCount];
vuint8 TpTxFlowControl[kTpTxChannelCount];

In the default case, if the usage of FC frames is required, then the FC control array
contains a value of “1” for the belonging Rx- or Tx- channel. If FC frames shall be
suppressed, then the FC control array contains a value of “0” for the belonging Rx- or Tx-
channel.

Example:
vuint8 TpRxFlowControl[3] =
{ 1, // use FC frames
  1, // use FC frames
  0 // use no FC frames
};  //
vuint8 TpTxFlowControl[3] =
{ 1, // use FC frames
  1, // use FC frames
  0 // use no FC frames
};

2013, Vector Informatik GmbH
Version: 3.14.00
170 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
8  Example for the user
8.1
Administrative usage
The  Transport  Protocol  has  to  be  initialized  before  all  other  functions  were  called.  This
initialization has to be done after initializing the CAN-driver (CanInitPowerOn()), possibly
if  the  interrupts  are  still  locked.  The  Transport  Layer  is  ready  for  reception  after  calling
TpInitPowerOn().
To perform the state machine the functions TpRxTask() and TpTxTask() have to be called
periodically.
If the application wants to have access to the API of the TPMC-component it has to include
the “tpmc.h” file after including of the “can_inc.h” file.
8.2
How to Transmit a Tp-Frame?
8.2.1
Static Normal Addressing
First  you  need  an  own  buffer  with  your  data  which  should  be  transmitted.  To  start  the
transmission simply call TpTransmit().
if (TpTransmit(tpChannel, appl-buffer, appl-data-length) != kTpSuccess)
{
  /* Error case – transmission was not successful */
}

A confirmation function is called after the complete transmission. It can be used to release
buffers...
void ApplTpTxConfirmation(vuint8 tpChannel, vuint8 state)
{

If you want an own copy mechanism to move the data from your buffer into CAN buffer you
have  to  use  the  function  ApplTpTxCopyToCan()  (This  can  be  configured  in  the
Generation Tool).
8.2.2
Dynamic Addressing
(Normal- / Normal Fixed- / Extended- / Multiple-Addressing)
Before  the  application  can  call  TpTransmit()  (refer  8.2  How  to Transmit  a Tp-Frame?)  a
transport  channel  has  to  be  requested.  The  function  TpTxGetFreeChannel()  returns  a
free  transport  channel  or  –  if  no  channel  is  available  at  the  moment  –  kTpNoChannel.
After  a  channel  is  assigned,  the  channel  has  to  parameterized  by  the  application.  In  the
example below, the application will set the Transmit ID and Receive ID (Dynamic Normal
Addressing) before sending the data.
Important: replace the cursive words by your own
tpChannel = TpTxGetFreeChannel(connection-number);
if(tpChannel != kTpNoChannel)
{
  /* normal addressing */
  TpTxSetChannelID(tpChannel, TransmitID, ReceiveID);

  if (TpTransmit(tpChannel, appl-buffer, appl-data-length) != kTpSuccess)
  {
  /* Error case – transmission was not successful */
2013, Vector Informatik GmbH
Version: 3.14.00
171 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
 }
}

The callback functions provide only the tpChannel as a parameter. To get the unique
connection-number out of this tpChannel the function
TpTxGetConnectionNumber(tpChannel) is provided
void ApplTpTxConfirmation(vuint8 tpChannel, vuint8 state)
{
 switch(TpTxGetConnectionNumber(tpChannel))
.
.
8.3
How to Receive a Tp-Frame
It is only possible to get an Indication by a function callback. The reception progress is
completed by the Transport Layer.
Important: The Transport Layer blocks the receive tpChannel as long as the application
desires. To free the receive channel call TpRxResetChannel().
void ApplTpRxIndication ( vuint8 tpChannel, vuint16 dataLength)
{
...
...
TpRxResetChannel(tpChannel);
...
...
}
The Transport Layer supports only buffer-management by the application. If data will be
received, it is important to the Transport Layer to get a buffer into which the data can be
moved.
vuint8 * ApplTpRxGetBuffer (vuint8 tpChannel, vuint16 length)
{
 if (Is_ReceiveDataBuffer_free)
 {
 Set_ReceiveDataBuffer_Used;

 if (length <= MaxLength)
 {

/* return a valid data buffer */
 return ReceiveDataBuffer;
 } else {

 /* length is too big for the ReceiveDataBuffer – do not receive the data */
 return NULL;
 } else {

 /* ReceiveDataBuffer is not free – do not receive the data */
return NULL;
 }

}
8.4
How to Send a Response on a Received Transport-Frame
Normally the application has to set transmission attributes like TargetAddress,
TargetIdentifier or physical CanChannel (depending on the addressing mode and
configuration). So if the application want to send a response to the sender of a received
transport-frame it has to set these transmission attributes. For this case it can do it easily
by using the function TpTxSetResponse(). The Preconditions are only the Rx-Channel -
which is still blocked - from the sender and a free Tx-Channel for the transmission.
if ( (txTpChannel = TpTxGetFreeChannel(user_connection)) != kTpNoChannel )
{
 TpTxSetResponse(rxTpChannel, txTpChannel);
 TpRxResetChannel(rxTpChannel);
 TpTransmit(txTpChannel, ...);
}
2013, Vector Informatik GmbH
Version: 3.14.00
172 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
8.5
How to serve Different Connections (only dynamic channels)
The dynamic TP classes does not support connection specific callback functions.
Therefore the application needs an easy handling between the different connections with
less resource requirements. Especially the diagnostic-layer must be handled
8.5.1
How to serve the diagnostic connection
This is also an example to serve different connections in your own application! I.e. you can
derive from the diagnosis example to your own.
Reception part:
Within the ‘ApplTpRxGetBuffer()’ the application is responsible to  distinguish between the
different  connections.  If  the  right  connection  is  found  a  connection-number  can  be  set  to
have in the later callbacks a faster decision.
(Dynamic  Normal Addressing)  The  received  CAN-ID  (for  the  diagnosis)  is  unique  (get  it
with: TpRxGetChannelID(tpChannel))
Transmission part:
At the transmission the connection-number is unique. The diagnosis uses the connection-
numbers “kDiagConnection” and “kDiagAddConnection”.
2013, Vector Informatik GmbH
Version: 3.14.00
173 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
unsigned char* ApplTpRxGetBuffer(vuint8 tpChannel, vuint16 tpRxDataLength)
{
  switch(TpRxGetChannelID(tpChannel))
  {
  case DIAG_RECEIVE_ID:
  TpRxSetConnectionNumber(tpChannel, kDiagConnection);
  return DiagTpGetRxBuffer(tpChannel, tpRxDataLength);
  case APPL_RECEIVE_ID:
  TpRxSetConnectionNumber(tpChannel, CONNECTION_0);
  /* Check for an valid application buffer */
  return APPLICATION_BUFFER;
  default:
  return NULL;
  break;
  }
}

void ApplTpRxIndication(vuint8 tpChannel, vuint16 tpRxDataLength)
{
  switch(TpRxGetConnectionNumber(tpChannel))
  {
  case kDiagConnection:
  DiagPhysReception(tpChannel, tpRxDataLength);
  break;
  case CONNECTION_0:
  UserTpRxIndication(tpRxDataLength);
  break;
  default:
  break;
  }
}

void ApplTpRxErrorIndication(vuint8 tpChannel, vuint8 status)
{
  switch(TpRxGetConnectionNumber(tpChannel))
  {
  case kDiagConnection:
  DiagRxErrorIndication(tpChannel, status);
  case CONNECTION_0:
  UserTpRxErrorIndication(status);
  default:
  break;
  }
}

void ApplTpRxFF(vuint8 tpChannel)
{
  if (TpRxGetConnectionNumber( tpChannel ) == kDiagConnection )
  {
  DiagRestartS1TimerInternal( tpChannel );
  }
}

void ApplTpRxCF(vuint8 tpChannel)
{
  if (TpRxGetConnectionNumber( tpChannel ) == kDiagConnection )
  {
  DiagRestartS1TimerInternal( tpChannel );
  }
}

void ApplTpTxConfirmation(vuint8 tpChannel, vuint8 state)
{
  switch(TpTxGetConnectionNumber(tpChannel))
  {
  case kDiagConnection:
  DiagConfirmation( tpChannel, state);
  case CONNECTION_0:
  UserTpConfirmation(status);
  default:
  break;
  }
}

2013, Vector Informatik GmbH
Version: 3.14.00
174 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
vuint8 ApplTxErrorIndication(vuint8 tpChannel, vuint8 status)
{
 switch(TpTxGetConnectionNumber(tpChannel))
 {
 case kDiagConnection:
 return DiagTxErrorIndication(tpChannel, status);
 case CONNECTION_0:
 UserTpTxErrorIndication(status);
 default:
 return kTpFreeChannel;
 }
}

vuint8 ApplCopyToCAN(TpCopyToCanInfoStructPtr infoStruct)
{
 switch(TpTxGetConnectionNumber(infoStruct->Channel))
 {
 case kDiagConnection:
 return DiagCopyToCAN(infoStruct->Channel, kSFDataPos, tpTxDataLength);
 default:
 (void)memcpy( infoStruct->pDestination, infoStruct->pSource, infoStruct->Length);
 break;
 }
 return 0;
}

void ApplTpTxNotification(vuint8 tpChannel, vuint8 DataLength)
{
 switch(TpTxGetConnectionNumber(tpChannel))
 {
 case kDiagConnection:
 DiagTpMsgTxReady(tpChannel, DataLength);
 break;
 default:
 break;
 }
}
8.6
How to Lock a Tx-Channel and Why? (only dynamic channels)
Normally the application get a resource – use the resource – and release the resource. In
the current version the resource Transmit-tpChannel will be released by the Transport
Layer automatically after a transmission (for code optimization). If an application will use
the same channel more than one time (i.e. a periodically transmission) it has to lock the
channel.
...
...
TpTxLockChannel(channel);
TpTransmit(...)
...
TpTransmit(...)

...
TpTransmit(...)

The application has two possibilities to release the channel:
> unlock the channel using ‘TpTxUnlockChannel ()’: i.e. only one transmission without
a release should be done...
TpTxLockChannel(user_channel);
TpTransmit(user_channel, ...)
...
>wait until confirmation occured<
TpTxUnlockChannel(user_channel);
TpTransmit(user_channel, ...)
/* After this transmission the channel will be released */
...
2013, Vector Informatik GmbH
Version: 3.14.00
175 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2

>  release the channel using ‘TpTxResetChannel()’: Lock the resource for many
transfers as long as used
...
...
TpTxLockChannel(channel);
TpTransmit(...)
...
TpTransmit(...)
...
TpTxResetChannel(channel);
...
8.7
How to transmit a ConsecutiveFrame as quick as possible
Typically this requirement is used for a fast re-programming of ECU’s through Gateways or
Testers.
How to do that, please refer to chapter 7.2 Fast transmission of ConsecutiveFrames.

2013, Vector Informatik GmbH
Version: 3.14.00
176 / 177
based on template version 5.1.0

Technical Reference Transport Protocol ISO15765-2
9  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com
2013, Vector Informatik GmbH
Version: 3.14.00
177 / 177
based on template version 5.1.0

Document Outline

23.4 - Tp Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Tp

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Tp_Vector_GMLAN3.1_03.08.03_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#9536

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

02/02/17

Lead Peer Reviewer:

Rijvi

Approved by Reviewer(s):

Yes

Other Reviewer(s):

24 - Universal Measurement and Calibration Protocol (XCP)

Universal Measurement and Calibration Protocol (XCP)

Component Documentation

24.1 - TechnicalReference_XCP_on_CAN

Microsoft Word - TechnicalReference_XCP_on_CAN.doc

24.2 - TechnicalReference_XCP_on_CAN_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27

24.3 - TechnicalReference_XCP_on_CANs

XCP on CAN
Technical Reference

XCP on CAN Transport Layer

Version 1.08

Authors:
Frank Triem, Sven Hesselmann
Version:
1.08
Status:
released (in preparation/completed/inspected/released)

Technical Reference XCP on CAN

1 Document
Information
1.1 History
Author
Date
Version Remarks
Frank Triem
2005-01-03
1.0
ESCAN00010737: Initial draft
Klaus Emmert
Warning Text added
Frank Triem
2005-02-28
1.1
ESCAN00011300: Manual configuration
Frank Triem
2005-06-22
1.2
ESCAN00011772: Support multiple CAN channels
ESCAN00012311: Support CAN-Driver without
transmit queue
Frank Triem
2005-12-19
1.3
Rework due to inspection
Frank Triem
2006-04-24
1.4
ESCAN00015915: Correct filenames
Frank Triem
2006-05-30
1.5
ESCAN00016517: Update of table of contents
Frank Triem
2006-10-26
1.6
ESCAN00017220: Documentation of reentrant
capability of all functions
Sven
2007-09-14
1.7
Multiple Identity added
Hesselmann
Sven
2008-03-19 1.07.01 Invalid reference corrected
Hesselmann
Andreas
2009-01-14
1.08
ESCAN00031509: Description of how to define
Herkommer
Messages as Application Messages

1.2 Reference
Documents
Index
Document
[1]
XCP -Part 1 – Overview, Version 1.0 of 2003-04-08
[2]
XCP -Part 2- Protocol Layer Specification, Version 1.0 of 2003-04-08
[3]
XCP -Part 5- Example Communication Sequences, Version 1.0 of 2003-04-08
[4]
Technical Reference XCP Protocol Layer, Version 1.0 of 2005-01-17
[5]
Technical Reference CAN Driver, Version 2.21 of 2003-07-29
[6]
AN-AND-1-108 Glossary of CAN Protocol Terminology
http://www.vector-informatik.de

©2009, Vector Informatik GmbH
Version: 1.08
2 / 27
based on template version 1.3

Technical Reference XCP on CAN

1.3 Abbreviations
Abbreviations Complete expression
A2L
File Extension for an ASAM 2MC Language File
AML
ASAM 2 Meta Language
API
Application Programming Interface
ASAM
Association for Standardization of Automation and Measuring Systems
CAN
Controller Area Network
CANape
Calibration and Measurement Data Acquisition for Electronic Control Systems
CMD
Command
CTO
Command Transfer Object
DAQ
Synchronous Data Acquistion
DLC
Data Length Code ( Number of data bytes of a CAN message )
DLL
Data link layer
DTO
Data Transfer Object
ECU
Electronic Control Unit
ID
Identifier (of a CAN message)
Identifier
Identifies a CAN message
ISR
Interrupt Service Routine
MCS
Master Calibration System
Message
One or more signals are assigned to each message.
MRB
Multi receive buffer
MRC
Multi receive channel
OEM
Original equipment manufacturer (vehicle manufacturer)
RES
Command Response Packet
SRB
Single receive buffer
SERV
Service Request Packet
STIM
Stimulation
XCP
Universal Measurement and Calibration Protocol
VI
Vector Informatik GmbH

Also refer to [6] for a list of common abbreviations and terms.
©2009, Vector Informatik GmbH
Version: 1.08
3 / 27
based on template version 1.3

Technical Reference XCP on CAN

1.4 Naming
conventions
The names of the access functions provided by the XCP Transport Layer for CAN always
start with a prefix that includes the characters ‘Xcp’. The characters ‘Xcp’ are surrounded
by an abbreviation which refers to the service or to the layer which requests a XCP
service. The designation of the main services is listed below:
Naming conventions
Xcp…
It is mandatory to use all functions beginning with Xcp…
These services are called by either the data link layer, XCP Protocol Layer or
the application.
They are e.g. used for the transmission of messages.
ApplXcp
The functions, starting with ApplXcp… are functions that are provided by the
application and are called by the XCP Transport Layer for CAN.
These services are user callback functions that are application specific and
have to be implemented depending on the application.

Please note
We have configured the programs in accordance with your specifications in the

questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector’s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire..
©2009, Vector Informatik GmbH
Version: 1.08
4 / 27
based on template version 1.3

Technical Reference XCP on CAN

2 Overview
This document describes the features, API, configuration and integration of the XCP
Transport Layer for CAN. The XCP Protocol Layer, which is already described within a
separate document [4], is not covered by this document.
Please also refer to “The Universal Measurement and Calibration Protocol Family”
specification by ASAM e.V.
XCP on CAN is a hardware independent protocol that can be ported to almost any CAN
controller. Due to there are numerous combinations of micro controllers, compilers and
memory models it cannot be guaranteed that it will run properly on any of the above
mentioned combinations.
Please note that in this document the term Application is not used strictly for the user
software but also for any higher software layer, like e.g. a Communication Control Layer.
Therefore, Application refers to any of the software components using XCP on CAN.
The API of the functions is described in a separate chapter at the end of this document.
Referred functions are always shown in the single channel mode.

©2009, Vector Informatik GmbH
Version: 1.08
7 / 27
based on template version 1.3

Technical Reference XCP on CAN

3 Functional
Description
3.1 Overview
of
the functional scope
The XCP Transport Layers mange the transmission and reception of XCP Packets.
The XCP Transport Layer for CAN makes use of the CAN-Driver to transmit and receive
XCP messages. Since variable message length is not supported the XCP Transport Layer
has to ensure that all sent XCP messages have the same DLC. I.e. a DLC of 8.
3.2  Reception and transmission of XCP packets
Upon reception of any XCP message the function
vuint8 XcpPreCopy (PRECOPY_PARAM_TYPE PRECOPY_PARAM )
(5.3.1)
is called by the CAN-Driver and the XCP Packet is passed to the Protocol Layer by a call
of the function:
void XcpCommand ( MEMORY_ROM vuint32* pCommand )
After the command has been processed by the Protocol Layer the XCP Response Packet
is passed to the Transport Layer by the service
void ApplXcpSend (vuint8 len, MEMORY_ROM BYTEPTR msg )
(5.2.1)
and the XCP message is transmitted by the CAN-Driver service
vuint8 CanTransmit ( CanTransmitHandle tmtHandle )
the successful transmission is confirmed by the CAN-Driver by a call of
void XcpConfirmation ( CanTransmitHandle tmtObject )
(5.3.2)
The confirmation is passed to the Protocol Layer by a call of
void XcpSendCallback (void )

Asynchronous XCP Packet transmission like e.g. SERV, EV and DAQ are transmitted and
confirmed by the described sequence.
3.3  Support of multiple CAN channels
Multiple CAN channels are supported by the XCP Transport Layer for CAN. However it is
not possible to have multiple connections at one time. I.e. only one connection on one
CAN channel is allowed.
The option ‘multi connection protection’ ensures that only one XCP Master communicates
with the XCP Slave at one time.

©2009, Vector Informatik GmbH
Version: 1.08
8 /  27
based on template version 1.3

Technical Reference XCP on CAN

4  Integration into the application
This chapter describes the steps for the integration of the XCP Transport Layer for CAN
into an application environment of an ECU.
4.1 Files
The XCP Transport Layer for CAN consists of the following files:
Files of the XCP on CAN Transport Layer
xcp_can.c  XCP on CAN Transport Layer.
This file must not be changed by the user!
xcp_can.h  API of the XCP on CAN Transport Layer.
This file must not be changed by the application!
This file has to be included prior to XcpProf.h.
v_def.h
General Vector definitions of memory qualifiers and types.
This file must not be changed by the application!.
_xcp.cfg
XCP user config file template for the configuration on XCP Transport
Layer for CAN with CANgen.

Additionally the following files are generated by the generation tool GENy.
Files generated by GENy
xcp_cfg.h  Configuration file for XCP on CAN.
xcp_parc
Parameter definition for the XCP on CAN.
xcp_par.h  External declarations for the parameters.
v_cfg.h
General Vector configuration file for platform specifics.
v_inc.h
General header for including the Vector CANbedded stack headers.

Note that all files of XCP on CAN must not be changed manually except if CANgen is used
for the configuration of the CAN-Driver. In this case only the generated files xcp_cfg.h,
xcp_par.c and xcp_par.h are relevant and the additional general header for including
the generated header files _v_inc.h has to be customized and renamed to v_inc.h.

4.2 Version
changes
Changes and the release versions of the XCP Transport Layer for CAN are listed at the
beginning of the header and source code.

©2009, Vector Informatik GmbH
Version: 1.08
9 /  27
based on template version 1.3

Technical Reference XCP on CAN

4.3
Integration of XCP on CAN into the application
The Vector CANbedded stack includes optionally XCP on CAN, which comprises the XCP
Protocol Layer in conjunction with the XCP Transport Layer for CAN and the CAN-Driver.
Note that the CAN-Driver, which is distributed as a separate product, is only partly part of
XCP on CAN.
The following figure shows the interface between XCP on CAN and the application:

XCP on CAN
CAN Driver
(can_drv.c)
XcpCommand
XcpPreCopy
XCP on CAN
XcpConfirmation
Interface Layer
ApplXcpSend
XcpSendCallback
(xcp_can.c)
CanTransmit
XCP
Protocol Layer
( XcpProf.c )
XcpEvent
XcpInit
Application
XcpBackground
ApplXcp..

figure 4-1  Integration of XCP on CAN into the application

Practical Procedure
The integration of XCP on CAN can be done by following these steps:

1.  Configure XCP on CAN in the generation tool GENy and generate.
2.  Include the include header file v_inc.h into all modules that access the
XCP on CAN services or provide services that XCP on CAN uses.
3.  Add all source files and generated source files in the make file and link it
together with the data link layer and the application.
4. Initialize the data link layer after each reset during start-up before
initializing XCP on CAN (interrupts have to be disabled until the complete
initialization procedure is done) by calling XcpInit.
©2009, Vector Informatik GmbH
Version: 1.08
10 / 27
based on template version 1.3

Technical Reference XCP on CAN

5. If required call the background function XcpBackground cyclically.
6. Integrate the desired XCP on CAN services into your application. Call
especially the function XcpEvent(channel) cyclic with the appropriate
cycle time and channel number.
The XCP on CAN sources must not be changed for the integration into the
application.

©2009, Vector Informatik GmbH
Version: 1.08
11 / 27
based on template version 1.3

Technical Reference XCP on CAN

5 Description
of
the
API
The XCP on CAN application programming interface consists of services, which are
realized by function calls. These services are called wherever they are required. They
transfer information to- or take over information from XCP on CAN. This information is
stored in XCP on CAN until it is not required anymore, respectively until it is changed by
other operations.
Examples for calling the services of XCP on CAN can be found in the description of the
services.
5.1
Version of the source code
The source code version of the XCP Transportation Layer for CAN is provided by three
BCD coded constants:

V_MEMROM0 MEMORY_ROM vuint8 kXcpOnCanMainVersion =
(vuint8)(CP_XCPONCAN_VERSION >> 8);
V_MEMROM0 MEMORY_ROM vuint8 kXcpOnCanSubVersion =
(vuint8)(CP_XCPONCAN_VERSION);
V_MEMROM0 MEMORY_ROM vuint8 kXcpOnCanReleaseVersion =
(vuint8)(CP_XCPONCAN_RELEASE_VERSION);

Example
Version 1.00.00 is registered as:

kXcpOnCanMainVersion = 0x01;
kXcpOnCanSubVersion = 0x00;
kXcpOnCanReleaseVersion = 0x00;

These constants are declared as external and can be read by the application at any time.

©2009, Vector Informatik GmbH
Version: 1.08
12 / 27
based on template version 1.3

Technical Reference XCP on CAN

5.2
XCP Transport Layer for CAN services called by the Protocol Layer
The following XCP Transport Layer for CAN functions are called by the Protocol Layer.
The API of theses functions can be found in the header of the XCP on CAN components.

5.2.1 ApplXcpSend:
Transmission of XCP Packets
ApplXcpSend
Prototype
Single Channel
Single Receive Channel
void ApplXcpSend ( vuint8 len, const BYTEPTR msg )
Single Receive Buffer
N/a
Multiple Receive Buffer
N/a
Multi Channel
Indexed (MRC)
Not supported
Code replicated (SRB)
N/a
Code replicated (MRB)
N/a
Parameter
len
Length of the XCP Packet that has to be transmitted.
(with len = 1 ... 8)
msg
Pointer to the XCP Packet data.
Return code
-
-
Functional Description
Transmission of XCP Packets.

Particularities and Limitations
  Not reentrant
  Call context of: XcpEvent, XcpBackground and context of CAN-Driver

5.2.2 ApplXcpInit:
Initialization of XCP Transport Layer for CAN
ApplXcpInit
Prototype
Single Channel
Single Receive Channel
void ApplXcpInit ( void )
Single Receive Buffer
N/a
Multiple Receive Buffer
N/a
Multi Channel
Indexed (MRC)
Not supported
Code replicated (SRB)
N/a
Code replicated (MRB)
N/a
©2009, Vector Informatik GmbH
Version: 1.08
13 / 27
based on template version 1.3

Technical Reference XCP on CAN

Parameter
-
-
Return code
-
-
Functional Description
Initialization of the XCP Transport Layer for CAN.

Particularities and Limitations
  Not reentrant
  Call context of XcpInit

5.2.3
ApplXcpBackground: Background task of XCP Transport Layer for CAN
ApplXcpBackground
Prototype
Single Channel
Single Receive Channel
void ApplXcpBackground ( void )
Single Receive Buffer
N/a
Multiple Receive Buffer
N/a
Multi Channel
Indexed (MRC)
Not supported
Code replicated (SRB)
N/a
Code replicated (MRB)
N/a
Parameter
-
-
Return code
-
-
Functional Description
Cyclic background task of the XCP Transport Layer for CAN.

Particularities and Limitations
  Not reentrant
  Call context of XcpBackground

©2009, Vector Informatik GmbH
Version: 1.08
14 / 27
based on template version 1.3

Technical Reference XCP on CAN

5.3
XCP Transport Layer for CAN services called by the CAN-Driver
The following XCP Transport Layer for CAN functions are called by the CAN-Driver.
The API of theses functions can be found in the header of the CAN-Driver parameter file.

5.3.1
XcpPreCopy: XCP message precopy function
XcpPreCopy
Prototype
Single Channel CAN-Driver
Single Receive Channel
vuint8 XcpPreCopy ( CanRxInfoStructPtr rxStruct )
Single Receive Buffer
vuint8 XcpPreCopy ( CanReceiveHandle rxObject )
Multiple Receive Buffer
vuint8 XcpPreCopy ( CanChipDataPtr rxDataPtr )
Multi Channel CAN-Driver
Indexed (MRC)
vuint8 XcpPreCopy ( CanRxInfoStructPtr rxStruct )
Code replicated (SRB)
vuint8 XcpPreCopy ( CanReceiveHandle rxObject )
Code replicated (MRB)
vuint8 XcpPreCopy ( CanChipDataPtr rxDataPtr )
Parameter
rxStruct
Pointer to RxInfoStruct
rxObject
Handle of the received object
rxDataPtr
Pointer to received data
Return code
vuint8
kCanNoCopyData : no data needs to be copied by the CAN-Driver
Functional Description
Precopy function that is called upon every reception of a XCP message.

Particularities and Limitations
  Not reentrant
  Call context of CAN-Driver

©2009, Vector Informatik GmbH
Version: 1.08
15 / 27
based on template version 1.3

Technical Reference XCP on CAN

5.3.2 XcpConfirmation:
XCP message confirmation

XcpConfirmation
Prototype
Single Channel CAN-Driver
Single Receive Channel
void XcpConfirmation ( CanTransmitHandle tmtObject )
Single Receive Buffer
void XcpConfirmation ( CanTransmitHandle tmtObject )
Multiple Receive Buffer
void XcpConfirmation ( CanTransmitHandle tmtObject )
Multi Channel CAN-Driver
Indexed (MRC)
void XcpConfirmation ( CanTransmitHandle tmtObject )
Code replicated (SRB)
void XcpConfirmation ( CanTransmitHandle tmtObject )
Code replicated (MRB)
void XcpConfirmation ( CanTransmitHandle tmtObject )
Parameter
tmtObject
Transmit Handle of the confirmed message.
Return code
-
-
Functional Description
Confirmation function for the XCP message.
This function is called by the CAN-Driver whenever the XCP message has been transmitted successful.
Particularities and Limitations
Not reentrant
Call context of CAN-Driver

5.4
XCP Protocol Layer services called by the Transport Layer for CAN
The following XCP Protocol Layer services are called by the Transport Layer for CAN:
-
void ApplXcpInterruptEnable(void)
-
void ApplXcpInterruptDisbable(void)
-
void XcpCommand( MEMORY_ROM vuint32* pCommand )
-
void XcpSendCallBack( void )
-
vuint8 XcpGetState( void )
For a description of the API and the functionality of these functions please refer to the
Technical Reference XCP Protocol Layer [4].
5.5
CAN-Driver services called by the Transport Layer for CAN
The following CAN-Driver services are called by the Transport Layer for CAN:
-
vuint8 CanTransmit ( CanTransmitHandle tmtHandle )
For a description of the API and the functionality of these functions please refer to the
Technical Reference CAN Driver [5].
©2009, Vector Informatik GmbH
Version: 1.08
16 / 27
based on template version 1.3

Technical Reference XCP on CAN

6 Configuration of XCP on CAN
The configuration of XCP on CAN (XCP Protocol Layer and XCP Transport Layer for CAN)
is only supported by the generation tool GENy.
Therefore if the CAN-Driver is configured with CANgen two generation tools are used:
-
GENy for the configuration of the XCP Protocol Layer
-
CANgen for the configuration of the CAN-Driver. The XCP Transport Layer for CAN
has to be configured manually (refer to chapter 6.2).
6.1
Configuration of XCP on CAN with GENy
If GENy is used for the configuration of the whole CANbedded stack the configuration of
XCP on CAN is conveniently done by GENy. No database attributes are required for the
configuration of XCP on CAN.

figure 6-1 Component selection
©2009, Vector Informatik GmbH
Version: 1.08
17 / 27
based on template version 1.3

Technical Reference XCP on CAN

In order to configure the XCP Transport Layer for CAN (Cp_XcpOnCan) it has to be
activated on the designated channels. The activation of the XCP Transport Layer for CAN
requires to activate the XCP Protocol Layer (Cp_Xcp).
The configuration of each component is done on separate pages. Furthermore XCP
Transport Layer for CAN has ECU specific and channel specific settings that have to be
customized separately.
6.1.1
Main configuration page

figure 6-2  Main configuration page of XCP on CAN Transport Layer
Configuration options
Value
Description
XCP on CAN Transport Layer options
Variable DLC
  Enable
Activate/Deactivate the transmission of messages
  Disable
with variable DLC.
This option is not available yet!
Multi connection protection
  Enable
Activate/Deactivate the protection against multiple
  Disable
connections.
Only available if XCP on CAN is used on multiple
CAN channels.
Table 6-1  Main configuration page of XCP on CAN Transport Layer
©2009, Vector Informatik GmbH
Version: 1.08
18 / 27
based on template version 1.3

Technical Reference XCP on CAN

6.1.2
Channel configuration page
The messages can be selected in GENy within Component Cp_XcpOnCan under the
channel view (see below). The list boxes of the master/slave ID entry fields provide
messages which fit to the requirements. The user can select the appropriate message.

figure 6-3 Channel configuration page of XCP on CAN Transport Layer

Configuration options
Value
Description
Type of bus system
Ready Only
Bus system type for the specific channel.
Manufacturer
Ready Only
Value of the database attribute ‘manufacturer’.
XCP on CAN Transport Layer
Slave Id
Tx-ID
XCP Slave Identifier
This is the ID for Response Packets and DAQ packets.
Only IDs that are not IL, TP or Diag messages and that
have a DLC of 8 can be selected.
Master Id
RX-ID
XCP Master Identifier
This is the ID for Command Packets and STIM Packets.
©2009, Vector Informatik GmbH
Version: 1.08
19 / 27
based on template version 1.3

Technical Reference XCP on CAN

Only IDs that are not IL, TP or Diag messages and that
have a DLC of 8 can be selected.
Table 6-2  Channel configuration page of XCP on CAN Transport Layer
In case there are no messages of type Application available, no selection can be made in
the Master/Slave ID field.
In this case two possible solutions exist:
1. Change the attributes of the XCP message(s) in the database. There are special
attributes to specify a message as NM, TP, IL, etc.

In case this is not possible, use solution 2:

2. Within GENy an IL message can be configured to be ‘Appl’ message. In Tx and Rx
message view, set the checkbox ‘Application Message’ for the appropriate message (as
shown below, message B1_CCP). Then the type changes to Message Class ‘Appl’. Now
this message should be found in the slave or master ID selection.

figure 6-4  Changing message attribute to “Application Message”

6.1.3
Multiple Identity configuration
For information about setting up a Multiple Identity configuration please refer to the
according Technical Reference. This chapter only explains the XCP specific configuration.
For each configured Identity the Slave Id and Master Id must be configured. For a
configuration with Multiple Identity this is not done on the channel dependent page as
shown in chapter 6.1.2, but on the Identities page below the channel dependent page (s.
figure below).
©2009, Vector Informatik GmbH
Version: 1.08
20 / 27
based on template version 1.3

Technical Reference XCP on CAN

figure 6-5 Channel configuration page for Multiple Identity configurations of XCP on CAN Transport Layer

©2009, Vector Informatik GmbH
Version: 1.08
21 / 27
based on template version 1.3

Technical Reference XCP on CAN

6.2
Configuration of XCP on CAN with GENy and CANgen
If the CAN-Driver is configured by CANgen the configuration of the XCP Transport Layer
for CAN has to be done manually. The configuration of the XCP Protocol Layer is
performed conveniently by GENy.
Reference the user config file xcp.cfg on the XCP Protocol Layers main page in GENy
as shown in figure 6-6 and customize it according to Table 6-3.

figure 6-6 Adding a user config file in GENy

©2009, Vector Informatik GmbH
Version: 1.08
22 / 27
based on template version 1.3

Technical Reference XCP on CAN

Configuration options
Value
Description
XCP on CAN Transport Layer Options
XCP_TRANSPORT_LAYER_TYPE_CAN

Activate the XCP on CAN Transport Layer
XCP_xxx_VARIABLE_DLC
ENABLE
Activate/Deactivate the transmission of
DISABLE messages with variable DLC.
This option is not available yet!
XCP_xxx_MULTI_CHANNEL
ENABLE
Enable support of multiple CAN channels
DISABLE
XCP_xxx_MULTI_CONNECTION_PROT
ENABLE
Protection against multiple connections.
ECTION
DISABLE Only available if XCP on CAN is used on
multiple CAN channels
kXcpNumberOfCanChannels
2..255
Specify the number of CAN channels that
use XCP on CAN.
Only available if XCP on CAN is used on
multiple CAN channels
Table 6-3 Options and configuration of XCP on CAN Transport Layer

The XCP Slave ID and XCP Master ID have to be configured in the generation tool that
configures the CAN-Driver. If XCP on CAN is only used on one CAN channel refer to
chapter 6.2.1 ‘XCP on CAN uses only one CAN channel’ otherwise refer to chapter 6.2.2
‘XCP on CAN uses multiple CAN channels’.

6.2.1
XCP on CAN uses only one CAN channel
The generation tool CANgen has to be configured as follows:
 Add the precopy function XcpPreCopy for the XCP Master ID in your generation tool.
 Add the confirmation function XcpConfirmation for the XCP Slave ID in your generation tool.
The Transmit handle and the data buffer of the XCP Slave ID have to be defined in the
user config file xcp.cfg:
 #define XcpGetTransmitHandle() TransmitHandleOfSlaveId
#define XcpGetTransmitDataPtr() TransmitDataBufferOfSlaveId
 Replace TransmitHandleOfSlaveId by the transmit handle of the XCP Slave Id that can be
found in the header <node>.h.
 Replace TransmitDataBufferOfSlaveId by the transmit data buffer of the XCP Slave Id
that can be found in the header <node>.c.

Example for Slave Id XCP_DTO
#define XcpGetTransmitHandle() CanTxXCP_DTO

#define XcpGetTransmitDataPtr() (XCP_DTO._c)

©2009, Vector Informatik GmbH
Version: 1.08
23 / 27
based on template version 1.3

Technical Reference XCP on CAN

6.2.2
XCP on CAN uses multiple CAN channels
If XCP on CAN is used on multiple CAN channels (e.g. vehicle bus and private CAN) the
configuration of the XCP Master ID and XCP Slave ID is done by the following steps.
The generation tool CANgen has to be configured as follows:
  Add the precopy function XcpPreCopy for the XCP Master IDs in your generation tool.
  Add the confirmation function XcpConfirmation for the XCP Slave IDs in your generation tool.
The Transmit handles and the data buffers of the XCP Slave IDs have to be defined in an
additional source file.
V_MEMROM0 V_MEMROM1 CanTransmitHandle V_MEMROM2 xcpTxHandleField[] =
{
Tx handle of XCP Slave ID 1,
Tx handle of XCP Slave ID 2
};
V_MEMROM0 V_MEMROM1 TxDataPtr V_MEMROM2 xcpTxDataPtrField[] =
{
data bufferTx of XCP Slave ID 1,
data bufferTx of XCP Slave ID 2
};
The following macros have to be defined in the user config file xcp.cfg:
  #define XcpGetTransmitHandle() (xcpTxHandleField[xcpChannelNumber])
#define XcpGetTransmitDataPtr() (xcpTxDataPtrField[xcpChannelNumber])

Example for Slave Id XCP_DTO and XcpSlave

User config file xcp.cfg :
#define XcpGetTransmitHandle() (xcpTxHandleField[xcpChannelNumber])

#define XcpGetTransmitDataPtr() (xcpTxDataPtrField[xcpChannelNumber])

C Source Code:
V_MEMROM0 V_MEMROM1 CanTransmitHandle V_MEMROM2 xcpTxHandleField[] =
{
CanTxXCP_DTO,
CanTxXcpSlave
};

V_MEMROM0 V_MEMROM1 TxDataPtr V_MEMROM2 xcpTxDataPtrField[] =
{
XCP_DTO._c,
XcpSlave._c
};

©2009, Vector Informatik GmbH
Version: 1.08
24 / 27
based on template version 1.3

Technical Reference XCP on CAN

7 Limitations
7.1.1
Variable length of XCP Packets is not supported
The XCP protocol allows a variable length of XCP Packets. However many OEMs require
that all CAN messages sent within their automotive networks have to have a static DLC.
Therefore the DLC of XCP on CAN messages is always 8 and the Control Field of the
XCP Tails consists of fill bytes.

7.1.2
Assignment of CAN identifiers to DAQ lists is not supported
The assignment of CAN identifiers to DAQ lists is not supported.

7.1.3
Detection of all XCP slaves within a network
The detection of all XCP slaves within a network with the command GET_SLAVE_ID is not
supported.

7.1.4 Channel
API
XCP on CAN is only available with a single channel API.
However all currently available single and multiple channel APIs of the CAN-Driver are
supported.

7.1.5
Multiple Identity only supported for single channel configuration
Multiple Identity for XCP on CAN is only available fora single CAN channel configuration.

©2009, Vector Informatik GmbH
Version: 1.08
25 / 27
based on template version 1.3

Technical Reference XCP on CAN

8 FAQ
8.1
Transmit queue of CAN-Driver is disabled

FAQ
How to operate XCP on CAN if the transmit queue of the CAN-Driver is disabled.

If the transmit queue of the CAN-Driver is disabled at any time it might not be possible to
transmit the XCP Slave message due to an ongoing message transmission. Therefore the
message transmission might have to be requested several times.
This is done with the service ApplXcpBackground() that gets called by
XcpBackground(). This service has to be called cyclic with a recommended call cycle of
1ms. The faster it gets called the faster the XCP Slave message will participate in the
arbitration on the bus.

©2009, Vector Informatik GmbH
Version: 1.08
26 / 27
based on template version 1.3

Technical Reference XCP on CAN

9 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector-informatik.com
©2009, Vector Informatik GmbH
Version: 1.08
27 / 27
based on template version 1.3

Document Outline

24.4 - TechnicalReference_XCP_Protocol_Layer

Technical Reference

24.5 - TechnicalReference_XCP_Protocol_Layer_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105

24.6 - TechnicalReference_XCP_Protocol_Layers

XCP Protocol Layer
Technical Reference

Version 1.19.00

Version:
1.19.00
Status:
released

Technical Reference XCP Protocol Layer

1  History
Date
Version  Remarks
2005-01-17  1.00.00  ESCAN00009143: Initial draft
Warning Text added
2005-06-22  1.01.00  FAQ extended: ESCAN00012356, ESCAN00012314
ESCAN00012617: Add service to retrieve XCP state
2005-12-20  1.02.00  ESCAN00013883: Revise Resume Mode
2006-03-09  1.03.00  ESCAN00015608: Support command TRANSPORT_LAYER_CMD
ESCAN00015609: Support XCP on FlexRay Transport Layer
2006-04-24  1.04.00  ESCAN00015913: Correct filenames
Data page banking support of application callback template added
2006-05-08  1.05.00  ESCAN00016263: Describe support of reflected CRC16 CCITT
ESCAN00016159: Add demo disclaimer to XCP Basic
2006-05-29  1.06.00  ESCAN00016226: Support XCP on LIN Transport Layer
2006-07-20  1.07.00  ESCAN00012636: Add configuration with GENy
ESCAN00016956: Support AUTOSAR CRC module
2006-10-26  1.08.00  ESCAN00018115: DPRAM Support only available in XCP Basic
ESCAN00017948: Add paging support
ESCAN00017221: Documentation of reentrant capability of all
functions
2007-01-18  1.09.00  ESCAN00018809: Support data paging on Star12X / Cosmic
2007-05-07  1.10.00  Description of new features added
2007-09-14  1.11.00  Segment freeze mode now supported
2008-07-23  1.12.00  ESCAN00028586: Support of Program_Start callback
ESCAN00017955: Support MIN_ST_PGM
ESCAN00017952: Open Interface for command processing
2008-09-10  1.13.00  Additional pending return value of call backs added
MIN_ST configuration added
2008-12-01  1.14.00  ESCAN00018157: SERV_RESET is not supported
ESCAN00032344: Update of XCP Basic Limitations
2009-05-14  1.15.00  ESCAN00033909: New features implemented: Prog Write Protection,
Timestamps, Calibration activation
2009-07-30  1.15.01  Fixed some editorial errors
2009-11-17  1.15.02  ESCAN00037907: XCP Memory in far RAM
2009-12-17  1.16.00  Support of a2l export
2012-02-20  1.16.01  ESCAN00055216: DAQ Lists can be extended after
START_STOP_SYNCH
2012-08-13  1.17.00  ESCAN00060779: Support for address doubling in XCP for DSP
micros
2013-06-18  1.17.01  ESCAN00068051: Provide an API to detect XCP state and usage
2013-12-10  1.18.00  ESCAN00072503 Support custom CRC Cbk
2015, Vector Informatik GmbH
Version: 1.19.00
2 / 105

Technical Reference XCP Protocol Layer

ESCAN00072505 Support Generic GET_ID
2015-03-26 1.19.00 ESCAN00082098 Time Check for DAQ lists
ESCAN00081839 Wrong prototype description for
ApplXcpCheckReadAccess

Please note
We have configured the programs in accordance with your specifications in the

questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector’s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

Note for XCP Basic
Please note, that the demo and example programs only show special aspects of the

software. With regard to the fact that these programs are meant for demonstration
purposes only, Vector Informatik’s liability shall be expressly excluded in cases of
ordinary negligence, to the extent admissible by law or statute.

2015, Vector Informatik GmbH
Version: 1.19.00
3 / 105

Technical Reference XCP Protocol Layer

2  Overview
This  document  describes  the  features,  API,  configuration  and  integration  of  the  XCP
Protocol Layer. Both XCP versions: XCP Professional and XCP Basic are covered by this
document. Chapters that are only relevant for XCP Professional are marked.
This document does not cover the XCP Transport Layers for CAN, FlexRay and LIN, which
are available at Vector Informatik.
Please refer to [IV] for further information about XCP on CAN and the integration of XCP
on CAN with the Vector CANbedded software components. Further information about XCP
on  FlexRay  Transport  Layer  and  XCP  on  LIN  Transport  Layer  can  be  found  in  its
documentation.
Please  also  refer  to  “The  Universal  Measurement  and  Calibration  Protocol  Family”
specification by ASAM e.V.
The XCP Protocol Layer is a hardware independent protocol that can be ported to almost
any  hardware.  Due  to  there  are  numerous  combinations  of  micro  controllers,  compilers
and memory models it cannot be guaranteed that it will run properly on any of the above
mentioned combinations.
Please  note  that  in  this  document  the  term  Application  is  not  used  strictly  for  the  user
software but also for any higher software layer, like e.g. a Communication Control Layer.
Therefore, Application refers to any of the software components using XCP.
The API of the functions is described in a separate chapter at the end of this document.
Referred functions are always shown in the single channel mode.

Info
The source code of the XCP Protocol Layer, configuration examples and

documentation are available on the Internet at www.vector-informatik.de in a
functional restricted form.

2.1
Abbreviations and Items used in this paper

Abbreviations
Complete expression
A2L
File Extension for an ASAM 2MC Language File
AML
ASAM 2 Meta Language
API
Application Programming Interface
ASAM
Association for Standardization of Automation and Measuring Systems
BYP
BYPassing
CAN
Controller Area Network
CAL
CALibration
CANape
Calibration  and  Measurement  Data  Acquisition  for  Electronic  Control
Systems
2015, Vector Informatik GmbH
Version: 1.19.00
10 / 105

Technical Reference XCP Protocol Layer

CMD
Command
CTO
Command Transfer Object
DAQ
Synchronous Data Acquistion
DLC
Data Length Code ( Number of data bytes of a CAN message )
DLL
Data link layer
DTO
Data Transfer Object
ECU
Electronic Control Unit
ERR
Error Packet
EV
Event packet
ID
Identifier (of a CAN message)
Identifier
Identifies a CAN message
ISR
Interrupt Service Routine
MCS
Master Calibration System
Message
One or more signals are assigned to each message.
ODT
Object Descriptor Table
OEM
Original equipment manufacturer (vehicle manufacturer)
PAG
PAGing
PID
Packet Identifier
PGM
Programming
RAM
Random Access Memory
RES
Command Response Packet
ROM
Read Only Memory
SERV
Service Request Packet
STIM
Stimulation
TCP/IP
Transfer Control Protocol / Internet Protocol
UDP/IP
Unified Data Protocol / Internet Protocol
USB
Universal Serial Bus
XCP
Universal Measurement and Calibration Protocol
VI
Vector Informatik GmbH

Also refer to ‘AN-AND-1-108 Glossary of CAN Protocol Terminology.pdf’, which can be
found in the download area of http://www.vector-informatik.de.
2015, Vector Informatik GmbH
Version: 1.19.00
11 / 105

Technical Reference XCP Protocol Layer

2.2
Naming Conventions
The names of the access functions provided by the XCP Protocol Layer always start with a
prefix that includes the characters Xcp. The characters Xcp are surrounded by an
abbreviation which refers to the service or to the layer which requests a XCP service. The
designation of the main services is listed below:

Naming conventions
Xcp…
It is mandatory to use all functions beginning with Xcp…
These services are called by either the data link layer or the application.
They are e.g. used for the initialization of the XCP Protocol Layer and for the
cyclic background task.
ApplXcp...
The functions, starting with ApplXcp… are functions that are provided
either by any XCP Transport Layer or the application and are called by the
XCP Protocol Layer.
These services are user callback functions that are application specific and have
to be implemented depending on the application.

2015, Vector Informatik GmbH
Version: 1.19.00
12 / 105

Technical Reference XCP Protocol Layer

3  Functional Description
3.1
Overview of the Functional Scope
The  Universal  Measurement  and  Calibration  Protocol  (XCP)  is  standardized  by  the
European ASAM  working  committee  for  standardization  of  interfaces  used  in  calibration
and measurement data acquisition. XCP is a higher level protocol used for communication
between  a  measurement  and  calibration  system  (MCS,  i.e.  CANape)  and  an  electronic
control unit (ECU).
3.2
Communication Mode Info
In order to gather information about the XCP Slave device, e.g. the implementation version
number  of  the  XCP  Protocol  Layer  and  supported  communications  models,  the
communication mode info can be enabled by the switch XCP_ENABLE_COMM_MODE_INFO.
3.3
Block Transfer Communication Model (XCP Professional only)
In  the  standard  communication  model,  each  request  packet  is  responded  by  a  single
response packet or an error packet. To speed up memory  uploads, downloads and flash
programming  the  XCP  commands  UPLOAD,  DOWNLOAD  and  PROGRAM  support  a
block transfer mode similar to ISO/DIS 15765-2.
In  the  Master  Block  Transfer  Mode  can  the  master  transmit  subsequent  (up  to  the
maximum block size MAX_BS) request packets to the slave without getting any response
in between. The slave responds after transmission of the last request packet of the block.
In Slave Block Transfer Mode can the slave respond subsequent (there is no limitation) to
a request without any more requests in between.
Refer to chapter 7.2.1 for configuration details.
3.4
Slave Device Identification
3.4.1
XCP Station Identifier
The  XCP  station  identifier  is  an ASCII  string  that  identifies  the  ECU’s  software  program
version.
The  MCS  can  interpret  this  identifier  as  file  name  for  the  ECU  database.  The  ECU
developer  should  change  the  XCP  station  identifier  with  each  program  change. This  will
prevent  database  mix-ups  and  grant  the  correct  access  of  measurement  and  calibration
objects  from  the  MCS  to  the  ECU.  Another  benefit  of  the  usage  of  the  XCP  station
identifier is the automatic assignment of the correct ECU database at program start of the
MCS via the plug & play mechanism. The plug & play mechanism prevents the user from
selecting the wrong ECU database.
Refer  to  chapter  7.2.5.1  (Identification  by  ASAM-MC2  Filename  without  Path  and
Extension) for configuration details.

2015, Vector Informatik GmbH
Version: 1.19.00
13 / 105

Technical Reference XCP Protocol Layer

3.4.2
XCP Generic Identification
The  XCP provides  a  generic mechanism for identification  by  the GET_ID  command.  For
this  purpose  a  call-back  exist  which  can  be  implemented  by  the  user  to  provide  the
requested information. The following function
vuint32 ApplXcpGetIdData( MTABYTEPTR *pData, vuint8 id )
(6.5.2)
has to set a pointer to the identification information based on the requested id and return
the length of this information.
Refer to chapter 7.2.5.2 for an example implementation.
3.5
Seed & Key
The  seed  and  key  feature  allows  individual  access  protection  for  calibration,  flash
programming,  synchronous  data  acquisition  and  data  stimulation.  The  MCS  requests  a
seed  (a  few  data  bytes)  from  the  ECU  and  calculates  a  key  based  on  a  proprietary
algorithm and sends it back to the ECU.
The seed & key functionality can be enabled with the switch XCP_ENABLE_SEED_KEY and
disabled XCP_DISABLE_SEED_KEY in order to save ROM. Also refer to chapter 7.2.1.
The application callback function
vuint8  ApplXcpGetSeed(  MEMORY_ROM  vuint8  resourceMask,  BYTEPTR
seed )  (6.5.3)
return a seed that is transferred to the MCS. The callback function
vuint8  ApplXcpUnlock(  MEMORY_ROM  vuint8  *key,  MEMORY_ROM  vuint8
length )
(6.5.4)
has to verify a received key and if appropriate return the resource that shall be unlocked.
Annotation for the usage of CANape
The calculation of the key is done in a DLL named SEEDKEY1.DLL, which is developed by
the  ECU  manufacturer  and  which  must  be  located  in  the  EXEC  directory  of  CANape.
CANape can access the ECU only if the ECU accepts the key. If the key is not valid, the
ECU is locked.
Example Implementation for SEEDKEY1.DLL
The function call of ASAP1A_XCP_ComputeKeyFromSeed() is standardized by the ASAM
committee.

Example
FILE SEEDKEY1.H

#ifndef _SEEDKEY_H_

#define _SEEDKEY_H_
#ifndef DllImport
#define DllImport __declspec(dllimport)
#endif
#ifndef DllExport
#define DllExport __declspec(dllexport)
2015, Vector Informatik GmbH
Version: 1.19.00
14 / 105

Technical Reference XCP Protocol Layer

#endif
#ifdef SEEDKEYAPI_IMPL
#define SEEDKEYAPI DllExport __cdecl
#else
#define SEEDKEYAPI DllImport __cdecl
#endif
#ifdef __cplusplus
extern "C" {
#endif

BOOL SEEDKEYAPI ASAP1A_XCP_ComputeKeyFromSeed( BYTE *seed,

unsigned short sizeSeed,

BYTE *key,

unsigned short maxSizeKey,

unsigned short *sizeKey

);
#ifdef __cplusplus
}
#endif
#endif

FILE SEEDKEY1.C
#include <windows.h>
#define SEEDKEYAPI_IMPL
#include "SeedKey1.h"

extern "C" {
BOOL SEEDKEYAPI ASAP1A_XCP_ComputeKeyFromSeed( BYTE *seed,
 unsigned short sizeSeed,
 BYTE *key,
 unsigned short maxSizeKey,
 unsigned short *sizeKey
 )
{ // in that example sizeSeed == 4 is expected only
 if( sizeSeed != 4 ) return FALSE;
 if( maxSizeKey < 4 ) return FALSE;
 *((unsigned long*)key) *= 3;
 *((unsigned long*)key) &= 0x55555555;
 *((unsigned long*)key) *= 5;
 *sizeKey = 4;
 return TRUE;
 }
}

2015, Vector Informatik GmbH
Version: 1.19.00
15 / 105

Technical Reference XCP Protocol Layer

3.6
Checksum Calculation
The  XCP  Protocol  Layer  supports  calculation  of  a  checksum  over  a  specific  memory
range. The XCP Protocol Layer  supports all XCP ADD algorithms and the CRC16CCITT
checksum calculation algorithm.
XCP Professional allows the usage of the AUTOSAR CRC Module [VII]. If the AUTOSAR
CRC Module is used also the XCP CRC32 algorithm can be used.
Also refer to 7.2.2.1 ‘Table of Checksum Calculation Methods’.
If checksum calculation is enabled the background task
vuint8 XcpBackground( void )
(6.2.4)
has to be called cyclically.

3.6.1
Custom CRC calculation
The Protocol Layer also allows the calculation of the CRC by the application. For this the
call-back:
vuint8  ApplXcpCalculateChecksum(  ROMBYTEPTR  pMemArea,  BYTEPTR
pRes, vuint32 length )
is  called.  This  call-back  can  either  calculate  the  checksum  synchronously  and  return
XCP_CMD_OK  or it  can  trigger the  calculation  and  return  XCP_CMD_PENDING  for asynchronous
calculation of the checksum. In every case the response frame has to be assembled.
3.7
Memory Protection (XCP Professional only)
If XCP_ENABLE_WRITE_PROTECTION is defined write access of specific RAM areas can
be checked with the function
vuint8 ApplXcpCheckWriteAccess( MTABYTEPTR addr, vuint8 size )(6.5.7)
It should only be used, if write protection of memory areas is required.
If XCP_ENABLE_READ_PROTECTION is defined read access of specific RAM areas can be
checked with the function
vuint8 ApplXcpCheckReadAccess( MTABYTEPTR addr, vuint32 size )(6.5.8)
It should only be used, if read protection of memory areas is required.
While  the  first  two  functions  are  used  during  polling,  the  following  function  is  used  for
DAQ/STIM access:
vuint8 ApplXcpCheckDAQAccess( DAQBYTEPTR addr, vuint8 size )(6.5.9)
These  functions  can  be  used  to  protect  memory  areas  that  are  not  allowed  to  be
accessed, e.g. memory mapped registers or the xcp memory itself.
3.8
Event Codes
The slave device may report events to the master device by sending asynchronous event
packets  (EV),  which  contain  event  codes,  to  the  master  device.  The  transmission  is  not
guaranteed due to these event packets are not acknowledged.
2015, Vector Informatik GmbH
Version: 1.19.00
16 / 105

Technical Reference XCP Protocol Layer

The  transmission  of  event  codes  is  enabled  with  XCP_ENABLE_SEND_EVENT.  The
transmission is done by the service
void XcpSendEvent( vuint8 evc, MEMORY_ROM BYTEPTR c, vuint8 len
)
(6.2.5)
The event codes can be found in the following table.
Event
Code  Description
EV_RESUME_MODE
0x00  The slave indicates that it is starting in RESUME mode.
EV_CLEAR_DAQ
0x01  The slave indicates that the DAQ configuration in non-
volatile memory has been cleared.
EV_STORE_DAQ
0x02  The slave indicates that the DAQ configuration has been
stored into non-volatile memory.
EV_STORE_CAL
0x03  The slave indicates that the calibration data has been
stored.
EV_CMD_PENDING
0x05  The slave requests the master to restart the time-out
detection.
EV_DAQ_OVERLOAD
0x06  The slave indicates an overload situation when
transferring DAQ lists.
EV_SESSION_TERMINATED  0x07  The slave indicates to the master that it autonomously
decided to disconnect the current XCP session.
EV_USER
0xFE  User-defined event.
EV_TRANSPORT
0xFF  Transport layer specific event.

3.9
Service Request Messages (XCP Professional only)
The slave device may request some action to be performed by the master device. This is
done by the transmission of a Service  Request  Packet  (SERV) that  contains the service
request  code.  The  transmission  of  service  request  packets  is  asynchronous  and  not
guaranteed due to these packets are not being acknowledged.
The service request messages can be sent by the following functions
void ApplXcpUserService ( MEMORY_ROM vuint8 c )
(6.2.6)
void ApplXcpPrint ( MEMORY_ROM vuint8 *str )
(6.2.7)
Refer to 7.2.1 for the configuration of the service request message.
3.10  User Defined Command
The  XCP  Protocol  allows  having  a  user  defined  command  with  an  application  specific
functionality.
The
user
defined
command
is
enabled
by
setting
XCP_ENABLE_USER_COMMAND  and  upon  reception  of  the  user  command  the  following
callback function is called by the XCP command processor:
vuint8 ApplXcpUserService ( MEMORY_ROM BYTEPTR pCmd )
(6.5.11)

2015, Vector Informatik GmbH
Version: 1.19.00
17 / 105

Technical Reference XCP Protocol Layer

3.11  Transport Layer Command
The transport layer commands are received by the XCP Protocol Layer and processed by
the  XCP Transport  Layer. The  XCP  Protocol  Layer  transmits  the  XCP  response  packets
(RES) or XCP error packets (ERR).
The transport layer command is enabled by setting XCP_ENABLE_TL_COMMAND.
Upon reception of any transport layer command the following callback function is called by
the XCP command processor:
vuint8 ApplXcpTLService ( MEMORY_ROM BYTEPTR pCmd )
(6.4.6)

3.12  Synchronous Data Transfer
3.12.1  Synchronous Data Acquisition (DAQ)
The  synchronous  data  transfer  can  be  enabled  with  the  compiler  switch
XCP_ENABLE_DAQ. In this mode, the MCS configures tables of memory addresses in the
XCP  Protocol  Layer. These  tables  contain  pointers  to measurement  objects,  which  have
been  configured  previously  for  the  measurement  in  the  MCS.  Each  configured  table  is
assigned to an event channel.
The  function  XcpEvent(x)  has  to  be  called  cyclically  for  each  event  channel  with  the
corresponding  event  channel  number  as  parameter.  The  application  has  to  ensure  that
XcpEvent is called with the correct cycle time, which is defined in the MCS. Note that the
event channel numbers have to start at 0 and have to be continuous.
The  ECU  automatically  transmits  the  current  value  of  the  measurement  objects  via
messages to the MCS, when the function XcpEvent is executed in the ECU’s code with
the corresponding event channel number. This means that the data can be transmitted at
any particular point of the ECU code when the data values are valid.
The data acquisition mode can be used in multiple configurations that are described within
the next chapters.
Annotation for the usage of CANape
It is recommended to enable both data acquisition plug & play mechanisms to detect the
DAQ settings.
3.12.2  DAQ Timestamp
There are two methods to generate timestamps for data acquisition signals.
1. By the MCS tool on reception of the message
2. By the ECU (XCP slave)
The time precision of the MCS tool is adequate for the most applications; however, some
applications  like  the  monitoring  of  the  OSEK  operating  system  require  higher  precision
timestamps. In such cases, ECU generated timestamps are recommended.
For the configuration of the DAQ time stamped mode refer to chapter 7.2.7 (Configuration
of the DAQ Time Stamped Mode).
2015, Vector Informatik GmbH
Version: 1.19.00
18 / 105

Technical Reference XCP Protocol Layer

3.12.3  Power-Up Data Transfer (XCP Professional only)
Power-up data  transfer  (also  called  resume mode)  allows  automatic  data  transfer  (DAQ,
STIM)  of  the  slave  directly  after  power-up.  Automotive  applications  would  e.g.  be
measurements during cold start.
The slave and the master have to store all the necessary communication  parameters for
the  automatic  data  transfer  after  power-up.  Therefore  the  following  functions  have  to  be
implemented in the slave.
vuint8 ApplXcpDaqResume ( tXcpDaq * daq )
(6.5.21)
void ApplXcpDaqResumeStore ( MEMORY_ROM tXcpDaq * daq )
(6.5.22)
void ApplXcpDaqResumeClear ( void )
(6.5.23)
vuint8 ApplXcpCalResumeStore ( void )
(6.5.24)
To  use  the  resume  mode  the  compiler  switches  XCP_ENBALE_DAQ  and
XCP_ENABLE_RESUME_MODE have to be defined.
Annotation for the usage of CANape
Start the resume mode with the menu command Measurement|Start and push the button
“Measure offline” on the dialog box.
3.12.4  Data Stimulation (STIM) (XCP Professional only)
Synchronous Data Stimulation is the inverse mode of Synchronous Data Acquisition.
The  STIM  processor  buffers  incoming  data  stimulation  packets.  When  an  event  occurs
(XcpEvent is called), which triggers a DAQ list in data stimulation mode, the buffered data
is transferred to the slave device’s memory.
To use data stimulation the compiler switches XCP_ENBALE_DAQ and XCP_ENABLE_STIM
have to be defined.
3.12.5  Bypassing (XCP Professional only)
Bypassing  can  be  realized  by  making  use  of  Synchronous  Data Acquisition  (DAQ)  and
Synchronous Data Stimulation (STIM) simultaneously.
State-of-the-art Bypassing also requires the administration of the bypassed functions. This
administration has to be performed in a MCS like e.g. CANape.
Also  the  slave  should  perform  plausibility  checks  on  the  data  it  receives  through  data
stimulation.  The  borders  and  actions  of  these  checks  are  set  by  standard  calibration
methods. No special XCP commands are needed for this.
3.12.6  Data Acquisition Plug & Play Mechanisms
The XCP Protocol Layer comprises two plug & play mechanisms for data acquisition:
>  general information on the DAQ processor
(enabled with XCP_ENABLE_DAQ_PROCESSOR_INFO)
>  general information on DAQ processing resolution
(enabled with XCP_ENABLE_DAQ_RESOLUTION_INFO)
The general information on the DAQ processor contains:
>  general properties of DAQ lists
2015, Vector Informatik GmbH
Version: 1.19.00
19 / 105

Technical Reference XCP Protocol Layer

>  total number of available DAQ lists and event channels
The general information on the DAQ processing resolution contains:
>  granularity and maximum size of ODT entries for both directions
>  information on the time stamp mode

3.12.7  Event Channel Plug & Play Mechanism
The  XCP  Protocol  Layer  supports  a  plug  &  play  mechanism  that  allows  the  MCS  to
automatically detect the available event channels in the slave.
Please refer to chapter 7.2.6 (Configuration of the Event Channel Plug & Play Mechanism)
for details about the configuration of this plug & play mechanism.
Annotation for the usage of CANape
If the plug & play mechanism is not built-in, you must open the dialog XCP Device Setup
with the menu command Tools|Driver parameters. Go to the Event tab. Make one entry for
each  event  channel. An  event  channel  is  an  XcpEvent(x)  function  call  in  ECU  source
code.
3.12.8  Runtime Supervision of DAQ Measurement
To prevent OS timeouts caused by huge runtime of the XcpEvent function due to extensive
DAQ lists it is possible to enable a Runtime Supervision feature. If this feature is enabled
the following application call-backs are called during DAQ assembly:
void ApplXcpRtsStart ( void )
(6.5.26)
vuint8 ApplXcpRtsSnapshot ( void )
(6.5.27)
The first function is called to catch the initial timer value at measurement start. The second
function is called for each ODT during DAQ assembly to check whether a timer threshold
is exceeded. Depending on the return value of this function the current operation is either
continued or aborted. In case it is aborted a DAQ overrun is memorized to be sent to the
XCP Master with the next valid ODT.
The  given  examples,  located  in  xcp_appl.c,  are  based  on  a  16bit  timer  and  must  be
adapted by the user.

3.13  The Online Data Calibration Model
3.13.1  Page Switching
The  MCS  can  switch  between  a  flash  page  and  a  RAM  page.  The  XCP  command
SET_CAL_PAGE is used to activate the required page. The page switching is enabled with
the XCP_ENABLE_CALIBRATION_PAGE definition.
The following application callback functions have to be implemented:
vuint8 ApplXcpGetCalPage ( vuint8 segment, vuint8 mode )
(6.5.28)
vuint8 ApplXcpSetCalPage ( vuint8 segment, vuint8 page, vuint8
mode )
(6.5.29)
2015, Vector Informatik GmbH
Version: 1.19.00
20 / 105

Technical Reference XCP Protocol Layer

Annotation for the usage of CANape
Open  the  dialog  XCP  Device  Setup  with  the  menu  command Tools|Driver  Configuration.
Go to the tab “FLASH”. Activate page switching. Enter a flash selector value e.g. 1 and a
Ram selector e.g. 0.
3.13.2  Page Switching Plug & Play Mechanism
The MCS can be automatically configured if the page switching plug & play mechanism is
used. This mechanism comprises
>  general information about the paging processor
Also refer to chapter 7.2.9 (Configuration of the Page Switching Plug & Play Mechanism)
and to the XCP Specification [II].
The  page  switching  plug  &  play  mechanism  is  enabled  with  the  switch
XCP_ENBALE_PAGE_INFO.
3.13.3  Calibration Data Page Copying
Calibration data page copying is performed by the XCP command COPY_CAL_PAGE. To
enable this feature the compiler switch XCP_ENABLE_PAGE_COPY has to be set.
For  calibration  data  page  copying  the  following  application  callback  function  has  to  be
provided by the application:
vuint8 ApplXcpCopyCalPage( vuint8 srcSeg, vuint8 srcPage,
vuint8 destSeg, vuint8 destPage )
(6.5.30)
3.13.4  Freeze Mode Handling
Freeze mode handling is performed by the XCP commands SET_SEGMENT_MODE and
GET_SEGMENT_MODE.
To
enable
this
feature
the
compiler
switch
XCP_ENABLE_PAGE_FREEZE has to be set.
For freeze mode handling the following application callback functions have to be provided
by the application:
void ApplXcpSetFreezeMode( vuint8 segment, vuint8 mode )
(6.5.31)
vuint8 ApplXcpGetFreezeMode( vuint8 segment )
(6.5.32)

3.14  Flash Programming (XCP Professional only)
There are two methods available for the programming of flash memory.
>  Flash programming by the ECU’s application
>  Flash programming with a flash kernel
Depending on the hardware it might not be possible to reprogram an internal flash sector,
while a program is running from another sector. In this case the usage of a special flash
kernel is necessary.
2015, Vector Informatik GmbH
Version: 1.19.00
21 / 105

Technical Reference XCP Protocol Layer

3.14.1  Flash Programming by the ECU’s Application
If  the  internal  flash  has  to  be  reprogrammed  and  the  microcontroller  allows  to
simultaneously  reprogram  and  execute  code  from  the  flash  the  programming  can  be
performed with the ECU’s application that contains the XCP. This method is also used for
the programming of external flash.
The  flash  programming  is  done  with  the  following  XCP  commands  PROGRAM_START,
PROGRAM_RESET,
PROGRAM_CLEAR,
PROGRAM,
PROGRAM_NEXT,
PROGRAM_MAX, PROGRAM_RESET, PROGRAM_FORMAT1, PROGRAM_VERIFY2.
The  flash  prepare,  flash  program  and  the  clear  routines  are  platform  dependant  and
therefore have to be implemented by the application.
vuint8 ApplXcpProgramStart( void )
(6.5.18)
vuint8 ApplXcpFlashClear( MTABYTEPTR a, vuint32 size )
(6.5.19)
vuint8 ApplXcpFlashProgram( MEMORY_ROM BYTEPTR data,
MTABYTEPTR a, vuint8 size )
(6.5.20)
The flash programming is enabled with the switch XCP_ENABLE_PROGRAM.
Annotation for the usage of CANape
Open  the  dialog  XCP  Device  Setup  with  the  menu  command Tools|Driver  Configuration.
Go to the tab “FLASH” and select the entry “Direct” in the flash kernel drop down list.
3.14.1.1  Flash Programming Plug & Play Mechanism
The  MCS  (like  e.g.  CANape)  can  get  information  about  the  Flash  and  the  Flash
programming process from the ECU. The following information is provided by the ECU:
>  number of sectors, start address or length of each sector
>  the program sequence number, clear sequence number and programming method
>  additional information about compression, encryption
Also  refer  to  chapter  7.2.8  (Configuration  of  the  Flash  Programming  Plug  &  Play
Mechanism) and to the XCP Specification [II].
The  flash  programming  plug  &  play  mechanism  is  enabled  with  the  switch
XCP_ENABLE_PROGRAM_INFO.
3.14.2  Flash Programming with a Flash Kernel
A  flash  kernel  has  to  be  used  for  the  flash  programming  if  it  is  not  possible  to
simultaneously  reprogram  and  execute  code  from  the  flash.  Even  though  the
reprogrammed sector and the sector the code is executed from are different sectors.
The application callback function
vuint8 ApplXcpDisableNormalOperation( MTABYTEPTR a, vuint16
size )
(6.5.15)
is  called  prior  to  the  flash  kernel  download  in  the  RAM.  Within  this  function  the  normal
operation of the ECU has to be stopped and the flash kernel download can be prepared.

1 Command not supported
2 Command not supported
2015, Vector Informatik GmbH
Version: 1.19.00
22 / 105

Technical Reference XCP Protocol Layer

Due  to  the  flash  kernel  is  downloaded  in  the  RAM  typically  data  gets  lost  and  no  more
normal operation of the ECU is possible.
The  flash  programming  with  a  flash  kernel  is  enabled  with  the  switch
XCP_ENABLE_BOOTLOADER_DOWNLOAD.
Annotation for the usage of CANape
The  flash  kernel  is  loaded  by  CANape  Graph  into  the  microcontroller’s  RAM  via  XCP
whenever  the  flash  memory  has  to  be  reprogrammed.  The  flash  kernel  contains  the
necessary  flash  routines,  its  own  CAN-Driver  and  XCP  Protocol  implementation  to
communicate via the CAN interface with CANape Graph.
Every  flash  kernel  must  be  customized  to  the  microcontroller  and  the  flash  type  being
used. CANape already includes some flash kernels for several microcontrollers. There is
also  an  application  note  available  by  Vector  Informatik  GmbH  that  describes  the
development of a proprietary flash kernel.
Open  the  dialog  XCP  Device  Setup  with  the  menu  command Tools|Driver  Configuration.
Go to the tab “FLASH”, and select in the ‘flash kernel’ drop down list, the corresponding fkl
file for the microcontroller being used.
3.14.3  Flash Programming Write Protection
If  XCP_ENABLE_PROGRAMMING_WRITE_PROTECTION  is  defined  write  access  of  specific
FLASH areas can be checked with the function
vuint8 ApplXcpCheckProgramAccess( MTABYTEPTR addr, vuint8 size )(6.5.10)
It should only be used, if write protection of flash areas is required.

3.15  EEPROM Access (XCP Professional only)
For  uploading  data  from  the  ECU  to  a  MCS  the  XCP  commands  SHORT_UPLOAD  and
UPLOAD  are  used. The  switch  XCP_ENABLE_READ_EEPROM  allows  EEPROM  access  for
these commands.
Before reading from an address it is checked within the following callback function whether
EEPROM or RAM is accessed:
vuint8 ApplXcpCheckReadEEPROM
( MTABYTEPTR addr, vuint8 size, BYTEPTR data )
(6.5.5)
The EEPROM access is directly performed within this function.
For  downloading  data  from  the  MCS  to  the  ECU  the  XCP  commands
SHORT_DOWNLOAD, DOWNLOAD, DOWNLOAD_NEXT and DOWNLOAD_MAX can be
used.  The  switch  XCP_ENABLE_WRITE_EEPROM  allows  the  EEPROM  access  for  these
commands.
Also  before  writing  to  an  address  within  the  following  callback  function  it  is  checked
whether EEPROM or RAM is accessed
vuint8 ApplXcpCheckWriteEEPROM
( MTABYTEPTR addr, vuint8 size, MEMORY_ROM BYTEPTR data
)
(6.5.6)
2015, Vector Informatik GmbH
Version: 1.19.00
23 / 105

Technical Reference XCP Protocol Layer

3.16  Parameter Check
As  long  as  the  XCP  Protocol  Layer  is  not  thoroughly  tested  together  with  the  XCP
Transport Layer and the application, the parameter check should be enabled. This is done
by setting the compiler switch XCP_ENABLE_PARAMETER_CHECK.
The parameter check should be removed in order to save code space.
3.17  Performance Optimizations
The XCP Protocol Layer is a platform comprehensive higher software layer and therefore
platform  specific  optimizations  are  not  implemented.  However  it  is  possible  to  apply
platform specific optimizations.
The  memory  following  memory  access  functions  can  be  overwritten  by  either  macros  or
functions:
void XcpMemCpy( DAQBYTEPTR dest,
MEMORY_ROM DAQBYTEPTR src, vuint16 n )
(6.6.1)
void XcpMemSet( BYTEPTR p, vuint16 n, vuint8 b )
(6.6.2)
static void XcpMemClr( BYTEPTR p, vuint16 n )
(6.6.3)
It  is  recommended  to  use  DMA  access  as  far  as  possible  for  faster  execution  of  these
services.
The  transmission  of  data  transfer  objects  (DTO)  could  also  be  optimized  e.g.  by  using
DMA. Therefore the following function has to be overwritten
void XcpSendDto( const xcpDto_t *dto )
(6.6.4)
The above listed functions can be overwritten by defining a macro with the functions name
that is included in the XCP Protocol Layer component.
3.18  Interrupt Locks
The  functions  XcpEvent,  XcpSendCallBack,  XcpBackground  and  XcpCommand  are
not  reentrant.  If  one  of  these  functions  may  interrupt  one  of  the  others,  the  functions  or
macros  ApplXcpInterruptEnable  (6.4.4)  and  ApplXcpInterruptDisable  (6.4.5)
have to be defined to protect critical sections in the code from being interrupted. The XCP
Protocol Layer will not nest the sections with disabled interrupts. The time periods are as
short as possible, but note that ApplXcpSend is called with disabled interrupts!
3.19  Accessing internal data
The function
void XcpGetXcpDataPointer ( RAM tXcpData ** pXcpData )
(6.2.10)
provides  access  to  the  internal  data  structure  of  the  XCP  module.  By  means  of  this
function the internal data can be preset to a certain value. This can be used to process a
measurement  further  that  has  been  started  in  application  mode  but  is  finished  in  boot
mode.
2015, Vector Informatik GmbH
Version: 1.19.00
24 / 105

Technical Reference XCP Protocol Layer

As the whole data can be accessed, it must be handled with care.
3.20 En- / Disabling the XCP module
The function
void XcpControl ( vuint8 command )
(6.2.11)
can be used to en- or disable the XCP module during run time. Thus the XCP functionality
can be controlled by the application. The parameter “command” is either
kXcpControl_Disable to disable the Xcp or kXcpControl_Enable to enable it again.

Note

Please note that when XcpControl is called all APIs are disabled but the
state of the XCP remains. Thus a running DAQ list is continued after the XCP is
enabled again. If you want to prevent this, don’t use XcpControl to enable the
XCP again but use the Xcp_Init and <BusXcp>_Init functions to initialize the
XCP.

3.21 Support for address doubling in XCP for DSP micros

In order to support DSP µC that do not support Byte access the XCP provides a
mechanism called “address doubling”. If this feature is used all addresses received from
the tool must be doubled in order to access the physical address. CANape does this
automatically if a coff file for TMS320 is used as map file. If other tools are used this must
be done manually in the a2l file. This also means that the addresses for user callbacks are
doubled and must be divided by 2 to access the physical address. With an even virtual
address the high byte of the physical address is accessed. With an odd virtual address the
low byte of the physical address is accessed.

The affected APIs are:
- ApplXcpFlashClear (6.5.19)
- ApplXcpFlashProgram (6.5.20)
- ApplXcpCheckReadAccess (6.5.8)
- ApplXcpCheckProgramAccess (6.5.10)
- ApplXcpDisableNormalOperation (6.5.15)
- ApplXcpCheckWriteAccess (6.5.7)
- ApplXcpCheckReadEEPROM (6.5.5)
- ApplXcpCheckWriteEEPROM (6.5.6)
- ApplXcpCheckDAQAccess (6.5.9)
2015, Vector Informatik GmbH
Version: 1.19.00
25 / 105

Technical Reference XCP Protocol Layer

APIs which are not affected:
-  ApplXcpReadChecksumValue (6.5.33)
-  ApplXcpGetSeed (6.5.3)
-  ApplXcpUnlock (6.5.4)
-  ApplXcpGetIdData (6.5.2)
-  ApplXcpUserService (6.5.11)
-  ApplXcpOpenCmdIf (6.5.12)
-  ApplXcpWrite (6.5.35)
-  ApplXcpRead (6.5.34)

The following features/switches are not supported if “address doubling is used”:
-  XCP_ENABLE_CALIBRATION_MEM_ACCESS_BY_APPL
-  XCP_ENABLE_MODIFY_BITS
Also character arrays can not be measured as there is no way for XCP to know that it is
reading a character array.
2015, Vector Informatik GmbH
Version: 1.19.00
26 / 105

Technical Reference XCP Protocol Layer

4  Integration into the Application
This  chapter  describes  the  steps  for  the  integration  of  the  XCP  Protocol  Layer  into  an
application environment of an ECU.
4.1
Files of XCP Professional
The XCP Protocol Layer consists of the following files.
Files of the XCP Protocol Layer
XcpProf.c
XCP Professional source code.
This file must not be changed by the user!

XcpProf.h
API of XCP Professional.
This file must not be changed by the user!

_xcp_appl.c  Template that contains the application callback functions of the XCP
Protocol Layer. It is just an example and has to be customized.

v_def.h
General Vector definitions of memory qualifiers and types.
This file must not be changed by the application!

Additionally the following files are generated by the generation tool GENy. If no generation
tool or if CANgen is used the XPC Protocol Layer has to be customized manually. In this
case the following files will be available as template.
Files generated by GENy
xcp_cfg.h
XCP Protocol Layer configuration file.

xcp_par.c
Parameter definition for the XCP Protocol Layer.

xcp_par.h
External declarations for the parameters.

v_cfg.h
General Vector configuration file for platform specifics.

v_inc.h
General header for including the Vector CANbedded stacks headers.

Note that all files of XCP Professional must not be changed manually!
4.2
Files of XCP Basic
The XCP Protocol Layer consists of the following files:
Files of the XCP Protocol Layer
XcpBasic.c
XCP Basic source code.
This file must not be changed by the application!

XcpBasic.h
API of XCP Basic.
This file must not be changed by the application!

2015, Vector Informatik GmbH
Version: 1.19.00
27 / 105

Technical Reference XCP Protocol Layer

xcp_cfg.h
Configuration file template for the XCP Protocol Layer.
It is just an example and has to be customized.

xcp_par.c
Template with parameter definitions for the XCP Protocol Layer.
It is just an example and has to be customized

xcp_par.h
Template with external declarations for the parameters.
It is just an example and has to be customized

4.3
Version changes
Changes and the release versions of the XCP Protocol Layer are listed at the beginning of
the header and source code.
4.4
Integration of XCP into the Application
4.4.1
Integration of XCP on CAN (XCP Professional only)
The Vector CANbedded stack includes optionally XCP on CAN, which comprises the XCP
Protocol Layer in conjunction with the XCP on CAN Transport Layer and the CAN-Driver.
Note that the CAN-Driver, which is distributed as a separate product, is only partly part of
XCP on CAN.
The following figure shows the interface between XCP on CAN and the application:
X
C
P
o
n
C
A
N
C
A
N
D
river
(can
_d
rv.c)
X
cpC
om
m
and
X
C
P
o
n
C
A
N
In
terface L
ayer
A
pplX
cpS
end
X
cpS
endC
allback
(xcp
_can
.c)
X
C
P
P
ro
to
co
l L
ayer
( X
cp
P
ro
f.c )
X
cpE
vent
X
cpInit
A
p
p
licatio
n
X
cpB
ackground
A
pplX
cp..

Figure 4-1 Integration of XCP on CAN into the application

2015, Vector Informatik GmbH
Version: 1.19.00
28 / 105

Technical Reference XCP Protocol Layer

Practical Procedure
The integration of XCP on CAN can be done by following these steps:

1.  Configure XCP on CAN in the generation tool GENy and generate.
2.  Include the include header file v_inc.h into all modules that access the
XCP on CAN services or provide services that XCP on CAN uses.
3.  Add all source files and generated source files in the make file and link it
together with the data link layer and the application.
4.  Initialize  the  data  link  layer  after  each  reset  during  start-up  before
initializing XCP on CAN (interrupts have to be disabled until the complete
initialization procedure is done) by calling XcpInit.
5.  If required call the background function XcpBackground cyclically.
6.  Integrate  the  desired  XCP  on  CAN  services  into  your  application.  Call
especially the function XcpEvent(channel) cyclic with the appropriate
cycle time and channel number.
The  XCP  on  CAN  sources  must  not  be  changed  for  the  integration  into  the
application.

4.4.2
Integration with a Proprietary XCP Transport Layer
The  XCP  Protocol  Layer  needs  a  XCP  Transport  Layer  to  transmit  and  receive  XCP
protocol  messages  on  the  communication  link  (CAN,  FlexRay,  Ethernet,  SxI,  …)  that  is
used.  The  free  Vector  XCP  Protocol  Layer  implementation  does  not  include  the  XCP
Transport Layer, which typically is strongly ECU dependant. However the Vector XCP on
CAN software components already includes the XCP Transport Layer for CAN.
The following figure shows the interface between the transport layer and the protocol layer.
X
cpC
om
m
and
X
C
P
T
ran
sp
o
rt L
ayer
A
pplX
cpS
end
X
cpS
endC
allback
X
C
P
A
pplication - X
C
P
T
ransport Layer interface
P
ro
to
co
l L
ayer
( X
cp
B
asic.c )
X
cpE
vent
X
cpInit
A
p
p
licatio
n
X
cpB
ackground
A
pplX
cp..

Figure 4-2 Integration of XCP with a proprietary XCP Transport Layer
The transport layer driver has to notify the protocol layer after reception of a XCP protocol
message by calling the protocol layer function XcpCommand().
2015, Vector Informatik GmbH
Version: 1.19.00
29 / 105

Technical Reference XCP Protocol Layer

The protocol layer will use the function ApplXcpSend() of the transport layer to transmit
a command response message or a data acquisition message.
After  the  message  has  been  transmitted  successfully,  the  transport  layer  has  to  call  the
function XcpSendCallBack() of the protocol layer to indicate this.
The  functions  XcpInit(),  XcpEvent()  and  XcpBackground()  are  called  from  the
ECU’s application program.
The  function  ApplXcpGetPointer()  is  used  by  the  protocol  layer  to  convert  a  32  Bit
address with an address extension to a valid pointer.
Depending on the optional features that can be enabled upon demand further application
callback  functions  are  necessary. All  application  functions  are  indicated  in  Figure  4-2  by
their prefix ApplXcp….

Example
The following C pseudo code example shows the required software handshake between

the protocol layer and the transport layer. The example uses a simple transport layer
definition where the length of the protocol message is transmitted in the first byte of the
protocol packet:

/* Initialization */
XcpInit();

/* Main Loop */
for (;;) {

  /* Packet received */
  if (Message received) {
  XcpCommand(&ReceiveBuffer[1]);
  }

  /* Transmit Message Buffer available */
  if (Message transmitted) {
  XcpSendCallBack();
  }

  /* Background Processing */
  XcpBackground();
}
/* Transmit Function */
void ApplXcpSend(vuint8 len, MEMORY_ROM BYTEPTR msg ) {
  TransmitBuffer[0] = len; /* This is transport layer
specific */
  memcpy(&TransmitBuffer[1],msg,len);
  Transmit(TransmitBuffer);
}

/* Pointer Conversion */
MTABYTEPTR ApplXcpGetPointer( vuint8 addr_ext, vuint32 addr ) {
  Return (BYTE*)addr;
2015, Vector Informatik GmbH
Version: 1.19.00
30 / 105

Technical Reference XCP Protocol Layer

}

4.4.3
Motorola HC12 with CAN Transport Layer
See the application note “AN-IMC-1-007_Integration_of_the_Vector_XCP_Driver
with_a_free_CAN_Driver_v1.0.0_EN.pdf” which explains in detail how to integrate the
Vector basic XCP driver into an HC12 microcontroller with an existing CAN driver.

2015, Vector Informatik GmbH
Version: 1.19.00
31 / 105

Technical Reference XCP Protocol Layer

5 Feature List
This general feature list describes the overall feature set of the XCP Protocol Layer. Not all
of these features are available in XCP Basic. Please also refer to 9.2 “Limitations of XCP
Basic”.
Description of the XCP functionality
Version
Functions
Initialization
Initialization
Prof, Basic
XcpInit
ApplXcpInit
Task
Background task
Prof, Basic
ApplXcpBackground
XcpBackground
XCP Command Processor
Command Processor
Prof, Basic
XcpCommand
Transmission and Confirmation of XCP Packets
Prof, Basic
ApplXcpSend
XcpSendCallBack
Transmission of Response packets
Prof, Basic
XcpSendCrm
Transmission of XCP Packets
Prof, Basic
ApplXcpSendStall
ApplXcpSendFlush
XCP Commands
Get Identification
Prof, Basic
ApplXcpGetIdData
Seed & Key
Prof, Basic
ApplXcpGetSeed
ApplXcpUnlock
Short Download
Prof
-
Modify Bits
Prof
-
Write DAQ Multiple
Prof
ApplXcpCheckDAQAccess
Transport Layer Command
Prof
-
Open Command Interface
Prof
-
User command
Prof, Basic
ApplXcpUserService
Data Acquisition (DAQ)
Synchronous Data Acquisition and Stimulation
Prof, Basic
XcpEvent
ApplXcpCheckDAQAccess
DAQ Timestamp
Prof, Basic
ApplXcpGetTimestamp
Resume Mode
Prof
ApplXcpDaqResume
ApplXcpDaqResumeStore
ApplXcpDaqResumeClear
ApplXcpCalResumeStore
Online Data Calibration
Calibration page switching
Prof, Basic
ApplXcpGetCalPage
ApplXcpSetCalPage
Copy calibration page
Prof, Basic
ApplXcpCopyCalPage
Freeze Mode
Prof, Basic
ApplXcpSetFreezeMode
ApplXcpGetFreezeMode
2015, Vector Informatik GmbH
Version: 1.19.00
32 / 105

Technical Reference XCP Protocol Layer

Boot loader Download
Disable normal operation of ECU
Prof
ApplXcpDisableNormalOpera
tion
Start of the boot loader
Prof
ApplXcpStartBootLoader
Flash Programming
Reset of ECU
Prof
ApplXcpReset
Clear flash memory
Prof
ApplXcpFlashClear
Prepare flash programming
Prof
ApplXcpProgramStart
Program flash memory
Prof
ApplXcpFlashProgram
Special Features
Interrupt Control
Prof, Basic
ApplXcpInterruptEnable
ApplXcpInterruptDisable
Event Codes
Prof
XcpSendEvent
Service Request Packets
Prof
XcpPutchar
XcpPrint
Disconnect XCP
Prof, Basic
ApplXcpDisconnect
Pointer conversion
Prof, Basic
ApplXcpGetPointer
EEPROM access
Prof
ApplXcpCheckReadEEPROM
ApplXcpCheckWriteEEPROM
Write protection
Prof
ApplXcpCheckWriteAccess
Read protection
Prof
ApplXcpCheckReadAccess
Overwriteable macros
Prof, Basic
XcpMemCpy
XcpMemSet
XcpMemClr
XcpSendDto
En- / Disabling XCP module
Prof
XcpControl
Access to internal data
Prof
XcpGetXcpDataPointer
En-/Disable Calibration
Prof
-
Programming Write Protection
Prof
ApplXcpCheckProgramAccess

2015, Vector Informatik GmbH
Version: 1.19.00
33 / 105

Technical Reference XCP Protocol Layer

6  Description of the API
The XCP Protocol Layer application programming interface consists of services, which are
realized  by  function  calls.  These  services  are  called  wherever  they  are  required.  They
transfer  information  to-  or  take  over  information  from  the  XCP  Protocol  Layer.  This
information  is  stored  in  the  XCP  Protocol  Layer  until  it  is  not  required  anymore,
respectively until it is changed by other operations.
Examples  for  calling  the  services  of  the  XCP  Protocol  Layer  can  be  found  in  the
description of the services.

6.1
Version of the Source Code
The  source  code  version  of  the  XCP  Protocol  Layer  is  provided  by  three  BCD  coded
constants:

  V_MEMROM0 MEMORY_ROM vuint8 kCp_XcpMainVersion =
(vuint8)(CP_XCP_VERSION >> 8);
  V_MEMROM0 MEMORY_ROM vuint8 kCp_XcpSubVersion =
(vuint8)(CP_XCP_ VERSION);
  V_MEMROM0 MEMORY_ROM vuint8 kCp_XcpReleaseVersion =
(vuint8)(CP_XCP_RELEASE_VERSION);

Example
Version 1.00.00 is registered as:

kCp_XcpMainVersion = 0x01;
kCp_XcpSubVersion = 0x00;
kCp_XcpReleaseVersion = 0x00;

These constants are declared as external and can be read by the application at any time.
Alternatively the Version can be obtained with the GetVersionInfo API if enabled:
void  XcpGetVersionInfo (Std_VersionInfoType *XcpVerInfoPtr) (6.2.12)

2015, Vector Informatik GmbH
Version: 1.19.00
34 / 105

Technical Reference XCP Protocol Layer

6.2
XCP Services called by the Application
The following XCP services that are called by the application are all not reentrant. If they
are called within interrupt context at least the CAN-Interrupts have to be disabled.

6.2.1
XcpInit: Initialization of the XCP Protocol Layer
XcpInit
Prototype
Single Channel
Single Receive Channel  void XcpInit  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
This service initializes the XCP Protocol Layer and its internal variables. It must be called from the
application program before any other XCP function is called.
Particularities and Limitations
>  Call context: Task and interrupt level
>  This service function has to be called after the initialization of XCP Transport Layer.
>  The global interrupts have to be disabled while this service function is executed. This function
should be called during initialization of the ECU before the interrupts have been enabled
before.

6.2.2
XcpEvent: Handling of a data acquisition event channel
XcpEvent
Prototype
Single Channel
Single Receive Channel  vuint8 XcpEvent  ( vuint8 event )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
event
Number of event channels to process
The event channel numbers have to start at 0 and have to be
continuous. The range is: 0..x
2015, Vector Informatik GmbH
Version: 1.19.00
35 / 105

Technical Reference XCP Protocol Layer

Return code
vuint8
XCP_EVENT_NO :    Inactive (DAQ not running, Event not configured)
XCP_EVENT_DAQ :   DAQ active */
XCP_EVENT_DAQ_OVERRUN :  DAQ queue overflow
XCP_EVENT_STIM :  STIM active
XCP_EVENT_STIM_OVERRUN :  STIM data not available
Functional Description
Calling XcpEvent with a particular event channel number triggers the sampling and transmission
of all DAQ lists that are assigned to this event channel.
The event channels are defined by the ECU developer in the application program. An MCS (e.g.
CANape) must know about the meaning of the event channel numbers. These are usually
described in the tool configuration files or in the interface specific part of the ASAM MC2 (ASAP2)
database.
Example:
A motor control unit may have a 10ms, a 100ms and a crank synchronous event channel. In this
case, the three XcpEvent calls have to be placed at the appropriate locations in the ECU’s
program:
xcpEvent (0); /* 10ms cycle */
xcpEvent (1); /* 100ms cycle */
xcpEvent (2); /* Crank synchronous cycle */
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly and XCP is in connected state.
>  Data acquisition has to be enabled: XCP_ENABLE_DAQ has to be defined
>  Call context: Task and interrupt level (not reentrant)

6.2.3
XcpStimEventStatus: Check data stimulation events
XcpStimEventStatus
Prototype
Single Channel
Single Receive Channel  vuint8 XcpStimEventStatus  ( vuint8 event, vuint8 action )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
event
Event channel number
action
STIM_CHECK_ODT_BUFFER : check ODT buffer
STIM_RESET_ODT_BUFFER : reset ODT buffer
Return code
vuint8
0 : stimulation data not available
1 : new stimulation data is available
2015, Vector Informatik GmbH
Version: 1.19.00
36 / 105

Technical Reference XCP Protocol Layer

Functional Description
Check if data stimulation (STIM) event can perform or delete the buffers.

Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly and XCP is in connected state.
>  Data acquisition has to be enabled: XCP_ENABLE_STIM has to be defined
>  Call context: Task and interrupt level (not reentrant)

6.2.4
XcpBackground: Background calculation of checksum
XcpBackground
Prototype
Single Channel
Single Receive Channel  vuint8 XcpBackground  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
vuint8
0 : background calculation finished
1 : background calculation is still in progress
Functional Description
If the XCP command for the calculation of the memory checksum has to be used for large memory
areas, it might not be appropriate to block the processor for a long period of time. Therefore, the
checksum calculation is divided into smaller sections that are handled in XcpBackground.
Therefore XcpBackground should be called periodically whenever the ECU’s CPU is idle.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly
>  Call context: Task level

6.2.5
XcpSendEvent: Transmission of event codes
XcpSendEvent
Prototype
Single Channel
Single Receive Channel  void XcpSendEvent  ( vuint8 evc,
MEMORY_ROM BYTEPTR c,
vuint8 len )
Multi Channel
Indexed
not supported
Code replicated
not supported
2015, Vector Informatik GmbH
Version: 1.19.00
37 / 105

Technical Reference XCP Protocol Layer

Parameter
evc
event code
c
pointer to event data
len
event data length
Return code
-
-
Functional Description
Transmission of event codes via event packets (EV).
Please refer to chapter 3.8 Event Codes.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly and XCP is in connected state.
>  Data acquisition has to be enabled: XCP_ENABLE_SEND_EVENT has to be defined
>  Call context: Task and interrupt level

6.2.6
XcpPutchar: Put a char into a service request packet
XcpPutchar
Prototype
Single Channel
Single Receive Channel  void XcpPutchar  ( MEMORY_ROM vuint8 c )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
c
character that is put in a service request packet
Return code
-
-
Functional Description
Put a char into a service request packet (SERV).
The service request packet is transmitted if either the maximum packet length is reached (the
service request message packet is full) or the character 0x00 is out in the service request packet.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly and XCP is in connected state.
>  The switch XCP_ENABLE_SERV_TEXT_PUTCHAR has to be defined
>  Call context: Task and interrupt level (not reentrant)

6.2.7
XcpPrint: Transmission of a service request packet
XcpPrint
Prototype
Single Channel
2015, Vector Informatik GmbH
Version: 1.19.00
38 / 105

Technical Reference XCP Protocol Layer

Single Receive Channel  void XcpPrint  ( MEMORY_ROM vuint8 *str )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
str
pointer to a string that is terminated by 0x00
Return code
-
-
Functional Description
Transmission of a service request packet (SERV).
The string str is sent via service request packets. The string has to be terminated by 0x00.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly and XCP is in connected state.
>  The switch XCP_ENABLE_SERV_TEXT_PRINT has to be defined
>  Call context: Task and interrupt level (not reentrant)

6.2.8
XcpDisconnect: Disconnect from XCP master
XcpDisconnect
Prototype
Single Channel
Single Receive Channel  void XcpDisconnect  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
If the XCP slave is connected to a XCP master a call of this function discontinues the connection
(transition to disconnected state). If the XCP slave is not connected this function performs no
action.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly and XCP is in connected state.
>  Call context: Task and interrupt level (not reentrant)

6.2.9
XcpSendCrm: Transmit response or error packet
XcpSendCrm
2015, Vector Informatik GmbH
Version: 1.19.00
39 / 105

Technical Reference XCP Protocol Layer

Prototype
Single Channel
Single Receive Channel  void XcpSendCrm  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Transmission of a command response packet (RES), or error packet (ERR) if no other packet is
pending.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly, XCP is in connected state and a
command packet (CMD) has been received.
>  Call context: Task and interrupt level (not reentrant)

6.2.10  XcpGetXcpDataPointer: Request internal data pointer
XcpGetXcpDataPointer
Prototype
Single Channel
Single Receive Channel  void XcpGetXcpDataPointer ( RAM tXcpData ** pXcpData )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
pXcpData
pointer to store the pointer to the module internal data
Return code
-
-
Functional Description
With this function the pointer to the module internal data can be received. With this pointer the
internal variable can be set to a certain configuration (e.g. after entering a boot mode where no
connection shall be established again). As this pointer allows the access to all internal data it must
be handled with care.
Particularities and Limitations
>  The switch XCP_ENABLE_GET_XCP_DATA_POINTER has to be defined

2015, Vector Informatik GmbH
Version: 1.19.00
40 / 105

Technical Reference XCP Protocol Layer

6.2.11  XcpControl: En- / Disable the XCP module
XcpControl
Prototype
Single Channel
Single Receive Channel  void XcpControl ( vuint8 command )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
command
parameter to either en- or disable the module
kXcpControl_Disable: disable the module
kXcpControl_Enable: enable the module
Return code
-
-
Functional Description
With this function the whole module can be en- or disabled. After initialization the module is
enabled. A call with parameter kXcpControl_Enable does not lead to any changed behavior. After
call with parameter kXcpControl_Disable each function either called by the application or by the
transport layer is directly left without any handling.
Thus this function can be used to disable the XCP functionality during runtime.
Particularities and Limitations
>  The switch XCP_ENABLE_CONTROL has to be defined

6.2.12  XcpGetVersionInfo: Request module version information
XcpGetVersionInfo
Prototype
Single Channel
Single Receive Channel  void XcpGetVersionInfo ( Std_VersionInfoType *XcpVerInfoPtr )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
XcpVerInfoPtr
Pointer to the location where the Version information shall be stored.
Return code
-
-
Functional Description
With this service it is possible to get the version information of this software module.
2015, Vector Informatik GmbH
Version: 1.19.00
41 / 105

Technical Reference XCP Protocol Layer

Particularities and Limitations
  The switch XCP_ENABLE_VERSION_INFO_API has to be defined
>  Call context: task level (Re-entrant)

6.3
XCP Protocol Layer Functions, called by the XCP Transport Layer
For  using  the  following  functions  there  are  some  limitations  which  have  to  be  taken  into
consideration – especially when using an operation system like, i.e. OSEK OS:
>  The ISR level for the transmission and reception of CAN messages has to be the same.
>  Interrupts must be mutually
>  No nested calls of these functions are allowed. (i.e. these functions are not reentrant)
All functions provided by the application must match the required interfaces. This can be
ensured by including the header file in the modules which provide the required functions. If
these interfaces do not match unexpected run-time behavior may occur.

6.3.1
XcpCommand: Evaluation of XCP packets and command interpreter
XcpCommand
Prototype
Single Channel
Single Receive Channel  void XcpCommand  ( MEMORY_ROM vuint32* pCommand )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
pCommand
Pointer to the XCP protocol message, which must be extracted from
the XCP protocol packet.
Return code
-
-
Functional Description
Every time the XCP Transport Layer receives a XCP CTO Packet this function has to be called.
The parameter is a pointer to the XCP protocol message, which must be extracted from the XCP
protocol packet.
Particularities and Limitations
>  The XCP Protocol Layer has to be initialized correctly.
>  Call context: Task and interrupt level (not reentrant)

2015, Vector Informatik GmbH
Version: 1.19.00
42 / 105

Technical Reference XCP Protocol Layer

6.3.2
XcpSendCallBack: Confirmation of the successful transmission of a XCP
packet
XcpSendCallBack
Prototype
Single Channel
Single Receive Channel  vuint8 XcpSendCallBack  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
vuint8
0 :  if the XCP Protocol Layer is idle (no transmit messages are
pending)
Functional Description
The XCP Protocol Layer does not call ApplXcpSend again, until XcpSendCallBack has
confirmed the successful transmission of the previous message. XcpSendCallBack transmits
pending data acquisition messages by calling ApplXcpSend again.
Note that if XcpSendCallBack is called from inside ApplXcpSend a recursion occurs, which
assumes enough space on the call stack.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly.
>  Call context: Task and interrupt level (not reentrant)

6.3.3
XcpGetState: Get connection state of XCP
XcpGetState
Prototype
Single Channel
Single Receive Channel  vuint8 XcpGetState  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
XCP_CONNECTED
XCP is connected
XCP_DISCONNECTED  XCP is disconnected
2015, Vector Informatik GmbH
Version: 1.19.00
43 / 105

Technical Reference XCP Protocol Layer

Functional Description
Get the connection state of the XCP Protocol Layer.
E.g. this service is used by the XCP on CAN Transport Layer to determine the connection state in
case multiple CAN channels are used.
Particularities and Limitations
>  The XCP Protocol Layer has to be initialized correctly.
>  Call context: Task and interrupt level (not reentrant)
>  Enabled/Disabled by XCP_xxx_GET_CONNECTION_STATE

6.4
XCP Transport Layer Services called by the XCP Protocol Layer
The prototypes of the functions that are required by the XCP  Protocol Layer can be found in the
component’s header.

6.4.1
ApplXcpSend: Request for the transmission of a DTO or CTO message
ApplXcpSend
Prototype
Single Channel
Single Receive Channel  void ApplXcpSend ( vuint8 len, MEMORY_ROM BYTEPTR msg )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
len
Length of message data
msg
Pointer to message
Return code
vuint8
0 : if the XCP Protocol Layer is idle (no transmit messages are
pending)
Functional Description
Requests for the transmission of a command transfer object (CTO) or data transfer object (DTO).
XcpSendCallBack must be called after the successful transmission of any XCP message. The
XCP Protocol Layer will not request further transmissions, until XcpSendCallBack has been
called.
Particularities and Limitations
>  Call context: Task and interrupt level (not reentrant)
>  ApplXcpSend is not defined as macro

2015, Vector Informatik GmbH
Version: 1.19.00
44 / 105

Technical Reference XCP Protocol Layer

6.4.2
ApplXcpInit: Perform XCP Transport Layer initialization
ApplXcpInit
Prototype
Single Channel
Single Receive Channel  void ApplXcpInit  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Initializations of the XCP Transport Layer.
This function is required by XCP on CAN if no CAN transmit queue is used.
Particularities and Limitations
>  Call context: Task and interrupt level (context of XcpInit)
>  ApplXcpInit is not defined as macro

6.4.3
ApplXcpBackground: XCP Transport Layer background operations
ApplXcpBackground
Prototype
Single Channel
Single Receive Channel  void ApplXcpBackground  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Performs background operations of the XCP Transport Layer.
This function is required by XCP on CAN if no CAN transmit queue is used.
Particularities and Limitations
>  Call context: Task and interrupt level (context of XcpBackground)
>  ApplXcpBackground is not defined as macro

2015, Vector Informatik GmbH
Version: 1.19.00
45 / 105

Technical Reference XCP Protocol Layer

6.4.4
ApplXcpInterruptEnable: Enable interrupts
ApplXcpInterruptEnable
Prototype
Single Channel
Single Receive Channel  void ApplXcpInterruptEnable  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Enabling of the global interrupts.

Particularities and Limitations
>  XCP is initialized correctly
>  Call context: Task and interrupt level
>  This function is reentrant!
>  The function ApplXcpInterruptEnable can be overwritten by the macro
ApplXcpInterruptEnable.

6.4.5
ApplXcpInterruptDisable: Disable interrupts
ApplXcpInterruptDisable
Prototype
Single Channel
Single Receive Channel  void ApplXcpInterruptDisable  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Disabling of the global interrupts.

2015, Vector Informatik GmbH
Version: 1.19.00
46 / 105

Technical Reference XCP Protocol Layer

Particularities and Limitations
>  XCP is initialized correctly
>  Call context: Task and interrupt level
>  This function is reentrant!
>  The function ApplXcpInterruptDisable can be overwritten by the macro
ApplXcpInterruptDisable.

6.4.6
ApplXcpTLService: Transport Layer specific commands
ApplXcpTLService
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpTLService  ( MEMORY_ROM  BYTEPTR  pCmd )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
pCmd
Pointer to COMMAND that has been received by the XCP Slave.
Return code
vuint8
XCP_CMD_OK :               Done
XCP_CMD_PENDING :         Call XcpSendCrm() when done
XCP_CMD_SYNTAX :           Error
XCP_CMD_BUSY :             not executed
XCP_CMD_UNKNOWN :         not implemented optional command
XCP_CMD_OUT_OF_RANGE :  command parameters out of range
Functional Description
Transport Layer specific command that is processed within the XCP Transport Layer.

Particularities and Limitations
>  XCP is initialized correctly
>  Call context: Task and interrupt level
>  The switch XCP_ENABLE_TL_COMMAND has to be defined

6.5
Application Services called by the XCP Protocol Layer
The prototypes of the functions that are required by the XCP Protocol Layer can be found
in the header.
The  XCP  Protocol  Layer  provides  application  callback  functions  in  order  to  perform
application and hardware specific tasks.
Note: All services within this chapter are called from task or interrupt level. All services are
not reentrant.
2015, Vector Informatik GmbH
Version: 1.19.00
47 / 105

Technical Reference XCP Protocol Layer

6.5.1
ApplXcpGetPointer: Pointer conversion
ApplXcpGetPointer
Prototype
Single Channel
Single Receive Channel  MTABYTEPTR ApplXcpGetPointer  ( vuint8 addr_ext, vuint32 addr )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
addr_ext
8 bit address extension
addr
32 bit address
Return code
MTABYTEPTR
Pointer to the address specified by the parameters
Functional Description
This function converts a memory address from XCP format (32-bit address plus 8-bit address
extension) to a C style pointer. An MCS like CANape usually reads this memory addresses from
the ASAP2 database or from a linker map file.
The address extension may be used to distinguish different address spaces or memory types. In
most cases, the address extension is not used and may be ignored.
This function is used for memory transfers like DOWNLOAD and UPLOAD.
Example:
The following code shows an example of a typical implementation of ApplXcpGetPointer:
MTABYTEPTR ApplXcpGetPointer( vuint8 addr_ext, vuint32 addr )
{
  return (MTABYTEPTR)addr;
}
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  This function can be overwritten by defining ApplXcpGetPointer as macro.

6.5.2
ApplXcpGetIdData: Get Identification
ApplXcpGetIdData
Prototype
Single Channel
Single Receive Channel  vuint32 ApplXcpGetIdData  ( MTABYTEPTR *pData, vuint8 id )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
pData
Returns to identification information
2015, Vector Informatik GmbH
Version: 1.19.00
48 / 105

Technical Reference XCP Protocol Layer

id
Id of requested information
Return code
vuint32
length of the identification information
Functional Description
Returns a pointer to a pointer of MAP file names.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_GET_ID_GENERIC has to be defined

6.5.3
ApplXcpGetSeed: Generate a seed
ApplXcpGetSeed
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpGetSeed  ( MEMORY_ROM vuint8 resource,

BYTEPTR seed )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
Resource
Resource for which the seed has to be generated
XCP Professional and XPC Basic
RM_CAL_PAG :   to unlock the resource calibration/paging
RM_DAQ :
to unlock the resource data acquisition
XCP Professional only
RM_STIM :
to unlock the resource stimulation
RM_PGM :
to unlock the resource programming
Seed
Pointer to RAM where the seed has to be generated to.
Return code
vuint8
The length of the generated seed that is returned by seed.
Functional Description
Generate a seed for the appropriate resource.
The seed has a maximum length of MAX_CTO-2 bytes.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_SEED_KEY has to be defined

2015, Vector Informatik GmbH
Version: 1.19.00
49 / 105

Technical Reference XCP Protocol Layer

6.5.4
ApplXcpUnlock: Valid key and unlock resource
ApplXcpUnlock
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpUnlock  ( MEMORY_ROM vuint8 *key,

MEMORY_ROM vuint8 length )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
key
Pointer to the key.
length
Length of the key.
Return code
vuint8
XCP Professional and XPC Basic
0 :
if the key is not valid
RM_CAL_PAG :   to unlock the resource calibration/paging
RM_DAQ :
to unlock the resource data acquisition
XCP Professional only
RM_STIM :
to unlock the resource stimulation
RM_PGM :
to unlock the resource programming
Functional Description
Check the key and return the resource that has to be unlocked.
Only one resource may be unlocked at one time.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_SEED_KEY has to be defined

6.5.5
ApplXcpCheckReadEEPROM: Check read access from EEPROM
ApplXcpCheckReadEEPROM
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpCheckReadEEPROM  ( MTABYTEPTR addr,

vuint8 size,

BYTEPTR data )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
addr
Address that is checked
size
Number of bytes
2015, Vector Informatik GmbH
Version: 1.19.00
50 / 105

Technical Reference XCP Protocol Layer

data
Pointer to data
(if the address is on the EEPROM the data is written here)
Return code
vuint8
0 : This is not EEPROM
1 : Read from EEPROM
Functional Description
Checks whether the address lies within the EEPROM memory or in the RAM area.
If the area is within the EEPROM area size data byte are read from addr and written to data.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_READ_EEPROM has to be defined

6.5.6
ApplXcpCheckWriteEEPROM: Check write access to the EEPROM
ApplXcpCheckWriteEEPROM
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpCheckWriteEEPROM  ( MTABYTEPTR addr,

vuint8 size,

MEMORY_ROM BYTEPTR data)
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
addr
Address that is checked
size
number of bytes
data
pointer to data
(if addr is on the EEPROM this data is written to addr)
Return code
vuint8
XCP_CMD_OK :
EEPROM written
XCP_CMD_DENIED :  This is not EEPROM
XCP_CMD_PENDING :  EEPROM write in progress, call XcpSendCrm

when done
Functional Description
Checks whether the address addr is within the EEPROM memory. If not, the function returns
XCP_CMD_DENIED. If it lies within, EEPROM programming is performed. The function may return
during programming with XCP_CMD_PENDING or may wait until the programming sequence has
finished and then returns with XCP_CMD_OK.
If the programming sequence has finished, the XcpSendCrm function must be called.
XcpSendCrm is an internal function of the XCP Protocol Layer.
2015, Vector Informatik GmbH
Version: 1.19.00
51 / 105

Technical Reference XCP Protocol Layer

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_WRITE_EEPROM has to be defined

6.5.7
ApplXcpCheckWriteAccess: Check address for valid write access
ApplXcpCheckWriteAccess
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpCheckWriteAccess  ( MTABYTEPTR address,

vuint8 size )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
address
address
size
number of bytes
Return code
vuint8
0 :
if access is denied
>= 1 :
if access is granted
Functional Description
Check addresses for valid write access. A write access is enabled with the
XCP_ENABLE_WRITE_PROTECTION, it should be only used, if write protection of memory
areas is required
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_WRITE_PROTECTION has to be defined
>  Can be overwritten by the macro ApplXcpCheckWriteAccess

6.5.8
ApplXcpCheckReadAccess: Check address for valid read access
ApplXcpCheckReadAccess
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpCheckReadAccess  ( MTABYTEPTR address,

vuint32 size )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
address
address
size
number of bytes
2015, Vector Informatik GmbH
Version: 1.19.00
52 / 105

Technical Reference XCP Protocol Layer

Return code
vuint8
0 :
if access is denied
>= 1 :
if access is granted
Functional Description
Check addresses for valid read access. A read access is enabled with the
XCP_ENABLE_READ_PROTECTION, it should be only used, if read protection of memory areas
is required
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_READ_PROTECTION has to be defined
>  Can be overwritten by the macro ApplXcpCheckReadAccess

6.5.9
ApplXcpCheckDAQAccess: Check address for valid read or write access
ApplXcpCheckDAQAccess
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpCheckDAQAccess  ( DAQBYTEPTR address,

vuint8 size )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
address
address
size
number of bytes
Return code
vuint8
XCP_CMD_DENIED :  if access is denied
XCP_CMD_OK :
if access is granted
Functional Description
Check addresses for valid read or write access. This callback is called when a WRITE_DAQ
command is performed. Therefore it is not possible to know whether this is a read or write
access. Out of this reason this unified function is called.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_READ_PROTECTION or XCP_ENABLE_WRITE_PROTECTION has to
be defined

6.5.10  ApplXcpCheckProgramAccess: Check address for valid write access
ApplXcpCheckProgramAccess
Prototype
Single Channel
2015, Vector Informatik GmbH
Version: 1.19.00
53 / 105

Technical Reference XCP Protocol Layer

Single Receive Channel  vuint8 ApplXcpCheckProgramAccess  ( MTABYTEPTR address,

vuint8 size )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
address
address
size
number of bytes
Return code
vuint8
0 :
if access is denied
>= 1 :
if access is granted
Functional Description
Check addresses for valid write access. A write access is enabled with the
XCP_ENABLE_PROGRAMMING_WRITE_PROTECTION, it should be only used, if write protection
of memory areas is required
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_PROGRAMMING_WRITE_PROTECTION has to be defined
>  Can be overwritten by the macro ApplXcpCheckWriteAccess

6.5.11  ApplXcpUserService: User defined command
ApplXcpUserService
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpUserService ( MEMORY_ROM BYTEPTR pCmd )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
pCmd
Pointer to XCP command packet
Return code
vuint8
XCP_CMD_OK :
positive response
XCP_CMD_PENDING :  Call XcpSendCrm() when done
XCP_CMD_SYNTAX :  negative response
Functional Description
Application specific user command.
Please refer to 3.10 User Defined Command.
2015, Vector Informatik GmbH
Version: 1.19.00
54 / 105

Technical Reference XCP Protocol Layer

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_USER_COMMAND has to be defined

6.5.12  ApplXcpOpenCmdIf: XCP command extension interface
ApplXcpOpenCmdIf
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpOpenCmdIf  ( MEMORY_ROM  BYTEPTR  pCmd
BYTEPTR pRes, BYTEPTR pLength )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
pCmd
Pointer to COMMAND that has been received by the XCP Slave.
pRes
Pointer to response buffer that will be sent by the XCP Slave.
pLength
Number of bytes that will be sent in the response.
Return code
vuint8
XCP_CMD_OK :         Done
XCP_CMD_PENDING :   Call XcpSendCrm() when done
XCP_CMD_ERROR :      Error
Functional Description
Call back that can be used to extend the XCP commands of the XCP protocol layer.

Particularities and Limitations
>  XCP is initialized correctly
>  Call context: Task and interrupt level
>  The switch XCP_ENABLE_OPENCMDIF has to be defined

6.5.13  ApplXcpSendStall: Resolve a transmit stall condition
ApplXcpSendStall
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpSendStall  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
2015, Vector Informatik GmbH
Version: 1.19.00
55 / 105

Technical Reference XCP Protocol Layer

Return code
vuint8
0 :     if not successful
> 0 :  successful
Functional Description
Resolve a transmit stall condition in XcpPutchar or XcpSendEvent.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_SEND_EVENT or XCP_ENABLE_SERV_TEXT_PUTCHAR and
XCP_ENABLE_SEND_QUEUE are defined
>  The function can be overwritten by the macro ApplXcpSendStall()

6.5.14  ApplXcpSendFlush: Flush transmit buffer
ApplXcpSendFlush
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpSendFlush  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Flush the transmit buffer if there is one implemented in ApplXcpSend.
This function can be overwritten by a macro.
Particularities and Limitations
>  The function can be overwritten by the macro ApplXcpSendFlush()

6.5.15  ApplXcpDisableNormalOperation: Disable normal operation of the ECU
ApplXcpDisableNormalOperation
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpDisableNormalOperation  ( MTABYTEPTR a,

vuint16 size )
Multi Channel
Indexed
not supported
Code replicated
not supported
2015, Vector Informatik GmbH
Version: 1.19.00
56 / 105

Technical Reference XCP Protocol Layer

Parameter
a
Address (where the flash kernel is downloaded to)
size
Size (of the flash kernel)
Return code
vuint8
XCP_CMD_OK :
download of flash kernel confirmed
XCP_CMD_DENIED :  download of flash kernel refused
Functional Description
Prior to the flash kernel download has the ECU’s normal operation to be stopped in order to
avoid misbehavior due to data inconsistencies.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_BOOTLOADER_DOWNLAOD has to be defined

6.5.16  ApplXcpStartBootLoader: Start of boot loader
ApplXcpStartBootLoader
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpStartBootLoader  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
vuint8
This function should not return.
0 :
negative response
> 0 :
positive response
Functional Description
Start of the boot loader.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_BOOTLOADER_DOWNLAOD has to be defined

6.5.17  ApplXcpReset: Perform ECU reset
ApplXcpReset
Prototype
Single Channel
Single Receive Channel  void ApplXcpReset  ( void )
2015, Vector Informatik GmbH
Version: 1.19.00
57 / 105

Technical Reference XCP Protocol Layer

Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Perform an ECU reset after reprogramming of the application.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_PROGRAM has to be defined

6.5.18  ApplXcpProgramStart: Prepare flash programming
ApplXcpProgramStart
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpProgramStart  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
vuint8
XCP_CMD_OK :
Preparation done
XCP_CMD_PENDING :   Call XcpSendCrm() when done
XCP_CMD_ERROR :   Flash programming not possible
Functional Description
Prepare the ECU for flash programming.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_PROGRAM has to be defined

6.5.19  ApplXcpFlashClear: Clear flash memory
ApplXcpFlashClear
2015, Vector Informatik GmbH
Version: 1.19.00
58 / 105

Technical Reference XCP Protocol Layer

Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpFlashClear  ( MTABYTEPTR address,

vuint32 size )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
address
Address
size
Size
Return code
vuint8
XCP_CMD_OK :
Flash memory erase done
XCP_CMD_PENDING :  Call XcpSendCrm() when done
XCP_CMD_ERROR :  Flash memory erase error
Functional Description
Clear the flash memory, before the flash memory will be reprogrammed.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_PROGRAM has to be defined

6.5.20  ApplXcpFlashProgram: Program flash memory
ApplXcpFlashProgram
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpFlashProgram  ( MEMORY_ROM BYTEPTR data,

MTABYTEPTR address,

vuint8 size )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
data
Pointer to data
address
Address
size
Size
Return code
vuint8
XCP_CMD_OK :
Flash memory programming finished
XCP_CMD_PENDING : Flash memory programming in progress.

XcpSendCrm has to be called when done.
2015, Vector Informatik GmbH
Version: 1.19.00
59 / 105

Technical Reference XCP Protocol Layer

Functional Description
Program the cleared flash memory.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switch XCP_ENABLE_PROGRAM has to be defined

6.5.21  ApplXcpDaqResume: Resume automatic data transfer
ApplXcpDaqResume
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpDaqResume  ( tXcpDaq * daq )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
daq
Pointer to dynamic DAQ list structure
Return code
vuint8
0 :
failed
>0 :
Ok
Functional Description
Resume the automatic data transfer.
The whole dynamic DAQ list structure that had been stored in non-volatile memory within the
service ApplXcpDaqResumeStore(..) has to be restored to RAM.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_RESUME are defined

6.5.22  ApplXcpDaqResumeStore: Store DAQ lists for resume mode
ApplXcpDaqResumeStore
Prototype
Single Channel
Single Receive Channel  void ApplXcpDaqResumeStore  ( MEMORY_ROM tXcpDaq * daq )
Multi Channel
Indexed
not supported
Code replicated
not supported
2015, Vector Informatik GmbH
Version: 1.19.00
60 / 105

Technical Reference XCP Protocol Layer

Parameter
daq
Pointer to dynamic DAQ list structure.
Return code
-
-
Functional Description
This application callback service has to store the whole dynamic DAQ list structure in non-
volatile memory for the DAQ resume mode. Any old DAQ list configuration that might have
been stored in non-volatile memory before this command, must not be applicable anymore.
After a cold start or reset the dynamic DAQ list structure has to be restored by the application
callback service ApplXcpDaqResume(..).
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_RESUME are defined

6.5.23  ApplXcpDaqResumeClear: Clear stored DAQ lists
ApplXcpDaqResumeClear
Prototype
Single Channel
Single Receive Channel  void ApplXcpDaqResumeClear  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
The whole dynamic DAQ list structure that had been stored in non-volatile memory within the
service ApplXcpDaqResumeStore(..) has to be cleared.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_RESUME are defined

6.5.24  ApplXcpCalResumeStore: Store Calibration data for resume mode
ApplXcpCalResumeStore
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpCalResumeStore  ( void )
Multi Channel
2015, Vector Informatik GmbH
Version: 1.19.00
61 / 105

Technical Reference XCP Protocol Layer

Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
vuint8
0 :    Storing not yet finished (STORE_CAL_REQ flag kept)
>0 :  Storing finished (STORE_CAL_REQ flag cleared)
Functional Description
This application callback service has to store the current calibration data in non-volatile
memory for the resume mode.
After a cold start or reset the calibration data has to be restored by the application.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_RESUME are defined

6.5.25  ApplXcpGetTimestamp: Returns the current timestamp
ApplXcpGetTimestamp
Prototype
Single Channel
Single Receive Channel  XcpDaqTimestampType ApplXcpGetTimestamp  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
XcpDaqTimestampType timestamp
Functional Description
Returns the current timestamp.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_TIMESTAMP are defined
>  The parameter kXcpDaqTimestampSize defines the timestamp size. It can either be
DAQ_TIMESTAMP_BYTE, DAQ_TIMESTAMP_WORD, DAQ_TIMESTAMP_DWORD

6.5.26  ApplXcpRtsStart: Start Trigger for DAQ runtime supervision
ApplXcpRtsStart
2015, Vector Informatik GmbH
Version: 1.19.00
62 / 105

Technical Reference XCP Protocol Layer

Prototype
Single Channel
Single Receive Channel  void ApplXcpRtsStart  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
-
-
Functional Description
Function is used to trigger start of DAQ runtime supervision. This function must store a current
timestamp to be used for comparison later on.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_RUNTIME_SUPERVISION are
defined

6.5.27  ApplXcpRtsSnapshot: Trigger for DAQ runtime supervision
ApplXcpRtsSnapshot
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpRtsSnapshot  ( void )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
-
-
Return code
uint8
Returns either XCP_OK or XCP_NOT_OK depending on whether
current measurement shall be continued or aborted.
Functional Description
Function is used to perform DAQ runtime supervision. This function must compare the current
time stamp to the one stored in ApplXcpRtsStart and determine whether runtime is exceeded.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_RUNTIME_SUPERVISION are
defined

2015, Vector Informatik GmbH
Version: 1.19.00
63 / 105

Technical Reference XCP Protocol Layer

6.5.28  ApplXcpGetCalPage: Get calibration page
ApplXcpGetCalPage
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpGetCalPage  ( vuint8 segment, vuint8 mode )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
segment
Logical data segment number
mode
Access mode
The access mode can be one of the following values:
CAL_ECU : ECU access
CAL_XCP : XCP access
Return code
vuint8
Logical data page number
Functional Description
This function returns the logical number of the calibration data page that is currently activated
for the specified access mode and data segment.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_TIMESTAMP are defined

6.5.29  ApplXcpSetCalPage: Set calibration page
ApplXcpSetCalPage
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpSetCalPage  ( vuint8 segment,

vuint8 page, vuint8 mode )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
segment
Logical data segment number
Page
Logical data page number
2015, Vector Informatik GmbH
Version: 1.19.00
64 / 105

Technical Reference XCP Protocol Layer

mode
Access mode
CAL_ECU : the given page will be used by the slave device application
CAL_XCP : the slave device XCP driver will access the given page
Both flags may be set simultaneously or separately.
Return code
vuint8
0 :
Ok
CRC_OUT_OF_RANGE :
segment out of range

( only one segment supported)
CRC_PAGE_NOT_VALID :
Selected page not available
CRC_PAGE_MODE_NOT_VALID :   Selected page mode not available
Functional Description
Set the access mode for a calibration data segment.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_DAQ and XCP_ENABLE_DAQ_TIMESTAMP are defined

6.5.30  ApplXcpCopyCalPage: Copying of calibration data pages
ApplXcpCopyCalPage
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpCopyCalPage  ( vuint8 srcSeg, vuint8 srcPage

vuint8 destSeg, vuint8 destPage )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
srcSeg
Source segment
srcPage
Source page
destSeg
Destination segment
destPage
Destination page
Return code
vuint8
0 :
Ok
XCP_CMD_PENDING :
Call XcpSendCrm() when done
CRC_PAGE_NOT_VALID :
Page not available
CRC_SEGMENT_NOT_VALID :  Segment not available
CRC_WRITE_PROTECTED :   Destination page is write protected.
Functional Description
Copying of calibration data pages.
The pages are copied from source to destination.
2015, Vector Informatik GmbH
Version: 1.19.00
65 / 105

Technical Reference XCP Protocol Layer

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_PAGE_COPY and XCP_ENABLE_DAQ_TIMEOUT are defined

6.5.31  ApplXcpSetFreezeMode: Setting the freeze mode of a segment
ApplXcpSetFreezeMode
Prototype
Single Channel
Single Receive Channel  void ApplXcpSetFreezeMode ( vuint8 segment, vuint8 mode )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
segment
Segment to set freeze mode
mode
New freeze mode
Return code
-
-
Functional Description
Setting the freeze mode of a certain segment. Application must store the current freeze mode
of each segment.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_PAGE_FREEZE is defined

6.5.32  ApplXcpGetFreezeMode: Reading the freeze mode of a segment
ApplXcpGetFreezeMode
Prototype
Single Channel
Single Receive Channel  vuint8 ApplXcpGetFreezeMode ( vuint8 segment )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
segment
Segment to read freeze mode
Return code
vuint8
Return the current freeze mode, set by ApplXcpSetFreezeMode().
Functional Description
Reading the freeze mode of a certain segment. Application must store the current freeze mode
of each segment and report it by the return value of this function.
2015, Vector Informatik GmbH
Version: 1.19.00
66 / 105

Technical Reference XCP Protocol Layer

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_PAGE_FREEZE is defined

6.5.33  ApplXcpReadChecksumValue: Read a single byte from memory for
checksum creation
ApplXcpReadChecksumValue
Prototype
Single Channel
Single Channel
tXcpChecksumAddType ApplXcpRead  ( vuint32 addr )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
addr
32 Bit address
Return code
tXcpChecksumAddType Value used to create checksum.
Functional Description
Read from the memory to create checksum

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_MEM_ACCESS_BY_APPL and XCP_ENABLE_CHECKSUM is
defined

6.5.34  ApplXcpRead: Read a single byte from memory
ApplXcpRead
Prototype
Single Channel
Single Channel
vuint8 ApplXcpRead  ( vuint32 addr )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
addr
32 Bit address
Return code
vuint8
Pointer to the address specified by the parameters
2015, Vector Informatik GmbH
Version: 1.19.00
67 / 105

Technical Reference XCP Protocol Layer

Functional Description
Read a single byte from the memory.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_MEM_ACCESS_BY_APPL is defined

6.5.35  ApplXcpWrite: Write a single byte to RAM
ApplXcpWrite
Prototype
Single Channel
Single Channel
void ApplXcpWrite  ( vuint32 addr, vuint8 data )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
addr
32 Bit address
data
data to be written to memory
Return code
-
-
Functional Description
Write a single byte to RAM.

Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_MEM_ACCESS_BY_APPL is defined

6.5.36  ApplXcpCalculateChecksum: Custom checksum calculation

ApplXcpCalculateChecksum
Prototype
Single Channel
Single Channel
vuint8 ApplXcpCalculateChecksum  ( ROMBYTEPTR pMemArea,
BYTEPTR pRes, vuint32 length )
Multi Channel
Indexed
not supported
Code replicated
not supported
2015, Vector Informatik GmbH
Version: 1.19.00
68 / 105

Technical Reference XCP Protocol Layer

Parameter
pMemArea
Address pointer
pRes
Pointer to response string
Length
Length of mem area, used for checksum calculation
Return code
vuint8
XCP_CMD_OK/XCP_CMD_PENDING
Functional Description
Normally the XCP uses internal checksum calculation functions. If the internal checksum
calculation does not fit the user requirements this call-back can be used to calculate the
checksum by the application.
Particularities and Limitations
>  XCP is initialized correctly and in connected state
>  The switches XCP_ENABLE_CHECKSUM and XCP_ENABLE_CUSTOM_CRC is defined

6.6
XCP Protocol Layer Functions that can be overwritten
The following functions are defined within the XCP Protocol Layer and can be overwritten
for optimization purposes.
Note: All services within this chapter are called from task or interrupt level. All services are
not reentrant.

6.6.1
XcpMemCpy: Copying of a memory range
XcpMemCpy
Prototype
Single Channel
Single Receive Channel  void XcpMemCpy  ( DAQBYTEPTR dest,
MEMORY_ROM DAQBYTEPTR src, vuint8 n )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
dest
pointer to destination address
src
pointer to source address
n
number of data bytes to copy
Return code
-
-
2015, Vector Informatik GmbH
Version: 1.19.00
69 / 105

Technical Reference XCP Protocol Layer

Functional Description
General memory copy function that copies a memory range from source to destination.
This function is used in the inner loop of XcpEvent for data acquisition sampling.
This function is already defined in the XCP Protocol Layer, but can be overwritten by a macro or
function for optimization purposes. E.g. it would be possible to use DMA for faster execution.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly.
>  This function can be overwritten XcpMemCpy is defined.

6.6.2
XcpMemSet: Initialization of a memory range
XcpMemSet
Prototype
Single Channel
Single Receive Channel  void XcpMemSet  ( BYTEPTR p, vuint16 n, vuint8 b )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
p
pointer to start address
n
number of data bytes
b
data byte to initialize with
Return code
-
-
Functional Description
Initialization of n bytes starting from address p with b.
This function is already defined in the XCP Protocol Layer, but can be overwritten by a macro or
function for optimization purposes. E.g. it would be possible to use DMA for faster execution.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly.
>  This function can be overwritten if XcpMemSet is defined.

6.6.3
XcpMemClr: Clear a memory range
XcpMemClr
Prototype
Single Channel
Single Receive Channel  static void XcpMemClr  ( BYTEPTR p, vuint16 n )
Multi Channel
Indexed
not supported
Code replicated
not supported
2015, Vector Informatik GmbH
Version: 1.19.00
70 / 105

Technical Reference XCP Protocol Layer

Parameter
p
pointer to start address
n
number of data bytes
Return code
-
-
Functional Description
Initialize n data bytes starting from address p with 0x00.
This function is already defined in the XCP Protocol Layer, but can be overwritten by a macro or
function for optimization purposes. E.g. it would be possible to use DMA for faster execution.
Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly.
>  This function can be overwritten if XcpMemClr is defined.

6.6.4
XcpSendDto: Transmission of a data transfer object
XcpSendDto
Prototype
Single Channel
Single Receive Channel  void XcpSendDto  ( MEMORY_ROM xcpDto_t *dto )
Multi Channel
Indexed
not supported
Code replicated
not supported
Parameter
dto
pointer to data transfer object
Return code
-
-
Functional Description
Transmit a data transfer object (DTO).

Particularities and Limitations
>  The XCP Protocol Layer has been initialized correctly and XCP is in connected state.
>  The switch XCP_ENABLE_DAQ is defined
>  This function can be overwritten by defining XcpSendDto.

6.7
AUTOSAR CRC Module Services called by the XCP Protocol Layer (XCP
Professional Only)
The  following  services  of  the  AUTOSAR  CRC  Module  are  called  by  the  XCP  Protocol
Layer:
2015, Vector Informatik GmbH
Version: 1.19.00
71 / 105

Technical Reference XCP Protocol Layer

Crc_CalculateCRC16(…)
Crc_CalculateCRC32(…)
A detailed description of the API can be found in the software specification of the CRC
Module [VII].
2015, Vector Informatik GmbH
Version: 1.19.00
72 / 105

Technical Reference XCP Protocol Layer

7  Configuration of the XCP Protocol Layer
This chapter describes the common options for configuring (customizing) the XCP Protocol
Layer. Please note that the XCP Professional can conveniently be configured with GENy
(chapter 7.1). In this case no manual configuration has to be applied to the configuration
files.

The configuration of the XCP Protocol Layer without GENy can be found in chapter  7.2.It
is mainly applicable for the configuration of XCP Basic.
7.1
Configuration with GENy (XCP Professional only)
The XCP Protocol Layer is a higher software layer that can be configured independent of
the communication system channels. Therefore in GENy the Protocol Layer component is
attached  to  the  ECU.  I.e.  it  can  be  configured  without  associating  any  XCP  Transport
Layer in GENy.
Therefore there are no database attributes defined for the XCP Protocol Layer.
7.1.1
Component Configuration
7.1.1.1
General Settings

2015, Vector Informatik GmbH
Version: 1.19.00
73 / 105

Technical Reference XCP Protocol Layer

Figure 7-1 Component configuration – General settings

Configuration option
Description of configuration option
XCP Station Identifier
The 'XCP Station Identifier' is an ASAM-MC2 filename without path
and extension that identifies the ECU's software program version.
It is used for slave device identification and automatic session
configuration.
The Master Control System (MCS) can interpret this identifier as file
name for the ECU database. The ECU developer should change the
XCP station identifier with each program change. This will prevent
database mix-ups and grant the correct access of measurement and
calibration objects from the MCS to the ECU.
Another benefit of the usage of the XCP station identifier is the
automatic assignment of the correct ECU database at program start
of the MCS via the Plug&Play mechanism. The Plug&Play
mechanism prevents the user to choose the wrong ECU database.
Command Parameter
Checks of the range and validity of Command Transfer Object (CTO)
Check
and Data Transfer Object (DTO) parameters.
Enable Calibration
The option 'Enable Calibration' unlocks the commands
- DOWNLOAD
- DOWNLOAD_NEXT
- DOWNLOAD_MAX
- SHORT_DOWNLOAD
- MODIFY_BITS
If this option is disabled, these commands will return an
ERR_ACCESS_DENIED error and calibration of parameters will not
be possible!
Event Codes
'Event Codes' are transmitted within event packets (EV) from the
slave device to the master device.
The transmission is not guaranteed since event packets are not
acknowledged.
Please refer to the XCP Protocol Layer specification for the 'Table of
Event codes'.
Bootloader Download
In order to reprogram the internal flash of some microcontrollers it is
necessary to use a bootloader, because code cannot be executed
from flash while programming flash.
Memory Write Protection The option 'Memory Write Protection' enables write access to memory
areas.
I.e. prior to carrying out write access to RAM an application callback
function is called and the memory address is passed as parameter.
The application has to either grant or deny the memory access.
Memory Read Protection The option 'Memory Read Protection' enables read access to memory
areas.
I.e. prior to carrying out read access to RAM an application callback
function is called and the memory address is passed as parameter.
The application has to either grant or deny the memory access.
2015, Vector Informatik GmbH
Version: 1.19.00
74 / 105

Technical Reference XCP Protocol Layer

XCP Control
The option ‘XCP Control’ enables an API to en- or disable the XCP
module (s. 3.20).
Get Xcp Data Pointer
The option ‘Get Xcp Data Pointer’ enables an API to retrieve the
pointer to the internal data of the XCP module (s. 3.19)
Version Info API Support The 'Version Info Api' option provides access to the version
information of the XCP Protocol Layer module. Provided informations
are Module identifier, Vendor identifier and vendor specific Version
numbers.
Open Command
The ‘Open Command Interface’ can be used to add unsupported XCP
Interface
commands. A user call back is made available which must be
implemented in the application.
Session Status API
This option enables the API XcpGetState which can be used to
determine whether the XCP is in state XCP_CONNECTED or in state
XCP_DISCONNECTED
Address Doubling
Address Doubling allows byte addressing on word addressable
CPUs. For this purpose the Tool must double all addresses. If the
Tool does not support this automatically all addresses in the a2l file
must be doubled manually.
User Config File
The configuration file xcp_cfg.h is generated by GENy. If you want
to overwrite settings in the generated configuration file, you can
specify a path to a user defined configuration file.
The user defined configuration file will be included at the end of the
generated file. Therefore definitions in the user defined configuration
file can overwrite definitions in the generated configuration file.
EEPROM Access
Read Access
The option 'Read Access' allows read access to EEPROM.
The routines for accessing the EEPROM have to be implemented in
the application.
Write Access
The option 'Write Access' allows write access to EEPROM.
The routines for accessing the EEPROM have to be implemented in
the application.
Service Request Message
Service Request
'Service Request Messages' are always transmitted within service
Message
request packets (SERV) by the slave device, in order to request the
master device to perform some action.
The transmission is not guaranteed since service request packets are
not acknowledged by the master device.
Please also refer to the XCP Protocol Layer specification for the
'Table of service request codes
Print
The function XcpPrint(..) can be used for the transmission of
service request packets that contain text.
Table 7-1 Component configuration – General settings
2015, Vector Informatik GmbH
Version: 1.19.00
75 / 105

Technical Reference XCP Protocol Layer

7.1.1.2
Synchronous Data Acquisition

Figure 7-2 Component configuration – Synchronous Data Acquisition

Configuration option
Description of configuration option
Synchronous Data Acquisition Data elements located in the slave's memory are transmitted in
(DAQ)
Data Transfer Objects (DTOs) from slave to master (DAQ) and
from master to slave (STIM).
The Object Description Table (ODT) describes the mapping
between the synchronous data transfer objects and the slave's
memory.
2015, Vector Informatik GmbH
Version: 1.19.00
76 / 105

Technical Reference XCP Protocol Layer

Send Queue
The ‘Send Queue’ should be enabled if more than one ODT
(Object Description Table) is used and if the Transport Layer
does not support data queuing or data buffering.
It has to be enabled if the Vector XCP Transport Layer for CAN
is enabled.
Memory Size [byte]
A memory area has to be reserved for the dynamic allocation of
DAQ and ODT (Object Description Table) lists and for the
transmit queue.
Prescaler
If the option 'Prescaler' is enabled all DAQ lists support the
prescaler for reducing the transmission period.
Overrun Indication
Overrun situations are indicated to the Master Control System.
An overrun situation is e.g. an overflow of the transmit queue.
Write DAQ Multiple
This command allows downloading multiple DAQ list entries in
one CMD frame. This option only works if:
1.  MAX_CTO is at least 16 bytes big
2.  This feature is enabled in CANape (Extended driver
settings)
DAQ / ODT Message Header
If the option 'DAQ/ODT message header' is enabled the 2 byte
DAQ/ODT XCP Packet Identification is used: Relative ODT
number (1 byte), absolute DAQ list number (1 byte).
If the option 'DAQ/ODT message header' is disabled a 1 byte
Packet Identification (PID) is used: Absolute ODT number.
Attention: The 'DAQ/ODT Message Header' must not be
enabled if the XCP Transport Layer for CAN or FlexRay is
enabled.
Resume Mode
The option 'Resume Mode' or often also called 'Cold Start
Measurement' allows automatic data transfer (DAQ, STIM)
directly after power-up of the slave without prior connection to
the master calibration system. Also prior set calibration data can
be restored.
General Info
The option 'General Info' enables the XCP command
GET_DAQ_PROCESSOR_INFO, which provides general
information on DAQ lists.
Resolution Info
The option 'Resolution Info' enables the command
GET_DAQ_RESOLUTION_INFO, which provides information
on the resolution of DAQ lists.
Synchronous Data Stimulation (STIM)
Synchronous Data Stimulation  'Synchronous Data Stimulation (STIM)' is the inverse mode of
(STIM)
'Synchronous Data Acquisition (DAQ)'.
Data elements located in the slave's memory are transmitted in
Data Transfer Objects from the master device to the slave
device.
These data elements are written to RAM upon XCP events.
Number of ODTs for STIM
The maximum number of Object Descriptor Tables (ODTs) for
Synchronous Data Stimulation (STIM) has to be configured.
Event Info
2015, Vector Informatik GmbH
Version: 1.19.00
77 / 105

Technical Reference XCP Protocol Layer

Event Info
The option 'Event Info' enables the XCP command
GET_DAQ_EVENT_INFO, which provides the following
information about event channels:
>  Number of event channel
>  Name of event channel
>  Measurement cycle time of event channel
>  Direction of event channel: DAQ, STIM, DAQ&STIM
Events
The information about event channels, which is transferred from
the slave device to the master device, can be configured.
Attention: The number of the event channels has to be dense
and zero-based
Event Channel
For each 'Event Channel' information can be configured.
This information is transferred from the slave device to the
master device.
Number
The event channel numbers have to be dense and zero-based.
Therefore this number can not be entered manually.
The event channel number is passed as a argument to the
function XcpEvent(..).
Name
The name of the event channel is used to identify an event
within the master control system.
Cycle Time [Event Info Unit]
The 'Cycle Time' of the event channel is transferred to the
master control system and used to set up the master control
system.
Event Info Unit
Select the resolution of the time stamp ticks.
Direction
The following data acquisition 'Directions' of event channels are
possible:
>  DAQ: send cyclic data transfer packets from the slave device
to the master control system
>  STIM: send cyclic data transfer packets from the master
control system to the slave device
>  DAQ/STIM: both directions are possible, but not
simultaneously
DAQ Timestamp
DAQ Timestamp
Timestamps can be attached to Data Transfer Object (DTO)
Packets, to avoid measurement errors due to bus latency.
The timestamp unit and ticks per unit have to be defined if
timestamps are used.
Fixed Timestamp
If the 'Fixed Timestamp' option is selected the slave always
sends Data Transfer Object (DTO) Packets in time stamped
mode.
Otherwise timestamps are dynamically and individually enabled
for each DAQ list.
Size [byte]
Size of Timestamp. Possible timestamp sizes are 1Byte, 2Bytes
and 4Bytes.
Timestamp Unit
Select the resolution of the time stamp ticks.
2015, Vector Informatik GmbH
Version: 1.19.00
78 / 105

Technical Reference XCP Protocol Layer

Ticks per Unit
The timestamp will increment per unit by the value specified
here and wrap around if an overflow occurs.
Table 7-2 Component configuration – Synchronous Data Acquisition

7.1.1.3
Standard Commands

Figure 7-3 Component configuration – Standard Commands

Configuration option
Description of configuration option
Communication Mode Info
The XCP command 'GET_COMM_MODE_INFO' returns
optional information on different Communication Modes
supported by the slave and also the version number of the
Protocol Layer implementation.
If the master block mode is supported, also the maximum
allowed block size and the minimum separation time are
returned.
The XCP Protocol Layer supports the Standard Communication
model and also the Master Block Transfer Mode and the Slave
Block Transfer Mode.
Seed & Key
Resources within the slave device can be protected by a 'Seed
& Key' mechanism.
The following resources can be protected:
>  Synchronous data acquisition (DAQ)
>  Synchronous data stimulation (STIM)
>  Online calibration (CAL)
>  Programming (PGM)
Modify Bits
This command can be en- or disabled.
Short Download
This command can be en- or disabled. For bus systems with
maximum data length less equal eight (e.g. CAN, LIN) this
command make no sense as no data can be transported in
addition to the address information.
2015, Vector Informatik GmbH
Version: 1.19.00
79 / 105

Technical Reference XCP Protocol Layer

User Defined Command
The 'User Defined Command' is optional and can be
implemented within the application.
However it must not be used to implement functionalities done
by other services.
The application callback function ApplXcpUserService() is
provided to perform application specific actions.
GET_ID Command
Slave identification via GET_ID Command.
This option enables a call-back that is called when the XCP
Master sends the GET_ID command and can be used to return
the requested information (e.g. Map Filename, EPK Number, ...)

Transport Layer Command
The option 'Transport Layer Command' has to be enabled if
transport layer specific commands are used and supported by
the transport layer component.
Block Transfer
Block Upload
The Slave Block Transfer Mode speeds up memory upload by
transmitting an entire block of continuous response packets.
There is only a response packet before and after transmission
of the entire block.
There are no limitations allowed for the master device.
The slave returns whether it supports Slave Block Transfer
Model in the response of the request CONNECT.
Block Download
The Master Block Transfer Mode speeds up memory download
by transmitting an entire block of continuous request packets.
There is only one response packet after transmission of the
entire block.
The XCP Master has to meet the slave's limitations of the
maximum block size and the minimum separation time. These
communication parameters are responded within the response
to GET_COMM_MODE_INFO.
MIN_ST for Block Download
MIN_ST indicates the required minimum separation time
between the packets of a block transfer from the master device
to the slave device in units of 100 microseconds.
The value given in GENy is transmitted within the response to
the command GET_COMM_MODE_INFO.
Table 7-3 Component configuration – Standard Commands
7.1.1.4
Checksum

Figure 7-4 Component configuration – Checksum

2015, Vector Informatik GmbH
Version: 1.19.00
80 / 105

Technical Reference XCP Protocol Layer

Configuration option
Description of configuration option
Checksum
The XCP command BUILD_CHECKSUM returns a checksum
that is calculated over the memory block defined by the Memory
Transfer Address (MTA) and block size. The MTA will be post-
incremented by the block size.
The checksum type (size of the checksum) and the calculation
method can be configured.
Custom CRC Module Support  Support a custom CRC module by calling a user call-back.
Internal CRC calculation is deactivated.
AUTOSAR CRC Module
If ‘AUTOSAR CRC Module Support’ is enabled only the
Support
following checksum calculation methods are available:
>  CRC16_CCITT: CRC16 CCITT algorithm
>  CRC32: CRC32 algorithm
The CRC32 algorithm is only supported if the AUTOSAR CRC
Module is used.
Calculation Method
The following checksum calculation methods are supported:
>  ADD_11: add a BYTE into a BYTE checksum
>  ADD_12: add a BYTE into a WORD checksum
>  ADD_14: add a BYTE into a DWORD checksum
>  ADD_22: add a WORD into a WORD checksum
>  ADD_24: add a WORD into a DWORD checksum
>  ADD_44: add a DWORD into a DWORD checksum
>  CRC16_CCITT: CRC16 CCITT algorithm
>  CRC32: CRC32 algorithm
The CRC32 algorithm is only supported if the AUTOSAR CRC
Module is used.
All checksum calculation algorithms except of the CRC
algorithms ignore overflows. The block size has to be a multiple
of the size of the type that is added.
Block Size
Please refer to the help of 'Checksum'.
Table 7-4 Component configuration – Checksum

7.1.1.5
Page Switching

Figure 7-5 Component configuration – Page Switching

2015, Vector Informatik GmbH
Version: 1.19.00
81 / 105

Technical Reference XCP Protocol Layer

Configuration option
Description of configuration option
Page Switching
If calibration page switching (PAG) is enabled the access mode
calibration data segments can be set.
Calibration data segments and their pages are specified by
logical numbers.
General Paging Info
If 'General Paging Info' is enabled the XCP command
'GET_PAG_PROCESSOR_INFO' returns general information
on paging.
The following information is transferred from the slave device to
the master device:
> The total number of segments
> Whether the freeze mode is supported
Specific information for segments or pages is so far not
supported.
Copy Page
If more than one calibration page is defined, the slave can copy
a calibration page into another.
In principle any page of any segment can be copied to any page
of any segment. However, restrictions might be possible.
Freeze Mode
If enabled the commands SET_SEGMENT_MODE and
GET_SEGMENT_MODE are enabled and forwarded to the
application.
Enabling this feature also set the Freeze Mode Supported bit in
General Paging Info
Table 7-5 Component configuration – Page Switching
7.1.1.6
Programming

Figure 7-6 Component configuration – Programming

2015, Vector Informatik GmbH
Version: 1.19.00
82 / 105

Technical Reference XCP Protocol Layer

Configuration option
Description of configuration option
Programming
The option 'Programming' enables the programming of non-
volatile memory.
If the internal flash of the microcontroller cannot be
programmed while execution of code from the flash, the
'bootloader download' functionality has to be used instead.
Programming Write Protection  The option 'Programming Write Protection' enables the
programming write protection of non-volatile memory. I.e. prior
to carrying out write access to non-volatile memory an
application callback function (see 6.5.10) is called and the
memory address is passed as parameter. The application has
to either grant or deny the memory access.
Min_St_Pgm
This parameter defines the delay the Master should insert
between two consecutive PROGRAM_NEXT commands. This
parameter is only relevant if Block Mode is used.
Processor and Sector Info
The option 'Processor and Sector Info' enables the commands:
>  GET_PGM_PROCESSOR_INFO
Transfers the general properties for programming and the
total number of available sectors from the slave device to
the master device.
>  GET_SECTOR_INFO
Transfers information on a specific sector from the slave
device to the master device.
Sectors
The information for sectors, which is transferred from the slave
device to the master device, can be configured.
Attention: The sector number has to be dense and zero-based!
Sector
For each 'Sector' information can be configured. This
information is transferred from the slave device to the master
device.
Number
The sector numbers have to be dense and zero-based.
Therefore this number can not be entered manually.
Start Address
The 'Start Address' of each sector is individually configured in
the slave device and transferred to the master device.
End Address
The 'End Address' of each sector is individually configured in
the slave device and transferred to the master device.
Table 7-6 Component configuration – Programming

7.1.1.7
Generated a2l files
GENy  also  generates  multiple  a2l  files  which  can  be  used  in  the  Master  tool  for  easier
integration. The following files are generated:
  XCP.a2l (general protocol layer settings)
  XCP_daq.a2l (DAQ specific settings)
  XCP_events.a2l (DAQ event info)

2015, Vector Informatik GmbH
Version: 1.19.00
83 / 105

Technical Reference XCP Protocol Layer

Example Master.a2l:

...
/begin IF_DATA XCP
  /include XCP.a2l
  /begin DAQ
  /include XCP_daq.a2l
  /include XCP_events.a2l
  ...
  /end DAQ
  /include CanXCPAsr.a2l
/end IF_DATA
...
/include bsw.a2l
...

7.2
Configuration without Generation Tool
The  configuration  of  the  configuration  switches  and  constants  is  done  in  the  file
xcp_cfg.h. An example that contains the default configuration of XCP Basic is distributed
together  with  XCP  Basic.  It  is  recommended  to  use  this  example  as  a  template  for  the
individual configuration.
7.2.1
Compiler Switches
Compiler switches are used to enable/disable optional functionalities in order to save code
space and RAM.
In  the  following  table  you  will  find  a  complete  list  of  all  configuration  switches,  used  to
control the functional units that common of XCP Basic and XCP Professional. The default
values are bold.
Configuration switches
Value
Description
XCP_xxx_DAQ
ENABLE, DISABLE  Enables/disables synchronous
data acquisition.
XCP_xxx_DAQ_PRESCALER
ENABLE, DISABLE  Enables/disables the DAQ
prescaler.
XCP_xxx_DAQ_OVERRUN_INDICATION ENABLE, DISABLE  Enables/disables the DAQ
overrun detection.
2015, Vector Informatik GmbH
Version: 1.19.00
84 / 105

Technical Reference XCP Protocol Layer

XCP_xxx_DAQ_HDR_ODT_DAQ3
ENABLE, DISABLE  The 2 Byte DAQ/ODT XCP
Packet identification is used
instead of the PID.
Enabled: Relative ODT
number, absolute list number
(BYTE)
Disabled: Absolute ODT
number
XCP_xxx_DAQ_PROCESSOR_INFO
ENABLE, DISABLE  Plug & play mechanism for
the data acquisition processor.
XCP_xxx_DAQ_RESOLUTION_INFO
ENABLE, DISABLE  Plug & play mechanism for
the data acquisition resolution.
XCP_xxx_DAQ_EVENT_INFO
ENABLE, DISABLE  Plug & play mechanism for
the event definitions.
XCP_xxx_DAQ_TIMESTAMP
ENABLE, DISABLE  DAQ timestamps
XCP_xxx_DAQ_TIMESTAMP_FIXED
ENABLE, DISABLE  Slave always sends DTO
Packets in time stamped
mode. Otherwise are
timestamps used individual by
each DAQ-list.
kXcpDaqTimestampSize
DAQ_TIMESTAMP_BYTE,  The size of timestamps which
DAQ_TIMESTAMP_WORD,  can either be 1Byte, 2Bytes or
DAQ_TIMESTAMP_DWORD 4Bytes.
XCP_xxx_SEED_KEY
ENABLE, DISABLE  Seed & key access protection
XCP_xxx_CHECKSUM
ENABLE, DISABLE  Calculation of checksum
XCP_xxx_CRC16CCITT_REFLECTED
ENABLE, DISABLE  Enable/disable reflected
CRC16 CCITT checksum
calculation algorithm.
Also refer to 7.2.2.1 ‘Table of
Checksum Calculation
Methods’.
XCP_xxx_AUTOSAR_CRC_MODULE
ENABLE, DISABLE  Usage of CRC algorithms of
AUTOSAR CRC module.
XCP_xxx_PARAMETER_CHECK
ENABLE, DISABLE  Parameter check
XCP_xxx_SEND_QUEUE
ENABLE, DISABLE  Transmission send queue
(shall be used in conjunction
with synchronous data
acquisition and stimulation).
XCP_xxx_SEND_EVENT
ENABLE, DISABLE  Transmission of event packets
(EV)
XCP_xxx_USER_COMMAND
ENABLE, DISABLE  User defined command
XCP_xxx_TL_COMMAND
ENABLE, DISABLE  Transport Layer command
XCP_xxx_COMM_MODE_INFO
ENABLE, DISABLE  Communication mode info

3 The XCP Protocol allows three identification field types for DTOs: ‘absolute ODT number’, ‘relative ODT
number and absolute DAQ list number’, ‘empty identification field’ (not supported)
2015, Vector Informatik GmbH
Version: 1.19.00
85 / 105

Technical Reference XCP Protocol Layer

XCP_xxx_CALIBRATION_PAGE
ENABLE, DISABLE  Calibration data page
switching
XCP_xxx_PAGE_INFO
ENABLE, DISABLE  Calibration data page plug &
play mechanism
XCP_xxx_PAGE_COPY
ENABLE, DISABLE  Calibration data page copying
XCP_xxx_PAGE_FREEZE
ENABLE, DISABLE  Segment freeze mode
handling
XCP_xxx_DPRAM4
ENABLE, DISABLE  Supports the usage of dual
port RAM
XCP_xxx_GET_CONNECTION_STATE
ENABLE, DISABLE  Get connection state of XCP

The following table contains an additional list of all configuration switches, used to control
the  functional  units  that  are  only  available  in  XCP  Professional.  The  default  values  are
bold.
Configuration switches
Value
Description
XCP_xxx_BLOCK_UPLOAD
ENABLE,  Enables/disables the slave block
DISABLE  transfer.
XCP_xxx_BLOCK_DOWNLOAD
ENABLE,  Enables/disables the master block
DISABLE  transfer.
XCP_xxx_WRITE_PROTECTION
ENABLE,  Write access to RAM
DISABLE
XCP_xxx_READ_PROTECTION
ENABLE,  Read access to RAM
DISABLE
XCP_xxx_READ_EEPROM
ENABLE,  Read access to EEPROM
DISABLE
XCP_xxx_WRITE_EEPROM
ENABLE,  Write access to EEPROM
DISABLE
XCP_xxx_PROGRAMMING_WRITE_PROTECTION ENABLE,  Write access to flash
DISABLE
XCP_xxx_PROGRAM
ENABLE,  Flash programming
DISABLE
XCP_xxx_PROGRAM_INFO
ENABLE,  Flash programming plug & play
DISABLE  mechanism
XCP_xxx_BOOTLOADER_DOWNLOAD
ENABLE,  Flash programming with a flash
DISABLE  kernel
XCP_xxx_STIM
ENABLE,  Enables/disables data stimulation.
DISABLE  (also XCP_ENABLE_DAQ has to be
defined in order to use data
stimulation)
XCP_xxx_DAQ_RESUME
ENABLE,  Data acquisition resume mode.
DISABLE
XCP_xxx_SERV_TEXT
ENABLE,  Transmission of service request
DISABLE  codes

4 Not supported by XCP Professional
2015, Vector Informatik GmbH
Version: 1.19.00
86 / 105

Technical Reference XCP Protocol Layer

XCP_xxx_SERV_TEXT_PUTCHAR
ENABLE,  Putchar function for the
DISABLE  transmission of service request
messages
XCP_xxx_SERV_TEXT_PRINTF
ENABLE,  Print function for the transmission of
DISABLE  service request messages
XCP_xxx_MEM_ACCESS_BY_APPL
ENABLE,  Memory access by application
DISABLE
XCP_xxx_MODEL_PAGED
ENABLE,  Support for paging / banking
DISABLE
XCP_xxx_SHORT_DOWNLOAD
ENABLE,  Support for SHORT_DOWNLOAD
DISABLE  command
XCP_xxx_MODIFY_BITS
ENABLE,  Support for MODIFY_BITS
DISABLE  command
XCP_xxx_WRITE_DAQ_MULTIPLE
ENABLE,  Write DAQ multiple command
DISABLE
XCP_xxx_GET_XCP_DATA_POINTER
ENABLE,  Enable API for internal data access
DISABLE
XCP_xxx_CONTROL
ENABLE,  Enable API for en- / disable XCP
DISABLE  module
XCP_xxx_GET_SESSION_STATUS_API
ENABLE,  Enable API to acquire the current
DISABLE  session status
XCP_xx_CUSTOM_CRC
ENABLE,  Enable call-back for custom CRC
DISABLE  calculation
XCP_xxx_GET_ID_GENERIC
ENABLE,  ECU identification
DISABLE

The following table contains an additional list of all configuration switches, used to control
the functional units that are only available in XCP basic. The default values are bold.
Configuration switches
Value
Description
XCP_ENABLE_TESTMODE5  ENABLE,  Test mode that allows the output of debugging
DISABLE  information.
Not included in XCP Professional due to multiple MISRA
rule violations!

7.2.2
Configuration of Constant Definitions
The configuration of constant definitions is done as described below.
The default values are bold.
Constant definitions
Range
Default  Description
kXcpMaxCTO
8..255
8
Maximum length of XCP command transfer
objects (CTO).
The length of the CTO can be variable.
However it has to be configured according to the
used XCP Transport Layer.

5 Not supported by XCP Professional
2015, Vector Informatik GmbH
Version: 1.19.00
87 / 105

Technical Reference XCP Protocol Layer

kXcpMaxDTO
8..2556
8
Maximum length of XCP data transfer objects
(DTO).
The length of the DTO can be variable.
However it has to be configured according to the
used XCP Transport Layer.
kXcpDaqMemSize
0..
256
Define the amount of memory used for the DAQ
0xFFFF
lists and buffers.
Also refer to chapter 8 (Resource
Requirements).
kXcpSendQueueMinSize
1..0x7F  -
The minimum queue size required for DAQ. The
queue size is the unallocated memory reserved
by kXcpDaqMemSize.
kXcpMaxEvent
0..0xFF7  -
Number of available events in the slave (part of
event channel plug & play mechanism)
Also refer to chapter 7.2.6.
kXcpStimOdtCount
0..0xC0  0xC0
Maximum number of ODTs that may be used for
Synchronous Data Stimulation.
kXcpChecksumMethod
-
-
Checksum calculation method.
Refer to chapter 7.2.2.1 ‘Table of Checksum
Calculation Methods’ for valid values.
kXcpChecksumBlockSize  1 ..
256
Each call of XcpBackground calculates the
0xFFFF
checksum on the amount of bytes specified by
kXcpChecksumBlockSize.
XCP_TRANSPORT_LAYER_V
0..
-
Version of the XCP Transport Layer that is used.
ERSION
0xFFFF
(this version gets transferred to the MCS)
kXcpMaxSector
1..0xFF  -
Number of flash sectors
Also refer to chapter 7.2.8
kXcpMaxSegment
1
1
Number of memory segments
Also refer to chapter 7.2.9.
kXcpMaxPages
1..2
2
Number of pages
Also refer to chapter 7.2.9.

7.2.2.1
Table of Checksum Calculation Methods
Constant
Checksum calculation method
XCP_CHECKSUM_TYPE_ADD11
Add BYTE into a BYTE checksum, ignore overflows.
XCP_CHECKSUM_TYPE_ADD12
Add BYTE into a WORD checksum, ignore overflows
XCP_CHECKSUM_TYPE_ADD14
Add BYTE into a DWORD checksum, ignore overflows
XCP_CHECKSUM_TYPE_ADD22
Add WORD into a WORD checksum, ignore overflows, block
size must be modulo 2
XCP_CHECKSUM_TYPE_ADD24
Add WORD into a DWORD checksum, ignore overflows,
block size must be modulo 2

6 Implementation specific range. The range is 8..0xFFFF according to XCP specification [I], [II].
7 Implementation specific range. The range is 0..0xFFFE according to XCP specification [I], [II].
2015, Vector Informatik GmbH
Version: 1.19.00
88 / 105

Technical Reference XCP Protocol Layer

XCP_CHECKSUM_TYPE_ADD44
Add DWORD into DWORD, ignore overflows, block size
must be modulo 4
XCP_CHECKSUM_TYPE_CRC16CCITT  CRC16 CCITT checksum calculation algorithm
Both the standard and the reflected algorithm are supported.
Please refer to chapter 10.8 ‘Reflected CRC16 CCITT
Checksum Calculation Algorithm’.
The CRC16 CCITT algorithm of the AUTOSAR CRC module
is only supported by XCP Professional.
XCP_CHECKSUM_TYPE_CRC32
CRC32 checksum calculation algorithm
The CRC32 algorithm is only supported in XCP Professional
if the AUTOSAR CRC module is used.

7.2.3
Definition of Memory Qualifiers
The definition of the memory qualifiers has to be customized depending on the controller
and memory model.
Type
Default
Description
vuint8
unsigned char
Unsigned 8-bit identifier
vuint16
unsigned short
Unsigned 16-bit identifier
vuint32
unsigned long
Unsigned 32-bit identifier
V_MEMROM0

Addition qualifier to access data in ROM
MEMORY_ROM_NEAR
const
Fast data access in ROM
MEMORY_ROM
const
Default according to memory model in ROM
MEMORY_ROM_FAR
const
Slow addressing mode in ROM
MEMORY_NEAR

Short addressed RAM
MEMORY_NORMAL

Default addressed RAM
MEMORY_FAR

Far addressed RAM
P_MEM_ROM

Pointer to ROM
P_MEM_RAM

Pointer to RAM

7.2.4
Configuration of the CPU Type
To provide platform independent code platform, the CPU type has to be defined.
Configuration switches
Value
Description
C_CPUTYPE_xxxENDIAN
LITTLE,  Definition whether the CPU is little endian (Intel
BIG
format) or big endian (Motorola format).
XCP_xxx_UNALIGNED_MEM_ACCESS  ENABLE,  Enables / disables unaligned memory access.
DISABLE  If XCP_DISBLE_UNALIGNED_MEM_ACCESS is
defined WORDs are located on WORD aligned and
DWORD are located on DWORD aligned addresses.

2015, Vector Informatik GmbH
Version: 1.19.00
89 / 105

Technical Reference XCP Protocol Layer

7.2.5
Configuration of Slave Device Identification
The configuration of the slave device identification and automatic session configuration is
described within this chapter. Only one of the following options can be used at one time.
7.2.5.1
Identification by ASAM-MC2 Filename without Path and Extension
If  the  slave  device  identification  is  done  by  identification  with  an  ASAM-MC2  filename
without path and extension the filename length has to be defined:
#define kXcpStationIdLength length
and the station ID itself has to be defined as string:
V_MEMROM0 vuint8 MEMORY_ROM kXcpStationId[] = “station ID”
The range of kXcpStationIdLength is 0..0xFF.
7.2.5.2
Automatic Session Configuration with MAP Filenames
The  automatic  session  configuration  by  transferring  MAP  filenames  is  a  Vector  specific
extension that works with CANape and can be enabled by the “XcpGetIdGeneric” attribute
When  this  feature  is  enabled  the API  as  described  in  3.4.2  is  enabled.  This API  will  be
called, should CANape request the MAP filename, and must be implemented by the user
accordingly. This feature must explicitly be enabled in CANape as well!

Example


#define MAP_FORMAT 29
#define MAP_NAME   "xcpsim"

uint8 MapTest[500];
uint32 MapTestSize;

uint32 XcpAppl_GetIdData( MTABYTEPTR *pData, uint8 id )
{
  if( id == IDT_VECTOR_MAPNAMES )
  {
  MapTestSize =
sprintf((char*)MapTest,"%c%c%s.map",MAP_FORMAT,0,MAP_NAME);
  /* Result: MapTest = ”290xcpsim.map” */
  *pData = MapTest;
  return MapTestSize;
  }
  else
  {
  return 0; /* Id not available */
  }
}

‘MAP_FORMAT’ represents the format of the MAP file. (See table below)
‘0’ is a counter that is used as address extension. Please set this parameter to 0.
2015, Vector Informatik GmbH
Version: 1.19.00
90 / 105

Technical Reference XCP Protocol Layer

Table of MAP file formats:
  1 = "BorlandC 16 Bit" 29 = "Microsoft standard"
  2 = "M166" 30 = "ELF/DWARF 16 Bit"
  3 = "Watcom" 31 = "ELF/DWARF 32 Bit"
  4 = "HiTech HC05" 32 = "Fujitsu Softune 3..8(.mps)"
  6 = "IEEE" 33 = "Microware Hawk"
  7 = "Cosmic" 34 = "TI C6711"
  8 = "SDS"       35 = "Hitachi H8S"
  9 = "Fujitsu Softune 1(.mp1)" 36 = "IAR HC12"
  10 = "GNU" 37 = "Greenhill Multi 2000"
  11 = "Keil 16x" 38 = "LN308(MITSUBISHI) for M16C/80"
  12 = "BorlandC 32 Bit"      39 = "COFF settings auto detected"
  13 = "Keil 16x (static)" 40 = "NEC CC78K/0 v35"
  14 = "Keil 8051" 41 = "Microsoft extended"
  15 = "ISI" 42 = "ICCAVR"
  16 = "Hiware HC12" 43 = "Omf96 (.m96)"
  17 = "TI TMS470" 44 = "COFF/DWARF"
  18 = "Archimedes" 45 = "OMF96 Binary (Tasking C196)"
  19 = "COFF" 46 = "OMF166 Binary (Keil C166)"
  20 = "IAR"      47 = "Microware Hawk Plug&Play ASCII"
  21 = "VisualDSP" 48 = "UBROF Binary (IAR)"
  22 = "GNU 16x" 49 = "Renesas M32R/M32192 ASCII"
  23 = "GNU VxWorks" 50 = "OMF251 Binary (Keil C251)"
  24 = "GNU 68k" 51 = "Microsoft standard VC8"
  25 = "DiabData" 52 = "Microsoft VC8 Release Build (MATLAB DLL)"
  26 = "VisualDSP DOS" 53 = "Microsoft VC8 Debug Build (MATLAB DLL)"
  27 = "HEW SH7055" 54 = "Microsoft VC8 Debug file (pdb)"
  28 = "Metrowerks"

7.2.6
Configuration of the Event Channel Plug & Play Mechanism
The event channel plug & play mechanism is enabled with the switch
XCP_ENABLE_DAQ_EVENT_INFO
A prerequisite for the event channel plug & play mechanism is the general data acquisition
plug  &  play  mechanism.  If  the  mechanism  is  enabled  the  following  configurations  items
have top be defined as described below:
Constant
Range
Description
kXcpMaxEvent
0..0xFF8
Number of available events in the slave
(part of event channel plug & play mechanism)
If the event numbers do not start at 0 or are not
continuous this is the maximum used event channel
number plus 1.

8 Implementation specific range. The range is 0..0xFFFE according to XCP specification [I], [II].
2015, Vector Informatik GmbH
Version: 1.19.00
91 / 105

Technical Reference XCP Protocol Layer

kXcpEventName[]
kXcpMaxEvent  List with pointers to the event channel names that are
defined as strings.
kXcpEventNameLength[]  kXcpMaxEvent  Length of the event channel names without the
terminating char.
kXcpEventCycle[]
kXcpMaxEvent  Cycle time of the event channels in milliseconds.
kXcpEventDirection[]
kXcpMaxEvent  Direction of the event channels.
For XCP Basic valid values are:
-
kXcpEventDirectionDaq
For XCP Professional valid values are:
-
kXcpEventDirectionDaq
-
kXcpEventDirectionStim
-
kXcpEventDirectionDaqStim

Example

#define XCP_ENABLE_DAQ_EVENT_INFO
#define kXcpMaxEvent 3

V_MEMROM0  static  vuint8  MEMORY_ROM  kXcpEventName_0[]  =
"10ms";
V_MEMROM0  static  vuint8  MEMORY_ROM  kXcpEventName_1[]  =
"100ms DAQ";
V_MEMROM0  static  vuint8  MEMORY_ROM  kXcpEventName_2[]  =
"100ms STIM";
V_MEMROM0 MEMORY_ROM vuint8* MEMORY_ROM kXcpEventName[] =
{
  &kXcpEventName_0[0],
  &kXcpEventName_1[0],
  &kXcpEventName_2[0]
};

V_MEMROM0 vuint8 MEMORY_ROM kXcpEventNameLength[] =
{
  4,
  9,
  10
};

V_MEMROM0 vuint8 MEMORY_ROM kXcpEventCycle[] =
2015, Vector Informatik GmbH
Version: 1.19.00
92 / 105

Technical Reference XCP Protocol Layer

{
  10,
  100,
  100
};

V_MEMROM0 vuint8 MEMORY_ROM kXcpEventDirection[] =
{
  kXcpEventDirectionDaq,
  kXcpEventDirectionDaq,
  kXcpEventDirectionStim
};

7.2.7
Configuration of the DAQ Time Stamped Mode
Transmission  of  DAQ  timestamps  is  enabled  with  XCP_ENABLE_DAQ_TIMESTAMP.  If
XCP_ENABLE_DAQ_TIMESTAMP_FIXED is defined all DTO Packets will be transmitted in
time stamped mode.
Constant
Range
Description
kXcpDaqTimestampSize
DAQ_TIMESTAMP_BYTE,
This parameter defines the
DAQ_TIMESTAMP_WORD,
size of timestamps. It can
DAQ_TIMESTAMP_DWORD
either be 1 byte, 2 bytes or 4
bytes.
XcpDaqTimestampType
vuint8, vuint16 or
Type of the timestamp
vuint32
depends on the parameter
kXcpDaqTimestampSize.
kXcpDaqTimestampUnit
DAQ_TIMESTAMP_UNIT_1NS
Unit of the timestamp
DAQ_TIMESTAMP_UNIT_10NS
(1 ns, 10 ns .. 1 s)
DAQ_TIMESTAMP_UNIT_100NS
DAQ_TIMESTAMP_UNIT_1US

DAQ_TIMESTAMP_UNIT_10US

DAQ_TIMESTAMP_UNIT_100US
DAQ_TIMESTAMP_UNIT_1MS
DAQ_TIMESTAMP_UNIT_10MS
DAQ_TIMESTAMP_UNIT_100MS
DAQ_TIMESTAMP_UNIT_1S
kXcpDaqTimestampTicksPerUnit  0..0xFFFF
Time stamp ticks per unit

2015, Vector Informatik GmbH
Version: 1.19.00
93 / 105

Technical Reference XCP Protocol Layer

7.2.8
Configuration of the Flash Programming Plug & Play Mechanism
The flash programming plug & play mechanism is enabled with the switch
XCP_ENABLE_PROGRAM_INFO
If the plug & play mechanism is enabled the number of sectors and the start address and
end address of each sector has to be defined. The constants that have to be defined can
be found in the following table.
Constant
Range
Description
kXcpMaxSector
0..0xFF
Number of available flash sectors in the slave
kXcpProgramSectorStart[]  kXcpMaxSector  List with the start addresses of the sectors
kXcpProgramSectorEnd[]
kXcpMaxSector  List with the end address of the sectors

Example

#define XCP_ENABLE_PROGRAM_INFO
#define kXcpMaxSector 2

V_MEMROM0 vuint32 MEMORY_ROM kXcpProgramSectorStart [] =
{
  (vuint32)0x000000u,
  (vuint32)0x010000u,
};
V_MEMROM0 vuint32 MEMORY_ROM kXcpProgramSectorEnd [] =
{
  (vuint32)0x00FFFFu,
  (vuint32)0x01FFFFu,
};

7.2.9
Configuration of the Page Switching Plug & Play Mechanism
The page switching plug & play mechanism is enabled with the switch
XCP_ENABLE_PAGE_INFO
If  the  plug  &  play  mechanism  is  enabled  the  following  configurations  items  have  top  be
defined as described below:
Constant
Range
Description
kXcpMaxSegment
0x01
Number of memory segments
kXcpMaxPages
0x01..0x02
Number of pages
2015, Vector Informatik GmbH
Version: 1.19.00
94 / 105

Technical Reference XCP Protocol Layer

2015, Vector Informatik GmbH
Version: 1.19.00
95 / 105

Technical Reference XCP Protocol Layer

8  Resource Requirements
The  resource  requirements  of  the  XCP  Protocol  Layer  mainly  depend  on  the  micro
controller,  compiler  options  and  configuration.  Within  this  chapter  only  the  configuration
specific resource requirements are taken in consideration.

2015, Vector Informatik GmbH
Version: 1.19.00
96 / 105

Technical Reference XCP Protocol Layer

9  Limitations
9.1
General Limitations
The functional limitations of the XCP Professional Version are listed below:
>  Bit stimulation is not supported
>  Only dynamic DAQ list allocation supported
>  The interleaved communication model is not supported
>  Only default programming data format is supported
>  GET_SECTOR_INFO does not return sequence numbers
>  Program Verify and Program Format are not supported
>  DAQ and events numbers are limited to byte size
>  DAQ does not support address extension
>  DAQ-list and event channel prioritization is not supported
>  Event channels contain one DAQ-list
>  ODT optimization not supported
>  Assignments of CAN identifiers to DAQ lists is not supported
>  MAX_DTO is limited to 0xFF
>  The resume bits in DAQ lists are not set
>  STORE_DAQ, CLEAR_DAQ and STORE_CAL do not send an event message
>  Entering resume mode does not send an event message
>  Overload indication by an event is not supported
>  SERV_RESET is not supported
>  The following checksum types are not supported
>  XCP_CRC_16
>  XCP_CRC_32
>  XCP_USER_DEFINED
>  Maximum checksum block size is 0xFFFF
>  Page Info and Segment Info is not supported
>  Only one segment and two pages are supported
>  The seed size and key size must be equal or less MAX_CTO-2
Planned:
2015, Vector Informatik GmbH
Version: 1.19.00
97 / 105

Technical Reference XCP Protocol Layer

>  User defined checksum calculations
>  CRC16 and CRC32
9.2
Limitations of XCP Basic
The XCP Protocol Layer is available in two variants:
>  XCP Professional Version
>  XCP Basic Version
The XCP Professional Version is the ‘full version’, which  is also supported by the Vector
generation  tool  GENy.  The  XCP  Basic  Version  is  a  subset  of  the  ‘full  version’,  which  is
distributed freely via the internet and which has to be configured manually.
The XCP features that are available by the XCP Professional version but not by the XCP
Basic version are listed below:
>  Stimulation (Bypassing)
>  Bit stimulation9
>  Atomic bit manipulation
>  SHORT_DOWNLOAD
>  FLASH and EEPROM Programming
>  The block transfer communication mode
>  Resume mode
>  The transmission of service request packets
>  Memory write protection
>  Memory read protection
>  Programming write protection
>  Support of AUTOSAR CRC module
>  Access to internal data pointer
>  XCP deactivation
>  Open Command Interface
>  Transport Layer Commands
>  Configurable timestamp size
>  Disable Calibration


9 Not yet supported by XCP Professional
2015, Vector Informatik GmbH
Version: 1.19.00
98 / 105

Technical Reference XCP Protocol Layer

9.3
Limitations Regarding Platforms, Compilers and Memory Models
Even though XCP Professional and XCP Basic are Protocol Layers and therefore higher
software layers, they manipulate memory addresses and directly access the memory with
these addresses.
This  might  cause  issues  for  some  combinations  of  platforms,  compilers  and  memory
models.  The  following  list  provides  all  known  restrictions  on  platforms,  compilers  and
linkers:
>  CANoeOSEK Emulation is not supported

2015, Vector Informatik GmbH
Version: 1.19.00
99 / 105

Technical Reference XCP Protocol Layer

10  FAQ
10.1  Connection to MCS Not Possible

FAQ
After integration of XCP on CAN or integration of XCP Basic with a proprietary

CAN-Driver does the MCS (e.g. CANape) not connect with the XCP slave, even
though the CAN communication is working properly.

The XCP protocol allows transmitting XCP packets  with a variable  data length.  However
many OEMs require that all CAN messages sent within their automotive networks have to
have a static DLC. Therefore messages sent by the MCS with a DLC of less than 8  (e.g.
CONNECT  has  a  DLC  of  2)  might  be  discarded  by  the  ECU’s  CAN-Driver  and  the
connection is not possible.
Check  whether  your  MCS  supports  transmission  with  static  DLC.  This  is  supported  by
CANape since Version 5.5.

10.2  Invalid Time Stamp Unit

FAQ
If using data acquisition CANape reports an error due to an invalid timestamp

unit.

If you are using CANape 5.5.x or an earlier version please define
#define XCP_ENABLE_CANAPE_5_5_X_SUPPORT
in your user config file.

10.3  Support of small and medium memory model

FAQ
How is the XCP Protocol Layer configured in order to access the whole memory

in the small and medium memory model?

By  default  The  XCP  Protocol  Layer  accesses  the  memory  with  a  default  pointer.  I.e.  in
small and medium memory model a near pointer is used. If the far memory (e.g. code or
read-only  sections)  needs  to  be  accessed  via  the  XCP  Protocol  the  memory  qualifiers
have to be defined as far pointers by the user within the user config file.
Two memory qualifiers are used to access the memory:
2015, Vector Informatik GmbH
Version: 1.19.00
100 / 105

Technical Reference XCP Protocol Layer

#define MTABYTEPTR vuint8 XCP_MEMORY_FAR *
This pointer is used to access memory for standard read and write operations

#define DAQBYTEPTR vuint8 XCP_MEMORY_FAR *
This pointer is used to access memory for the Synchronous Data Acquisition

Depending  on  the  use  case,  microcontroller,  memory  model  and  compiler  either
XCP_MEMORY_FAR  or  both  memory  qualifiers  (DAQBYTEPTR  and  MTABYTEPTR)  have  to
be defined by the user.
10.4  Small memory model on ST10 / XC16X / C16X with Tasking Compiler

FAQ
How has XCP Protocol Layer to be configured in order to support small memory

model on the following microcontrollers: ST10, XC16X, C16X with Tasking
Compiler?

If  the  small memory model  is used  and the  two  least  significant  bits of  the  DPP  register
where the data of XCP is located is not equal the default DPP register value (i.e. the two
least significant bits of DPPx are unequal x, x=0..3) the configuration of the XCP Protocol
Layer has to be adapted.
There are two options available. Both have to be configured within the user config file:
Far access to the internal data of XCP:
#define FAR far

Disable type casts from pointers to integers :
#define XCP_ENABLE_NO_P2INT_CAST

10.5  Data Page Banking on Star12X / Metrowerks

FAQ
How has the XCP Protocol Layer to be configured in order to support data page

banking on the Star12X with Metrowerks compiler?

In  order  to  use  data  page  banking  the  following  definition  has  to  be  added  to  the  user
config file:
#define XCP_MEMORY_MODEL_PAGED
If this option is enabled far pointers are used for memory access, and address conversions
are carried out in the in the application callback template  _xcp_appl.c. These address
conversions have to adapted to the used derivative.

2015, Vector Informatik GmbH
Version: 1.19.00
101 / 105

Technical Reference XCP Protocol Layer

Please note
The data page banking support is implemented in the template _xcp_appl.c for

the MC9S12XDP512. For other Star12X derivatives the template has to be
adapted.

10.6  Memory model banked on Star12X / Cosmic

FAQ
How has the XCP Protocol Layer to be configured in order to support the access

to far pages in the banked memory model on the Star12X with Cosmic compiler?

In order to access far pages or support data page banking the following definitions have to
be added to the user config file:
#define XCP_MEMORY_MODEL_PAGED
#define XCP_ENABLE_MEM_ACCESS_BY_APPL
If this option is enabled far pointers are used for memory access, and address conversions
are carried out in the in the application callback template  _xcp_appl.c. These address
conversions have to adapted to the used derivative.

Please note
The data page banking support is implemented in the template _xcp_appl.c for

the MC9S12XDP512. For other Star12X derivatives the template has to be
adapted.

10.7  Can XCP memory be placed in far RAM?

FAQ
How can the internal XCP memory be placed in far RAM?

The  current  implementation  does  not  allow  the  XCP  memory  to  be  easily  placed  in  far
RAM.  What  you  can  do  is  to  compile  the  whole  component  in  the  respective  memory
model to allow far memory access.
10.8  Reflected CRC16 CCITT Checksum Calculation Algorithm

FAQ
How is the reflected CRC16 CCITT checksum calculation algorithm configured?

2015, Vector Informatik GmbH
Version: 1.19.00
102 / 105

Technical Reference XCP Protocol Layer

The XCP Protocol Layer supports both the standard CRC16 CCITT algorithm and the
reflected CRC16 CCITT algorithm. In order to use the reflected algorithm the following
definition has to be added to the user config file:
#define XCP_ENABLE_CRC16CCITT_REFLECTED

Please note
Up to CANape version 5.6.30.3 (SP3) the standard CRC16 CCITT algorithm is

not supported, but the reflected one.
However a user checksum calculation DLL can be used in order to use the
standard algorithm with former versions of CANape.

2015, Vector Informatik GmbH
Version: 1.19.00
103 / 105

Technical Reference XCP Protocol Layer

11  Bibliography
This manual refers to the following documents:
[I]  XCP -Part 1 - Overview
Version 1.0 of 2003-04-08
[II]  XCP -Part 2- Protocol Layer Specification
Version 1.0 of 2003-04-08
[III] XCP -Part 5- Example Communication Sequences
Version 1.0 of 2003-04-08
[IV] Technical Reference XCP on CAN Transport Layer
Version 1.4 of 2006-04-24
[V]  Technical Reference XCP on FlexRay Transport Layer
Version 1.0 of 2005-12-21
[VI] Technical Reference XCP on LIN Transport Layer
Version 1.0 of 2006-05-30
[VII]  AUTOSAR Specification of CRC Routines
Release 2.0.0 of 2006-04-28

2015, Vector Informatik GmbH
Version: 1.19.00
104 / 105

Technical Reference XCP Protocol Layer

12 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector-informatik.com

2015, Vector Informatik GmbH
Version: 1.19.00
105 / 105

Document Outline

24.7 - UserManual_XCP

User Manual

24.8 - UserManual_XCP_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27

24.9 - UserManual_XCPs

XCP - Universal
Measurement and
Calibration Protocol
User Manual
(Your First Steps)

Version 1.0.2

Vector Informatik GmbH, Ingerheimer Str. 24, 70499 Stuttgart
Tel. 0711/80670-0, Fax 0711/80670-399, Email can@vector.com
Internet http:\\www.vector.com

User Manual XCP - Universal Measurement and Calibration Protocol

1 / 27

Authors: Klaus Emmert
Version:
1.0.2
Status:
Released (in preparation/completed/inspected/released)

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

2 / 27
Motivation For This Work
The motivation for using the XCP Software Component is very simple. XCP is the
component that helps you to look in the ECU, to display values or set them. And
that is all working just via the underlying bus system as CAN, Ethernet, …you do
not need any development environment.
Together with CANape you have a great choice of how the data could be
displayed.

WARNING
All application code in any of the Vector User Manuals are for training
purposes only. They are slightly tested and designed to understand the basic
idea of using a certain component or a set of components.
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

4 / 27
8 Index ............................................................................................................... 1

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

6 /  27
1  Welcome to the XCP User Manual
1.1  Beginners with XCP start here ?
Chapter 2
You need some information about this document?
Chapter 2
Chapter 3.1
What is XCP?

1.2  For Advanced Users
Chapter 4
Start reading here.
Chapter 5
8 Steps for Flash Bootloader integration.


1.3  Special topics
Chapter 6.1
Working with Data Acquisition Lists (DAQ)

1.4  Documents this one refers to…
CANape Manual

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

7 / 27
2 About This Document
This document gives you an understanding of the Universal Measurement And
Calibration Protocol. You will receive general information, a step-by-step tutorial to
get the XCP running and further information to use the amount of functionality that
XCP offers.
2.1
How This Documentation Is Set-Up
Chapter
Content
Chapter 1
The welcome page is to navigate in the document. The main parts of the document
can be accessed from here via hyperlinks
Chapter 2
It contains some formal information about this document, an explanation of legends
and symbols.
Chapter 3
In this chapter you get a brief introduction into the XCP and the Software Component.
Chapter 4
Here you find some more insight in the XCP Software Component.
Chapter 5
Here are the 8 steps for you to integrate the XCP Software Component and how to
connect these settings with your application.
Chapter 6
This chapter provides you with some further information and a deeper insight in the
XCP Software Component.
Chapter 7
In this last chapter there is a list of experiences with XCP.

2.2
Legend and Explanation of Symbols
You find these symbols at the right side of the document. Use this helpful feature to
find fast the topics, you need information about.
These areas
to the right of
Symbol
Meaning
the text
contain brief
items of

Follow the eye and you will be led to an example.
information
that will

Comments
facilitate your
and
You will find key words and information in short sentences in the margin. This will
explanation
search for
s
greatly simplify your search for topics.
specific
topics.

The footprints will lead you through the steps until you can use the XCP Software
Component.

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

8 /  27
3  XCP Software Component – An Overall View
3.1  What Is XCP
The XCP Calibration Protocol was standardized by the European ASAM working
committee for standardization of interfaces used in calibration and measurement
data acquisition. XCP is a higher level protocol used for communication between a
CANape is a PC
tool of Vector
measurement and calibration system (e.g. CANape) and an ECU.
Informatik GmbH
designed for
measurement
CANape is a PC tool of Vector Informatik GmbH designed for measurement and
and calibration.
calibration. To use CANape e.g. for CAN you need a PC card like CANcardXL to connect
To use CANape
you ECU to your PC (CANape) via CAN.
for CAN you need
a PC card like
CANcardXL for
XCP is a further development of the established CCP (CAN Calibration Protocol)
the CAN
using different media like CAN, Ethernet (TCP/IP, UDP/IP), USB, SCI. The future
connection
trends will be FlexRay, TTCAN, Firewire.
3.2  What Is the XCP Component
XCP is a CANbedded Software Component delivered as source code (.c, .h) and
can be parameterized via the Generation Tool.
osCAN
Application
Diagnostics
Universal
Layer
Measure-
Network
Interaction Layer
ment

Manage
And
Communication
ment
Calibration
Gener
ne ation Tool
Control
Protocol
Layer
Transport Protocol
CAN Driver
CAN Controller
Transceiver
CAN Bus

Figure 3-1  CANbedded Software Components Together With The XCP Component
3.3  Tools And Files – The Generation Tool
The Generation Tool is a PC Tool. It generates configuration files and signal
interface files for the CANbedded Software Components. The Generation Tool
needs the DBC file to generate the files.
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

9 /  27
The DBC file normally is designed by the vehicle manufacturer and distributed to all
suppliers that develop an ECU.
In connection with the source code of each component and your application,
CANbedded can be compiled and linked (see Figure 3-2).

The standard
generation
process for
Vectors Software
Components.
CANdesc is a
completely
generated
Software
Component.

Figure 3-2  Generation Process For Vector CANbedded Software Components
3.4  What The Component Does
Basic Feature Of XCP
  Automatic Detection of ASAM MC2 Description
  Automatic Detection of Device Parameters (Plug&Play)
  Read/Write Access to Device Memory
  Checksum Calculation of Memory Areas
  Access Protection (Seed&Key)
  Emulation Memory Page Switching
  Synchronous, Time-Triggered and Event-Triggered Measurement Data
Acquisition
  Flash and EEProm Programming
Advanced Features Of XCP
  Block Transfer Mode For Upload, Download And Flashing Similar To ISO-TP
  Acquiring Measurement Data with Time Stamp and Time Synchronization
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

10 / 27
  Downloading Flash Programming Routines
  Dynamic DAQ Lists
  Cold Start Measuring (Start Measurement at Power-On)
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

11 / 27
4  XCP – A More Detailed View
You use XCP to “look” into an ECU, to read out any memory location you want to
using only the underlying bus system. There is no development environment or
emulator necessary. Together with e.g. CANape you can visualize this data in
many ways. See some examples in the figure below.
The XCP
Software

Component is
independent of all
Figure 4-1  Visualization Of Data Using CANape
other
CANbedded
To get this benefit you need to include the XCP Software Component in your
Software
Components
project. As you see in the Figure 3-1 you only need a Driver (in this specific
except for the
example it is the CAN Driver) to get XCP running.
driver.
4.1  Basic Mechanism of the XCP
Basically XCP uses only two messages, a Master and a Slave message. The
master message is sent from CANape to the ECU, the slave message from the
ECU to CANape. Via these two messages all communication for XCP between
CANape and the ECU is handled.
4.2  Measurement Modes
There are mainly two different measurement modes, the polling mode and an event
triggered mode (also called Data Acquisition Mode). The main difference between
both is the bus load.
4.2.1  Using XCP In Polling Mode
The Polling Mode is the easiest way to use the XCP Driver and needs no further
adaptation in your application except for the initialization of the XCP Software
Component.
The mechanism is very simple. CANape requests information via a request
message (Master Id). The Precopy Function for this message (more about precopy
mechanism see UserManual_CANDriver) calls the function XcpCommand to
interpret the content of the XCP message. Then XCP initiates the transmission of
the response message (Slave ID) containing the requested values.

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

12 / 27
XCP Polling Mode
Receive Message (Master ID) ECU
CANape
Transmit Message (Slave Id)

Figure 4-2  XCP Polling Mode Using Two Messages
As you see there are two messages necessary to get the values updated.
4.2.2  Using XCP For Data Acquisition / Event
Another way to get information from the ECU is to let the ECU send this
information on its own. This is the Data Acquisition mechanism (Event).
In the Generation Tool you can set the different timings you want to get the data
updated. The application has to call the functions XcpEvent(channel) with the
same call cycle as you did the setting in the Generation Tool. More about setting the
events…
The DAQ list in
In CANape you can assign this call cycle to a set of signals. This signal list (DAQ
the ECU needs
RAM memory.
list) is sent to the ECU and triggers the cyclic sending of all signals of the list.
You can define
the amount of
XCP Event Mode
memory that
should be
reserved for this

list in the
Generation Tool.
Receive Message ( Event List ) (Master ID)
ECU
CANape
Transmit Message( List Values)  (Slave ID)

Figure 4-3  XCP Event Mode
In this case the Receive Message is only necessary to initiate the DAQ
mechanism. Once initiated there is only one message necessary to get the values
updated.
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

13 / 27
5  XCP IN 8 STEPS
STEP 1 :   INSTALLATION OF TOOL
Install the PC Generation Tool by following the online instructions.
STEP 2:
CANBEDDED SOFTWARE COMPONENTS
Extract the C and H files from your CANbedded Software Component delivery into your
application software structure.
STEP 3:
CONFIGURATION WITH GENERATION TOOL
Do the settings in the Generation Tool, especially the settings for XCP are described in
detail.
STEP 4:
GENERATE FILES
Generate the files in the appropriate folders.
STEP 5:
ADD CANBEDDED TO YOUR PROJECT
Add the CANbedded C and H files to your project or makefile.
STEP 6:
ADAPT YOUR APPLICATION FILES
Now your application files must be modified to use the CANbedded Software
Components (includes, cyclic calls, initialization) and do the call back functions.
STEP 7:
COMPILE AND LINK YOUR PROJECT
Compile and link the complete project and download it to your test hardware or
development environment.
STEP 8:
TEST IT VIA CANAPE
Via a appropriate Tester send diagnostic request messages and verify the response
messages.

Application Project
5 Makefile / Development Environment
6

.C .h Application Software
2

.C .h CANbedded Software Components
DBC
4
See the steps
ECU
3
Generate

.C .h
again in a more
database

CANbedded Software Component
Configuration
visual way.
1 Generation Tool
Compile
Link
7

.exe
.
8
CANape

Figure 5-1  8 Steps to CANdesc
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

14 / 27
5.1 STEP 1 Installation Of The Tool
The Generation Tool is delivered together with the CANbedded Software
Components.
Install the PC
Tool.
Extract the files to an appropriate folder and follow the installation instructions.
Generation Tool
Included with CANbedded

Software Component Delivery

Back to 8 Steps overview

5.2 STEP 2 Extract CANbedded Software Components
The amount of CANbedded Components in your delivery depends on your project.
Copy all C and H files that are necessary for the components into your application
project folder.
To use XCP it is only necessary to have a Driver. In this case we use CAN as bus protocol,
so we need a CAN Driver.
Refer to the corresponding UserManuals (e.g. CANDriver UserManual) to get
further information about the files of the different Software Components.

Back to 8 Steps overview

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

15 / 27
5.3  STEP 3 Configuration With The Generation Tool (GENy)
To use XCP we only need the CAN Driver and the XCP Software Component.
Switch these components on via Component Selection window.
It is very easy to get XCP running and you only have to do a few settings in the
Generation Tool.
The following settings only allow the polling mode of the XCP.
Select XCP in the components’ list.

Figure 5-2  Configuration In The Generation Tool For Basic XCP Usage
Make sure that at least these three settings are done. The Transport Layer on CAN
setting must be checked and the two Ids selected. Use the pull down menu to find
the appropriate messages.
Additionally make sure that the following settings are done correctly:
  Baud rate
  Acceptance filters
  Register Settings for the CAN Controller
  Path for the generated files

Back to 8 Steps overview

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

16 / 27
5.4 STEP 4 Generate Files
If you have done the setting in the previous step, hit the [Generate System]

button.
These are the fix files that form the xcp:
XcpProf.c
XcpProf.h

The follwoing XCP files are generated:
Xcp_cfg.h
Xcp_par.h
Xcp_par.c

These files are the specific adaptation to the CAN bus and must therefore only
used if the protocol is CAN.
Xcp_can.c
Xcp_can.h

In the window Generated Files you can check the file that the Generation Tool generates
and the path where these files are generated in.

Back to 8 Steps overview
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

17 / 27
5.5 STEP 5 Add CANbedded To Your Project
What to do in this step depends on your development environment. Perhaps you
work with a makefile?
Regardless this you have to add the files of CANbedded to your project. These are
the files of chapter 5.2 and the generated ones to the previous step.
Always make sure that the path you generate the files in and the path your compiler is
working on are the same!

At this point in time you are not able to compile and link the project. The files
should be complete but there are several adaptations for you to do in your
application.

Go on with the next step.

Back to 8 Steps overview.

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

18 / 27
5.6  STEP 6 Adapt Your Application Files
Now all files for XCP are included in your project and we can go on to do the
necessary adaptations in your application files.
These adaptations can be split in two categories:
Include, initialize
  Include, initialize and do the cyclic calls for the CANbedded Software
and call the
components
Components.
cyclically.
Then connect
  Connect XCP to your application.
CANdesc with
your application.
5.6.1  Including, Initialization And Cyclic Calls
As for all other CANbedded Components the XCP must be included and initialized.
To use XCP and its API you have to include the file XcpProf.h.
Include XcpProf.h;

To initialize XCP use this function call:
XcpInit( ); /*Interrupts must be disabled*/

Make sure that XcpInit is called after the call of CanInitPowerOn.
Normally the components are initialized from bottom up according to the layer model (see
Figure 3-1). Always do these initializations with disabled interrupts.
This is the correct order of initialization if you use CAN Driver and XCP:
CanInitPowerOn();
XcpInit();

5.6.2  Connect your application to the XCP
There is nothing more to do for the usage of XCP Software Component if you only
want to use the polling mode (see 4.2.1).
For the Data Acquisition Mode (see 4.2.2) there are a few additional settings to be
done. more…
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

19 / 27
5.7 STEP 7 Compile And Link Your Project
Now we have all includes, all initializations, the components do have the cyclic
calls of their task functions and all call-back functions are provided and
programmed.
Start the compiler or makefile and get the project compiled and linked.
Is it ok? No errors?

Gratulations, that’s it.

Go on to the next step and do the testing.

Back to 8 Steps overview.

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

20 / 27
5.8  STEP 8 Test It Via CANape
You arrived at this step, so you are able to compile and link. Do you already have
downloaded the code to your target platform?
Working with XCP most of the time you will spend doing the settings in CANape.
Start CANape.

Figure 5-3  Set Driver Configuration In CANape
Via Tools/Driver configuration in CANape you get to the window below.

2
1

Figure 5-4  XCP Driver Settings
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

21 / 27
Before testing the connection you have to do the [Configuration …] for the CAN
(n). There you have to set the two messages to communicate with the ECU.
CAN_ID_MASTER and CAN_ID_SLAVE as shown in the Figure 4-2.

Figure 5-5 Settings For XCP On CAN
A very important setting is the baud rate. Use [Change] to adapt this value to your
needs.
Now it is the time to test the connection (o).

Figure 5-6 ECU Is Online
The communication between CANape and your ECU is now working correctly. The
next step would be to select the variables or memory locations you want to get
shown in CANape. How to do this is explained in details in the Manual of the
CANape.
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

22 / 27
6  Further Information
6.1  Settings For Using The Data Acquisition Mode / Events
As mentioned in 4.2 and 4.2.2 there is another mode besides the simple to handle
polling mode – the Data Acquisition Mode with the benefit of less bus load as
already described.
To realize this mode you have to do additional settings in the Generation Tool and
in your application. This can be divided into 3 steps:
n  Switch on Synchronous Data Acquisition and DAQ generation info and the
Event Info

Figure 6-1  Components / XCP
   Define Events in the Generation Tool (Name, Cycle)

Figure 6-2  Components / XCP
The first event with the No. 0 is predefined. To add further events use the Allocate
Items pull down menu and check the next Item.
Make sure that you check the next unused item. E.g. Item 1, Item 3 and Item 4 is not
allowed, because Item 2 is omitted.
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

23 / 27

Figure 6-3  Components / XCP
For each Event (numbering starting with 0) you should define the Name and the
Cycle [ms].
Try to make this name expressive. This name will occur in the CANape list. It is much
easier for you if the name contains e.g. the cycle.

Remember to generate the files before compiling again !

   For each event call XcpEvent(x), x= 0, 1, …, n.
Now open your application file and add the calls of the function XcpEvent(x). For
each event you need one call of XcpEvent(x). The x is the No. of the event as it is
defined in the Generation Tool.
Make sure that you call the XcpEvent(x) function in the correct cycle time. In the
example we need 2 calls. XcpEvent(0) after any 10ms and XcpEvent(1) after any
20ms.
Now compile and link you project and transfer it to your target platform and start
your application.

   Assemble your DAQ lists in CANape
Open CANape and start it and stop it. We need this to transfer the DAQ information
from the ECU to CANape.
Now open Edit Measurement List via this button on the right side. You see all
selected signals in this window (Figure 6-4). In the pull down menu of the
Measuring mode you now find the two events My10msEvent and My20msEvent.
Assign these Events to any signal you want. The signals will be added to the DAQ
list and transferred any 10ms or 20ms to CANape without any further polling
message.
©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

24 / 27

Figure 6-4 Edit Measurement List In CANape

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

25 / 27
7
List Of Experiences
A list of experiences and problems encountered will be placed here soon, which
will help you to conduct focused troubleshooting.

7.1
Topic 1

Q:

A:

©2011, Vector Informatik GmbH

Version:
1.0.2

User Manual XCP - Universal Measurement and Calibration Protocol

1 / 27
8 Index
8 STEPS.................................................13
Initialization ............................................ 18
Advanced Features ..................................9
makefile.................................................. 17
application ..............................................18
Measurement Modes ............................. 11
Basic Feature ...........................................9
Motivation................................................. 2
CAN ..........................................................8
Polling Mode .......................................... 11
CANape ........................................8, 11, 23
SCI ........................................................... 8
CanInitPowerOn .....................................18
STEP 1 Installation Of The Tool ........... 14
CCP ..........................................................8
STEP 2 Extract CANbedded Software
Components ...................................... 14
compiler ..................................................17
STEP 3 Configuration With Generation
Data Acquisition......................................12
Tool (GENy)....................................... 15
Data Acquisition Mode ...........................22
STEP 4 Generate Files......................... 16
dbc-file ......................................................9
STEP 5 Add CANbedded To Your Project
DescInitPowerOn..................................18
........................................................... 17
development environment ......................17
STEP 6 Adapt Your Application Files .... 18
Ethernet ....................................................8
STEP 7 Compile And Link Your Project 19
Event ................................................12, 22
STEP 8 Test It Via CANape................... 20
Firewire.....................................................8
TTCAN ..................................................... 8
FlexRay ....................................................8
Universal Measurement And Calibration
Protocol XCP ....................................... 7
Further Information.................................22
USB.......................................................... 8
Generation Tool........................................8
XCP.......................................................... 8
Including, Initialization And Cyclic Calls .18

©2011, Vector Informatik GmbH

Version:
1.0.2

Document Outline

24.10 - Xcp Integration Manual

Integration Manual

For

Xcp

VERSION: 1

DATE: 02/02/17

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA

Location: The official version of this document is stored in the Nexteer Configuration Management System.

Revision History

Sl. No.	Description	Author	Version	Date
1	Initial version	Lucas Wendling	1.0	02/02/17

Table of Contents

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

Configuration REQUIREMeNTS

The Xcp component is provided with a template file for example Xcp application callback implementation. This template file can be used as a reference for the callbacks that need to be integrated into a given project using Xcp. This file can be found in the “tools/template/” folder of this component. For details on the callbacks, third party documentation found in this component can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	Notes

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger

Runnable	Scheduling Requirements	Trigger

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

24.11 - Xcp Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Xcp

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Xcp_Vector_CANbedded_01.07.03_01.30.01_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#9536

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation. Note: Basline names contains a combination of the xcp_can file version and the XcpProf file version.

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

02/03/17

Lead Peer Reviewer:

Rijvi

Approved by Reviewer(s):

Yes

Other Reviewer(s):

25 - Vector Basic Software Support

Vector Basic Software Support

Component Documentation

25.1 - AN-ISC-2-1081_Interrupt_Control_VStdLib

Application Interrupt Control with VStdLib

25.2 - AN-ISC-2-1081_Interrupt_Control_VStdLib_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13

25.3 - AN-ISC-2-1081_Interrupt_Control_VStdLibs

Application Interrupt Control with VStdLib
Version 1.0
2008-08-06
Application Note AN-ISC-2-1081

Author(s) Patrick
Markl
Restrictions Restricted
Membership
Abstract
This application note explains how the application can control interrupt handling via the
VStdLib and which constraints apply.

Table of Contents

1.0
Overview ..........................................................................................................................................................1
1.1
Introduction....................................................................................................................................................1
2.0
Interrupt Control by Application .......................................................................................................................3
2.1
Constraints ....................................................................................................................................................3
2.1.1
Constraint 1: Nested Calls ..........................................................................................................................3
2.1.2
Constraint 2: Recursive Calls when Disabling CAN Interrupts...................................................................3
2.1.3
Constraint 3: No Locking when Disabling CAN Interrupts..........................................................................3
3.0
Solution ............................................................................................................................................................6
3.1.1
Nested Calls................................................................................................................................................6
3.1.2
No Locking of Interrupts..............................................................................................................................7
4.0
Referenced Documents .................................................................................................................................12
5.0
Contacts.........................................................................................................................................................13

1.0 Overview
This application note describes how the user can configure the interrupt control options of the VStdLib. Some
applications provide their own lock/unlock functions, which better fulfill the application’s needs. Because of this the
VStdLib provides a means which allows the application to use it’s own lock/unlock functions, instead of the
implementation provided by the VStdLib.
This application note describes the handling of this use case in more detail.
1.1 Introduction
The VStdLib provides functions to lock/unlock interrupts. There are three options to be set in the configuration tool,
as shown in figure1. The first option (Default) lets the VStdLib lock global interrupts. Depending on the hardware
plattform it is also possible to lock interrupts to a certain level. The lock is implemented by the VStdLib itself.

Figure 1: Possible configuration options for VStdLib interrupt control
1
Copyright © 2008 - Vector Informatik GmbH
Contact Information: www.vector-informatik.com or ++49-711-80 670-0

Application Interrupt Control with VStdLib

The second option (OSEK) is to configure the VStdLib in a way that locking of interrupts is done by means of
OSEK OS functions. The third and last option (User defined) requires the application to perform the
locking/unlocking functionality within callback functions.
This application note focusses mainly on the third option. It describes the way the application has to implement the
callback functions required by the VStdLib.

Figure 2: Configuration of interrupt control by application

Figure 2 shows the VStdLib configuration dialog, if interrupt control by application is configured. The user has to
enter the names of two functions in the dialog, which will be called by the VStdLib in order to lock/unlock interrupts.
If the user has specified the callback function names as shown in figure 2, the application must provide the
implementations of these two two functions. The prototypes are:

void ApplNestedDisable(void);
void ApplNestedRestore(void);

From now on these two function names will be used within this application note.
These two functions are called by the VStdLib, in case any Vector component requests a lock for a critical section.
The user has to make sure that the locking mechanism within these two functions is sufficient to protect data. This
depends heavily on the architecture of the application. The more priority levels exists, which call Vector functions,
the more restrictive the lock must be.

Please check the technical references of the other Vector components for restrictions regarding the call
context of the API functions.

2
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

2.0  Interrupt Control by Application
This configuration option is usually used, if a global lock is not desired by the user or special lock mechanisms are
used. Once this option is configured, there are two functions to be provided by the application. The user can
specify the names of these functions in the configuration dialog of the VStdLib. The VStdLib calls these functions
instead of directly locking/unlocking interrupts. This means, if any Vector component requests an interrupt lock, it is
finally performed by the application provided functions.
The first function is called, in order to perform a lock operation. It is expected, that the application function stores
the current interrupt state(or any other), in order to restore it later. The second function is to restore the previously
saved lock state.
The implementation of these two functions is up to the user. The user may lock just certain interrupt sources or set
a mutex, semaphore or whatever ensures consistent data and fulfills the call context requirements, described in the
Vector component specific technical references.
2.1 Constraints
The usage of Interrupt Control by Application has some constraints, which have to be taken into account. The
following chapters describe them.
2.1.1  Constraint 1: Nested Calls
It is expected that the two callback functions (ApplNestedDisable()/-Restore()) are implemented in a way that
nested calls are possible. This means if the function ApplNestedDisable() was called by some software component
it may happen that this function is called again from somewhere else. This has to be taken into account when
saving and restoring the interrupt state! The implementer of these two function can assume that the number of lock
and unlock calls is identical and nesting is balanced.
2.1.2  Constraint 2: Recursive Calls when Disabling CAN Interrupts
Instead of implementing an own lock mechanism, the user could configure interrupt control by application and call
the CAN driver’s CanCanInterruptDisable()/-Restore() functions. These two function simply disable CAN interrupts
for the given CAN channel. These two CAN driver functions protect the access to their state variables by means of
the VStdLib’s lock mechanism, which would again be implemented by the callbacks provided by the application.
This would cause an indirect recursion.

Please note that CanCanInterruptDisable()/Restore() shall not be called from
ApplNestedDisable()/Restore(). This application note does not provide a solution for this use case!

2.1.3  Constraint 3: No Locking when Disabling CAN Interrupts
One could think of letting the application directly modify the interrupt flags of the CAN controller, to overcome the
recursion, described in the previous chapter. But this would cause the CAN interrupts to be never locked, when
CanCanInterruptDisable() is called, by any component. The reason is that the application’s interrupt lock code
would interfere with the code in the CAN driver’s function CanCanInterruptDisable(). The following pseudo code
shows the way CanCanInterruptDisable() is implemented. It is assumed that ApplNestedDisable()/-Restore() are
implemented to allow nested calls.

3
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

/* CAN Interrupt will be never locked in this example!!! */
void CanCanInterruptDisable(CAN_CHANNEL_CANTYPE_ONLY)
{
ApplNestedDisable();
Lock CAN interrupts
ApplNestedRestore();
}

void ApplNestedDisable(void)
{
Save current CAN interrupt state();
Lock CAN Interrupts();
}

void ApplNestedRestore(void)
{
Restore CAN interrupts to previous state();
}

Figure 3 shows what happens in this case. The function CanCanInterruptDisable() calls ApplNestedDisable() in
order to protect an internal counter. This lock function disables the CAN interrupts, afterwards the CAN driver’s
function locks the CAN interrupts too. The next thing is to call ApplNestedRestore() which again is implemented by
the application and restores the previous CAN interrupt state – in this case enables the CAN interrupts. Now an
inconsistency exists. The code which called CanCanInterruptDisable() assumes locked CAN interrupts, but they
aren’t

4
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

sd FailedLock
Component
CAN Driver
Application
CAN Controller
CanCanInterruptDisable
VStdGlobalInterruptDisable
Lock CAN Interrupt
Lock CAN Interrupt
VStdGlobalInterruptRestore
Unlock CAN Interrupt

Figure 3: Sequence diagram of CanCanInterruptDisable()

5
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

3.0 Solution
This chapter proposes a solution and a code examples, to overcome the constraints 1 and 3 described in the
previous chapters.
3.1.1 Nested
Calls
Solving the first issue – nested calls – is simply done by introducation of a nesting counter. The callbacks
implemented by the application need to manage this counter. The counter is to be incremented, if the function to
lock interrupts is called and decremented if the unlock function is called. The application has to take care to
initialize this counter, before any Vector function is called, in order to ensure a consistent interrupt locking.
The interrupt state is to be modified only if the counter has the value zero. If the value is greater than zero, the
counter is just maintained. The following code example shows, how this nested counter could be implemented.

/* Global variable as nesting counter */
vuint8 gApplNestingCounter;

/* Must be called before the Vector components are initialized! */
void SomeApplicationInitFunction(void)
{
gApplNestingCounter = (vuint8)0;
}

void ApplNestedDisable(void)
{
/* check counter – lock if counter is 0 */
if((vuint8)0 == gApplNestingCounter)
{
/* Save current state and perform lock */
ApplicationSpecificSaveStateAndLock();
}
/* increment counter – do not disable if nested, because already done */
gApplNestingCounter++;
}

void ApplNestedRestore(void)
{
gApplNestingCounter--;
if((vuint8)0 == gApplNestingCounter)
{

6
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

ApplicationSpecificRestoreToPreviousState();
}
}

3.1.2 No Locking of Interrupts
Constraint 3 described a situation, in which the CAN interrupts are not locked at all. This is because the application
implements a lock function, which modifes the CAN interrupt registers with own code. To overcome this issue, a
global flag needs to be implemented. This global flag tells the application, when to lock or unlock CAN interrupts.
The flag is set within two additional callback functions to be implemented by the application. The prototypes of the
additional callbacks are:

void ApplCanAddCanInterruptDisable(CanChannelHandle channel);
void ApplCanAddCanInterruptRestore(CanChannelHandle channel);

The callback functions are called by the CAN driver from within the functions CanCanInterruptDisable() and
CanCanInterruptRestore() and have to be enabled by means of the preprocessor define
C_ENABLE_INTCTRL_ADD_CAN_FCT. This is done, by creating a user config file, which contains this definition.
More information about these two functions can be found in [1].
The sequence diagrams in figure 4 and figure 5 show the lock and unlocking procedure respectively.

7
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

sd InterruptControlByApplication_Lock
Component
CAN Driver
VStdLib
Application
CanCanInterruptDisable
CanNestedGlobalInterruptDisable
ApplDisableFunc
Lock if
Flag
cleared
Lock CAN Interrupts
ApplCanAddCanInterruptDisable
Set
Global
Flag
CanNestedGlobalInterruptRestore
ApplRestoreFunc
Unlock
if Flag
cleared

Figure 4: Sequence diagram for locking just CAN interrupts.

8
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

sd InterruptControlByApplication_UnLock
Component
CAN Driver
VStdLib
Application
CanCanInterruptRestore
VStdGlobalInterruptDisable
ApplDisableFunc
Lock if
Flag
cleared
Restore CAN Interrupts
ApplCanAddCanInterruptRestore
Clear Global Flag
VStdGlobalInterruptRestore
ApplRestoreFunc
Unlock
if Flag
cleared

Figure 5: Sequence diagram for unlocking just CAN interrupts

The following code example shows how to implement the handling of the global flag. If the function
CanCanInterruptDisable() is called, it calls the ApplNestedDisable(), in order to protect a counter. This function
locks CAN interrupts using own code. When ApplNestedDisable() returns, the CAN driver locks CAN interrupts too.
Afterwards ApplCanAddCanInterruptDisable() is called. This function is implemented by the application and sets
the global flag. Before the function CanCanInterruptDisable() returns, it calls ApplNestedRestore(). The application,
which implements the restore callback function has to check, if the global flag is set. If yes, the CAN interrupts
must not be unlocked!
If the function CanCanInterruptRestore() is called, first ApplNestedDisable() is called again. Then the CAN driver
unlocks the CAN interrupts (if its nesting counter reached the value zero) and calls the function
ApplCanAddCanInterruptRestore(). Within this function the flag is cleared. If ApplNestedRestore() is called now,
the flag is not set anymore and the restore of the CAN interrupts is performed.

9
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

Note that the application needs to implement also a nesting counter, if it uses own code to lock CAN interrupts, in
order to avoid the issue described by constraint 1. The following code example shows, how to implement the
nesting counter and the flag.

vuint8 gCanLockFlag;
vuint8 gApplNestingCounter;

void ApplicationInitFunction(void)
{
/* initialize the flags */
gCanLockFlag = (vuint8)0;
gApplNestingCounter = (vuint8)0;
}

void ApplNestedDisable(void)
{
if((vuint8)0 == gApplNestingCounter)
{
if((vuint8)0 == gCanLockFlag)
{
Save current CAN interrupt state();
Lock CAN Interrupts();
}
}
gApplNestingCounter++;
}

void ApplNestedRestore (void)
{
gApplNestingCounter--;
if((vuint8)0 == gApplNestingCounter)
{
if((vuint8)0 == gCanLockFlag)
{
Restore CAN interrupts to previous state();
}

10
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

}
}

void ApplCanAddCanInterruptDisable(CanChannelHandle channel)
{
gCanLockFlag = (vuint8)1;
}

void ApplCanAddCanInterruptRestore(CanChannelHandle channel)
{
gCanLockFlag = (vuint8)0;
}

11
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

4.0 Referenced Documents
The following table contains the referenced documents.

Referenced Documents
[1] TechnicalReference_CANDriver.pdf

12
Application Note AN-ISC-2-1081

Application Interrupt Control with VStdLib

5.0 Contacts

Vector Informatik GmbH
Vector CANtech, Inc.
VecScan AB
Ingersheimer Straße 24
39500 Orchard Hill Pl., Ste 550
Lindholmspiren 5
70499 Stuttgart
Novi, MI 48375
402 78 Göteborg
Germany
USA
Sweden
Tel.: +49 711-80670-0
Tel: +1-248-449-9290
Tel: +46 (0)31 764 76 00
Fax: +49 711-80670-111
Fax: +1-248-449-9704
Fax: +46 (0)31 764 76 19
Email: info@vector-informatik.de
Email: info@vector-cantech.com
Email: info@vecscan.com

Vector France SAS
Vector Japan Co. Ltd.
Vector Korea IT Inc.
168 Boulevard Camélinat
Seafort Square Center Bld. 18F
Daerung Post Tower III, 508
92240 Malakoff
2-3-12, Higashi-shinagawa,
Guro-gu, Guro-dong, 182-4
France
Shinagawa-ku
Seoul, 152-790
Tel: +33 (0)1 42 31 40 00
J-140-0002 Tokyo
Republic of Korea
Fax: +33 (0)1 42 31 40 09
Tel.: +81 3 5769 6970
Tel.: +82-2-2028-0600
Email: information@vector-france.fr
Fax: +81 3 5769 6975
Fax: +82-2-2028-0604

Email: info@vector-japan.co.jp
Email: info@vector-korea.com

13
Application Note AN-ISC-2-1081

25.4 - TechnicalReference_VStdLib

VStdLib Technical Reference

25.5 - TechnicalReference_VStdLib_GenericAsr

MICROSAR VStdLib

25.6 - TechnicalReference_VStdLib_GenericAsr

MICROSAR VStdLib

25.7 - TechnicalReference_VStdLib_GenericAsr_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26

25.8 - TechnicalReference_VStdLib_GenericAsr_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26

25.9 - TechnicalReference_VStdLib_GenericAsrs

MICROSAR VStdLib
Technical Reference

Generic implementation of the Vector Standard Library
Version 1.00.00

Authors
Torsten Kercher
Status
Released

Technical Reference MICROSAR VStdLib
Document Information

History
Author
Date
Version
Remarks
Torsten Kercher
2015-05-04
1.00.00
Creation

Reference Documents
No.
Source
Title
Version
[1]   AUTOSAR
AUTOSAR_TR_BSWModuleList.pdf
1.6.0
[2]   AUTOSAR
AUTOSAR_SWS_DevelopmentErrorTracer.pdf
3.2.0

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

2015, Vector Informatik GmbH
Version: 1.00.00
2 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.
Component Version  New Features
1.00
Creation of the component.
2.00
Detach the component from core-based implementations, give optimized
routines and support operations on large data (> 65535 bytes).
Table 1-1   Component history

2015, Vector Informatik GmbH
Version: 1.00.00
5 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
2  Introduction
This  document  describes  the  functionality,  API  and  configuration  of  the  generic  Vector
Standard Library (VStdLib).

Supported AUTOSAR Release*:
4.x
Supported Configuration Variants:
pre-compile
Vendor ID:
VSTDLIB_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
VSTDLIB_MODULE_ID
255 decimal
(according to [1])
* For the precise AUTOSAR Release 4.x please see the release specific documentation.

The  VStdLib  provides  a  hardware  independent  implementation  of  memory  manipulation
services used by several MICROSAR BSW components.
2.1
Architecture Overview
The following figure shows where the VStdLib is located in the AUTOSAR architecture.

Figure 2-1  AUTOSAR 4.x Architecture Overview
2015, Vector Informatik GmbH
Version: 1.00.00
6 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
The next figure shows the interfaces to adjacent modules of the VStdLib. These interfaces
are described in chapter 5.
class Module Structure
Module
MICROSAR BSW
module
Module
«use»
Det
«EmbeddedInterface»
VStdLib
«realize»
+  VStdLib_GetVersionInfo()
+  VStdLib_MemClr()
+  VStdLib_MemClrLarge()
«EmbeddedInterface»
+  VStdLib_MemClrMacro()
Det
+  VStdLib_MemCpy()
Module
+  VStdLib_MemCpy_s()
+  Det_ReportError()
«use
+  VStdLib_MemCpy16()
optionally»
+  VStdLib_MemCpy16Large()
«realize»
VStdLib
+  VStdLib_MemCpy32()
«EmbeddedInterface»
«use
+  VStdLib_MemCpy32Large()
(Compiler) Library
optionally»
+  VStdLib_MemCpyLarge()
+  VStdLib_MemCpyLarge_s()
+  VStdLib_MemCpyMacro()
+  VStdLib_MemCpyMacro_s()
+  VStdLib_MemSet()
+  VStdLib_MemSetLarge()
«realize»
+  VStdLib_MemSetMacro()
Module
(Compiler) Library

Figure 2-2  Interfaces to adjacent modules
2015, Vector Informatik GmbH
Version: 1.00.00
7 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
3  Functional Description
This chapter describes the general function of the component.
3.1
Features
The Vector Standard Library gives a standard interface for memory initialization and copy
services as described in  section 5.2. It provides a hardware independent implementation
of  this  interface,  but  also  allows  the  mapping  to  project  specific  implementations  for
optimization reasons.
3.2
Initialization and Main Functions
No initialization is necessary and no main functions are provided.
3.3
Error Handling
3.3.1
Development Error Reporting
By  default,  development  errors  are  reported  to  the  DET  using  the  service
Det_ReportError()  as  specified  in  [2],  if  development  error  reporting  is  enabled  (i.e.
pre-compile parameter VSTDLIB_DEV_ERROR_REPORT == STD_ON).
If  another  module  is  used  for  development  error  reporting,  the  function  prototype  for
reporting the error can be configured by the integrator, but must have the same signature
as the service Det_ReportError().
The reported VStdLib ID is 255. The service IDs identify the services which are described
in section 5.2. The following table presents the service IDs and the related services:
Service ID
Service
VSTDLIB_SID_MEM_SET (0x00)
VStdLib_MemClr(), VStdLib_MemSet()
VSTDLIB_SID_MEM_COPY (0x01)
VStdLib_MemCpy()
VSTDLIB_SID_MEM_COPY_16 (0x02)
VStdLib_MemCpy16()
VSTDLIB_SID_MEM_COPY_32 (0x03)
VStdLib_MemCpy32()
VSTDLIB_SID_MEM_COPY_S (0x04)
VStdLib_MemCpy_s()
VSTDLIB_SID_GET_VERSION_INFO (0x05)
VStdLib_GetVersionInfo()
Table 3-1   Service IDs
The errors reported to DET are described in the following table:
Error Code
Description
VSTDLIB_E_PARAM_POINTER (0x01)
API service used with NULL pointer parameter.
VSTDLIB_E_PARAM_SIZE (0x02)
VStdLib_MemCpy_s() used with invalid
destination size parameter.
Table 3-2   Errors reported to DET
3.3.2
Production Code Error Reporting
No production code error reporting is supported.

2015, Vector Informatik GmbH
Version: 1.00.00
8 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
4  Integration
This  chapter  gives  necessary  information  for  the  integration  of  the  MICROSAR  VStdLib
into an application environment of an ECU.
4.1
Scope of Delivery
The delivery of the VStdLib contains following static files. There are no dynamic files.
File Name
Description
vstdlib.c
This is the source file of the VStdLib.
vstdlib.h
This is the header file that contains the public API.
VStdLib_Cfg.h  This is the configuration header file, see chapter 6 for details.
Table 4-1   Static files
4.2
Include Structure
class IncludeStructure
MemMap.h
Std_Types.h
«include»
«include»
«include»
vstdlib.c
vstdlib.h
VStdLib_Cfg.h
«include»
«include»
«include»
Det.h

Figure 4-1  Include Structure
4.3
Critical Sections
No critical sections are implemented.
2015, Vector Informatik GmbH
Version: 1.00.00
9 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
4.4
Compiler Abstraction and Memory Mapping
The  objects  (e.g.  variables,  functions,  constants)  are  declared  by  compiler  independent
definitions  –  the  compiler  abstraction  definitions.  Each  compiler  abstraction  definition  is
assigned to a memory section.
The  following  table  contains  the  memory  section  names  and  the  compiler  abstraction
definitions of the VStdLib and illustrates their assignment among each other.

Compiler Abstraction
Definitions

Memory Mapping
Sections
VSTDLIB_CODE
VSTDLIB_APPL_VAR
VSTDLIB_VAR_FAR
VSTDLIB_START_SEC_CODE



VSTDLIB_STOP_SEC_CODE
Table 4-2   Compiler Abstraction and Memory Mapping
The VStdLib declares no global variables or constants thus only a general CODE section
is provided for the memory mapping that is abstracted by VSTDLIB_CODE.
Due to the AUTOSAR compiler and memory abstraction the location of individual data and
the  width  of  pointers  are  not  known  during  development  time.  Hence  the  compiler
abstraction  definition  VSTDLIB_APPL_VAR  refers  to  variables  which  are  defined  by  the
application and not handled by the VStdLib memory mapping.
The function implementation of all memory manipulation services as described in section
5.2  abstracts  all  pointer  arguments  (independently  of  the  target  type)  with
VSTDLIB_VAR_FAR  to  allow  that  all  data  can  be  handled  by  far  accesses.  The  macro
implementation performs an in-place access, thus the unaltered pointer class of the caller
is used.

Note
For most 32bit MCUs it is not necessary to give any qualifiers with VSTDLIB_VAR_FAR
  to  change  the  pointer  class  as  these  platforms  commonly  use  32bit  pointers  that  can
address  the  whole  memory  by  default.  Please  note  that  both  RAM  and  ROM  are
accessed with this qualifier and an external implementation (see section 6.2.1) has to
be used if distinct pointers have to be qualified individually on the used target platform.

2015, Vector Informatik GmbH
Version: 1.00.00
10 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
4.5
Integration Hints
>  Avoid overlapping destination and source memory areas  when using the copy services
as this may lead to unexpected results.
>  Consider  side  effects  if  macros  are  used:  If  either  destination  or  source  pointer  is
retrieved using a call to a function, this function might  be  invoked for nCnt times. It  is
recommended to use temporary pointers to avoid any side effects.
>  The  VStdLib  is  optimized  for  32-bit  MCUs.  When  using  a  controller  with  a  smaller  bit
width it is highly recommended to use an external implementation that is optimized for
this  architecture  (see  VSTDLIB_USE_LIBRARY_FUNCTIONS  in  section  6.2.1).  If  large
data  support  is  not  necessary  define  each  VSTDLIB_RUNTIME_OPTIMIZATION  and
VSTDLIB_SUPPORT_LARGE_DATA to STD_OFF as an alternative.

2015, Vector Informatik GmbH
Version: 1.00.00
11 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5  API Description
See Figure 2-2 for an interfaces overview.
5.1
Type Definitions
The  nCnt  parameter  of  all  memory  manipulation  services  is  of  type  VStdLib_CntType
that  equals  uint32_least  if  VSTDLIB_SUPPORT_LARGE_DATA  is  defined  to  STD_ON
(default setting) or uint16_least if it is explicitly defined to STD_OFF.

5.2
Services provided by VStdLib

5.2.1
VStdLib_GetVersionInfo
Prototype
void VStdLib_GetVersionInfo (Std_VersionInfoType *versioninfo)
Parameter
versioninfo [out]
Pointer to where to store the version information, must not be NULL.
Return code
void
none
Functional Description
Returns the version information of this module.
Returns version information, vendor ID and AUTOSAR module ID of the component.
Particularities and Limitations
The parameter 'versioninfo' has to be valid and reference an object of type Std_VersionInfoType.
Configuration Variant(s): VSTDLIB_VERSION_INFO_API == STD_ON
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-1   VStdLib_GetVersionInfo

2015, Vector Informatik GmbH
Version: 1.00.00
12 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.2
VStdLib_MemClr
Prototype
void VStdLib_MemClr (void *pDst, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to be initialized, must not be NULL.
nCnt [in]
Number of bytes to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to zero.
Sets nCnt bytes starting at pDst to zero.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON, else it is realized by a call to VStdLib_MemSet() with 'nPattern' == 0. The compatible definition
VStdLib_MemClrLarge() exists additionally (and solely) if VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-2   VStdLib_MemClr

2015, Vector Informatik GmbH
Version: 1.00.00
13 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.3
VStdLib_MemClrMacro
Prototype
void VStdLib_MemClrMacro (AnyPtrType *pDst, VStdLib_CntType nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to be initialized, must be aligned
corresponding to its type and not be NULL.
nCnt [in]
Number of blocks to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to zero (macro implementation).
Sets nCnt blocks starting at pDst to zero (block-size is given by the type of pDst).
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-3   VStdLib_MemClrMacro

2015, Vector Informatik GmbH
Version: 1.00.00
14 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.4
VStdLib_MemSet
Prototype
void VStdLib_MemSet (void *pDst, uint8 nPattern, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to be initialized, must not be NULL.
nPattern [in]
The character to be used to initialize the memory.
nCnt [in]
Number of bytes to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to a specified pattern.
Sets nCnt bytes starting at pDst to the character nPattern.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemSetLarge() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-4   VStdLib_MemSet

2015, Vector Informatik GmbH
Version: 1.00.00
15 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.5
VStdLib_MemSetMacro
Prototype
void VStdLib_MemSetMacro (AnyPtrType *pDst, AnyIntType nPattern,
VStdLib_CntType nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to be initialized, must be aligned
corresponding to its type and not be NULL.
nPattern [in]
The pattern to be used to initialize the memory (consider the correlation
between its type and the type of pDst).
nCnt [in]
Number of blocks to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to a specified pattern (macro implementation).
Sets nCnt blocks starting at pDst to nPattern (block-size is given by the type of pDst).
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-5   VStdLib_MemSetMacro

2015, Vector Informatik GmbH
Version: 1.00.00
16 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.6
VStdLib_MemCpy
Prototype
void VStdLib_MemCpy (void *pDst, const void *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, must not be NULL.
pSrc [in]
Pointer to the memory location to copy from, must not be NULL.
nCnt [in]
Number of bytes to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another.
Copies nCnt bytes starting at pSrc to another memory location starting at pDst.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemCpyLarge() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-6   VStdLib_MemCpy

2015, Vector Informatik GmbH
Version: 1.00.00
17 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.7
VStdLib_MemCpy16
Prototype
void VStdLib_MemCpy16 (uint16 *pDst, const uint16 *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, 16-bit aligned and not NULL.
pSrc [in]
Pointer to the memory location to copy from, 16-bit aligned and not NULL.
nCnt [in]
Number of 16-bit blocks to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another.
Copies nCnt 16-bit blocks starting at pSrc to another memory location starting at pDst.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemCpy16Large() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-7   VStdLib_MemCpy16

2015, Vector Informatik GmbH
Version: 1.00.00
18 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.8
VStdLib_MemCpy32
Prototype
void VStdLib_MemCpy32 (uint32 *pDst, const uint32 *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, 32-bit aligned and not NULL.
pSrc [in]
Pointer to the memory location to copy from, 32-bit aligned and not NULL.
nCnt [in]
Number of 32-bit blocks to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another.
Copies nCnt 32-bit blocks starting at pSrc to another memory location starting at pDst.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemCpy32Large() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-8   VStdLib_MemCpy32

2015, Vector Informatik GmbH
Version: 1.00.00
19 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.9
VStdLib_MemCpy_s
Prototype
void VStdLib_MemCpy_s (void *pDst, VStdLib_CntType nDstSize, const void *pSrc,
VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, must not be NULL.
nDstSize [in]
Maximum number of bytes to modify in the destination (typically the size of the
destination object).
pSrc [in]
Pointer to the memory location to copy from, must not be NULL.
nCnt [in]
Number of bytes to copy.
Return code
void
none
Functional Description
Verifies the destination size and copies data from one memory location to another.
Uses VStdLib_MemCpy() to copy nCnt bytes starting at pSrc to another memory location starting at pDst, if
nDstSize is greater than or equal to nCnt.
Particularities and Limitations
The parameters 'pDst' and 'nDstSize' have to define a valid memory area.
Configuration Variant(s): The compatible definition VStdLib_MemCpyLarge_s() exists additionally (and
solely) if VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-9   VStdLib_MemCpy_s

2015, Vector Informatik GmbH
Version: 1.00.00
20 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.10  VStdLib_MemCpyMacro
Prototype
void VStdLib_MemCpyMacro (AnyPtrType *pDst, AnyPtrType *pSrc, VStdLib_CntType
nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to copy to, must be aligned
corresponding to its type and not be NULL.
pSrc [in]
Any typed pointer to the memory location to copy from, must be aligned
corresponding to its type and not be NULL.
nCnt [in]
Number of blocks to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another (macro implementation).
Copies nCnt blocks starting at pSrc to another memory location starting at pDst (block-size is given by the
type of pDst).
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-10   VStdLib_MemCpyMacro

2015, Vector Informatik GmbH
Version: 1.00.00
21 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.11  VStdLib_MemCpyMacro_s
Prototype
void VStdLib_MemCpyMacro_s (AnyPtrType *pDst, VStdLib_CntType nDstSize,
AnyPtrType *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to copy to, must be aligned
corresponding to its type and not be NULL.
nDstSize [in]
Maximum number of blocks to modify in the destination (typically the size of
the destination object).
pSrc [in]
Any typed pointer to the memory location to copy from, must be aligned
corresponding to its type and not be NULL.
nCnt [in]
Number of blocks to copy.
Return code
void
none
Functional Description
Verifies the destination size and copies data from one memory location to another (macro implementation).
Uses VStdLib_MemCpyMacro() to copy nCnt blocks starting at pSrc to another memory location starting at
pDst (block-size is given by the type of pDst), if nDstSize is greater than or equal to nCnt.
Particularities and Limitations
The parameters 'pDst' and 'nDstSize' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-11   VStdLib_MemCpyMacro_s

5.3
Services used by VStdLib
The following table lists used services that are provided by other components. For details
about prototypes and functionality refer to the documentation of the providing component.
Component
API
DET
Det_ReportError()
(Compiler) Library
Refer to section 6.2.2
Table 5-12   Services used by VStdLib
2015, Vector Informatik GmbH
Version: 1.00.00
22 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
6  Configuration
The Vector Standard Library is solely configured manually in a header file.
6.1
Configuration Variants
The VStdLib supports following configuration variants:
>  VARIANT-PRE-COMPILE
6.2
Manual Configuration in Header File
The configuration of the VStdLib is done statically within the file “VStdLib_Cfg.h”.

6.2.1
General configuration
Attribute Name
Values
Description
Default value
is typed bold
VSTDLIB_USE_LIBRARY_FUNCTIONS  STD_ON
If set to STD_ON all memory manipulation routines
STD_OFF
are mapped to external functions (e.g. compiler
libraries or other implementations that are
optimized for the target platform). This requires
additional configuration, refer to section 6.2.2.
If set to STD_OFF generic functions provided by
the VStdLib are used.
VSTDLIB_RUNTIME_OPTIMIZATION
STD_ON
If set to STD_ON optimized routines are used to
STD_OFF
increase the performance of the memory
manipulation functions (increases code size).
If set to STD_OFF code efficient routines are used
that increase runtime.
This setting is only relevant if VSTDLIB_USE_
LIBRARY_FUNCTIONS == STD_OFF.
VSTDLIB_USE_JUMPTABLES
STD_ON
If set to STD_ON jump tables are used to increase
STD_OFF
the performance of the memory manipulation
functions (runtime efficient in general).
If set to STD_OFF the jump tables are replaced by
loops. Use this setting if the compiler generates no
efficient code for the jump tables.
This setting is only relevant if
VSTDLIB_USE_LIBRARY_FUNCTIONS ==
STD_OFF and VSTDLIB_RUNTIME_
OPTIMIZATION == STD_ON.
VSTDLIB_DEV_ERROR_DETECT
STD_ON
If set to STD_ON the development error detection is
STD_OFF
enabled. In this case the pointer arguments of all
global module functions provided by the VStdLib
are checked. If any NULL_PTR is passed, these
functions return without performing any action.

2015, Vector Informatik GmbH
Version: 1.00.00
23 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
VSTDLIB_DEV_ERROR_REPORT
STD_ON
If set to STD_ON the development error reporting is
STD_OFF
enabled (requires VSTDLIB_DEV_ERROR_
DETECT == STD_ON). In this case the function
Det_ReportError() is called if any error is
detected.
VSTDLIB_VERSION_INFO_API
STD_ON
If set to STD_ON the function
STD_OFF
VStdLib_GetVersionInfo() is provided.
VSTDLIB_DUMMY_STATEMENT(v)
e.g. (v) = (v)  Expression that is used for dummy statements to
(void)(v)
avoid compiler warnings about unused identifiers.
Leave this definition empty to disable the usage of
dummy statements.
Table 6-1   General configuration

6.2.2
Additional configuration when using library functions
If  VSTDLIB_USE_LIBRARY_FUNCTIONS  ==  STD_ON  it  is  necessary  to  specify  library
functions  to  be  used  for  the  memory  manipulations.  See  the  corresponding  section  in
“VStdLib_Cfg.h” for details and an example mapping.

Caution
If the external functionality is not able to handle more than 65535 bytes it is necessary
  to define VSTDLIB_SUPPORT_LARGE_DATA to STD_OFF.

It  has  to  be  ensured  that  the  specified  functions  are  able  to  copy  from  and  to  all
memory  locations  independently  of  the  pointer  length.  The  specified  functions  must
behave synchronously.

2015, Vector Informatik GmbH
Version: 1.00.00
24 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
7  Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
DET
Development Error Tracer
ECU
Electronic Control Unit
HIS
Hersteller Initiative Software
MCU
Microcontroller Unit
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR solution)
SWS
Software Specification
VStdLib
Vector Standard Library
Table 7-1   Abbreviations

2015, Vector Informatik GmbH
Version: 1.00.00
25 / 26
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
8  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

2015, Vector Informatik GmbH
Version: 1.00.00
26 / 26
based on template version 5.9.0

Document Outline

25.10 - TechnicalReference_VStdLib_GenericAsrs

MICROSAR VStdLib
Technical Reference

Generic implementation of the Vector Standard Library
Version 1.00.01

Authors
Torsten Kercher
Status
Released

Technical Reference MICROSAR VStdLib
Document Information

History
Author
Date
Version
Remarks
Torsten Kercher
2015-05-04
1.00.00
Creation
Torsten Kercher
2016-04-12
1.00.01
Update to new CI, no changes in content

Reference Documents
No.
Source
Title
Version
[1]   AUTOSAR
AUTOSAR_TR_BSWModuleList.pdf
1.6.0
[2]   AUTOSAR
AUTOSAR_SWS_DevelopmentErrorTracer.pdf
3.2.0

Caution
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector´s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.

© 2016 Vector Informatik GmbH
Version 1.00.01
2
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
1  Component History
The  component  history  gives  an  overview  over  the  important  milestones  that  are
supported in the different versions of the component.
Component Version  New Features
1.00
Creation of the component.
2.00
Detach the component from core-based implementations, give optimized
routines and support operations on large data (> 65535 bytes).
Table 1-1   Component history

© 2016 Vector Informatik GmbH
Version 1.00.01
5
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
2  Introduction
This  document  describes  the  functionality,  API  and  configuration  of  the  generic  Vector
Standard Library (VStdLib).

Supported AUTOSAR Release*:
4.x
Supported Configuration Variants:
pre-compile
Vendor ID:
VSTDLIB_VENDOR_ID
30 decimal
(= Vector-Informatik,
according to HIS)
Module ID:
VSTDLIB_MODULE_ID
255 decimal
(according to [1])
* For the precise AUTOSAR Release 4.x please see the release specific documentation.

The  VStdLib  provides  a  hardware  independent  implementation  of  memory  manipulation
services used by several MICROSAR BSW components.
2.1
Architecture Overview
The following figure shows where the VStdLib is located in the AUTOSAR architecture.

Figure 2-1  AUTOSAR 4.x Architecture Overview
© 2016 Vector Informatik GmbH
Version 1.00.01
6
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
The next figure shows the interfaces to adjacent modules of the VStdLib. These interfaces
are described in chapter 5.
class Module Structure
Module
MICROSAR BSW
module
Module
«use»
Det
«EmbeddedInterface»
VStdLib
«realize»
+  VStdLib_GetVersionInfo()
+  VStdLib_MemClr()
+  VStdLib_MemClrLarge()
«EmbeddedInterface»
+  VStdLib_MemClrMacro()
Det
+  VStdLib_MemCpy()
Module
+  VStdLib_MemCpy_s()
+  Det_ReportError()
«use
+  VStdLib_MemCpy16()
optionally»
+  VStdLib_MemCpy16Large()
«realize»
VStdLib
+  VStdLib_MemCpy32()
«EmbeddedInterface»
«use
+  VStdLib_MemCpy32Large()
(Compiler) Library
optionally»
+  VStdLib_MemCpyLarge()
+  VStdLib_MemCpyLarge_s()
+  VStdLib_MemCpyMacro()
+  VStdLib_MemCpyMacro_s()
+  VStdLib_MemSet()
+  VStdLib_MemSetLarge()
«realize»
+  VStdLib_MemSetMacro()
Module
(Compiler) Library

Figure 2-2  Interfaces to adjacent modules

© 2016 Vector Informatik GmbH
Version 1.00.01
7
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
3  Functional Description
This chapter describes the general function of the component.
3.1
Features
The Vector Standard Library gives a standard interface for memory initialization and copy
services as described in  section 5.2. It provides a hardware independent implementation
of  this  interface,  but  also  allows  the  mapping  to  project  specific  implementations  for
optimization reasons.
3.2
Initialization and Main Functions
No initialization is necessary and no main functions are provided.
3.3
Error Handling
3.3.1
Development Error Reporting
By  default,  development  errors  are  reported  to  the  DET  using  the  service
Det_ReportError()  as  specified  in  [2],  if  development  error  reporting  is  enabled  (i.e.
pre-compile parameter VSTDLIB_DEV_ERROR_REPORT == STD_ON).
If  another  module  is  used  for  development  error  reporting,  the  function  prototype  for
reporting the error can be configured by the integrator, but must have the same signature
as the service Det_ReportError().
The reported VStdLib ID is 255. The service IDs identify the services which are described
in section 5.2. The following table presents the service IDs and the related services:
Service ID
Service
VSTDLIB_SID_MEM_SET (0x00)
VStdLib_MemClr(), VStdLib_MemSet()
VSTDLIB_SID_MEM_COPY (0x01)
VStdLib_MemCpy()
VSTDLIB_SID_MEM_COPY_16 (0x02)
VStdLib_MemCpy16()
VSTDLIB_SID_MEM_COPY_32 (0x03)
VStdLib_MemCpy32()
VSTDLIB_SID_MEM_COPY_S (0x04)
VStdLib_MemCpy_s()
VSTDLIB_SID_GET_VERSION_INFO (0x05)
VStdLib_GetVersionInfo()
Table 3-1   Service IDs
The errors reported to DET are described in the following table:
Error Code
Description
VSTDLIB_E_PARAM_POINTER (0x01)
API service used with NULL pointer parameter.
VSTDLIB_E_PARAM_SIZE (0x02)
VStdLib_MemCpy_s() used with invalid
destination size parameter.
Table 3-2   Errors reported to DET
3.3.2
Production Code Error Reporting
No production code error reporting is supported.
© 2016 Vector Informatik GmbH
Version 1.00.01
8
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
4  Integration
This  chapter  gives  necessary  information  for  the  integration  of  the  MICROSAR  VStdLib
into an application environment of an ECU.
4.1
Scope of Delivery
The delivery of the VStdLib contains following static files. There are no dynamic files.
File Name
Description
vstdlib.c
This is the source file of the VStdLib.
vstdlib.h
This is the header file that contains the public API.
VStdLib_Cfg.h  This is the configuration header file, see chapter 6 for details.
Table 4-1   Static files
4.2
Include Structure
class IncludeStructure
MemMap.h
Std_Types.h
«include»
«include»
«include»
vstdlib.c
vstdlib.h
VStdLib_Cfg.h
«include»
«include»
«include»
Det.h

Figure 4-1  Include Structure
4.3
Critical Sections
No critical sections are implemented.
© 2016 Vector Informatik GmbH
Version 1.00.01
9
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
4.4
Compiler Abstraction and Memory Mapping
The  objects  (e.g.  variables,  functions,  constants)  are  declared  by  compiler  independent
definitions  –  the  compiler  abstraction  definitions.  Each  compiler  abstraction  definition  is
assigned to a memory section.
The  following  table  contains  the  memory  section  names  and  the  compiler  abstraction
definitions of the VStdLib and illustrates their assignment among each other.

Compiler Abstraction
Definitions

Memory Mapping
Sections
VSTDLIB_CODE
VSTDLIB_APPL_VAR
VSTDLIB_VAR_FAR
VSTDLIB_START_SEC_CODE



VSTDLIB_STOP_SEC_CODE
Table 4-2   Compiler Abstraction and Memory Mapping
The VStdLib declares no global variables or constants thus only a general CODE section
is provided for the memory mapping that is abstracted by VSTDLIB_CODE.
Due to the AUTOSAR compiler and memory abstraction the location of individual data and
the  width  of  pointers  are  not  known  during  development  time.  Hence  the  compiler
abstraction  definition  VSTDLIB_APPL_VAR  refers  to  variables  which  are  defined  by  the
application and not handled by the VStdLib memory mapping.
The function implementation of all memory manipulation services as described in section
5.2  abstracts  all  pointer  arguments  (independently  of  the  target  type)  with
VSTDLIB_VAR_FAR  to  allow  that  all  data  can  be  handled  by  far  accesses.  The  macro
implementation performs an in-place access, thus the unaltered pointer class of the caller
is used.

Note
For most 32bit MCUs it is not necessary to give any qualifiers with VSTDLIB_VAR_FAR
  to change the pointer class  as these platforms commonly use 32bit pointers that can
address  the  whole  memory  by  default.  Please  note  that  both  RAM  and  ROM  are
accessed with this qualifier and an external implementation (see section 6.2.1) has to
be used if distinct pointers have to be qualified individually on the used target platform.

© 2016 Vector Informatik GmbH
Version 1.00.01
10
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
4.5
Integration Hints
>  Avoid overlapping destination and source memory areas  when using the copy services
as this may lead to unexpected results.
>  Consider  side  effects  if  macros  are  used:  If  either  destination  or  source  pointer  is
retrieved using a call to a function, this function  might  be  invoked for nCnt times. It  is
recommended to use temporary pointers to avoid any side effects.
>  The  VStdLib  is  optimized  for  32-bit  MCUs.  When  using  a  controller  with  a  smaller  bit
width it is highly recommended to use an external implementation that is optimized for
this  architecture  (see  VSTDLIB_USE_LIBRARY_FUNCTIONS  in  section  6.2.1).  If  large
data  support  is  not  necessary  define  each  VSTDLIB_RUNTIME_OPTIMIZATION  and
VSTDLIB_SUPPORT_LARGE_DATA to STD_OFF as an alternative.

© 2016 Vector Informatik GmbH
Version 1.00.01
11
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5  API Description
See Figure 2-2 for an interfaces overview.
5.1
Type Definitions
The  nCnt  parameter  of  all  memory  manipulation  services  is  of  type  VStdLib_CntType
that  equals  uint32_least  if  VSTDLIB_SUPPORT_LARGE_DATA  is  defined  to  STD_ON
(default setting) or uint16_least if it is explicitly defined to STD_OFF.

5.2
Services provided by VStdLib

5.2.1
VStdLib_GetVersionInfo
Prototype
void VStdLib_GetVersionInfo (Std_VersionInfoType *versioninfo)
Parameter
versioninfo [out]
Pointer to where to store the version information, must not be NULL.
Return code
void
none
Functional Description
Returns the version information of this module.
Returns version information, vendor ID and AUTOSAR module ID of the component.
Particularities and Limitations
The parameter 'versioninfo' has to be valid and reference an object of type Std_VersionInfoType.
Configuration Variant(s): VSTDLIB_VERSION_INFO_API == STD_ON
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-1   VStdLib_GetVersionInfo

© 2016 Vector Informatik GmbH
Version 1.00.01
12
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.2
VStdLib_MemClr
Prototype
void VStdLib_MemClr (void *pDst, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to be initialized, must not be NULL.
nCnt [in]
Number of bytes to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to zero.
Sets nCnt bytes starting at pDst to zero.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON, else it is realized by a call to VStdLib_MemSet() with 'nPattern' == 0. The compatible definition
VStdLib_MemClrLarge() exists additionally (and solely) if VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-2   VStdLib_MemClr

© 2016 Vector Informatik GmbH
Version 1.00.01
13
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.3
VStdLib_MemClrMacro
Prototype
void VStdLib_MemClrMacro (AnyPtrType *pDst, VStdLib_CntType nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to be initialized, must be aligned
corresponding to its type and not be NULL.
nCnt [in]
Number of blocks to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to zero (macro implementation).
Sets nCnt blocks starting at pDst to zero (block-size is given by the type of pDst).
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-3   VStdLib_MemClrMacro

© 2016 Vector Informatik GmbH
Version 1.00.01
14
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.4
VStdLib_MemSet
Prototype
void VStdLib_MemSet (void *pDst, uint8 nPattern, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to be initialized, must not be NULL.
nPattern [in]
The character to be used to initialize the memory.
nCnt [in]
Number of bytes to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to a specified pattern.
Sets nCnt bytes starting at pDst to the character nPattern.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemSetLarge() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-4   VStdLib_MemSet

© 2016 Vector Informatik GmbH
Version 1.00.01
15
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.5
VStdLib_MemSetMacro
Prototype
void VStdLib_MemSetMacro (AnyPtrType *pDst, AnyIntType nPattern,
VStdLib_CntType nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to be initialized, must be aligned
corresponding to its type and not be NULL.
nPattern [in]
The pattern to be used to initialize the memory (consider the correlation
between its type and the type of pDst).
nCnt [in]
Number of blocks to initialize, pDst must be valid for this amount.
Return code
void
none
Functional Description
Initializes memory to a specified pattern (macro implementation).
Sets nCnt blocks starting at pDst to nPattern (block-size is given by the type of pDst).
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-5   VStdLib_MemSetMacro

© 2016 Vector Informatik GmbH
Version 1.00.01
16
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.6
VStdLib_MemCpy
Prototype
void VStdLib_MemCpy (void *pDst, const void *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, must not be NULL.
pSrc [in]
Pointer to the memory location to copy from, must not be NULL.
nCnt [in]
Number of bytes to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another.
Copies nCnt bytes starting at pSrc to another memory location starting at pDst.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemCpyLarge() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-6   VStdLib_MemCpy

© 2016 Vector Informatik GmbH
Version 1.00.01
17
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.7
VStdLib_MemCpy16
Prototype
void VStdLib_MemCpy16 (uint16 *pDst, const uint16 *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, 16-bit aligned and not NULL.
pSrc [in]
Pointer to the memory location to copy from, 16-bit aligned and not NULL.
nCnt [in]
Number of 16-bit blocks to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another.
Copies nCnt 16-bit blocks starting at pSrc to another memory location starting at pDst.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemCpy16Large() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-7   VStdLib_MemCpy16

© 2016 Vector Informatik GmbH
Version 1.00.01
18
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.8
VStdLib_MemCpy32
Prototype
void VStdLib_MemCpy32 (uint32 *pDst, const uint32 *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, 32-bit aligned and not NULL.
pSrc [in]
Pointer to the memory location to copy from, 32-bit aligned and not NULL.
nCnt [in]
Number of 32-bit blocks to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another.
Copies nCnt 32-bit blocks starting at pSrc to another memory location starting at pDst.
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Configuration Variant(s): This service is implemented externally if VSTDLIB_USE_LIBRARY_FUNCTIONS
== STD_ON. The compatible definition VStdLib_MemCpy32Large() exists additionally (and solely) if
VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-8   VStdLib_MemCpy32

© 2016 Vector Informatik GmbH
Version 1.00.01
19
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.9
VStdLib_MemCpy_s
Prototype
void VStdLib_MemCpy_s (void *pDst, VStdLib_CntType nDstSize, const void *pSrc,
VStdLib_CntType nCnt)
Parameter
pDst [out]
Pointer to the memory location to copy to, must not be NULL.
nDstSize [in]
Maximum number of bytes to modify in the destination (typically the size of the
destination object).
pSrc [in]
Pointer to the memory location to copy from, must not be NULL.
nCnt [in]
Number of bytes to copy.
Return code
void
none
Functional Description
Verifies the destination size and copies data from one memory location to another.
Uses VStdLib_MemCpy() to copy nCnt bytes starting at pSrc to another memory location starting at pDst, if
nDstSize is greater than or equal to nCnt.
Particularities and Limitations
The parameters 'pDst' and 'nDstSize' have to define a valid memory area.
Configuration Variant(s): The compatible definition VStdLib_MemCpyLarge_s() exists additionally (and
solely) if VSTDLIB_SUPPORT_LARGE_DATA == STD_ON.
Call context
>  ANY
>  This function is Synchronous
>  This function is Reentrant
Table 5-9   VStdLib_MemCpy_s

© 2016 Vector Informatik GmbH
Version 1.00.01
20
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.10  VStdLib_MemCpyMacro
Prototype
void VStdLib_MemCpyMacro (AnyPtrType *pDst, AnyPtrType *pSrc, VStdLib_CntType
nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to copy to, must be aligned
corresponding to its type and not be NULL.
pSrc [in]
Any typed pointer to the memory location to copy from, must be aligned
corresponding to its type and not be NULL.
nCnt [in]
Number of blocks to copy, pDst must be valid for this amount.
Return code
void
none
Functional Description
Copies data from one memory location to another (macro implementation).
Copies nCnt blocks starting at pSrc to another memory location starting at pDst (block-size is given by the
type of pDst).
Particularities and Limitations
The parameters 'pDst' and 'nCnt' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-10   VStdLib_MemCpyMacro

© 2016 Vector Informatik GmbH
Version 1.00.01
21
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
5.2.11  VStdLib_MemCpyMacro_s
Prototype
void VStdLib_MemCpyMacro_s (AnyPtrType *pDst, VStdLib_CntType nDstSize,
AnyPtrType *pSrc, VStdLib_CntType nCnt)
Parameter
pDst [out]
Any typed pointer to the memory location to copy to, must be aligned
corresponding to its type and not be NULL.
nDstSize [in]
Maximum number of blocks to modify in the destination (typically the size of
the destination object).
pSrc [in]
Any typed pointer to the memory location to copy from, must be aligned
corresponding to its type and not be NULL.
nCnt [in]
Number of blocks to copy.
Return code
void
none
Functional Description
Verifies the destination size and copies data from one memory location to another (macro implementation).
Uses VStdLib_MemCpyMacro() to copy nCnt blocks starting at pSrc to another memory location starting at
pDst (block-size is given by the type of pDst), if nDstSize is greater than or equal to nCnt.
Particularities and Limitations
The parameters 'pDst' and 'nDstSize' have to define a valid memory area.
Call context
>  ANY
>  This macro is Synchronous
>  This macro is Reentrant
Table 5-11   VStdLib_MemCpyMacro_s

5.3
Services used by VStdLib
The following table lists used services that are provided by other components. For details
about prototypes and functionality refer to the documentation of the providing component.
Component
API
DET
Det_ReportError()
(Compiler) Library
Refer to section 6.2.2
Table 5-12   Services used by VStdLib

© 2016 Vector Informatik GmbH
Version 1.00.01
22
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
6  Configuration
The Vector Standard Library is solely configured manually in a header file.
6.1
Configuration Variants
The VStdLib supports following configuration variants:
>  VARIANT-PRE-COMPILE
6.2
Manual Configuration in Header File
The configuration of the VStdLib is done statically within the file “VStdLib_Cfg.h”.

6.2.1
General configuration
Attribute Name
Values
Description
Default value
is typed bold
VSTDLIB_USE_LIBRARY_FUNCTIONS  STD_ON
If set to STD_ON all memory manipulation routines
STD_OFF
are mapped to external functions (e.g. compiler
libraries or other implementations that are
optimized for the target platform). This requires
additional configuration, refer to section 6.2.2.
If set to STD_OFF generic functions provided by
the VStdLib are used.
VSTDLIB_RUNTIME_OPTIMIZATION
STD_ON
If set to STD_ON optimized routines are used to
STD_OFF
increase the performance of the memory
manipulation functions (increases code size).
If set to STD_OFF code efficient routines are used
that increase runtime.
This setting is only relevant if VSTDLIB_USE_
LIBRARY_FUNCTIONS == STD_OFF.
VSTDLIB_USE_JUMPTABLES
STD_ON
If set to STD_ON jump tables are used to increase
STD_OFF
the performance of the memory manipulation
functions (runtime efficient in general).
If set to STD_OFF the jump tables are replaced by
loops. Use this setting if the compiler generates no
efficient code for the jump tables.
This setting is only relevant if
VSTDLIB_USE_LIBRARY_FUNCTIONS ==
STD_OFF and VSTDLIB_RUNTIME_
OPTIMIZATION == STD_ON.
VSTDLIB_DEV_ERROR_DETECT
STD_ON
If set to STD_ON the development error detection is
STD_OFF
enabled. In this case the pointer arguments of all
global module functions provided by the VStdLib
are checked. If any NULL_PTR is passed, these
functions return without performing any action.

© 2016 Vector Informatik GmbH
Version 1.00.01
23
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
VSTDLIB_DEV_ERROR_REPORT
STD_ON
If set to STD_ON the development error reporting is
STD_OFF
enabled (requires VSTDLIB_DEV_ERROR_
DETECT == STD_ON). In this case the function
Det_ReportError() is called if any error is
detected.
VSTDLIB_VERSION_INFO_API
STD_ON
If set to STD_ON the function
STD_OFF
VStdLib_GetVersionInfo() is provided.
VSTDLIB_DUMMY_STATEMENT(v)
e.g. (v) = (v)  Expression that is used for dummy statements to
(void)(v)
avoid compiler warnings about unused identifiers.
Leave this definition empty to disable the usage of
dummy statements.
Table 6-1   General configuration

6.2.2
Additional configuration when using library functions
If  VSTDLIB_USE_LIBRARY_FUNCTIONS  ==  STD_ON  it  is  necessary  to  specify  library
functions  to  be  used  for  the  memory  manipulations.  See  the  corresponding  section  in
“VStdLib_Cfg.h” for details and an example mapping.

Caution
If the external functionality is not able to handle more than 65535 bytes it is necessary
  to define VSTDLIB_SUPPORT_LARGE_DATA to STD_OFF.

It  has  to  be  ensured  that  the  specified  functions  are  able  to  copy  from  and  to  all
memory  locations  independently  of  the  pointer  length.  The  specified  functions  must
behave synchronously.

© 2016 Vector Informatik GmbH
Version 1.00.01
24
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
7  Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
Automotive Open System Architecture
BSW
Basis Software
DET
Development Error Tracer
ECU
Electronic Control Unit
HIS
Hersteller Initiative Software
MCU
Microcontroller Unit
MICROSAR
Microcontroller Open System Architecture (the Vector AUTOSAR solution)
SWS
Software Specification
VStdLib
Vector Standard Library
Table 7-1   Abbreviations

© 2016 Vector Informatik GmbH
Version 1.00.01
25
based on template version 5.9.0

Technical Reference MICROSAR VStdLib
8  Contact
Visit our website for more information on

>  News
>  Products
>  Demo software
>  Support
>  Training data
>  Addresses

www.vector.com

© 2016 Vector Informatik GmbH
Version 1.00.01
26
based on template version 5.9.0

Document Outline

25.11 - TechnicalReference_VStdLib_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21

25.12 - TechnicalReference_VStdLibs

VStdLib
Technical Reference

Vector Standard Library
Version 1.6.2

Authors
Patrick Markl, Timo Vanoni
Status
Released

Technical Reference VStdLib

1  Document Information
1.1
History
Author
Date
Version
Remarks
Patrick Markl
2008-02-06
1.0
Creation, merge from Application Note
Patrick Markl
2008-10-31
1.3
Fixed document version
Patrick Markl
2008-11-07
1.4
Added information about mixed VStdLib versions
Patrick Markl
2009-07-02
1.5
Updated assertion codes
Added chapter about QNX OS
Patrick Markl
2009-10-16
1.6
Described inclusion of OSEK OS header file
Timo Vanoni
2013-05-10
1.6.2
ESCAN00067020: The interrupt lock functions
do not work correctly for the user mode at
specific controller
Table 1-1   History of the Document

Please note
We have configured the programs in accordance with your specifications in the
  questionnaire. Whereas the programs do support other configurations than the one
specified in your questionnaire, Vector’s release of the programs delivered to your
company is expressly restricted to the configuration you have specified in the
questionnaire.
2013, Vector Informatik GmbH
Version: 1.6.2
2 / 21
based on template version 3.7

Technical Reference VStdLib

2  Introduction
The  basic  idea  of  the  VStdLib  is  to  provide  standard  functionality  to  different  Vector
components. This  includes  memory  copy  and  interrupt  locking  functions. The  VStdLib  is
also  a  means  to  provide  special  memory  copy  functions,  which  are  not  available  by
compiler libraries to the communication components.
The  VStdLib  is  designed  to  be  used  by  Vector  communication  components  only.  So  the
customer integrating the communication stack will probably not notice the VStdLib at all.
The VStdLib is highly hardware specific. This means some functions are only available on
certain  platforms.  This  includes  special  copy  functions  for  far,  near  or  huge  memory.  A
hardware  specific  VStdLib  does  not  necessarily  implement  all  possible  copy  function  for
the  corresponding  hardware  platform,  but  only  the  functions  required  by  the  Vector
software components.
The  VStdLib  also  provides  interrupt  lock  functions.  This  feature  depends  on  the
CANbedded CAN driver’s Reference Implementation (RI). The RI defines a certain feature
set to be supported by the CAN driver. CAN drivers which implement RI1.5 and higher do
not  provide  an  interrupt  locking  mechanism  as  previously  implementations  did
(CanGlobalInterruptDisable/CanGlobalInterruptRestore). These driver require a VStdLib to
provide  this  functionality,  although  the  API  CanGlobalInterruptDisable  and
CanGlobalInterruptRestore remains for compatibility. Please refer to the CANbedded CAN
driver technical reference for more information about your specific CAN driver.

2013, Vector Informatik GmbH
Version: 1.6.2
5 / 21
based on template version 3.7

Technical Reference VStdLib

3  Functional Description
The  VStdLib  provides  basically  two  main  functionalities  to  Vector  communication  stack
components.
>  Functions to copy memory
>  Functions to lock/unlock interrupts
Interrupt locking functionality is required for CAN drivers with a reference  implementation
1.5 or higher or MICROSAR stacks. Functions to copy memory are always provided. The
following table describes the API of the VStdLib which is used internally.

API Function
Description
VStdMemSet
Initializes default RAM memory to a certain
character.
VStdMemNearSet
Initializes near RAM memory to a certain character.
VStdMemFarSet
Initializes far RAM memory to a certain character.
VStdMemClr
Clears default RAM to zero.
VStdMemNearClr
Clears near RAM to zero.
VStdMemFarClr
Clears far RAM to zero.
VStdMemCpyRamToRam
Copies default RAM to default RAM.
VStdMemCpyRomToRam
Copies default ROM to default RAM.
VStdMemCpyRamToNearRam
Copies default RAM to near RAM.
VStdMemCpyRomToNearRam
Copies default ROM to near RAM.
VStdMemCpyRamToFarRam
Copies default RAM to far RAM.
VStdMemCpyRomToFarRam
Copies default ROM to far RAM.
VStdMemCpy16RamToRam
Copies default RAM to default RAM. The copying is
performed 16 bit wise.
VStdMemCpy16RamToFarRam
Copies default RAM to far RAM. The copying is
performed 16 bit wise.
VStdMemCpy16FarRamToRam
Copies far RAM to default RAM. The copying is
performed 16 bit wise.
VStdMemCpy32RamToRam
Copies default RAM to default RAM. The copying is
performed 32 bit wise.
VStdMemCpy32RamToFarRam
Copies default RAM to far RAM. The copying is
performed 32 bit wise.
VStdMemCpy32FarRamToRam
Copies far RAM to default RAM. The copying is
performed 32 bit wise.

2013, Vector Informatik GmbH
Version: 1.6.2
6 / 21
based on template version 3.7

Technical Reference VStdLib

Info
The API functions described in the following table contain “near” and “far” as parts of
  the API names. The meaning of near and far depends on the platform and the functions
are not necessarily implemented to work on near or far memory.
The wording “default RAM” or “default ROM” means RAM or ROM data which is not
explicitly declared to be near or far. These data inherit the current compiler memory
model settings.

Caution
One cannot be sure that a far to near copy routine (for instance) implements really a
  copying from far to near. This depends on the platform and the supported memory
models of the communication stack!
2013, Vector Informatik GmbH
Version: 1.6.2
7 / 21
based on template version 3.7

Technical Reference VStdLib

4  Integration
The  integration  of  the  VStdLib  is  straightforward.  As  the  other  Vector  components  the
VStdLib  is  to  be  configured  by  means  of  the  configuration  tool.  The  configuration  is
described in the next chapter. Chapter 6 describes some callback function which have to
be implemented by the application depending on the configuration.
In order to integrate the VStdLib simply add the file vstdlib.c as the other Vector software
components to the compile and link list.
4.1
CANbedded Particularities
If the VStdLib is integrated as part of a CANbedded stack the initialization of the VStdLib is
performed by the CAN or LIN driver automatically.
4.2
MICROSAR Particularities
If  a  MICROSAR  stack  is  integrated  the  VStdLib  is  not  initialized  by  any  of  the  software
components.  The  application  has  to  take  care  that  the  VStdLib’s  initialization  function  is
called  before  any  other  MICROSAR API  function  is  called.  The  following  code  example
shows how to initialize the VStdLib.

void InitRoutine(void)
{
  ...

  /* Initialize the VstLib */
  VStdInitPowerOn();

  /* Perform initialization of the other software components */
  ...

}

4.3
Mixing VStdLib Versions
If you receive different software component packages from Vector, it is possible that these
packages  contain  different  VStdLib  versions. A  general  rule  is  to  use  the  VStdLib  which
was received with the CAN driver package. In case you encounter any incompatibilities or
have questions, please contact the Vector support.

2013, Vector Informatik GmbH
Version: 1.6.2
8 / 21
based on template version 3.7

Technical Reference VStdLib

5  Configuration
It depends on the used communication software  if  the VStdLib has configurable options.
The  configuration  tool  provides  options  for  the  VStdLib  if  (as  previously  described)  the
used CAN driver has RI1.5 or higher or a MICROSAR stack is used.
The VStdLib is configured by means of the configuration tool. CANGen provides an own
dialog named VStdLib to configure  this component. In GENy these configuration options
are  found  in  the  hardware  options  dialog.  The  following  two  pictures  show  the
configuration dialogs in both tools. The first picture shows the dialog in GENy.

Figure 5-1  VStdLib configuration dialog in GENy

The next picture shows the configuration dialog of the VStdLib in the CANGen tool.

Figure 5-2  VStdLib configuration dialog in CANGen
2013, Vector Informatik GmbH
Version: 1.6.2
9 / 21
based on template version 3.7

Technical Reference VStdLib

The following table describes the different configuration items of the VStdLib dialogs.

Configuration Item
Description
Lock Mechanism
One can select the interrupt lock mechanism
used by the VStdLib. The VStdLib provides
four different types: Default, LockLevel, OSEK
and User.
The setting “OSEK” covers OSEK OS and
AUTOSAR OS.
Lock Level
If LockLevel was selected as Lock Mechanism
one can select the interrupt lock level used for
CANbedded components. The VStdLib will
lock interrupts up to the specified level. Higher
level interrupts remain unlocked.
Nested Disable
If “User” was selected as Lock Mechanism the
user can type in the name of the user defined
function which lock the interrupts.
Nested Restore
If “User” was selected as Lock Mechanism the
user can type in the name of the user defined
function which restores the interrupts to their
previous state.
Assertions
If this checkbox is enabled the VStdLib will call
an assertion function in case of a fatal error.

If one configures the option Lock Mechanism as “User” two function have to be provided.
The prototype of both functions is:

void UserFunction(void)

The  first  function  entered  under  the  option  “Nested  Disable”  is  expected  to  disable
interrupts  and  store  the  current  context  of  the  interrupt  state  (Current  I-Flag,  Current
Interrupt Lock Level, etc.) to a global variable.
The second function entered under “Nested Restore” is expected to restore the interrupts
to the previous state using the value which was saved in the context of “Nested Disable”.

Caution
The two functions must not implement a disable/enable mechanism but a
  disable/restore mechanism! Otherwise it may happen that interrupts remain locked until
the next Power On reset.

2013, Vector Informatik GmbH
Version: 1.6.2
10 / 21
based on template version 3.7

Technical Reference VStdLib

The configuration option  “User” can be used instead of the previously known CAN driver
option “Interrupt Control by Application”.

5.1
Usage with OSEK OS
If OSEK OS is configured as lock mechanism the VStdLib needs to include the header of
the OSEK OS. Since the header of the OSEK OS may have different names depending on
the OS supplier the VStdLib includes always the same header file. This header file has to
be provided by the user. The file’s name must be os.h. If the OSEK OS already provides a
file named like this nothing needs to be done (as long it provides the required prototypes).
Otherwise the user has to create a header file named os.h and include the corresponding
OSEK OS file.
If the VStdLib is configured to lock/unlock interrupts by means of OSEK OS the following
OSEK functions are called to implement the lock:
>  SuspendAllInterrupts
>  ResumeAllInterrupts

5.2
Usage with QNX OS
In case the VStdLib is used in a QNX OS environment two options for interrupt locking are
available.  Depending  on  the  way  CAN  interrupts  are  handled  (ISR,  Interrupt  Thread)
different locking mechanisms are needed.

In  case  the  CAN  interrupts  are  handled  by  an  interrupt  thread  the  locking  is  done  by
means of mutexes. These are not implemented by the VStdLib but the QWrap component.
Please refer to Figure 5-3 which shows the locking configuration in this case.

Figure 5-3  Locking configuration in case CAN events are handled in an interrupt thread
User defined locking is also required if the VStdLib is configured to run in the context of the
QNX startup code (minidriver). The MdWrap component  provides the same callbacks as
shown in Figure 5-3 also in that case. QWrap and MdWrap implement the same callback
names in case the same tool configuration is used to generate for the minidriver and the
fulldriver.

2013, Vector Informatik GmbH
Version: 1.6.2
11 / 21
based on template version 3.7

Technical Reference VStdLib

In  case  CAN  interrupts  are  handled  by  a  CAN  interrupt  routine  the  VStdLib  locking
functions disable/restore  the global interrupt flag.  Mutexes are not used. In this case the
configuration of the VStdLib must be set to Default as shown in Figure 5-4.

Figure 5-4  Configuration of the VStdLib in case of handling CAN events on interrupt level

2013, Vector Informatik GmbH
Version: 1.6.2
12 / 21
based on template version 3.7

Technical Reference VStdLib

6  API Description
This chapter describes the API of the VStdLib.

6.1
Initialization

VStdInitPowerOn
Prototype
void VStdInitPowerOn(void)
Parameter
None
-
Return code
None
-
Functional Description
Initializes the VStdLib component.
Particularities and Limitations
>  This function must be called once after PowerOn reset. This function must not be re-called
later.
>  The application must not call any other Vector communication stack function before this
function. This includes also the other VStdLib functions. In other words: The function
VStdInitPowerOn must be the very first Vector function being called after startup. Depending
on the architecture the caller must take care about interruptions of the init function which may
violate this requirement (OS task which calls another Vector function).
>  If the CANbedded stack is used this function is automatically called by the CAN or LIN driver.
>  In a MICROSAR communication stack is integrated this function has to be called by the
application before any other MICROSAR API function is called.

Call context
>  Task context

2013, Vector Informatik GmbH
Version: 1.6.2
13 / 21
based on template version 3.7

Technical Reference VStdLib

6.2
Interrupt Control

VStdSuspendAllInterrupts
Prototype
void VStdSuspendAllInterrupts(void)
Parameter
None
-
Return code
None
-
Functional Description
Disables all interrupts or locks interrupts to a certain lock level. This depends on the hardware platform.
The way interrupts are locked is to be configured in the configuration tool.
Particularities and Limitations
>  This function is designed to be called in a nested way (except User Interrupt Control is
configured).
>  Every call to VStdSuspendAllInterrupts must have a corresponding call to
VStdResumeAllInterrupts.
>  If User Interrupt Control is configured this function is redirected to the functions specified by
the user in the configuration tool. No nesting counter is implemented. The user may have to
take special care to handle this behavior.
>  Depending on the used OS this function may use either a global lock or a mutex.
>  Default implementation only works if corresponding flags can be modified (e.g. in privileged
mode).
Call context
>  No limitation

VStdResumeAllInterrupts
Prototype
void VStdResumeAllInterrupts(void)
Parameter
None
-
Return code
None
-
Functional Description
Resumes the interrupts which were locked using the API function VStdSuspendAllInterrupts.
2013, Vector Informatik GmbH
Version: 1.6.2
14 / 21
based on template version 3.7

Technical Reference VStdLib

Particularities and Limitations
>  This function must not be called without a corresponding call to VStdSuspendAllInterrupts.
>  If User Interrupt Control is configured this function is redirected to the functions specified by
the user in the configuration tool. No nesting counter is implemented. The user may have to
take special care to handle this behavior.
>  Depending on the used OS this function may use either a global lock or a mutex.
>  Default implementation only works if corresponding flags can be modified (e.g. in privileged
mode).
Call context
>  No limitation

6.3
Memory Functions
This  chapter  describes  not  all functions,  as they  do  all  the  same except  for  the memory
qualifiers of the source and destination locations.

VStdMemSet
Prototype
void VStdMemSet (void *pDest, vuint8 nPattern, vuint16 nCnt)
Parameter
pDest
The start address in memory which is to be initialized using the given
character.
nPattern
The character to be used to fill nCnt Bytes starting at address pDest.
nCnt
The number of Bytes to be filled using the given character.
Return code
None
-
Functional Description
This function fills nCnt Bytes starting at address pDest in memory using the character nPattern.
Particularities and Limitations
>  This function exists in three variants (default, near and far memory). Depending on the
platform these function may be implemented differently
Call context
>  No restriction

VStdMemSet
2013, Vector Informatik GmbH
Version: 1.6.2
15 / 21
based on template version 3.7

Technical Reference VStdLib

Prototype
void VStdMemClr (void *pDest, vuint16 nCnt)
Parameter
pDest
The start address in memory which is to be initialized to zero.
nCnt
The number of Bytes to be set to zero.
Return code
None
-
Functional Description
This function initializes nCnt Bytes starting at address pDest in memory to zero.
Particularities and Limitations
>  This function exists in three variants (default, near and far memory). Depending on the
platform these function may be implemented differently
Call context
>  No restriction

VStdMemSet
Prototype
void VStdMemCpy (void *pDest, void *pSrc, vuint16 nCnt)
Parameter
pDest
The destination address to which the data is copied.
pSrc
The source address from where the data is copied.
nCnt
The number of Bytes to be copied from start address pSrc to destination
address pDest.
Return code
None
-
Functional Description
This function copies a block of nCnt Bytes starting at memory location pSrc to another memory location
starting at address pDest.
Particularities and Limitations
>  This function exists in many variants. These variants implement different memory source and
destination locations.
>  The implementation of these functions is highly platform dependent
>  The memory blocks starting at pSrc and pDest must no overlap.
Call context
>  No restriction

2013, Vector Informatik GmbH
Version: 1.6.2
16 / 21
based on template version 3.7

Technical Reference VStdLib

6.4
Callback Functions

ApplVStdFatalError
Prototype
void ApplVStdFatalError (vuint8 nErrorNumber)
Parameter
nErrorNumber
This parameter describes the reason which caused the assertion.
Return code
None
-
Functional Description
This function is called by the VStdLib in case an assertion fails.
Particularities and Limitations
>  This function is to be implemented by the application.
>  If this function returns to the caller, it is not ensured that the calling functions finished
successfully. It has to be considered as a severe error if this function is called.
Call context
>  No restriction

2013, Vector Informatik GmbH
Version: 1.6.2
17 / 21
based on template version 3.7

Technical Reference VStdLib

7  Assertions
If  the  user  enables  the  option  “Assertions”  the  VStdLib  component  performs  additional
checks.  If  a  checked  condition  fails  the  assertion  function  ApplVStdFatalError  is  called.
The implementation of this function is to be provided by the application. This function has
an  errorcode  parameter  which  describes  the  reason  which  caused  the  assertion.  The
following table describes these reasons.

Errorcode
Description
kVStdErrorIntDisableTooOften
The called VStdLib interrupt locking function
exceeded a nesting call depth of 127.
kVStdErrorIntRestoreTooOften
The number of calls of the VStdLib interrupt
unlocking function was higher than the number of
nested interrupt lock calls.
kVStdErrorMemClrInvalidParameter
A memclr function of the VStdLib was called with an
invalid pointer parameter
kVStdErrorMemCpyInvalidParameter
A memcpy function of the VStdLib was called with an
invalid pointer parameter
kVStdErrorMemSetInvalidParameter
A memset function of the VStdLib was called with an
invalid pointer parameter
kVStdErrorUnexpectedLockState
A interrupt restore function of the VStdLib is called
but the interrupts are already unlocked. This state is
not expected and must never occur.

Caution
Note that some of the assertions exist solely in case the VStdLib is configured to use
  no library functions. In that case the missing library functionality is implemented directly
in the VStdLib source file.

Note
Not every assertion code is implemented on each hardware.

2013, Vector Informatik GmbH
Version: 1.6.2
18 / 21
based on template version 3.7

Technical Reference VStdLib

8  Limitations
8.1
Interrupt control does not work correctly in user mode
For  proper  functionality  it  is  required  that  the  interrupt  lock  functions  can  modify  the
relevant  bits  (e.g.  Interrupt  Level,  Interrupt  Enable)  in  the  corresponding  registers  (e.g.
processor status word).
If the specific controller supports any non-privileged mode (e.g. user mode) that does not
allow  access  to  the  relevant  registers  and  the  interrupt  lock  APIs  are  called  within  this
context the interrupt lock may not work as expected.
2013, Vector Informatik GmbH
Version: 1.6.2
19 / 21
based on template version 3.7

Technical Reference VStdLib

9  Glossary and Abbreviations
9.1
Glossary
Term
Description
User configuration file  A text file which is appended by the configuration tool to the generated
source files. If a user configuration file is required the technical reference
describes it and the contents.

9.2
Abbreviations
Abbreviation
Description
RI
Reference implementation of the CANbedded CAN driver. The reference
implementation defines the features a CAN driver must provide. From
Reference Implementation 1.5 (RI1.5) the interrupt locking functionality of
each CAN driver is moved to the VStdLib for the specific platform.
VStdLib
Vector Standard Library

2013, Vector Informatik GmbH
Version: 1.6.2
20 / 21
based on template version 3.7

Technical Reference VStdLib

10 Contact
Visit our website for more information on

> News
> Products
> Demo software
> Support
> Training data
> Addresses

www.vector-informatik.com
2013, Vector Informatik GmbH
Version: 1.6.2
21 / 21
based on template version 3.7

Document Outline

25.13 - VectorBswSuprt Integration Manual

Integration Manual

For

VectorBswSuprt

VERSION: 1

DATE: 02/01/17

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA

Location: The official version of this document is stored in the Nexteer Configuration Management System.

Revision History

Sl. No.	Description	Author	Version	Date
1	Initial version	Lucas Wendling	1.0	02/01/17

Table of Contents

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

Configuration REQUIREMeNTS

Note this component contains a superset of the different versions of the Vector VStdLib. The CANbedded SIP versions of these are in folders following a two-part version structure XX.XX.XX_YY.YY.YY. The AUTOSAR SIP versions of these are in folders following a standard version structure XX.XX.XX. Please note that projects that use both AUTOSAR and CANbedded pieces typically should use the CANbedded versions vs the AUTOSAR versions. The integrator is responsible for selecting the correct version for their particual project (usually driven by what was delivered for that particular program’s Vector SIP delivery) by using the appropriate Green Hills .gpj subproject as will as pointing the include search path to the appropriate subdirectory of this component.

Additionally, some versions of VStdLib are provided with a template file for configuration of the module. If these versions are applicable to the project integrating VStdLib, this template file should be copied into the project for inclusion in the build after adapting the template for the needs of the project. Additionally, the leading underscore should be removed from this file. This file can be found in the “tools/template/” folder of this component. For details on how to adapt, third party documentation found in this component can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	Notes

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger

Runnable	Scheduling Requirements	Trigger

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

25.14 - VectorBswSuprt Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. VectorBswSuprt

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Suprt_Vector_Bsw_02.02.00

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#9536

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

02/03/17

Lead Peer Reviewer:

Rijvi

Approved by Reviewer(s):

Yes

Other Reviewer(s):

26 - Watchdog Driver

Watchdog Driver

Component Documentation

26.1 - AUTOSAR_WDG_Component_UserManual

AUTOSAR MCALR4.0 User's Manual

26.2 - AUTOSAR_WDG_Component_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54

26.3 - AUTOSAR_WDG_Component_UserManuals

AUTOSAR MCAL R4.0.3
User‟s Manual

WDG Driver Component Ver.1.0.4

Embedded User‟s Manual

Target Device:
RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.01 Apr 2015

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.

3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.

11.  This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.  Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.

(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.

3

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
ADC
Analog Digital Converter
ANSI
American National Standards Institute
API
Application Programming Interface
AUTOSAR
Automotive Open System ARchitecture
CAN
Controller Area Network
DEM
Diagnostic Event Manager
DET/Det
Development Error Tracer
DIO
Digital Input And Output
ECU
Electronic Control Unit
EEPROM
Electrical Erasable Programmable Read Only Memory
ID/Id
Identifier
ISR
Interrupt Service Routine
LIN
Local Interconnect Network
MCAL
Microcontroller Abstraction Layer
MCU
MicroController Unit
PWM
Pulse Width Modulation
RAM
Random Access Memory
ROM
Read Only Memory
SCI
Serial Communication Interface
SPI
Serial Peripheral Interface
WDG/wdg
WatchDog
WDT
WatchDog Timer
WDGIF
WatchDog Interface
CDD
Complex Device Driver

Definitions

Term
Represented by
Sl. No.
Serial Number
WDTAEVAC
Watchdog Timer Enable Register for Varying Activation Code
WDTAMD
Watchdog Timer Mode Register
WDTAWDTE
Watchdog Timer Enable Register for Fixed Activation Code
5

6

10

Introduction                                                                                                                            Chapter 1

Chapter 1
Introduction

The purpose of this document is to describe the information related to WDG
Driver Component for Renesas P1x microcontrollers.

This document shall be used as reference by the users of WDG Driver
Component. The system overview of complete AUTOSAR architecture is
shown in the below Figure:

Application Layer

AUTOSAR  RTE

System Services

On board Device Abstraction

WDG  Driver

Microcontroller

Figure 1-1  System Overview Of AUTOSAR Architecture

The WDG Component comprises embedded software and the Configuration
Tool to achieve scalability and configurability.

The WDG Generation Tool is a command line tool that accepts ECU
configuration description files as input and generates source and header files.
The configuration description is an ARXML file that contains information about
the configuration for Watchdog timer. The tool generates the
Wdg_59_DriverA_PBcfg.c and Wdg_59_DriverA_Cfg.h for Watchdog
Driver A.
11

Chapter 1                                                                                                                            Introduction

The Figure in the following page depicts the WDG Driver as part of layered
AUTOSAR MCAL Layer:

Microcontroller  Drivers
Memory Drivers
Communication  Drivers
I/O Drivers

In

Ex
In
te
Wa

t
r
te
e
n
GP
M
r
a
Fl
tc
r
P


n
C
R
n
l
PWM
CU
a

C
L
e
A
I
D
O
h
a
E
CU
o
A
T
l
I
A
x
DC
I
d
l

r

M

EP
N
R
O
R
F
N
o

e
F

g

l
ay

l
a

T
a

R

s
s

h
O
h

M

E
P

GP
W
x
F
E
L
CA
IC
P
Cl
o
M
t.
L
E
SPI
A
S
I
DI
w
N
W
     D          Micro
B
A
M
P
o
CU

C
U
DC
N
T
e
T
ck
US
S

RO

O

r

I
o

M

&
H

r

  Controller

Figure 1-2  System Overview Of The WDG Driver In AUTOSAR MCAL Layer

Watchdog Driver module provides the services for initializing, changing the
operation mode and triggering the watchdog.
12

Introduction                                                                                                                            Chapter 1

1.1.
Document Overview

The document has been segmented for easy reference. The table below
provides user with an overview of the contents of each section:

Section
Contents
Section 1 (Introduction)
This section provides an introduction and overview of WDG Driver
Component.
Section 2 (Reference Documents)  This section lists the documents referred for developing this document.
Section 3 (Integration And Build
This section explains the folder structure, Makefile structure for WDG
Process)
Driver Component. This section also explains about the Makefile
descriptions, Integration of WDG Driver Component with other
components, building the WDG Driver Component along with a sample
application.
Section 4 (Forethoughts)
This section provides brief information about the WDG Driver
Component, the preconditions that should be known to the user before it
is used, data consistency details, WDG State Diagram, WDTA 75% ISR
Usage Details, deviation list, Support For Different Interrupt Categories,
user-mode and supervisor mode API support list, register read-back.
Section 5 (Architecture Details)
This section describes the layered architectural details of the WDG
Driver Component.
Section 6 (Register Details)
This section describes the register details of WDG Driver Component.
Section 7 (Interaction Between
This section describes interaction of the WDG Driver Component with
The User And WDG Driver
the upper layers.
Component)
Section 8 (WDG Driver
This section provides information about the WDG Driver Component
Component Header And Source
source files is mentioned. This section also contains the brief note on the
File Description)
tool generated output file.
Section 9 (Generation Tool Guide)  This section provides information on the WDG Driver Component Code
Generation Tool.
Section 10 (Application
This section explains all the APIs provided by the WDG Driver
Programming Interface)
Component.
Section 11 (Development And
This section lists the DET and DEM errors.
Production Errors)
Section 12 (Memory
This section provides the typical memory organization, which must be
Organization)
met for proper functioning of component.
Section 13 (P1M Specific
This section provides the P1M Specific Information.
Information)
Section 14 (Release Details)
This section provides release details with version name and base
version.
13

Chapter 1 Introduction

14

Reference Documents                                                                                                       Chapter 2

Chapter 2
Reference Documents

Sl. No.
Title
Version
1.
Autosar R3.2
2.3.0
AUTOSAR_SWS_WatchdogDriver.pdf
2.
Autosar R4.0
2.5.0
AUTOSAR_SWS_WatchdogDriver.pdf
3.
AUTOSAR BUGZILLA (http://www.autosar.org/bugzilla)
-
Note: AUTOSAR BUGZILLA is a database, which contains concerns raised
against information present in AUTOSAR Specifications.
4.
r01uh0436ej0070_rh850p1x.pdf
  0.70

5.
AUTOSAR_SWS_CompilerAbstraction.pdf
  3.2.0
6.
AUTOSAR_SWS_MemoryMapping.pdf
  1.4.0
7.
AUTOSAR_SWS_PlatformTypes.pdf
  2.5.0
8.
AUTOSAR_BSW_MakefileInterface.pdf
  0.3

15

Chapter 2 Reference Documents

16

Integration And Build Process
Chapter 3

Chapter 3
Integration And Build Process

In this section the folder structure of the WDG Driver Component is explained.
Description of the Makefiles along with samples is provided in this section.

Remark The details about the C Source and Header files that are generated by the
WDG Driver Generation Tool are mentioned in the
“AUTOSAR_WDG_Tool_UserManual.pdf”.

3.1.
WDG Driver Component Makefile

The Makefile provided with the WDG Driver Component consists of the GNU
Make compatible script to build the WDG Driver Component in case of any
change in the configuration. This can be used in the upper level Makefile (of
the application) to link and build the final application executable.

3.1.1. Folder Structure

The files are organized in the following folders:

Remark Trailing slash „\‟ at the end indicates a folder

X1X\common_platform\modules\wdg\src\ Wdg_59_DriverA.c

\Wdg_59_DriverA_Irq.c

\Wdg_59_DriverA_Private.c

\Wdg_59_DriverA_Ram.c

\Wdg_59_DriverA_Version.c

X1X\common_platform\modules\wdg\include\Wdg_59_DriverA.h

\Wdg_59_DriverA_Debug.h

\Wdg_59_DriverA_Irq.h

\Wdg_59_DriverA_PBTypes.h

\Wdg_59_DriverA_Private.h

\Wdg_59_DriverA_Ram.h

\Wdg_59_DriverA_RegReadBack.h

\Wdg_59_DriverA_Types.h

\Wdg_59_DriverA_Version.h

X1X\P1x\modules\wdg\sample_application\<SubVariant>\make\<Complier>
\App_WDG_P1M_Sample.mak

 X1X\P1x\modules\wdg\sample_application\<SubVariant>\obj\<Complier>

 (Note: For example compiler can be ghs.)

X1X\P1x\modules\wdg\generator
17

Chapter 3 Integration And Build Process

\R403_WDG_P1x_BSWMDT.arxml

X1X\common_platform\modules\wdg\generator\Wdg_X1x.exe
X1X\P1x\common_family\generator
 \Sample_Application_P1x.trxml
 \P1x_translation.h

X1X\P1x\modules\wdg\user_manual

(User manuals will be available in this folder)
Notes:
1. <Compiler> can be ghs.

2. <SubVariant> can be P1M.

3. <AUTOSAR_version> should be 4.0.3.

18

Forethoughts
Chapter 4

Chapter 4
Forethoughts

4.1.
General

Following information will aid the user to use the WDG Driver Component
software efficiently:

•
The WDG Component does not enable or disable the ECU or
Microcontroller power supply. The upper layer should handle this
operation.

•
Option byte values required for the operation of watchdog will be flashed
through Start up code.

•
The WDG Component does not implement any scheduled functions.

•
WDG Component does not implement any Call Back Notification functions.

•
Example code mentioned in this document shall be taken only as a
reference for implementation.

•
The Watchdog hardware supports only Driver A. Hence, WDG Driver
Component is implemented as Driver A. WDG_DRIVER_INSTANCE
variable of Base Make file is updated for Driver A.

•
All development errors will be reported to Det by using the API
Det_ReportError() provided by DET.

•
All production errors will be reported to Dem by using the API
Dem_ReportErrorStatus() provided by DEM.

•
"It should be ensured that the respective clock source is switched ON
before Watchdog is set to corresponding Clock Unit in
Wdg_59_DriverA_Init() API.

•
The API Wdg_59_DriverA_SetTriggerCondition() initializes the trigger
counter global variable with timeout value divided by either slow or fast time
Value generated by the configuration.

•
For WDG Reset functionality in debug mode, unmask the reset in debug
mode during debug session with GHS command "target pinmask k".

•
The file Interrupt_VectorTable.c provided is just a Demo and not all
interrupts will be mapped in this file. So the user has to update the
Interrupt_VectorTable.c as per his configuration.

19

Chapter 4                                                                                               Forethoughts

4.2.
Preconditions

Following preconditions have to be adhered by the user, for proper
functioning of the WDG Driver Component:

•
The user should ensure that WDG Component API requests are invoked in
the correct and expected sequence along with correct input arguments.

•
User should ensure that the appropriate option bytes are flashed for the
configured mode in the watchdog driver module.

•
Validation of input parameters are done only when the static configuration
parameter WDG_59_DRIVERA_DEV_ERROR_DETECT is enabled.
Application should ensure that the right parameters are passed while
invoking the APIs when WDG_59_DRIVERA_DEV_ERROR_DETECT is
disabled.

•
A mismatch in the version numbers will result in compilation error. Ensure
that the correct versions of the header and the source files are used.

•
The files Wdg_59_DriverA_Cfg.h and Wdg_59_DriverA_PBcfg.c
generated using watchdog driver generation tool has to be linked along
with WDG Component source files.

•
File Wdg_59_DriverA_PBcfg.c generated for single configuration set using
Watchdog Driver Generation Tool can be compiled and linked
independently.

•
The WDG Component needs to be initialized before accepting any API
requests. Wdg_59_DriverA_Init should be called by the ECU State
Manager Module to initialize WDG Component. It should not be called
more than once.

4.3.
Data Consistency

To support the re-entrance and interrupt services, the AUTOSAR WDG
component will ensure the data consistency while switching the watchdog
mode and during the watchdog trigger routine. The WDG Driver component
will use SchM_Enter_Wdg and SchM_Exit_Wdg functions. The
SchM_Enter_Wdg function is called before the data needs to be protected
and SchM_Exit_Wdg function is called after the data is accessed.

The following exclusive areas along with scheduler services are used to
provide data integrity for shared resources:

  TRIGG_PROTECTION
  MODE_SWITCH_PROTECTION
The protection areas TRIGG_PROTECTION and
MODE_SWITCH_PROTECTION are used to protect the WDG
triggering and WDG mode switching respectively.

The functions SchM_Enter_Wdg and SchM_Exit_Wdg can be disabled by
disabling the configuration parameter „WdgCriticalSectionProtection‟.

20

Forethoughts
Chapter 4

4.4.
WDG State Diagram

The State diagram of WDG Driver is as shown below

Figure 4-1  State Diagram of WDG when WdgDisableAllowed is true

WDG Driver supports following modes when configuration parameter
WdgDisableAllowed is true.

1.WDGIF_OFF_MODE

2.WDGIF_SLOW_MODE

3.WDGIF_FAST_MODE

No Initialization

Wdg_59_DriverA_Init() with
                                                      Wdg_59_DriverA_Init() with
WDGIF_S LOW_MODE
                                                      WDGIF_FAST_MODE

FAST
SLOW

Figure 4-2  State Diagram of WDG when WdgDisableAllowed is false

21

Chapter 4                                                                                               Forethoughts

WDG Driver supports following modes when configuration parameter
WdgDisableAllowed is false

1.  WDGIF_SLOW_MODE

2.  WDGIF_FAST_MODE

Like shown in the above figures when WDG Driver is initialized by the API
Wdg_59_DriverA_Init(), the WDG Driver gets into one of the modes based on
the default value configured during configuration. Also the modes can be
changed by the API Wdg_59_DriverA_SetMode() only once after
Wdg_59_DriverA_Init(), if the current mode is WDGIF_OFF_MODE.

4.5.
WDTA 75% ISR Usage Details for R4.0.3

WDG Driver using '75% interrupt output' feature services the Watchdog
hardware to trigger watchdog hardware as long as the trigger condition is
valid. If the trigger condition becomes invalid the Wdg Driver stops triggering
and the watchdog expires.

  Maximum counter
value 0xFFFF
  75% of maximum
  counter value

Counter Value

Wdg_59_DriverA_Init()
75% of Time Period
  Reset Release
Wdg_59_DriverA_SetTriggerCondition()
Wdg_59_DriverA_SetTriggerCondition()

INTWDTn(75% Interrupt)

WDG Trigger



B
A
A

WDTAnTRES

Figure 4-3  WDG behavior during Data exchange with hardware

22

Forethoughts
Chapter 4

Figure 4-4 WDG behavior when Wdg_SetTriggerCondition is called

Note User should adjust the Timeout value in such a way that the corrections of 'A‟
and 'B' are considered while passing the 'timeout' value to API
'Wdg_59_DriverA_SetTriggerCondition‟.

The above figure illustrates the scenario where
Wdg_59_DriverA_SetTriggerCondition API
is called before the expiry of the Initial Timeout value.

The 75% duration calculation for one WDG trigger cycle in slow mode

WDTATCKI = 240 kHz

For example considering current mode settings = WDTATCKI/2^16

Period = 2^16/240k = 0.273 sec

Total window time = 273 msec

75% interrupt time = 204.7 msec

Generation tool will round off the 75% interrupt time “204.7 msec” to “205
msec” and rounded value is displayed on the command prompt. For the
above example the information on command prompt for slow mode will be
displayed as given below.
The duration of 75% of one WDG trigger cycle for slow mode is <205
msec>

If the timeout value passed by the API Wdg_59_DriverA_Settriggercondition
is 410 msec, then the counter value will be calculated in the WDG Driver as
2.

23

Chapter 4 Forethoughts

The duration of 75% of one WDG trigger cycle calculation for fast mode

WDTATCKI = 240 kHz

For example considering current mode settings = WDTATCKI/2^9

Period = 2^9/240k = 0.0021 sec

Total window time = 2.1 msec

75% interrupt time = 1.5 msec

Generation tool will round off the 75% interrupt time “1.5 msec” to “2 msec”
and rounded value is displayed on the command prompt. For the above
example the information on command prompt for fast mode will be displayed
as given below.

The duration of 75% of one WDG trigger cycle for fast mode is <2
msec>

If the timeout value passed by the API
Wdg_59_DriverA_Settriggercondition() is 50 msec, then the counter value
will be calculated in the WDG Driver as 25.

The API Wdg_59_DriverA_SetTriggerCondition() will not trigger the
watchdog hardware it will only calculate the trigger counter value.

In General the user should use the below formula while calculating the
Timeout Period by considering the corrections of 75% duration round off, A
and B values.

Timeout Period = (Trigger Count)* (75% of Time Period + A)+B

where „A” is the time required for the ISR to trigger the WDG hardware and

„B‟ is the time gap between Wdg_59_DriverA_SetTriggerCondition() execution
and next WDG trigger from 75% ISR.

4.6.
Deviation List

Table 4-1 WDG Driver Deviation List

Sl. No.
Description
AUTOSAR Bugzilla
1.
"WDG_SETTINGS_SLOW" and
-
"WDG_SETTINGS_FAST" is configured from the list of
clock selections (16 choices are possible) and depending
on the mode configured for "WDG_DEFAULT_MODE",
watchdog settings is initialized in the API
Wdg_59_DriverA_Init().
2.
The requirement 'WDG025' is handled in the generation
-
tool itself by the error 'ERR102009'.
3.
If the API Wdg_59_DriverA_SetTriggerCondition, is
-
invoked with the timeout value "0" will not result in
instantaneous watchdog reset of the ECU like mentioned
in WDG140, instead the trigger counter will be set to "0"
and watchdog reset will occur after the WatchDog counter
value has reached its maximum value.
4.
The API Wdg_59_DriverA_GetVersionInfo is
-
implemented as macro without DET error
Wdg_59_DriverA_E_PARAM_POINTER.

24

Forethoughts
Chapter 4

4.7.
User mode and supervisor mode

The below table specifies the APIs which can run in user mode, supervisor
mode or both modes

Table 4-2  Supervisor mode and User mode details

Sl.No
API Name
User Mode
Supervisor mode
1
Wdg_59_DriverA_Init
-
x
2
Wdg_59_DriverA_SetMode
x
x
3
Wdg_59_DriverA_SetTriggerCondition
x
x
4
Wdg_59_DriverA_GetVersionInfo
x
x

4.8.
Register Read-Back

Categorization of registers
Register  read-back  is  a  functional  safety  based  implementation  were  all  the
registers used in the module are categorized into two different category  which
are as fallows
1
Static registers.
2  Dynamic registers.
Static Registers:
Static registers is defined as the registers which are written only in
Wdg_59_DriverA_Init () API and not changed during runtime.
Dynamic Registers:
Dynamic register is defined as the register which are written during runtime
API‟s independently to that of it is used in Wdg_59_DriverA_Init ().
Table 4-3  Registers categorization definition

Static Registers
Dynamic Registers
HW
  Write-read-verify performed for each
Write-read-verify performed for each register
Register
register write. DEM report in case of
write. DEM report in case of error.
error.
RAM
Only for static registers same value
Write-read-verify performed for each register
mirror
as written to the register is written to
write. DEM report in case of error.
RAM mirror.

Register read-back
In register read-back implementation each register which is written in the WDG
timer is verified by doing read-back on that registers. However a global copy of
the  register  value  is  always  kept  in  the  RAM  for  static  registers  and  a  global
copy is not made for dynamic registers. These variables can be used to verify
the registers in CDD.
25

Chapter 4                                                                                               Forethoughts

In  the  below  table,  details  about  the  static  register,  global  mirror  variable  and
mask value to  be  used in  connective  with the register is provided. The Global
mask provided in the table is of logical “&” based mask
Table 4-4  Watchdog module Static Register Table
Sl.No.
Register
Global Mirror variable
Global Mask Variable
Name
1.
Wdg_59_DriverA_GulIMR1Mask
IMR0
Wdg_59_DriverA_GulIMR1Mirror
(0xFFFFFDFF)

26

Architecture Details
Chapter 5

Chapter 5
Architecture Details

The WDG Driver architecture is shown in the following figure. The WDG user
shall directly use the APIs to configure and execute the WDG conversions:

Watchdog Interface

Watchdog Driver

Hardware Registers

Figure 5-1 Watch Driver And Watchdog Interface Architecture

Watchdog Interface invokes the corresponding Driver. The Driver APIs will
access the hardware register of the Watchdog Timers for changing the mode
and trigger the Watchdog Timer.

Watchdog Driver component:

The Watchdog Driver component is composed of following modules:

•
Watchdog Driver Initialization module

•
Watchdog Driver SetMode module

•
Watchdog Driver SetTriggerCondition module

•
Watchdog Driver VersionInfo module

27

Chapter 5                                                                                  Architecture Details

The basic architecture of the Watchdog Driver component is illustrated in the
following figure:

Watch Dog Driver

Initialization Module
SetMode Module

SetTriggerCondition
VersionInfo Module
Module

Figure 5-2  Basic Architecture Of WDG Component

Watchdog Driver Initialization module:

This module initializes the watchdog driver and watchdog hardware. It
provides the API Wdg_59_DriverA_Init(). This API should be invoked before
the usage of any other APIs of Watchdog Driver Module.

Watchdog Driver SetMode module:

This module will handle the functionality for setting the modes. It provides the
API Wdg_59_DriverA_SetMode(). Following are the possible mode settings:

•
WDGIF_SLOW_MODE

•
WDGIF_FAST_MODE

Remark  The above settings are configured using the WDTAMD register. SetMode will
support mode switch as described in the chapter 4.4 WDG State Diagram.

SetMode API will set module‟s state to WDG_BUSY during execution and
reset the module‟s state to WDG_IDLE before return.

Watchdog Driver SetTriggerCondition module:

This module will handle the functionality to reset the watchdog timeout
counter according to the timeout value passed. It provides the API
Wdg_59_DriverA_SetTriggerCondition.

There are two types of Activation codes to trigger the Watchdog. They are

•
Fixed Activation Code.

•
Varying Activation code.

Depending on the Activation code chosen, this function has to trigger the
corresponding register.

•
WDTAWDTE register will be used for Fixed Activation Code.

•
WDTAEVAC register will be used for Varying Activation Code.

Watchdog Driver VersionInfo module:

This module will provide the current version of the Watchdog Driver Module. It
contains the API Wdg_59_DriverA_GetVersionInfo().

28

Registers Details
Chapter 6

Chapter 6
Registers Details

This section describes the register details of WDG Driver Component.

Table 6-1  Register Details

API Name
Registers
Config Parameter
Macro/Variable
Wdg_59_DriverA_Init
IMRn
WdgErrorModeSetting  WDG_59_DRIVERA_INTWDTIM
R_MASK
WDTAnMD
WdgDefaultMode
ucWdtamdDefaultValue.
Wdg_59_DriverA_SetMode
WDTAnMD
-
ucWdtamdSlowValue,
ucWdtamdFastValue
Autosar R4.0:
-
-
-
Wdg_59_DriverA_SetTriggerCon
dition
Wdg_59_DriverA_GetVersionInfo  -
-
-
Wdg_59_DriverATrigger
WDTAnEVAC  -
WDG_59_DRIVERA_RESTART -
WDG_59_DRIVERA_WDTAREF
_ADDRESS
WDTAnWDT
-
WDG_59_DRIVERA_RESTART
E
WDTAnREF
-
-

29

Chapter 6 Registers Details

30

Interaction Between The User And WDG Driver Component
Chapter 7

Chapter 7
Interaction Between The User And WDG

Driver Component

The details of the services supported by the WDG Driver Component to the
upper layer users are provided in the following sections:

7.1.
Services Provided By WDG Driver Component To the
User

The WDG Driver Component provides the following functions to upper layers:

•
To Initialize Watchdog Timer

•
To Set the Mode of the Watchdog Timer

•
To handle the functionality of calculating the trigger counter value

•
To Read the WDG Component Version Information.

31

Chapter 7 Interaction Between The User And WDG Driver Component

32

WDG Driver Component Header And Source File Description
Chapter 8

Chapter 8
WDG Driver Component Header And

Source File Description

This section explains the WDG Driver Component‟s C Source and C Header
files. These files have to be included in the project application while
integrating with other modules.

The C header file generated by WDG Driver Generation Tool:

•
Wdg_59_DriverA_Cfg.h

The C source file generated by WDG Driver Generation Tool:

•
Wdg_59_DriverA_PBcfg.c

The WDG Driver Component C header files:

•
Wdg_59_DriverA.h

•
Wdg_59_DriverA_Debug.h

•
Wdg_59_DriverA_Irq.h

•
Wdg_59_DriverA_PBTypes.h

•
Wdg_59_DriverA_Private.h

•
Wdg_59_DriverA_Ram.h

•
Wdg_59_DriverA_Types.h

•
Wdg_59_DriverA_Version.h

•
Wdg_59_DriverA_RegReadBack.h

The WDG Driver Component source files:

•
Wdg_59_DriverA.c

•
Wdg_59_DriverA_Irq.c

•
Wdg_59_DriverA_Private.c

•
Wdg_59_DriverA_Ram.c

•
Wdg_59_DriverA_Version.c

The port specific C header files:

•
Compiler.h

•
Compiler_Cfg.h

•
MemMap.h

•
Platform_Types.h

•
rh850_Types.h

33

Chapter 8 WDG Driver Component Header And Source File Description

The description of the WDG Driver Component files is provided in the table
below:

Table 8-1
Description Of The WDG Driver Component Files

File
Details
Wdg_59_DriverA_Cfg.h
This file is generated by the WDG Generation Tool for various WDG component
pre-compile time parameters. Generated macros and the parameters will vary
with respect to the configuration in the input ARXML file.
Wdg_59_DriverA_PBcfg.c
This file contains post-build configuration data. The structures related to WDG
Initialization are provided in this file. Data structures will vary with respect to
parameters configured.
Wdg_59_DriverA.h
This file provides extern declarations for all the WDG Component APIs. This file
provides service IDs of APIs, DET Error codes and type definitions for
Watchdog Driver initialization structure. This header file shall be included in
other modules to use the features of WDG Component.
Wdg_59_DriverA_Debug.h
This file provides Provision of global variables for debugging purpose.
Wdg_59_DriverA_Irq.h
This file contains the macro for the WDG Timer channels. It also contains the
external declaration for the interrupt functions used by WDG Driver component.
Wdg_59_DriverA_PBTypes.h
This file contains the macros used internally by the WDG Component code and
the structure declarations related to watchdog control registers.
Wdg_59_DriverA_Private.h
This file contains the declarations of the internally used functions.
Wdg_59_DriverA_Ram.h
This file contains the extern declarations for the global variables that are
defined in Wdg_59_DriverA_Ram.c file and the version information of the file.
Wdg_59_DriverA_Types.h
This file contains the common macro definitions and the data types required
internally by the WDG software component.
Wdg_59_DriverA_Version.h
This file contains the macros of AUTOSAR version numbers of all modules that
are interfaced to WDG.
Wdg_59_DriverA_RegReadBa This file contains the extern declarations for the global variables that are
ck.h
defined in Wdg_59_DriverA_Ram.c file for read-back functionality.
Wdg_59_DriverA.c
This file contains the implementation of all APIs.
Wdg_59_DriverA_Irq.c
This file contains the implementation of all the interrupt functions used by WDG
Driver Component.
Wdg_59_DriverA_Private.c
This file contains the definition of the internal functions that access the
hardware registers.
Wdg_59_DriverA_Ram.c
This file contains the global variables used by WDG Component.
Wdg_59_DriverA_Version.c
This file contains the code for checking version of all modules that are
interfaced to WDG.
Compiler.h
Provides compiler specific (non-ANSI) keywords. All mappings of keywords,
which are not standardized, and/or compiler specific are placed and organized
in this compiler specific header.
Compiler_Cfg.h
This file contains the memory and pointer classes.
MemMap.h
This file allows to map variables, constants and code of modules to individual
memory sections. Memory mapping can be modified as per ECU specific
needs.
Platform_Types.h
This file provides provision for defining platform and compiler dependent types.
rh850_Types.h
This file provides macros to perform supervisor mode (SV) write enabled
Register ICxxx and IMR register writing using OR/AND/Direct operation.

34

Generation Tool Guide
Chapter 9

Chapter 9
Generation Tool Guide

For information on the WDG Driver Component Code Generation Tool,
please refer “AUTOSAR_WDG_Tool_UserManual.pdf” document.
35

Chapter 9 Generation Tool Guide

36

Application Programming Interface

Chapter 10
Chapter 10  Application Programming Interface

This section explains the Data types and APIs provided by the WDG Driver
Component to the Upper layers.

10.1.  Imported Types

This section explains the Data types imported by the WDG Driver Component
and lists its dependency on other modules.

10.1.1. Standard Types

In this section all types included from the Std_Types.h are listed:

•
Std_ReturnType

•
Std_VersionInfoType

10.1.2. Other Module Types

In this section all types included from the WdgIf_Types.h and Dem.h are listed.

•
WdgIf_ModeType

•
WdgIf_Statustype

•
Dem_EventIdType

•
Dem_EventStatusType

10.2.  Type Definitions

This section explains the type definitions of WDG Driver Component
according to AUTOSAR Specification.
10.2.1. Wdg_59_DriverA_ConfigType

Name:
  Wdg_59_DriverA_ConfigType
Type:
Structure

Type
Name
Explanation

unit32
ulStartOfDbToc
Database start

value

uint16
usInitTimerCountValue
Trigger counter

value

uint16
usSlowTimeValue
SLOW mode

value of

WDTAMD

register

uint16
usFastTimeValue
FAST mode

value of

WDTAMD

register

Element:
uint8
ucWdtamdSlowValue
WDTAnMD
register value for
the Slow Mode.
37

Chapter 10

Application Programming Interface
Name:
  Wdg_59_DriverA_ConfigType
Type:
Structure
uint8
ucWdtamdFastValue
WDTAnMD
register value for
the Fast Mode.
uint16
usDefaultTimeValue
75% time value
of either slow or
fast mode in
milliseconds
uint8
ucWdtamdDefaultValue
Watchdog
default mode
WdgIf_ModeType
ddWdtamdDefaultMode
Default mode
value configured
by the user
Description:
This is the type of the data structure required for initializing the Watchdog Hardware unit.

10.3.
Function Definitions

This section explains the APIs provided by the WDG Driver Component.

Table 10-1
APIs provided by the WDG Driver Component

SI.No
   API’s

1.
Wdg_59_DriverA_Init
2.
Wdg_59_DriverA_SetMode
3.
Wdg_59_DriverA_SetTriggerCondition
4.
Wdg_59_DriverA_GetVersionInfo

38

Development And Production Errors

Chapter 11
Chapter 11  Development And Production Errors

In this section the development errors that are reported by the WDG Driver
Component are tabulated. The development errors will be reported only when
the pre compiler option WdgDevErrorDetect is enabled in the configuration.

11.1.  WDG Driver Component Development Errors

The following table contains the DET errors that are reported by WDG Driver
Component. These errors are reported to Development Error Tracer Module
when the WDG Driver Component APIs are invoked with wrong input
parameters or without initialization of the driver.

Table 11-1  DET Errors Of WDG Driver Component

Sl. No.
1
Error Code
WDG_59_DRIVERA_E_PARAM_CONFIG
Related API(s)
Wdg_59_DriverA_Init
Source of Error
When the API service is called with a configuration set which is not within the allowed
boundaries.
Sl. No.
2
Error Code
WDG_59_DRIVERA_E_PARAM_MODE
Related API(s)
Wdg_59_DriverA_SetMode
Source of Error
When the API service is called the Driver is not possible to change the mode.
Sl. No.
3
Error Code
WDG_59_DRIVERA_E_DRIVER_STATE
Related API(s)
Wdg_59_DriverA_SetMode, Wdg_59_DriverA_Trigger and
Wdg_59_DriverA_SetTriggerCondition.
Source of Error
If the API service is called when the driver state is not in idle state.
Sl. No.
4
Error Code
WDG_59_DRIVERA_E_INVALID_DATABASE
Related API(s)
Wdg_59_DriverA_Init
Source of Error
When the API service is called with wrong database.
Sl. No.
5
Error Code
WDG_59_DRIVERA_E_PARAM_TIMEOUT
Related API(s)
Wdg_59_DriverA_SetTriggerCondition
Source of Error
When the API service Wdg_59_DriverA_SetTriggerCondition is called with timeout
value greater maximum timeout value (WdgMaxTimeout).

11.2.  WDG Driver Component Production Errors

The following table contains the DEM errors that are reported by WDG
Component
39

Chapter 11

Development And Production Errors
Table 11-2 DEM Errors Of WDG Driver Component

Sl. No.
1
Error Code
WDG_59_DRIVERA_E_DISABLE_REJECTED
Related API(s)
Wdg_Init
Source of Error
If error during mode switch failed, the above error is reported to DEM
Sl. No.
2
Error Code
WDG_59_DRIVERA_E_MODE_FAILED
Related API(s)
Wdg_Init
Source of Error
When switching between the modes is failed above error is reported to DEM.
Sl. No.
3
Error Code
WDG_59_DRIVERA_ READBACK_FAILURE
Related API(s)
In Wdg_Init, Wdg_59_DriverA_SetMode and Wdg_59_DriverA_Trigger API read
back failure report DEM error.
Source of Error
Read back failure is caused whenever a register is written and the register is not
updated with the written value then this error is reported.

40

Memory Organization

Chapter 12
Chapter 12  Memory Organization

Following picture depicts a typical memory organization, which must be met for
proper functioning of WDG Component software.

ROM Section
WDG Driver Component
RAM  ect

Library  Object
es

Global RAM required for WDG functioning.
WDG Driver component APIs are placed in this

Segment Name:
code memory.

Y1
  NOINIT_RAM_UNSPECIFIED


X1

Segment Name:

WDG59_A_PUBLIC_CODE_ROM

Global bit RAM to be initialized by WDG

Driver.

Segment Name:
Y2

NOINIT_RAM_16BIT

WDG Driver code related to internal and ISR

functions are placed in this memory.

Global bit RAM to be initialized by WDG

Segment Name:
X2
Driver.

WDG_59_DRIVERA_FAST_CODE_ROM
Y3

Segment Name:

NOINIT_RAM_32BIT

Tool Generated Files

The const section in the file

Wdg_59_DriverA_PBCfg.c  is placed in this

memory.

Segment Name:
X3

WDG59_A_CFG_DBTOC_UNSPECIFIED

Figure 12-1  Memory Organization Of WDG Driver Component

ROM Section (X1, X2 and X3):

WDG59_A_PUBLIC_CODE_ROM (X1): API(s) of WDG Driver Component,
which can be located in code memory.

WDG_59_DRIVERA_FAST_CODE_ROM (X2): Internal and ISR functions of
WDG Driver Component code are placed in this code memory.

WDG59_A_CFG_DBTOC_UNSPECIFIED(X3):  This  section  consists  of
WDG  Component  database  generated  by  the  Watchdog  Driver  Generation
Tool  and  the  constant  structures  used  in  AUTOSAR  Renesas  WDG  Driver
Component. This can be located in code memory.

41

Chapter 12

Memory Organization
RAM Section (Y1, Y2 and Y3):

NOINIT_RAM_UNSPECIFIED (Y1): This section consists of the global RAM
variables that are used internally by WDG Component and other software
components. The specific sections of respective software components will
be merged into this RAM section accordingly.

NOINIT_RAM_16BIT (Y2): This section consists of the global RAM variables
of 16-bit size that are used internally by WDG Driver Component. This can be
located in data memory.

NOINIT_RAM_32BIT (Y3): This section consists of the global RAM variables
of 32-bit size that are used internally by WDG Driver Component. This can be
located in data memory.

•
X1, X2, Y1, Y2 and Y3 pertain to only WDG Component and do not
include memory occupied by Wdg_59_DriverA_PBCfg.c file generated
by Watchdog Driver Generation Tool.

•
User must ensure that none of the memory areas overlap with each other.
Even „debug‟ information should not overlap.

42

P1M Specific Information
Chapter 13

Chapter 13  P1M Specific Information

P1M supports following devices:

  R7F701304
  R7F701305
  R7F701310
  R7F701311
  R7F701312
  R7F701313
  R7F701314
  R7F701315
  R7F701318
  R7F701319
  R7F701320
  R7F701321
  R7F701322
  R7F701323

13.1.  Interaction Between The User And WDG Driver
Component

13.1.1. ISR Function Mapping Interrupt Vector Table

The table below provides the list of handler addresses corresponding to the
hardware unit ISR(s) in WDG Driver Component. The user should configure
the ISR functions mentioned below:

Table 13-1  Interrupt Vector Table

Interrupt Source
Name of the ISR Function
Autosar R4.0 only
WDG_59_DRIVERA_TRIGGERFUNCTION_ISR
EI level mask able interrupt
WDG_59_DRIVERA_TRIGGERFUNCTION_CAT2_ISR

13.1.2. Translation Header File

P1x_translation.h supports following devices:

  R7F701304
  R7F701305
  R7F701310
  R7F701311
  R7F701312
  R7F701313
  R7F701314
  R7F701315
  R7F701318
  R7F701319
43

Chapter 13 P1M Specific Information

 R7F701320
 R7F701321
 R7F701322
 R7F701323

13.1.3. Parameter Definition File
Parameter definition files support information for P1M
Table 13-2 PDF information for P1M
PDF files
Devices supported
701304, 701305, 701310, 701311, 701312, 701313,
R403_WDG_P1M_04_05_10_to_1
701314, 701315, 701318, 701319, 701320, 701321,
5_18_to_23
701322, 701323

13.2. Sample Application

13.2.1 Sample Application Structure

The Sample Application is provided as reference to the user to understand the
method in which the WDG APIs can be invoked from the application.

Generic

V850
RH850
AUTOSAR TYPES
COMPILER

TYPES





 Devices

 COMMON
P1x
STUB
STUB
STUB
STUB


Dem

Det
SchM

WdgIf

WDG
WDG


 Sample
Sample
Application
Application
STUB


Os




Figure 13-1 Overview Of WDG Driver Sample Application

The Sample Application of the P1M is available in the path

X1X\P1x\modules\wdg\sample_application

The Sample Application consists of the following folder structure

 X1X\P1x\modules\wdg\definition\<AUTOSAR_version>\<SubVariant>
 \ R403_WDG_P1M_04_05_10_to_15_18_to_23.arxml
 X1X\P1x\modules\wdg\sample_application\<SubVariant>\<AUTOSAR_version>

 \src\WDG_59_DriverA_PBcfg.c

 \inc\WDG_59_DriverA_cfg.h
44

P1M Specific Information
Chapter 13


                                       \config\App_WDG_P1M_701304_Sample.one
                                       \config\App_WDG_P1M_701304_Sample.arxml
                                       \config\App_WDG_P1M_701304_Sample.html
                                                                            \config\App_WDG_P1M_701305_Sample.one
                                       \config\App_WDG_P1M_701305_Sample.arxml
                                                                        \config\App_WDG_P1M_701305_Sample.html
                                       \config\App_WDG_P1M_701310_Sample.one
                                                                  \config\App_WDG_P1M_701310_Sample.arxml
                                       \config\App_WDG_P1M_701310_Sample.html
                                                                \config\App_WDG_P1M_701311_Sample.one
                                       \config\App_WDG_P1M_701311_Sample.arxml
                                       \config\App_WDG_P1M_701311_Sample.html
                                       \config\App_WDG_P1M_701312_Sample.one
                                                                            \config\App_WDG_P1M_701312_Sample.arxml
                                       \config\App_WDG_P1M_701312_Sample.html
                                                                        \config\App_WDG_P1M_701313_Sample.one
                                       \config\App_WDG_P1M_701313_Sample.arxml
                                                                  \config\App_WDG_P1M_701313_Sample.html
                                       \config\App_WDG_P1M_701314_Sample.one
                                                              \config\App_WDG_P1M_701314_Sample.arxml
                                       \config\App_WDG_P1M_701314_Sample.html
                                       \config\App_WDG_P1M_701315_Sample.one
                                       \config\App_WDG_P1M_701315_Sample.arxml
                                                                            \config\App_WDG_P1M_701315_Sample.html
                                       \config\App_WDG_P1M_701318_Sample.one
                                                                        \config\App_WDG_P1M_701318_Sample.arxml
                                       \config\App_WDG_P1M_701318_Sample.html
                                                                    \config\App_WDG_P1M_701319_Sample.one
                                       \config\App_WDG_P1M_701319_Sample.arxml
                                       \config\App_WDG_P1M_701319_Sample.html
                                       \config\App_WDG_P1M_701320_Sample.one
                                                                            \config\App_WDG_P1M_701320_Sample.arxml
                                       \config\App_WDG_P1M_701320_Sample.html
                                                                        \config\App_WDG_P1M_701321_Sample.one
                                       \config\App_WDG_P1M_701321_Sample.arxml
                                                                    \config\App_WDG_P1M_701321_Sample.html
                                       \config\App_WDG_P1M_701322_Sample.one
                                                                \config\App_WDG_P1M_701322_Sample.arxml
                                       \config\App_WDG_P1M_701322_Sample.html
                                                            \config\App_WDG_P1M_701323_Sample.one
                                       \config\App_WDG_P1M_701323_Sample.arxml
                                       \config\App_WDG_P1M_701323_Sample.html

In the Sample Application all the WDG APIs are invoked in the following
sequence

When DriverA (WDTA0) is selected:

•
The API Wdg_59_DriverA_GetVersionInfo is invoked to get the version of
the WDG Driver module with a variable of Std_VersionInfoType, after the
call of this API the passed parameter will get updated with the WDG Driver
version details.

•
The API Wdg_59_DriverA_Init is invoked with a valid database address for
45

Chapter 13 P1x Specific Information

the proper initialization of the WDG Driver, all the WDG Driver control
registers and RAM variables will get initialized after this API is called.

•
The API Wdg_59_DriverA_SetMode is invoked with the mode which needs
to be set, this API changes the mode of the Watchdog.

The API Wdg_59_DriverA_SetTriggerCondition initializes the trigger counter
global variable with timeout value divided by either usSlowTimeValue or
usFastTimeValue based on the current mode of Watchdog'.

13.2.2 Building Sample Application

13.2.2.1 Configuration Example
This section contains the typical configuration which is used for measuring
RAM/ROM consumption, stack depth and throughput details.

Configuration Details:
App_WDG_<SubVariant>_<Device_Number>_Sample.html

The <Device Number> indicates the device to be compiled, which can be
701304, 701305, 701310, 701311, 701312, 701313, 701314, 701315, 701318,
701319, 701320, 701321, 701322 and 701323.
Remark In this typical configuration, all the conversion modes available for WDG
Driver Component are configured so that each API‟s throughput analysis could
be performed. Throughput is measured by toggling a port pin before invoking
the API and again toggling the same port pin after the execution of the API.
Following Opbyte setting shall be followed:

If Variable activation code is enabled, Opbyte value = 0x71DF3FEB.
If Variable activation code is disabled, Opbyte value = 0x719F3FEB.
In debug mode unmask the reset using GHS command "target pinmask".

13.2.2.2 Debugging The Sample Application

GNU Make utility version 3.81 or above must be installed and available in the
path as defined by the environment user variable “GNUMAKE” to complete the
build process using the delivered sample files.

•
Open a Command window and change the current working directory
to”make”directory present as mentioned in below path:

“X1X\P1x\common_family\make\<Complier>”

Now execute the batch file SampleApp.bat with following parameters

SampleApp.bat Wdg < AUTOSAR_version> <Device_Name>

•
After this, the tool output files will be generated with the configuration as
mentioned in App_WDG_<SubVariant>_<Device_Number>_Sample.html
file available in the path:
“X1X\P1x\modules\wdg\sample_application\<SubVariant>\<AUTOSAR_ve
rsion>\config”.

•
After this, all the object files, map file and the executable file
46

P1M Specific Information
Chapter 13

App_WDG_P1M_Sample.out will be available in the output folder

(“X1X\P1x\modules\wdg\sample_application\<SubVariant>\obj\
<Complier>”).
 (Note: For example compiler can be ghs.)

•
The executable can be loaded into the debugger and the sample application
can be executed.

Remark Executable files with „*.out‟ extension can be downloaded into the target
hardware with the help of Green Hills debugger.

•
If any configuration changes (only post-build) are made to the ECU
Configuration Description files
“X1X\P1x\modules\wdg\<SubVariant>\<AUTOSAR_version>
\config\App_WDG_<SubVariant>_<Device_name>_Sample.html”

•
The database alone can be generated by using the following commands.
make –f App_WDG_<SubVariant>_Sample.mak generate_wdg_config
make –f App_WDG_<SubVariant>_Sample.mak
App_WDG_<SubVariant>_Sample.s37

•
After this, a flashable Motorola S-Record file
App_WDG_<SubVariant>_Sample.s37 is available in the output folder.

Notes:
1.
<Compiler> can be ghs.

2.
<Device_name> can be 701304, 701305, 701310, 701311, 701312,
701313, 701314, 701315, 701318, 701319, 701320, 701321, 701322
and 701323.

3.
<AUTOSAR_version> can be 4.0.3.

4.
<SubVariant> can be P1M

13.3. Memory and Throughput for R4.0.3

13.3.1 ROM/RAM Usage
The details of memory usage for the typical configuration provided in Section
13.2.2.1 Configuration Example are provided in this section.

Table 13-8 ROM/RAM Details Without DET

Sl. No ROM/R Segment Name
Size in
AM
bytes for
701312

1.
ROM
WDG59_A_PUBLIC_CODE_ROM
262

WDG_59_DRIVERA_FAST_CODE_ROM
98

WDG59_A_CFG_DBTOC_UNSPECIFIED
16
2.
RAM
NOINIT_RAM_UNSPECIFIED
5

47

Chapter 13     P1M Specific Information

The details of memory usage for the typical configuration, with DET enabled
and all other configurations as provided in 13.2.2.1 Configuration Example are
provided in this section.

Table 13-9  ROM/RAM Details With DET

Segment Name
Size in
Sl. No  ROM/R
bytes for
AM
701312
1.
ROM
WDG59_A_PUBLIC_CODE_ROM
4 56

WDG_59_DRIVERA_FAST_CODE_ROM
106

WDG59_A_CFG_DBTOC_UNSPECIFIED
16
2.
RAM
NOINIT_RAM_UNSPECIFIED
5

13.3.2  Stack Depth

The worst-case stack depth for WDG Driver Component is 12 bytes for the
typical configuration provided in Section13.2.2.1 Configuration Example.

13.3.3  Throughput Details

The throughput details of the APIs for the configuration mentioned in the
Section13.2.2.1 Configuration Example are listed here. The clock frequency
used to measure the throughput is 80MHz for all APIs.

Table 13-10
Throughput Details Of The APIs

API Name
Throughput in
Remarks
Sl.
microsecond
No.
for 701312
1.
Wdg_59_DriverA0.587
Timing is measured with
_Init

default mode as
WDGIF_SLOW_MODE
2.
Wdg_59_DriverA0.175
Timing is  measured
_SetMode

with default mode as
WDGIF_SLOW_MODE
3.
Wdg_59_Driver 0.137
-
A_SetTriggerCo
n dition
4.
Wdg_59_DriverA0.12
-
_GetVersionInfo
5.
WDG_59_DRIV 13.59
-
ERA_TRIGGER
FUNCTION_ISR

48

  Release Details
Chapter 14

Chapter 14  Release Details

WDG Driver Software R4.0.3
Version: 1.0.9

49

Chapter 14 Release Details

50

Revision History

Sl.No
Description
Version
Date
1.
Initial Version
1.0.0
18-Oct-2013
2
Following changes are made:
1.0.1
04-Feb-2014
1. In chapter 2, Reference Documents and Device manual
version changed.
2.100 pin Device names are added.
3. Compiler version and options are changed.
4. ROM/RAM table is updated for 100 pin device.
5. Sample application folder path is updated for 100 pin
device.
3
Following changes are made:
1.0.2
26-Sep-2014
1. In chapter 2, Reference Documents and Device manual
version changed.
2 .In chapter 13, translation header file that supports
P1M devices are listed.
3. In chapter 13, sample application structure is modified
according to P1M supporting devices.
4. In chapter 13, 13.1.2 ISR Function Mapping Interrupt
Vector Table and 13.1.3 Parameter Definition File are
added.
5. In chapter 13, Throughput details and ROM/RAM Usage
are added.
4.
Headers are corrected in chaper10 and 11.
1.0.3
21-Nov-2014
5.
Following changes are made:
1.0.4
28-Apr-2015
1. Updated Chapter 4.1 to add notes.
2. Updated Chapter 13 to add new device support.
3. Removed sections for Compiler, Linker and Assembler.
4. Updated Chapter 13.3 with memory and throughput
details.
51

AUTOSAR MCAL R4.0.3 User's Manual
WDG Driver Component Ver.1.0.4
Embedded User’s Manual

Publication Date: Rev.0.01, April 28, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

http://www.renesas.com
Refer  to "http://www.renesas.com/" for the latest  and  de  tailed  information.
Renesas  Electronics  America  Inc.
2880  Scott  Boulevard  Santa  Clara,  CA 95050-2554, U.S.A.
Tel:   +1-408-588-6000, Fax:  +1-408-588-6130
Renesas  Electronics  Canada  Limited
1101  Nicholson  Road,  Newmarket,  Ontario  L3Y  9C3,  Canada
Tel:  +1-905-898-5441, Fax:  +1-905-898-3220
Renesas  Electronics  Europe  Limited
Dukes  Meadow,  Millboard  Road,  Bourne  End,  Buckinghamshire, SL8  5FH,  U.K
Tel:  +44-1628-585-100, Fax:  +44-1628-585-900
Renesas  Electronics  Europe  GmbH
Arcadiastrasse 10,  40472  Düsseldorf,  Germany
Tel:  +49-211-65030, Fax:  +49-211-6503-1327
Renesas  Electronics  (China)  Co.,  Ltd.
7th  Floor,  Quantum  Plaza,  No.27  ZhiChunLu  Haidian  District,  Beijing  100083,  P.R.China
Tel:  +86-10-8235-1155, Fax:  +86-10-8235-7679
Renesas  Electronics  (Shanghai)  Co.,  Ltd.
Unit  204,  205,  AZIA  Center,  No.1233  Lujiazui  Ring  Rd.,  Pudong  District,  Shanghai  200120,  China
Tel:  +86-21-5877-1818, Fax:  +86-21-6887-7858 / -7898
Renesas  Electronics  Hong  Kong  Limited
Unit  1601-1613,  16/F.,  Tower  2, Grand  Century  Place,  193  Prince  Edward  Road  West,  Mongkok,  Kowloon,  Hong  Kong
Tel:  +852-2886-9318, Fax:  +852  2886-9022/9044
Renesas  Electronics  Taiwan  Co.,  Ltd.
7F,  No.  363  Fu Shing  North  Road  Taipei,  Taiwan
Tel:  +886-2-8175-9600, Fax:  +886  2-8175-9670
Renesas  Electronics  Singapore  Pte.  Ltd.
1 harbourFront Avenue,  #06-10,  keppel  Bay  Tower,  Singapore  098632
Tel:  +65-6213-0200, Fax:  +65-6278-8001
Renesas  Electronics  Malaysia  Sdn.Bhd.
Unit  906,  Block  B, Menara  Amcorp,  Amcorp  Trade  Centre,  No.  18,  Jln  Persiaran  Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel:  +60-3-7955-9390, Fax:  +60-3-7955-9510
Renesas  Electronics  Korea  Co.,  Ltd.
11F.,  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080,  Korea
Tel:  +82-2-558-3737, Fax:  +82-2-558-5141

© 2015 Renesas  Electronics  Corporation.  All rights reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User‟s Manual

Document Outline

26.4 - AUTOSAR_WDG_Tool_UserManual

AUTOSAR MCAL R4.0 User's Manual

26.5 - AUTOSAR_WDG_Tool_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32

26.6 - AUTOSAR_WDG_Tool_UserManuals

AUTOSAR MCAL R4.0.3
User’s Manual

WDG Driver Component Ver.1.0.2

Generation Tool User’s Manual

Target Device:
RH850/P1x

All information contained in these materials, including products and product specifications,
represents information on the product at the time of publication and is subject to change by
Renesas Electronics Corp. without notice. Please review the latest information published by
Renesas Electronics Corp. through various means, including the Renesas Electronics Corp.
website (http://www.renesas.com).

www.renesas.com
Rev.0.01 Apr 2015

2

Notice

1.
All information included in this document is current as of the date this document is issued. Such information, however, is subject to

change without any prior notice. Before purchasing or using any Renesas Electronics products listed herein, please confirm the latest

product information with a Renesas Electronics sales office. Also, please pay regular and careful attention to additional and different

information to be disclosed by Renesas Electronics such as that disclosed through our website.

2.
Renesas Electronics does not assume any liability for infringement of patents, copyrights, or other intellectual property rights of third

parties by or arising from the use of Renesas Electronics products or technical information described in this document. No license,

express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas

Electronics or others.
   3.
You should not alter, modify, copy, or otherwise misappropriate any Renesas Electronics product, whether in whole or in part.

4.
Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of

semiconductor products and application examples.  You are fully responsible for the incorporation of these circuits, software, and

information in the design of your equipment.  Renesas Electronics assumes no responsibility for any losses incurred by

you or third parties arising from the use of these circuits, software, or information.

5.
When exporting the products or technology described in this document, you should comply with the applicable export control laws

and regulations and follow the procedures required by such laws and regulations.  You should not use Renesas Electronics products

or the technology described in this document for any purpose relating to military applications or use by the military, including but

not limited to the development of weapons of mass destruction.  Renesas Electronics products and technology may not be used for or

incorporated into any products or systems whose manufacture, use, or sale is prohibited under any applicable domestic or foreign

laws or regulations.

6.
Renesas Electronics has used reasonable care in preparing the information included in this document, but Renesas Electronics does

not warrant that such information is error free.  Renesas Electronics assumes no liability whatsoever for any damages incurred by

you resulting from errors in or omissions from the information included herein.

7.
Renesas Electronics products are classified according to the following three quality grades:  "Standard", "High Quality", and

"Specific".  The recommended applications for each Renesas Electronics product depends on the product's quality grade, as indicated

below.  You must check the quality grade of each Renesas Electronics product before using it in a particular application.  You may

not use any Renesas Electronics product for any application categorized as "Specific" without the prior written consent of Renesas

Electronics.  Further, you may not use any Renesas Electronics product for any application for which it is not intended without the

prior written consent of Renesas Electronics.  Renesas Electronics shall not be in any way liable for any damages or losses incurred by

you or third parties arising from the use of any Renesas Electronics product for an application categorized as "Specific" or for which

the product is not intended where you have failed to obtain the prior written consent of Renesas Electronics.  The quality grade of

each Renesas Electronics product is "Standard" unless otherwise expressly specified in a Renesas Electronics data sheets or data

books, etc.

"Standard":
Computers; office equipment; communications equipment; test and measurement equipment; audio and visual

equipment; home electronic appliances; machine tools; personal electronic equipment; and industrial robots.

"High Quality": Transportation equipment (automobiles, trains, ships, etc.); traffic control systems; anti-disaster systems; anti- crime

systems; safety equipment; and medical equipment not specifically designed for life support.

"Specific":
Aircraft; aerospace equipment; submersible repeaters; nuclear reactor control systems; medical equipment or

systems for life support (e.g. artificial life support devices or systems), surgical implantations, or healthcare

intervention (e.g. excision, etc.), and any other applications or purposes that pose a direct threat to human life.

8.
You should use the Renesas Electronics products described in this document within the range specified by Renesas Electronics,

especially with respect to the maximum rating, operating supply voltage range, movement power voltage range, heat radiation

characteristics, installation and other product characteristics. Renesas Electronics shall have no liability for malfunctions or damages

arising out of the use of Renesas Electronics products beyond such specified ranges.

9.
Although Renesas Electronics endeavors to improve the quality and reliability of its products, semiconductor products have specific

characteristics such as the occurrence of failure at a certain rate and malfunctions under certain use conditions. Further, Renesas

Electronics products are not subject to radiation resistance design.  Please be sure to implement safety measures to guard them against

the possibility of physical injury, and injury or damage caused by fire in the event of the failure of a

Renesas Electronics product, such as safety design for hardware and software including but not limited to redundancy, fire control

and malfunction prevention, appropriate treatment for aging degradation or any other appropriate measures.  Because the evaluation

of microcomputer software alone is very difficult, please evaluate the safety of the final products or system manufactured by you.

10.
Please contact a Renesas Electronics sales office for details as to environmental matters such as the environmental compatibility of

each Renesas Electronics product.  Please use Renesas Electronics products in compliance with all applicable laws and regulations

that regulate the inclusion or use of controlled substances, including without limitation, the EU RoHS Directive.  Renesas Electronics

assumes no liability for damages or losses occurring as a result of your noncompliance with applicable laws and regulations.
   11.  This document may not be reproduced or duplicated, in any form, in whole or in part, without prior written consent of Renesas

Electronics.

12.
Please contact a Renesas Electronics sales office if you have any questions regarding the information contained in this

document or Renesas Electronics products, or if you have any other inquiries.


(Note 1)  "Renesas Electronics" as used in this document means Renesas Electronics Corporation and also includes its majority- owned

subsidiaries.

(Note 2)  "Renesas Electronics product(s)" means any product developed or manufactured by or for Renesas Electronics.

4

Abbreviations and Acronyms

Abbreviation / Acronym
Description
API
Application Programming Interface
AUTOSAR
AUTomotive Open System ARchitecture
BSWMDT
Basic Software Module Description Template
DEM
Diagnostic Event Manager
ECU
Electronic Control Unit
ID/Id
Identifier
MCAL
MicroController Abstraction Layer
MCU
MicroController Unit
WDG/Wdg
Watchdog Driver
WDTA
Window Watchdog Timer A
XML
eXtensible Mark-up Language

Definitions

Terminology
Description
BSWMDT File
This file contains Common Published Information of WDG driver.
ECU Configuration Description
Input file to WDG Driver Generation Tool. It is generated by ECU
File
Configuration Editor.
Sl.No.
Serial Number
Translation XML File
This file contains the translation and device specific header file path.

5

6

List of Figures

Figure 3-1 Overview of WDG Driver Generation Tool ................................................................ 13

List of Tables

Table 5-1 Output Files Description ............................................................................................ 17

8

Introduction Chapter 1

Chapter 1
Introduction

The Watchdog Driver provides services for initialization, changing the
operation mode and triggering the Watchdog.

The WDG Driver module comprises of two sections as Embedded Software
and the Generation Tool to achieve scalability and configurability.

The document describes the features of the WDG Driver Generation Tool.
WDG Driver Generation Tool is a command line tool that extracts information
from ECU Configuration Description File and BSWMDT File and generates
WDG Driver C Source and C Header files (Wdg_59_Driver<A>_Cfg.h and
Wdg_59_Driver<A>_PBcfg.c).

This document contains information on the options, input and output files of the
WDG Driver Generation Tool. In addition, this manual covers a step-by-step
procedure for the usage of tool. ECU Configuration Description File contains
information about WDG configuration.

Remark Based on the value for the parameter ‘VendorApiInfix’, WDG Generation Tool
generates Wdg_59_DriverA_Cfg.h and Wdg_59_DriverA_PBcfg.c files.
Hence in this document ‘Wdg_59_Driver<A>_Cfg.h and Wdg_59
_Driver<A>_PBcfg.c’ term is used.

1.1
Document Overview

This user manual is organized as given in the table below:

Section
Contents
Section 1 (Introduction)
Provides an introduction to the document and explains how information
is organized in this manual.
Section 2 (Reference)
Provides a list of documents referred while developing this document.
Section 3 (WDG Driver
Provides the WDG Driver Generation Tool Overview.
Generation Tool Overview)
Section 4 (Input Files)
Provides information about ECU Configuration Description File.
Section 5 (Output Files)
Explains the output files that are generated by the WDG Driver
Generation Tool.
Section 6 (Precautions)
Contains precautions to be taken during configuration of ECU
Configuration Description File.
Section 7 (User Configuration
Describes about user configuration validation done by the WDG Driver
Validation)
Generation Tool.
Section 8 (Messages)
Describes all the Error/Warning/Information messages of R4.0.3 which
helps the user to understand the probable reason for the same.
Section 9 (Notes)
Provides notes to help the user to understand this document better.

9

Chapter 1 Introduction

10

Reference
Chapter 2

Chapter 2
Reference

2.1
Reference Documents

The following table lists the documents referred to create this document:

Sl. No Title
Version
1.
Autosar R4.0
2.5.0

AUTOSAR_SWS_WatchdogDriver.pdf
2.
P1x Parameter Definition File
1.0.3
R403_WDG_P1M_04_05_10_to_15_18_to_23.arxml

2.2
Trademark Notice

Microsoft and Windows are trademarks/registered trademarks of Microsoft
Corporation.

11

Chapter 2
Reference

12

WDG Driver Generation Tool Overview
Chapter 3

Chapter 3
WDG Driver Generation Tool Overview

WDG Driver Generation Tool overview is shown below.

ECU

Configuration

Wdg_59_Driver<A
Description File,
WDG Driver
>_Cfg.h and
BSWMDT File,
Generation
Wdg_59_Driver<A
Translation XML
Tool
>_PBcfg.c
File and
Configuration
XML File

Figure 3-1 Overview of WDG Driver Generation Tool

WDG Driver Generation Tool is a command line tool that extracts, analyzes
the configuration details provided in the input file and validates correctness of
the data and provides scalability and configurability for WDG Driver module. It
accepts ECU Configuration Description File(s), BSWMDT File, Translation
XML File and Configuration XML File as input and displays appropriate
context sensitive error messages for wrong input and exits. Tool creates the
Log file (Wdg.log) that contains the list of Error/Warning/Information
messages in the output directory.

For the error free input file, the tool generates the following output files:
Wdg_59_Driver<A>_Cfg.h and Wdg_59_Driver<A>_PBcfg.c

Wdg_59_Driver<A>_Cfg.h will be compiled and linked with WDG Driver
Component. Wdg_59_Driver<A>_PBcfg.c will be compiled and linked
separately from the other C Source files and placed in flash.

Remark
•
In case of errors the generation tool returns a 1, in case of no errors the
generation tool returns a 0.

•
WDG Driver Generation Tool uses “Common Published Information” from
WDG module specific BSWMDT File. WDG module specific BSWMDT File
should not be updated manually since it is “Static Configuration” file.

13

Chapter 3 WDG Driver Generation Tool Overview

14

Input Files
Chapter 4

Chapter 4
Input Files

WDG Driver Generation Tool accepts ECU Configuration Description File(s),
BSWMDT File, Translation XML File and Configuration XML File as input.
WDG Driver Generation Tool needs information about WDG Driver module.
Hence ECU Configuration Description File should contain configuration of
WDG Driver module. Generation Tool ignores any other AUTOSAR
component configured in the ECU Configuration Description File. ECU
Configuration Description File can be generated using configuration editor.

ECU Configuration Description File must comply with AUTOSAR standard
ECU Configuration Description File format.

Remark The detailed explanation about the parameters and containers are found in
Parameter Definition File mentioned in the Reference Documents section.

15

Chapter 4 Input Files

16

Output Files
Chapter 5

Chapter 5
Output Files

WDG Driver Generation Tool generates configuration details in C Header and
C Source files (Wdg_59_Driver<A>_Cfg.h, Wdg_59_Driver<A>_PBcfg.c).

The content of each output file is given in the table below:

Table 5-1 Output Files Description

Output File
Details
Wdg_59_Driver<A
This file contains pre-compile time parameters. This file also contains the macro
>_Cfg.h
definitions for development error detect, version info API, compile switch to allow/
forbid disabling Watchdog Driver during runtime and Watchdog Driver Id. This file also
contains information for maximum Watchdog Timer timeout, Minimum Watchdog
Timer timeout, configuration set handles, resolution of Watchdog time out period and
Watchdog trigger mode.
Wdg_59_Driver<A
This file contains post-build configuration data.
>_PBcfg.c

Remark Output files generated by WDG Driver Generation Tool should not be modified
or edited manually.

17

Chapter 5 Output Files

18

Precautions
Chapter 6

Chapter 6
Precautions

•  ECU Configuration Description File and BSWMDT File must comply with
AUTOSAR standard for R4.0.3 ECU Configuration Description File and
BSWMDT File respectively.

•  The input file must contain WDG Driver, MCU Driver and DEM component
related configuration.

•  Default Translation XML File (Wdg_X1x.trxml) should be present in same
location of Wdg_X1x.exe when the variant specific trxml file is not given as
input in command line.

•  Default Configuration XML File (Wdg_X1x.cfgxml) must be present in same
location of Wdg_X1x.exe.

•  If Translation XML File is not provided on the command line,
Wdg_X1x.trxml  which is present in same location of Wdg_X1x.exe is
considered as ‘default’ Translation XML File.

•  If Configuration XML File is not provided on the command line,
Wdg_X1x.cfgxml which is present in same location of Wdg_X1x.exe is
considered as ‘default’ Configuration XML File.

•  Translation XML File should contain the file extension ‘.trxml’.

•  Configuration XML File should contain the file extension ‘.cfgxml’.

•  All the function names and the string values configured should follow C
syntax for variables. It can only contain alphanumeric characters and “_”. It
should start with an alphabet.

•  If the output files generated by WDG Driver Generation Tool are modified
externally, then they may not produce the expected results or may lead to
error/warning/Information messages.

•  Short Name for a container should be unique within a name space.

•  C Source and C Header files will be generated by the Watchdog Driver
Generation Tool based on the configuration of the parameters ‘VENDOR-
ID’ and ‘VENDOR-API-INFIX’ in the WDG Driver specific BSWMDT File.

•  An error free ECU Configuration Description File generated from
configuration editor has to be provided as input to the WDG Driver
Generation Tool. Otherwise Tool may not produce the expected results or
may lead to errors/warnings/information.

•  User has to make sure that the respective device specific configuration file
is used, otherwise Tool may not produce the expected results or may lead
to errors/warnings/information messages.

•  The description file should always be generated using AUTOSAR specified
configuration editor and it should not be edited manually.

Remark  Please refer the WDG Component User Manual for deviations from AUTOSAR
specifications, if any.

19

Chapter 6 Precautions

20

User Configuration Validation
Chapter 7

Chapter 7
User Configuration Validation

This section provides help to analyze the error, warning and information
messages displayed during the execution of WDG Driver Generation Tool. It
ensures conformance of input files with syntax and semantics. It also
performs validation on the input file for correctness of the data.

For more details on list of Error/Warning/Information messages that are
displayed as a result of input file validation, refer Chapter 8 “Messages”.

The Generation Tool displays errors or warning or information when the user
has configured incorrect inputs. The format of Error/Warning/Information
message is as shown below.

• ERR/WRN/INF<mid><xxx>: <Error/Warning/Information Message>.

where,
<mid>: 102 - WDG Driver Module Id (102) for user configuration checks.
000 - for command line checks.
<xxx>: 001-999 - Message Id.

• File Name: Name of the file in which the error has occurred.

• Path: Absolute Path of the container in which the parameter is present.

‘File Name’ and ‘Path’ need not be present for all Error/Warning/Information
messages.

21

Chapter 7 User Configuration Validation

22

Messages
Chapter 8

Chapter 8
Messages

The messages help to identify the syntax or semantic errors in the ECU
Configuration Description File. Hence it ensures validity and correctness of
the information available in the ECU Configuration Description File.

The following section gives the list of error, warning and information
messages displayed by the Generation Tool.

8.1  Error Messages

ERR102001: Number of fields is not same for the entity 'Structure Name'.

This error occurs, if the number of fields is not same in the structure that is to
be generated in the output file.

ERR102002: Field 'Field Name' is empty in the entity 'Structure Name'.

This error occurs, if the structure fields that are to be generated in the output
file are empty.

ERR102003: 'WDG Driver' Component is not present in the input file(s).

This error occurs, if WDG Driver Component is not present in the input ECU
Configuration Description File(s).

ERR102004: The parameter 'parameter name' in the container 'container
name' should be configured.

This error occurs, if any of the mandatory configuration parameter(s)
mentioned below is (are) not configured in ECU Configuration Description File.
The list of mandatory parameters with respect to container is listed below:

Parameter Name
Container Name
WdgDevErrorDetect

WdgDisableAllowed

WdgIndex

WdgVersionInfoApi
WdgGeneral

WdgVaryingActivationCodeMode

WdgTriggerLocation

WdgDeviceName

WdgInitialTimeout

WdgRunArea

23

Chapter 8
Messages

Parameter Name
Container Name
WdgMaxTimeout

WdgGeneral
WdgCriticalSectionProtection

WdgVersionCheckExternalModules

WdgClockRef

WdgRegReadBackEnable
WdgTriggerMode
WdgPublishedInformation
WdgClkSettingsFast
WdgSettingsFast
WdgClkSettingsSlow
WdgSettingsSlow
-
WdgSettingsOff
WdgDefaultMode
WdgSettingsConfig

ERR102005: The reference path <path> provided for the parameter
‘Parameter Name’ within the container ‘Container Name’ is incorrect.

This error occurs, if path provided for the reference parameters mentioned in
the below table are incorrect:

Parameter Name
Container Name
WdgClockRef
WdgGeneral
WDG_E_DISABLE_REJECTED
WdgDemEventParameterRefs
WDG_E_MODE_FAILED
WDG_E_TRIGGER_TIMEOUT
WDG_E_READBACK_FAILURE

ERR102006: The value configured for the parameter
‘WdgClkSettingsFast’ in the container ‘WdgSettingsFast’ and value of
the parameter ‘WdgClkSettingsSlow’ in the container ‘WdgSettingsSlow’
are same.

This error occurs, if the value configured for the parameter
WdgClkSettingsFast in the container WdgSettingsFast and value of the
parameter WdgClkSettingsSlow in the container WdgSettingsSlow are same.

ERR102007: The value configured for the parameter
‘WdgClkSettingsSlow’ in the container ‘WdgSettingsSlow’ is faster
(valid configuration should be WdgClkSettingsSlow > WdgSettingsFast)
than the value of the parameter ‘WdgClkSettingsFast’ in the container
‘WdgSettingsFast’.

This error occurs, if the value configured for the parameter
WdgClkSettingsSlow in the container WdgSettingsSlow is faster than the
value of the parameter WdgClkSettingsFast in the container
WdgSettingsFast.

ERR102008: The value of the parameter ‘WdgInitialTimeout’ is greater
than the value of the parameter ‘WdgMaxTimeout’.

This error occurs, if the value of the parameter WdgInitialTimeout is greater
than the value of the parameter WdgMaxTimeout.

24

Messages
Chapter 8

ERR102009: The value of the parameter ‘WdgDisableAllowed’ should
not be <false> since the value of the parameter ‘WdgDefaultMode’ is
configured as <WDGIF_OFF_MODE>.

This error occurs, if the value of the parameter WdgDisableAllowed is false
and the value of the parameter WdgDefaultMode is configured as
WDGIF_OFF_MODE.

ERR102010: The total instances of ‘WdgSettingsConfig’ container per
WDTA instance is more than <1>.

This error occurs, if the total instance of WdgSettingsConfig container per
WDTA instance is more than 1.

ERR102011: The macro definition <Macro name> is not found in
<Translation Header File name> translation C Header File. The macro
label format should be 'Macro format'.

This error occurs, if the macro definitions “RENESAS_ICWDTA<WDG
instance>NMI_IMR” and “RENESAS_ICWDTA<WDG instance>_IMR” are not
present in Translation Header File.

ERR102012: "DriverA" or "DriverB" WDG instance is not present in
input ECU Configuration Description File(s). "DEFINITION-REF" tags in
WDG specific ECU Configuration Description File should contain
"DriverA/ Wdg" or "DriverB/Wdg".

This error occurs, if “DriverA” or “DriverB” WDG instance is not present in
description file.

 Note: P1x device supports only one instance i.e. DriverA.

ERR102014: The reference to BSWMDT file 'MODULE-DESCRIPTION-
REF' should not refer to the same 'VendorApiInfix' for two different WDG
drivers. 'VendorApiInfix' should be unique for each hardware driver.

This error occurs, if the value of ‘VendorApiInfix’ is not unique for each
hardware driver.

ERR102015: The value configured for the parameter 'WdgIndex' is same
for all the configured WDG drivers. The value of WdgIndex should be
unique for each hardware driver.

This error occurs, if the value configured for the parameter WdgIndex is same
for all the configured WDG drivers.

ERR102016: The short name of the container ‘WdgSettingsConfig’
should be unique across the Drivers.

This error occurs, if the short name of WdgSettingsConfig container is not
same across the Drivers.

25

Chapter 8
Messages

ERR102017: The parameter 'WDG_E_READBACK_FAILURE' in the
container ‘WdgDemEventParameterRefs’ should be should be configured
since parameter 'WdgRegReadBackEnable' in container 'WdgGeneral' is
not configured as 'DISABLED'.

This error will occur, if the parameter 'WDG_E_READBACK_FAILURE' in
the container WdgDemEventParameterRefs’ is not configured when
parameter 'WdgRegReadBackEnable' in container 'WdgGeneral' is not
configured as 'DISABLED'.

8.2 Warning Messages

WRN102001: The value of the parameter 'WdgInitialTimeout' is
configured as <0> and 'WdgDefaultMode' is not configured as
<WDGIF_OFF_MODE>. Hence, Watchdog hardware will be enabled
directly after Wdg Module initialization and WDG counter will expire
after <calculated_value in msec>.

This warning occurs, if WdgInitialTimeout parameter is configured as 0 and
WdgDefaultMode is not configured as WDGIF_OFF_MODE.

8.3 Information Messages

INF102001: The duration of 75% of one WDG trigger cycle for slow mode
is <slow_time_value msec>.

This information occurs to provide 75% interrupt time for slow mode. In this
information message ‘slow_time_value’ will be evaluated as follows:

slow_value = Power factor from WdgClkSettingsSlow slow_time_value =
integer ((0.75((2slow_value)/clock))/1000)

INF102002: The duration of 75% of one WDG trigger cycle for fast mode
is <fast_time_value msec>.

This information occurs to provide 75% interrupt time for fast mode. In this
information message ‘fast_time_value’ will be evaluated as follows:

fast_value = Power factor from WdgClkSettingsFast fast_time_value = integer
((0.75((2fast_value)/clock))/1000)

26

  Notes


  Chapter 9

Chapter 9
Notes

“Generation Tool” and “Tool” terminologies are used interchangeably to refer
WDG Driver Generation Tool.

27

Chapter 9

Notes

28

Revision History

Sl.No. Description
Version
Date
1.
Initial Version
1.0.0
18-Oct-2013
2.
Following changes are made:
1.0.1
26-Sep-2014
1. Chapter 2 is updated for addition of PDF reference.
2. WdgRegReadBackEnable parameter is added in ERR102004 error
message table.
3. A note is added for ERR102012 error message.
4. WdgDemEventParameterRefs container and its parameters are added in
the table of error message ERR102005.
5. Error message ERR102017 is added newly.
6. Error messages ERR102015 and ERR102016 are rephrased.
7. Chapter 6 Precautions is updated.
3.
Following change is made:
1.0.2
28-Apr-2015
1. Updated Chapter 2 to add PDF reference.

29

AUTOSAR MCAL R4.0.3 User's Manual
WDG Driver Component Ver.1.0.2
Generation Tool User's Manual

Publication Date: Rev.0.01, April 28, 2015

Published by: Renesas Electronics Corporation

SALES  OFFICES

Refer  to
for the latest  and  detailed

SALES OFFICES
http://www.renesas.com
Renesas  Electronics America

2880
Ref   Sc
er  tot t
" B
htou
tp l
: e
// var
wwd
w S
.r ant
en a
e
s C
a lar
s.ca,
o   CA
m/"
for  the  latest  and
detailed information.
Tel:
Fax:

Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i Ca
cs  n
A ad
mea
ri ca Inc.
1101  N
2880  ic
S h
c ol
ot s
t  on
B  Road
oulev ,
ar N
d ew
Sam
nt ar
a  ket
Cl ,a O
ra nt
,  ar
CAi o  L3Y
9505
0 9C
-253,
5  4, U.S.A.
Tel
T :
el:   +1-408-588-60 Fa
00,  x:
F  ax:  +1-408-588-
6130
Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i Eur
cs  ope
Cana  da Limit
ed
Dukes
1101   M
N e
i adow
chols ,
o M
n  il
R lboar
oad,  d
N R
e oad
wm ,
a r B
k ou
et, r ne
O
nt E
a nd,
rio
L3Y  9C3,  Canada  SL8  5FH,
Tel
T :
el:  +1-905-898-5441, F
  a
F x:
a
x:  +1-905-898-3220
Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i E
c ur
s Eope
ur

ope Limited
Dukes  Me
1
adow 0,
,
M4047
illbo 2
a r D
d üs
R seldor
oad,  f,
B G
ouer
r m
ne  any
End,  Buckinghamshire, SL8  5FH,  U.K
Tel
T :
el:  +44-1628-585- Fa
10 x:
0, Fax:  +44-1628-585  -900
Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o cns
i (
c C
s h
  i
E na
ur )  C
ope o
  .,
G  mbH
7th
A  r F
c loor
adi ,
asQ
tr ua
as nt
s um
e 1
0,P
  laza,
40472 N
  o.
D 27
üs
s Z
elhi
d Chun
orf,  Lu
Ger H
m aidi
any an

  District,  Beijing  100083,

Tel
T :
el:  +49-211-65030, F F
a a
x:x:

+49-211-6503-13

27
Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i (S
cs ha
(Cngha
hina i
) ) Co
Co., .,
   Ltd.
Uni
7t t
h 204
  Flo ,  205,
or,  Q
u A
a ZI
nt A
umC
  en
Pl t
a er
z ,
a  ,  No.
N 1
o. 233
27
Z L
hiuj
Ciaz
h ui
un   Ri
Lu  n
Hg
ai Rd
dia .,
n  P
Diudong
strict,   D
Be istr
ijin ict
g  ,  Shangh
100083,  ai
P.   200120
R.China ,

Tel
T :
el:  +86-10-8235-11
F
55, a
  x:
Fa x:  +86-10-8235-76 /
79

Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i Ho
cs  n
( g
S   K
ha ong
n

ghai) Co.,
Ltd.
Unit
Uni 1601
t
-
204,161

3,
205,   16/
AZ F
I .
A ,   To
C w
ent er
er  , 2,

N G
o. rand
1233 C
  ent
Luji ur
az y
ui Pl
  a
Ri c
n e
g ,  193
Rd.,    P
P rince  E
udong   dw
Dis ar
tri d
c   R
t,   o
S ad
ha   W
ng es
ha ti,   Mongk
200120,ok
   ,
C K
hiow
na l oon,  Hong

Tel
T :
el:  +86-21-5877-18 Fa
18 x:
,
F+
a 85
x:  2
+86-21-6887-78

58 / -7898
Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i Tai
cs  w
H an
ong  C
Ko.,
ong  L
imited
7F,
UnN
it o.
    36
16
3
01
- Fu
161Shi
3,  ng
16/  N
F.,or
  t
T h
o  R
w oad
er

2, Tai
Gr pei,
and
  Century  Place,  193  Prince  Edward Road  West,  Mongkok, Kowloon, Hong  Kong
Tel
T :
el:  +852-2886-9318,  F
F a
a x:
x:
  +
+ 886
852
  2886-9022/
9044
Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i S
c i
s n
  ga
Tai p
w or
an e Pt
Co., e
  .
Ltd.
1 7F,  No.  363
A
Fu ven
Shi u
n e,
g   #06
Nort -10,
h  R   Kep
oad  p
T el
ai
p Ba
ei, y
TTo
ai w
w er,
an
  Singapore 098632
Tel
T :
el:  +886-2-8175- F
96 ax:
00
, Fax:  +886  2-

8175-9670
Ren
R esas
en
  E
esas  le
El ct
e r
c o
t n
r i
o c
ns
i M
cs al
Sa
i ysi
ngaa
pore Pte.  L
td.
Un
1 i t  906
harb ,  Bl
our o
F c
r k  B,
ont
A M
v e
e nar
nue a
,
# Amc
06- o
10 rp
,  ,
K  A
ep mc
pel o
  rp
Ba T
y  rade
Tow  C
er,en
  t
S r
i e,
n
g No.
apo  r 18
e  ,  Jl
09 n
86 Per
32  siaran Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,

Tel
T :
el:  +65-6213-0200,  Fa
Fa x:
x:
  +65-6278-8001
Ren
R esas
en
  E
esas  le
El ctr
ec o
t n
r i
o c
ns
i Ko
cs  re
M a
al
a Co.
ysi ,
a Sd
n.Bhd.
11F.
Un ,
i
t Sam
906,i k
B Lav
loc i
k e
  d'
B,  or
M  B
en ldg.
ar ,
a
  720
Amc -2
o
rp,  Amcorp  Trade  Centre,  No.
S
18, e
  oul
Jln   135
Per -
s 080
iara,
n Barat,  46050  Petaling  Jaya,  Selangor  Darul  Ehsan,  Malaysia
Tel
T :
el:  +60-3-7955-93 Fa
90, x:

Fax:  +60-3-7955-
9510

Renesas Electronics Korea  Co.,  Ltd.
11F.  Samik  Lavied'  or Bldg.,  720-2  Yeoksam-Dong, Kangnam-Ku, Seoul  135-080, Korea

Tel:  +82-2-558-3737, Fax:  +82-2-558-5141



© 2010 Renesas  Electronics  Corporation.  All rights

Colophon

© 2015  Renesas  Electronics  Corporation.  All rights  reserved.
Colophon  1.0

AUTOSAR MCAL R4.0.3

User’s Manual

Document Outline

26.7 - Wdg Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Wdg

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. Wdg_Renesas_Ar4.0.3_01.00.09_1

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3181

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

27 - Watchdog Interface

Watchdog Interface

Component Documentation

27.1 - S-WdgIf_ReleaseNotes

Release Notes

27.2 - S-WdgIf_ReleaseNotes_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15

27.3 - S-WdgIf_ReleaseNotess

Ensuring Reliable Networks

Safe Watchdog Interface
Release Notes

Author:
TTTech
Security:
Confidential
Document number:
D-SAFEX-RP-70-014
Document version:
3.3.6
Date:
24.04.2015
Status:
released
Review:
VLE

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any from or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no
further obligation in relation to this document.
Copyright © 2009, TTTech Automotive GmbH. All rights reserved. Subject to change and corrections

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  2

Revision Chart
A revision is a new edition of the document and affects all sections of this document.

Document  Date
Responsible Person
Modification
Version
1.0.0
14.12.2011
VLE
Initial version for the S-WdgIf Subpackage 1.2.0
1.0.1
09.02.2012
VLE
Macro checks implemented
1.0.2
09.03.2012
JDU
Increased Subpackage version number (due to
new config generator)
1.0.3
13.04.2012
VLE
Update due to Release 1.7.0
1.0.4
25.05.2012
VLE
Update due to Release 1.8.0
1.0.5
07.09.2012
PPU
Update due to Release 1.9.0
2.0.3
25.10.2012
PPU
Test release 2.0.3 to check the delivery
structure. This is NOT a customer release!
3.0.1
16.11.2012
PPU
WdgIf_GetTickCounter() API changed therefore
also the major version changed to 3.
3.1.0
11.01.2013
PPU
Generators works now with unsupported Wdg
Drivers
3.1.1
05.04.2013
JDU
Configuration generator update
3.1.5
29.11.2013
JDU
Configuration generator update
3.2.0
19.02.2014
PPU
Autosar 4 update and bug fixes, beta version
3.3.0
21.03.2014
PPU
Update and bug fixes for Autosar 4 environment
compatibility. Backward compatibility to Autosar
3.1 environment added too.
3.3.1
10.04.2014
PPU
Generator bug fix for Autosar compatible driver
3.3.2
27.05.2014
PPU
Release for the AUTOSAR 4.0 and AUTOSAR
3.1 compatible S-WdgIf module
3.3.3
14.08.2014
PPU
Safety Case document release
3.3.4
24.11.2014
PPU
Bugfix release for WdgIf embedded code
3.3.5
20.02.2015
PPU
Bugfix release, Generator only
3.3.6
24.04.2015
PPU
Bugfix release, Generator only
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  4
1
Overview
The Safe Watchdog Interface (S-WdgIf) is the middle layer of the Safe Watchdog Manager Stack. The
Safe Watchdog Manager Stack is part of the service layer of the AUTOSAR architecture. The Safe
Watchdog Interface abstracts one or more Safe Watchdog Driver modules for the Safe Watchdog Manager
module.

The Safe Watchdog Interface consists of
  embedded software module and
  configuration generator.

The Safe Watchdog Interface is compatible to the WdgIf module as specified in the AUTOSAR 4.0 and
AUTOSAR 3.1 specifications but not fully compliant. For deviations and justifications please see the S-WdgIf
User Manual.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  5
2
Content of the Module Release

Title
Version*)
Author
Description
WdgIf/
3.3.6
TTTech
S-WdgIf Module
  S-WdgIf_ReleaseNotes.pdf

  Description/
3.3.6
TTTech

  WdgIf_Bswmd_A4.arxml

AUTOSAR 4.x file
  WdgIf_Bswmd.arxml

AUTOSAR 3.y file
  Doc_SafetyCase/
1.2.0

  S-WdgIf_SafetyCase.pdf

Safety Case document
  Doc_SafetyManual/
1.8.9

  S-WdgIf_SafetyManual.pdf

  Doc_TechRef/
1.9.4
TTTech

  S-WdgIf_UserManual.pdf

User Manual
  Generator/
3.3.27
TTTech

  LICENSE

  Wdg_If_Cfg_Gen.exe

S-WdgIf Configuration Generator
  GenTool_Ead/
1.0.0
TTTech

  Identifier.xml

  Identifier_A4.xml

  Implementation/
3.3.6
TTTech

  WdgIf.c

Watchdog Interface Code
  WdgIf.h

Watchdog Interface Code
  WdgIf_Cfg.h

Watchdog Interface Code
  WdgIf_Types.h

Watchdog Interface Code
*) Bold/blue version numbers are new artefacts delivered in this release. The non-bold artefacts are the
previously released compatible artifacts. All artefacts listed here are consistent.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  6
3
Quality level of current release
The content of this release is configuration generator only. As the configuration generator has QM
quality, for an ASIL application the output of the generator need to be verified, see Safety Manual for
S-WdgIf,  D-SAFEX-S-70-005.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  7
4
Change history
This chapter describes the changes in each released version.

4.1
Changes with version 3.3.6
Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
76479  G

Safe Execution - WdgIF Generator - Error
S
when generating function names for AS3
drivers delivered by TTTech
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation
4.2
Changes with version 3.3.5
Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
44900  G

WdgIf: Multiple Wdg Modules and
S
WdgIfDevices are not allowed
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.3
Changes with version 3.3.4
Based on the ESCAN00079353 following changes in the S-WdgIf module was done:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
68905  E
wk44
AUTOSAR API –
S
Wdg_SetTriggerCondition has no
return value (ESCAN00079353)

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  8
69579  G
wk46
Mismatch re Vendor-ID and
S
WDGIF_USE_AUTOSAR_DRV_API is an
error condition
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.4
Changes with version 3.3.3
S-WdgIf module was not changed, only Safety Case document added.

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
65369  all

Release Management Tasks for 1.26.1 CW
S
31/2014

4.5
Changes with version 3.3.2
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
62326  all

Safe Execution Release 1.26.0 - Release
S
Management Tasks
(collection of issues for this release)

4.6
Changes with version 3.3.1
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
61768  G
Wk15
SafeExecution - Deactivate cross-cutting tests  S
to avoid problems with AS3-compatible Third-
Party Drivers

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  9

4.7
Changes with version 3.3.0
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
61023  G+E

Issue collection for Autosar4.x S-WdgM
S
issues and Autosar compatibility of the S-
WdgIf module.

4.8
Changes with version 3.2.0
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
59931  G+E

API and generator points for AUTOSAR 4,
S
reported by Vector

4.9
Changes with version 3.1.5
S-WdgIf module changes and corrections:

Issue
Area  Found
Issue title
Release
Nr.
in Wk
status
58478  G
Wk 48
MPC5643L_ATA5021 is no “third-party” driver  S
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.10  Changes with version 3.1.1
S-WdgIf module changes and corrections:

Issue
Area  Found
Issue title
Release
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  10
Nr.
in Wk
status
51694  G
Wk 5
`#include WdgIf.h` in `WdgIf_Lcfg.c`
S
52056  G
Wk 7
Avoid ugly linebreaks inside comments
S
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.11  Changes with version 3.1.0
S-WdgIf module changes and corrections:

Issue
Area  Found
Issue title
Release
Nr.
in Wk
status
50131  G
Wk45
WdgM and WdgIf config generators must
S
work together with unsupported Wdg Drivers
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.12  Changes with version 3.0.1
S-WdgIf module changes and corrections:

Embedded Code changes:
  [48993] WdgIf_GetTickCounter(ptr) API changed to WdgIf_GetTickCounter(void)

Generator changes:
  none

Documentation changes:
  Documentation updated according to [48993]

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  11
4.13  Changes with Release 1.9.0: S-WdgIf SubPackage 2.0.2
  Internal modifications to match AUTOSAR’s null pointer macro
4.14  Changes with Release 1.8.0: S-WdgIf SubPackage 1.4.0
  Internal modifications to match AUTOSAR’s null pointer macro
4.15  Changes with Release 1.7.0: S-WdgIf SubPackage 1.3.0
  Support for internal tick counter (provided by an S-Wdg driver)
4.16  Changes with Release 1.6.0: S-WdgIf Subpackage 1.2.1
  Internal modifications to config generator
4.17  Changes with Release 1.5.0: S-WdgIf Subpackage 1.2.0
  Checks for completeness of AUTOSAR macros (such as STD_ON) implemented
4.18  Changes with Release 1.2.0: S-WdgIf Subpackage
  This is the initial implementation of the Safe Watchdog Interface.

  The code generator for the S-WdgIf has no further changes in its hardware-independent part.

  The code generator for the S-WdgIf has implemented support for further hardware platforms and/or
changes in its hardware-specific part so that the S-WdgIf can be linked to a specific S-Wdg driver.
For further information please refer to the S-Wdg release notes.
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  12
5
Test status
Integration test of the generator were performed. A total of 93 integration test cases were executed.

All test results are positive.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  13
6
Known issues, limitations, updates
Known issues:
  No known issues.

Functional limitations of current version:
  No known limitations.
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  14
7
Differences to AUTOSAR specification
Depending on the configuration parameter ‘WdgIfUseAutosarDrvApi’ the  API to the Wdg driver is either
AUTOSAR or TTTech compatible. For details see S-WdgIf User Manual.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  15
8
Abbreviation and glossary
Acronym /
Term
Meaning
S-WdgIf
Safe Watchdog Interface (TTTech product, platform independent module)
S-Wdg
Safe Watchdog Driver (TTTech product, platform dependent module)
WdgIf
Watchdog Interface (module according AUTOSAR specification)
Wdg
Watchdog Driver (module according AUTOSAR specification)

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

27.4 - S-WdgIf_SafetyCase

Safety Case

27.5 - S-WdgIf_SafetyCase_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8

27.6 - S-WdgIf_SafetyCases

Ensuring Reliable Networks

Safe Watchdog Interface
Safety Case

Author:
TTTech
Reviewer(s):
PPU
Reference:
D-SAFEX-IN-70-002
Security:
Confidential
Version:
1.2.0
Date:
2014-11-20
Status:
Released

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no
further obligation in relation to this document.
Copyright © 2010, TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 2

Revision Chart
A revision is a new edition of the document and affects all sections of this document.

Version
Date
Responsible Person
Modification
0.1.0
2012-07-02
PPU
Creation
0.2.0
2012-07-19
PPU
Corrected ISO/DIS -> ISO
0.3.0
2012-09-27
PPU
Added S-WdgM Stack chapter
0.4.0
2012-10-01
PPU
Versions of artefacts updated
1.0.0
2012-10-01
PPU
Version of this document updated
1.0.1
2012-10-03
PPU
Document derived from common
Safety Case document ver. 1.0.0. It contains
now the S-WdgIf unit only.
Content against 1.0.0 not changed.
1.0.2
2012-10-04
PPU
In the chapter 2 the RAD reference removed
and the provided ISO lifecycles added.
1.0.3
2012-11-16
PPU
Update of the collected document versions.
1.0.4
2012-11-19
PPU
Update after issue50199.
1.0.5
2013-01-11
PPU
Update after second TÜV assessment
1.1.0
2014-07-28
VLE
Update of the collected document versions
(issue65369)
1.1.1
2014-08-13
VLE
Update after PPU review.
1.2.0
2014-11-20
VLE
Update of the collected document versions
(issue69469)

Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 4
1
Purpose of this Document
This document represents the safety case for the Safe Watchdog Interface unit. The Safe
Watchdog Interface is a part of the Safe Watchdog Manager Stack.

It references all relevant documents to provide evidence that the software units have been
developed according to ISO26262 requirements for an ASIL D software unit [ISO].

2
Software Safety Lifecycle Documentation
The software units represent SEooC units according to ISO26262. The following software safety
lifecycles were executed as part of the development process of the software units:

Concept phases:
  3-7 Hazard analysis and risk assessment *)
  3-8 Functional Safety Concept *)

Product development at the system level:
  4-6 Technical Safety Concept *)
  4-7 System Design *)

Product development at the software level:
  6-5: Initiation of product development at the software level *)
  6-8: Software unit design and implementation *)
  6-9: Software unit testing *)

Supporting processes:
  8-7 Configuration management
  8-8 Change management
  8-9 Verification
  8-10 Documentation
  8-11 Confidence in the use of software tools

*) As far as related to the S-WdgIf as SEooC

Part 6-6 deals with safety requirements, which are always defined on system level. For the
development of the SEooC, we have made assumptions on the safety requirements, which are
described in the corresponding SEooC safety manuals. The system integrator must verify that the
SEooC fits to the actual system safety requirements.

The other software safety lifecycle phases described by ISO26262 have to be executed by the
system integrator.

The following subsections list the software safety lifecycle artifacts of the software units:
Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 5
  Safety manuals as .pdf files,
  Source code delivered to customer as pointer to the code location,
  Requirement, design documentation, and test specification as references to the respective
documents in the MKS repository. They are identified by MKS document id and the document
version number,
  Test results as .doc or .pdf files

The customer delivery contains user manuals, safety manuals and source code. All other artifacts
can be audited by the customer on request – either on-site in TTTech Vienna development
location, or via teleconference (e.g. Webex).

The verification and confirmation measures as required by ISO26262 has been executed as
described in the Software Project Plan.

The evidence for the execution of all verification and confirmation measures as required by
ISO26262 are version-controlled in the following directory:
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/certification/sqa/s-wdgm/evidence

The conformity of the development processes of the S-WdgM Stack with ISO 26262 has
been assessed in a process audit [AUDIT_S-WdgM].

2.1
Safe Watchdog Interface
2.1.1  Software Requirements Document (SRD)
This document describes the software requirements for Safe Watchdog Interface. The SRD
represents the software unit high-level requirements as required by ISO 26262 – 6, clause 6.

Document Title
Safe Watchdog Interface - Software Requirements Document
Document Version
1.0.8
Document Number
D-SAFEX-S-70-002
Location
MKS 125936
Label
Release_1_26_3

2.1.2  Unit Design Document (UDD)
The UDD represents the software unit design specification as required by ISO 26262 – 6, clause 8.

Document Title
Safe Watchdog Interface - Unit Design Document
Document Version
1.0.9
Document Number
D-SAFEX-D-70-001
Location
MKS ID 125939
Label
Release_1_26_3
Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 6
2.1.3  Source Code
The source code of the software unit is written in the C programming language.
Title
Safe Watchdog Interface - Source Code
Version
3.3.6
Location
http://tttechsvn.vie.at.tttech.ttt/branches/For_SAFEEXE_SERIES_Release_1
_26_3/SW/msp-watchdog-if

The exact contents of the Source Code and configuration management tags are described in
[RAD].

The HIS metrics and the MISRA rule check are performed with the tool QA-C.
The HIS metrics report can be found in the folders
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-
documents/HIS_MISRA_checks/Release_1_26_3/S-WdgIf/
All HIS metrics violations are justified in the respective source files.

The results of the MISRA-check can be found in the folders
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-
documents/HIS_MISRA_checks/Release_1_26_3/S-WdgIf/
All violations are justified. The justifications are provided as comments in the respective source
files.

2.1.4  Unit Test Specification (UTS)
The UTS contains a detailed test specification of the software unit according to the requirements of
ISO 26262 – 6, clause 9 . The UTS demonstrates 100% requirements coverage.

Document Title
Safe Watchdog Interface - Unit Test Specification
Document Version
1.0.11
Document Number
D-SAFEX-V-70-002
Location
MKS ID 125942
Label
Release_1_26_3
2.1.5  Unit Test Report (UTR)
The UTR contains a detailed unit test report according to the requirements of ISO 26262 – 6,
clauses 8 and 9. The UTR shows that all tests and review procedures specified in the UTS passed
and that 100% MC/DC coverage is achieved.

Document Title
Safe Watchdog Interface - Unit Test Report
Document Version
1.0.5
Document Number
D-SAFEX-V-70-006
Location
\\fileserver.vie.at.tttech.ttt\projects\certification\tttech-
automotive\release\S-WdgM\S-WdgIf\UTR\UTR_WdgIf_D-SAFEX-V-70-
006_V_1_0_5\UTR_WdgIf_D-SAFEX-V-70-006_V_1_0_5.pdf

Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 7
2.1.6  Safety Manual (SM)
The Safety Manual (SM) contains the requirements for the integrator of the software unit. All
requirements described in this document must be followed. In specific, the SM describes for which
configuration (configuration parameters, used hardware, compiler and linker settings) the software
unit has been tested according to ISO 26262 requirements. Moreover, the SM describes which SW
safety lifecycle requirements and recommendations of ISO 26262 were not executed during the
development of the software unit. These requirements and recommendations have to be
considered by the integrator of the software unit.

Document Title
Safe Watchdog Interface - Safety Manual
Document Version
1.8.9
Document Number
D-SAFEX-S-70-005
Locations
MKS 232906
Label
Release_1_26_3

2.1.7  Event Tree Analysis (ETA)
The ETA is the event tree analysis that was performed as part of the Safe Watchdog Manager (S-
WdgIf ) software development according to the requirements and recommendations of ISO 26262

Document Title
Safe Watchdog Interface - Event Tree Analysis
Document Version
1.0.0
Document Number
D-SAFEX-S-70-012
Locations
MKS ID 263814
Label
Release_1_26_3

3
Summary
The evidence in sections
   “Software Safety Lifecycle Documentation”
and the assessment reports [AUDIT_S-WdgM] shows that the S-WdgIf unit has been developed as
a SEooC component according to ISO26262:2011 and can be used for up to ASIL D.

It is safe to integrate the SW unit into safety-related systems developed according to ISO
26262:2011, if the requirements that are described in the Safety Manual (SM) are fulfilled by the
system integrator.

4
Abbreviations and Glossary
Acronym / Term
Meaning
API
Application Programmer Interface
Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 8
Acronym / Term
Meaning
ASIL
Automotive Safety Integrity Level
HIS
Herstellerinitiative Software
ISO
International Standard
MC/DC
Modified Condition/Decision Coverage
MISRA
Motor Industry Software Reliability Association
MKS
MKS Integrity software tool made by MKS Software Inc.
SEooC
Safety Element out of Context according to ISO 26262-10
SW
Software Specification
5
References
5.1
Documents Available on Request
The following documents are not part of the customer delivery. The documents can be made
available in video conferences (e.g., WebEx) or in on-site audits at the development center of
TTTech in Vienna. If necessary, please contact the TTTech Automotive Support at
support@tttech-automotive.com.

[AUDIT_S-WdgM]
TÜV NORD – Institut für Fahrzeugtechnik & Mobilität,

A/
Report on the Functional Safety Audit for TTTech’s Safe Watchdog
Manager Stack (ISO 26262 / ASIL D)
1.  Report-No: 8109170322-B01, Version 1.0, 2012-07-18
2.  Report-No: 8109170322-B02, Version 1.0  2012-12-20

B/
Functional Safety Assessment Report of “Safe Watchdog Manager
Stack” conformity against ISO26262, ASIL D.
3.  Report-No: 8109170322-B04, Version 1.0 2013-02-25
[COMPL]
TTTech Computertechnik AG, ISO_DIS_26262_Compliance.xls, D-INT-CL-
70-001
[TT_ASDM_322]
TTTech Automotive GmbH, Automotive Software Development Manual,
V3.2.2, D-100-T-70-001

5.2
Other Documents
[ISO]
International Organization for Standardization, International Standard
ISO26262 Road vehicles – Functional safety (all parts), 2011

Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

27.7 - S-WdgIf_SafetyManual

Safety Manual

27.8 - S-WdgIf_SafetyManual_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48

27.9 - S-WdgIf_SafetyManuals

Ensuring Reliable Networks
Safe Watchdog Interface
Safety Manual

Author:
TTTech Automotive GmbH
Security:
Company Confidential
Document number:
D-SAFEX-S-70-005
Version:
1.8.9
Date:
22.05.2014
Status:
ALM_Published
MKS ID:
232906

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com

No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive GmbH. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive GmbH
undertakes no further obligation in relation to this document.

© 2014, TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections

TTTech Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 1
Revision History
30.05.2012 V1.0.0 Creation (based on MKS 185841)
27.06.2012 V1.1.0 Reviewed. Some information still open.
03.07.2012 V1.2.0 Added config generation and verification process
05.07.2012 V1.3.0 Added requirements from ETA and Check against System Specification
06.07.2012 V1.3.1 Ready for Release 1.8.2
13.08.2012 V1.3.2 Feedback from Hella-Audit, some texts more precise
10.09.2012 V1.3.3 Added chapter "S-WdgIf Generator - Verification".
13.09.2012 V1.3.4 Dissolved ETA section. Corrected review findings.
15.09.2012 V1.3.5 Safe Watchdog Interface ASIL Release
17.09.2012 V1.8.1 issue48784 (new version)
06.11.2012 V1.8.2 updated according to WdgIf_GetTickCounter() (issue49948)
07.11.2012 V1.8.3 updated after review (issue49948)
03.04.2014 V1.8.4 Update after customer review, changes summarised in the issue52277
24.04.2014 V1.8.5 Updated parts related to AS driver compatibility (issue62032:msg467581, issue59785)
Updated 240758: parameter WdgIfUseAutosarDrvApi
Updated 260205: added vendor ID (WD driver function names)
Added 555654: parameter WDGIF_USE_AUTOSAR_DRV_API
Updated 289398: API differences (WDGIF_USE_AUTOSAR_DRV_API)
Updated 234584, 235159, 283153: API compatibility
(WDGIF_USE_AUTOSAR_DRV_API)
Added 556326, changed 289394, 289398, 289412, 289455: Description of the <drv>
shortcut
Changed 233039, 234584, 235159, 283153: added vendor-id string
08.05.2014 V1.8.6 Updated according to the review remarks (issue62032:msg469458,
issue62032:msg469460)
12.05.2014 V1.8.7 Updated according to the review remarks (issue62032:msg472152)
14.05.2014 V1.8.8 Updated according to the review remarks (issue62032:msg473209)
22.05.2014 V1.8.9 Language Review (issue63157)

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH
TTTech Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 3

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 4
-
Category:
Comment
Keywords:

ID:
552152
LEGAL DISCLAIMER
THE INFORMATION GIVEN IN THIS SAFETY MANUAL IS GIVEN AS SUPPORT FOR THE
INTEGRATION OF THE TTTECH SAFETY MODULE INTO A SYSTEM ONLY AND SHALL NOT BE
REGARDED AS ANY DESCRIPTION OR WARRANTY OF A CERTAIN FUNCTIONALITY, CONDITION
OR QUALITY OF THE TTTECH SAFETY MODULE. THE RECIPIENT OF THIS SAFETY MANUAL MUST
VERIFY ANY FUNCTION DESCRIBED HEREIN IN THE REAL APPLICATION.

TTTECH PROVIDES THE SAFETY MANUAL FOR THE SAFETY MODULE "AS IS" AND WITH ALL
FAULTS AND HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE, ACCURACY OR COMPLETENESS, OR OF RESULTS
TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK, AS TO THE QUALITY, USE
OR PERFORMANCE OF THE SAFETY MANUAL, REMAINS WITH THE RECIPIENT. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW TTTECH SHALL IN NO EVENT BE LIABLE FOR ANY
SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT
NOT LIMITED TO LOSS OF DATA, DATA BEING RENDERED INACCURATE, BUSINESS
INTERRUPTION OR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF
THE USE OR INABILITY TO USE THE SAFETY MANUAL, EVEN IF TTTECH HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

TTTECH MAKES NO WARRANTY OF ITS PRODUCTS, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW DISCLAIMS ALL LIABILITIES OR
DAMAGES RESULTING FROM OR ARISING OUT OF THE APPLICATION OR USE OF THESE
PRODUCTS.

-
Category:
Comment
Keywords:

ID:
552151
Legal Notice
The information contained in this safety manual does not affect or change any General Terms and
Conditions of TTTech and/or any agreements existing between TTTech and the recipient regarding the
product concerned.

The reader acknowledges that this safety manual may not be reproduced, stored in a retrieval system,
transmitted, changed, or translated, in whole or in part, without the express written consent of TTTech.

The reader acknowledges that any and all of the copyrights, trademarks, trade names, patents (whether
registrable or not) and other intellectual property rights embodied in or in connection with this safety manual
are and will remain the sole property of TTTech or the respective right holder. Nothing contained in this
legal notice, the safety manual or in any TTTech web site shall be construed as conferring to the recipient
any license under any intellectual property rights, whether explicit, by estoppel, implication, or otherwise.

This safety manual and respective products are subject to change.

The product is only allowed to be used in the scope as described in section "System Assumptions". Please
note that based on the current state of the arts in science it is impossible to develop software that is bug-
free in all applications.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 5

Category:
Comment
Keywords:

ID:
552153
We Listen to Your Comments
If there is any information in this document that is wrong, unclear or missing?
Your feedback will help us to continuously improve the quality of this document. Please contact TTTech
Automotive GmbH support if you have questions, change requests or suggestions for improvement related
to the Safety Module or documentation. The TTTech Automotive GmbH support can be reached via the
following e-mail address: support@tttech.com.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 6
1  Introduction
1.1  Purpose of this Document
Category:
Comment
Keywords:

ID:
233001
This document is the Software Safety Manual for the software component Safe Watchdog Interface (S-
WdgIf). The S-WdgIf was developed by TTTech as an SEooC according to ISO 26262 (2011) for use in
safety related items up to ASIL D (see [ISO26262]). This document contains the requirements that have to
be satisfied to integrate and apply the S-WdgIf into a safety-related item.

-
Category:
Comment
Keywords:

ID:
233003
The S-WdgIf is a part of the S-WdgM Stack. It contains also a S-WdgIf Configuration Generator to generate
configuration dependent S-WdgIf code.

-
Category:
Comment
Keywords:

ID:
233005
This document contains the requirements that have to be met to:
  install the S-WdgIf Generator,
  generate the S-WdgIf code with the S-WdgIf Configuration Generator,
  integrate the S-WdgIf code into an AUTOSAR system, and
  to apply the S-WdgIf within an AUTOSAR system.

-
Category:
Comment
Keywords:

ID:
233019
Note: This document just describes requirements for the S-WdgIf. This document does not provide a full
description of how to create a safe system. For example, this document is not concerned with hardware
architectural metrics that may have an influence on software running on this hardware. These
considerations are not specific to the S-WdgIf and are thus beyond the scope of this manual.

-
Category:
Comment
Keywords:

ID:
559910
The S-WdgIf was developed according to AUTOSAR version 3.1.4 [AS_WDGIF_SWS_3_1] and AUTOSAR
version 4.0.1 [AS_WDGIF_SWS]. The S-WdgIf is compatible with both AUTOSAR versions but not fully
compliant. For the deviations see [TT_WDGIF_UM].

-
1.1.1  Target Audience and Responsibilities
Category:
Comment
Keywords:

ID:
233007
The requirements are intended for the (system) integrator, who is responsible for the generation of the S-
WdgIf configuration, the integration of the S-WdgIf in(to) a safety-related item and its application.

-
Category:
Requirement
Keywords:

ID:
233009
Label:

Safety relevant:

Related To:

Related To':

The integrator shall be an expert in the area of functional safety with deep knowledge of ISO 26262 (see
[ISO26262]). Moreover, the integrator needs to know:
  the AUTOSAR architecture,
  the ANSI C programing language, and
  the S-WdgIf User Manual [TT_WDGIF_UM]).

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 7

-
Category:
Comment
Keywords:

ID:
233011
The integrator shall ensure that all requirements defined in this Safety Manual are fulfilled in the integrated
item.

-
Category:
Requirement
Keywords:

ID:
233013
Label:

Safety relevant:

Related To:

Related To':

The integrator shall also follow the instructions in:
  the Safety Manual for the S-WdgM (see [TT_WDGM_SM]) and
  the Safety Manual for the used S-Wdg drivers (see the driver specific Safety Manual. Examples can be
found in section "References" at the end of this document) which describe the other parts of the S-
WdgM Stack.

-
1.1.2  Structure of this Document
Category:
Comment
Keywords:

ID:
233017
Requirements are explicitly marked as "Requirement" in this document. All requirements described in this
document shall be considered by the integrator. Explanatory text that does not represent an explicit
requirement is marked as "Comment".

-
Category:
Comment
Keywords:

ID:
554241
Note: Document items of the type "Comment" do not represent explicit action items for the integrator,
however, the integrator is advised to ensure that there are no contradictions between the comment and the
intended S-WdgIf usage.

-
Category:
Comment
Keywords:

ID:
554243
Comments related to a requirement are placed below the related requirement.

-
Category:
Comment
Keywords:

ID:
554242
Note: Requirements in this document shall be treated either as safety related or need not be treated as
safety related, depending on the S-WdgIf use case:
  If the S-WdgIf is used to monitor a safety related application then for each used S-WdgIf functionality all
corresponding requirements shall be treated as safety related.
  If the S-WdgIf is used to monitor a QM application then the SM requirements need not be treated as
safety related.

As a consequence, the field "Safety relevant" for each requirement is always empty.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 8

Category:
Comment
Keywords:

ID:
554244
The list shows some keywords used in requirements and their explanation:

Key Word
Description
must, shall, required, is responsible for, is the
Requirement is mandatory.
responsibility of
shall not
Requirement is a prohibition.
table 1


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 9
2  Terms
Category:
Comment
Keywords:

ID:
260274

A tool (like DaVinci Configurator Pro) that creates a Safe
Configuration Tool
Watchdog Interface configuration.
The escalation of a detected fault to the Watchdog by a
Error Escalation
Watchdog reset or omittance of the Watchdog trigger.
Safe Watchdog Driver
The lower and hardware dependent software layer of the S-

WdgM Stack. It controls the Watchdog device.
The middle and hardware independent software layer of the S-
Safe Watchdog Interface
WdgM Stack.
Safe Watchdog Interface
The part of the S-WdgIf code that is generated by the S-WdgIf
Configuration
Generator from an ECU description file.
A tool from TTTech that generates the S-WdgIf Configuration out
Safe Watchdog Interface
of an ECU description file. In this document the name is
Configuration Generator
abbreviated to "S-WdgIf Generator". The tool is part of the S-
WdgIf package.
The upper and hardware independent software layer of the S-
Safe Watchdog Manager
WdgM Stack. It communicates with the application through RTE.
The stack comprises the S-WdgM, the Safe Watchdog Interface
Safe Watchdog Manager Stack  and the Safe Watchdog driver(s).
A set of elements that relates at least a sensor, a controller and
System
an actuator with one another (see [ISO26262], part1). In this
document, the MCU is part of the system.
A Watchdog device is the hardware that provides the watchdog
Watchdog (device)
function. It can be an internal watchdog (on the MCU) or an
external device.
The "WD Mode" defines the period timeout. It is set with
WD Mode
WdgIf_SetMode () and can be "slow", "fast" or "off" (WD
disabled). Do not confuse with "WD Trigger Mode".
The "WD Trigger Mode" defines the WD trigger window (start and
WD Trigger Mode
length) together with the "WD Mode". It is set with
WdgM_SetMode ().
table 2


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 10
3  Notations
Category:
Comment
Keywords:

ID:
233039

Notation  Description
Italic text is a placeholder for a name or text pattern. E.g.: In Wdg_infix_Init (), the text infix is a
text
placeholder for the actual name of the used WD driver.
A placeholder with this name is interpreted as follows:
  In case of an AUTOSAR 3.1 environment, the placeholder infix stands for the name of
infix
the configured WD device.
  In case of an AUTOSAR 4.0 environment, the placeholder infix stands for the pattern
vendor-id_device-name, where vendor-id is the ID of the vendor of the WD driver and
device-name is the name of the configured WD device.
table 3


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 11
4  Abbreviations
Category:
Comment
Keywords:

ID:
233047

API
Application Programming Interface
ASIL
Automotive Safety Integrity Level
AUTOSAR
Automotive Open System Architecture
BSW
Basic Software (AUTOSAR term)
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECU
Engine Control Unit
ISO
International Organization for Standardization
MCU
Microcontroller Unit
MPU
Memory Protection Unit. Usually this is part of the Microcontroller.
MemMap
Memory Mapping (for Memory Management)
QM
Quality Managed (Software)
SM
Safety Manual
SPI
Serial Peripheral Interface (Module)
S-Wdg
Safe Watchdog Driver (from TTTech)
S-WdgM
Safe Watchdog Manager (from TTTech)
S-WdgIf
Safe Watchdog Interface (from TTTech)
The "S-WdgM Stack" comprises the S-WdgM, the S-WdgIf and the used Safe
S-WdgM Stack
Watchdog driver(s).
WD
Watchdog
WdgM
Watchdog Manager according to the AUTOSAR 4.0 specification
WdgIf
Watchdog Interface according to the AUTOSAR 4.0 specification
table 4


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 12
5  Safe Watchdog Interface Overview
Category:
Comment
Keywords:

ID:
233043
For an overview of and more details about
  the S-WdgIf,
  the other S-WdgM Stack components, and
  the S-WdgIf Generator
see the according user manuals and Safety Manuals:
  for the S-WdgM: [TT_WDGM_UM], [TT_WDGM_SM],
  for the S-WdgIf: [TT_WDGIF_UM] and this document, or
  for the S-Wdg drivers: the according Safety Manual.

See section "References" at the end of this document.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 13
6  System Assumptions
Category:
Comment
Keywords:

ID:
270643
The system assumptions are a subset of the S-WdgM system assumptions (see [TT_WDGM_SM]).

-
Category:
Comment
Keywords:

ID:
559912
The S-WdgIf is designed for integration into an AUTOSAR 3.1.4 and 4.0.1 system. However, it is not
restricted to these AUTOSAR versions. The software module can also be integrated into other versions of
AUTOSAR and other system SW architectures, provided that the integration related requirements listed in
the Safety Manual are met.

-
6.1  Assumptions in this Document
Category:
Comment
Keywords:

ID:
282959
The following requirements and comments are placed in the according context in this document. They may
be interpreted as system assumptions or not - depending on the circumstances the system is developed
and applied:

Requirement
Description
Quality level degradation by external interfaces to 3rd
260213, 234568, 235165, 237306
party modules. *1).
Quality level degradation by external interfaces to S-
260213
WdgM Stack modules *2).
236022
S-WdgIf functionality affected by other SW.
260197, 260217, 236258, 236382
WD driver and WD device.
236356
Memory sections, access rights.
236044, 237369, 236430, 236434
Memory corruption.
260205
External Interfaces.
table 5

*1) The 3rd party modules are not part of the S-WdgM Stack.
*2) The external interfaces between S-WdgM, S-WdgIf and S-Wdg do not have to be verified if:
  the modules are part of the same S-WdgM Stack release,
  the modules are not altered by the integrator, and
  the modules are integration tested by TTTech.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 14
7  S-WdgIf Function Requirements
Category:
Comment
Keywords:

ID:
270650
For the system requirements that the S-WdgM Stack fulfills, see[TT_WDGM_SM].

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 15
8  S-WdgIf Configuration
Category:
Comment
Keywords:

ID:
233053
The S-WdgIf Configuration is the part of the S-WdgIf code that is generated with the S-WdgIf Generator out
of a given ECU description file.
This section lists the safety requirements for the creation of a S-WdgIf Configuration.

-
Category:
Comment
Keywords:

ID:
233055
For a description of
  the configuration fields in the ECU description file and
  how to create S-WdgIf code out of the ECU description file
see [TT_WDGIF_UM].

-
8.1  Configuration Check-List
Category:
Comment
Keywords:

ID:
233059
The S-WdgIf Generator performs basic checks on the ECU description file when it generates the S-WdgIf
Configuration.
The following list provides instructions for manual checks of safety relevant configuration values that cannot
be performed by the S-WdgIf Generator.

-
8.1.1  General Requirements
Category:
Requirement
Keywords:

ID:
234105
Label:

Safety relevant:

Related To:

Related To':

The integrator shall set the configuration parameters according to the project specification.

-
Category:
Requirement
Keywords:

ID:
552162
Label:

Safety relevant:

Related To:

Related To':

The ECU description file that serves as input for the generation of the S-WdgIf Configuration files shall
comply to the AUTOSAR schema defined in comment 559910 above.

-
Category:
Comment
Keywords:

ID:
554249
Note: These are the AUTOSAR versions for which the S-WdgIf was developed and tested.

-
Category:
Comment
Keywords:

ID:
554878
The AUTOSAR version used for S-WdgIf integration tests is defined in [TT_WDGS_ITR].

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 16
8.1.2  Compiler Settings
Category:
Requirement
Keywords:

ID:
240758
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264807,__MKSID__264811,__MKSID__55284
3
The following fields in the ECU description file shall be "true" if the according feature shall be enabled,
otherwise "false":

Field
Feature
WdgIfVersionInfoApi
Enable Version API.
WdgIfDevErrorDetect
Enable Development error detection.
WdgIfUseAutosarDrvApi
Enable AUTOSAR compatible WD driver API.
table 6


-
Category:
Requirement
Keywords:

ID:
240769
Label:

Safety relevant:

Related To:

Related To':

If an internal HW tick counter is used, then the field WdgIfInternalTickCounterRef shall be defined such that
is refers to a WD driver, otherwise the field WdgIfInternalTickCounterRef is omitted.

-
Category:
Comment
Keywords:

ID:
240773
If WdgIfInternalTickCounterRef is a S-WdgIf information and refers to a WD driver, the driver must
  support an internal tick counter and
  its parameter WdgInternalTickCounter must be "true".

This is checked automatically by the S-WdgIf Configuration Generator.

-
8.1.3  Post Build Configuration and Application Settings
Category:
Comment
Keywords:

ID:
240764
This section provides a check list for the various aspects and configuration fields that must be considered
for post build configuration of the S-WdgIf.

-
Category:
Comment
Keywords:

ID:
240766
For further information on configuration fields see [TT_WDGIF_UM].

-
Category:
Requirement
Keywords:

ID:
260197
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the configuration has
  only one WD driver and
  only one WD device for the driver
defined.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 17
Category:
Comment
Keywords:

ID:
242221
The current implementation of the S-WdgM Stack supports only one WD device per WD driver. If configured
so, the S-WdgIf Generator yields an error message.

-
Category:
Comment
Keywords:

ID:
260225
As a consequence, the device index that is passed to the WD driver functions is always 0.

-
Category:
Requirement
Keywords:

ID:
260199
Label:

Safety relevant:

Related To:

Related To':

The integrator shall ensure that the names of the WD driver functions in the generated S-WdgIf
configuration match the actual names of the functions in the WD driver.

-
Category:
Requirement
Keywords:

ID:
260205
Label:

Safety relevant:

Related To:

Related To':

In case a Watchdog Driver is used that is not implemented by TTTech, the integrator shall make sure that
the WD driver supports the following functions:
  Wdg_infix_SetMode () and
  Wdg_infix_SetTriggerWindow () or Wdg_infix_SetTriggerCondition ().

-
Category:
Comment
Keywords:

ID:
260201
The S-WdgIf Generator fills the placeholder (infix) automatically.

-
Category:
Requirement
Keywords:

ID:
260217
Label:

Safety relevant:

Related To:

Related To':

If an internal HW tick counter is configured (i.e. WdgIfInternalTickCounterRef is defined),
then the integrator shall make sure that the WD driver supports the function Wdg_infix_GetTickCounter ().

-
Category:
Requirement
Keywords:

ID:
260213
Label:

Safety relevant:

Related To:

Related To':

In case a Watchdog Driver is used that is not implemented by TTTech, the integrator shall verify that the
functions that are offered by the WD driver (listed in section "Expected Interface", Comment 234584) and
called from the S-WdgIf do not degrade the quality level of the S-WdgIf below the required quality level.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 18
9  S-WdgIf Configuration Generator
Category:
Comment
Keywords:

ID:
234331
This section lists the safety requirements for the installation and application of the S-WdgIf Generator.

-
Category:
Comment
Keywords:

ID:
234333
For information on how to use the S-WdgIf Generator, see [TT_WDGIF_UM].

-
Category:
Comment
Keywords:

ID:
234335
Note: the S-WdgIf Generator is not ASIL-D and iIts output cannot be trusted. The generated files must be
verified manually as described in "S-WdgIf Generator - Verification".

-
9.1  S-WdgIf Generator - Installation
Category:
Requirement
Keywords:

ID:
234339
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf Generator is installed and used on a different OS than Windows 7 with Service Pack 1, the
integrator is responsible for ensuring that the change of the underlying OS does not affect the behavior and
output of the S-WdgIf Generator.

-
Category:
Comment
Keywords:

ID:
234341
The S-WdgIf Generator has been tested on Windows 7 with Service Pack 1.

-
9.2  S-WdgIf Generator - Application
Category:
Requirement
Keywords:

ID:
234345
Label:

Safety relevant:

Related To:

Related To':

The selected output path for the generated S-WdgIf code (runtime argument "OUTPUT-DIRECTORY") shall
be empty before the S-WdgIf Generator is started.

-
Category:
Comment
Keywords:

ID:
234347
If the output path is not empty, code from previous generation runs may be accidentally integrated into the
AUTOSAR system.

-
Category:
Comment
Keywords:

ID:
263318
The names of the generated files are listed on standard error (stdout).

-
Category:
Requirement
Keywords:

ID:
234349
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf Generator aborts the generation process with an error, the (partially) generated output files
shall not be used in an AUTOSAR system.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 19

-
Category:
Comment
Keywords:

ID:
234351
Error messages start with "Error" and they are displayed on standard error (stderr).
If successful, the S-WdgIf Generator returns error level 0, otherwise an error level higher than 0 is returned.

-
Category:
Requirement
Keywords:

ID:
234353
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf Generator displays a warning message, the integrator shall ensure that the cause of the
warning does not invalidate the generated S-WdgIf Configuration.

-
Category:
Comment
Keywords:

ID:
234355
Warning messages start with "Warning" and are displayed on standard error (stderr).
If successful (although with a warning), the S-WdgIf Generator returns error level 0, otherwise an error level
higher than 0 is returned.

-
Category:
Comment
Keywords:

ID:
234359
TTTech provides a sample demonstration configuration with four supervised entities. The files may be used
by the integrator, but they are intended for demonstration only.

-
Category:
Comment
Keywords:

ID:
234361
The S-WdgIf Generator is not configurable. The S-WdgIf Generator process is controlled by the input
arguments only.

-
9.3  S-WdgIf Generator - Verification
Category:
Comment
Keywords:

ID:
289334
This section describes how to verify the generated files manually.

-
Category:
Requirement
Keywords:

ID:
289342
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297368
Check that the set of generated files is complete. It consists of:
  WdgIf_Cfg_Features.h,
  WdgIf_Lcfg.h, and
  WdgIf_Lcfg.c.

-
9.3.1  Check of WdgIf_Cfg_Features.h
Category:
Requirement
Keywords:

ID:
289346
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264811
If - and only if - WdgIfVersionInfoApi in the ECU Description file is "true",
then WDGIF_VERSION_INFO_API shall be set STD_ON, otherwise STD_OFF.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 20
Category:
Requirement
Keywords:

ID:
555654
Label:

Safety relevant:

Related To:
__MKSID__552843
Related To':

If - and only if - WdgIfUseAutosarDrvApi in the ECU Description file is "true",
then WDGIF_USE_AUTOSAR_DRV_API shall be set STD_ON, otherwise STD_OFF.

-
Category:
Requirement
Keywords:

ID:
289352
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264807
If - and only if - WdgIfDevErrorDetect in the ECU Description file is "true",
then WDGIF_DEV_ERROR_DETECT shall be set STD_ON, otherwise STD_OFF.

-
Category:
Requirement
Keywords:

ID:
289356
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264814
If - and only if - an internal tick counter is referenced with WdgIfInternalTickCounterRef in the ECU
Description file,
then WDGIF_INTERNAL_TICK_COUNTER shall be set STD_ON, otherwise STD_OFF.

-
9.3.2  Check of WdgIf_Lcfg.h
Category:
Requirement
Keywords:

ID:
289360
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297372
The file shall contain a pre processor command as follows:

#define WDGIF_NUMBER_OF_WATCHDOGS 1


-
Category:
Comment
Keywords:

ID:
289362
In the current version of the S-WdgIf, the number of used watchdogs is restricted to one.

-
9.3.3  Check of WdgIf_Lcfg.c
Category:
Requirement
Keywords:

ID:
289388
Label:

Safety relevant:

Related To:

Related To':

The header file named "Wdg_infix.h" shall be included.

-
Category:
Comment
Keywords:

ID:
289390
In the current version of the S-WdgIf, the number of used WD drivers is restricted to one.

-
Category:
Requirement
Keywords:

ID:
289392
Label:

Safety relevant:

Related To:

Related To':

The file "WdgIf_Lcfg.h" shall be included.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 21

-
Category:
Requirement
Keywords:

ID:
289394
Label:

Safety relevant:

Related To:

Related To':
__MKSID__58842
The following structures shall be defined:
  "WdgIf_InterfaceFunctionsType infix_functions",
  "WdgIf_InterfaceFunctionsPerWdgDeviceType WdgIf_FunctionsPerWdg
[WDGIF_NUMBER_OF_WATCHDOGS]" (an array of structures), and
  "WdgIf_InterfaceType WdgIf_Interface".


-
Category:
Requirement
Keywords:

ID:
289406
Label:

Safety relevant:

Related To:

Related To':

The structures listed in 289394 above shall be memory mapped to
WDGIF_START_SEC_CONST_UNSPECIFIED.

-
Category:
Requirement
Keywords:

ID:
289398
Label:

Safety relevant:

Related To:

Related To':
__MKSID__55578,__MKSID__55580
The structure "infix_functions" shall contain the following field values (and in this order):
  "Wdg_infix_SetMode" and
  "Wdg_infix_SetTriggerWindow" if WDGIF_USE_AUTOSAR_DRV_API is set to STD_OFF and
"Wdg_infix_SetTriggerCondition" if WDGIF_USE_AUTOSAR_DRV_API is set to STD_ON.


-
Category:
Comment
Keywords:

ID:
289410
The fields refer to the functions of the used WD driver to set the WD trigger.

-
Category:
Requirement
Keywords:

ID:
289412
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297362,__MKSID__297324
The array WdgIf_FunctionsPerWdg shall contain a single array item with the following field values (in this
order):
  "&infix_functions" and
  "0".


-
Category:
Comment
Keywords:

ID:
289414
The value 0 refers to the position of each WD (starting with 0) assigned to the WD driver referred to by infix.
There is only one WD configurable for a driver.

-
Category:
Requirement
Keywords:

ID:
289455
Label:

Safety relevant:

Related To:

Related To':
__MKSID__55582,__MKSID__297312,__MKSID__239282
The structure WdgIf_Interface shall contain the following field values:
  "WDGIF_NUMBER_OF_WATCHDOGS",

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 22
  "WdgIf_FunctionsPerWdg", and
  "Wdg_infix_GetTickCounter" if - and only if - WDGIF_INTERNAL_TICK_COUNTER is set to STD_ON.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 23
10 Safe Watchdog Interface
Category:
Comment
Keywords:

ID:
234556
This section lists the safety requirements for the integration and application of the S-WdgIf code in/into an
AUTOSAR system.

-
10.1 API Specification
Category:
Comment
Keywords:

ID:
234560
This section describes the imported types and definitions and the expected interface. It also describes
safety related aspects of types, definitions and functions implemented in the S-WdgIf.
Some types, definitions and interfaces depend on the used S-WdgIf Configuration.

-
Category:
Comment
Keywords:

ID:
234562
For more information see [TT_WDGIF_UM].
For more information about types, definitions and functions implemented in the S-Wdg drivers, see the
Safety Manuals of the drivers. Safety Manuals and User Manuals of the drivers tested by TTTech can be
found in section "References" at the end of this document.

-
Category:
Comment
Keywords:

ID:
234564
For further requirements related to imported types, definitions and interfaces, see section "S-WdgIf
Integration" below.

-
Category:
Comment
Keywords:

ID:
234566
The integrator is responsible for the correct import of the types and definitions that are listed in section
"Imported Types and Definitions" below.

-
Category:
Requirement
Keywords:

ID:
234570
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct application of the interface functions.

-
Category:
Requirement
Keywords:

ID:
234572
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for ensuring that all external functions that are called from within the S-WdgIf
code are imported from the correct versions of AUTOSAR.

-
Category:
Comment
Keywords:

ID:
559643
For the supported AUTOSAR versions, see comment 559910 above.

-
Category:
Comment
Keywords:

ID:
546265
The external functions are defined in section "Expected Interface" below.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 24
Category:
Requirement
Keywords:

ID:
234574
Label:

Safety relevant:

Related To:

Related To':

The inclusion of AUTOSAR files or any other files different from S-WdgIf files shall not redefine any
identifier that is defined in the S-WdgIf code. E.g., redefinitions with #define macros.

-
Category:
Requirement
Keywords:

ID:
234568
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that no external interface of the S-WdgIf listed in this section degrades the quality
level of the S-WdgIf below the required quality level.

-
Category:
Comment
Keywords:

ID:
559038
The external interfaces are defined in section "Expected Interface" below.

-
Category:
Comment
Keywords:

ID:
234576
For example, if an external function of quality level ASIL C is called by the S-WdgIf, it degrades the quality
level of the S-WdgIf to ASIL C (if no precautions were taken), although the required quality level is ASIL D.

-
10.1.1
Expected Interface
Category:
Comment
Keywords:

ID:
234580
This section lists the external functions that are called by the S-WdgIf.

-
Category:
Comment
Keywords:

ID:
234582
For an overview of functions that are called by the S-WdgIf see [TT_WDGIF_UM].

-
Category:
Comment
Keywords:

ID:
234584
The following functions of the WD driver in the lower layer are called:

Function
Module
Wdg_infix_SetMode () *)
WD Driver
Wdg_infix_SetTriggerWindow ()
WD Driver
or Wdg_infix_SetTriggerCondition() **) ***)
table 7

*) If the function WdgIf_SetMode () is called with parameter DeviceIndex=i, then it calls the function that is
configured for the i-th WD - referred to by infix - in the S-WdgIf configuration for the configuration field
Wdg_infix_SetMode.

**) If the function WdgIf_SetTriggerWindow () or WdgIf_SetTriggerCondition () is called with parameter
DeviceIndex=i, then it calls the function that is configured for the i-th WD - referred to by infix - in the S-
WdgIf configuration for the configuration field Wdg_infix_SetTriggerWindow.

***) If the configuration parameter WdgIfUseAutosarApi is set to "true", then the S-WdgIf expects the WD
driver to provide the function Wdg_infix_SetTriggerWindow () (which is the AUTOSAR API compatibility
mode). Otherwise, the S-WdgIf expects the WD driver to provide the function

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 25
Wdg_infix_SetTriggerCondition () (which is the TTTech API compatibility mode).

-
Category:
Comment
Keywords:

ID:
235159
Some functions are called by the S-WdgIf depending on the compiler switches as listed here:

Compiler Switch
Function
Module
WDGIF_DEV_ERROR_DETECT is  Appl_Det_ReportError () *)
DET
set to STD_ON
WDGIF_INTERNAL_TICK_COUNTE Wdg_infix_GetTickCounter () **)
WD Driver
R is set to STD_ON
If set to STD_ON, then Wdg_infix_SetTriggerWindow ()
WDGIF_USE_AUTOSAR_DRV_API  is called, otherwise Wdg_infix_SetTriggerCondition () is WD Driver
called ***)
table 8

*) This is a wrapper function. See section "Implementation of Wrapper Function Appl_Det_ReportError ()"
below for information.

**) If the function WdgIf_GetTickCounter () is called with WDGIF_INTERNAL_TICK_COUNTER set to
STD_ON, then it calls the function that is configured in the S-WdgIf configuration for the configuration field
Wdg_infix_GetTickCounter.

***) WDGIF_USE_AUTOSAR_DRV_API is set to STD_ON for the AUTOSAR compatibility mode and set to
STD_OFF for the TTTech compatibility mode.

-
10.1.1.1
Implementation of Wrapper Function Appl_Det_ReportError ()
Category:
Comment
Keywords:

ID:
238269
The function Det_ReportError () may not meet the required quality level and need to be wrapped so that
freedom from interference with the S-WdgIf is guaranted. The according wrapper function is called
Appl_Dem_ReportError (). The S-WdgIf calls the function Appl_Dem_ReportError () instead of
Dem_ReportError ().

-
Category:
Comment
Keywords:

ID:
260666
Note: Det_ReportError () is only called if WDGIF_DEV_ERROR_DETECT is set to STD_ON.

-
Category:
Requirement
Keywords:

ID:
260664
Label:

Safety relevant:

Related To:

Related To':

The wrapper function Appl_Det_ReportError () shall be declared in a separate header-file named
Appl_Det.h. This header file shall include Det.h for the wrapped AUTOSAR function.

-
Category:
Requirement
Keywords:

ID:
235165
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that a call of this function does not degrade the S-WdgIf below the required
quality level.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 26
-
Category:
Comment
Keywords:

ID:
235862
For this reason, the integrator is advised to revise the necessity of the expected interfaces.

-
10.1.2
Imported Types and Definitions
Category:
Comment
Keywords:

ID:
235866
This section lists the types and definitions that are imported by the S-WdgIf.

-
Category:
Comment
Keywords:

ID:
235886
The following types and definitions are imported from Platform_Types.h and used:
Types:
uint8
uint16
uint32

-
Category:
Comment
Keywords:

ID:
235888
The following types and definitions are imported from Std_Types.h and used:
Types:
Std_VersionInfoType (only if WDGIF_VERSION_INFO_API is set to STD_ON)
Std_ReturnType
Definitions:
STD_ON
STD_OFF

-
Category:
Comment
Keywords:

ID:
235890
The following definitions are imported from "Compiler.h" and used:
Definitions:
AUTOMATIC
FUNC
NULL_PTR
P2CONST
P2FUNC
P2VAR
VAR

-
Category:
Comment
Keywords:

ID:
235892
The following definitions are imported from "Compiler_Cfg.h" and used:
WDGIF_APPL_DATA
WDGIF_CODE
WDGIF_CONST
WDGIF_APPL_CONST
WDGIF_VAR

-
Category:
Comment
Keywords:

ID:
235894
The following definitions are imported from "MemMap.h" and used:
In WdgIf.c:
WDGIF_START_SEC_CODE

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 27
WDGIF_STOP_SEC_CODE
In WdgIf_Lcfg.c:
WDGIF_START_SEC_CONST_UNSPECIFIED
WDGIF_STOP_SEC_CONST_UNSPECIFIED


-
10.1.3
Error Handling
Category:
Comment
Keywords:

ID:
235916
This section describes the error codes that are set by the S-WdgIf (using the DET mechanism) and the
return values from S-WdgIf API functions..

-
10.1.3.1
DET Errors
Category:
Comment
Keywords:

ID:
235920
DET Errors are intended to support the development of an application. During software development, the
compiler directive WDGIF_DEV_ERROR_DETECT is usually set to STD_ON. Once the software is safe
enough so that no further DET error can occur, the option is deactivated. For safety reasons the DET errors
that are returned by the S-WdgIf are listed here.

-
Category:
Comment
Keywords:

ID:
235896
If the compiler switch WDGIF_DEV_ERROR_DETECT is set to STD_ON, then the S-WdgIf reports the
following development errors using the function Appl_Det_ReportError ():

DET Error
Code
Description
A WD device is referenced that is not defined in the S-WdgIf
WDGIF_E_PARAM_DEVICE  0x01
configuration. *)
WdgIf_GetVersionInfo () is called with NULL-pointer as
WDGIF_E_PARAM_PTR
0x02
parameter.
table 9

*) Possible reasons are:
  the pointer to the WdgIf configuration is NULL,
  the device index is higher than the number of WDs in the WdgIf configuration, and
  the pointer to the referenced WD function is NULL.

The DET errors are defined in WdgIf.h.

-
Category:
Comment
Keywords:

ID:
235868
The definition WDGIF_E_PARAM_DEVICE is an AUTOSAR definition (see [AS_WDGIF_SWS]).
The definition WDGIF_E_PARAM_PTR is TTTech specific.

-
Category:
Requirement
Keywords:

ID:
235932
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for making sure that - once the compiler switch
WDGIF_DEV_ERROR_DETECT is set to STD_OFF - no error relevant to DET can occur.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 28

-
10.1.3.2
Return Values
Category:
Comment
Keywords:

ID:
235936
The following functions return E_NOT_OK in case an error occured:

Function
Comment
WdgIf_SetMode ()
DET error WDGIF_E_PARAM_DEVICE was reported or
the called function Wdg_infix_SetMode () of the WD driver returned
E_NOT_OK.
WdgIf_SetTriggerCondition ()  DET error WDGIF_E_PARAM_DEVICE was reported or
the called function Wdg_infix_SetTriggerWindow () of the WD driver
returned E_NOT_OK.
WdgIf_SetTriggerWindow ()
DET error WDGIF_E_PARAM_DEVICE was reported or
the called function Wdg_infix_SetTriggerWindow () of the WD driver
returned E_NOT_OK.
table 10


-
Category:
Comment
Keywords:

ID:
235938
The return codes are handled by the S-WdgIf function that calls one of the functions above.

-
10.2 Functional Specification
Category:
Comment
Keywords:

ID:
283401
A detailed functional specification of the S-WdgIf module is provided in [TT_WDGIF_UDD].

-
Category:
Requirement
Keywords:

ID:
236022
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for ensuring that the S-WdgIf functionality is not unintentionally affected by
other software (especially the AUTOSAR SW). This is, e.g., manipulation of local variables of S-WdgIf
functions.

-
Category:
Comment
Keywords:

ID:
287742
This includes:
  memory corruption (see section "S-WdgIf Application" below),
  source code modifications, and
  API function calls with wrong parameters.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 29

10.3 S-WdgIf Configuration
Category:
Comment
Keywords:

ID:
236026
The S-WdgIf has two kinds of configuration:
  pre-processor options and
  link-time configuration data.

-
Category:
Comment
Keywords:

ID:
236032
The pre-processor options are generated out of an ECU configuration using the S-WdgIf Generator (coded
in the generated file WdgIf_Cfg_Features.h).
They activate or deactivate certain S-WdgIf features and cannot be altered during runtime.
See section "S-WdgIf Configuration Generator" in this document for details on the S-WdgIf Generator and
its application.
See [TT_WDGIF_UM] for details on the pre-processor options.

-
Category:
Comment
Keywords:

ID:
236034
The link-time configuration data is also generated out of the ECU configuration using the S-WdgIf Generator
(coded in the generated files WdgIf_Lcfg.h and WdgIf_Lcfg.c).
The link-time configuration defines the used WD devices with links to the device specific functions and
cannot be altered during runtime.
See section "S-WdgIf Configuration Generator" above for details on the S-WdgIf Generator and its
application.
See [TT_WDGIF_UM] for more information about on the link-time configuration data.

-
Category:
Comment
Keywords:

ID:
236042
The integrator is responsible for generation and verification of configuration data as depicted in section "S-
WdgIf Configuration Generator" above.

-
Category:
Requirement
Keywords:

ID:
236044
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the configuration data is not altered, e.g. through erroneous HW.

-
Category:
Comment
Keywords:

ID:
236046
This can be realized - for example - with ECC ROM/FLASH checks, cyclical ROM/FLASH checks, and start
up ROM/FLASH checks.

-
10.4 File Structure
Category:
Comment
Keywords:

ID:
236055
For information about the S-WdgIf file structure see [TT_WDGIF_UM].

-
Category:
Comment
Keywords:

ID:
236057
The following table shows the files that are only included when the according compiler directive is set to
STD_ON:

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 30

Include File
Compiler Directive
Det.h
WDGIF_DEV_ERROR_DETECT
table 11


-
Category:
Comment
Keywords:

ID:
236061
See also the requirement 234574 for File inclusion.

-
10.5 S-WdgIf Integration
Category:
Comment
Keywords:

ID:
236065
This section describes how to integrate the S-WdgIf into a safety-relevant system.

-
Category:
Requirement
Keywords:

ID:
236240
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to demonstrate that the generated S-WdgIf configuration is sufficient
for the considered system.

-
Category:
Requirement
Keywords:

ID:
236256
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for a correct integration of the S-WdgIf code on the system level as described
in this section.

-
Category:
Requirement
Keywords:

ID:
236258
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that the chosen WD device(s), which is internal or external, meets the system's
safety requirements.

-
Category:
Comment
Keywords:

ID:
236260
For single oscillator MCU's (where the watchdog clock is derived from the CPU main clock) it is
recommended to use an external watchdog device with its own oscillator as well.

-
10.5.1
Import from AUTOSAR Definitions into S-WdgIf
Category:
Requirement
Keywords:

ID:
236264
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct implementation of all types and definitions that are imported
from AUTOSAR header files and used by the S-WdgIf code according to AUTOSAR specifications.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 31
Category:
Comment
Keywords:

ID:
554231
See also section "Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236266
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for providing the AUTOSAR header files for the import of the AUTOSAR types
and definitions.

-
Category:
Comment
Keywords:

ID:
236268
For a list of imported AUTOSAR types and definitions and the related header files, see section "Imported
Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236270
Label:

Safety relevant:

Related To:

Related To':

The inclusion of AUTOSAR header files into the S-WdgIf code shall not redefine any identifier that is
defined within the S-WdgIf code. This prohibits, for example, redefinitions with #define macros.

-
Category:
Requirement
Keywords:

ID:
236272
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for providing the correct code of used AUTOSAR functions. That is, correct in
version and functionality.

-
Category:
Comment
Keywords:

ID:
236274
For a list of used AUTOSAR functions, see section "Expected Interface" above.

-
Category:
Requirement
Keywords:

ID:
236276
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Std_Types.h according to the comments in section
"Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236278
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Platform_Types.h according to the comments in
section "Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236280
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Compiler.h and a file Compiler_Cfg.h according to the
comments in section "Imported Types and Definitions" above.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 32
Category:
Comment
Keywords:

ID:
236282
Note: Some other integrated products provide their own contents for Compiler_Cfg.h. They need to be
merged into the file Compiler_Cfg.h of the system.

-
Category:
Requirement
Keywords:

ID:
236284
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file MemMap.h according to the AUTOSAR
specifications.

-
Category:
Comment
Keywords:

ID:
236600
In contrast to the S-WdgM, there is no configuration dependent memory management. All memory
management definitions for the S-WdgIf are located in MemMap.h.

-
Category:
Comment
Keywords:

ID:
236286
Note: Some other integrated products provide their own contents for MemMap.h. They need to be merged
into the file Memmap.h file for the system.

-
Category:
Comment
Keywords:

ID:
236290
TTTech provides example files for
  MemMap.h (which includes the files WdgM_MemMap.h or WdgM_OSMemMap.h, and
Wdg_MemMap.h) and
  demo_MemMap.h (with the memory mapping definitions of the complete S-WdgM Stack).

-
Category:
Comment
Keywords:

ID:
561554
The file WdgM_MemMap.h is used in AUTOSAR 3.1 enviroments.
The file WdgM_OSMemMap.h is used in AUTOSAR 4.0 enviroments.

-
10.5.2
Memory Mapping
Category:
Comment
Keywords:

ID:
236350
This section lists the requirements for the memory mapping of the S-WdgIf data and code (including the
generated S-WdgIf code).

-
Category:
Requirement
Keywords:

ID:
236762
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the inclusion of the correct MemMap.h file into the S-WdgIf code.

-
Category:
Requirement
Keywords:

ID:
236356
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct assignment of S-WdgIf data and code (including the generated
S-WdgIf code) to the various memory sections according to the memory mapping keywords provided by the
S-WdgIf.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 33
Category:
Comment
Keywords:

ID:
236612
For the memory sections that are supported by the S-WdgIf see comment 235894 in section "Imported
Types and Definitions" above.

-
10.5.3
S-WdgIf Files
Category:
Requirement
Keywords:

ID:
236360
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297368
The integrator shall ensure that only
  files of a single delivered package and
  files generated with tools of this package
are installed.

These are the files:
  WdgIf_Cfg_Features.h (generated),
  WdgIf_Lcfg.h (generated),
  WdgIf_Lcfg.c (generated),
  WdgIf_Cfg.h,
  WdgIf_Types.h,
  WdgIf.h, and
  WdgIf.c.

-
10.5.4
Compilation and Linkage
Category:
Requirement
Keywords:

ID:
236366
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for compilation of the S-WdgIf code with a compiler that is compliant to ANSI
ISO/IEC 9899:1990.

-
Category:
Comment
Keywords:

ID:
236370
The generated code is compliant to ANSI ISO/IEC 9899:1990. It is also known as "ANSI C (C89)" and "ISO
C (C90)".

-
Category:
Requirement
Keywords:

ID:
236374
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for compilation and linkage of the S-WdgIf into the AUTOSAR system in
accordance with the system requirements.

-
Category:
Requirement
Keywords:

ID:
236378
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the compiled and linked target binary is correctly loaded into the target
system.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 34
-
10.5.5
S-WdgM Stack Requirements
Category:
Comment
Keywords:

ID:
555505
This section lists the requirements for the S-WdgM Stack that must be met for safe functioning of the S-
WdgIf.

-
Category:
Requirement
Keywords:

ID:
236382
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the S-WdgIf communicates with
  an internal WD device (MCU inside) or
  an external WD device.

-
Category:
Comment
Keywords:

ID:
558045
The communication between the S-WdgIf and the WD driver can be tested with negative integration tests.

-
Category:
Comment
Keywords:

ID:
236384
For ASIL C and D systems, it is recommended to use an external WD device with independent time based
clock, reset circuit and power path.

-
Category:
Comment
Keywords:

ID:
236386
See
  ISO 26262 (see [ISO26262], part 6, section 7.4.14, table 4/1d) and
  Microcontroller manufacturer recommendation(see e.g. [TI_SPNU511_UM] section 5.3.6).

-
Category:
Requirement
Keywords:

ID:
237306
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that the communication path to the external WD does not degrade the quality
level below the required quality level.

-
Category:
Comment
Keywords:

ID:
554234
The requirement 237306 above is only relevant when an external WD is used.
Note: The communication path to the external WD could be e.g. a SPI driver.

-
Category:
Requirement
Keywords:

ID:
237369
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the S-WdgIf program code - including configuration code - can not be
corrupted.

-
Category:
Comment
Keywords:

ID:
554832
This can be realized - for example - with ECC ROM/FLASH checks, cyclical ROM/FLASH checks, and start
up ROM/FLASH checks.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 35
10.6 S-WdgIf Application
Category:
Comment
Keywords:

ID:
236760
In contrast to the S-WdgM, the S-WdgIf API functions are not called from application level.
Except WdgIf_GetVersionInfo (), all S-WdgIf functions are called by the S-WdgM.
However, there are a few requirements to be considered on system level.

-
Category:
Comment
Keywords:

ID:
261300
The S-WdgIf does not alter data that is passed through from or to the S-WdgM.
Only the contents of the variable whose address is passed as parameter to WdgIf_GetVersionInfo () is
altered.

-
Category:
Requirement
Keywords:

ID:
236428
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for correct handling and escalation of errors detected by the S-WdgIf code via
DET monitoring.

-
Category:
Comment
Keywords:

ID:
236756
Returned error codes are handled by the caller of the function that returns a DET error.

-
Category:
Requirement
Keywords:

ID:
236430
Label:

Safety relevant:

Related To:

Related To':

The data that is used by the S-WdgIf, especially the S-WdgIf Configuration data, shall not be modified by
any other SW of the system.

-
Category:
Requirement
Keywords:

ID:
236432
Label:

Safety relevant:

Related To:

Related To':

It shall be considered that the S-WdgIf code has no mechanism for detecting and/or correcting the following
errors:
  corruption of the S-WdgIf memory for constants,
  corruption of the S-WdgIf code memory, and
  corruption of the S-WdgIf local RAM memory (i.e. the local variables placed on the stack).

-
Category:
Requirement
Keywords:

ID:
236434
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the address spaces that are listed in the requirement above and for
which the S-WdgIf offers no mechanism for error detection and error correction can not be corrupted.

-
Category:
Comment
Keywords:

ID:
236438
If a mechanism for detecting/correcting of such manipulations is implemented in the application level or
system level, then it should also cover the S-WdgIf code.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 36
10.6.1
S-WdgIf API Functions
Category:
Comment
Keywords:

ID:
262246
There are no function specific requirements for the S-WdgIf API functions, except WdgIf_GetVersionInfo ().
However, some requirements concern all functions need to be met.

-
Category:
Comment
Keywords:

ID:
262301
The considered API functions/macros are:
  WdgIf_Setmode (),
  WdgIf_SetTriggerCondition (),
  WdgIf_SetTriggerWindow (),
  WdgIf_GetTickCounter (), and
  WdgIf_GetVersionInfo () (macro).

-
Category:
Requirement
Keywords:

ID:
262242
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to verify the correctness of parameters passed to the S-WdgIf API
functions. Especially, that parameters are not modified when passed from S-WdgM API functions to S-
WdgIf API functions .

-
Category:
Requirement
Keywords:

ID:
262243
Label:

Safety relevant:

Related To:

Related To':

Some S-WdgIf API functions have a pointer to data as argument. The integrator is responsible that this data
is not modified by code other than the S-WdgM.

-
Category:
Comment
Keywords:

ID:
262244
This concerns WdgIf_GetVersionInfo ().
Note: A wrong pointer could cause data corruption inside of the module that calls this macro.

-
Category:
Requirement
Keywords:

ID:
262247
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for correct error escalation if a S-WdgIf API function returns E_NOT_OK.

-
Category:
Comment
Keywords:

ID:
262248
For the list of functions hat return E_NOT_OK, see comment 235936 in subsection "Return Values" in
section "Error Handling" above.

-
Category:
Requirement
Keywords:

ID:
262238
Label:

Safety relevant:

Related To:

Related To':

The integrator shall retrieve the current version of the S-WdgIf using WdgIf_GetVersionInfo () only.

-
Category:
Comment
Keywords:

ID:
262240
WdgIf_GetVersionInfo () is only available if WDGIF_VERSION_INFO_API is set to STD_ON.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 37

-
Category:
Requirement
Keywords:

ID:
265954
Label:

Safety relevant:

Related To:
__MKSID__263878
Related To':

WdgIf_GetVersionInfo () shall be called with a correct pointer (e.g. use a pointer of type
Std_VersionInfoType without a type cast).

-
10.6.2
Memory Access
Category:
Comment
Keywords:

ID:
236784
The S-WdgIf does not access the hardware registers directly. The hardware could be accessed by calls of
the S-Wdg driver functions. The access of registers by the S-Wdg driver is platform and implementation
dependent and "supervisor" or "privileged" MCU mode may be necessary.

-
10.6.3
Concurrent Function Calls
Category:
Comment
Keywords:

ID:
283153
The following table shows which functions may run concurrently:

figure 1

HW
The interruption is HW dependent and only allowed if interruption of the corresponding WD driver
function is allowed. The corresponding function is:
  for WdgIf_SetMode (): Wdg_infix_SetMode (),
  for WdgIf_SetTriggerCondition (): Wdg_infix_SetTriggerWindow () or
Wdg_infix_SetTriggerCondition () (depending on the AUTOSAR version)
  for WdgIf_SetTriggerWindow (): Wdg_infix_SetTriggerWindow () or
Wdg_infix_SetTriggerCondition () (depending on the AUTOSAR version)
  for WdgIf_GetTickCounter (): Wdg_infix_GetTickCounter ()

Y
Interruption is allowed

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 38
Y(ptr)   Interruption is allowed only if the pointers, given as an output parameter to the function, are
different
Y(reg)   Interruption is allowed only if the function Wdg_infix_GetTickCounter () is implemented as a pure
HW register read.
table 12


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 39
11 Safety Lifecycle Tailoring
Category:
Comment
Keywords:

ID:
234297
This section describes which phases of the S-WdgIf product safety lifecycle according to [ISO26262] were
executed by TTTech during the development and which phases have to be executed by the integrator.

-
Category:
Comment
Keywords:

ID:
234299
The S-WdgIf is a software unit representing a safety element out of context (SEooC) according to
[ISO26262], part 10. The SW requirements of the S-WdgIf are based on [AS_WDGIF_SWS] and
[TT_WDGIF_SRD] with deviations listed in [TT_WDGIF_UM]. The architectural design is documented in
[TT_WDGIF_UDD].

-
Category:
Comment
Keywords:

ID:
234301
The following ISO 26262 phases were executed by TTTech:
  3-7 (Hazard analysis and risk assessment *)),
  3-8 (Functional Safety Concept *)),
  4-6 (Technical Safety Concept *)),
  4-7 (System Design *)),
  6-5 (Initiation of product development at SW level),
  6-8 (Software unit design and implementation), and
  6-9 (Software unit tests).

*) As far as related to the S-WdgIf as SEooC.

All other ISO phases were not executed by TTTech and they are the responsibility of the integrator.

-
Category:
Requirement
Keywords:

ID:
234303
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262 phase 6-6 (Specification of SW safety
requirements) to identify the system's SW safety requirements.

-
Category:
Requirement
Keywords:

ID:
234305
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262 phase 6-7 (SW architectural design) that
covers S-WdgIf code.

-
Category:
Comment
Keywords:

ID:
234311
The S-WdgIf code does not impose any special restrictions on the SW architecture design except for the
requirements in this document.

-
Category:
Requirement
Keywords:

ID:
234313
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262, part 6, clause 8.4.5, b) to verify that the
software unit design of the S-WdgIf is complete with respect to the software safety requirements and the

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 40
software architecture through traceability

-
Category:
Requirement
Keywords:

ID:
234315
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO/DIS 26262 phase 6-10 (SW integration and testing) to
verify that S-WdgIf code is correctly integrated into the system.

-
Category:
Requirement
Keywords:

ID:
234319
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of phase ISO/DIS 26262 6-11 (Verification of SW safety
requirements) to verify the safety requirements that are related to the S-WdgIf code.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 41
12 Qualification
Category:
Comment
Keywords:

ID:
234207
The S-WdgIf has been developed according to the requirements in [ISO26262] as specified in section
"Safety Lifecycle Tailoring" above. It can be integrated in systems up to ASIL D, provided that all
requirements in this document are fulfilled.

-
Category:
Comment
Keywords:

ID:
234209
The hardware dependent qualification data for the S-WdgIf for each platform can be found in the S-Wdg
drivers' Safety Manuals.

-
Category:
Comment
Keywords:

ID:
234211
The S-WdgM Stack Safety Case [TT_WDGS_SC] lists all S-WdgIf qualification documents.

-
Category:
Comment
Keywords:

ID:
234213
The S-WdgIf unit tests are specified in [TT_WDGIF_UTS].
The S-WdgIf tests of the unit test framework are specified in [TT_WDGS_UTS].
The integration tests of the S-WdgM Stack are specified in [TT_WDGS_ITS].

-
Category:
Comment
Keywords:

ID:
260894
The environments and S-WdgIf Configurations of integration tests that have been conducted by TTTech
can be found in the Safety Manual of the various S-Wdg drivers (e.g. [TT_WDGDR_platform_SM], where
platform is the used platform. See also section "References" at the end of the document).

-
Category:
Requirement
Keywords:

ID:
234215
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the qualification of the S-WdgIf code for the used environment. This means
that the S-WdgIf code must be integration tested against this environment.

The environment comprises:
  the target CPU,
  the compiler and linker,
  the compiler and linker settings,
  S-WdgIf pre-compile configurations, and
  the used WDs and WD drivers.

-
Category:
Requirement
Keywords:

ID:
234217
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf is used in an environment that differs in any way from the environment it has been tested with
(according to [TT_WDGS_ITS] and [TT_WDGIF_UTS]), then the integrator shall analyze the consequences
of the differences and conduct corresponding tests (see [ISO26262] part 6, clause 9, in particular
[ISO26262] clause 9.4.6).

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 42
Category:
Comment
Keywords:

ID:
234219
TTTech offers qualification of the S-WdgIf for customer-specific configurations.

-
Category:
Requirement
Keywords:

ID:
265956
Label:

Safety relevant:

Related To:
__MKSID__263827,_
Related To':

_MKSID__263846,__
MKSID__263860
The integrator shall run integration tests with the generated configurations for S-WdgM and S-WdgIf.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 43
13 Resource Requirements
Category:
Comment
Keywords:

ID:
234197
The memory consumption and runtime consumption of the S-WdgIf depends on the chosen HW, which
itself is chosen by the used S-Wdg driver.
The resource requirements of the complete S-WdgM Stack can be found in the Safety Manual of the
according S-Wdg driver.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 44
14 Constraints and known Problems
Category:
Comment
Keywords:

ID:
290609
For known problems see the Release Notes document delivered with this software module.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 45
15 References
Category:
Comment
Keywords:

ID:
234117
[ISO26262] ISO26262, Internation Standard, Road vehicles- Functional safety, First edition 2011-11-15

-
Category:
Comment
Keywords:

ID:
234119
[TT_WDGM_SM] TTTech Automotive GmbH, Safe Watchdog Manager - Safety Manual, D-SAFEX-S-70-
001

-
Category:
Comment
Keywords:

ID:
234121
[TT_WDGDR_MPC56xx_SM] TTTech Automotive GmbH, Safe Watchdog Driver for MPC56xx - Safety
Manual, D-MSP-M-70-022

-
Category:
Comment
Keywords:

ID:
554844
[TT_WDGDR_SAFETCORE_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TriCore and
SafeTcore - Safety Manual, D-SAFEX-S-70-013

-
Category:
Comment
Keywords:

ID:
234125
[TT_WDGDR_TMS570LS3x_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TMS570LS3x -
Safety Manual, D-SAFEX-S-70-015

-
Category:
Comment
Keywords:

ID:
234123
[TT_WDGDR_V850E2PJ4_SM] TTTech Automotive GmbH, Safe Watchdog Driver for V850E2PJ4 - Safety
Manual, D-SAFEX-S-70-029

-
Category:
Comment
Keywords:

ID:
554842
[TT_WDGDR_TMS570LS_TPS65381_SM] TTTech Automotive GmbH, Safe Watchdog Driver for
TMS570LS_TPS65381 - Safety Manual,
D-SAFEX-S-70-038

-
Category:
Comment
Keywords:

ID:
554840
[TT_WDGDR_MPC5643L_ATA5021_SM] TTTech Automotive GmbH, Safe Watchdog Driver for
MPC5643L_ATA5021 - Safety Manual, D-SAFEX-S-70-049

-
Category:
Comment
Keywords:

ID:
234127
[TT_WDGS_SC] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Safety Case, D-SAFEX-IN-
70-001

-
Category:
Comment
Keywords:

ID:
234129
[TT_WDGM_UM] TTTech Automotive GmbH, Safe Watchdog Manager - User Manual, D-MSP-M-70-001

-
Category:
Comment
Keywords:

ID:
234131
[TT_WDGIF_UM] TTTech Automotive GmbH, Safe Watchdog Interface - User Manual, D-MSP-M-70-006

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 46
Category:
Comment
Keywords:

ID:
234133
[TT_WDGDR_MPC56xx_UM] TTTech Automotive Gmbh, Safe Watchdog Driver (MPC56xx) - User Manual,
D-MSP-M-70-008

-
Category:
Comment
Keywords:

ID:
234135
[TT_WDGDR_SAFETCORE_UM] Safe Watchdog Driver (SafeTcore) - User Manual, D-MSP-M-70-007

-
Category:
Comment
Keywords:

ID:
234137
[TT_WDGDR_TMS570LS3x_UM] TTTech Automotive GbmH, Safe Watchdog Driver (TMS570LS3x) - User
Manual, D-MSP-M-70-010

-
Category:
Comment
Keywords:

ID:
234143
[AS_WDGM_SWS] AUTOSAR, Specification of Watchdog Manager, Version 2.0.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234145
[AS_WDGIF_SWS] AUTOSAR, Specification of Watchdog Interface, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
559938
[AS_WDGIF_SWS_3_1] AUTOSAR, Specification of Watchdog Interface, Version 2.2.2, Release 3.1,
Revision 1

-
Category:
Comment
Keywords:

ID:
234147
[AS_WDGDR_SWS] AUTOSAR, Specification of Watchdog Driver, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
237766
[AS_RTE_SWS] AUTOSAR, Specification of RTE, Version 3.0.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234149
[AS_STDTYP_SWS] AUTOSAR, Specification of Standard Types, Version 1.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234151
[AS_COMABS_SWS] AUTOSAR, Specification of Compiler Abstraction, Version 3.0.0, Release 4.0,
Revision 1

-
Category:
Comment
Keywords:

ID:
234153
[AS_PLTFM_SWS] AUTOSAR, Specification of Platform Types, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234155
[AS_MEM_SWS] AUTOSAR, Specification of Memory Mapping, Version 1.2.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234177
[TI_SPNU511_UM] Texas Instruments, Safety Manual for TMS570LS31x/21x and RM48x Hercules™
ARM® Safety Critical Microcontrollers - User's Guide, Literature Number: SPNU511A, February 2012

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 47
15.1 Internal Documents
Category:
Comment
Keywords:

ID:
283409
The following referenced documents are internal TTTech Automotive GmbH document. For inspection,
please contact TTTech Automotive GmbH:

-
Category:
Comment
Keywords:

ID:
283417
[TT_WDGIF_ETA] TTTech Automotive GmbH, Safe Watchdog Interface - Event Tree Analysis, D-SAFEX-
S-70-012

-
Category:
Comment
Keywords:

ID:
283419
[TT_WDGIF_SRD] ] TTTech Automotive GmbH, Safe Watchdog Interface - Software Requirements
Document, D-SAFEX-S-70-002

-
Category:
Comment
Keywords:

ID:
283421
[TT_WDGIF_UDD] TTTech Automotive GmbH, Safe Watchdog Interface - Unit Design Document, D-
SAFEX-D-70-001

-
Category:
Comment
Keywords:

ID:
283423
[TT_WDGIF_UTS] TTTech Automotive Gmbh, Safe Watchdog Interface - Unit Test Specification, D-
SAFEX-V-70-002

-
Category:
Comment
Keywords:

ID:
283427
[TT_WDGS_UTS] TTTech Automotive Gmbh, Safe Watchdog Manager Stack - Unit Test Specification -
Test Framework, D-SAFEX-V-70-008

-
Category:
Comment
Keywords:

ID:
283425
[TT_WDGS_ITS] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test
Specification, D-SAFEX-V-01-001

-
Category:
Comment
Keywords:

ID:
554880
[TT_WDGS_ITR] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test Report, D-
SAFEX-V-01-002

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

27.10 - S-WdgIf_UserManual

Safe Watchdog Interface

27.11 - S-WdgIf_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21

27.12 - S-WdgIf_UserManuals

Safe Watchdog Interface
User Manual
Version:
1.9.4
Date:
21.05.2014
Document number:
D-MSP-M-70-006
TTTech Autom otive Gm bH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, support@tttech-automotiv e.com
The data in this document may  not be altered or amended without special notif ication f rom TTTech Automotiv e GmbH. TTTech Automotiv e GmbH
undertakes no f urther obligation in relation to this document. The sof tware described in it can only  be used if  the customer is in possession of  a general
license agreement or single license.
Using and copy ing is only  allowed in concurrence with the specif ications stipulated in the contract. Under no circumstances may  any  part of  this
document be copied, reproduced, transmitted, stored in a retriev al sy stem, or translated into another language without written permission of  TTTech
Automotiv e GmbH.
The names and designations used in this document are trademarks or brands belonging to the respectiv e owners.
© 2011 - 2014 TTTech Automotiv e GmbH. All rights reserv ed.                                                                                 Subject to changes and
corrections.
TTTech Automotiv e GmbH Conf idential and Proprietary  Inf ormation

Introduction
Page
3
1
Introduction
The Safe Watchdog Interface (S-WdgIf) is a part of the Safe Watchdog Manager
Stack.
Note: This is a user manual and does not cover safety-related topics. For safety-related
projects that need to fulfill ISO 26262 requirements, refer to the Safe Watchdog
Interface Safety Manual [5] 20 .
Note: The <infix> placeholder used in this document stands for the infix part of the
names of the Watchdog driver functions to which the S-WdgIf interfaces. Depending on
the version of the used AUTOSAR environment, the S-WdgIf can consist of the
following:
In AUTOSAR 4.0 compatible environment, the S-WdgIf consists of the vendor ID and
device name strings, where vendo ID is the ID of the vendor of the Watchdog driver
and device name is the name of the configured Watchdog driver device .
In AUTOSAR 3.1 compatible environment, the S-WdgIf consists of the device name
string, where device name is the name of the configured Watchdog driver device
2
Safe Watchdog Interface
2.1
Basic Functionality of the S-WdgIf
The S-WdgIf was developed according AUTOSAR version 4.0.1 [2] 20 and adapted for
the AUTOSAR 3.1.4 environment [1] 20 . The S-WdgIf is compatible with both
AUTOSAR versions, but not fully compliant. For the deviations, see section Deviations
from the AUTOSAR Watchdog Interface 5 .
The S-WdgIf is designed to be integrated into an AUTOSAR 3.1.4 and 4.0.1 system.
However, it is not restricted to this AUTOSAR version. The software module can also be
integrated into other versions of AUTOSAR and other system software architectures if
the integration related requirements listed in the Safe Watchdog Interface Safety
Manual [5] 20 are met.
The S-WdgIf provides a standard interface to all the configured watchdog devices. The
Safe Watchdog Manager (S-WdgM) accesses each configured watchdog through its
Device Index.
The S-WdgIf is hardware-independent and abstracts one or more Safe Watchdog
Driver modules for the S-WdgM. The S-WdgM calls the S-WdgIf with a device index
parameter (DeviceIndex). It is translated by the S-WdgIf into a S-Wdg driver
instance. If necessary, additional driver parameters are provided.
Figure 1 shows the layered structure of the S-WdgM. The attached watchdog devices
can be internal, external, or both.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
4
Applications
Safe Watchdog
Manager user API
BSW’s
System

API
Safe Watchdog
Manager
Safe
Watchdog
Safe Watchdog
Manager
Interface
Stack
Safe
Safe
Watchdog
Watchdog
Hardware
Driver 2
Driver 1
dependent
part
Software
Hardware
External
Internal
Watchdog
Watchdog
device
device

Fig. 1: Layered structure of the Safe Watchdog M anager
2.2
Extensions to the AUTOSAR Watchdog Interface
The S-WdgIf implements and extends the AUTOSAR Watchdog Interface module. It
implements the following two interfaces to the Watchdog Driver:
AUTOSAR-compatible interface
o Wdg_<infix>_SetTriggerCondition()
o Wdg_<infix>_SetMode()
TTTech-compatible interface
o Wdg_<infix>_SetTriggerWindow()
o Wdg_<infix>_SetMode()
Switching between the two interfaces with the watchdog driver is done by setting the
parameter
6
WdgIfUseAutosarDrvApi
in a correspoding way. For details, see
section Integration with Fully AUTOSAR Compliant Drivers 5 and the description of
parameter
6
WdgIfUseAutosarDrvApi
in section Configuration Parameters for
the S-WdgIf 5 .
Function WdgIf_GetTickCounter() is an additional extension to AUTOSAR,
providing
access
to
the
corresponding
S-Wdg
function
Wdg_<infix>_GetTickCounter(), if supported by the hardware and if the
configuration parameter
7
WdgIfInternalTickCounterRef
is set in a
correspoding
way.
For
details,
see
the
description
of
parameter
7
WdgIfInternalTickCounterRef
in section Configuration Parameters for the
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
5
S-WdgIf 5 .
2.3
Deviations from the AUTOSAR Watchdog Interface
For safety reasons, the S-WdgIf module should not depend on external modules. This is
why the AUTOSAR module Development Error Tracer (DET) is called in the
presence
of
development
errors
only
if
the
preprocessor
switch
8
WDGIF_DEV_ERROR_DETECT
 is set to STD_ON.
The S-WdgIf calls function
15
Appl_Det_ReportError()
in order to report
detected DET errors instead of calling function
15
Det_ReportError()
specified in
AUTOSAR. For details, see section Expected Interfaces 15 .
2.4
Integration with Fully AUTOSAR Compliant Drivers
In order to integrate the S-WdgIf with a fully AUTOSAR-compliant watchdog driver set
the configuration parameter
6
WdgIfUseAutosarDrvApi
to STD_ON. This will
result in the following:
The AUTOSAR Wdg_<infix>_SetMode() is called out of WdgIf_SetMode().
The
Wdg_<infix>_SetTriggerCondition()
is
called
out
of
WdgIf_SetTriggerCondition().
The
Wdg_<infix>_SetTriggerCondition()
is
called
out
of
WdgIf_SetTriggerWindow() as well, however, the parameter WindowStart is
not passed.
Note:
If
the
S-WdgM
is
the
caller
of
the
S-WdgIf
(i.e.,
function
WdgIf_SetTriggerWindow() is used to service the watchdog device), then the
parameter WindowStart (WdgMTriggerWindowStart) has no effect, because it
cannot be passed to an AUTOSAR-compliant driver. It is then good practice to set it to
0, because this would be the functional meaning of its absence.
For more information about the configuration parameter WdgIfUseAutosarDrvApi
6 , see section Configuration Parameters for the S-WdgIf 5 .
2.5
Configuration Parameters for the S-WdgIf
Parameter Name
WdgIfDeviceIndex
Path
WdgIf/WdgIfDevice/WdgIfDeviceIndex
Group
Watchdog device
Type
Integer
Range
0...65535
Compatibility
AUTOSAR
Description
Represents the Watchdog Device ID so that it can be
referenced by the S-WdgM.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
6
Parameter Name
WdgIfDriverRef
Path
WdgIf/WdgIfDevice/WdgIfDriverRef
Group
Watchdog device
Type
Reference
Range
n.a.
Compatibility
AUTOSAR
Description
Reference to the Watchdog driver of this Watchdog Device.
Parameter Name
WdgIfDevErrorDetect
Parameter Name
WDGIF_DEV_ERROR_DETECT
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfDevErrorDetect
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR
Description
Pre-processor switch for enabling the development error
reporting.
Parameter Name
WdgIfVersionInfoApi
Parameter Name
WDGIF_VERSION_INFO_API
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfVersionInfoApi
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR
Description
Pre-processor switch to enable/disable the service returning
the version information.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
7
Parameter Name
WdgIfUseAutosarDrvApi
Parameter Name
WDGIF_USE_AUTOSAR_DRV_API
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfUseAutosarDrvApi
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
TTTech
Description
Pre-processor  switch  to  enable/disable  the  use  of  fully
AUTOSAR-compliant driver API functions.
Parameter Name
WdgIfInternalTickCounterRef
Parameter Name
WDGIF_INTERNAL_TICK_COUNTER
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfInternalTickCounterRef
Group
Preprocessor
Type
Reference
Range
n.a.
Compatibility
TTTech
Description
If  this  parameter  references  a  driver  which  implements  an
internal
tick
counter
then
the
function

WdgIf_InternalTickCounter() is compiled and can
be  used  by  the  S-WdgM.  Otherwise  the  API  is  not
compiled. Note:  If a driver is selected, then it  must  support
the
internal
tick
counter,
and
its
parameter
WdgInternalTickCounter must be set to TRUE.
2.6
Configuring the S-WdgIf in the ECU Description File
Apart from the preprocessor options the user must add a WdgIfDevice  container  to
the  S-WdgIf  module  in  the  ECU  description  file.  This  container  has  two  attributes:
WdgIfDeviceIndex  shall  be  set  to  zero,  and  WdgIfDriverRef 6  points  must
be selected so that it points to the Watchdog driver being used.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
8
2.7
Preprocessor Options
Option
Description
WDGIF_DEV_ERROR_DETECT
Enables  or  disables  calls  to  DET  in  case  of
development
errors.
Corresponds
to
ECU
description option
6
WdgIfDevErrorDetect
.
STD_ON: Development errors are checked and
reported to DET
STD_OFF: Development errors are checked but
not reported to DET
WDGIF_VERSION_INFO_API
Enables the version info API for  compiling  (can be
disabled in order to save resources).  Corresponds
to
ECU
description
option

8
WdgIfVersionInfoApi
.
STD_ON: The S-WdgIf API for version information
is provided.
STD_OFF: The S-WdgIf API for version
information is not provided.
WDGIF_INTERNAL_TICK_COUNTER
Enables  or  disables  the  usage  of  an  internal  tick
counter  in  the  S-WdgIf.  Corresponds  to  ECU
description
option

8
WdgIfInternalTickCounterRef
.
If
a
driver  is  referenced  the  usage  of  an  internal  tick
counter is enabled, otherwise disabled.
WDGIF_USE_AUTOSAR_DRV_API
Enables  or  disables  the  use  of  fully  AUTOSAR-
compliant driver API functions.
STD_ON:
AUTOSAR-compliant
driver
API
functions  are  used.  Note:  The  parameter
WindowStart
(WdgMTriggerWindowStart) of the  S-WdgM
configuration is then ignored. Therefore, it is good
practice to set it to 0.
STD_OFF:  TTTech driver API functions are used.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
9
2.8
File Structure
Figure 2 gives an overview of the file structure of the S-WdgIf.

Fig. 2: File structure of the S-WdgIf
The  implementation  of  the  S-WdgIf  module  is  in  the  file  WdgIf.c.  File  WdgIf.c
provides  an interface  to  the  upper  layer,  the  S-WdgM,  and  includes  the  header  file
WdgIf.h.  The  header  files  WdgIf_Types.h  and  Std_Types.h  are  included
indirectly through the WdgIf.h.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page 10
File
Description
WdgIf_Types.h
S-WdgIf  and  common  Safe  Watchdog  Stack  type
definitions
WdgIf_Cfg.h
Pre-compile time definitions
MemMap.h
Is included directly in the  module  implementation files
to organize code, data and constants in the memory.
Appl_Det.h
Appl_Det.h is included instead of Det.h, because
the  reporting  of  development  errors  is  not  done  by
directly calling  the  DET service  Det_ReportError
15
()
,  but  by  calling  the  user-defined  service
Appl_Det_ReportError() 15 .
Note:  This  service  could  just  be  a  direct  call  to  the
external  module  DET,  but  could  also  perform  more
complex operations such as switching the  OS  context
before calling DET.
WdgIf_Lcfg.c and
These files contain the generated configuration.
WdgIf_Lcfg.h
WdgIf_Cfg_Features.h
Is generated and contains all preprocessor options for
the S-WdgIf module.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page 11
3
API Description
This section describes the types, functions and interfaces that are imported or provided
by the S-WdgIf software layer.
3.1
Type Definitions
This section describes the types of the parameters passed to the API functions of the
S-WdgIf.
Name
WdgIf_InterfaceFunctionsType
Type
Structure
Elements
Std_ReturnType (*
Pointer to the platform-specific SetMode
Wdg_SetMode) (uint8,
function
WdgIf_ModeType)
void (*
Pointer to the platform-specific
Wdg_SetTriggerWindow)
SetTriggerWindow function
(uint8, uint16, uint16)
Description
Provides pointers to the platform-specific APIs
Name
WdgIf_InterfaceFunctionsPerWdgDeviceType
Type
Structure
Elements
const
Pointers to the platform-specific
WdgIf_InterfaceFunctions
functions
Type* WdgFunctions
const uint8 WdgInstance
Index of the physical watchdog instance
within this platform
Description
Connects platform-dependent functions to a physical watchdog in
order to allow several watchdogs of the same platform to work
simultaneously (e.g., external watchdogs).
Name
WdgIf_InterfaceType
Type
Structure
Elements
const uint8 NumOfWdgs
Number of watchdogs supported in the
S-WdgIf
const
Reference to the functions and physical
WdgIf_InterfaceFunctionsPerW
watchdog indices
dgDeviceType*
WdgFunctionsPerDevice
#if
Function pointer to the
(WDGIF_INTERNAL_TICK_COUNTER
GetTickCounter driver function if the
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 12
== STD_ON)
internal tick counter is switched on
uint32 (*Wdg_GetTickCounter)
(void)
#endif
Description
Main S-WdgIf configuration structure.
Name
WdgIf_ModeType
Type
Enumeration
Range
WDGIF_OFF_MODE: Watchdog disabled
WDGIF_SLOW_MODE: Long timeout period (slow
triggering)
WDGIF_FAST_MODE: Short timeout period (fast
triggering)
Description
Mode of the Watchdog
3.2
S-WdgIf Functions
Syntax
Std_ReturnType WdgIf_SetMode
(uint8 DeviceIndex, WdgIf_ModeType Mode)
Service ID
0x01
[hex]
Sync/Async
Synchronous
Reentrant?
No
Parameters
DeviceIndex: Identifies the watchdog instance.
(in)
Mode: One of the following statically configured modes:
o WDGIF_OFF_MODE: Watchdog disabled
o WDGIF_SLOW_MODE: Long timeout period (slow triggering)
o WDGIF_FAST_MODE: Short timeout period (fast triggering)
Parameters
none
(in/out)
Parameters
none
(out)
Return value
E_OK: API finished successfully.
E_NOT_OK: An error occurred during execution.
Description
This function maps the SetMode service to the corresponding
physical watchdog implementation according to the parameter
DeviceIndex.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 13
Syntax
Std_ReturnType WdgIf_SetTriggerCondition
(uint8 DeviceIndex, uint16 Timeout)
Service ID[hex]
0x02
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
DeviceIndex: Identifies the watchdog instance.
Timeout: Timeout value in milliseconds for setting the trigger
counter.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
E_OK: API finished successfully.
E_NOT_OK: An error occurred during execution.
Description
This function maps the SetTriggerCondition service to
the corresponding physical watchdog implementation according
to the parameter DeviceIndex.
Syntax
Std_ReturnType WdgIf_SetTriggerWindow
(uint8 DeviceIndex, uint16 WindowStart,
uint16 Timeout)
Service ID[hex]
0x04
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
DeviceIndex: Identifies the watchdog instance.
WindowStart: Minimum time until next watchdog service is
allowed in milliseconds.
Timeout: Timeout value in milliseconds for setting the trigger
counter.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
E_OK: API finished successfully.
E_NOT_OK: An error occurred during execution.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 14
Description
This function maps the SetTriggerWindow service to the
corresponding physical watchdog implementation according to
the parameter DeviceIndex.
Syntax
void WdgIf_GetVersionInfo
(Std_VersionInfoType* VersionInfoPtr)
Service ID[hex] 0x03
Sync/Async
Synchronous
Reentrant?
No
Parameters (in) VersionInfoPtr: Pointer to where to store the version
information of this module.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
void
Description
This function is implemented as a macro and returns the version
information about this module. This function is only enabled if the
preprocessor switch WDGIF_VERSION_INFO_API 8 is
STD_ON.
Syntax
uint32 WdgIf_GetTickCounter (void)
Service ID[hex]
none
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
TickCounter: Pointer to where to store the tick counter
value provided by the driver.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
The current hardware tick counter of type uint32.
Description
This function returns the current hardware tick counter.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 15
3.3
Expected Interfaces
This section describes the expected interfaces to external modules used by the S-WdgIf
and their activation conditions.
Function
Description
Appl_Det_ReportError()
If the preprocessor option
8
WDGIF_DEV_ERROR_DETECT
is set to
STD_ON, the S-WdgIf references the function
Appl_Det_ReportError() of the DET
API.
Note: If the pre-compiler option
WDGIF_DEV_ERROR_DETECT is set to
STD_OFF, the S-WdgIf is self-contained and
does not call any functions from external
modules.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 16
4
S-WdgIf Configuration
This section describes the configuration of the S-WdgIf.
4.1
Link Time Configuration
The link time configuration for the S-WdgIf is configured in the ECU description file, e.g.,
by a tool such as DaVinci Configurator Pro . Basically, link time configuration
contains all information needed for mapping each underlying watchdog driver to a
device index. The configuration can be generated by the S-WdgIf configuration
generator, described in section The S-WdgIf Configuration Generator 16 .
4.2
S-WdgIf Configuration Generator
The S-WdgIf generator is a Microsoft Windows console application that can be
launched from a command prompt window by entering the command
Wdg_If_Cfg_Gen.exe. The S-WdgIf generator reads the S-WdgIf module
information from the AUTOSAR ECU description file (*.arxml) and generates
configuration structures for the S-WdgIf.
Note: Alternatively, you can use the DaVinci Configurator from Vector Informatik
GmbH.
To use the S-Wdg generator, enter the following command in a command prompt
window:
Wdg_If_Cfg_Gen.exe [options] <ECU-DESC-FILE> <OUTPUT-DIR>
<BSWMD_DIR>
[options]
Description
--version
Show the application version number and exits.
-h/--help
Shows this help message and exits.
Parameter
Description
<ECU-DESC-FILE>
The ECU description file (*.arxml). It is generated by
a development tool (e.g.,from the DaVinci tool chain).
<OUTPUT-DIR>
The destination folder for the generated output. You
must specify this parameter.
<BSWMD_DIR>
The directory in which the Configuration Generator
recursively searches for the BSWMD file(s) that
describe the used Watchdog drivers.
The respective configuration for the S-WdgIf is exported to two files:
WdgIf_Lcfg.c
WdgIf_Lcfg.h
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

S-WdgIf Configuration
Page 17
4.3
Error Messages
The generator will show an error message in the command prompt window and quit if
something goes wrong during configuration generation.
4.3.1
Basic Errors
Error
Error Message
No.
1
Bad call syntax.
2
Cannot open ECU description file `%s`.
3
Cannot convert float parameter `%s/%s` to an Watchdog ticks.
4
Cannot convert `%s` to a numerical value.
5
Fatal error.
6
Method `%s` must be implementd by subclass of `%s`.
7
Missing WdgM data.
4.3.2
Semantic Errors
Error
Error Message
No.
1007
Missing non-zero value for `RTICLK_khz`.
1008
Non-supported platform `%s`.
1009
%s platform: Bad WDGIF_SLOW_MODE configuration:
InitialTimeout_ms = %d > %d = SlowModeMax_ms.
1010
%s platform: Bad WDGIF_SLOW_MODE configuration:
InitialWindowStart_ms = %d > %d = SlowModeMax_ms.
1011
%s platform: Bad WDGIF_FAST_MODE configuration:
InitialTimeout_ms = %d > %d = FastModeMax_ms.
1012
%s platform: Bad WDGIF_FAST_MODE configuration:
InitialWindowStart_ms = %d > %d = FastModeMax_ms.
1013
%s platform: Bad WDGIF_FAST_MODE configuration:
InitialWindowStart_ms = %d >= %d = InitialTimeout_ms.
1014
WDGIF_OFF_MODE not supported for %s.
1022
`Wdg/WdgSettingsConfig/WdgRtiKhz` must be a non-zero value.
1023
`Wdg/WdgSettingsConfig/WdgFpiKhz` must be a non-zero value.
1024
Missing or unsupported driver. (Also verify the ECU description
file's AUTOSAR XML namespace).
1030
`/Wdg/WdgSettingsConfig/fSIRCkhz` must be a non-zero value.
1032
Cannot generate code for unknown driver `%s`.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

S-WdgIf Configuration
Page 18
Verify module having `DEFINITION-REF` ending with `.../Wdg`.
1033
Watchdog IF references unknown driver `%s`.
Verify module reference having a `DEFINITION-REF` ending with
`...WdgIf/WdgIfDevice/WdgIfDriverRef.
1041
No device found for Watchdog `%s`. Verify elements defined
by `..WdgIf/WdgIfDevice`.
1042
Device for `%s` platform has no device index.
Verify elements defined by `.../WdgIfDeviceIndex`.
1046
Error trying to identify the Watchdog's platform
1047
Error trying to generate Wdg_MemMap.h.
1067
No default `WdgDefaultMode` defined.
1074
The specified ticks per second value for the used WdgMmode
(%d Hz) and the RTI clock frequency (%d Hz) must satisfy
the following condition: 0 < ticks_per_second <= rti_hz / 2.
1077
The `MPC5643L_MC33904` platform requires `WdgInitialTimeout`
= 12 [ms].
1078
The `MPC5643L_MC33904` platform requires `WdgWindowStart`
= 6 [ms].
1079
One of the WdgMTrigger elements associated with WdgMWatchdog
`%s` has a WdgMTriggerConditionValue value which does not
match the WdgInitialTimeout (%d ms) defined for the `%s` driver.
1080
One of the WdgMTrigger elements associated with WdgMWatchdog
`%s` has a WdgMTriggerWindowStart value which does not
match the `WdgWindowStart` (%d ms) defined for the `%s` driver.
1087
There are more than 1 watchdogs with an internal tick counter
(%s)
1088
`%s` has an active internal tick counter but the Watchdog
Interface
does not reference it via `WdgIfInternalTickCounterRef`.
1089
The driver (`%s`) referenced by the Watchdog Interface via
`WdgIfInternalTickCounterRef` has no active internal tick
counter.
1117
`/Wdg/WdgSettingsConfig/SysClkKhz` must be a non-zero value.
1118
MPC56xx: using an internal tick counter requires configuring
`STMdebugModeControl`.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

S-WdgIf Configuration
Page 19
5
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
AUTOSAR  (AUTomotive  Open  System  ARchitecture)  is  a
worldwide  development  partnership  of  car  manufacturers,
suppliers  and  other  companies  from  the
electronics,
semiconductor and software industry.
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECU
Electronic Control Unit
MCU
Microcontroller Unit
S-Wdg
Safe Watchdog Driver (implementation by TTTech)
S-WdgIf
Safe Watchdog Interface (implementation by TTTech)
S-WdgM
Safe Watchdog Manager (implementation by TTTech)
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Abbreviations
Page 20
6
References
[1]
AUTOSAR, Specification of Watchdog Interface. V. 2.2.2, Rel. 3.1, Rev. 1
[2]
AUTOSAR, Specification of Watchdog Interface. V. 2.3.0, Rel. 4.0, Rev. 1
[3]
TTTech Automotive GmbH, Safe Watchdog Manager, Safety Manual, V. 2.0.2
[4]
TTTech Automotive GmbH, Safe Watchdog Manager, User Manual, V. 1.8.0
[5]
TTTech Automotive GmbH, Safe Watchdog Interface, Safety Manual, V. 1.8.0
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Index
Safe Watchdog Interface
Page 21
Index
- M -
MemMap.h     10
- A -
- P -
Abbreviations     19
API Description     11
Preprocessor Options     8
Appl_Det.h     10
Appl_Det_ReportError     10
- S -
Appl_Det_ReportError()     15
- B -
Safe Watchdog Interface     3
Std_Types.h     9
S-WdgIf Configuration     16
Basic Functionality of the S-WdgIf     3
S-WdgIf Configuration Generator     16
S-WdgIf Functions     12
- C -
- T -
Configuration Parameters for the S-WdgIf     5
Type Definitions     11
- D -
- W -
Det_ReportError     10
Det_ReportError()     15
WdgIf.c.     9
Deviations from the AUTOSAR Watchdog Interface
WdgIf.h     9
5
WdgIf_Cfg.h     10
WdgIf_Cfg_Features.h     10, 11
- E -
WDGIF_DEV_ERROR_DETECT     6, 8, 15
WdgIf_GetTickCounter     5
ECU Description Configuration     7
WdgIf_GetTickCounter()     14
Error messages
WdgIf_GetVersionInfo()     14
basic errors     17
WdgIf_InterfaceFunctionsPerWdgDeviceType     11
semantic errors     17
WdgIf_InterfaceType     11
Expected Interfaces     15
WDGIF_INTERNAL_TICK_COUNTER     7, 8
WdgIf_InternalTickCounter()     7
- F -
WdgIf_Lcfg.c     10
WdgIf_Lcfg.h     10
WdgIf_ModeType     12
File Structure     9
WdgIf_SetMode()     12
- I -
WdgIf_SetTriggerCondition()     13
WdgIf_SetTriggerWindow()     13
WdgIf_Types.h     10
Introduction     3
WDGIF_USE_AUTOSAR_DRV_API     7, 8
WDGIF_VERSION_INFO_API     6, 8
- L -
WdgIfDevErrorDetect     6, 8
WdgIfDriverRef     6, 7
Link Time Configuration     16
WdgIfInternalTickCounterRef     7, 8
WdgIfVersionInfoApi     6, 8
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Document Outline

27.13 - WdgIf Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. WdgIf

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. WdgIf_Vector_Ar4.0.3_03.03.06_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3182

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

28 - Watchdog Manager

Watchdog Manager

Component Documentation

28.1 - S-WdgM_ReleaseNotes

Release Notes

28.2 - S-WdgM_ReleaseNotes_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26

28.3 - S-WdgM_ReleaseNotess

Ensuring Reliable Networks

Safe Watchdog Manager
Release Notes

Author:
TTTech
Security:
Confidential
Document number:
D-SAFEX-RP-70-012
Document Version:
3.4.6
Date:
21.11.2014
Status:
released
Review:
JDU

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any from or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no
further obligation in relation to this document.
Copyright © 2009, TTTech Automotive GmbH. All rights reserved. Subject to change and corrections

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  2
Approval
Name
Function
Signature
PPU
Project Manager

TGA
Head of Software Department

MAL
Quality Manager

Revision Chart
A revision is a new edition of the document and affects all sections of this document.

Document  Date
Responsible Person  Modification
Version
0.9.0
09.06.2011
PPU
Version for Series Release 0.9
0.9.1
17.06.2011
PPU
Integration with DaVinci tool chain.
1.0.0
15.07.2011
PPU
Integration with DaVinci tool chain.
1.1.0
19.08.2011
PPU
Version for Series Release 1.1
1.2.0
07.09.2011
PPU
Version 1.2.0, TMP570LS3xx related release
1.3.0
16.09.2011
PPU
Version 1.3.0, MPC56xx (MPC5604B) release
1.3.1
06.12.2011
PPU
Version 1.3.1, Wdg_MPC56xx_bswmd.arxml
changed only
1.4.0
14.12.2011
PPU
New software release and document split. Watchdog
Manager,  Interface  and  Driver  becomes  own
Release documents.
1.5.0
10.02.2012
PPU
Version 1.5.0
1.6.0
08.03.2012
PPU
Release 1.6.0
1.7.0
13.04.2012
PPU
Release 1.7.0
1.8.0
21.11.2014
PPU
Release 1.8.0
1.8.1
12.06.2012
PPU
Release  1.8.1  did  not  contain  WdgM  module.  It
contains the MPC56xx driver only.
1.8.2
13.07.2012
PPU
Release 1.8.2, BugFixes, Manager release only
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  3
1.9.0
07.09.2012
PPU
Release 1.9.0, Code only
1.9.1
15.09.2012
PPU
Release 1.9.1, Documentation only
1.9.2
21.09.2012
PPU
Release 1.9.2, Style sheet update
1.9.3
02.10.2012
PPU
Release 1.9.3, S-WdgM Verifier - update,
S-WdgM_UserManual  - document update
S-WdgM_Stack_SafetyCase - document new
2.0.7
25.10.2012
PPU
Test  release  2.0.7  to  check  the  delivery  structure.
This is NOT a customer release!
3.0.3
16.11.2012
PPU
Cumulative module update.
(The major version changed to 3 because of the API
change in function (WdgIf_GetTickCounter())
3.1.0
11.01.2013
PPU
Release 1.11.0, embedded code not changed
3.1.1
27.02.2013
PPU
Release 1.13.0, Verifier update only
3.2.0
05.04.2013
JDU
Release 1.14.0, generator update only
3.3.2
29.11.2013
PPU
Release 1.21.0, generator only
3.4.0
19.02.2014
PPU
Autosar 4 update and bug fixes, beta version
3.4.1
21.03.2014
PPU
Update  and  bug  fixes  for  Autosar  4  environment
compatibility.  Backward  compatibility  to  Autosar  3.1
environment added too.
3.4.2
10.04.2014
PPU
Generator bug fix for Autosar compatible driver
3.4.3
27.05.2014
PPU
Release  for  the  AUTOSAR  4.0  and  AUTOSAR  3.1
compatible S-WdgM module
3.4.4
14.08.2014
PPU
Safety Case document for previous version 3.4.3
released only.
3.4.5
04.11.2014
PPU
S-WdgM Generator correction only
3.4.6
21.11.2014
PPU
S-WdgM Generator correction only
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  5

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  6
1
Overview
The Safe Watchdog Manager (S-WdgM) is upper software layer of the Safe Watchdog Manager Stack.
The S-WdgM Stack is part of the service layer of the AUTOSAR architecture. The S-WdgM monitors the
program flow and timing constrains of so-called Supervised Entities. When it detects a violation of the pre-
configured program flow and timing values, it takes a number of configurable actions to recover from this
state.

The Safe Watchdog Manager Stack consists of the following embedded software modules:
  Safe Watchdog Manager software module (hardware independent)
  Safe Watchdog Interface software module (hardware independent)
  Safe Watchdog Driver software module (hardware dependent),

and the Safe Watchdog Manager Stack configuration generators:
  Safe Watchdog Manager configuration generator (hardware independent)
  Safe Watchdog Interface configuration generator (hardware independent)
  Safe Watchdog Driver configuration generator (hardware dependent)

and the Safe Watchdog Manager Stack configuration verifier
  Safe Watchdog Manager configuration verifier (hardware independent)

This document represents the release notes for the Safe Watchdog Manager module only.

The Safe Watchdog Manager is compatible to the WdgM module as specified in the AUTOSAR 4.0 and
AUTOSAR 3.1 specifications but not fully compliant. For deviations and justifications please see the S-
WdgM User Manual.

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  7
2
Content of the Module Release

Title
Version*)
Author
Description
WdgM/
3.4.6

S-WdgM Module
  S-WdgM_ReleaseNotes.pdf

  Description/
3.3.3
TTTech

  WdgM_Bswmd_A4.arxml

For AUTOSAR 4.0.x environment
  WdgM_Bswmd.arxml

For AUTOSAR 3.1.y environment
  Doc_SafetyManual/
2.3.28

  S-WdgM_SafetyManual.pdf

  Doc_SafetyCase/
1.1.0

  S-WdgM_SafetyCase.pdf

  Doc_TechRef/
3.3.1
TTTech

  S-WdgM_UserManual.pdf

User Manual
  Generator/
3.3.15
TTTech

  LICENSE

  Wdg_Mgr_Cfg_Gen.exe

  GenTool_Ead/
2.0.12
TTTech

  SWC_WdgM_A4.xsl

For AUTOSAR 4.0.x environment
  SWC_WdgM.xsl

For AUTOSAR 3.1.y environment
  Identifier.xml

  Generation.xml

  Generation_A4.xml

  Implementation/
3.3.3
TTTech

  WdgM.c

Watchdog Manager - Main
  WdgM_Checkpoint.c

Watchdog Manager - Checkpoint
  WdgM_Cfg.h

Watchdog Manager -
Configuration structures
  WdgM.h

Watchdog Manager - API
declaration
  Verifier/
1.2.11
TTTech

  wdgm_verifier.dll

S-WdgM Configuration Verifier
  libwdgm_verifierdll.a

S-WdgM Configuration Verifier lib
  wdgm_verifier.h

S-WdgM Configuration Verifier
  wdgm_verifier_types.h

S-WdgM Configuration Verifier
  wdgm_verifier_version.h

S-WdgM Configuration Verifier
  verify_wdgm_header.xsl

S-WdgM Configuration Verifier
  verify_wdgm_source.xsl

S-WdgM Configuration Verifier
  VerifierTools/
1.0.0

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  8
  MinGW/
5.1.6
MinGW

   w32api-3.13-mingw32-dev.tar.gz

   mingwrt-3.15.2-mingw32-dll.tar.gz

   mingwrt-3.15.2-mingw32-dev.tar.gz

    MinGW-5.1.6.exe

   mingw.ini

   gcc-core-3.4.5-20060117-3.tar.gz
3.4.5

   binutils-2.19.1-mingw32-bin.tar.gz

  xsltproc/
1.0.0
xsltproc

   zlib1.dll

   xsltproc.exe

   libxslt.dll

   libxml2.dll

   libexslt.dll

   iconv.dll

*) Bold version numbers are new artefacts in this release. The non-bold artefacts are the previously released
compatible artifacts. All artefacts listed here are consistent.

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  9
3
Change history
This chapter describes the changes in each released version.

3.1
Changes with version 3.4.6
Issue Nr.
Area
Found  Issue title
Release
Wk
status
69689
G
wk47
`WdgM_PBcfg.h` shall #include `WdgM_Cfg.h`
S
The issue description (issue69689):
The file `WdgM_PBcfg.h` uses a type `WdgM_ConfigType` but does not #include the header file where that
type is defined. This situation causes normally no problems because the corresponding C source file
`WdgM_PBcfg.h` has the following #include directive:
  #include "WdgM.h"
  #include "WdgM_PBcfg.h"
Where "WdgM.h" includes the necessary `WdgM_Cfg.h`.

The current release improved this point and the `WdgM_PBcfg.h` includes the `WdgM_Cfg.h` directly.

3.2
Changes with version 3.4.5
S-WdgM module was not changed in this release, the Safety Case document was added only.

Issue Nr.
Area
Found  Issue title
Release
Wk
status
68941
G
44
Safe Execution - Remove Cross Cutting Checks in
S
/2014
the WdgM Config Generator
68932
G
44/
Wdg Config Generator RH850P1x_TLE4473
S
2014
missing paramterers
The change description (issue68941):
The cross-cutting checks are removed from S-WdgM Generator. The Watchdog Manager
Config Generator should not attempt to verify the Watchdog Driver's data because this is on this level not
necessary. The removed cross-check parameters are the following:
  WdgGeneral/WdgInitialTimeout
  WdgSettingsConfig/WdgWindowStart
  WdgSettingsConfig/WdgSlowModeMax
  WdgSettingsConfig/WdgFastModeMax

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  10

Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

3.3
Changes with version 3.4.4
S-WdgM module was not changed in this release, the Safety Case document was added only.

Issue Nr.
Area
Found  Issue title
Release
Wk
status
65369
D

Release Management Tasks for 1.26.1 CW
S
31/2014

3.4
Changes with version 3.4.3
S-WdgM module changes and corrections

Issue Nr.
Area
Found  Issue title
Release
Wk
status
62326
all

Safe Execution Release 1.26.0 - Release
S
Management Tasks
(include collection of issues for this release)

3.5
Changes with version 3.4.2
S-WdgM module changes and corrections

Issue Nr.
Area
Found  Issue title
Release
Wk
status
61768
G
Wk15
SafeExecution - Deactivate cross-cutting tests to
S
avoid problems with AS3-compatible Third-Party
Drivers

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  11
3.6
Changes with version 3.4.1
S-WdgM module changes and corrections

Issue Nr.
Area
Found  Issue title
Release
Wk
status
61023
G+E

Issue collection for Autosar4.x S-WdgM issues and
S
Autosar compatibility of the S-WdgIf module.

3.7
Changes with version 3.4.0
S-WdgM module changes and corrections

Issue Nr.
Area
Found  Issue title
Release
Wk
status
59931
G+E

API and generator points for AUTOSAR 4, reported
S
by Vector

3.8
Changes with version 3.3.2
S-WdgM module changes and corrections

Issue Nr.
Area
Found   Issue title
Release
status
58478
G
Wk 48
MPC5643L_ATA5021 is no “third-party” driver
S
58479
G
Wk 48
Add hint re need to provide driver data in EDF
S

3.9
Changes with version 3.2.0
S-WdgM module changes and corrections:

Issue Nr.
Area
Found   Issue title
Release
status
51893
G
Wk 6
Different checks for third-party drivers
S
51859
G
Wk 6
Use symbolic IDs for SEs and CPs
S
52428
G
Wk 10
#define constants moved from source to header file
S
52577
G
Wk 11
Do not assume system-wide unique CP names
S

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  12
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  13
3.10  Changes with version 3.1.2

Issue
Area  Found
Issue title
Release
Nr.
in Wk
status
52577  G
Wk6
“Do not assume system-wide unique CP
O
names”: If there are 2 or more checkpoints
with the same name in different Supervised
Entities then the generator can generate
wrong configurations.

3.11  Changes with version 3.1.1
S-WdgM module changes and corrections:

Issue
Area  Found
Issue title
Release
Nr.
in Wk
status
52281  V
Wk08
Deactivate the test 36. The test is obsolete.
S
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

3.12  Changes with version 3.1.0

S-WdgM module changes and corrections:

Issue
Area  Found
Issue title
Release
Nr.
in Wk
status
50917  V

Test 73, The Verifier doesn’t read the
S
WDGM_STATE_CHANGE_NOTIFICATION
Correctly.
50131  G
Wk45
WdgM and WdgIf config generators must
S
work together with unsupported Wdg Drivers
49656  V

Verifier - Sorting of parameters might make
S
test results wrong.
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title: Release Notes
Doc.No: D-SAFEX-RP-70-012
Page 14
48637 G
Wk36
CP ID is used as CFG array ID,
S

(when the CP ID’s are not sorted, then the
generator stops generating)
51164
D
Wk02
Safety Manual update
S
51222
D
Wk02
Safety Case update (version numbers)
S
Release status:
S … solved, O … open, C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation
3.13 Changes with version 3.0.3
S-WdgM module changes and corrections:

Issue
Area Found
Issue title
Release
Nr.
in Wk
status
50131 G
Wk45
WdgM and WdgIF config generators must
S partly
work together with unsupported Wdg Drivers
49950 E
Wk45
WdgM: line 792: warning (dcc:1516):
S
parameter CallerID is never used
49735 E
Wk44
WdgM: The
S
WdgM_GlobalSuspendInterrupts() should be
defined "extern" and renamed to
GlobalSuspendInterrupts()
49837 E
Wk44
Common Suspend/Restore Interrupt routines
S
shall be used
48420 E
Wk44
Deactivating an active SE should rise in some
S
cases DET report
48667 G
Wk43
Generator shall generate constants with 'u'
S
sufix
48637 G
Wk 36
The CP and SE IDs must be strict ordered.
O
Change Otherwise the Generator rises an error.
request
48601 SWC
Uneven implementation of port defined
S
argument values for port interface
<WdgM_GlobalMode>
48993 E

WdgIf_GetTickCounter() writes to WdgM
S
global memory
48818 G

S-WdgM Code segment fixed in the
S
WdgM_MemMap.h file
Release status:
Date: 21.11.2014
File name: S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version: 3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  15
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests

3.14  Changes with version 2.0.7
Test release for new versioning and delivery structure. This is not a customer version. Used internally only.

S-WdgM module changes and corrections:

Embedded Code changes:
  none

Generator changes:
  none

Verifier changes:
  none

Documentation changes:
  none

DaVinci interface changes:
  None

3.15  Changes with TTTech Release 1.9.3: S-WdgM Subpackage 2.0.6
This release contains an update of the Watchdog Manager Configuration Verifier. The release is compatible
with the embedded code basis of the release 1.9.0 and documentation release 1.9.1 and 1.9.2

Embedded Code changes:
  none

Generator changes:
  none

Verifier changes:
  Report file header corrected (“TTTech Internal Use only” removed).
  [46858] Verify all relevant WdgM global settings
  [48716] Detect NULL pointers
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title: Release Notes
Doc.No: D-SAFEX-RP-70-012
Page 16

Documentation changes:
 S-WdgM User Manual - update
 S-WdgM Stack Safety Case - new

DaVinci interface changes:
 None

Open issues in this release:
Issue
Area
Issue title
Release
Nr.
1.9.3
48993
E
WdgIf_GetTickCounter() writes to WdgM global memory
O
48818
G
S-WdgM Code segment fixed in the WdgM_MemMap.h file
O
48601
SWC
Uneven implementation of port defined argument values for port
O
interface <WdgM_GlobalMode>
Release:
S … solved, O … open, C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests

3.16 Changes with TTTech Release 1.9.2: S-WdgM Subpackage 2.0.5
This release contains an update of the Watchdog Manager SWC_WdgM.xsl file only. The release is
compatible with the embedded code basis of the release 1.9.0 and documentation release 1.9.1

Embedded Code changes:
 none

Generator changes:
 none

Verifier changes:
 none

Documentation changes:
 none

DaVinci interface changes:
 [47956] SWC_WdgM.xsl file changed because of problem with the WdgMTimebaseSource
parameter. The selection of the WDGM_INTERNAL_HARDWARE_TICK was not possible.
Date: 21.11.2014
File name: S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version: 3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  17
3.17  Changes with Release 1.9.1: S-WdgM Subpackage 2.0.4
This release contains S-WdgM documentation and S-WdgM Verifier only. The documentation in this release
is compatible with the embedded code basis of the release 1.9.0 (Subpackage 2.0.3)

Embedded Code changes:
  none

Generator changes:
  none

Verifier issues:
  See the chapter “Known issues, limitations, updates”

Documentation changes:
  [48745] S-WdgM Safety Manual Formal Review
  [48722] S-WdgM User Manual Review
3.18  Changes with Release 1.9.0: S-WdgM Subpackage 2.0.3
Open issues in this release:
Issue
Area
Issue title
Release
Nr.
1.9.0
48624
E
MPC56xx Driver – MISRA issues.
S
48607
E
WdgIf Interface – MISRA issues.
S
48583
E
WdgM Manager – MISRA issues.
S
47956
SWC  Removed unused runnable entities.
S
47459
E
WdgM_MainFunction should have a reentrancy check.
O
47828
E
Service IDs of an API function differ from AUTOSAR
S
47832
E
A global transition to a deactivated SE doesn’t produce a
O
error response.
48320
E, G
The first Supervision cycle should have definable Alive
S
test.
48320]
E
The ProgramFlowViolationCnt is wrongly incremented
S
48298
E, G
The OS Partition Reset makes compile warning problem
S
46101
T
WdgM: Unit test for the Autosar 3.1 compatibility
S
46382
V
Defines are not checked for correct value (STD_ON,
S
STD_OFF)
46977
SWC  WdgM: Each Entity may have zero or more End
S
Checkpoints
47905
SWC  Location of xxx_SEC_CONST_UNSPECIFIED +
S
xxx_SEC_CODE
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  18
47386
SWC  Special Handling for Callback in Service Component
O
Description
47990
SWC  The WdgM_SetMode() need to be added to the 3.1
S
compatibility mode
47956
SWC  WdgM Generator creates runnable trigger which is not
S
configured
42841
SWC  Service Component always has all version's APIs
S
47328
E
S-WdgM: initialize uninitialized local variable,
S
47131
E
Cover combined X-Y-Monitoring violations in status
S
FAILED
44842
E
WdgM: Magic constants should not be used when not
O
necessary (Disable automatically generated typedefs)
45280
G
Wdgx: The RAM sections of WdgM, Wdg should be
S
related to an Application only
45566
E
WdgM: Configuration checks only if
O
WdgMDevErrorDetect is off
45709
E
Safe WdgM - Alive Counter overrun
S
45814
E
WdgM: Update Copyright information in embedded codes
S
45827
E
WdgM: Add AUTOSAR _AR_ Version macros
S
46044
E
S-WdgM: protect sensitive data accesses from interrupts
S
46383
E
ascSC is assumed to be defined but this is not checked
S
46388
E
INVALID_OSAPPLICATION is not necessarily 0xFF in
S
Os.h
46464
E
WdgM: remove not used code when API_3_1 selected
O
46816
E
Safe WdgM - error from WdgIf during initialization
C
46819
G
S-WdgM: 0xFFFF tolerance values prevent from going to
S
EXPIRED
46820
E
WdgM: AUTOSAR Compiler abstraction
S
46993
E
WdgM: Fixing the external function names
S
46574
G
avoid division by zero if Ticks/second = 0
S
46794
G
reject multiple DM elements for one transition
S

46920
G
checkpoint attribute "startsAGlobalTransition" is now
S
correctly computed
44628
G
remove compiler warning ({{0}, {1}, ..} instead of {0, 1}
S

47177
G
reject configurations not having a 1:1:1 relationship for
S
driver/interface/watchdog
47058
G
disable OS Partition Reset in generator
S

Release:
S … solved, O … open,  C … Closed as obsolete
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  19

Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  20

3.19  Changes with Release 1.8.2: S-WdgM Subpackage 1.8.2
Embedded Code BugFixies:
  [47131] - Cover combined X-Y-Monitoring violations in status FAILED
  [45709] - Safe WdgM -  Alive Counter overrun
  [45827] - WdgM: Add AUTOSAR _AR_ Version macros
  [46044] - S-WdgM: protect sensitive data accesses from interrupts
  [45280] - Wdgx: The RAM sections of WdgM, Wdg should be related to an Application only
  [47328] - S-WdgM: initialize uninitialized local variables

Configuration Generator BugFixies:

  [46574]: avoid division by zero if Ticks/second = 0
  [46794]: reject multiple DM elements for one transition
  [46920]: checkpoint attribute "startsAGlobalTransition" is now correctly computed
  [44628]: remove compiler warning ({{0}, {1}, ..} instead of {0, 1}
  [47177]: reject configurations not having a 1:1:1 relationship for driver/interface/watchdog
  [47058]: disable OS Partition Reset in generator

3.20  Changes with Release 1.8.0: S-WdgM Subpackage 1.8.0
  The Safety Manual revorked, the not safety related informations are moved to the User Manual.
  [45700] Trigger Mode implemented (Simplified SetMode() function)
  [45927] RememberedEntityId replaced by global transition flags
  [45959] Periodicity of deadline and program flow  tolerances repaired
  [46206] Minor changes to increase test coverage

3.21  Changes with Release 1.7.0: S-WdgM Subpackage 1.7.0
  [45210] Hardware TickCounter implemented
  [45572] WdgM_GetLocalStatus() adapted, WdgMEnableEntityDeactivation flag was moved
  [45663] tick_count_diff calculation repaired
  [45388] Mcu_PerformReset() removed from WdgM_MainFunciton.
3.22  Changes with Release 1.6.0: S-WdgM Subpackage 1.6.0
  [44418] Checksum for configuration added
  [44978] SE deactivation/activation variable protection in the GS memory added
  [45008] Partition reset partly corrected, the Entity reset was added.
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  21
  [45066] Refactoring, MISRA check corrections

3.23  Changes with Release 1.5.0: S-WdgM Subpackage 1.5.0
  [43770] The write access of the MainFunction() to the entity memory removed.
  [44107] Deadline, Program flow monitoring debouncing parameters optimization
  [43913] MainFunction() interrupted by Checkpoint() corrections
  [44257] Check for Number of S-WdgM Ticks in SupervisionCycle added
  [43912] The direct reset (hardware reg. access) was removed from CheckpointReached()
3.24  Changes with Release 1.4.0: S-WdgM Subpackage 1.4.0
  The documentation structure was changed. Each module (Manager, Interface and Driver) has now
an own User Manual, Safety Manual and Release Notes. The changes mentioned in this chapter
represents the S-WdgM changes only.
   [42537] WDGM_DEM_SUPERVISION_REPORT define moved to WdgM_Cfg_Feature.h file
   [42797] Compiler warnings removed, the SE deactivation/activation simplified
   [42943] SE Deactivation/Activation issue removed
   [43092] global transitions repaired – internal global transition flag introduced
   [43881] Unused variable removed
3.25  Changes with Release 1.3.1: WdgM Subpackage 1.3.1
The Wdg_MPC56xx_bswmd.arxml file was changed only. The xml element Wdg_Impl was removed from the
file by Mr. Kalmbach at Vector. The element causes a problem in GENy.
3.26  Changes with Release 1.3.0
Embedded code:
  [42477] Notification in GLOBAL_STATE_STOPPED was not necessary and was removed
  [42503] Error message to DEM in GLOBAL_STATE_STOPPED is now reported correctly
  [42509] Check for a valid global transition repaired in the case of a local initial checkpoint.
  [42249] Added the new MPC56xx family platform, new S-Wdg driver created

Generators:
  Added new MPC56xx family platform
3.27  Changes with Release 1.2.0: WdgM Subpackage 1.2.0
Embedded code:
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title: Release Notes
Doc.No: D-SAFEX-RP-70-012
Page 22
 For the global Disable/Enable interrupts the AUTOSAR Schedule Manager interface is now used
instead of the operating system interface. (Now the SchM_WdgM.h needs to be included)
 When the RTE is used, then the S-WdgM uses the defines and typedefs generated by RTE instead
of the S-WdgM internal typedefs and defines (switchable with WDGM_USE_RTE)
 Primary Reset path instead of Secondary reset path is used when the
WDGM_IMMEDIATE_RESET==STD_ON is selected. This change was done to guarantee safe
reset. (The previously used external Mcu_PerformReset() function is a QM function)
 The Timebase Tick counter check (stuck-in and negative count) was corrected in the
WdgM_MainFunction()
 Similar to the S-WdgM the S-Wdg has now a Wdg_MemMap.h file. So it is possible to place the
Wdg variables to a memory section predefined by DaVinci Configurator.
Generators:
 better error handling
 XSLT Stylesheet now includes `WdgM_MainFunction` and `WdgM_UpdateTickCount` as runnables.
 Drivers/platforms now can be identified correctly regardless of the SHORT-NAMEs chosen by users

ECU description file change:
Release 1.2.0 uses SUB-PACKAGEs for organizing platform-related data inside ECU description file.
ECU description files created for previous versions have to be adapted slightly - otherwise the code
generators may not be able to find the platform data. Please follow these steps:

1. Open the ECU Description file with a text editor
2. Find <DEFINITION-REF> elements in the ECU description file containing `/TTTECH/Wdg` or
`/TTTECH/WdgImpl`
3. Replace the `TTTECH/Wdg` substring with `TTTech/TMS570LS3x/Wdg` and /TTTECH/WdgImpl`
with /TTTECH/TMS570LS3x/WdgImpl`
4. Save your changes

3.28 Changes with Release 1.1.0: WdgM Subpackage 1.1.0
Embedded code:
 The AUTOSAR 3.1 functionality Deactivate / Activate entity was implemented.
 The Callback Notification was implemented.
 The entities initialization in the WdgM_Init() was corrected.
 The Timebase Tick overrun correction was removed on places where it wasn’t necessary
 The MPC5604B Safe Watchdog driver was implemented
o Note: the MPC5604B internal watchdog’s registers (module SWT) can only be accessed in
one of the supervisor modes. This means that the WdgM_MainFunction(), which periodically
triggers the watchdog, must run in a supervisor mode!
o This first version of the MPC5604B Safe Watchdog driver was developed and tested using
the Freescale CodeWarrior Compiler 5.9.0.
o Following configuration sets were verified: fSIRCkhz=128, interruptThenReset=false,
hardLock=false, stopModeControl=true, debugModeControl=true, WdgDevErrorDetect=true,
WdgDemReport=true, WdgDisableAllowed=true, WdgVersionInfoApi=true.
Date: 21.11.2014
File name: S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version: 3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  23

Generators:
Wdg_Mgr_Cfg_Gen.exe generates code to support supervised entity activation/deactivation and
callback notifications.
Wdg_If_Cfg_Gen.exe generates code for the MPC5604B driver and corresponding interface.
3.29  Changes with Release 1.0.0: WdgM Subpackage 1.0.0
  The Safe Watchdog Interface embedded code was split in to two modules:
1.  Safe Watchdog  Interface, is now hardware independent
2.  Safe Watchdog Driver, is hardware dependent
  The Mode switch through the WdgM_Init was removed.
  There is now possibility to disable interrupts while the Global shared data are manipulated
  Some enum definitions in the S-WdgM API (like LOCAL_STATUS_OK) was changed to AUTOSAR
specified #defines
  Changes in the generators:
  The generators generates now additionally WdgM_Cfg_Features.h,WdgIf_Cfg_Features.h,
Wdg_TMS570LS3x_Cfg_Features.h files.
  The generators generates now additionally WdgM_MemMap.f file.
  Changes in the bswmd and swc files:
  Feature definitions are added (defined in the …Cfg_Features.h files)
  Software version and vendor info was added
  Obsolete 3.1 items was deleted
  DEFINITION-REF elements now contains paths beginning with TTTECH instead of AUTOSAR
  The bswmd files are now schema compliant.
  At typedefs WdgM_CheckpointIdType,  WdgM_SupervisedEntityIdType was the maximum value
changed to 65535.
Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  24
4
Test status
The S-WdgM integration tests based on the issue 69689 were performed. No findings.

All test results are positive.

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  25
5
Known issues, limitations, updates
Known issues:
For known issues please see the chapter “Change history” above.

Functional limitations of current version:
Not known.

Updates:
Current release represents a S-WdgM module for AUTOSAR 4.0.x and AUTOSAR 3.1.y.

Note, that the S-WdgM Configuration generator reads the AUTOSAR version from ECU description file and
generates a define “#define WDGM_AUTOSAR_4_x STD_ON” in case of Autosar 4.x. Dependent on this
define the embedded code uses the appropriate Autosar 4.0.x functionality.

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Manager
Version: 3.4.6
Document Title:  Release Notes
Doc.No:  D-SAFEX-RP-70-012
Page  26
6
Abbreviation and glossary
Acronym /
Term
Meaning
CP
Checkpoint
EDF
ECU Description File (.arxml file used as input to the configuration generator)
SE
Supervised Entity
OS
Operating System
SCx
Scalability Class (of an Operating System)
S-WdgM
Safe Watchdog Manager (TTTech product, platform independent part)
S-WdgIf
Safe Watchdog Interface (TTTech product, is the platform independent part)
S-Wdg
Safe Watchdog Driver (TTTech product, is the platform dependent part)
WdgM
Watchdog Manager  (module according AUTOSAR specification)
[xxxxx]
TTTech internal issue tracking number.

Date:   21.11.2014
File name:  S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.4.6
Author:
TTTech

28.4 - S-WdgM_SafetyManual

Safety Manual

28.5 - S-WdgM_SafetyManual_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95

28.6 - S-WdgM_SafetyManuals

Ensuring Reliable Networks
Safe Watchdog Manager
Safety Manual

Author:
TTTech Automotive GmbH
Security:
Company Confidential
Document number:
D-SAFEX-S-70-001
Version:
2.3.28
Date:
26.05.2014
Status:
ALM_Published
MKS ID:
228403

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com

No  part  of  the  document  may  be  reproduced  or  transmitted  in  any  form  or  by  any  means,  electronic  or  mechanical,  for  any  purpose,  without  the  written  permission  of  TTTech
Automotive GmbH. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive GmbH
undertakes no further obligation in relation to this document.

© 2014, TTTech Automotive GmbH. All rights reserved.                                                                                                                                           Subject to changes and corrections

TTTech Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 1
Revision History
17.06.2011 V0.9.4 Draft
15.07.2011 V1.0.0 Safe Watchdog Manager Series Release
12.08.2011 V1.1.0 Safe Watchdog Manager Series Release
07.09.2011 V1.2.0 Safe Watchdog Manager Series Release
16.09.2011 V1.3.0 Safe Watchdog Manager Series Release
16.11.2011 V1.3.1 Safe Watchdog Manager - separating S-Wdg drivers
13.12.2011 V1.4.0 Safe Watchdog Manager - Series Release
10.02.2012 V1.5.0 Safe Watchdog Manager - Series Release
17.02.2012 V1.5.1 Safe Watchdog Manager - Series Release (Patch Release)
09.03.2012 V1.6.0 Safe Watchdog Manager - Series Release
13.04.2012 V1.7.0 Safe Watchdog Manager - Series Release
08.05.2012 V1.7.1 Safe Watchdog Manager
05.05.2012 V2.0.0 Copied from MKS 64019 to MKS 228043. Hierarchie restructured. Labeled for review.
24.05.2012 V2.0.1 Labeled for review.
25.05.2012 V2.0.2 Safe Watchdog Manager - Series Release V1.8.0
27.06.2012 V2.1.0 Reviewed. Some information still open
03.07.2012 V2.2.0 Added config generation and verification process
03.07.2012 V2.2.1 Added timing constraints (issue47259)
05.07.2012 V2.3.0 Added requirements from ETA and Check against System Specification
06.07.2012 V2.3.1 Ready for Release 1.8.2
07.08.2012 V2.3.2 Feedback from Hella-Audit, some texts more precise
23.08.2012 V2.3.3 added system assumptions, S-WdgM requ., AUTOSAR 3.1 info, manual checks
10.09.2012 V2.3.4 Traced requirements from ETA. Dissolved section "Requirements derived from ETA
process"
13.09.2012 V2.3.5 After walkthrough review
13.09.2012 V2.3.6 Added manual tests
15.09.2012 V2.3.7 Safe Watchdog Manager ASIL Release
15.10.2012 V2.3.8 Added system assumption regarding critical sections (297946,297948), issue49890
Added reentrancy, issue49459 (WDGM_E_REENTRANCY)
05.12.2012 V2.3.9   228523 - Added Safety Manager
313849 - Added the 'Safety related requirement' behavior
315317, 315319 - Additional requirements (Safe Execution, Lock Step)
230020 - Relation to the SEooC
14.01.2013 V2.3.10 324187, XSLT processor, issue51325
239057, 239065, 239067 corrected
313849 'S-Wdg' corrected to 'S-WdgM'
24.04.2013 V2.3.11 issue 53646: 358190 - Alive counter necessary
07.11.2013 V2.3.12 In the item 230126 the missing ISO 'part 6' was added.
02.04.2014 V2.3.13 Issue 59785 (partly): After discussion with customer following comments added: 542988,
544495
Issue 58655: 228813, 228815, 260615, 260617 (Win7 test)
Issue 52760, 62290, 61812, 59931
05.05.2014 V2.3.14 Changed points according EEB remarks, issue 52087
05.05.2014 V2.3.15 Improvements base is the customer OIL list, issue 59785
07.05.2014 V2.3.16 Issue 52087, 52760, 59785 : review points corrected
13.05.2014 V2.3.17 Issue 52087, 52760 corrected
14.05.2014 V2.3.18 Issue 59785 corrected
14.05.2014 V2.3.19 Issue 62591 corrected
14.05.2014 V2.3.20 Issue 62589 corrected

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 2
15.05.2014 V2.3.21 Issue 62290 corrected
15.05.2014 V2.3.22 Issue 53646 corrected
15.05.2014 V2.3.23 Issue 62290 corrected
15.05.2014 V2.3.24 Issue 59785, 62589, 62591corrected
16.05.2014 V2.3.25 Issue 62724 corrected
22.05.2014 V2.3.26 Issue 63131: Language Review
23.05.2014 V2.3.27 Issue 62724 corrected
26.05.2014 V2.3.28 Issues corrected:52168, 62591, 53646, 50833, 58842

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 5
-
Category:
Comment
Keywords:

ID:
545205
LEGAL DISCLAIMER
THE INFORMATION GIVEN IN THIS SAFETY MANUAL IS GIVEN AS SUPPORT FOR THE
INTEGRATION OF THE TTTECH SAFETY MODULE INTO A SYSTEM ONLY AND SHALL NOT BE
REGARDED AS ANY DESCRIPTION OR WARRANTY OF A CERTAIN FUNCTIONALITY, CONDITION
OR QUALITY OF THE TTTECH SAFETY MODULE. THE RECIPIENT OF THIS SAFETY MANUAL MUST
VERIFY ANY FUNCTION DESCRIBED HEREIN IN THE REAL APPLICATION.

TTTECH PROVIDES THE SAFETY MANUAL FOR THE SAFETY MODULE "AS IS" AND WITH ALL
FAULTS AND HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE, ACCURACY OR COMPLETENESS, OR OF RESULTS
TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK, AS TO THE QUALITY, USE
OR PERFORMANCE OF THE SAFETY MANUAL, REMAINS WITH THE RECIPIENT. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW TTTECH SHALL IN NO EVENT BE LIABLE FOR ANY
SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT
NOT LIMITED TO LOSS OF DATA, DATA BEING RENDERED INACCURATE, BUSINESS
INTERRUPTION OR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF
THE USE OR INABILITY TO USE THE SAFETY MANUAL, EVEN IF TTTECH HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

TTTECH MAKES NO WARRANTY OF ITS PRODUCTS, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW DISCLAIMS ALL LIABILITIES OR
DAMAGES RESULTING FROM OR ARISING OUT OF THE APPLICATION OR USE OF THESE
PRODUCTS.

-
Category:
Comment
Keywords:

ID:
545219
Legal Notice
The information contained in this safety manual does not affect or change any General Terms and
Conditions of TTTech and/or any agreements existing between TTTech and the recipient regarding the
product concerned.

The reader acknowledges that this safety manual may not be reproduced, stored in a retrieval system,
transmitted, changed, or translated, in whole or in part, without the express written consent of TTTech.

The reader acknowledges that any and all of the copyrights, trademarks, trade names, patents (whether
registrable or not) and other intellectual property rights embodied in or in connection with this safety manual
are and will remain the sole property of TTTech or the respective right holder. Nothing contained in this
legal notice, the safety manual or in any TTTech web site shall be construed as conferring to the recipient
any license under any intellectual property rights, whether explicit, by estoppel, implication, or otherwise.

This safety manual and respective products are subject to change.

The product is only allowed to be used in the scope as described in section "System Assumptions". Please
note, that based on the current state of the arts in science it is impossible to develop software that is bug-
free in all applications.

-
Category:
Comment
Keywords:

ID:
545221
We Listen to Your Comments

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 6
Is there any information in this document that you feel is wrong, unclear or missing?
Your feedback will help us to continuously improve the quality of this document. Please contact TTTech
Automotive support if you have questions, change requests or suggestions for improvement related to the
SCM product or documentation. TTTech Automotive support can be reached via the following e-mail
address: support@tttech.com.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 7
1  Purpose of this Document
Category:
Comment
Keywords:

ID:
228517
This document is the Software Safety Manual for the software component Safe Watchdog Manager (S-
WdgM). The S-WdgM was developed by TTTech as an SEooC according to ISO 26262 (2011) for use in
safety related items up to ASIL D (see [ISO26262]). This document contains the requirements that have to
be met to integrate and apply the S-WdgM into a safety-related item.

-
Category:
Comment
Keywords:

ID:
228519
The S-WdgM is part of the S-WdgM Stack. It contains also a S-WdgM Configuration Generator and a S-
WdgM Verifier to generate and verify configuration dependent S-WdgM code.

-
Category:
Comment
Keywords:

ID:
228521
The document contains the requirements that have to be satisfied to
  install the S-WdgM Generator,
  generate S-WdgM code with the S-WdgM Configuration Generator,
  integrate the S-WdgM code into an AUTOSAR system, and
  to apply the S-WdgM within an AUTOSAR system.

-
Category:
Comment
Keywords:

ID:
228533
Note: The document describes requirements for the S-WdgM only. It does not provide a full description of
how to create a safe system. For example, it is not concerned with hardware architectural metrics that may
have an influence on software running on that hardware. These considerations are not specific to the S-
WdgM and are thus beyond the scope of this manual.

-
Category:
Comment
Keywords:

ID:
231307
The S-WdgM was developed according to AUTOSAR version 4.0.1 [AS_WDGM_SWS] and adapted for the
AUTOSAR 3.1.4 [AS_WDGM_SWS_3_1] environment, too. The S-WdgM is compatible with both
AUTOSAR versions but not fully compliant. For the deviations see [TT_WDGM_UM].

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 8
2  Introduction
2.1  Target Audience and Responsibilities
Category:
Comment
Keywords:

ID:
228523
This document addresses the Safety Manager and (system) integrator. The integrator is the person who
implements the requirements, is responsible for the generation of S-WdgM Configuration code, the
integration of the S-WdgM into a safety-related item and its application.

-
Category:
Requirement
Keywords:

ID:
228525
Label:

Safety relevant:

Related To:

Related To':

The integrator shall be an expert in the area of functional safety with deep knowledge of ISO 26262 (see
[ISO26262]).

Moreover, the integrator needs to know
  the AUTOSAR architecture,
  the ANSI C programing language, and
  the S-WdgM User Manual [TT_WDGM_UM]).

-
Category:
Requirement
Keywords:

ID:
228529
Label:

Safety relevant:

Related To:

Related To':

The integrator shall ensure that all requirements defined in this Safety Manual are fulfilled in the integrated
item.

-
Category:
Requirement
Keywords:

ID:
228537
Label:

Safety relevant:

Related To:

Related To':

The integrator shall also follow the instructions in
  the Safety Manual for the S-WdgIf (see [TT_WDGIF_SM]) and
  the Safety Manual for the used S-Wdg drivers (see the driver specific Safety Manual. Safety Manuals
for some drivers can be found in section "References" at the end of this document)
which describe the other components of the S-WdgM Stack.

-
2.2  Structure of this Document
Category:
Requirement
Keywords:

ID:
228527
Label:

Safety relevant:

Related To:

Related To':

Requirements are explicitly marked as "Requirement" in this document. All requirements described in this
document shall be considered by the integrator. Explanatory text that does not represent an explicit
requirement is marked as "Comment".

-
Category:
Comment
Keywords:

ID:
314003
Note: The document items of type "Comment" do not represent explicit action items for the integrator,

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 9
however, the integrator has to ensure that there are no contradictions between the comment and the intend
S-WdgM usage.

-
Category:
Comment
Keywords:

ID:
313849
Note: Requirements in this document shall be treated either as safety related or need not be treated as
safety related, depending on the S-WdgM use case:
  If the S-WdgM is used to monitor a safety related application, then for each used S-WdgM functionality
all corresponding requirements in this document shall be treated as safety related.
  If the S-WdgM is used to monitor a QM application then the requirements in this document need not be
treated as safety related.

As a consequence, the field "Safety relevant" in the requirements are empty.

-
Category:
Comment
Keywords:

ID:
555645
The list shows some keywords used in requirements and their explanation:

Key Word
Description
Must, Shall, Required, Is responsible for, Is the
Requirement is mandatory.
responsibility of
Shall not
Requirement is a prohibition.
May
Requirement is optional.
table 1


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 10
3  Terms
Category:
Comment
Keywords:

ID:
228565

A kind of monitoring that checks whether a Checkpoint in the
Alive Supervision
application code has been passed an allowed number of times
(with tolerances) within a time interval.
An Application Context is the smallest set of data used by an
application that must be saved to allow application interruption at
Application Context
a given time, and a continuation of this application at the point
where it has been interrupted.
A point in the control flow of a Supervised Entity which reports to
Checkpoint
the Safe Watchdog Manager when it is passed.
A tool (like DaVinci Configurator Pro) that creates a Safe
Configuration Tool
Watchdog Manager configuration.
A kind of monitoring that checks whether the execution time
Deadline Monitoring
between two Checkpoints is within expected limits (with
tolerances).
The last Checkpoint in the program flow of a Supervised Entity.
When the End Checkpoint has been passed, the S-WdgM
End Checkpoint
assumes that the Supervised Entity has been left. An entity can
have more than one End Checkpoint (e.g, in the "then" and "else"
clause of an "if" statement).
The escalation of a detected fault to the WD by a Watchdog reset
by calling a S-WdgIf API function or omittance of the Watchdog
trigger.
Error Escalation
The Error Escalation marks the point in time when the S-WdgM
Fault Reaction Time ends and the reaction time of the WD driver
and WD itself starts.
The time from the occurrence of a fault to the detection by the S-
WdgM. The detection is indicated by a status change from
WDGM_LOCAL_STATUS_OK or
WDGM_GLOBAL_STATUS_OK to another state.
S-WdgM Fault Detection Time
The duration of the S-WdgM Fault Detection Time in dependence
of the S-WdgM Configuration is explained in this document.
The S-WdgM Fault Detection Time is also called "diagnostic test
interval" in [ISO26262].
The time from fault detection to the error escalation to the WD
driver (through the S-WdgIf).
The duration of the S-WdgM Fault Reaction Time in dependence
of the S-WdgM Configuration is explained in this document.
Note: The S-WdgM Safety Manual can only discuss the part of
the Fault Reaction Time interval at the S-WdgM level. This part of
S-WdgM Fault Reaction Time
the Fault Reaction Time is prefixed with "S-WdgM".
The S-WdgM Fault Reaction Time is
  the Fault Reaction Time according to [ISO26262] minus
  the reaction time of the WD driver and the WD itself.

For calculation of the WD driver see the according Safety
Manual.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 11
The absence of cascading failures between two or more
Freedom from interference
elements that could lead to the violation of a safety requirement.
See [ISO26262], part1.
The status that summarizes the Local Monitoring Status of all
Global Monitoring Status
Supervised Entities. It indicates whether the S-WdgM has found
an error so far.
In the context of this document a Global Transition is a transition
Global Transition
between two Checkpoints of two different Supervised Entities.
The first Checkpoint in the control flow of a Supervised Entity.
The monitoring of a Supervised Entitiy starts when the Initial
Initial Checkpoint
Checkpoint is passed. A Supervised Entity has exactly one Initial
Checkpoint.
A status that represents the current state of supervision of a
Local Monitoring Status
single Supervised Entity. It indicates whether the S-WdgM has
found an error so far.
In the context of this document a Local Transition is a transition
Local Transition
between two Checkpoints of the same Supervised Entity.
In the context of the S-WdgM Stack the terms Monitoring and
Monitoring / Supervision
Supervision are synonyms.
The generic term for Alive Supervision, Deadline monitoring and
Monitoring Feature
Program Flow Monitoring.
The Local OK-Status is present, when the local status is
WDGM_LOCAL_STATUS_OK.
Local/Global OK-Status
The Global OK-Status is present, when the global status is
WDGM_GLOBAL_STATUS_OK
A kind of monitoring that checks whether the Checkpoints in a
Program Flow Monitoring
Supervised Entity are passed in an expected order.
Safe Watchdog Driver
The lower and hardware dependent software layer of the S-

WdgM Stack. It controls the Watchdog device.
The middle and hardware independent software layer of the S-
Safe Watchdog Interface
WdgM Stack.
Safe Watchdog Manager
The part of the S-WdgM code that is generated by the S-WdgM
Configuration
Generator out of an ECU description file.
This TTTech tool generates a S-WdgM Configuration out of an
Safe Watchdog Manager
ECU description file. In this document the name is abbreviated to
Configuration Generator
"S-WdgM Generator". The tool is part of the S-WdgM package.
The upper and hardware independent software layer of the S-
Safe Watchdog Manager
WdgM Stack. It communicates with the application through RTE.
The stack comprises the S-WdgM, the Safe Watchdog Interface
Safe Watchdog Manager Stack  and the Safe Watchdog driver(s).
A software entity that is monitored by the S-WdgM. Each
Supervised Entity has an identifier. A Supervised Entity is defined
as a set of Checkpoints that are (directly or indirectly) connected
by Local Transitions within a software component or basic
Supervised Entity
software module. There may be zero, one or more Supervised
Entities in a software component or basic software module.

Additional TTTech note:Each Supervised Entity has a state that
is based on the reports from all its Checkpoints.
Supervision Cycle
The time period of the S-WdgM in which the cyclic supervision

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 12
algorithm is executed. At the end of a cycle, the function
WdgM_MainFunction () is called and - depending on the
configuration - Alive Supervision, Deadline Supervision and/or
Program Flow Supervision are performed. See also "Reference
Cycle".
A set of elements that relates at least a sensor, a controller and
System
an actuator with one another (see [ISO26262], part1). In this
document, the MCU is part of the system.
Each kind of monitoring has its own Reference Cycle, which is a
multiple of the Supervision Cycle. At the end of the Reference
Cycle, the according kind of monitoring checks whether an error
Reference Cycle
has occured.
For example: If the Reference Cycle for Deadline Supervision is 5
times the Supervision Cycle, then every 5th call of
WdgM_MainFunction () checks for deadline violations.
The S-WdgM measures the deadline of a Transition in Timebase
Timebase Tick
Ticks. It is also called S-WdgM Tick. The Timebase Tick can be
provided either by the S-WdgM itself or by an external source.
The generic term for the different kinds of fault that the S-WdgM
can detect using a Monitoring Feature:
  omittance of an operation,
Timing Fault
  unrequested execution of an operation,
  operation executed too early,
  operation executed too late, and
  operations executed in the wrong sequence.
A Watchdog device is the hardware part that provides the
Watchdog (device)
Watchdog function. It can be an internal watchdog (on the MCU)
or an external device.
The "WD Mode" represents watchdog property. According
AUTOSAR it can have the value:
WD Mode
  "slow",
  "fast", and
  "off" (WD disabled).
The "WD Trigger Mode" defines the WD trigger window and
consist of:
  the window start time,
  the window end time, and
WD Trigger Mode
  the WD mode (slow, fast, off)

It can be set with the function WdgM_SetMode (). For details see
[TT_WDGM_UM] and [TT_WDGDR_platform_UM] (where
platform is the used platform).
table 2


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 13
4  Notations
Category:
Comment
Keywords:

ID:
228609

Notation   Description
Italic text is a placeholder for a certain name or pattern. E.g.: In Wdg_platform_Init (), the text
text
platform is a placeholder for the name of (a) specific platform(s).
AS3: text
The text after "AS3:" is relevant for AUTOSAR 3.1 environments only.
AS4: text
The text after "AS4:" is relevant for AUTOSAR 4.0 environments only.
table 3


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 14
5  Abbreviations
Category:
Comment
Keywords:

ID:
228549

API
Application Programming Interface
AS3
AUTOSAR 3.1 (environment)
AS4
AUTOSAR 4.0 (environment)
ASIL
Automotive Safety Integrity Level
AUTOSAR
Automotive Open System Architecture
BSW
Basic Software (AUTOSAR term)
BswM
BSW module
CP
Checkpoint
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECC
Error Checking (and) Correction
ECU
Engine Control Unit
ISO
International Organization for Standardization
MCU
Microcontroller Unit
MPU
Memory Protection Unit. Usually it is a part of the Microcontroller.
MemMap
Memory Mapping (for Memory Management)
QM
Quality Managed (Software)
RTE
Run-Time Environment
SC
SupervisionCycle
SchM
Schedule Manager module according to AUTOSAR 4.0 specification
SE
Supervised Entity
SM
Safety Manual
SW-C, SWC
Software Component
S-Wdg
Safe Watchdog Driver (from TTTech)
S-WdgM
Safe Watchdog Manager (from TTTech)
S-WdgIf
Safe Watchdog Interface (from TTTech)
WD
Watchdog
WdgM
Watchdog Manager according to the AUTOSAR 4.0 specification
WdgIf
Watchdog Interface according to the AUTOSAR 4.0 specification
table 4


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 15
6  Safe Watchdog Manager Overview
Category:
Comment
Keywords:

ID:
228613
For an overview of and more details about
  the S-WdgM,
  the other S-WdgM Stack components,
  the S-WdgM Generator, and
  the S-WdgM Verifier
see the according user manuals and Safety Manuals:
  for the S-WdgM: [TT_WDGM_UM] and this document,
  for the S-WdgIf: [TT_WDGIF_UM] and [TT_WDGIF_SM], and
  for the S-Wdg drivers: the according Safety Manual. See also section "References" at the end of this
document.

-
Category:
Comment
Keywords:

ID:
555650
The Safe Watchdog Manager can be integrated into AUTOSAR 3.1.4 and AUTOSAR 4.0.1 environments.
The S-WdgM code differs between the AUTOSAR versions.
The S-WdgM must be configured for the used AUTOSAR version with the preprocessor switch
WDGM_AUTOSAR_4_x. This switch is automatically generated by the S-WdgM Configuration Generator.

-
Category:
Comment
Keywords:

ID:
559886
The S-WdgM is designed for integration into an AUTOSAR version 3.1.4 or AUTOSAR version 4.0.1
system. However, the S-WdgM is not restricted to this AUTOSAR versions. The software module can also
be integrated into other versions of AUTOSAR and other system SW architectures, provided that the
integration related requirements listed in the Safety Manual are satisfied.

-
Category:
Comment
Keywords:

ID:
562764
The Safe Watchdog Manager can also be switched to a "S-WdgM AUTOSAR 3.1 compatibility mode".
In this mode the behaviour of S-WdgM functions is as defined for the AUTOSAR 3.1 Watchdog Manager.
The mode is set with the preprocessor switch WDGM_AUTOSAR_3_1_X_COMPATIBILITY. The default
value is STD_OFF. On the ECU description file level, the WdgMSupportedAutosarAPI parameter is used.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 16
7  System Assumptions
Category:
Comment
Keywords:

ID:
270633
The S-WdgM module has been developed as a Safety Element out of Context (SEooC) according to ISO
26262. This means that the development was based on assumptions about the target environment where it
shall be integrated. The integrator has to assure that these assumptions are fulfilled by the system.

The assumptions are listed as requirements in this section. Further requirements in this Safety Manual that
may be considered assumptions (depending on the application of the system) are listed in section
"Assumptions in this Document" below.

-
Category:
Requirement
Keywords:

ID:
282827
Label:

Safety relevant:

Related To:
__MKSID__283135
Related To':

The system specification shall be designed to tolerate the occurrence of timing faults. Also a certain
(configurable but always greater than 0) time delay from the occurrence of faults to the safe state must be
acceptable.

-
Category:
Comment
Keywords:

ID:
282829
The S-WdgM reacts on timing faults after they occurred. The detection and reaction time also depends on
the S-WdgM Configuration.
The S-WdgM is not designed for systems where timing fault shall not occur at all.

-
Category:
Requirement
Keywords:

ID:
282805
Label:

Safety relevant:

Related To:
__MKSID__262696,_
Related To':

_MKSID__263095
The MCU shall provide computational resources to execute software components within their specification.

-
Category:
Requirement
Keywords:

ID:
282785
Label:

Safety relevant:

Related To:
__MKSID__262682,_
Related To':

_MKSID__262690,__
MKSID__263089,__
MKSID__263091,__
MKSID__283504,__
MKSID__283399,__
MKSID__283508
The software execution environment shall be able to run software according to requirements of up to the
system's required ASIL.
This also includes:
  free from interference among the SW components (see 282807),
  supervision by an extern measures (see 282795),
  the hardware shall consist of an MCU with all required hardware to run according to system
specifications (i.e. safe HW to detect/avoid e.g. bit-flips by means of start up checks, cyclical checks,
ECC check, ....), and
  the hardware shall be composed of components that are qualifiable up to the desired ASIL of the
system.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 17
Category:
Requirement
Keywords:

ID:
297946
Label:

Safety relevant:

Related To:

Related To':

The software execution environment shall provide methods for mutual exclusion.

-
Category:
Comment
Keywords:

ID:
297948
Such methods are disabling of interrupts, locks, semaphores etc.
Especially disabling of interrupts is often used to gain exclusive access to resources or perform multiple
operations atomically.

-
Category:
Requirement
Keywords:

ID:
282807
Label:

Safety relevant:

Related To:
__MKSID__263115,_
Related To':

_MKSID__283536,__
MKSID__261192
The software platform shall provide an execution environment that is capable of running multiple software
components with freedom from interference from each other.

-
Category:
Comment
Keywords:

ID:
282809
The S-WdgM and the supervised application are considered as separate SW components with freedom
from (unintended) interference. Freedom from interference can be achieved by e.g. a microcontroller with
MPU.

-
Category:
Requirement
Keywords:

ID:
282795
Label:

Safety relevant:

Related To:
__MKSID__262661,_
Related To':

_MKSID__263099,__
MKSID__263109,__
MKSID__283504,__
MKSID__283508
The integrator shall analyze, what safety measures are required in case of timing violations
  of the calls of the S-WdgM and
  during execution of the S-WdgM.

-
Category:
Comment
Keywords:

ID:
561887
The timing violations described above are not handled by S-WdgM internally and must be handled
externally if necessary.

The timing violation can be caused by e.g.
  slower/faster running MCU oscillator or
  a delay by too many high priority tasks.

-
Category:
Comment
Keywords:

ID:
282797
An internal WD can detect timing violations of S-WdgM calls and S-WdgM executions. However, an internal
WD may have the same time base (oscillator) as the CPU that executes the S-WdgM and therefore may not
be able to detect failures of the time base.
An external WD with an independent time base may be necessary.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 18
Category:
Requirement
Keywords:

ID:
315317
Label:

Safety relevant:

Related To:

Related To':

The MCU shall execute the given software correctly.

-
Category:
Comment
Keywords:

ID:
315319
This requirement can be achieved e.g. by using a lockstep MCU.

-
Category:
Requirement
Keywords:

ID:
282791
Label:

Safety relevant:

Related To:
__MKSID__262674
Related To':

In case a software timing fault has been detected and escalated to the system by the S-WdgM, the system
shall initiate the safe state within acceptable time tolerances.

-
Category:
Comment
Keywords:

ID:
282793
The S-WdgM initiates a fault reaction by discontinuation of WD triggering or by a WD reset. It is the
integrators responsibility to ensure that the WD itself leads to a safe state in time.
Note; The S-WdgM detection and reaction time is also delayed depending on the S-WdgM Configurations.

-
Category:
Requirement
Keywords:

ID:
283375
Label:

Safety relevant:

Related To:
__MKSID__283514,_
Related To':

_MKSID__283518
The connected (used) Watchdog (or a hardware that provide the watchdog function) shall work correctly.

-
Category:
Requirement
Keywords:

ID:
282789
Label:

Safety relevant:

Related To:
__MKSID__262604,_
Related To':

_MKSID__263117,__
MKSID__283508,__
MKSID__283504,__
MKSID__261244
The MCU shall be able to perform a safe startup to the point of where the S-WdgM is safely initialized.

-
Category:
Requirement
Keywords:

ID:
566080
Label:

Safety relevant:

Related To:

Related To':

The RAM memory correctness shall be checked at ECU startup time. An ECC or comparable check shall
be used at run-time.

-
Category:
Requirement
Keywords:

ID:
265876
Label:

Safety relevant:

Related To:
__MKSID__283397
Related To':

The FLASH memory correctness shall be checked at ECU startup time. An ECC or comparable check shall
be used at run-time.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 19
Category:
Comment
Keywords:

ID:
263975
The generated code contains a checksum over some significant fields (e.g. version) to check that:
  the generated code belongs to the S-WdgM code according to version information and
  the generated code is not overwritten by other code at the flashing process.

The checksum is checked with every run of the function WdgM_Init (). A failed check yields
WDGM_E_PARAM_CONFIG.

Note: The checksum does not cover the complete configuration and cannot thoroughly detect when the
configuration memory is corrupted (like bitflips).

-
7.1  Assumptions in this Document
Category:
Requirement
Keywords:

ID:
282887
Label:

Safety relevant:

Related To:

Related To':

The following requirements are located in the according context in this document. They may be interpreted
as system assumptions or not - depending on the circumstances the system is developed and applied:

Requirement
Description
Chosen monitoring features and configuration meet
231900, 230957
the system's safety requirements.
260470, 231825, 229211, 236796, 230793
Quality level degradation by external interfaces.
230494
S-WdgM functionality affected by other SW.
260490, 231403, 231419
Quality level degradation by SE deactivation.
260207, 231823, 231547, 231549, 231609
WD driver and WD device.
231277, 231281, 231454, 231462, 231972, 231203    Memory sections, access rights.
231480
Memory corruption.
231207
WdgM_MainFunction () in separated task.
table 5


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 20
8  S-WdgM Function Requirements
Category:
Comment
Keywords:

ID:
270655
The section lists the system requirements that the S-WdgM Stack fulfills.
They are derived from [TT_WDGM_TSR] and [TT_WDGM_SD].
Since the S-WdgM function requirements are not requirements for the system or integrator, they are put
here as comments and marked with "S-WdgM Requirement".

-
Category:
Comment
Keywords:

ID:
282811
(S-WdgM Requirement)
The S-WdgM shall be able to detect software timing faults:
  There shall be methods to detect timing faults within a software components.
  There shall be methods to detect timing faults among software components.

-
Category:
Comment
Keywords:

ID:
282813
The S-WdgM is able to detect program flow violations, Alive Counter violations and deadline violations.
They cover the following kinds of faults:
  omittance of an operation (program flow, Alive Counter),
  unrequested execution of an operation (program flow, Alive Counter),
  operation executed too early (Alive Counter, deadline),
  operation executed too late (Alive Counter, deadline), and
  operations executed in the wrong sequence (program flow).

-
Category:
Comment
Keywords:

ID:
282815
(S-WdgM Requirement)
The S-WdgM shall escalate a detected SW timing fault to the system:
There shall be methods to escalate detected faults so that a corresponding safety measure is triggered.

-
Category:
Comment
Keywords:

ID:
282817
The S-WdgM initiates a fault reaction by discontinuation of WD triggering or by a WD reset. It is the
integrators responsibility to ensure that the WD itself leads to a safe state in time.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 21
9  S-WdgM Configuration
Category:
Comment
Keywords:

ID:
228629
The S-WdgM Configuration code is the part of the S-WdgM code that is generated with the S-WdgM
Generator out of a given ECU description file.
This section lists the safety requirements for the creation of S-WdgM Configuration code.

-
Category:
Comment
Keywords:

ID:
228631
For a description of
  the configuration fields in the ECU description file and
  how to generate S-WdgM code out of the ECU description file
see [TT_WDGM_UM].

-
9.1  Configuration Check-List
Category:
Comment
Keywords:

ID:
228713
The S-WdgM Generator performs basic checks on the contents of the ECU description file when generating
the S-WdgM Configuration code.
The following sections provide instructions for manual checks of safety relevant configuration values that
cannot be performed by the S-WdgM Generator itself.

-
Category:
Requirement
Keywords:

ID:
231900
Label:

Safety relevant:

Related To:

Related To':

If a subset of the S-WdgM monitoring features is used, then the integrator shall verify that the chosen
monitoring features satisfy the system's safety requirements.

-
9.1.1  General Requirements
Category:
Requirement
Keywords:

ID:
228717
Label:

Safety relevant:

Related To:

Related To':

The integrator shall set the configuration parameters according to the project specification.

-
Category:
Requirement
Keywords:

ID:
260470
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that no non-S-WdgM function that is called from within the S-WdgM degrades the
quality level of the S-WdgM below the required quality level.

-
Category:
Comment
Keywords:

ID:
544495
The used non-S-WdgM functions are listed in section "Expected Interface" below.

-
Category:
Comment
Keywords:

ID:
260476
Example: If the functions GlobalSuspendInterrupts () and GlobalRestoreInterruts () are implemented for QM

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 22
level and the S-WdgM calls these functions, then the S-WdgM is degraded to QM level.

-
Category:
Requirement
Keywords:

ID:
284187
Label:

Safety relevant:

Related To:

Related To':

The ECU description file that serves as input for the generation of the S-WdgM Configuration code shall
follow the XML schema of the used AUTOSAR version. The supported AUTOSAR versions are defined in
the 231307.

-
Category:
Comment
Keywords:

ID:
284517
The corresponding XML schema can be found in www.autosar.org.

-
9.1.2  Pre-Compile Settings
Category:
Requirement
Keywords:

ID:
228722
Label:

Safety relevant:

Related To:

Related To':

The following fields in the ECU description file shall be "true" if the according feature shall be enabled,
otherwise "false":

Field
Feature
WdgMVersionInfoApi
Enable Version API.
WdgMDevErrorDetect
Enable Development error detection.
WdgMDemReport
Enable DEM calls in case of production errors.
Check whether a caller of WdgM_SetMode () is authorized to call the
function. Also check that the S-WdgM was initialized when the
WdgMDefensiveBehavior
function WdgM_MainFunction () is called.
Note: The AUTOSAR 3.1 version of WdgM_SetMode () does not
check the caller.
Enable an immediate WD reset in case of a Alive Supervision
WdgMImmediateReset
violation, a Deadline violation or a ProgramFlow violation.
WdgMOffModeEnabled
Enable deactivation of a WD device.
AS3: Call SchM_Enter_WdgM () and SchM_Exit_WdgM ()
AS4: Call SchM_Enter_WdgM_WDGM_EXCLUSIVE_AREA_0() and
WdgMUseOsSuspendInterrupt
SchM_Exit_WdgM_WDGM_EXCLUSIVE_AREA_0()
The functions suspend and resume interrupts.
WdgMSecondResetPath
Call Mcu_PerformReset () if a WD trigger or a WD reset fails.
WdgMTickOverrunCorrection
Correct the tick counter when the value overflows.
WdgMEntityDeactivationEnabled
Enable deactivation and activation of SEs.
WdgMStateChangeNotification
Invoke a callback function when local or global state changes.
WdgMUseRte
Use the RTE-generated defines and typedefs.
Make a DEM call when global state
WdgMDemSupervisionReport
WDGM_GLOBAL_STATUS_STOPPED is reached.
Do not evaluate Alive Counters from the first SC (in the first call of
WdgMFirstCycleAliveCounterReset   WdgM_MainFunction ()).
table 6



Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 23
-
Category:
Requirement
Keywords:

ID:
228883
Label:

Safety relevant:

Related To:

Related To':

The value of WdgMTimebaseSource shall be set according to the required source of time ticks:

WdgMTimebaseSource
Description
An internal time source for Deadline Monitoring is selected.
WDGM_INTERNAL_SOFTWARE_TICK (0)  The tick counter is incremented each time the
WdgM_MainFunction() is invoked.
An internal time source for Deadline Monitoring is selected.
WDGM_INTERNAL_HARDWARE_TICK (1)  The tick counter value is read from an MCU's internal
hardware counter.
An external time source for Deadline Monitoring is selected.
The tick counter is incremented each time the
WDGM_EXTERNAL_TICK (2)
WdgM_UpdateTickCount() function is invoked. The function
is implemented in the S-WdgM.
table 7


-
Category:
Comment
Keywords:

ID:
239167
The field WdgMTimebaseSource is a WdgM information. If it is set to
WDGM_INTERNAL_HARDWARE_TICK, then the configuration generator checks whether the referred
driver has an active tick counter.

-
Category:
Requirement
Keywords:

ID:
230215
Label:

Safety relevant:

Related To:

Related To':

In case the S-WdgM internal hardware tick counter is used, the integrator shall make sure that the MCU's
internal hardware counter updates the tick counter according to the system specifications.

-
Category:
Comment
Keywords:

ID:
270693
In case of an internal hardware tick counter, the S-WdgM updates the tick counter using the MCU's internal
hardware counter.

-
Category:
Requirement
Keywords:

ID:
238968
Label:

Safety relevant:

Related To:

Related To':

If UseOSsuspendinterrupts is "false", then the integrator is responsible for the implementation of the
functions
  GlobalSuspendInterrupts () and
  GlobalRestoreInterrupts ().

-
Category:
Requirement
Keywords:

ID:
260490
Label:

Safety relevant:

Related To:

Related To':

The integrator shall consider:
If WdgMEntityDeactivationEnabled is "true",

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 24
then a SW component that calls the functions
  WdgM_DeactivateSupervisionEntity() and
  WdgM_ActivateSupervisionEntity()
degrade the quality level of the S-WdgM to the quality level of their caller(s).

-
Category:
Comment
Keywords:

ID:
260491
Example: If two components are used with quality level ASIL-B and QM, then the S-WdgM is degraded to
QM level.

-
Category:
Comment
Keywords:

ID:
260496
The functions WdgM_DeactivateSupervisionEntity() and WdgM_ActivateSupervisionEntity() degrade
because a faulty activation or deactivation process for a SE call may compromise the monitoring features.

-
Category:
Comment
Keywords:

ID:
261042
A partition reset with BswM_WdgM_RequestPartitionReset () is not supported by the S-WdgM.

-
9.1.3  Post Build Configuration and Application Settings
Category:
Comment
Keywords:

ID:
239045
This section provides a check list for the various aspects and configuration fields that must be considered
for implementation and post build configuration of the monitoring features.

-
Category:
Comment
Keywords:

ID:
239073
For further information on configuration fields see [TT_WDGM_UM]. For information on configuration of S-
WdgM Fault Detection Times and S-WdgM Fault Reaction Times, see section "S-WdgM Fault Detection
Time and S-WdgM Fault Reaction Time Evaluation" below.

-
Category:
Requirement
Keywords:

ID:
260207
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the configuration defines
  only one WD driver and
  only one WD device for the driver.

-
Category:
Comment
Keywords:

ID:
260209
The current implementation of the S-WdgM Stack supports only one WD device per WD driver. If configured
otherwise, the S-WdgM Generator yields an error message.

-
Category:
Comment
Keywords:

ID:
260211
The current implementation of the S-WdgM Stack supports one WD driver and one WD device per driver. If
configured otherwise, the S-WdgIf Generator yields an error message.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 25
Category:
Requirement
Keywords:

ID:
260219
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that all API functions of the S-WdgIf that require a device index, use 0 as
device index.

-
Category:
Comment
Keywords:

ID:
260221
The index counting for the WD device starts with 0.

-
Category:
Requirement
Keywords:

ID:
238981
Label:

Safety relevant:

Related To:
__MKSID__261186
Related To':

The integrator shall
  partition the supervised application code into SEs,
  configure the OSApplication ID per SE,
  place CPs per SE (including Initial CPs and - if necessary - End CPs),
  place global CP (including Initial CPs and - if necessary - End CPs),
  configure Deadline Monitoring,
  configure Alive Supervision, and
  configure Program Flow Monitoring
according to the system requirements for S-WdgM monitoring.

-
Category:
Requirement
Keywords:

ID:
358190
Label:

Safety relevant:

Related To:

Related To':

The integrator shall be aware that, if
  the execution does not hit any CP in a SE and
  no Alive Supervision is configured for this SE,
then the S-WdgM will not detect this violation.


-
Category:
Comment
Keywords:

ID:
565654
For periodic SE, this can be solved by configuration of Alive Supervision for the SE.
For non periodic SE, Alive Supervision can not be used.

-
Category:
Requirement
Keywords:

ID:
239047
Label:

Safety relevant:

Related To:

Related To':

For the notification of state changes, the integrator shall set
  WdgMLocalStateChangeCbk (per SE) and
  WdgMGlobalStateChangeCbk
according to the system requirements.

-
Category:
Requirement
Keywords:

ID:
239049
Label:

Safety relevant:

Related To:

Related To':

For the activation/deactivation of SEs, the integrator shall set

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 26
  WdgMEnableEntityDeactivation (per SE) and
  WdgMInitialStatus (per SE)
according to the system requirements.

-
Category:
Requirement
Keywords:

ID:
239051
Label:

Safety relevant:

Related To:
__MKSID__283870,_
Related To':

_MKSID__284614,__
MKSID__261172,__
MKSID__261176,__
MKSID__261174,__
MKSID__261178
For the scheduling of WdgM_MainFunction () calls, the integrator shall set
  WdgMTicksPerSecond,
  WdgMSupervisionCycle,
  WdgMTriggerWindowStart (per WD Trigger Mode), and
  WdgMTriggerConditionValue (per WD Trigger Mode)
according to the system requirements.

-
Category:
Requirement
Keywords:

ID:
239053
Label:

Safety relevant:

Related To:

Related To':

For correct handling of WD Trigger Modes the integrator shall set
  WdgMAllowedCallers,
  WdgMInitialTriggerModeId (for SetMode ()), and
  WdgMWatchdogMode
according to the system requirements.

-
9.1.3.1  Alive Monitoring
Category:
Requirement
Keywords:

ID:
239055
Label:

Safety relevant:

Related To:
__MKSID__261186
Related To':

The integrator shall
  define Alive Supervision for every CP,
  set WdgMExpectedAliveIndications per WdgMSupervisionReferenceCycle properly, and
  set the interval [WdgMMinMargin, WdgMMaxMargin] narrow enough
so that Alive Supervision violations are detected according to system requirements.

-
Category:
Requirement
Keywords:

ID:
239057
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the following values are set correctly:
  WdgMTicksPerSecond,
  WdgMSupervisionCycle,
  WdgMSupervisionReferenceCycle (perCP),
  WdgMFailedSupervisionRefCycleTol (per SE), and
  WdgMExpiredSupervisionCycleTol,
so that the WD is reset after a time delay according to system requirements.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 27

-
9.1.3.2  Deadline Monitoring
Category:
Requirement
Keywords:

ID:
239063
Label:

Safety relevant:

Related To:

Related To':

The integrator shall
  define Deadline Monitoring for every CP and
  set the interval [WdgMDeadlineMin, WdgMDeadlineMax] narrow enough,
so that Deadline violations are detected according to system requirements.

-
Category:
Requirement
Keywords:

ID:
239065
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the following values are set correctly:
  WdgMTicksPerSecond,
  WdgMSupervisionCycle,
  WdgMDeadlineReferenceCycle (per SE),
  WdgMFailedDeadlineRefCycleTol (per SE), and
  WdgMExpiredSupervisionCycleTol,
so that the WD is reset after a time delay according to system requirements.

-
9.1.3.3  Program Flow Monitoring
Category:
Requirement
Keywords:

ID:
239071
Label:

Safety relevant:

Related To:

Related To':

The integrator shall define Program Flow Monitoring for every CP, so that program flow violations are
detected according to system requirements.

-
Category:
Requirement
Keywords:

ID:
239067
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the following values are set correctly:
  WdgMTicksPerSecond,
  WdgMSupervisionCycle,
  WdgMProgramFlowReferenceCycle (per SE),
  WdgMFailedProgramFlowRefCycleTol (per SE), and
  WdgMExpiredSupervisionCycleTol,
so that the WD is reset after a time delay according to system requirements.

-
9.1.3.4  Configuration Restrictions for S-WdgM AUTOSAR 3.1 Compatibility Mode
Category:
Comment
Keywords:

ID:
284790
If WDGM_AUTOSAR_3_1_X_COMPATIBILITY is set to STD_ON, then the S-WdgM behaves as defined
for the AUTOSAR 3.1 Watchdog Manager. In this case further configuration restrictions shall be considered.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 28
Note: The S-WdgM Generator or S-WdgM Verifier do not check the following restrictions.

-
Category:
Requirement
Keywords:

ID:
284792
Label:

Safety relevant:

Related To:

Related To':

If WDGM_AUTOSAR_3_1_X_COMPATIBILITY is set to STD_ON,
then the following restrictions must be considered:
  for all SEs WdgMSupportedAutosar is set to API_3_1 (in the ECU description file),
  there is only exactly one CP allowed for each SE,
  this CP must be defined as Initial CP and as End CP,
  every CP must have a Alive Supervision defined, and
  there are no local and global transitions allowed.

-
9.1.4  S-WdgM Fault Detection Time and S-WdgM Fault Reaction Time
Evaluation
Category:
Comment
Keywords:

ID:
231587
The time span from a fault occurrence to the system's reaction depends on the S-WdgM Configuration
parameters. This section shows how the different configuration timing parameters add up to the actual
delay from the fault occurrence to the error escalation.

-
Category:
Comment
Keywords:

ID:
239236
A further description of the configuration parameters and examples can be found in [TT_WDGM_UM].

-
Category:
Comment
Keywords:

ID:
231597
Definition:
The time span from the fault occurrence to the error escalation by the S-WdgM to the WD driver (through S-
WdgIf) is the sum of
1.  the S-WdgM Fault Detection Time and
2.  the S-WdgM Fault Reaction Time.

In [ISO26262], the S-WdgM Fault Detection Time is called "diagnostic test interval".

-
Category:
Comment
Keywords:

ID:
239636
The time spans of the different monitoring features do not affect each other (except of course, that the error
escalation of one monitoring violation aborts the monitoring of all other violations.)

-
9.1.4.1  S-WdgM Fault Detection Time
Category:
Comment
Keywords:

ID:
260591
The S-WdgM Fault Detection Time is evaluated differently for the various monitoring features as shown in
this section.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 29

Category:
Comment
Keywords:

ID:
239252
The S-WdgM Fault Detection Time spans
  from fault occurrence
  to fault detection (when the S-WdgM switches from a Local or Global OK-Status to another state). The
state change happens within the WdgM_MainFunction ().

-
Category:
Comment
Keywords:

ID:
239560
The S-WdgM Fault Detection Time is differently defined for the various monitoring features.

-
9.1.4.1.1 Alive Supervision
Category:
Comment
Keywords:

ID:
239284
Assume that a fault occurs that leads to an Alive Counter violation:
The S-WdgM Fault Detection Time is the sum of the time spans
  from the fault to the call of the next CP that monitors the alive count and
  from the call of this CP to the next call of WdgM_MainFunction() at the end of the current
SupervisionReferenceCycle.

-
Category:
Comment
Keywords:

ID:
239300
Because a SupervisionReferenceCycle is a multiple of the SC, there may be other call(s) of
WdgM_MainFunction () between the CP call and the end of the SupervisionReferenceCycle, but only the
WdgM_MainFunction () call at the end of the SupervisionReferenceCycle detects the Alive Counter
violation.

-
Category:
Comment
Keywords:

ID:
239285
In the best case, the S-WdgM Fault Detection Time is less or equal a SupervisionReferenceCycle. This is
when
  the fault occurs,
  the according CP is called afterwards, and
  the WdgM_MainFunction is called at the end of the SupervisionReferenceCycle
within the same SupervisionReferenceCycle.

-
Category:
Comment
Keywords:

ID:
239286
Note: Depending on the locations of CPs, the time span from the fault occurrence to the CP call may
include several SupervisionReferenceCycles. That is, when the CP is not called within every
SupervisionReferenceCycle.

-
9.1.4.1.2 Deadline Supervision
Category:
Comment
Keywords:

ID:
239240
Assume that a fault occurs that leads to a Deadline Violation:
The S-WdgM Fault Detection Time is the sum of the time spans
  from the fault to the call of the next CP that monitors the deadline and
  from call of this CP to the next call of WdgM_MainFunction () at the end of the current SC.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 30
Category:
Comment
Keywords:

ID:
239242
In the best case, the S-WdgM Fault Detection Time is less or equal a SC. This is when
  the fault occurs,
  the CP that checks for Deadline Violation*) is called afterwards and
  the WdgM_MainFunction () is called at the end of the SC
within the same SC.

*) Deadline Monitoring includes at least 2 CPs: The first CP starts the timer, the second CP checks the
timer for violation of the deadline constraints.

-
Category:
Comment
Keywords:

ID:
239244
Note: Depending on the locations of CPs, the time span from the fault occurrence to the CP call may
include several SCs. That is, when the CP is not called within every SC.

-
9.1.4.1.3 Program Flow Supervision
Category:
Comment
Keywords:

ID:
239268
Assume that a fault occurs that leads to a Program Flow violation:
The S-WdgM Fault Detection Time is the sum of the time spans
  from the fault to the call of the next CP that monitors the program flow and
  from the call of this CP to the next call of WdgM_MainFunction () at the end of the current SC.

-
Category:
Comment
Keywords:

ID:
239269
In the best case, the S-WdgM Fault Detection Time is less or equal a SC. This is when
  the fault occurs,
  the according CP is called afterwards and
  WdgM_MainFunction () is called at the end of the SC
within the same SC.

-
Category:
Comment
Keywords:

ID:
239270
Note: Depending on the locations of CPs, the time span from the fault occurrence to the CP call may
include several SCs. That is, when the CP is not called within every SC.

-
9.1.4.2  S-WdgM Fault Reaction Time
Category:
Comment
Keywords:

ID:
231805
The S-WdgM Fault Reaction Time spans
  from the end of the S-WdgM Fault Detection Time
  to the error escalation to the WD driver (through the S-WdgIf) (by trigger omittance or invokation of a
WD reset by calling WdgIf_SetTriggerWindow(driver, 0, 0) for each driver).

-
Category:
Comment
Keywords:

ID:
239578
Note: This section does not discuss WD resets due to a S-WdgM error (like DET errors). S-WdgM errors
always lead to immediate WD resets by call of ImmediateWatchdogReset ().

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 31
Category:
Comment
Keywords:

ID:
239580
Note: In the context of the S-WdgM, the S-WdgM Fault Reaction Time ends with the call of the according S-
WdgIf functions
  WdgIf_SetTriggerWindow () and
  Mcu_PerformReset () (if the WD cannot be served correctly).

Be aware that there may be some (configured or HW related) delay from a function call to the actual system
reset. See the manuals of the according S-Wdg drivers.

-
Category:
Comment
Keywords:

ID:
239616
The following assumptions take place here:
  A violation continues from one Reference Cycle (according to the monitoring feature) to the next until
the error is escalated. Discontinuation of a violation before error escalation results in a recovery to the
OK-Status.
  The monitored SEs are always active. Deactivation of a SE aborts the S-WdgM monitoring of this SE.
Activation of a SE resumes the monitoring with OK-Status.

-
Category:
Comment
Keywords:

ID:
239658
There are two kinds of tolerances involved in the S-WdgM fault reaction time span:
  the number of tolerated Reference Cycles per monitoring feature (defined by
WdgMFailedSupervisionRefCycleTol, WdgMFailedDeadlineRefCycleTol and
WdgMFailedProgramFlowRefCycleTol, respectively) and
  the number of SupervisionCycles waiting until the actual error escalation takes place (defined by
WdgMExpiredSupervisionCycleTol).

-
Category:
Comment
Keywords:

ID:
239662
Once the S-WdgM Fault Reaction Time has expired, the error escalation is performed as follows:
If WDGM_IMMEDIATE_RESET is set to STD_ON,
then by the call of WdgIf_SetTriggerWindow(driver, 0, 0) for each WdgM driver to invoke an immediate WD
reset,
otherwise by omittance of the WD trigger.

Note: Some WDs do no support an immediate reset. If not supported, then the WD trigger is still omitted
and the system resets after the WD timeout expired.

-
Category:
Comment
Keywords:

ID:
239634
The S-WdgM Fault Reaction Times of the different monitoring features do not affect each other (except of
course, that the error escalation of one monitoring violation aborts all other monitoring violations.)

-
Category:
Comment
Keywords:

ID:
239582
Notation:
Within this section, the following notation is introduced:

"MF(i) is the i-th run of MainFunction () from the begin of the S-WdgM Fault Reaction Time."

MF(0) is the run of MainFunction () where the S-WdgM Fault Detection Time ends and the Fault Reaction
Time starts.
MF(1) is 1 SC later.
MF(sc) is sc SCs after MF(0).

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 32

-
Category:
Comment
Keywords:

ID:
239584
The S-WdgM Fault Reaction Time is evaluated differently for the various monitoring features as shown in
the following sections.

-
9.1.4.2.1 Alive Supervision
Category:
Comment
Keywords:

ID:
239644
The error escalation is conducted in
MF (i), which is i SCs after MF(0),
where
i = (WdgMSupervisionReferenceCycle * WdgMFailedSupervisionRefCycleTol) +
WdgMExpiredSupervisionCycleTol

This is after i SCs.

-
9.1.4.2.2 Deadline Supervision
Category:
Comment
Keywords:

ID:
239650
The error escalation is conducted in
MF (i), which is i SCs after MF(0),
where
i = (WdgMDeadlineReferenceCycle * WdgMFailedDeadlineRefCycleTol) +
WdgMExpiredSupervisionCycleTol

This is after i SCs.

-
9.1.4.2.3 Program Flow Supervision
Category:
Comment
Keywords:

ID:
239654
The error escalation is conducted in
MF (i), which is i SupervisionCycles after MF(0),
where
i = (WdgMProgramFlowReferenceCycle * WdgMProgramFlowDeadlineRefCycleTol) +
WdgMExpiredSupervisionCycleTol

This is after i SCs.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 33
10 S-WdgM Configuration Generator
Category:
Comment
Keywords:

ID:
228807
This section lists the safety requirements for the installation and application of the S-WdgM Generator.
It also lists the safety requirements for the verification of the S-WdgM Generators results.

-
Category:
Comment
Keywords:

ID:
228809
For information on how to use the S-WdgM Generator, see [TT_WDGM_UM].

-
Category:
Comment
Keywords:

ID:
228635
Note: The S-WdgM Generator is not ASIL-D. Its output cannot be trusted, hence additional checks are
required by use of the S-WdgM Verifier, which is part of the S-WdgM package.

-
10.1 S-WdgM Generator - Installation
Category:
Requirement
Keywords:

ID:
228813
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgM Generator is installed and used on a different OS than Windows 7 with Service Pack 1, the
integrator is responsible for ensuring that the change of the underlying OS does not affect the behavior and
output of the S-WdgM Generator.

-
Category:
Comment
Keywords:

ID:
228815
The S-WdgM Generator has been tested on Windows 7 with Service Pack 1.

-
10.2 S-WdgM Generator - Application
Category:
Requirement
Keywords:

ID:
228823
Label:

Safety relevant:

Related To:

Related To':

The selected output path for the generated S-WdgM code (runtime argument "OUTPUT-DIRECTORY")
shall be empty before the S-WdgM Generator is started.

-
Category:
Comment
Keywords:

ID:
228825
If the output path is not empty, code from previous generation runs may be accidentally integrated into the
AUTOSAR system.

-
Category:
Comment
Keywords:

ID:
263300
The generated files are listed on standard error (stdout).

-
Category:
Requirement
Keywords:

ID:
228827
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgM Generator aborts the generation process with an error, the (partially) generated output files

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 34
shall not be used in an AUTOSAR system.

-
Category:
Comment
Keywords:

ID:
228829
Error messages start with "Error" and are displayed on standard error (stderr).
If successful, the S-WdgM Generator returns error level 0, otherwise an error level higher than 0 is returned.

-
Category:
Requirement
Keywords:

ID:
228831
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgM Generator displays a warning message, the integrator shall ensure that the cause of the
warning does not invalidate the generated S-WdgM Configuration.

-
Category:
Comment
Keywords:

ID:
228833
Warning messages start with "Warning" and are displayed on standard error (stderr).
If successful (even with warning), the S-WdgM Generator returns error level 0, otherwise an error level
higher than 0 is returned.

-
Category:
Comment
Keywords:

ID:
229689
In case of an error free application of the generator, the generated S-WdgM Configuration files in the output
directory are:
  WdgM_PBCfg.c
  WdgM_PBCfg.h
  AS3: WdgM_MemMap.h, or
  AS4: WdgM_OSMemMap.h
  WdgM_Cfg_Features.h

-
Category:
Comment
Keywords:

ID:
231187
TTTech provides a sample demonstration configuration with four SEs. The files may be used by the
integrator, but are intended for demonstration only.

-
Category:
Comment
Keywords:

ID:
228837
The S-WdgM Generator is not configurable. The S-WdgM Generator process is controlled by the input
arguments only.

-
10.3 S-WdgM Generator - S-WdgM Configuration Verification
Category:
Comment
Keywords:

ID:
229705
This section lists the safety requirements for the verification of the S-WdgM Configuration (i.e. the
generated C- and Header-files) of the S-WsgM Generator run.

-
Category:
Comment
Keywords:

ID:
228843
This section describes how the output of the S-WdgM Generator is to be checked so that the output has
ASIL-D quality.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 35
Category:
Comment
Keywords:

ID:
290318
The verification process consists of the following steps, which are explained in details in the following
sections:
  creation of S-WdgM Info files out of the ECU Description file (for the Verifier build),
  build (compilation) of the Verifier,
  Verifier run and manual check of Verifier report,
  manual checks (which can not be performed by the Verifier) and
  check of system specifications against the S-WdgM Info files.

-
Category:
Requirement
Keywords:

ID:
291126
Label:

Safety relevant:

Related To:

Related To':

The integrator shall use the same ECU Description file for verification that was used for the generation of
the S-WdgM Configuration files, which are verified.

-
Category:
Requirement
Keywords:

ID:
260615
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgM Verification process is performed on a different OS than Windows 7 with Service Pack 1, the
integrator is responsible for ensuring that the change of the underlying OS does not affect the behavior and
output of the S-WdgM Verification process.

-
Category:
Comment
Keywords:

ID:
260617
The S-WdgM has been tested on Windows 7 with Service Pack 1.

-
10.3.1
Check S-WdgM Configuration against ECU Configuration
Category:
Requirement
Keywords:

ID:
228865
Label:

Safety relevant:

Related To:

Related To':

The integrator shall ensure that all applied files in the verification process are of the same delivered S-
WdgM package.

-
Category:
Comment
Keywords:

ID:
228871
Do not use files of different S-WdgM package versions.

-
Category:
Requirement
Keywords:

ID:
228877
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that all files that are applied in the verification process are unaltered:
  files that are delivered by TTTech are unaltered,
  files created during the verification process are unaltered from creation to application.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 36
10.3.1.1
Creation of S-WdgM Info Files
Category:
Requirement
Keywords:

ID:
232265
Label:

Safety relevant:

Related To:

Related To':

The S-WdgM Info files are a header and a C file with the ECU Description information as C code which is
checked against the generated files.

They shall be named
  wdgm_verifier_info.h and
  wdgm_verifier_info.c

(See Requirement 229681and Comment 263659 for details)

-
Category:
Requirement
Keywords:

ID:
229673
Label:

Safety relevant:

Related To:

Related To':

The integrator shall use an XSLT Processor, which fulfills the requirements in [ISO26262], part 8, clause
11.4.

-
Category:
Comment
Keywords:

ID:
324187
The S-WdgM package of TTTech contains an ISO26262 classified XSLT processor named "xsltproc.exe".

-
Category:
Comment
Keywords:

ID:
263574
The verifier has been tested with xsltproc.exe which uses libxslt V1.1.26 (Win32).

-
Category:
Comment
Keywords:

ID:
269546
The required XSL transformations do not use any XSLT 2.0 features; therefore, a XSLT 1.0 compliant
processor can be used; e.g., XML Spy, xsltproc or Xalan.

-
Category:
Comment
Keywords:

ID:
269548
The following examples assume that xsltproc is being used. The command-line syntax for Xalan is very
similar. XML Spy is a GUI program.

-
Category:
Requirement
Keywords:

ID:
229681
Label:

Safety relevant:

Related To:

Related To':

The integrator shall perform two XSL transformations:

The integrator shall call the XSLT processor to apply the verify_wdgm_header.xsl stylesheet (part of the
package) to the ECU description file and store the transformation's result in the file wdgm_verifier_info.h.

The integrator shall call the XSLT processor to apply the verify_wdgm_source.xsl stylesheet (part of the
package) to the ECU description file and store the result in the file wdgm_verifier_info.c.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 37

Category:
Comment
Keywords:

ID:
263659
If xstlproc.exe is used as XSLT processor, the syntax for the two calls is:
  xsltproc.exe verify_wdgm_header.xsl ECU-description-file >wdgm_verifier_info.h
  xsltproc.exe verify_wdgm_source.xsl ECU-description-file >wdgm_verifier_info.c

-
10.3.1.2
Verifier Compilation
Category:
Comment
Keywords:

ID:
228857
The S-WdgM Verifier executable is created as follows:

-
Category:
Requirement
Keywords:

ID:
229683
Label:

Safety relevant:

Related To:

Related To':

The integrator shall use a compiler/linker for compilation/linkage, which fulfills the requirements in
[ISO26262], part 8, clause 11.4.

-
Category:
Comment
Keywords:

ID:
232263
TTTech has tested with gcc 3.4.5.

-
Category:
Requirement
Keywords:

ID:
270666
Label:

Safety relevant:

Related To:

Related To':

The integator shall make sure that the AUTOSAR- and S-WdgM Stack files used for compilation of the
Verifier are the files used in the system where the S-WdgM is integrated.

-
Category:
Comment
Keywords:

ID:
263812
This is a list of files needed for building the Verifier (other files may be required for compilation depending
on the environment and configuration options):

S-WdgM header files:
  WdgM.h
  WdgM_Cfg.h

S-WdgIf header files:
  WdgIf_Cfg.h
  WdgIf_Types.h

Created S-WdgM "Info file" (XSLT result):
  wdgm_verifier_info.h

Generated S-WdgM header files:
  WdgM_Cfg_Features.h
  AS3: WdgM_MemMap.h, or
  AS4: WdgM_OSMemMap.h
  WdgM_PBcfg.h

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 38
Files from the S-WdgM Stack package:
  wdgm_verifier.h
  wdgm_verifier_types.h
  wdgm_verifier_version.h

List of platform specific files:
  Compiler.h
  Compiler_Cfg.h
  MemMap.h
  Os.h
  Os_MemMap.h
  Platform_Types.h
  Std_Types.h
  Rte_Compiler_Cfg.h (if RTE is used)
  Rte_MemMap.h (if RTE is used)
  Rte_Type (if RTE is used)

-
Category:
Comment
Keywords:

ID:
263833
The set of include commands (-Ipath) for all include paths to these files is referred to verify-includes.

-
Category:
Requirement
Keywords:

ID:
263825
Label:

Safety relevant:

Related To:

Related To':

For the compilation process, the following files must be compiled and linked:
The generated C file:
  WdgM_PBcfg.c
Created S-WdgM Info file:
  wdgm_verifier_info.c
Files from the S-WdgM Stack package:
  wdgm_verifier.dll
  libwdgm_verifierdll.a

-
Category:
Requirement
Keywords:

ID:
269558
Label:

Safety relevant:

Related To:

Related To':

The integrator shall ensure that the output files of the S-WdgM Generator are used as input for the S-WdgM
Verifier executable - and no other file.

-
Category:
Requirement
Keywords:

ID:
269560
Label:

Safety relevant:

Related To:

Related To':

Do not use S-WdgM Generator output files from previous generation processes, like from former versions of
the S-WdgM package.

-
Category:
Comment
Keywords:

ID:
264066
The syntax for the compilation call is:

gcc -Wall wdgm_verifier_info.c callbacks.c WdgM_PBcfg.c verify-includes -Ldll-path -lwdgm_verifierdll -o

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 39
wdgm_verifier.exe

where
  verify-includes is a placeholder for the path(s) of include files as described above and
  dll-path is a placeholder for the path where wdgm_verifier.dll and libwdgm_verifierdll.a are located.

-
Category:
Comment
Keywords:

ID:
229699
In case of an error free application of the compiler/linker the output is a S-WdgM Verifier executable
(wdgm_verifier.exe).

-
10.3.1.3
Verifier Run
Category:
Comment
Keywords:

ID:
229691
When the S-WdgM Verifier executable has been built, it has to be executed.
The S-WdgM Verifier writes a verification report to standard output 'stdout'.
This report must be reviewed as stated in this section and section "Manual Verification Checks" below.

-
Category:
Requirement
Keywords:

ID:
229695
Label:

Safety relevant:

Related To:

Related To':

The integrator shall run the S-WdgM Verifier executable as follows:
wdgm_verifier.exe > verifier_report.txt.

-
Category:
Requirement
Keywords:

ID:
228861
Label:

Safety relevant:

Related To:

Related To':

The integrator shall review the output report of the S-WdgM Verifier executable run as follows:

If
  there is a summary titled "S U M M A R Y" at the end of the verification result and
  the summary shows all tests as PASSED,
then
the verification process ends with no error and the generated files can be considered correct
otherwise
the verification failed.

-
Category:
Comment
Keywords:

ID:
263882
If a test in the summary shows FAILED, then check the test information in the result:
Each test shows
  a description and
  the test result.

-
10.3.2
Manual Verification Checks
Category:
Comment
Keywords:

ID:
284770
The following checks can not be performed automatically but need to be done manually as described here.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 40
-
Category:
Requirement
Keywords:

ID:
284772
Label:

Safety relevant:

Related To:

Related To':

For the following arrays in WdgM_PBcfg.c, the array length must match the number of items in the array:
 WdgMTransition
 WdgMGlobalTransition
 all arrays named StartsGlobalTransition_se_cp_i (for a SE se, a CP cp and an integer i)
 WdgMCheckPoint
 WdgMSupervisedEntity
 WdgMTriggerMode
 WdgMWatchdogDevice

-
Category:
Comment
Keywords:

ID:
284774
Some array lengths are encapsulated with defines like "WdgMCheckPoint [NR_OF_CHECKPOINTS]". The
defines can be found at the top of file WdgM_PBcfg.c.

-
Category:
Requirement
Keywords:

ID:
290776
Label:

Safety relevant:

Related To:

Related To':

In WdgM_PBcfg.c, WdgMTicksPerSecond and WdgMTriggerWindowStart in array WdgMTriggerMode shall
meet the condition
round (WdgMTicksPerSecond * WdgMTriggerWindowStart * 0.001) <= 65535
where
round (x) rounds x to the closest integer value (e.g. round(3.3)=3, round(3.5)=4, round(3.7)=4).

-
Category:
Requirement
Keywords:

ID:
290778
Label:

Safety relevant:

Related To:

Related To':

In WdgM_PBcfg.c, WdgMTicksPerSecond and WdgMTriggerTimeout in array WdgMTriggerMode shall
meet the condition
round (WdgMTicksPerSecond * WdgMTriggerTimeout * 0.001) <= 65535
where
round (x) rounds x to the closest integer value (e.g. round(3.3)=3, round(3.5)=4, round(3.7)=4).

-
Category:
Requirement
Keywords:

ID:
290780
Label:

Safety relevant:

Related To:

Related To':
__MKSID__294315
In WdgM_PBcfg.c, check the array WdgMTransition:
For each item in the array:
CheckpointSourceId shall be set to an index that is in the range 0..NrOfCheckpoints-1;
where NrOfCheckpoints is the value of the struct member "NrOfCheckpoints" of the corresponding
Supervised Entity; i.e., that Supervised Entity where the local transition starts and ends.

-
Category:
Comment
Keywords:

ID:
290782
For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH
TTTech Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 41
Category:
Requirement
Keywords:

ID:
290784
Label:

Safety relevant:

Related To:

Related To':
__MKSID__294323
In WdgM_PBcfg.c, check the array WdgMGlobalTransition:
For each item in the array:
CheckpointSourceId shall be set to an index that is in the range 0..NrOfCheckpoints-1;
where NrOfCheckpoints is the value of the struct member "NrOfCheckpoints" of the corresponding
Supervised Entity; i.e. that Supervised Entity where the global transition starts.

-
Category:
Comment
Keywords:

ID:
290788
For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.

-
Category:
Requirement
Keywords:

ID:
290790
Label:

Safety relevant:

Related To:

Related To':
__MKSID__294313
In WdgM_PBcfg.c, check the array WdgMGlobalTransition:
For each item in the array:
EntitySourceId shall be set to an index that is in the range 0..WDGM_NR_OF_ENTITIES-1.

-
Category:
Comment
Keywords:

ID:
290801
For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.

-
Category:
Requirement
Keywords:

ID:
290792
Label:

Safety relevant:

Related To:

Related To':

In WdgM_PBcfg.c, check the array WdgMGlobalTransition:
For each item in the array:
Field WdgMCheckpointLocInitialId shall be set to 0.

-
Category:
Requirement
Keywords:

ID:
290804
Label:

Safety relevant:

Related To:

Related To':
__MKSID__294082
In WdgM_PBcfg.c, check the array WdgMSupervisedEntity :
For each item in the array:
Field WdgMCheckpointRef shall have a value of form &WdgMCheckPoint [i], where i is in range
0..WDGM_NR_OF_CHECKPOINTS-1.

-
Category:
Comment
Keywords:

ID:
290806
For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.

-
Category:
Requirement
Keywords:

ID:
290808
Label:

Safety relevant:

Related To:

Related To':

In WdgM_PBcfg.c, check the array WdgMSupervisedEntity :
For each item in the array:
WdgMCheckpointLocInitialId shall be set to an index that is within the length of array WdgMCheckPoint.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 42
Category:
Comment
Keywords:

ID:
290812
For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.

-
Category:
Requirement
Keywords:

ID:
290814
Label:

Safety relevant:

Related To:

Related To':

In wdgm_verifier_info.c, check the array triggers:
For each item in the array:
Field WdgMTriggerModeId shall be equal to the position of the item in the array,
where the first item is considered to have position 0.

-
Category:
Comment
Keywords:

ID:
290816
I.e. the first item has WdgMTriggerModeId set to 0, the next item has WdgMTriggerModeId set to 1, and so
on.

-
Category:
Requirement
Keywords:

ID:
290818
Label:

Safety relevant:

Related To:

Related To':

In wdgm_verifier_info.c, check the array deadline_supervisions:
There shall be no two items in the array with
  the same source entity and
  the same source CP and
  the same destination entity and
  the same destination CP.

-
Category:
Requirement
Keywords:

ID:
290820
Label:

Safety relevant:

Related To:

Related To':

In wdgm_verifier_info.c, check the array deadline_supervisions:
For each item in the array, there shall exist a transition
  in local_transitions or
  in global_transitions
so that all for fields
  source entity
  source CP
  destination entity
  destination CP
are pairwise equal.

-
Category:
Comment
Keywords:

ID:
290794
That is: for every deadline supervision item there shall be a Local Transition or Global Transition defined.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 43

Category:
Requirement
Keywords:

ID:
290796
Label:

Safety relevant:

Related To:

Related To':

Check if
  array WdgMCheckPoint in WdgM_PBcfg.c and
  array alive_supervisions in wdgm_verifier_info.c
match to each other:

For each item CP_item in WdgMCheckPoint:
If WdgMAliveLRef is unequal NULL_PTR (i.e. Alive Supervision is configured),
then
there shall be an item AS_item in array alive_supervisions so that:
  source entity in AS_item matches the SE to which the CP in CP_item belongs,
  source CP in AS_item matches the CP referred in CP_item
  alive indications in AS_item matches WdgMExpectedAliveIndications in CP_item,
  minimum margin in AS_item matches WdgMMinMargin in CP_item
  maximum margin in AS_item matches WdgMMaxMargin in CP_item
  supervision Reference Cycle in AS_item matches WdgMSupervisionReferenceCycle in CP_item
  Otherwise (if WdgMAliveLRef is equal NULL_PTR i.e. no Alive Supervision is configured),
then
no AS_item in array alive _supervision shall exist that matches CP_item in all 6 fields as described
below.

-
Category:
Requirement
Keywords:

ID:
555550
Label:

Safety relevant:

Related To:

Related To':
__MKSID__552565
In wdgm_verifier_info.c, check the line "AUTOSAR Version: AUTOSAR namespace"

If the ECU description file is AUTOSAR 4.0 compliant then
AUTOSAR namespace shall be a 4.0 namespace
else If the ECU description file is AUTOSAR 3.1 compliant then
AUTOSAR namespace shall be a 3.1 namespace

-
Category:
Comment
Keywords:

ID:
560002
An example for an AUTOSAR namespace:

AS4: "http://autosar.org/schema/r4.0"
AS3: "http://autosar.org/3.1.4"

-
Category:
Requirement
Keywords:

ID:
555591
Label:

Safety relevant:

Related To:
__MKSID__304557,_
Related To':

_MKSID__304553,__
MKSID__304567
In WdgM_PBcfg.c, check that the declarations of the following identifiers are placed into the global memory
segment of the S-WdgM:
  StatusG,
  EntityStatusG_seid, for every defined SE seid, and
  Alive_CounterG_acid, for every Alive Counter acid if Alive Counters are configured for the respective

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 44
supervised entity.

The declarations must be memory mapped using the following defines:
  WDGM_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED and
  WDGM_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED.

-
Category:
Requirement
Keywords:

ID:
555593
Label:

Safety relevant:

Related To:

Related To':
__MKSID__304565,__MKSID__304563,__MKSID__30456
1
In WdgM_PBcfg.c, check that the declarations of the following identifiers are placed into the global shared
memory segment of the S-WdgM:
  StatusGS,
  EntityGS, and
  GlobalTransitionFlagsGS, which exists only if Global Transitions are defined in the system.

The declarations must be memory mapped using the following defines:
  WDGM_GLOBAL_SHARED_START_SEC_VAR_NOINIT_UNSPECIFIED and
  WDGM_GLOBAL_SHARED_STOP_SEC_VAR_NOINIT_UNSPECIFIED.

-
Category:
Requirement
Keywords:

ID:
555599
Label:

Safety relevant:

Related To:
__MKSID__304559,_
Related To':

_MKSID__304555
In WdgM_PBcfg.c, check that the declarations of the following identifiers are placed into the entity local data
memory segment of the S-WdgM:
  EntityStatusL_seid, for every defined SE seid, and
  Alive_CounterL_acid, for every Alive Counter acid if Alive Counters are configured for the respective
SE.

The declaration of EntityStatusL_seid must be memory mapped using the following defines:
  WDGM_seid_START_SEC_VAR_NOINIT_UNSPECIFIED and
  WDGM_seid_STOP_SEC_VAR_NOINIT_UNSPECIFIED

The declaration of AliveCounterL_acid must be memory mapped using the following defines:
  WDGM_acid_START_SEC_VAR_NOINIT_32BIT and
  WDGM_acid_STOP_SEC_VAR_NOINIT_32BIT.

-
Category:
Requirement
Keywords:

ID:
565665
Label:

Safety relevant:

Related To:

Related To':

In WdgM_PBcfg.h, check that constant value WDGM_NR_OF_WATCHDOGS matches the actual number
of configured Watchdog devices.

-
Category:
Requirement
Keywords:

ID:
565673
Label:

Safety relevant:

Related To:

Related To':

In WdgM_PBcfg.h, check that constant value WDGM_NR_OF_TRIGGER_MODES matches the actual
number of configured Watchdog Manager Trigger Modes.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 45

-
Category:
Requirement
Keywords:

ID:
566072
Label:

Safety relevant:

Related To:

Related To':

Check that the constant value WDGM_NR_OF_ALLOWED_CALLERS matches the number of IDs of
modules which the WdgM_SetMode function.

-
Category:
Requirement
Keywords:

ID:
566082
Label:

Safety relevant:

Related To:

Related To':

If WDGM_NR_OF_ALLOWED_CALLERS is greater than zero, check that the struct member
WdgMCallersRef` in WdgM_ConfigType points to an array of WdgM_CallersType which has a length of
WDGM_NR_OF_ALLOWED_CALLERS

-
Category:
Requirement
Keywords:

ID:
566084
Label:

Safety relevant:

Related To:

Related To':

If WDGM_NR_OF_ALLOWED_CALLERS is zero, check that that the struct member WdgMCallersRef` in
WdgM_ConfigType is set to NULL.

-
10.3.3
Check System Specifications against S-WdgM Info Files
Category:
Comment
Keywords:

ID:
265499
As part of the verification process, the generated files wdgm_verifier_info.c must be checked against the
system specification, which served as base for the ECU description.

-
Category:
Comment
Keywords:

ID:
265501
The following instructions show how to extract the data to be checked from the wdgm_verifier_info.c file.
This involves analysis of C-source code and assumes basic knowledge in the programming language.

-
Category:
Comment
Keywords:

ID:
265504
Check the generated Local Transitions as follows:

-
Category:
Comment
Keywords:

ID:
265508
Find the C-struct array named "local_transition".

-
Category:
Comment
Keywords:

ID:
265522
The array holds all Local Transitions of all SEs.
Each Local Transition lt is given as a C-struct containing the following values (in this order):
  the name of the source SE of lt
  the name of the source CP of lt
  the name of the destination SE of lt and
  the name of the destination CP of lt.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 46
Category:
Requirement
Keywords:

ID:
265526
Label:

Safety relevant:

Related To:

Related To':

The integrator shall check that each lt is defined as stated in the System Specification.

-
Category:
Requirement
Keywords:

ID:
265528
Label:

Safety relevant:

Related To:

Related To':

The integrator shall check also that no local transition stated in the System Specification is missing in the
array "local_transitions".

-
Category:
Comment
Keywords:

ID:
265587
Check the generated Global Transitions as follows:

-
Category:
Comment
Keywords:

ID:
265589
Find the C-struct array named "global_transition".

-
Category:
Comment
Keywords:

ID:
265591
The array holds all Global Transitions of all SEs.
Each Global Transition gt is given as a C-struct containing the following values (in this order):
  name of the source SE of gt
  name of the source CP of gt
  name of the destination SE of gt and
  name of the destination CP of gt.

-
Category:
Requirement
Keywords:

ID:
265593
Label:

Safety relevant:

Related To:

Related To':

Check that each gt is defined as stated in the System Specification.

-
Category:
Requirement
Keywords:

ID:
265595
Label:

Safety relevant:

Related To:

Related To':

Check also that no Global Transition stated in the System Specification is missing in the array
"global_transitions".

-
Category:
Comment
Keywords:

ID:
265597
Check the CPs as follows:

-
Category:
Comment
Keywords:

ID:
265599
For each defined SE named se find the C-struct array named "se_se_cp_list".

-
Category:
Comment
Keywords:

ID:
265601
The array holds all CPs of all SEs.
Within se_se_cp_list, each CP cp that is associated to se is given as a C-struct containing the following
values (in this order):

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 47
  ID of se
  ID of cp
  name of se and
  name of cp.

-
Category:
Requirement
Keywords:

ID:
265603
Label:

Safety relevant:

Related To:

Related To':

Check that each cp is defined in se as stated in the System Specification.

-
Category:
Requirement
Keywords:

ID:
265605
Label:

Safety relevant:

Related To:

Related To':

Check also that no CP for se stated in the System Specification is missing in the array "se_se_cp_list".

-
Category:
Comment
Keywords:

ID:
265607
At the end you have checked all CPs of all SEs.

-
Category:
Comment
Keywords:

ID:
265611
Check the SEs as follows:

-
Category:
Comment
Keywords:

ID:
265613
Find the C-struct array named "entities".

-
Category:
Comment
Keywords:

ID:
265615
The array holds information about all SEs.
Each SE se is given as a C-struct containing the following values (in this order):
  ID of se
  name of se
  number of CPs associated to se and
  a reference se_se_cp_list, which refers to a list of CPs for se that has been checked in step "Check the
CPs as follows" (265597) above.

-
Category:
Requirement
Keywords:

ID:
265617
Label:

Safety relevant:

Related To:

Related To':

Check that each se is defined as stated in the System Specification.

-
Category:
Requirement
Keywords:

ID:
265619
Label:

Safety relevant:

Related To:

Related To':

Check also that no SE stated in the System Specification is missing in the array "entities".

-
Category:
Comment
Keywords:

ID:
265621
Check the deadline supervisions as follows:


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 48
-
Category:
Comment
Keywords:

ID:
265623
Find the C-struct array named "deadline_supervisions".

-
Category:
Comment
Keywords:

ID:
265625
The array holds information about all transitions with Deadline Supervision.
Each deadline supervision dl is given as a C-struct containing the following values (in this order):
  name of the source SE of dl
  name of the source CP of dl
  name of the destination SE of dl
  name of the destination CP of dl
  minimum value of the deadline interval of dl and
  maximum value of the deadline interval of dl.

-
Category:
Requirement
Keywords:

ID:
265627
Label:

Safety relevant:

Related To:

Related To':

Check that each defined dl is as stated in the System Specification.

-
Category:
Requirement
Keywords:

ID:
265629
Label:

Safety relevant:

Related To:

Related To':

Check also that no deadline supervision stated in the System Specification is missing in the array
"deadline_supervisions".

-
Category:
Comment
Keywords:

ID:
265639
Check the Alive Supervision as follows:

-
Category:
Comment
Keywords:

ID:
265641
Find the C-struct array named "alive_supervisions".

-
Category:
Comment
Keywords:

ID:
265643
The array holds information about all transitions with Alive Supervision.
Each Alive Supervision as is given as a C-struct containing the following values (in this order):
  name of the source SE of al
  name of the source CP of al
  number of expected alive indications per Reference Cycle of al
  minimum value of the alive indication margin of al and
  maximum value of the alive indication margin of al.

-
Category:
Requirement
Keywords:

ID:
265645
Label:

Safety relevant:

Related To:

Related To':

Check that each defined al is as stated in the System Specification.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 49
Category:
Requirement
Keywords:

ID:
265647
Label:

Safety relevant:

Related To:

Related To':

Check also that no Alive Supervision stated in the System Specification is missing in the array
"alive_supervisions".

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 50
11 Safe Watchdog Manager
Category:
Comment
Keywords:

ID:
228907
This section lists the safety requirements for the integration and application of the S-WdgM code in(to) an
AUTOSAR system.

-
11.1 API Specification
Category:
Comment
Keywords:

ID:
228909
This section describes the imported types and definitions and the expected interface. It also describes
safety related aspects of types, definitions and functions implemented in the S-WdgM.
Some types, definitions and interfaces depend on the used S-WdgM Configuration.


-
Category:
Comment
Keywords:

ID:
229196
For a detailed description of types, definitions and functions implemented in S-WdgM, see
[TT_WDGM_UM].
For a detailed description of types, definitions and functions imported from S-WdgIf, see [TT_WDGIF_UM].

-
Category:
Comment
Keywords:

ID:
229302
For further requirements related to imported types, definitions and interfaces, see section "Integration".

-
Category:
Requirement
Keywords:

ID:
229304
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct import of the types and definitions that are listed in this section.

-
Category:
Requirement
Keywords:

ID:
229306
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct application of the interface functions.

-
Category:
Comment
Keywords:

ID:
542988
Correct in this context means that the interface functions are used in accordance with the requirements
given in this document. See also section "Application Level API Functions" below.

-
Category:
Requirement
Keywords:

ID:
229744
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for ensuring that all external functions that are called from within the S-WdgM
code are imported from the correct versions of AUTOSAR.

-
Category:
Comment
Keywords:

ID:
558694
The external functions are listed in section "Expected Interface" below. The correct AUTOSAR version is
defined in 231307.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 51

-
Category:
Requirement
Keywords:

ID:
229746
Label:

Safety relevant:

Related To:

Related To':

The inclusion of AUTOSAR files or any other files different from S-WdgM files shall not redefine any
identifier that is defined in the S-WdgM code. E.g., redefinitions with #define macros.

-
Category:
Requirement
Keywords:

ID:
231825
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that no external interface with the S-WdgM degrades the quality level of the S-
WdgM below the required quality level.

-
Category:
Comment
Keywords:

ID:
231827
For example, if an external function of quality level ASIL C is called by the S-WdgM, it degrades the quality
level of the S-WdgM to ASIL C (if no precautions were taken), although the required quality level is ASIL D.

-
Category:
Comment
Keywords:

ID:
558698
The external interface is listed in section "Expected Interface" below.

-
11.1.1
Expected Interface
Category:
Comment
Keywords:

ID:
229201
This section lists external functions that are called by the S-WdgM.

-
Category:
Comment
Keywords:

ID:
229715
For a scheme with interaction of the S-WdgM with external functions, see [TT_WDGM_UM].

-
Category:
Comment
Keywords:

ID:
234840
The following functions of the lower WdgIf layer are called independent to the chosen S-WdgM
configuration:

Function
Module
WdgIf_SetMode ()
WdgIf
WdgIf_SetTriggerWindow ()
WdgIf
table 8


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 52

Category:
Comment
Keywords:

ID:
229726
Some functions are called by the S-WdgM depending on the compiler switches as listed here:

Compiler Switch
Function
Module
WDGM_DEM_REPORT is set to
Appl_Dem_ReportErrorStatus () **)
DEM
STD_ON
WDGM_DEV_ERROR_DETECT is set  Appl_Det_ReportError () **)
DET
to STD_ON
WDGM_SECOND_RESET_PATH  is set Appl_Mcu_PerformReset () **)
Mcu
to STD_ON
AS3: SchM_Enter_WdgM () and SchM_Exit_WdgM ()
AS4:
WDGM_USE_OS_SUSPEND_INTERR SchM_Enter_WdgM_WDGM_EXCLUSIVE_AREA_0 ()  SchM
UPT is set to STD_ON
and
SchM_Exit_WdgM_WDGM_EXCLUSIVE_AREA_0 ()
WDGM_STATE_CHANGE_NOTIFICATI WdgM_GlobalStateChangeCbk () *),
ON is set to STD_ON
WdgM_LocalStateChangeCbk ()
*)
WDGM_TIMEBASE_SOURCE is set to
WDGM_INTERNAL_HARDWARE_TICK WdgIf_GetTickCounter ()
WdgIf

table 9

If a compiler switch is set differently, the according function is not called by the S-WdgM.

*) The actual name of the function is defined by the S-WdgM configuration fields
WdgM_GlobalStateChangeCbk and WdgM_LocalStateChangeCbk, respectively. The actual module
depends on the system architecture.

**) This is a wrapper function. See the next section for information.

-
11.1.1.1
Implementation of Wrapper Functions for the Expected Interface
Category:
Comment
Keywords:

ID:
238249
Some functions of the expected interface may not meet the required quality level and need to be wrapped
so that freedom from interference with the S-WdgM is guaranteed. These functions are:

Function
Wrapper function
Dem_ReportErrorStatus ()
Appl_Dem_ReportErrorStatus ()
Det_ReportError ()
Appl_Det_ReportError ()
Mcu_PerformReset ()
Appl_Mcu_PerformReset ()
table 10


-
Category:
Comment
Keywords:

ID:
260668
Note: Whether a function is called or not depends on the configuration's compiler switches.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 53
Category:
Requirement
Keywords:

ID:
238245
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the implementation of each wrapper function as follows:
1.  the wrapper function serves as wrapper for the call of the according external function,
2.  the wrapper function guarantees freedom from interference with the S-WdgM code and data when the
according function is called, and
3.  the quality level of the wrapper function is sufficient for the required quality level of the system.

-
Category:
Requirement
Keywords:

ID:
259941
Label:

Safety relevant:

Related To:

Related To':

The wrapper function shall be declared in a separate header-file, which shall include the header file for
wrapped AUTOSAR function as follows:

Wrapper Function
Declared In Header File
Header File includes
Appl_Dem_ReportErrorStatus ()   Appl_Dem.h
Dem.h
Appl_Det_ReportError ()
Appl_Det.h
Det.h
Appl_Mcu_PerformReset ()
Appl_Mcu.h
Mcu.h
table 11


-
Category:
Requirement
Keywords:

ID:
229211
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify:
If a function in 234840, 229726, 238249, and 259941above is called, then the quality level of the S-WdgM is
not degraded below the required quality level.


-
Category:
Comment
Keywords:

ID:
260560
If a subset of these functions is called, then the quality level of the S-WdgM is degraded to the quality level
of the function in this subset that has the lowest quality level.

-
Category:
Comment
Keywords:

ID:
229728
For this reason, the integrator is advised to revise the necessity of the expected interfaces.

-
11.1.2
Imported Types and Definitions
Category:
Comment
Keywords:

ID:
229213
This section lists the types and definitions that are imported by the S-WdgM.

-
Category:
Comment
Keywords:

ID:
229296
The following types and definitions are imported from Platform_Types.h and used:
Types:
uint8
uint16

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 54
uint32
boolean
Definitions:
TRUE
FALSE

-
Category:
Comment
Keywords:

ID:
229310
The following types and definitions are imported from Std_Types.h and used:
Types:
Std_ReturnType
Definitions:
STD_ON
STD_OFF

-
Category:
Comment
Keywords:

ID:
235906
The type Std_VersionInfoType is not included, because the WdgM_GetVersionInfo () is implemented as
macro.

-
Category:
Comment
Keywords:

ID:
229312
The following definitions are imported from "Compiler.h" and used:
Definitions:
AUTOMATIC
CONST
FUNC
NULL_PTR
P2CONST
P2FUNC
P2VAR
VAR

-
Category:
Comment
Keywords:

ID:
229318
The following definitions are imported from "Compiler_Cfg.h" and used:
WDGM_CODE
WDGM_CONST
WDGM_APPL_CONST
WDGM_APPL_DATA
WDGM_APPL_VAR
WDGM_VAR

-
Category:
Comment
Keywords:

ID:
290334
The following definitions are imported from " SchM_WdgM.h" and used:
WDGM_EXCLUSIVE_AREA_0

-
Category:
Comment
Keywords:

ID:
290336
The following definitions are imported from " WdgIf_Types.h" and used:
WDGIF_OFF_MODE

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 55
Category:
Comment
Keywords:

ID:
290332
If WDGM_USE_RTE is set to STD_ON, then the following definitions are imported from "Rte_Type.h" (for
AS3) or "Rte_WdgM_Type.h" (for AS4):
WDGM_LOCAL_STATUS_OK
WDGM_LOCAL_STATUS_FAILED
WDGM_LOCAL_STATUS_EXPIRED
WDGM_LOCAL_STATUS_DEACTIVATED
WDGM_GLOBAL_STATUS_OK
WDGM_GLOBAL_STATUS_FAILED
WDGM_GLOBAL_STATUS_EXPIRED
WDGM_GLOBAL_STATUS_STOPPED
WDGM_GLOBAL_STATUS_DEACTIVATED

-
Category:
Comment
Keywords:

ID:
229314
The following definitions are imported from "MemMap.h" (and indirectly from "WdgM_MemMap.h" (for AS3)
or "WdgM_OSMemMap.h" (for AS3)) and used:

In WdgM.c:
WDGM_GLOBAL_START_SEC_VAR_32BIT
WDGM_GLOBAL_STOP_SEC_VAR_32BIT
WDGM_GLOBAL_START_SEC_VAR_BOOLEAN
WDGM_GLOBAL_STOP_SEC_VAR_BOOLEAN
WDGM_START_SEC_CODE
WDGM_STOP_SEC_CODE

In WdgM_Checkpoint.c:
WDGM_START_SEC_CODE
WDGM_STOP_SEC_CODE

In WdgM_PBcfg.c (generated):
WDGM_SEseid_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SEseid_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SEseid_START_SEC_VAR_NOINIT_32BIT
WDGM_SEseid_STOP_SEC_VAR_NOINIT_32BIT
(for a SE with WdgMSupervisedEntityId seid) and
WDGM_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_SHARED_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_SHARED_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_START_SEC_CONST_UNSPECIFIED
WDGM_STOP_SEC_CONST_UNSPECIFIED

-
Category:
Comment
Keywords:

ID:
290088
If a SE with WdgMSupervisedEntityId seid belongs to an application (WdgMAppTaskRef for SE seid is set
to appl_name),
then the following defines in WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4) are redefined:
WDGM_SEseid_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SEseid_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SEseid_START_SEC_VAR_NOINIT_32BIT
WDGM_SEseid_STOP_SEC_VAR_NOINIT_32BIT
is redefined to

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 56
appl_name_START_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_STOP_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_START_SEC_VAR_NOINIT_32BIT
appl_name_STOP_SEC_VAR_NOINIT_32BIT
respectively.

-
Category:
Comment
Keywords:

ID:
290118
If the S-WdgM component belongs to an application (WdgMGlobalMemoryAppTaskRef is set to
appl_name),
then the following defines in WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4) are redefined:
WDGM_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_START_SEC_VAR_32BIT
WDGM_GLOBAL_STOP_SEC_VAR_32BIT
WDGM_GLOBAL_START_SEC_VAR_BOOLEAN
WDGM_GLOBAL_STOP_SEC_VAR_BOOLEAN
is redefined to
appl_name_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_GLOBAL_START_SEC_VAR_32BIT
appl_name_GLOBAL_STOP_SEC_VAR_32BIT
appl_name_GLOBAL_START_SEC_VAR_BOOLEAN
appl_name_GLOBAL_STOP_SEC_VAR_BOOLEAN
respectively.

-
Category:
Comment
Keywords:

ID:
290889
Defines for global shared data are also redefined:
WDGM_GLOBAL_SHARED_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_SHARED_STOP_SEC_VAR_NOINIT_UNSPECIFIED
is redefined to
GlobalShared_START_SEC_VAR_NOINIT_UNSPECIFIED
GlobalShared_STOP_SEC_VAR_NOINIT_UNSPECIFIED

-
Category:
Comment
Keywords:

ID:
229730
The following types are imported from "WdgIf_Types.h" (through "WdgM_Cfg.h") and used:
Type:
WdgIf_ModeType

-
Category:
Requirement
Keywords:

ID:
229235
Label:

Safety relevant:

Related To:

Related To':

If the configuration parameter WDGM_USE_RTE is set to STD_ON, then the integrator shall ensure that
the following types are defined as shown in this table:

Type
Allowed Value
WdgM_SupervisedEntityIdType
uint8, uint16
WdgM_CheckpointIdType
uint8, uint16
WdgM_ModeType
uint8
WdgM_LocalStatusType
uint8

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 57
WdgM_GlobalStatusType
uint8
table 12

No other value is allowed.

-
Category:
Comment
Keywords:

ID:
229707
The S-WdgM assumes that "Rte_Type.h" (for AS3) or "Rte_WdgM_Type.h" (for AS4) is the source of these
types and includes "Rte_Type.h" (for AS3) or "Rte_WdgM_Type.h" (for AS4) if - and only if -
WDGM_USE_RTE is set to STD_ON.

-
Category:
Comment
Keywords:

ID:
237635
See [AS_RTE_SWS] for information on AUTOSAR RTE.

-
Category:
Comment
Keywords:

ID:
229288
If the configuration parameter WDGM_USE_RTE is set to STD_OFF, then the types are defined by the S-
WdgM as shown in this table:

Type
Value
WdgM_SupervisedEntityIdType
uint16
WdgM_CheckpointIdType
uint16
WdgM_ModeType
uint8
WdgM_LocalStatusType
uint8
WdgM_GlobalStatusType
uint8
table 13


-
Category:
Requirement
Keywords:

ID:
229264
Label:

Safety relevant:

Related To:

Related To':

If the configuration parameter WDGM_USE_RTE is set to STD_ON, then the integrator shall ensure that
the following definitions are set as shown in the following table:

Definition
Value
WDGM_LOCAL_STATUS_OK
0
WDGM_LOCAL_STATUS_FAILED
1
WDGM_LOCAL_STATUS_EXPIRED
2
WDGM_LOCAL_STATUS_DEACTIVATED  4
WDGM_GLOBAL_STATUS_OK
0
WDGM_GLOBAL_STATUS_FAILED
1
WDGM_GLOBAL_STATUS_EXPIRED
2
WDGM_GLOBAL_STATUS_STOPPED
3
WDGM_GLOBAL_STATUS_DEACTIVATED  4
table 14


-
Category:
Comment
Keywords:

ID:
229709
The S-WdgM assumes that "Rte_Type.h" (for AS3) or "Rte_WdgM_Type.h" (for AS4) is the source of these

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 58
types and includes "Rte_Type.h" (for AS3) or "Rte_WdgM_Type.h" (for AS4) if - and only if -
WDGM_USE_RTE is set to STD_ON.

-
Category:
Comment
Keywords:

ID:
237637
See [AS_RTE_SWS] for information on AUTOSAR RTE.

-
Category:
Comment
Keywords:

ID:
229292
If the configuration parameter WDGM_USE_RTE is set to STD_OFF then the status definitions are
implemented by the S-WdgM with the values shown in the table above in requirement 229264.

-
11.1.3
Error Handling
Category:
Comment
Keywords:

ID:
229752
This section describes the error codes set by the S-WdgM using the DET or DEM mechanism and the
return values from S-WdgM API functions.

-
11.1.3.1
DET Errors
Category:
Comment
Keywords:

ID:
229766
DET Errors are intended to support the development of an application. During software development, the
compiler directive WDGM_DEV_ERROR_DETECT is usually set to STD_ON. Once the software is safe
enough so that no further DET error can occur, the option is deactivated. For safety reasons the DET
defines are listed here.

-
Category:
Comment
Keywords:

ID:
229742
If the compiler switch WDGM_DEV_ERROR_DETECT is set to STD_ON, then the S-WdgM reports the
following development errors through the function Appl_Det_ReportError ():

Error
Code   Description
WDGM_E_NO_INIT
0x10   Uninitialized S-WdgM.
WDGM_E_PARAM_CONFIG
0x11   Invalid S-WdgM Configuration.
Invalid mode parameter (currently not used by the S-
WDGM_E_PARAM_MODE
0x12   WdgM).
WDGM_E_PARAM_SEID
0x13   Wrong ID number of the SE.
WDGM_E_NULL_POINTER
0x14   Null pointer parameter.
WDGM_E_DISABLE_NOT_ALLOWED  0x15   Disabled Watchdog is not allowed.
WDGM_E_CPID
0x16  Invalid CP ID number.
Using deprecated API service (currently not used by
WDGM_E_DEPRECATED
0x17   S-WdgM).
WDGM_E_TIMEBASE
0x28   Timebase counter failure.
WDGM_E_PARAM_STATE
0x29   Invalid S-WdgM state.
The WdgIf_SetMode(mode) function was called with
WDGM_E_WDGIF_MODE
0x2A   an invalid mode parameter.
WDGM_E_MEMORY_FAILURE
0x2B  Corrupted S-WdgM memory.
WDGM_E_REENTRANCY
0x2C   Reentrancy not allowed.
table 15

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 59

These definitions are defined in WdgM.h.

-
Category:
Comment
Keywords:

ID:
229750
The definitions from 0x10 to 0x17 are AUTOSAR definitions (see [AS_WDGM_SWS]).
The definition from 0x28 to 0x2B are TTTech specific.

-
Category:
Requirement
Keywords:

ID:
229760
Label:

Safety relevant:

Related To:
__MKSID__284531,_
Related To':

_MKSID__284549,__
MKSID__261279,__
MKSID__261146,__
MKSID__261148,__
MKSID__261150,__
MKSID__263904,__
MKSID__283924,__
MKSID__261198,__
MKSID__261210,__
MKSID__261212,__
MKSID__268923,__
MKSID__284038,__
MKSID__284042,__
MKSID__268925,__
MKSID__284050,__
MKSID__268927,__
MKSID__284054,__
MKSID__268929,__
MKSID__284056,__
MKSID__268931,__
MKSID__284062,__
MKSID__268933,__
MKSID__284066,__
MKSID__268935
The integrator is responsible to make sure that - once the compiler switch WDGM_DEV_ERROR_DETECT
is set to STD_OFF - no DET related error can occur.

-
11.1.3.2
DEM Errors
Category:
Comment
Keywords:

ID:
229748
ECU description fileIf the compiler switch WDGM_DEM_REPORT is set to STD_ON, then the S-WdgM
reports the following production errors through the function Appl_Dem_ReportErrorStatus():

Error
Code    Description
AS3: WDGM_E_MONITORING *)
The system reached status
AS4: DemConf_DemEventParameter_WDGM_E_MONI 0x30u   WDGM_GLOBAL_STATUS_STOPPED
TORING **)

AS3: WDGM_E_IMPROPER_CALLER *)
The function is not permitted to call
AS4: DemConf_DemEventParameter_WDGM_E_IMPR 0x33u   WdgM_SetMode ().
OPER_CALLER **)
table 16

*) Note: The error definitions are defined in Dem.h
**) Note: The error definition and error code are defined by the user in the ECU description file and can

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 60
vary.

-
Category:
Requirement
Keywords:

ID:
229756
Label:

Safety relevant:

Related To:
__MKSID__261188,_
Related To':

_MKSID__261190
The integrator is responsible for correct handling and escalation of errors related to DEM according to the
system requirements.

-
11.1.3.3
Return Values
Category:
Comment
Keywords:

ID:
229772
The following functions return E_NOT_OK in case an error occured:

Function
Comment
WdgM_CheckpointReached ()
Monitoring update failed.
WdgM_GetLocalStatus ()
Returning current monitoring status failed.
WdgM_GetGlobalStatus ()
Returning current monitoring status failed.
WdgM_PerformReset ()
Immediate reset of at least one Watchdog failed (if
WDGM_SECOND_RESET_PATH is set to STD_ON).
WdgM_GetMode ()
Returning current WD Trigger Mode failed.
WdgM_SetMode ()
Changing to new WD Trigger Mode failed.
WdgM_DeactivateSupervisionEntity ()
Deactivating SE failed.
WdgM_ActivateSupervisionEntity ()
Activating SE failed.
table 17


-
Category:
Requirement
Keywords:

ID:
229782
Label:

Safety relevant:

Related To:
__MKSID__284531,_
Related To':

_MKSID__261188,__
MKSID__261190
The integrator is responsible for correct handling and escalation of errors (according to the system
requirements) indicated by the return value E_NOT_OK.

-
11.2 Functional Specification
Category:
Comment
Keywords:

ID:
283403
A detailed functional specification of the S-WdgM module is provided in [TT_WDGM_UDD].

-
Category:
Requirement
Keywords:

ID:
230494
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for ensuring that the S-WdgM functionality is not unintentionally affected by
other software (especially the AUTOSAR application). This is, e.g., modification of data like tolerance value,
counters, etc. that are used by the S-WdgM.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 61
-
Category:
Comment
Keywords:

ID:
287738
This includes:
  memory corruption (see section "S-WdgM Application"),
  source code modification (intended and unintended), and
  API function calls with wrong parameters (see sections "Requirements For All Application Level API
Functions" and "Requirements For All System Level API Functions" below).

-
11.3 S-WdgM Configuration
Category:
Comment
Keywords:

ID:
230543
The S-WdgM differs between two kinds of configuration:
  pre-processor options and
  post-build configuration data.

-
Category:
Comment
Keywords:

ID:
230545
The pre-processor options are generated out of an ECU configuration using the S-WdgM Generator (coded
in the generated file WdgM_Cfg_Features.h).
They activate or deactivate certain S-WdgM features and cannot be altered during runtime.
See section "S-WdgM Configuration Generator" above for details on the S-WdgM Generator and its
application.
See [TT_WDGM_UM] for details on the pre-processor options.

-
Category:
Comment
Keywords:

ID:
230547
The post-build configuration data is also generated out of the ECU configuration using the S-WdgM
Generator (coded in the files WdgM_PBcfg.h and WdgM_PBcfg.c).
It defines certain values that affect the S-WdgM functionality (like tolerances or cycle length).
The S-WdgM can switch among these configurations at runtime. However, the current version of the S-
WdgM supports only one mode. The configuration data itself can not be altered at runtime.
See section "S-WdgM Configuration Generator" above for details on the S-WdgM Generator and its
application.
See [TT_WDGM_UM] for details on the post-build configuration data.

-
Category:
Requirement
Keywords:

ID:
230549
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for checking the pre-processor and post-build configuration values for the S-
WdgM for plausibility and suitability for the system requirements (concerning correct function and timing
behaviour) as depicted in section "Configuration Check-List" above.

-
Category:
Requirement
Keywords:

ID:
230532
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for generation and verification of configuration data as depicted in section "S-
WdgM Configuration Generator" above.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 62
Category:
Requirement
Keywords:

ID:
230551
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the configuration data is not altered at runtime, e.g. by erroneous HW.

-
Category:
Comment
Keywords:

ID:
230553
This can be realized - for example - with ECC ROM checks, cyclical ROM checks, and start up ROM
checks.

-
11.4 File Structure
Category:
Comment
Keywords:

ID:
230234
For information about the S-WdgM file structure, see [TT_WDGM_UM].

-
Category:
Comment
Keywords:

ID:
230236
The following table shows the files that are only included when the according compiler directive is set to
STD_ON:

Include File
Compiler Directive
Mcu.h
WDGM_SECOND_RESET_PATH
Det.h
WDGM_DEV_ERROR_DETECT
Dem.h
WDGM_DEM_REPORT
AS3: Rte_Type.h
WDGM_USE_RTE
AS4: Rte_WdgM_Type.h
SchM_WdgM.h
WDGM_USE_OS_SUSPEND_INTERRUPT
table 18


-
Category:
Comment
Keywords:

ID:
230373
Also note that the configuration dependent memory mapping definitions for the S-WdgM are defined in the
file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4), which is generated by the S-WdgM
Generator. The configuration independent memory mapping definitions are defined in MemMap.h

The file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4) is included into MemMap.h, which
is itself included into the S-WdgM source code.

Using the definitions in WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4), the integrator can
place the status variables of each SE in a separate address space (e.g., if the SE is part of an OS
application then its data is placed in the same context as the application's data).

-
Category:
Comment
Keywords:

ID:
230242
See also the requirement 229746 for File inclusion.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 63
11.5 S-WdgM Integration
Category:
Comment
Keywords:

ID:
230951
This section describes how to integrate the S-WdgM into a safety-relevant system.

-
Category:
Requirement
Keywords:

ID:
230957
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to demonstrate that
  the failure detection mechanisms provided by the S-WdgM and
  the generated S-WdgM configuration
are sufficient for the considered system.

-
Category:
Requirement
Keywords:

ID:
230953
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for a correct integration of the S-WdgM code
  on application level and
  on system level.

-
Category:
Comment
Keywords:

ID:
558706
The integration of the S-WdgM is correct, when all system requirements are satisfied.

-
Category:
Requirement
Keywords:

ID:
231823
Label:

Safety relevant:

Related To:
__MKSID__283518,_
Related To':

_MKSID__283514
The integrator shall verify that the chosen WD device - internal or external - meets the system's safety
requirements.

-
Category:
Comment
Keywords:

ID:
231896
For single oscillator MCU's (where the watchdog clock is derived from CPU main clock) it is recommended
to use an external watchdog device with its own oscillator as well.

-
11.5.1
Import from AUTOSAR Definitions into S-WdgM
Category:
Requirement
Keywords:

ID:
230955
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct implementation of all types and definitions that are imported
from AUTOSAR header files and used by the S-WdgM code according to AUTOSAR specifications.

-
Category:
Requirement
Keywords:

ID:
230969
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for providing the AUTOSAR header files for the import of the AUTOSAR types
and definitions.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 64

-
Category:
Comment
Keywords:

ID:
230971
For a list of imported AUTOSAR types and definitions and the related header files, see section "Imported
Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
230979
Label:

Safety relevant:

Related To:

Related To':

The inclusion of AUTOSAR header files into S-WdgM code shall not redefine any identifier that is defined
within the S-WdgM code. This prohibits, e.g., redefinitions with #define macros.

-
Category:
Requirement
Keywords:

ID:
230981
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for providing the correct code of used AUTOSAR functions. That is, correct in
version and functionality.

-
Category:
Comment
Keywords:

ID:
230983
For a list of used AUTOSAR functions, see section "Expected Interface" above.
For the AUTOSAR version see 231307.

-
Category:
Requirement
Keywords:

ID:
231015
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Std_Types.h according to the descriptions and
requirements in section "Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
231069
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Platform_Types.h according to the descriptions and
requirements in section "Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
231017
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Compiler.h and a file Compiler_Cfg.h according to the
descriptions and requirements in section "Imported Types and Definitions" above.

-
Category:
Comment
Keywords:

ID:
230977
Note that some other integrated products, provide their own contents for Compiler_Cfg.h. They need to be
merged into the systems Compiler_Cfg.h.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 65
Category:
Requirement
Keywords:

ID:
231025
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file MemMap.h according to AUTOSAR specifications.

-
Category:
Comment
Keywords:

ID:
231075
Some other integrated products, provide their own contents for MemMap.h. They need to be merged into
the system's MemMap.h file.

-
Category:
Requirement
Keywords:

ID:
260767
Label:

Safety relevant:

Related To:

Related To':

The integrator shall include the generated file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for
AS4) in the file MemMap.h.

-
Category:
Requirement
Keywords:

ID:
260828
Label:

Safety relevant:

Related To:

Related To':

The integrator shall place the inclusion of WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4)
before Os_MemMap.h in MemMap.h.

-
Category:
Comment
Keywords:

ID:
260769
WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4) contains S-WdgM configuration dependent
definitions. See also section "Memory Mapping" below.

-
Category:
Comment
Keywords:

ID:
231077
TTTech provides example files for MemMap.h (with include commands of WdgM_MemMap.h (for AS3)
or WdgM_OSMemMap.h (for AS4)) and a file demo_MemMap.h (with the memory mapping definitions of
the complete S-WdgM Stack).

-
11.5.2
Memory Mapping
Category:
Comment
Keywords:

ID:
231283
This section lists the requirements for the memory mapping of the S-WdgM data and code (also the
generated S-WdgM code). For a detailed description on how to manage S-WdgM memory sections, see
[TT_WDGM_UM].

-
Category:
Requirement
Keywords:

ID:
231029
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for
  the generation of the file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS3) as described
in section "S-WdgM Configuration Generator" above and
  its inclusion into the file MemMap.h which is itself included into the S-WdgM code.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 66
Category:
Comment
Keywords:

ID:
231484
TTTech provides a sample file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4).

-
Category:
Requirement
Keywords:

ID:
231277
Label:

Safety relevant:

Related To:

Related To':

The integrator is also responsible for the correct assignment of data and code of the S-WdgM (including the
generated S-WdgM code) to the various memory sections according to the memory mapping keywords
provided by the S-WdgM.

-
Category:
Comment
Keywords:

ID:
231289
For the memory sections that are supported by the S-WdgM see comment 229314 in section "Imported
Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
231281
Label:

Safety relevant:

Related To:

Related To':

The integrator shall assign the data for each SE to the corresponding address space of the SWC address
area where the SE is located.

-
Category:
Comment
Keywords:

ID:
290510
See parameter WdgMAppTaskRef in [TT_WDGM_UM].

-
Category:
Requirement
Keywords:

ID:
231454
Label:

Safety relevant:

Related To:

Related To':

The integrator shall assign global data to a address space with
  read access for all tasks and applications and
  read/write access for the S-WdgM.

-
Category:
Requirement
Keywords:

ID:
231462
Label:

Safety relevant:

Related To:

Related To':

The integrator shall assign global shared data to an address space with read/write access for all tasks and
applications.

-
Category:
Comment
Keywords:

ID:
290512
See parameter WdgMGlobalMemoryAppTaskRef in [TT_WDGM_UM].

-
Category:
Comment
Keywords:

ID:
231474
All S-WdgM global shared data is protected by the S-WdgM against corruption

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 67
Category:
Requirement
Keywords:

ID:
231972
Label:

Safety relevant:

Related To:
__MKSID__261238,_
Related To':

_MKSID__261216
In a system that uses MCU memory protection, the S-WdgM global data and variables shall be placed in a
separate memory section that can not be corrupted by other software modules or hardware failures.

-
11.5.3
S-WdgM Files
Category:
Requirement
Keywords:

ID:
231035
Label:

Safety relevant:

Related To:

Related To':

The integrator shall ensure that only
  files of a single delivered package and
  files generated with tools of this package
are installed:

These are the files:
  WdgM_PBCfg.h (generated),
  WdgM_PBCfg.c (generated),
  WdgM_Cfg_Features.h (generated),
  WdgM_Cfg.h,
  WdgM.h,
  WdgM.c, and
  WdgM_Checkpoint.c

-
Category:
Requirement
Keywords:

ID:
230229
Label:

Safety relevant:

Related To:

Related To':

The loaded S-WdgM Configuration shall be compatible with the S-WdgM embedded code.

-
Category:
Comment
Keywords:

ID:
289588
The S-WdgM performs a version check with every call of WdgM_Init ().

-
11.5.4
Compilation and Linkage
Category:
Requirement
Keywords:

ID:
230959
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for compilation of the S-WdgM code with a compiler that is compliant to ANSI
ISO/IEC 9899:1990.

-
Category:
Comment
Keywords:

ID:
230963
The generated code is compliant to ANSI ISO/IEC 9899:1990. It is also known as "ANSI C (C89)" and "ISO
C (C90)".


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 68
Category:
Requirement
Keywords:

ID:
230991
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for correct compilation and linkage of the S-WdgM into the AUTOSAR system.

-
Category:
Requirement
Keywords:

ID:
231079
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the compiled and linked target binary is correctly loaded into the target
system.

-
11.5.5
S-WdgM Stack Requirements
Category:
Requirement
Keywords:

ID:
231547
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the S-WdgM communicates with least
  an internal WD device (MCU inside) or
  an external WD device.

-
Category:
Requirement
Keywords:

ID:
231549
Label:

Safety relevant:

Related To:

Related To':

For ASIL D systems, an external monitoring facility shall be used.

-
Category:
Comment
Keywords:

ID:
231551
This is highly recommended in ISO 26262 (see [ISO26262], part 6, section 7.4.14, table 4/1d).

-
Category:
Requirement
Keywords:

ID:
236796
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that the communication path to the external WD does not degrade the quality
level below the required quality level.

-
11.6 S-WdgM Application
Category:
Comment
Keywords:

ID:
230581
This section lists the requirements for the application of the S-WdgM.
For requirements for the S-WdgM Generator see section "S-WdgM Generator" above.

-
Category:
Comment
Keywords:

ID:
230584
For an overview of the application of the S-WdgM monitoring features see [TT_WDGM_UM].

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 69
Category:
Requirement
Keywords:

ID:
230164
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct inclusion of all S-WdgM header files in the AUTOSAR
application that declare the S-WdgM API functions.

-
Category:
Comment
Keywords:

ID:
230586
This includes:
  WdgM_PBCfg.h (generated),
  WdgM_Cfg_Features.h (generated),
  WdgM_Cfg.h, and
  WdgM.h.

-
Category:
Requirement
Keywords:

ID:
230588
Label:

Safety relevant:

Related To:

Related To':

The application shall check the return values (if any) of the S-WdgM API functions to detect errors.

-
Category:
Comment
Keywords:

ID:
230609
In case a S-WdgM API function call fails, a DET report is made (if configured so) and an error code is
returned.

-
Category:
Requirement
Keywords:

ID:
230597
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for correct handling and escalation of errors that are detected by the S-WdgM
code. This includes:
  error codes indicating that a S-WdgM API function was not successful and
  application errors releaved by S-WdgM monitoring features.

-
Category:
Requirement
Keywords:

ID:
230226
Label:

Safety relevant:

Related To:
__MKSID__283536,_
Related To':

_MKSID__261228
The following memory sections shall not be corrupted or manipulated neither by a HW failure nor by a SW
bug in any SW other than S-WdgM:
  S-WdgM local entity data memory and
  S-WdgM global data memory.

-
Category:
Comment
Keywords:

ID:
289546
This can be achieved by using e.g. ECC and placing the data to a trusted memory area protected by the
MPU.

-
Category:
Comment
Keywords:

ID:
558862
For the memory section description of
  local entity memory section,
  global memory section, and

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 70
  global shared memory section
see section "Memory Sections" in [TT_WDGM_UM].

-
Category:
Requirement
Keywords:

ID:
230607
Label:

Safety relevant:

Related To:

Related To':

The following memory sections shall not be corrupted or manipulated neither by a HW failure nor by a SW
bug in any SW other than S-WdgM:
  S-WdgM configuration memory and
  S-WdgM program code memory.

-
Category:
Comment
Keywords:

ID:
558768
This can be achieved by using e.g. ECC, startup and run-time memory checks.

-
Category:
Comment
Keywords:

ID:
230617
It shall be considered that the S-WdgM code has no mechanism for detecting and/or correcting the
following errors:
  corruption of the Local Entity memory,
  corruption of the Global S-WdgM memory,
  corruption of the S-WdgM memory for constants,
  corruption of the S-WdgM code memory, and
  corruption of the used hardware registers.

Note: The S-WdgM itself has no direct access to hardware registers. The registers can be accessed by
calls of external functions. These functions are listed in section "Expected Interfaces" above.

-
Category:
Requirement
Keywords:

ID:
231480
Label:

Safety relevant:

Related To:
__MKSID__283399,_
Related To':

_MKSID__261192
The integrator shall guarantee that address spaces for which the S-WdgM offers no mechanism for error
detection and error correction can not be corrupted.

-
Category:
Comment
Keywords:

ID:
231317
The S-WdgM has mechanisms for detection of unintended manipulations of its own variables placed in the
Global Shared memory. If the memory is manipulated, then a reset is performed.

-
Category:
Comment
Keywords:

ID:
230615
If a mechanism for detection/correction of such manipulations is implemented in the application level or
system level, then it should also cover the S-WdgM code.

-
11.6.1
Application Level API Functions
Category:
Comment
Keywords:

ID:
230729
This section lists the requirements for the S-WdgM API functions on application level.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 71
11.6.1.1
WdgM_GetMode ()
Category:
Requirement
Keywords:

ID:
230813
Label:

Safety relevant:

Related To:

Related To':

The application developer shall retrieve the current WD Trigger Mode using WdgM_GetMode () only.

-
Category:
Comment
Keywords:

ID:
236520
The WD trigger mode is not fully AUTOSAR 4.0.1 and AUTOSAR 3.1.4 compatible.
It considers only the following configuration fields:
  WdgMTriggerConditionValue
  WdgMTriggerWindowStart
  WdgMWatchdogMode

-
11.6.1.2
WdgM_SetMode ()
Category:
Requirement
Keywords:

ID:
231776
Label:

Safety relevant:

Related To:

Related To':

The application developer shall set the current WD Trigger Mode using WdgM_SetMode () only.

-
Category:
Comment
Keywords:

ID:
231778
The WD Trigger Mode is not fully AUTOSAR 4.0.1 and AUTOSAR 3.1.4 compatible.
The function WdgM_SetMode () considers only the following configuration fields for a new configuration:
  WdgMTriggerConditionValue
  WdgMTriggerWindowStart
  WdgMWatchdogMode

-
Category:
Comment
Keywords:

ID:
283836
Note: The function WdgM_SetMode () can also be used in AUTOSAR 3.1 compatibility mode. See
[TT_WDGM_UM].

-
Category:
Requirement
Keywords:

ID:
289522
Label:

Safety relevant:

Related To:
__MKSID__284058
Related To':

If WdgMDefensiveBehavior is set to "true", then the integrator shall check the DEM reports for the error
WDGM_E_IMPROPER_CALLER, which indicates calls of WdgM_SetMode () by unauthorized callers.

Otherwise the integrator shall make sure that unauthorized calls of WdgM_SetMode () can not occur.

-
11.6.1.3
WdgM_CheckpointReached ()
Category:
Requirement
Keywords:

ID:
230815
Label:

Safety relevant:

Related To:

Related To':

The application developer shall indicate to the S-WdgM that a certain point in application code has been
reached using WdgM_CheckpointReached () only.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 72

-
Category:
Comment
Keywords:

ID:
230817
WdgM_CheckpointReached () performs the following steps:
  all defined Alive Supervision counters are updated,
  Deadline Monitoring is performed, and
  Program Flow Monitoring is performed.

-
Category:
Comment
Keywords:

ID:
283838
Note: The function WdgM_CheckpointReached () is not defined in AUTOSAR 3.1 compatibility mode and
replaced by the function WdgM_UpdateAliveCounter ().

-
11.6.1.4
WdgM_GetLocalStatus ()
Category:
Requirement
Keywords:

ID:
230733
Label:

Safety relevant:

Related To:

Related To':

The application developer shall retrieve the current local monitoring status using WdgM_GetLocalStatus
() only.

-
11.6.1.5
WdgM_GetGlobalStatus ()
Category:
Requirement
Keywords:

ID:
230739
Label:

Safety relevant:

Related To:

Related To':

The application developer shall retrieve the current global monitoring status using WdgM_GetGlobalStatus
() only.

-
11.6.1.6
WdgM_PerformReset ()
Category:
Requirement
Keywords:

ID:
230757
Label:

Safety relevant:

Related To:

Related To':

The integrator shall initiate an immediate Watchdog reset from application level only using
WdgM_PerformReset ().

-
Category:
Comment
Keywords:

ID:
230761
Note: This function is hardware dependent. Some WD drivers do not support an immediate reset. Check the
according S-Wdg driver documentation (see also the reference list for example drivers in this document).


-
11.6.1.7
WdgM_LocalStateChangeCbk, WdgM_GlobalStateChangeCbk
Category:
Comment
Keywords:

ID:
231768
The identifiers WdgM_LocalStateChangeCbk and WdgM_GlobalStateChangeCbk are not function names.
They are fields of the S-WdgM Configuration holding pointers to the actual callback functions.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 73
The functions are implemented by the integrator. They are the alternative to RTE notification. RTE
notifications are not supported by the S-WdgM.

-
Category:
Comment
Keywords:

ID:
237639
See [AS_RTE_SWS] for information on AUTOSAR RTE.

-
Category:
Requirement
Keywords:

ID:
230793
Label:

Safety relevant:

Related To:

Related To':

The SW component that implements the callback functions shall be developed with at least the same
quality level as required for the system.

-
Category:
Comment
Keywords:

ID:
230801
Note: The quality level of the S-WdgM is degraded to the quality level of the callback function. An error in
the callback function may corrupt the function integrity of the S-WdgM.

-
Category:
Comment
Keywords:

ID:
231877
If the application that calls the callback function is in a different memory section than the S-WdgM,
then the OS feature "Trusted Function" may be necessary to perform the callback.

-
Category:
Comment
Keywords:

ID:
230891
The function referred to by WdgM_LocalStateChangeCbk is only invoked if
WDGM_STATE_CHANGE_NOTIFICATION is set to STD_ON.

-
Category:
Comment
Keywords:

ID:
239606
The function referred to by WdgM_GlobalStateChangeCbk is only invoked,
if WDGM_STATE_CHANGE_NOTIFICATION is set to STD_ON,
except when the new status is WDGM_GLOBAL_STATUS_STOPPED and WDGM_IMMEDIATE_RESET
is set to STD_ON (an immediate system reset need not be notified).

-
11.6.1.8
WdgM_ActivateSupervisionEntity ()
Category:
Requirement
Keywords:

ID:
231399
Label:

Safety relevant:

Related To:

Related To':

The integrator shall activate the monitoring of a SE using WdgM_ActivateSupervisionEntity () only.

-
Category:
Requirement
Keywords:

ID:
231400
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible that the activation of a SE does not
  compromise the systems performance or
  the systems availability (i.e. no unintended resets)

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 74
Category:
Comment
Keywords:

ID:
231401
The activation is performed from within WdgM_MainFunction () at the end of a SC.

-
Category:
Requirement
Keywords:

ID:
231403
Label:

Safety relevant:

Related To:

Related To':

The software component(s) that call WdgM_ActivateSupervisionEntity () shall be developed with at least the
same quality level as required by the system safety requirements.

-
Category:
Comment
Keywords:

ID:
231404
A missing activation of a SE may violate safety requirements.

-
Category:
Comment
Keywords:

ID:
231402
For more information on WdgM_ActivateSupervisionEntity (), see [TT_WDGM_UM].

-
Category:
Comment
Keywords:

ID:
231405
WdgM_ActivateSupervisionEntity () is only available if WDGM_ENTITY_DEACTIVATION_ENABLED is set
to STD_ON.

-
11.6.1.9
WdgM_DeactivateSupervisionEntity ()
Category:
Requirement
Keywords:

ID:
231415
Label:

Safety relevant:

Related To:

Related To':

The integrator shall deactivate the monitoring of a SE using WdgM_DeactivateSupervisionEntity () only.

-
Category:
Requirement
Keywords:

ID:
231416
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible that deactivation of a SE does not compromise system safety requirements.

-
Category:
Comment
Keywords:

ID:
231417
The deactivation is performed from within WdgM_MainFunction () at the end of a SC.

-
Category:
Requirement
Keywords:

ID:
231419
Label:

Safety relevant:

Related To:

Related To':

The software component(s) that call WdgM_DeactivateSupervisionEntity () shall be developed with at least
the same quality level as required by the system safety requirements.

-
Category:
Comment
Keywords:

ID:
231420
An unintended deactivation of a SE may violate safety requirements.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 75
Category:
Requirement
Keywords:

ID:
288603
Label:

Safety relevant:

Related To:
__MKSID__284070
Related To':

The integrator shall guarantee that a SE is *not* deactivated while its local Initial CP has been hit but one of
its local End CP has not yet been hit.

-
Category:
Comment
Keywords:

ID:
288605
That is, the program flow of the SE is currently monitored somewhere between the local Initial CP and a
local End CP. A deactivation in this moment may corrupt data that is used to monitor the SE.

-
Category:
Comment
Keywords:

ID:
231418
For more information on WdgM_DeactivateSupervisionEntity, () see [TT_WDGM_UM].

-
Category:
Comment
Keywords:

ID:
231421
WdgM_DeactivateSupervisionEntity () is only available if WDGM_ENTITY_DEACTIVATION_ENABLED is
set to STD_ON.

-
11.6.1.10
S-WdgM AUTOSAR 3.1 compatibility mode Functions
Category:
Comment
Keywords:

ID:
231387
This section lists safety requirements of functions that are only available in AUTOSAR 3.1 compatibility
mode.

-
Category:
Comment
Keywords:

ID:
562709
In the "S-WdgM AUTOSAR 3.1 compatibility mode" the S-WdgM emulates the functionality of the
AUTOSAR 3.1 Watchdog Manager.
This mode is active when the parameter WDGM_AUTOSAR_3_1_X_COMPATIBILITY is set to STD_ON.

-
11.6.1.10.1  WdgM_UpdateAliveCounter ()
Category:
Requirement
Keywords:

ID:
283846
Label:

Safety relevant:

Related To:

Related To':

The application developer shall indicate to the S-WdgM that a certain point in application code has been
reached using WdgM_UpdateAliveCounter () only.

-
Category:
Comment
Keywords:

ID:
283852
This function replaces WdgM_CheckpointReached ().

-
11.6.1.10.2  WdgM_SetMode ()
Category:
Requirement
Keywords:

ID:
283850
Label:

Safety relevant:

Related To:

Related To':

The application developer shall set the current WD Trigger Mode using WdgM_SetMode () only.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 76

-
Category:
Requirement
Keywords:

ID:
283856
Label:

Safety relevant:

Related To:

Related To':

Note: The AUTOSAR 3.1 version of this function has not parameter CallerID, hence there is no check
whether the caller is authorized to call the function or not.

-
11.6.1.11
Requirements For All Application Level API Functions
Category:
Requirement
Keywords:

ID:
230613
Label:

Safety relevant:

Related To:
__MKSID__284040,_
Related To':

_MKSID__284048,__
MKSID__284052
It is the responsibility of the integrator to verify the correctness of parameters passed to S-WdgM
application level API functions.

-
Category:
Requirement
Keywords:

ID:
230735
Label:

Safety relevant:

Related To:
__MKSID__284040,_
Related To':

_MKSID__284048,__
MKSID__284052
Some S-WdgM API function have a pointer to data as argument. The integrator is responsible that such
data is not modified by the application or code other than the S-WdgM.

-
Category:
Comment
Keywords:

ID:
230737
This includes:
  WdgM_GetMode (),
  WdgM_GetLocalStatus (), and
  WdgM_GetGlobalStatus ().

-
Category:
Requirement
Keywords:

ID:
230751
Label:

Safety relevant:

Related To:
__MKSID__284060,_
Related To':

_MKSID__284064,__
MKSID__284068,__
MKSID__284072,__
MKSID__283934
The integrator is responsible for a correct error escalation if a S-WdgM API function returns E_NOT_OK.

-
Category:
Comment
Keywords:

ID:
230753
For the list of functions that return E_NOT_OK, see comment 229772 in subsection "Return Values" in
section "Error Handling" above.

-
Category:
Requirement
Keywords:

ID:
230222
Label:

Safety relevant:

Related To:

Related To':

If the RTE invokes an W-SgdM API function, the RTE code shall not corrupt SWC's memory.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 77

-
11.6.2
System Level API Functions
Category:
Comment
Keywords:

ID:
230731
This section lists the requirements for the S-WdgM API functions in the system layer.

-
Category:
Comment
Keywords:

ID:
230819
Note: The system level API functions are not visible in the application layer. The system functions are
invoked by the BSW modules. The RTE does not generate interfaces for these functions.

-
11.6.2.1
WdgM_Init ()
Category:
Requirement
Keywords:

ID:
230821
Label:

Safety relevant:

Related To:

Related To':

The integrator shall initialize (all parts of the) the S-WdgM (data) using WdgM_Init () only.

-
Category:
Requirement
Keywords:

ID:
265946
Label:

Safety relevant:

Related To:
__MKSID__261148,_
Related To':

_MKSID__261150
WdgM_Init () shall be called with correct parameter (i.e. the pointer to the according configuration).

-
Category:
Comment
Keywords:

ID:
290640
Besides the DET reports, a WdgM_Init() function failure can be checked indirectly by reading the global
pointer variable g_wdgm_cfg_ptr. In case of an error the pointer is NULL

-
Category:
Requirement
Keywords:

ID:
265886
Label:

Safety relevant:

Related To:
__MKSID__261062,_
Related To':

_MKSID__261130
The integrator shall check the integrity of the S-WdgM Configuration before invoking the WdgM_Init()
function.

-
Category:
Requirement
Keywords:

ID:
265884
Label:

Safety relevant:

Related To:

Related To':

The integrator shall check the loaded S-WdgM code for manipulation before invoking the WdgM_Init()
function.

-
Category:
Comment
Keywords:

ID:
270674
This includes - for example - checks for bitflips.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 78
Category:
Requirement
Keywords:

ID:
230841
Label:

Safety relevant:

Related To:

Related To':

Any S-WdgM monitoring (e.g. any call of WdgM_CheckpointReached ()) shall be performed after the S-
WdgM initialization.

-
Category:
Requirement
Keywords:

ID:
230843
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for passing the appropriate S-WdgM Configuration to WdgM_Init () (i.e. so that
no safety requirement is violated).

-
Category:
Requirement
Keywords:

ID:
231163
Label:

Safety relevant:

Related To:

Related To':

The WdgM_Init() function shall be called after the initialization functions of the used S-Wdg drivers (named
Wdg_platform_Init (), where platform is the used platform).

-
Category:
Comment
Keywords:

ID:
231179
The initialization function(s) of the S-Wdg driver(s) activate the WD device.

-
Category:
Comment
Keywords:

ID:
264615
Note: Some platforms activate the WD automatically once it is powered.

-
Category:
Requirement
Keywords:

ID:
231169
Label:

Safety relevant:

Related To:
__MKSID__261244
Related To':

The function WdgM_Init() shall be called after the memory protection is activated.

-
Category:
Requirement
Keywords:

ID:
231171
Label:

Safety relevant:

Related To:

Related To':

All other S-WdgM API functions shall only be called after WdgM_Init() has successfully initialized the S-
WdgM.

-
Category:
Requirement
Keywords:

ID:
265944
Label:

Safety relevant:

Related To:
__MKSID__261279
Related To':

The function WdgM_Init () shall be called after Wdg_platform_Init ().

-
Category:
Comment
Keywords:

ID:
231181
After execution of WdgM_Init() all monitoring features are fully operational.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 79
Category:
Requirement
Keywords:

ID:
264609
Label:

Safety relevant:

Related To:

Related To':

The integrator shall be aware that the system's SW is not monitored by the S-WdgM until the S-Wdg device
is initialized.

-
Category:
Requirement
Keywords:

ID:
264611
Label:

Safety relevant:

Related To:
__MKSID__283878,_
Related To':

_MKSID__261176,__
MKSID__261170
The integrator is responsible that the initialization of the WD device and the S-WdgM is performed correctly
and in time.

-
Category:
Requirement
Keywords:

ID:
289548
Label:

Safety relevant:

Related To:
__MKSID__285029
Related To':

The integrator shall consider:
If WdgM_Init () is called during monitoring by the S-WdgM (i.e. after the initial SC),
then all information about pending violations gets lost.
There will be no further DEM report for pending violations.

-
Category:
Comment
Keywords:

ID:
289550
In this context, "pending violations" are violations that have already been detected by the S-WdgM but have
not yet been escalated to the lower S-WdgM Stack levels and no DEM error has been reported so far.
The time duration of pending depends on the S-WdgM Configuration fields, like the number of tolerated
Reference Cycles.

-
11.6.2.2
WdgM_MainFunction ()
Category:
Requirement
Keywords:

ID:
265950
Label:

Safety relevant:

Related To:
__MKSID__261170,_
Related To':

_MKSID__261172,__
MKSID__261174,__
MKSID__261176
The function WdgM_MainFunction () shall be called at the end of every SC.

-
Category:
Requirement
Keywords:

ID:
231209
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that WdgM_MainFunction () is correctly scheduled by the operating system
(if used) and is always called as scheduled.

-
Category:
Comment
Keywords:

ID:
231780
If WdgM_MainFunction () is not called in time then the WD is not triggered in time and performs a system
reset.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 80
Category:
Requirement
Keywords:

ID:
231183
Label:

Safety relevant:

Related To:

Related To':

The first call of WdgM_MainFunction () shall be inside the initial trigger window of the WD.

-
Category:
Comment
Keywords:

ID:
264607
The time between the WD initialization and its first trigger by function WdgM_MainFunction (SC #0) shall
match the system requirements. This time can be configured in the S-Wdg driver configuration (see the
User Manual of the according S-Wdg driver. Not all platforms support the configuration of the time for the
first S-Wdg trigger.

-
Category:
Comment
Keywords:

ID:
231185
Otherwise the safe state is initiated.

-
Category:
Comment
Keywords:

ID:
232459
For details on the initial trigger window see [TT_WDGM_UM].

-
Category:
Requirement
Keywords:

ID:
231609
Label:

Safety relevant:

Related To:
__MKSID__283870
Related To':

The integrator shall guarantee that the WdgM_MainFunction() is not executed faster as defined by the
system design.

-
Category:
Comment
Keywords:

ID:
231191
This can be achieved e.g. by using a windowed watchdog device.
When the WdgM_MainFunction() is executed faster as defined, then the S-WdgM reaction times (reset) are
not as expected.
A trigger of the Watchdog outside the defined window leads to a reset. This feature is HW dependent. See
the Safety Manual for the WD driver. Safety Manuals for some drivers can be found in section "References"
at the end of this document.

-
Category:
Requirement
Keywords:

ID:
231207
Label:

Safety relevant:

Related To:

Related To':

The function WdgM_MainFunction() shall be executed in a task that is different to the tasks that are
monitored by the S-WdgM.

-
Category:
Comment
Keywords:

ID:
231370
Avoid influence or corruption of WdgM_MainFunction() by another task.

-
11.6.2.3
WdgM_UpdateTickCount ()
Category:
Comment
Keywords:

ID:
231611
This function has been added by TTTech and not part of AUTOSAR.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 81
Category:
Requirement
Keywords:

ID:
230857
Label:

Safety relevant:

Related To:
__MKSID__284091,_
Related To':

_MKSID__261214
If the configuration parameter WDGM_TIMEBASE_SOURCE is set to WDGM_EXTERNAL_TICK,
then the Time Base Tick Counter shall be updated using WdgM_UpdateTickCount () every
1/WdgMTicksPerSecond part of a second.

-
Category:
Requirement
Keywords:

ID:
230873
Label:

Safety relevant:

Related To:
__MKSID__284091,_
Related To':

_MKSID__261214
If the configuration parameter WDGM_TIMEBASE_SOURCE is set to WDGM_EXTERNAL_TICK,
then the developer is responsible for calling WdgM_UpdateTickCount () periodically in an interval that is
short enough for successful Deadline Monitoring and long enough so that the system safety is not
compromised.

-
Category:
Requirement
Keywords:

ID:
230213
Label:

Safety relevant:

Related To:

Related To':

In case an external tick counter is used, the integrator shall avoid
  forward jumps,
  stuck-at,
  negative counting, and
  jitter
of the S-WdgM Timebase Tick counter.

-
Category:
Comment
Keywords:

ID:
290532
They can influence the expected accuracy of the deadline measurement.

-
Category:
Comment
Keywords:

ID:
230875
The Timebase Tick counter delivers the time base for Deadline Monitoring. It can be - for example - called
from a task with fixed time period and high priority.

-
Category:
Comment
Keywords:

ID:
230877
If WDGM_TIMEBASE_SOURCE is set to WDGM_INTERNAL_SOFTWARE_TICK,
then WdgM_UpdateTickCount () is called from within WdgM_MainFunction () once at every call of
WdgM_MainFunction ().

-
Category:
Comment
Keywords:

ID:
236538
If WDGM_TIMEBASE_SOURCE is set to WDGM_INTERNAL_HARDWARE_TICK,
then the S-WdgM does not provide the function WdgM_UpdateTickCount (). The counter value is read from
the hardware through the S-WdgIf function WdgIf_GetTickCounter (). See [TT_WDGIF_UM] and
[TT_WDGIF_SM].
This feature is HW dependent. See the Safety Manual specific for the driver. Safety Manuals for some
drivers can be found in section "References" at the end of this document.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 82
11.6.2.4
WdgM_GetVersionInfo ()
Category:
Requirement
Keywords:

ID:
230895
Label:

Safety relevant:

Related To:

Related To':

The integrator shall retrieve the current version of the S-WdgM using WdgM_GetVersionInfo () only.

-
Category:
Comment
Keywords:

ID:
230897
WdgM_GetVersionInfo () is only available if WDGM_VERSION_INFO_API is set to STD_ON.

-
Category:
Comment
Keywords:

ID:
230899
WdgM_GetVersionInfo () is a C macro.

-
11.6.2.5
Requirements For All System Level API Functions
Category:
Requirement
Keywords:

ID:
231321
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to verify the correctness of parameters that are passed to the S-
WdgM system level API functions.

-
Category:
Requirement
Keywords:

ID:
230831
Label:

Safety relevant:

Related To:

Related To':

Some S-WdgM API functions have a pointer to data as argument. The integrator is responsible that such
data is not modified by the system or code other than the S-WdgM.

-
Category:
Comment
Keywords:

ID:
230832
This includes:
  WdgM_Init ()
  WdgM_GetVersionInfo ()
  WdgM_GetLocalStatus()
  WdgM_GetGlobalStatus()
  WdgM_GetMode()

-
Category:
Requirement
Keywords:

ID:
230833
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for a correct error escalation if a S-WdgM API function returns E_NOT_OK.

-
Category:
Comment
Keywords:

ID:
230835
For the list of functions that return E_NOT_OK, see comment 229772 in subsection "Return Values" in
section "Error Handling" above.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 83
Category:
Requirement
Keywords:

ID:
230885
Label:

Safety relevant:

Related To:

Related To':

The following functions - although available - are for S-WdgM internal processing and shall not be used:
  GlobalSuspendInterrupts ()
  GlobalRestoreInterrupts ()
  WdgM_SetTickCount ()
  WdgM_WriteRememberedEntityId ()
  WdgM_WriteGlobalActivityFlag ()
  WdgM_WriteGlobalTransitionFlag ()
  WdgM_ReadGlobalTransitionFlag ()
  WdgM_ReadRememberedEntityId ()

-
11.6.3
Memory Access
Category:
Comment
Keywords:

ID:
231145
This section lists the requirements related to memory access of the various S-WdgM API functions.

-
Category:
Requirement
Keywords:

ID:
231203
Label:

Safety relevant:

Related To:
__MKSID__261230
Related To':

The S-WdgM API functions shall be granted the required access rights to the various memory sections as
depicted in the following table.

-
Category:
Comment
Keywords:

ID:
231147
The following table shows the required access rights for each S-WdgM API function according to the
memory sections.
A description of the memory sections can be found in [TT_WDGM_UM].


   Memory Section
S-WdgM local  S-WdgM global  S-WdgM global  MCU
Function
SE memory
memory
shared memory  Register (3)
WdgM_Init () (1)
read, write
read, write
read, write
read, write
WdgM_MainFunction ()
read
read, write
read
read, write
WdgM_CheckpointReached ()
read, write
read
read, write
-----
WdgM_UpdateTickCount () (2)
-----
read, write
-----
-----
WdgM_PerformReset ()
-----
write
-----
read, write
WdgM_GetLocalStatus ()
read
-----
-----
-----
WdgM_GetGlobalStatus ()
-----
read
-----
-----
WdgM_GetMode ()
-----
read
-----
-----
WdgM_SetMode ()
-----
write
-----
-----
WdgM_DeactivateSupervisionEntity ()  -----
-----
write
-----
WdgM_ActivateSupervisionEntity ()
-----
-----
write
-----
table 19

(1) The function WdgM_Init () initializes all internal S-WdgM variables and the S-WdgM variables in the
contexts of the SEs.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 84
(2) The Timebase Tick counter belongs to the S-WdgM global variables.
(3) MCU Register access. The S-WdgM does not access the hardware registers directly. The hardware is
accessed by calling the WD driver or MCU driver functions. The register access is platform and
implementation dependent and may imply "supervisor MCU mode" or "privileged MCU mode". See the
driver's User Manual and Safety Manual for details.

-
Category:
Comment
Keywords:

ID:
231149
Note: The MMU or MPU - if running on the target system - need to be configured accordingly.

-
Category:
Requirement
Keywords:

ID:
284909
Label:

Safety relevant:

Related To:
__MKSID__261230
Related To':

The integrator shall check the MMU/MPU error messages if MMU or MPU is used.

-
Category:
Comment
Keywords:

ID:
284911
For the case that a S-WdgM API function is denied required memory access.

-
11.6.4
Concurrent Function Calls
Category:
Requirement
Keywords:

ID:
283147
Label:

Safety relevant:

Related To:
__MKSID__284600,_
Related To':

_MKSID__284608
The following table shows which functions may run concurrently:


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 85

figure 1

"Y" is for "Yes" (may run concurrently) and
"N" is for "No" (may not run concurrently)
*1) Allowed only if running in different application contexts.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 86
12 Safety Lifecycle Tailoring
Category:
Comment
Keywords:

ID:
230008
This section describes which phases of the S-WdgM product safety lifecycle according to [ISO26262] were
executed by TTTech during the development and which phases have to be executed by the integrator.

-
Category:
Comment
Keywords:

ID:
230016
The S-WdgM is a software unit representing a safety element out of context (SEooC) according to
[ISO26262], part 10. The SW requirements of the S-WdgM are based on [AS_WDGM_SWS] and
[TT_WDGM_SRD] with deviations listed in [TT_WDGM_UM]. The architectural design is documented in
[TT_WDGM_UDD].

-
Category:
Comment
Keywords:

ID:
230020
The following ISO 26262 phases that are relevant for the integrator were executed by TTTech:
  3-7 Hazard analysis and risk assessment *)
  3-8 Functional Safety Concept *)
  4-6 Technical Safety Concept *)
  4-7 System Design *)
  6-5 Initiation of product development at SW level *),
  6-8 Software unit design and implementation *) and
  6-9 Software unit tests *).

*) As far as related to the S-WdgM as SEooC.

-
Category:
Requirement
Keywords:

ID:
230022
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262 phase 6-6 (Specification of SW safety
requirements) to identify the system's SW safety requirements.

-
Category:
Requirement
Keywords:

ID:
230024
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262 phase 6-7 (SW architectural design) that
covers S-WdgM code.

-
Category:
Comment
Keywords:

ID:
230026
The S-WdgM code does not impose any special restrictions on the SW architecture design except for the
requirements in this document.

-
Category:
Requirement
Keywords:

ID:
230030
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262, part 6, clause 8.4.5, b) to verify that the
software unit design of the S-WdgM is complete with respect to the software safety requirements and the
software architecture through traceability.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 87
-
Category:
Requirement
Keywords:

ID:
230040
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262 phase 6-10 (SW integration and testing) to
verify that S-WdgM code is correctly integrated into the system.

-
Category:
Requirement
Keywords:

ID:
230042
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of phase ISO 26262 6-11 (Verification of SW safety
requirements) to verify the safety requirements that are related to S-WdgM code.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 88
13 Qualification
Category:
Comment
Keywords:

ID:
230060
The S-WdgM has been developed according to the requirements in [ISO26262] as specified in section
"Safety Lifecycle Tailoring" above. It can be integrated in systems up to ASIL D, provided that all
requirements in this document are fulfilled.

-
Category:
Comment
Keywords:

ID:
228543
The hardware dependent qualification data and required resources for each platform are part of the WD
drivers' Safety Manual.

-
Category:
Comment
Keywords:

ID:
230093
The S-WdgM Stack Safety Case [TT_WDGS_SC] lists all S-WdgM qualification documents.

-
Category:
Comment
Keywords:

ID:
230128
om The S-WdgM unit tests are specified in [TT_WDGM_UTS].
The S-WdgM tests of the unit test framework are specified in [TT_WDGS_UTS].
The integration tests of the S-Wdg Stack are specified in [TT_WDGS_ITS].


-
Category:
Comment
Keywords:

ID:
260892
The environments and S-WdgM Configurations of integration tests that have been conducted by TTTech
can be found in the Safety Manual of the various S-Wdg drivers (e.g. [TT_WDGDR_platform_SM], where
platform is the used platform. See also section "References" at the end of the document).

-
Category:
Requirement
Keywords:

ID:
230124
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the qualification of the S-WdgM code for the used environment. This
means that the S-WdgM code must be integration tested against these environment.

The environment comprises:
  the target CPU,
  the compiler and linker,
  the compiler and linker settings,
  S-WdgM Stack pre-compile configurations,
  the used WDs and S-Wdg drivers, and
  the AUTOSAR software stack.

-
Category:
Requirement
Keywords:

ID:
283952
Label:

Safety relevant:

Related To:

Related To':

Integration tests shall also cover the detection and escalation of all kinds of violations (by means of
"negative tests").

This comprises:
  deadline violations (Local and Global Transitions, min.deadline violations, max. deadline violations),

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 89
  program flow violations (Local and Global Transitions), and
  Alive Counter violations (min. Alive Counter violation, max. Alive Counter violations).

-
Category:
Requirement
Keywords:

ID:
230126
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgM is used in an environment that differs in any way from the environment it has been tested
with (see the list below), then the integrator shall analyze the consequences of the differences and conduct
corresponding tests (see [ISO26262] part 6, clause 9, in particular [ISO26262] part 6, clause 9.4.6).

The TTTech test environments are defined in
  the S-Wdg driver Safety Manual [TT_WDGDR_platform_SM] (if a TTTech driver for this
platform exists),
(and in detail in:)
  the Integration Test Specification [TT_WDGS_ITS], and
  the Unit Test Specification [TT_WDGM_UTS].

-
Category:
Comment
Keywords:

ID:
231613
TTTech offers qualification of the S-WdgM for customer-specific configurations.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 90
14 Resource Requirements
Category:
Comment
Keywords:

ID:
230150
The memory consumption and runtime consumption of the S-WdgM depends on the chosen HW, which
itself is chosen by the used S-Wdg driver.
The resource requirements of the complete S-WdgM Stack can be found in the according S-Wdg Safety
Manual.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 91
15 Constraints And Known Problems
Category:
Comment
Keywords:

ID:
290553
For known problem see the Release Notes delivered with this software module.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 92
16 References
Category:
Comment
Keywords:

ID:
229559
[ISO26262] ISO26262, Internation Standard, Road vehicles- Functional safety, First edition 2011-11-15

-
Category:
Comment
Keywords:

ID:
229814
[TT_WDGIF_SM] TTTech Automotive GmbH, Safe Watchdog Interface - Safety Manual, D-SAFEX-S-70-
003

-
Category:
Comment
Keywords:

ID:
229604
[TT_WDGDR_MPC56xx_SM] TTTech Automotive GmbH, Safe Watchdog Driver for MPC56xx - Safety
Manual, D-MSP-M-70-022

-
Category:
Comment
Keywords:

ID:
229606
[TT_WDGDR_SAFETCORE_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TriCore and
SafeTcore - Safety Manual, D-SAFEX-S-70-013

-
Category:
Comment
Keywords:

ID:
229612
[TT_WDGDR_TMS570LS3x_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TMS570LS3x -
Safety Manual, D-SAFEX-S-70-015

-
Category:
Comment
Keywords:

ID:
230103
[TT_WDGS_SC] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Safety Case, D-SAFEX-IN-
70-001

-
Category:
Comment
Keywords:

ID:
229551
[TT_WDGM_UM] TTTech Automotive GmbH, Safe Watchdog Manager - User Manual, D-MSP-M-70-001

-
Category:
Comment
Keywords:

ID:
229626
[TT_WDGIF_UM] TTTech Automotive GmbH, Safe Watchdog Interface - User Manual, D-MSP-M-70-006

-
Category:
Comment
Keywords:

ID:
229628
[TT_WDGDR_MPC56xx_UM] TTTech Automotive Gmbh, Safe Watchdog Driver (MPC56xx) - User Manual,
D-MSP-M-70-008

-
Category:
Comment
Keywords:

ID:
229630
[TT_WDGDR_SAFETCORE_UM] Safe Watchdog Driver (SafeTcore) - User Manual, D-MSP-M-70-007

-
Category:
Comment
Keywords:

ID:
229634
[TT_WDGDR_TMS570LS3x_UM] TTTech Automotive GbmH, Safe Watchdog Driver (TMS570LS3x) - User
Manual, D-MSP-M-70-010

-
Category:
Comment
Keywords:

ID:
229521
[AS_WDGM_SWS] AUTOSAR, Specification of Watchdog Manager, Version 2.0.0, Release 4.0, Revision 1

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 93

-
Category:
Comment
Keywords:

ID:
555639
[AS_WDGM_SWS_3_1] AUTOSAR, Specification of Watchdog Manager, Version 1.2.2, Release 3.1,
Revision 1

-
Category:
Comment
Keywords:

ID:
229535
[AS_WDGIF_SWS] AUTOSAR, Specification of Watchdog Interface, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
229537
[AS_WDGDR_SWS] AUTOSAR, Specification of Watchdog Driver, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
237643
[AS_RTE_SWS] AUTOSAR, Specification of RTE, Version 3.0.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
230108
[AS_STDTYP_SWS] AUTOSAR, Specification of Standard Types, Version 1.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
230110
[AS_COMABS_SWS] AUTOSAR, Specification of Compiler Abstraction, Version 3.0.0, Release 4.0,
Revision 1

-
Category:
Comment
Keywords:

ID:
230112
[AS_PLTFM_SWS] AUTOSAR, Specification of Platform Types, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
230114
[AS_MEM_SWS] AUTOSAR, Specification of Memory Mapping, Version 1.2.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
229557
[TI_SPNU511_UM] Texas Instruments, Safety Manual for TMS570LS31x/21x and RM48x Hercules™
ARM® Safety Critical Microcontrollers - User's Guide, Literature Number: SPNU511A, February 2012

-
16.1 Internal Documents
Category:
Comment
Keywords:

ID:
283456
The following referenced documents are internal TTTech Automotive GmbH document. For inspection,
please contact TTTech Automotive GmbH:

-
Category:
Comment
Keywords:

ID:
283458
[TT_WDGM_ETA] TTTech Automotive GmbH, Safe Watchdog Manager - Event Tree Analysis, S-SAFEX-
S-70-001

-
Category:
Comment
Keywords:

ID:
283460
[TT_WDGM_SD] TTTech Automotive GmbH, Safe Watchdog Manager - System Design, D-SAFEX-D-70-
007

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 94

-
Category:
Comment
Keywords:

ID:
283476
[TT_WDGM_TSR] TTTech Automotive GmbH, Safe Watchdog Manager - Technical Safety Requirements,
D-SAFEX-S-70-021

-
Category:
Comment
Keywords:

ID:
283462
[TT_WDGM_SRD] TTTech Automotive GmbH, Safe Watchdog Manager - Software Requirements
Document, D-SAFEX-S-70-004

-
Category:
Comment
Keywords:

ID:
283464
[TT_WDGM_UDD] TTTech Automotive GmbH, Safe Watchdog Manager - Unit Design Document, D-
SAFEX-D-70-002

-
Category:
Comment
Keywords:

ID:
283468
[TT_WDGM_UTS] TTTech Automotive Gmbh, Safe Watchdog Manager - Unit Test Specification, D-
SAFEX-V-70-001

-
Category:
Comment
Keywords:

ID:
283472
[TT_WDGS_ITS] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test
Specification, D-SAFEX-V-01-001

-
Category:
Comment
Keywords:

ID:
283474
[TT_WDGS_ITR] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test Report, D-
SAFEX-V-01-002

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

28.7 - S-WdgM_Stack_SafetyCase

Safety Case

28.8 - S-WdgM_Stack_SafetyCase_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12

28.9 - S-WdgM_Stack_SafetyCases

Ensuring Reliable Networks

Safe Watchdog Manager Stack
Safety Case

Author:
TTTech
Reviewer(s):
VLE
Reference:
D-SAFEX-IN-70-001
Security:
Confidential
Version:
1.1.0
Date:
14.08.2014
Status:
Released

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no
further obligation in relation to this document.
Copyright © 2010, TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 2

Revision Chart
A revision is a new edition of the document and affects all sections of this document.

Version
Date
Responsible Person
Modification
0.1.0
2012-07-02
PPU
Creation
0.2.0
2012-07-19
PPU
Corrected ISO/DIS -> ISO
0.3.0
2012-09-27
PPU
Added S-WdgM Stack chapter
0.4.0
2012-10-01
PPU
Versions of artefacts updated
1.0.0
2012-10-01
PPU
Version of this document updated
1.0.1
2012-10-03
PPU
Document split to three module dependent
documents: S-WdgM, S-WdgIf, S-Wdg
Content against 1.0.0 not changed
1.0.2
2012-10-04
PPU
In the chapter 2 the RAD reference removed
and the provided ISO lifecycles added.
1.0.3
2012-11-16
PPU
Version of the documents updated.
1.0.4
2012-11-19
PPU
Version of the documents updated.
1.0.5
2012-11-19
PPU
Version of the documents updated.
1.0.80
2014-03-03
PPU
Based on ver. 1.0.4, the Verifier versions
updated only.
1.1.0
2014-08-14
PPU
Versions of artefacts updated for release
1.26.1

Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 4
1
Purpose of this Document
This document represents the safety case for the Safe Watchdog Manager Stack. In detail it
covers following areas:
  Safe Watchdog Manager Stack (the common parts)
  Safe Watchdog Manager

The other units of the Safe Watchdog Manager Stack – the Safe Watchdog Interface and the
Safe Watchdog Driver have separate safety case documents.

The safety case references all relevant documents to provide evidence that the software units
have been developed according to requirements of ISO26262:2011 (see [ISO]) for an ASIL D
SEooC software component.

The creation of the proof of due diligence document for the whole watchdog safety concept is the
responsibility of the integrator of the Safe Watchdog Manager Stack (S-WdgM Stack) and is not
part of this safety case document.

2
Assumptions on S-WdgM Stack as SEooC
2.1
Assumptions on scope
According to ISO 26262:2011-10, clause 9.2.4.2, Step 1a, the following assumptions on scope of
the software component as an SEooC were made:
  S-WdgM Stack is integrated into an AUTOSAR 4 or compatible software architecture
  S-WdgM Stack must not unintentionally interfere with other software components
  S-WdgM Stack expects that the executing hardware is working correctly

3
Software Safety Lifecycles
The software units represent SEooC units according to ISO26262. The following software safety
lifecycles were executed as part of the development process of the software units:

Concept phases:
  3-7 Hazard analysis and risk assessment *)
  3-8 Functional Safety Concept *)

Product development at the system level:
  4-6 Technical Safety Concept *)
  4-7 System Design *)

Product development at the software level:
  6-5: Initiation of product development at the software level *)
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 5
  6-8: Software unit design and implementation *)
  6-9: Software unit testing *)

Supporting processes:
  8-7 Configuration management
  8-8 Change management

*) As far as related to the S-WdgM Stack as SEooC

Part 6-6 deals with safety requirements, which are always defined on system level. For the
development of the SEooC, we have made assumptions on the safety requirements, which are
described in the corresponding SEooC safety manuals. The system integrator must verify that the
SEooC fits to the actual system safety requirements.

The other software safety lifecycle phases described by ISO26262 have to be executed by the
system integrator.

4
Software Safety Lifecycle Documentation
The following subsections list the software safety lifecycle artifacts of the software units:
  Safety manuals as .pdf files with references to the MKS repository,
  Source code delivered to customer as pointer to the code location,
  Requirement, design documentation, and test specification as references to the respective
documents in the MKS repository. They are identified by MKS document id the document
version number and the document label.
  Test results as .doc or .pdf files

The customer delivery contains
  User manuals
  Safety manuals and
  Source code

All other artifacts can be audited by the customer on request – either on-site in TTTech Vienna
development location, or via teleconference (e.g. Webex).

The verification and confirmation measures as required by ISO26262:2011 has been executed as
described in the Software Project Plan (SPP).

The evidence for the execution of all verification and confirmation measures as required by
ISO26262 are version-controlled in the following directory:
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/certification/sqa/s-wdgm/evidence

Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 6
The conformity of the development processes of the S-WdgM Stack with ISO 26262:2011
has been assessed in a process audit [AUDIT_S-WdgM].

4.1
Safe Watchdog Manager Stack
This chapter contains common documents related to all three units
  Safe Watchdog Manager
  Safe Watchdog Interface
  Safe Watchdog Driver
4.1.1  Software Project Plan (SPP)
The SPP contains all planning activities for all software units. It also represents the “Safety Plan”
as required by ISO26262. Chapter VI of the SPP also contains the software tool qualification plan
and software tool qualification report as required by ISO26262 - 8 clause 11.

Document Title
Safe Watchdog Manager Stack Software Project Plan
Document Version
0.7.0
Document Number
D-SAFEX-P-70-001
Location
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-
ASIL/03_planning&risk-management/S-WdgM_SPP_V_0_7_0.doc
4.1.2  Functional Safety Concept (FSC)
This document reflects the functional safety concept according to ISO26262 3-8 Functional Safety
Concept.
It is the top-level document for the Safe Watchdog Manager Stack and therefore also includes
assumptions on the ISO 26262:2011 work product 3-7 Hazard analysis and risk assessment in the
scope of this SEooC.

Document Title
Safe Watchdog Manager Stack Functional Safety Concept
Document Version
0.2.0
Document Number
D-SAFEX-S-70-006
Location
MKS ID 262558
Label
Release_1_26_1
4.1.3  Technical Safety Requirements (TSR)
This document describes the technical safety requirements that are assumed for a system using
the Safe Watchdog Manager Stack. The technical safety requirements are relevant for the system
integrator.

Document Title
Safe Watchdog Manager Stack - Technical Safety Requirements
Document Version
0.2.0
Document Number
D-SAFEX-S-70-021
Location
MKS ID 262750
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 7
Label
Release_1_26_1
4.1.4  System Design (SD)
This document reflects the system design document according to ISO 26262:2011 [ISO] 4-7
System Design for the system using the Safe Watchdog Manager Stack. It is based on the
technical safety requirements document [TSR] of the ISO 26262:2011 [ISO] work product 4-6
Technical Safety Requirements in the scope of this SEooC.

Document Title
Safe Watchdog Manager Stack - System Design Specification
Document Version
0.2.0
Document Number
D-SAFEX-D-70-007
Location
MKS ID 263048
Label
Release_1_26_1
4.1.5  Software Requirements Document (SRD)
This document describes the software requirements for Safe Watchdog Manager Stack. The SRD
represents the software unit high-level requirements as required by ISO 26262:2011 – 6, clause 6.

Document Title
Safe Watchdog Manager Stack - Software Requirements Document
Document Version
1.0.5
Document Number
D-SAFEX-D-70-024
Location
MKS ID 264112
Label
Release_1_26_1

4.1.6  Software Architecture Document (SAD)
This document describes the software architecture of the Safe Watchdog Manager Stack.

Document Title
Safe Watchdog Manager Stack - Software Architecture Document
Document Version
1.0.2
Document Number
D-SAFEX-S-70-016
Location
MKS ID 266056
Label
Release_1_26_1
4.1.7  Integration Test Specification (ITS)
This document describes the Integration Test, that verifies the Watchdog Manager, Watchdog
Interface and Watchdog Driver which are compatible with other AUTOSAR components and shows
the expected behaviour at runtime.

Document Title
Safe Watchdog Manager Stack - Integration Test Specification
Document Version
2.1.2
Document Number
D-SAFEX-V-01-001
Location
MKS ID 61036
Label
Release_1_26_1    *1)
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 8
4.1.8  Integration Test Report (ITR)
This document contains a detailed integration test report of the Safe Watchdog Manager Stack
according to the requirements of ISO 26262:2011

Document  Safe Watchdog Manager Stack - Integration Test Report
Title
Document  2.0.21
Version
Document  D-SAFEX-V-01-002
Number
Location
MKS ID 280966
Label
Release_1_26_1   *1)
Location
\\fileserver.vie.at.tttech.ttt\sw-development\software-
PDF
releases\external\TTX\2014\safe_execution_V1_26_0_2014_05_27\
_internal_documents\integration_test\safe_execution_integration_test_report_v1_26_0.pdf
  *1)  The S-WdgM and S-WdgIf Integration test was executed on the V850PJ4 platform (evaluation board) in the 1.26.0
TTTech Release. The S-Wdg driver integration test was executed on the R7F701353 customer platform with the
TLE4473 watchdog at the 1.25.0 TTTech Release.
4.2
Safe Watchdog Manager
This chapter contains documents related to Safe Watchdog Manager module.
4.2.1  Software Requirements Document (SRD)
This document describes the software requirements for Safe Watchdog Manager. The SRD
represents the software unit high-level requirements as required by ISO 26262:2011 – 6, clause 6.

Document Title
Safe Watchdog Manager Software Requirements Document
Document Version
1.0.10
Document Number
D-SAFEX-S-70-004
Location
MKS ID 53448
Label
Release_1_26_1

4.2.2  Unit Design Document (UDD)
The UDD represents the software unit design specification as required by ISO 26262:2011 – 6,
clause 8.

Document Title
Safe Watchdog Manager Unit Design Document
Document Version
1.0.6
Document Number
D-SAFEX-D-70-002
Location
MKS ID 53535
Label
Release_1_26_1
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 9
4.2.3  Source Code
The source code of the software unit is written in the C programming language.
Title
Safe Watchdog Manager Source Code
Version
3.3.2
Location
http://tttechsvn.vie.at.tttech.ttt/trunk/SW/msp-watchdog-mgr

The HIS metrics and the MISRA rule check are performed with the tool QA-C.
The HIS metrics report can be found in the files
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-
documents/HIS_MISRA_checks/Release_1_26_0.
All HIS metrics violations are justified in the respective source files.

The results of the MISRA-check can be found in the folders
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-
documents/HIS_MISRA_checks/Release_1_26_0
All violations are justified. The justifications are provided as comments in the respective source
files.
4.2.4  Unit Test Specification (UTS)
The UTS contains a detailed test specification of the software unit according to the requirements of
ISO 26262:2011 – 6, clause 9 . The UTS demonstrates 100% requirements coverage.

Document Title
Safe Watchdog Manager Unit Test Specification
Document Version
1.0.22
Document Number
D-SAFEX-V-70-001
Location
MKS ID 61477
Label
Release_1_26_1
4.2.5  Unit Test Report (UTR)
The UTR contains a detailed unit test report according to the requirements of ISO 26262:2011 – 6,
clauses 8 and 9. The UTR shows that all tests and review procedures specified in the UTS passed
and that 100% MC/DC coverage is achieved.

Document Title
Safe Watchdog Manager Unit Test Report
Document Version
1.0.4
Document Number
D-SAFEX-V-70-005
Location
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-
ASIL/04_technical-documents/Reviews/S-WdgM/UTR/S-WdgM-
Stack_UTR_WdgM_D-SAFEX-V-70-005_V_1 0 4.pdf

4.2.6  Safety Manual (SM)
The Safety Manual (SM) contains the requirements for the integrator of the software unit. All
requirements described in this document must be followed. In specific, the SM describes for which
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 10
configuration (configuration parameters, used hardware, compiler and linker settings) the software
unit has been tested according to ISO 26262:2011 requirements. Moreover, the SM describes
which SW safety lifecycle requirements and recommendations of ISO 26262:2011 were not
executed during the development of the software unit. These requirements and recommendations
have to be considered by the integrator of the software unit.

Document Title
Safe Watchdog Manager Safety Manual
Document Version
2.3.28
Document Number
D-SAFEX-S-70-001
Locations
MKS ID 228403
Label
Release_1_26_1
4.2.7  Safe Watchdog Manager Verifier
4.2.7.1
Software Requirements Document (SRD)
This document lists the requirements to be fulfilled by the Safe Watchdog Manager Configuration
Verifier.

Document Title
Safe Watchdog Manager Verifier Software Requirements Document
Document Version
1.0.2
Document Number
D-SAFEX-S-70-007
Location
MKS ID 239129
Label
Release_1_26_1

4.2.7.2
Source Code
The verifier source code is written in the C programming language. It is delivered as a .dll file.

Title
Safe Watchdog Manager Verifier Source Code
Version
1.2.11
Location
http://tttechsvn.vie.at.tttech.ttt/trunk/SW/msp-watchdog-mgr-config/src/C

4.2.7.3
Unit Test Specification (UTS)
The UTS contains a detailed test specification of the software unit according to the requirements of
ISO 26262:2011 – 6, clause 9.

Document Title
Safe Watchdog Manager Verifier Unit Test Specification
Document Version
1.0.3
Document Number
D-SAFEX-V-70-009
Location
MKS ID 313571
Label
Release_1_26_1
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 11
4.2.7.4
Unit Test Report (UTR)
The UTR contains a detailed unit test report according to the requirements of ISO 26262:2011 – 6,
clauses 8 and 9. The UTR shows that all tests and review procedures specified in the UTS passed.

Document Title
Safe Watchdog Manager Verifier Unit Test Report
Document Version
1.0.1
Document Number
D-SAFEX-V-70-010
Location
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-
ASIL/04_technical-documents/Unit_Test_Reports/S-WdgM-
Stack_UTR_WdgMVerifier_D-SAFEX-V-70-010_V_1.0.1.doc
5
Summary
The evidence in sections
  “Assumptions on S-WdgM Stack as SEooC”,
  “Software Safety Lifecycles”
  “Software Safety Lifecycle Documentation”
and the assessment reports [AUDIT_S-WdgM] shows that the S-WdgM Stack has been developed
as a SEooC component according to ISO26262:2011 and can be used for up to ASIL D.

It is safe to integrate the SW unit into safety-related systems developed according to ISO
26262:2011, if the requirements that are described in the Safety Manual (SM) are fulfilled by the
system integrator.
6
Abbreviations and Glossary
Acronym / Term
Meaning
API
Application Programmer Interface
ASIL
Automotive Safety Integrity Level
HIS
Herstellerinitiative Software
HW
Hardware
ISO
International Standard
MC/DC
Modified Condition/Decision Coverage
MISRA
Motor Industry Software Reliability Association
MKS
MKS Integrity software tool made by MKS Software Inc.
SEooC
Safety Element out of Context according to ISO 26262:2011-10
SM
Safety Manual
SW
Software
7
References
7.1
Documents Available on Request
The following documents are not part of the customer delivery. The documents can be made
available in video conferences (e.g., WebEx) or in on-site audits at the development center of
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 12
TTTech in Vienna. If necessary, please contact the TTTech Automotive Support at
support@tttech-automotive.com.

[AUDIT_S-WdgM]
TÜV NORD – Institut für Fahrzeugtechnik & Mobilität,

A/
Report on the Functional Safety Audit for TTTech’s Safe Watchdog
Manager Stack (ISO 26262 / ASIL D)
1.  Report-No: 8109170322-B01, Version 1.0, 2012-07-18
2.  Report-No: 8109170322-B02, Version 1.0  2012-12-20

B/
Functional Safety Assessment Report of “Safe Watchdog Manager
Stack” conformity against ISO26262, ASIL D.
Report-No: 8109170322-B04, Version 1.0 2013-02-25
[COMPL]
TTTech Computertechnik AG, ISO_DIS_26262_Compliance.xls, D-INT-CL-
70-001

7.2
Other Documents
[ISO]
International Organization for Standardization, International Standard
ISO26262 Road vehicles – Functional safety (all parts), 2011

Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0
© TTTech Automotive GmbH

28.10 - S-WdgM_UserManual

Safe Watchdog Manager

28.11 - S-WdgM_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Page 51
Page 52
Page 53
Page 54
Page 55
Page 56
Page 57
Page 58
Page 59
Page 60
Page 61
Page 62
Page 63
Page 64
Page 65
Page 66
Page 67
Page 68
Page 69
Page 70
Page 71
Page 72
Page 73
Page 74
Page 75
Page 76
Page 77
Page 78
Page 79
Page 80
Page 81
Page 82
Page 83
Page 84
Page 85
Page 86
Page 87
Page 88
Page 89
Page 90
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Page 103
Page 104
Page 105
Page 106
Page 107
Page 108
Page 109
Page 110
Page 111
Page 112
Page 113
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126
Page 127
Page 128
Page 129
Page 130
Page 131
Page 132
Page 133

28.12 - S-WdgM_UserManuals

Safe Watchdog Manager
User Manual
Version:
3.3.1
Date:
22.05.2014
Document number:
D-MSP-M-70-001
TTTech Autom otive Gm bH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, support@tttech-automotiv e.com
The data in this document may  not be altered or amended without special notif ication f rom TTTech Automotiv e GmbH. TTTech Automotiv e GmbH
undertakes no f urther obligation in relation to this document. The sof tware described in it can only  be used if  the customer is in possession of  a general
license agreement or single license.
Using and copy ing is only  allowed in concurrence with the specif ications stipulated in the contract. Under no circumstances may  any  part of  this
document be copied, reproduced, transmitted, stored in a retriev al sy stem, or translated into another language without written permission of  TTTech
Automotiv e GmbH.
The names and designations used in this document are trademarks or brands belonging to the respectiv e owners.
© 2011 - 2014 TTTech Automotiv e GmbH. All rights reserv ed.                                                                                 Subject to changes and
corrections.
TTTech Automotiv e GmbH Conf idential and Proprietary  Inf ormation

Introduction
Page
4
1
Introduction
The  Safe  Watchdog  Manager  (S-WdgM)  Stack  provides  software  modules  to
monitor the correct functioning of safety-relevant activities in systems  with software
modules of mixed criticality, such as
newly developed safety-related functions,
legacy functions, and
basic software.
The S-WdgM Stack is designed to be used in automotive ECUs.
The S-WdgM Stack has three software modules
Safe Watchdog Manager (S-WdgM)
Safe Watchdog Interface (S-WdgIf)
Safe Watchdog Driver (S-Wdg)
The S-WdgM can run on single-core and multi-core systems.
This  user  manual  describes  the  S-WdgM,  which  is  an  AUTOSAR  basic  software
module  that  is  part  of  the  AUTOSAR  service  layer.  The  S-WdgM  checks  the  logical
program  flow and  temporal behavior  of  the  program  flow  of  safety-relevant  functions.
Safety-relevant  functions  use  checkpoint  calls  to  send  life  signs  to  the  S-WdgM.
Internal or external watchdog hardware is used independently from the system  CPU to
monitor
if the system is still alive,
if the system functions properly, and
if the system shows the correct temporal behavior and logical program flow.
The S-WdgM was developed according to AUTOSAR version 4.0 r1 [1] 128. However,
its functionality can be restricted to the functionality described by AUTOSAR 3.1 r4 in
the AUTOSAR 3.1 compatibility mode.
The S-WdgM is designed to be integrated into AUTOSAR 3.1.4 or 4.0.1 compatible
environments. However, it is not restricted to these AUTOSAR versions only. The
software module can also be integrated into other versions of AUTOSAR and other
system software architectures if the integration-related requirements listed in the Safe
Watchdog Manager Safety Manual [5] 128 are met.
The  S-WdgM  is  compatible  with the  AUTOSAR  4.0  r1  Watchdog  Manager,  but  not
fully  compliant.  For  deviations  from  the  AUTOSAR  4.0  r1  specification,  see  Section
Deviations from the AUTOSAR 4.0 r1 Watchdog Manager 34 .
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Introduction
Page
5
This user manual does not cover safety-related topics. For safety-related requirements
for  integration and  application of  the  S-WdgM,  refer  to  the  Safe  Watchdog  Manager
Safety Manual [5] 128.
1.1
Architecture Overview
The  S-WdgM  Stack  consists  of  the  hardware-independent  modules  Safe
Watchdog  Manager  and  Safe  Watchdog  Interface  and  a  hardware-dependent
module, the Safe Watchdog Driver.
Figure 1 shows the S-WdgM Stack with its modules in an AUTOSAR environment.
“Safe”
“Safe”
“Q M”
“QM”
S WC
S WC
Ch eck poi nt
C heck po int
S WC
SWC
“S af e
“Saf e
Co mp on ent  1 ”
Co m pon en t 2 ”
RTE
)
S
4
Y
s
/
S
r
3
e
C
COM
S
Safe W atc hdog
iv
(
r
t
”
S
SafeContext
G
n
i
R
O
Manager
A
o
D
I
D
p
C
D
x
k
c
fe
e
a
J1939TP
le
h
S
p
C
“
m
Safe W atc hdog
M
o
E
O
I
M
I nterfac e
C
fe
T
N
S
a
I
R
P
O
L
F
I
S
N
M
A
1
C
Safe
P
C
W atchdog
X
Dri ver
CA L
EXT
Internal
Microc ontroller
W atc hdog
External
Safety  Rel ated
Autosar
N on-s afety  related
Ch eck ing /P r ot ect ion
W atc hdog
Fu nct ion
F unction
Basic  SW  Component
Function
Fig 1: Safe Watchdog M anager Stack in an AUTOSAR environment
The S-WdgM controls, through the S-WdgIf and the S-Wdg, the hardware-implemented
watchdog controller, which can be one or more internal watchdog controllers or external
watchdog devices.
Note: A watchdog device requires a hardware-dependent S-Wdg driver.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Introduction
Page
6
Figure  2  shows  the  layered  structure  of  the  S-WdgM  Stack.  The  attached  watchdog
device can be internal or external.

Applications
Safe Watchdog
Manager use r API
BSW’s
System

API
Safe Watchdog
Manager
Safe
Watchdog
Safe Watchdog
Manager
Interface
Stack
Safe
Safe
Watchdog
Watchdog
Hardware
Driver 2
Driver 1
dependent
part
Software
Hardware
E xternal
Internal
Watchdog de vice
Watchdog
device
Fig. 2: Layered structure of the Safe Watchdog M anager
The  S-WdgM  monitors  the  program  flow  and  timing  constraints  of  so-called
supervised entities (SE). The SEs are software entities (like application software) that
are  supervised  by  the  S-WdgM.  When  the  S-WdgM  detects  a  violation  of  the
preconfigured  program  flow  or  the  timing  values,  it  takes  a  number  of  configurable
actions  to  log  that  violation  and/or  go  to  a  safe  state  (for  details,  see  Section  Safe
Watchdog  Manager  (S-WdgM) 9 ).  The  S-WdgM  communicates  with  the  system  via
the Safe Watchdog Application Interface (API) (see Section API Description) 73 .
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Introduction
Page
7
1.2
Use Cases
The  S-WdgM  monitors  the  user  software  at  runtime  and  compares  the  preconfigured
logical and temporal constraints  with the  actual logical and  temporal behavior.  The  S-
WdgM can monitor the following violations:
timing violation (checked by deadline monitoring and alive monitoring)
program flow violation (checked by program flow monitoring)
The S-WdgM periodically triggers the watchdog device through its interface (S-WdgIf)
and  driver  layer  (S-Wdg).  When the  S-WdgM  detects  a  fault  in  the  program  flow  or
timing, then it stops the watchdog triggering, or it initiates a reset of the microcontroller
immediately or after a delay, depending on the S-WdgM configuration.
The S-WdgM monitors the following software and hardware faults:
The supervised entity is executed but the execution was not requested.
The supervised entity was not executed but the execution was requested.
The execution of the supervised entity started too early or too late.
The  execution time  of  a  a  supervised  entity  or  part  of  a  supervised  entity  or  many
supervised entities is longer or shorter than expected.
The  program  flow  of  a  a  supervised  entity  or  part  of  a  supervised  entity  or  many
supervised entities differs from expected program flow.
The reaction of the S-WdgM to detected faults can be configured as follows:
S-WdgM sends information about the detected fault.
S-WdgM initiates a reset of the microcontroller after a watchdog timeout.
S-WdgM initiates an immediate reset of the microcontroller.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Introduction
Page
8
1.3
Safe Watchdog Manager Stack Content
The Safe Watchdog Manager Stack consists of:
Embedded code:
Safe Watchdog Manager (S-WdgM) software module
Safe Watchdog Interface (S-WdgIf) software module
Safe Watchdog Driver (S-Wdg) software modules
A part of the embedded code is generated out of a given ECU configuration.
S-WdgM Configuration Generators (which generate a part of the embedded code
out of a given ECU configuration):
Safe Watchdog Manager Generator
Safe Watchdog Interface Generator
Safe Watchdog Driver Generator
Safe Watchdog Manager Configuration Verifier
Configuration example:
An example of an ECU configuration and the generated code.
Documentation:
User Manuals covering the
o Safe Watchdog Manager,
o Safe Watchdog Interface, and
o Safe Watchdog Drivers
Safety Manuals covering the
o Safe Watchdog Manager
o Safe Watchdog Interface
o Safe Watchdog Drivers
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Introduction
Page
9
2
Safe Watchdog Manager (S-WdgM)
The  S-WdgM  monitors  safety-relevant  applications  on  the  ECU.  The  S-WdgM  is  a
basic  software  module  at  the  service  layer  of  the  standardized  basic  software
architecture of AUTOSAR.  The  S-WdgM  monitors  the  program  flow of  a  configurable
number of so-called supervised entities (SE). When the  S-WdgM  detects  a  violation
of  the  preconfigured  temporal  or  logical  constraints  in  the  program  flow,  it  takes  a
number  of  configurable  actions  to  log  the  fault  and  to  go  to  a  safe  state  after  a
configurable  time  delay.  The  safe  state  is  reached  by  resetting  the  watchdog  or  by
omitting watchdog triggering.
Every supervised entity has a defined control flow. Significant points in this control flow
are represented by checkpoints (CP). This means the control flow  can be  modeled
as a graph, with the checkpoints being the nodes and the pieces of code in between
being the transitions (see Figure  4 for an example).
The  S-WdgM  configuration  defines  the  allowed  transitions  between  the  checkpoints,
and the timing constraints for these transitions
within every supervised entity and
between checkpoints of different supervised entities.
The  supervised  entities  have  to  report  to  the  S-WdgM  when  they  have  reached  a
checkpoint.  Thus,  the  developer  has  to  insert  calls  at  the  checkpoints  that  pass  this
information to the S-WdgM.
The  S-WdgM  functionality  partially  deviates  from  the  AUTOSAR  requirements.  For
details, refer to Section Deviations from the AUTOSAR 4.0 r1 Watchdog Manager 34 .
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 10
2.1
File Structure
Figure 3 gives an overview of the S-WdgM module.

Fig. 3: File structure of the S-WdgM module
Note: The file structure shown in Figure 3 corresponds to the integration of the S-WdgM
in an AUTOSAR 3.1 environment. The differences between an AUTOSAR 3.1 and an
AUTOSAR 4.0 environment are described below in the following two tables.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 11
The following files are part of the S-WdgM:
File
Description
WdgM.c
Implementation of  the  S-WdgM,  defines  the  API  for  the
Service Layer of the BSW-Layer.
WdgM_Checkpoint.c
Implementation of  the  S-WdgM,  defines  the  API  for  the
Application Layer.
WdgM.h
Header  file  of  the  S-WdgM,  provides  API  function
declarations.
WdgM_Cfg.h
Provides  defines  and  declarations  for  the  S-WdgM
configuration identifiers
WdgM_MemMap.h or
The  file  is  generated  and  contains  defines  for  the
WdgM_OSMemMap.h
memory management of the S-WdgM code and data.
The  integrator  can  place  the  status  variables  of  every
supervised  entity  in  a  separate  RAM  sector  (see  also
Section Memory Sections 95 ).  The  file  is  included  in the
AUTOSAR MemMap.h file.
Note: The name of this generated file is
WdgM_MemMap.h in an AUTOSAR 3.1 environment
and
WdgM_OSMemMap.h in an AUTOSAR 4.0
environment.
WdgM_Cfg_Features.h The file  is  generated  and  contains  S-WdgM  precompile
directives.
WdgM_PBcfg.h
The file is generated and contains  the  declaration of  the
S-WdgM configuration.
WdgM_PBcfg.c
The  file  is  generated  and  contains  the  S-WdgM
configuration.
The following files are included by the S-WdgM, but are not part of the S-WdgM:
File
Description
WdgIf_Types.h
Provides the declaration of the S-WdgIf API.
Std_Types.h
AUTOSAR file
Compiler.h
AUTOSAR file
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 12
Compiler_Cfg
Contains compiler abstraction macros
PlatformTypes.h
AUTOSAR file
MemMap.h
AUTOSAR file. Includes WdgM_MemMap.h.
Appl_Det.h
Provides
API
to
a
wrapper
function
for
Det_ReportError().*
Appl_Dem.h
Provides
API
to
a
wrapper
function
for
Dem_ReportErrorStatus().*
Note:  In  an  AUTOSAR  4.0  environment,  this  file  is
indirectly included by WdgM.c. It  is  included  through the
generated file WdgM_Cfg_Features.h.
Appl_Mcu.h
Provides
API
to
a
wrapper
function
for
Mcu_PerformReset().*
Rte_Type.h or
Provides generated RTE type definitions for the WdgM.
Rte_WdgM_Type.h
Note: The name of this generated file is
Rte_Type.h in an AUTOSAR 3.1 environment and
Rte_WdgM_Type.h in an AUTOSAR 4.0
environment.
SchM_WdgM.h
Provides  the  API of  the  Schedule  Manager  for  entering
and exiting an exclusive area.
*) The services
Det_ReportError(),
Dem_ReportErrorStatus() and
Mcu_PerformReset()
may  not  meet  the  quality  level  required  for  the  S-WdgM.  These  services  must  be
wrapped  by  a  wrapper  service  that  has  the  same  name  as  the  corresponding
AUTOSAR service with the prefix Appl_, which guarantees freedom from interference.
The  implementation  of  the  wrapper  service  is  not  part  of  the  S-WdgM.  The  Safe
Watchdog Manager Safety Manual [5] 128 provides a guideline on how to implement the
wrapper.
NOTE:  A  wrapper  could  be  just  a  direct  call  to  the  corresponding  module,  but  that
wrapper could also perform more complex operations such as switching the OS context
before calling the service.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 13
2.2
Basic Functionality of the S-WdgM
As described in AUTOSAR [1], the S-WdgM is a basic software module that monitors
the program flow of supervised entities (SE).
2.2.1
Supervised Entity and Program Flow Supervision
A supervised entity is a software part that is monitored by the  S-WdgM.  There  is  no
fixed  relationship  between supervised  entities  and  the  architectural  building  blocks  in
AUTOSAR.
The  checkpoints  mark  important  steps  during  the  execution  of  an  algorithm.  At  the
checkpoint, a supervised entity calls  the  function
78
WdgM_CheckpointReached()
directly (if  no  runtime  environment  is  present)  or  with a  wrapper  function  (if  a  runtime
environment  is  present),  with  that  wrapper  function  being  provided  by  the  runtime
environment.  The  checkpoints  are  connected  by    transitions.  Local  transitions  bind
Checkpoints to a closed graph. These graphs represent the program flow.
The S-WdgM knows which program  flow is  correct  and  decides  if  a  supervised  entity
behaves as expected or violates the predefined rules.
The question of how to identify the checkpoints for an algorithm  is  a  trade-off  between
performance and code block size per checkpoint:
The more checkpoints an algorithm has, the  better  is  the  representation of  the  code
structure. But this has an adverse effect on performance.
However, if an algorithm has  only a  few checkpoints,  then there  are  code  segments
and program flow branches that are not represented. In this case, performance will be
better, but not everything will be monitored.
A  supervised  entity can represent  an  algorithm,  a  function,  or  –  in  the  case  of  an
operating system – an entire task. In the AUTOSAR definition, a supervised entity can
be distributed over more than one task or application. There can be several supervised
entities for the same task. However, the S-WdgM implementation does not support the
distribution of one supervised entity over more  than one  task  or  application when they
run in different contexts. The S-WdgM expects that at least one supervised entity and at
least one checkpoint are defined.
Figure    4  shows  the  example
of  a
simple
supervised
entity  called
temperature_control:
Supervised  entity  temperature_control  has  six  checkpoints  (illustrated  by
ovalboxes), which are connected by directed transitions (illustrated by arrows).
As  can  be  seen  in  Figure    4,  it  is  possible  to  reach  the  checkpoint
temperature_needs_correction after the checkpoint read_temperature.

However,  reaching  the  checkpoint  heater_adjusted_successfully  after  the
checkpoint read_temperature would be a violation of the program flow.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 14
Fig. 4: Example of a simple supervised entity with a control flow
Use program flow monitoring
Control  (program)  flow  monitoring  is  highly  recommended  by  ISO  26262-6  (7.4.14).
Apart from its main feature, which is to detect logical errors in the monitored algorithms,
program flow monitoring increases the  probability of  detecting  illegal program  counter
jumps within the whole system.
It  is  possible  to  tolerate  program  flow  violations  within  a  supervised  entity  for  a
certain  amount  of  monitoring  cycles.  it  is  possible  to  define  a  program  flow
reference cycle (a multiple of the S-WdgM monitoring cycle) and a tolerance, which is
a number of program flow reference cycles, during which program flow violations should
be tolerated  for  the  supervised  entity.  If  a  program  flow violation is  detected  for  more
program  flow  reference  cycles  than  the  defined  tolerance,  then  the  supervised  entity
changes its status from FAILED to EXPIRED.
The  necessary  configuration  parameters  to  tolerate  program  flow  violations  of  a
supervised entity are:
59
WdgMFailedProgramFlowRefCycleTol
:This
parameter
contains
the
acceptable amount of program flow violations for this supervised entity.
60
WdgMProgramFlowReferenceCycle
:This  parameter  contains  the  amount  of
supervision cycles to be used as  reference  by the  program  flow supervisions  of  this
supervised entity.
Note:  The  program  flow  reference  cycle  for  a  supervised  entity  starts  with  the  first
detected  program  flow  violation  and  not  with  the  S-WdgM  startup.  Hence,  the  first
program  flow  reference  cycle  starts  with  the  transition  of  the  supervised  entity  from
status OK to FAILED. If no program flow violation is detected for a whole program flow
reference cycle within the tolerance then the supervised entity recovers and changes its
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 15
status  from  FAILED  to  OK.  Otherwise,  if  the  tolerance  is  exhausted  and  the  program
flow violations continue, then the supervised entity changes its status to EXPIRED. It can
be  said  that  the  program  flow  reference  cycle  is  processed  only  during  the  status
FAILED  –  it  starts  with  the  first  detected  program  flow  violation.  The  program  flow
reference cycle is restarted with each following transition from OK to FAILED, and it is
not processed during the status OK, EXPIRED or DEACTIVATED.
2.2.2
Deadline Monitoring
The main purpose of deadline monitoring is to check the temporal, dynamic behavior
of  the  supervised  entity.  However,  it  would  also  strongly  increase  the  probability  of
detecting random jumps or irregular updates of the timebase tick  counter,  which might
otherwise degrade system integrity without being discovered.
The  temporal  behavior  of  the  supervised  entities  can  be  monitored  by  assigning
deadlines to transitions.
A
deadline
is  defined
through  a
maximum
deadline
(parameter

69
WdgMDeadlineMax
)
and
a
minimum
deadline
(parameter

WdgMDeadlineMin 69 ).  The  destination  checkpoint  of  a  transition  should  not  be
reached before the minimum time or  after  the  maximum  time  after  which the  source
checkpoint  of  that  transition  was  reached.  Otherwise  the  S-WdgM  will  detect  a
deadline violation. Apart from a maximum deadline  time  it  is  strongly recommended
to  use  a  minimum  deadline  time  as  well,  where  applicable.  This  allows  discovering
timebase tick counter errors implicitly. Deadlines are good for discovering crashed
tasks or infinite loops. If the destination  checkpoint  is  never  reached  because  the
task ended with an error or is stuck in a loop, this would cause a deadline violation.
A transition is considered to violate its deadline if  the  destination checkpoint  is  not
hit  within  the  configured  deadline  interval.  A  deadline  is  assigned  to  an  already
defined transition by specifying the  same  source  and  destination checkpoints  as  for
the
transition.
The
corresponding
deadline
parameters
are

WdgMDeadlineStartRef 70  and WdgMDeadlineStopRef 70 .
Note: A transition should be defined either as a local or a global transition.
As for local transitions, the source and destination checkpoints belong to the same
supervised entity.
As for global transitions, the source and destination checkpoints belong to different
supervised entities.
An example  of  a  supervised  entity with deadlines  defined  for  its  transitions  is  given
below.
Note:  The  first  deadline  is  defined  to  have  a  minimum  of  0  and  a  maximum  of  2
(seconds).  Hence,  CP1  must  be  reached  no  later  than  2  seconds  after  CP0.  The
second  deadline  implies  that  CP2  must  be  reached  no  earlier  than  1  and  no  later
than 3 seconds after CP1. Otherwise a deadline violation will be detected.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 16

Fig. 5: Example of a simple supervised entity with deadlines
Note: Deadline violation is detected
when the next checkpoint is reached outside the defined deadline or
within the
85
WdgM_MainFunction()
if the next checkpoint is not reached at all
(or has not been reached yet) and the maximum deadline has already expired.
A  slightly  more  complex  situation  is  when  several  transitions  go  out  of  the  same
checkpoint. In this case, deadline violations  are  detected  in the  same  manner  when
the next checkpoint is reached outside the defined deadlines. However, if none of the
next  checkpoints  is  reached,  the  WdgM_MainFunction() 85  detects  a  deadline
violation only after the maximum of maximum deadlines of all outgoing transitions has
elapsed, which is shown in Figure 6. If the program gets stuck after CP0, the deadline
violation is detected within the  next  main function that  is  executed  not  earlier  than 5
seconds after reaching CP0.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 17
Fig. 6: Example of multiple outgoing transitions with deadlines
A special case is a hybrid situation when some of the outgoing transitions have
deadlines and others do not. In this case, the main function detects a deadline
violation if none of the next checkpoints is reached within the maximum of maximum
deadlines in order to detect blocked supervised entities. No deadline violation will be
detected after the maximum has expired, however, if the checkpoint without deadline
is reached before the main function. If none of the CP1, CP2 is reached after CP0
( 7), then the next
85
WdgM_MainFunction()
(executed at least 2 seconds after
CP0 is reached) detects a deadline violation. If, however, CP1 is reached after 2
seconds, but before the next WdgM_MainFunction() 85 , no deadline violation
would be detected.
Note: To avoid this ambiguous situation it is a good practice to define deadlines for
all outgoing transitions of a checkpoint (or for none of them).
Fig. 7: Example of a the case where only one of several outgoing transitions has a deadline
The rules for deadline violation detection also apply to global transitions or to the case
of local transitions mixed with global transitions at a checkpoint.
It is possible  to  tolerate  deadline  violations  within a  supervised  entity for  a  certain
amount  of  monitoring  cycles.  It  is  possible  define  a  deadline  reference  cycle  (a
multiple  of  the  S-WdgM  monitoring  cycle)  and  a  tolerance,  which  is  a  number  of
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 18
deadline reference cycles, during which deadline violations should be tolerated for the
supervised  entity.  If  a  deadline  violation  is  detected  for  more  deadline  reference
cycles than the  defined  tolerance,  then the  supervised  entity changes  its  status  from
FAILED to EXPIRED.
The  necessary  configuration  parameters  to  tolerate  deadline  violations  of  a
supervised entity are:
58
WdgMFailedDeadlineRefCycleTol
:
This
parameter
contains
the
acceptable amount of violated deadlines for this supervised entity.
WdgMDeadlineReferenceCycle 59 :  This  parameter  contains  the  amount  of
supervision  cycles  to  be  used  as  reference  by  the  deadline  supervisions  of  this
supervised entity.
Note:  The  deadline  reference  cycle  for  a  supervised  entity  starts  with  the  first
detected  deadline  violation  and  not  with  the  S-WdgM  start  up.  Hence,  the  first
deadline  reference  cycle  starts  with  the  transition  of  the  supervised  entity  from  the
status  OK  to  FAILED.  If  no  deadline  violation  is  detected  for  a  whole  deadline
reference cycle within the tolerance, then the supervised entity recovers and changes
its  status  from  FAILED  to  OK.  Otherwise,  if  the  tolerance  is  exhausted  and  the
deadline  violations  continue,  then  the  supervised  entity  changes  its  status  to
EXPIRED. It can be said that the  deadline  reference  cycle  is  processed  only during
the status FAILED – it starts with the  first  detected  deadline  violation.  The  deadline
reference cycle is restarted with each following transition from OK to FAILED, and it is
not processed during the status OK, EXPIRED or DEACTIVATED.
2.2.3
Alive Supervision
Aliveness monitors the frequency of hits of checkpoints. For example, the  algorithm
could expect a sensor to report its measurements on a regular basis, and a certain task
needs to process this data periodically. If a task stops reporting (alive sign is lost or too
infrequent) or starts reporting too often, then the aliveness of that task is violated.
Alive  supervision  is  associated  with  a  checkpoint  in  a  supervised  entity.  If  you
need  to  monitor  only  the  frequency  with  which  a  task  is  called,  you  can  make  it  a
supervised entity that contains only one checkpoint with the corresponding aliveness
parameters.
Note:  Irregular  calls  of  the  S-WdgM  main  function  or  the  omission  of  calls  of
78
WdgM_CheckPointReached()
would  most  likely result  in  aliveness  violation.
When  alive  monitoring  for  a  checkpoint  is  activated,  then  that  checkpoint  must  be
regularly  called  for  the  entire  period  during  which  the  supervised  entity  is  active,
otherwise  aliveness  violation will be  detected.    In the  first  supervision cycle,  the  Alive
counter
evaluation
can
be
suppressed
by
the
parameter

48
WdgMFirstCycleAliveCounterReset
.
It is important to consider which aliveness parameters are better for a specific situation.
The  example  below  shows  how  to  choose  the  appropriate  alive  supervision
parameters.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 19
Let a supervised entity with one checkpoint monitor the aliveness of a task.
The S-WdgM has a period of 20ms, one S-WdgM tick is 1ms.
The task is periodic with a fixed period of 30ms.
The aliveness parameters that must be set are:
o
65
WdgMExpectedAliveIndications
:
Defines  how  many  alive  indications  (checkpoint  reached  calls)  are  expected
within one supervision reference cycle.
o
66
WdgMSupervisionReferenceCycle
:
Defines the supervision reference cycle length as a number of supervision cycles
(
99
WdgMSupervisionCycle
).
o
66
WdgMMinMargin
:
Defines the lower tolerance of expected alive indications.
o
66
WdgMMaxMargin
:
Defines the upper tolerance of expected alive indications.
o Hence, the allowed number of indications is in the range
WdgMSupervisionReferenceCycle is in the range
[WdgMExpectedAliveIndications - WdgMMinMargin,
WdgMExpectedAliveIndications + WdgMMaxMargin]
Note: In contrast to the deadline and program flow reference cycle the alive supervision
cycle begins with the S-WdgM startup. The alive  supervision in the  very first  cycle  can
be influenced by the parameter WdgMFirstCycleAliveCounterReset 48 . This is
because  each  alive  counter  is  evaluated  once  per  supervision  reference  cycle.  This
means that the supervision reference cycle is processed from the system startup on and
during  the  status  OK  and  FAILED  of  the  corresponding  supervised  entity.  If  the
supervised entity is in the status EXPIRED, then the supervision reference  cycle  is  not
needed  anymore.  If  the  supervised  entity  is  in  the  status  DEACTIVATED,  then  the
supervision reference cycle is frozen. It is restarted if the supervised  entity is  activated
again.
There are several ways for monitoring the task given in the example above. Below, one
variant is given:
Set
WdgMExpectedAliveIndications=1
WdgMSupervisionReferenceCycle=1
WdgMMinMargin=1
WdgMMaxMargin=0
This means the S-WdgM should expect 1 or 0 (WdgMExpectedAliveIndications
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 20
-  WdgMMinMargin)  occurrences  within  one  supervised  reference  cycle,  which  is
fixed to 20ms (which is one S-WdgM supervision cycle).
Figure  8 illustrates this example.
CP:
EAI = 1
n
n
n
n
n
o
o
o
o
o
i
SRC=1
i
i
i
i
t
t
t
t
t
c
min=1
c
c
c
c
n
CP
n
CP n
n
CP
n
u
u
u
u
u
max=0
F
F
F
F
F
n
n
n
n
n
i
i
i
i
i
a
a
a
a
a
M
M
M
M
M
_
_
_
_
_
M
M
M
M
M
g
g
g
g
g
d
d
d
d
d
W
W
W
W
W
   time
S-WdgM period
20ms
Task period
      30ms
Supervision
20ms
reference
cycle
Number of alive
1
1
1
0
indications per
supervision cycle

Fig. 8: A task being monitored during one S-WdgM  supervision cycle (20ms)
However, if the task stops being executed  it  will not  be  detected,  because  zero  alive
indications  per  supervised  reference  cycle  are  tolerated.  Therefore,  this  choice  of
setting aliveness parameters is not very good.
Below, a second variant is given:
Set
WdgMExpectedAliveIndications=2
WdgMSupervisionReferenceCycle=2
WdgMMinMargin=1
WdgMMaxMargin=0
This means the S-WdgM should expect  1  or  2  alive  indications  within one  supervised
reference  cycle,  which  is  fixed  to  40ms  (and  which  is  two  S-WdgM  supervision
cycles).
Figure  9 illustrates this example.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 21
CP:
EAI = 2
n
n
n
n
n
o
o
o
o
o
i
SRC=2
i
i
i
i
t
t
t
t
t
c
min=1
c
c
c
c
n
CP
n
CP n
n
CP
n
u
u
u
u
u
max=0
F
F
F
F
F
n
n
n
n
n
i
i
i
i
i
a
a
a
a
a
M
M
M
M
M
_
_
_
_
_
M
M
M
M
M
g
g
g
g
g
d
d
d
d
d
W
W
W
W
W
   time
S-WdgM period
20ms
Task period
      30ms
supervision
40ms
reference
cycle
Number of alive
2
1
indications per
supervision cycle

Fig. 9: A task being monitored during two S-WdgM  supervision cycles (40ms)
This  configuration  solves  the  problem  of  detecting  the  disappearance  of  the  task.
However, the reaction time for error detection doubles from 20 to 40ms.
A third variant would be to set the supervision reference  cycle  to  the  least  common
multiple of the S-WdgM supervision cycle and the task period. In the example given
above  this  would  be  60ms  (three  S-WdgM  supervision  cycles).  In  this  case,  we
expect  exactly 2  alive  indications.  Hence,  the  minimum  and  maximum  margins  are
both 0.
Note:  The task period and the S-WdgM supervision cycle must  be  synchronized
and started with an offset to each other (e.g., scheduled in an operating system).
2.2.4
More Details on Checkpoints and Transitions
Every supervised entity has one initial checkpoint. The number  of  end  checkpoints
can be  zero,  one  or  more  than  one.  If  the  supervised  entity  contains  only  one  single
checkpoint, then it should be both an initial and  an end  checkpoint.  Local  transitions
are defined by their source and  destination  checkpoints,  which must  belong  to  the
same  supervised  entity.  Those  local  transitions  are  specified  in  the  parameters
68
WdgMLocalTransitionSourceRef
and  WdgMLocalTransitionDestRef
67 .
After initialization of the S-WdgM, all supervised entites are passive.
Note:
This
has
nothing
to
do
with
the
supervised
entity
state

82
WDGM_LOCAL_STATUS_DEACTIVATED
.
A supervised entity becomes active when its local initial checkpoint has been called. In
the  example  of  the  supervised  entity  temperature_control  (see  Section
Supervised  Entity  and  Program  Flow  Supervision 13  and  Figure    4),  the  initial
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 22
checkpoint  is  read_temperature.  Only  if  the  supervised  entity  is  active,  its
checkpoints  (other  than the  initial checkpoint)  may  be  reached,  otherwise  a  program
flow  violation  occurs.  Reaching  an  end  checkpoint,  the  supervised  entity  is  set  to
passive state, and it can be activated again only through the initial checkpoint.
Reaching the initial checkpoint again after the supervised entity has been activated is a
program flow violation.
Local  reflexive  transitions  (from  a  checkpoint  to  itself)  are  allowed  only  when
configured.  The  reflexive  transitions  cannot  be  defined  for  local  initial  or  local  end
checkpoints.
Local initial checkpoints are not allowed to have local incoming transitions.
Local end checkpoints are not allowed to have local outgoing transitions.
2.2.5
Global Transitions
It is possible to represent program flow dependencies  between supervised  entities  by
using  so-called  global  transitions.  Global  transitions  are  defined  for  the  S-WdgM
configuration  by  their  source  and  destination  checkpoints,  which  must  belong  to
different  supervised  entities  and  which  are  specified  by  the  parameters
69
WdgMGlobalTransitionSourceRef
and

68
WdgMGlobalTransitionDestRef
. The end  checkpoint  of  an supervised  entity
is usually connected to the initial checkpoint of another supervised entity,  expressing  a
logical  dependency  between  them.  However,  global  transitions  are  allowed  between
any two checkpoints of any two supervised entities.
One  must  keep  in mind  several things  when defining  a  global  transition  between  two
arbitrary checkpoints:
If the source of the global transition is not a local end checkpoint, then the source entity
will  remain  active.  Program  flow  violation  would  occur  if  its  initial  checkpoint  were
reached again.
If the destination checkpoint of the global transition is not a local initial checkpoint., the
destination entity may not be active. Program flow violation would occur if a non-initial
checkpoint of an inactive supervised entity were reached.
Exactly  one  global  initial  checkpoint  must  be  defined.  The  first  global  transition
passed must have that checkpoint as a source.
It is possible to define one or several global end checkpoints or none. Once the global
end  checkpoint  served  as  a  destination  checkpoint  of  a  global  transition,  no  more
global  transitions  are  allowed  (unless  they  are  started  with  the  global  initial
checkpoint).
Figure 10 shows a global transition between two supervised entities:
The pressure_sensor_task gets the pressure value.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 23
The control_pressure_task calculates a reaction and reacts to  the  measured
pressure. However, it can start only after  the  first  task  (pressure_sensor_task)
has finished and after the pressure value has been obtained. This relation is shown by
a global transition (see dotted arrow).
Some transitions in Figure 10 have comments that show deadlines in milliseconds.
Deadlines can also be defined for global transitions (see dotted arrow), where 1..5ms
means  that  the  second  task  (control_pressure_task)  should  start  not  later
than 5ms, but not earlier than 1ms after the first task has finished.
Fig. 10: Global transition between two supervised entities
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 24
2.2.6
Global Transitions and Program Flow
In general the,  program  flow does  not  differ  between local and  global  transitions.  But
what seems intuitive for local transitions might not be so obvious for global transitions..
This section gives examples that show the usage of local and  global transitions  with a
focus on program flow split.
From the perspective of the S-WdgM, the program flow is  the  consecutive  reaching  of
checkpoints.  The  start  of  each  program  flow  must  be  a  local  initial  checkpoint.  The
program flow propagates through local transitions within the boundaries of a supervised
entity  and  through  global  transitions  within  the  boundaries  of  the  whole  system.  The
program flow might eventually come to an end at a local end checkpoint, or never come
to an end if a program flow loop occurs.
A very important feature is  that  it  is  not  allowed  to  split  the  program  flow.  This  means
that  the  program  flow is  allowed  to  take  only  one  transition  at  each  checkpoint  from
which more than one local or global transition comes out.
2.2.6.1
Example of an Incorrect Global Transition Split
Figure  11  shows  that  after  checkpoint  cp0_1  the  program  flow  must  decide  to  take
either  the  global  transition  cp1_0  or  cp2_0.  Reaching  cp2_0  immediately  after
reaching cp1_0 would result in a program flow violation.

Fig. 11: Incorrect global transition split
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 25
2.2.6.2
Example of an Incorrect Program Split in the Middle of an Entity
Figure 12 shows another example. Let us assume that the program flow reaches cp0_0
and  then  cp0_1.  Afterward  the  program  flow  decides  to  take  the  global  transition
reaching  cp1_0  instead  of  taking  the  local transition.  Now,  if  the  local  transition  took
place afterward  (by reaching  cp0_2),  a  program  flow violation would  occur.  However,
cp0_2 can be reached via the global transition if the program flow comes from cp1_1.

Fig. 12: Incorrect program split in the middle of an entity
Note:  It  is  easy  to  create  configurations  with  complex  global  transitions  that  do  not
make much sense in a real system. For example, if "jumping out" of a supervised entity
from a  checkpoint  that  is  not  a  local end  checkpoint,  one  must  keep  in mind  that  this
supervised entity is still active (local activity flag is still true), and it cannot be restarted
by reaching  its  local initial  checkpoint  again.  Thus,  it  is  recommended  to  use  global
transitions  carefully  and  let  them  start  only  at  local  end  checkpoints  of  a  supervised
entity and end at a local initial checkpoint of some other entity. Exceptions to this  must
be analyzed thoroughly,  with respect  to  the  program  flow and  the  local activity of  both
supervised entities.
2.2.7
S-WdgM Supervision Cycle
The supervision cycle is the  time  period  in which the  cyclic  supervision algorithm  is
executed.  At  the  end  of  each  supervision  cycle,  the  main  function,
85
WdgM_MainFunction()
,  is  called.  This  function  evaluates  the  checkpoint  data
gathered  in  the  previous  period  and  triggers  the  Watchdog  if  no  violation  has  been
detected. Function WdgM_MainFunction() also checks for violations depending on
the reference cycle defined for the respective monitoring feature.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 26
Example:  If
60
WdgMProgramFlowReferenceCycle
=3,  then  the  check  for
program flow violation is done in every third call of WdgM_MainFunction().
The shorter this period and the reference cycles, the shorter the reaction time of the S-
WdgM, but the more processor time is consumed.
Note: Aliveness supervision is strongly connected to this period. The expected number
of  alive  indications  for  a  certain  checkpoint  refers  to  the  last  supervision  cycle
(configurable  for  the  checkpoint),  which  is  expressed  in  the  number  of  supervision
cycles.
Figure 13 shows a time span with 3 supervision cycles. In each cycle, CP1 and CP2 are
hit once. Once the S-WdgM main function is  called,  the  window for  the  next  watchdog
trigger
is
defined
by

77
WdgMTriggerWindowStart
and

77
WdgMTriggerConditionValue
.
WD
WD
WD
trigger
trigger
t rigger

n
n
n
Entity 1
Entit y 1
Ent it y 1
tio
tio
tio
c
c
c
n
n
n
u
u
u
CP1
CP2
F
CP1
CP2
F
C P1
C P2
F
it
in
in
in
a
a
In

a
_
M
M
M
M
M
M
M
g
g
g
g
d
d
d
d
W
W
W
W
time
WdgMTriggerWindowStart
WdgMSupervisionCycle
WdgMTriggerConditionValue
Explanations:
Trigger window
CP1,  CP2:       Checkpoint  1  and 2
WD t rigger:     Point  where  the watchdog t rigger occurs
Entity1:             Entity wit h t wo checkpoints
Green bar:     Time window  where  re-t riggering is allowed

Fig. 13: S-WdgM  supervision cycle
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 27
2.2.8
S-WdgM Stack Fault Reaction Time
The  S-WdgM  distinguishes  between the  fault  detection  time  and  the  fault  reaction
time.
The fault detection time spans from the occurrence of an error to the point in time
when that  error  is  detected  and  communicated  to  the  system  (via  DET  or  callback
functions).
The fault reaction time  spans  from  the  detection  of  an error  to  the  actual system
reset.
If a program flow violation or a deadline violation occur, the source checkpoint and
the  destination checkpoint  report  to  the  S-WdgM  when hit.  At  the  end  of  the  current
supervision  cycle,  the  S-WdgM  main  function,
85
WdgM_MainFunction()
,  is
called and the violation is detected (ie. the configured destination checkpoint was hit too
late or not at all) and communicated to the system.
If an alive counter violation occurs, it is also the  S-WdgM  main function that  detects
and communicates the violation at the end of the supervision reference cycle of the
alive supervision.
Once a violation has been detected, the S-WdgM can (depending on the configuration)
immediately go to a safe state (ie. reset the WS or discontinue triggering the WD) or
allow a configurable number of violations in a row and, hence, delay the safe state
for this amount of supervision reference cycles.
The decision whether to trigger or reset the WD or not is made within the S-WdgM main
function. This function also performs the trigger and reset.
The  shortest  fault  detection  and  reaction  time  can  be  achieved  by  configuring  an
immediate reset. However, the time still depends on what  occurs  first  in a  supervision
cycle, the fault or the hit of the checkpoint.
Figure  14  shows  a  scenario  with  a  fault  occurring  first.  The  checkpoint  registers  the
fault,  and  at  the  end  of  the  current  supervision  cycle,  the  fault  is  detected,
communicated, with the system being reset.
Note:  For  alive  supervision,  the  detection  is  at  the  end  of  the  current  supervision
reference cycle.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 28
WD
trigger

n
n
n
o
o
o
i
i
i
t
t
t
c
c
c
n
n
n
u
u
u
F
CP
F
CP
F
n
n
n
i
i
i
a
a
a
M
M
M
M
M
M
g
g
g
d
Fault
d
d
W
W
W
time
WdgMTriggerWindowStart
WdgMSupervisionCycle
WdgMTriggerConditionValue
S-WdgM fault detection ti me  S-WdgM fault reacti on  tim e
S-WdgM  Stack
mi nimum reacti on  tim e
CP …  Checkpoint  with Alive monitoring
RESET
- The WdgMSupervisionReferenceCycle = WdgMSupervisionCycle
- The Watchdog is triggered inside the WdgM_MainFunction().
- The green  line represents t he  time window   when the  Watchdog can be triggered.
- WdgMImmediateReset = TRUE
Fig. 14: The S-WdgM  Stack minimum reaction time

Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 29
Figure  15.  shows  a  scenario  with  a  checkpoint  being  hit  first.  The  fault  cannot  be
detected before the next checkpoint is hit, which is  due  to  the  subsequent  supervision
cycle.  As  a  consequence,  violation,  detection,  communication  and  system  reset  are
done in the second following call of the S-WdgM main function.
Note: For alive supervision, the detection is at the end of the next supervision reference
cycle for alive supervision.

n
n
CP not  called
n
o
o
o
i
i
wit hin expected
i
t
t
t
c
c
time int erval
c
n
n
n
u
u
u
F
CP
F
CP
F
n
n
n
i
i
i
a
a
a
M
M
M
M
M
M
g
g
g
d
d
d
W
Fault
W
W
time
WdgMTriggerWindowStart
WdgMSupervisionCycle
WdgMTriggerConditionValue
S-WdgM  fault  detection time
S-WdgM faul t  reaction ti me
S-WdgM Stack maximum reaction  time
CP  …  Checkpoint  wit h Alive monitoring
- In the pict ure,  WdgMSupervisionReferenceCycle = WdgMSupervisionCycle
RESET
- The Watchdog is triggered inside the WdgM_MainFunction().
- The green  line represents t he  time window   when the Watchdog can be triggered.
- The ‘S-WdgM Fault detection time’ is equal  to I SO26262  ‘Diagnostic test interval’
- The ‘ault reacti on  tim e is the S-WdgM  Fault reaction time + the S-Wdg Fault reaction
time.

Fig. 15: The S-WdgM  Stack maximum reaction time
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 30
2.2.9
Reset Path and Safe State
The  safe  state  is  entered  as  a  result  of  an  MCU  reset.  The  S-WdgM  builds  its
functionality on a  reliable  and  robust  reset  path.  The  S-WdgM  default  reset  path
uses the Watchdog Device itself through the S-WdgIF. The Watchdog Device can be
either  an  external  chip  or  an  MCU-internal  controller.  The  system  integrator  can
additionally
set
a
secondary
path
by
adding
the
parameter

WDGM_SECOND_RESET_PATH = STD_ON. The secondary reset path is used when
the Safe Watchdog Interface returns an error response. This error response can be
caused by communication errors to the external Watchdog device.
Figure 16 shows the primary and secondary reset path.
S-WdgM    API
BSW’s

Safe Watchdog
Manager
Secondary
reset path
Safe Watchdog
Interface

Mcu
Safe Watchdog
driver
Driver
Primary
reset path
Software
Hardware
E xterna l
          I
nt
er
n
al               I
n
t
e
r
n
al
          MCU
Watchdog
Watchdog
Reset
device
device

Fig. 16: Primary and secondary reset path of the S-WdgM
The  S-WdgM  uses  the  primary  reset  path  for  a  regular  Watchdog-initiated  reset
and also for an immediate MCU reset. The primary reset  path is  the  preferred  path,
because  it  is  part  of  the  S-WdgM  software  and  thus  safe.  The  MCU  driver  with  the
AUTOSAR function
89
Appl_Mcu_PerformReset()
must guarantee  freedom  from
interference.
The secondary reset path is optional. It is used when the primary reset path signals
a fault.
The S-WdgM safe state is the MCU reset state.
Note: The S-WdgM safe state is not necessarily the system safe state.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 31
The S-WdgM can invoke the safe state in two ways:
MCU reset after watchdog timeout by discontinuing watchdog triggering.
Immediate MCU reset by an immediate watchdog reset. The immediate reset can be
configured.  See  parameter
39
WDGM_IMMEDIATE_RESET
in  Section  S-WdgM
Global Preprocessor Settings 38 .
2.2.10 S-WdgM Local Entity State
Every supervised  entity has  a  local  state  that  expresses  the  occurrence  of  detected
violations:
State OK
No violation has been detected
State FAILED
A  violation  has  been  detected,  the  reset  is  pending  within  a  delay
time (maybe 0 ticks) and the violation repeats.
State EXPIRED A  violation  has  repeated  throughout  the  delay  time.  A  reset  is
inevitable.
AUTOSAR allows configuring a tolerance delay after an alive counter violation has been
detected. See [1] for detailed  information.  AUTOSAR does  not  allow configuring  such
tolerances  for  program  flow and  deadline  violations.  The  S-WdgM  allows  configuring
such tolerances for all three monitoring features described below:
Once  a  violation  has  been  detected,  the  S-WdgM  changes  its  state  from  OK  to
FAILED and starts a so-called tolerance time, which is configured as follows:
The  tolerance  time  is  the  supervision  reference  cycle  (according  to  the  monitoring
feature) multiplied by a supervision reference cycle tolerance value.
As  long  as  the  violation repeats  within the  tolerance  time  at  least  every supervision
reference cycle, the S-WdgM stays in the state FAILED.
If  the  violation does  not  occur  in  a  supervision  reference  cycle  within  the  tolerance
delay, the S-WdgM returns to the state OK as if  no  violation had  happened.  Only the
status change is logged.
If the violation has repeated to the end of the tolerance time, the  S-WdgM  enters  the
state EXPIRED.
Figure 17 shows the state changes  in dependence  of  the  configured  reference  cycles
and reference cycle tolerances.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 32

Fig. 17: M odified state machine
Note: The AUTOSAR implementation can be simulated for deadline and program flow
violations with
reference cycle = reference cycle tolerance = 0.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 33
The exact names of the configuration fields for the tolerance delay are:
Monitoring
Reference Cycle
Reference Cycle Tolerance
Alive Supervision
WdgMSupervisionReferenceCycle
WdgMFailedSupervisionRefCycleTol
66
57
Program Flow Monitoring WdgMProgramFlowReferenceCycle
WdgMFailedProgramFlowRefCycleTol
60
59
Deadline Monitoring
WdgMDeadlineReferenceCycle 59
WdgMFailedDeadlineRefCycleTol 58
Note:
60
WdgMProgramFlowReferenceCycle
and
59
WdgMFailedProgramFlowRefCycleTol
must both be 0 or unequal to 0.
59
WdgMDeadlineReferenceCycle
and
58
WdgMFailedDeadlineRefCycleTol
must both be 0 or unequal to 0.
2.2.11 S-WdgM Global State
The  local  states  are  periodically  summarized  in  an    S-WdgM  global  state.  If  all
supervised  entities  have  the  state  OK,  then the  global state  is  OK.  When at  least  one
supervised  entity  changes  to  the  state  FAILED,  then  the  global  state  becomes
FAILED.  When  at  least  one  supervised  entity  changes  to  the  state  EXPIRED,  the
global  state  becomes  EXPIRED.  Once  the  global  state  is  EXPIRED,  the  S-WdgM
continues the delay until it enters the state STOPPED. This is  when the  S-WdgM  stops
triggering the Watchdog (or resets it). The delay is the supervision  cycle  multiplied
by  the  configurable  expired  supervision  cycle  tolerance
(parameter
53
WdgMExpiredSupervisionCycleTol
).
Once  in  the  state  STOPPED,  the  S-WdgM  brings  the  system  to  the  safe  state  by
performing  a  system  reset  through  the  S-WdgIf  module  and,  thus,  through  the
watchdog(s)  in the  system.  If  the  preprocessor  option WDGM_SECOND_RESET_PATH
45  is set to STD_ON and the S-WdgIf reports a failure, then the system goes into a safe
state through the MCU module (see Section S-WdgM Global Preprocessor Settings 38 )
.
2.3
Integration in AUTOSAR 3.1 and 4.0 Environments
The S-WdgM implements functionality described in AUTOSAR 4.0r1. However, the S-
WdgM can be integrated in AUTOSAR 3.1 and AUTOSAR 4.0 environments. To this
end, a special preprocessor switch is automatically generated by the configuration
generator. That preprocessor switch cannot be altered manually. This is
WDGM_AUTOSAR_4_x (STD_ON / STD_OFF), which is placed in the generated
file WdgM_Cfg_Features.h. The value of the preprocessor switch is determined by
the configuration generator according to the provided ECUC file, more specifically
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 34
according to the XML default name space of the ECUC file (attribute xmlns).
For AUTOSAR 3.1: WDGM_AUTOSAR_4_x is generated to STD_OFF, which
prepares the embedded code for a compilation in an AUTOSAR 3.1 environment. If
the AUTOSAR version is not 3.1, but any other 3.x, the configuration generator
additionally outputs a warning during this process.
For AUTOSAR 4.0: WDGM_AUTOSAR_4_x is generated to STD_ON, which prepares
the embedded code for a compilation in an AUTOSAR 4.0 environment. If the
AUTOSAR version is not 4.0, but any other 4.x, the configuration generator
additionally outputs a warning during this process.
For any other AUTOSAR version (smaller than 3 or greater than 4), the configuration
generator generates no code and exits with an error message.
Note: The integration of the S-WdgM in an AUTOSAR 3.1 environment must be
differentiated from the AUTOSAR 3.1 compatibility mode described in this document.
The integration into an AUTOSAR environment refers only to the software environment
in which the S-WdgM interacts, whereas the AUTOSAR 3.1 compatibility mode is a
special operation mode of the module itself selected at pre-compile time. In this
special mode, the functionality is reduced to the functionality described by the
AUTOSAR 3.1. For more information refer to AUTOSAR version 3.1 r1 [7] 128.
2.4
Deviations from the AUTOSAR 4.0 r1 Watchdog Manager
The  S-WdgM  is  compatible  with the  AUTOSAR  4.0  r1  Watchdog  Manager,  but  not
fully compliant. This has the following reasons:
The  AUTOSAR  specification  does  not  define  functionality  comprehensively  and
precisely enough for implementation (e.g., global transitions).
The AUTOSAR specification does not contain certain functionality (e.g., program flow,
deadline monitoring recovering).
The AUTOSAR specification defines an approach that is very complex to be handled
by the user or consumes too much run time (S-WdgM mode switching).
The  AUTOSAR  specification  does  not  fully  consider  safety  requirements  (e.g.,
windowed Watchdog Trigger).
Below you can find  the  deviations  from  the  AUTOSAR 4.0  r1  Watchdog  Manager  in
detail:
2.4.1
Entities, Checkpoints and Transitions
For periodical watchdog triggering at least one supervised entity and one checkpoint
should be defined.
In contrast to AUTOSAR, local activity flags of the supervised entities are set back to
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 35
FALSE  every  time  an  end  checkpoint  of  this  supervised  entity  is  reached.
Analogously,  the  global activity flag  is  set  back  to  FALSE  as  soon as  a  global  end
checkpoint is reached.
Local  initial  checkpoints  cannot  have  incoming  local  transitions,  but  they  can  have
incoming global transitions.
Local  end  checkpoints  cannot  have  outgoing  local  transitions,  but  they  can  have
outgoing global transitions.
If global transitions are used, then there must be exactly one global initial checkpoint.
The  global initial checkpoint  should  be  called  before  any other  global  checkpoint  is
invoked.
If a non-initial checkpoint of an supervised entity is reached and this supervised entity
is not active, then this is considered to be a program flow violation in this supervised
entity.
If a checkpoint is the source for a local and a global transition, then only one of the two
transitions  can occur.  The  other  one  is  considered  a  program  flow violation.  This  is
because  the  program  flow  cannot  split  into  2  paths.  If,  for  example,  a  new  task  is
started from a CP1 (global transition to CPnew) and the original task continues (local
transition to CP2), then the sequence following the sequences of checkpoint hits is not
allowed:
o     CP->CPnew->CP2 and
o     CP->CP2->CPnew.
If a local initial checkpoint is the destination checkpoint for a global transition, then the
checkpoint must be hit by following the global transition. There is a dilemma, though: If
several  supervised  entities  form  a  cycle  of  transitions,  with  each  supervised  entity
entered via a global transition from the previous supervised entity, then there is no way
to start the cycle, because no local initial checkpoint is allowed to be hit in a way other
than via  the  global transition.  The  solution  is  an  exception  in  the  S-WdgM:  A  local
initial checkpoint can be hit, not  coming  through the  global transition,  if  it  is  also  the
global initial checkpoint.
As  in AUTOSAR,  the  S-WdgM  needs  a  time  source  in order  to  measure  transition
deadlines.  Whereas  AUTOSAR  does  not  define  the  source  for  ticks,  the  S-WdgM
allows the user to choose between three Tick sources:
o Internal software source,
o Internal hardware source,
o External tick source
For  details  see  Section  Deadline  Measurement  and  Tick  Counter 100  and  the
description  of  parameter
44
WdgMTimebaseSource
in  Section  S-WdgM  Global
Preprocessor Settings 38 .
The checkpoint and entity identifiers are zero-based and increase the list of integer
numbers without gaps.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 36
Deadline monitoring is bound to program flow. Only if program flow transitions are
configured, it is possible to configure transition deadlines.
The local/global end checkpoint does not need to be defined.
Currently only one checkpoint with an alive counter is supported per supervised entity.
This is recommended in the AUTOSAR 4.0 r1 Watchdog Manager specification,
since the functionality is not consistently described.
2.4.2
Tolerances
The S-WdgM allows tolerance delay for all three monitoring features. In AUTOSAR,
this is restricted to alive supervision. Tolerance delay allows recovering from program
flow and deadline violations as well as from alive counter violations.
The
interpretation
of
the
AUTOSAR
parameter

53
WdgMExpiredSupervisionCycleTol
implements
a
delay
of
(WdgMExpiredSupervisionCycleTol  +  2)  supervision  cycles.  The  S-
WdgM
implements
a
delay
of
WdgMExpiredSupervisionCycleTol
supervision cycles. This allows configuring no delay, with the tolerance value set to
0.
2.4.3
Watchdog and Reset
The  AUTOSAR Watchdog  Manager  supports  several watchdog  drivers  and  several
watchdog  devices  per  watchdog  driver.  However,  the  TTTech  S-WdgM  Stack
supports  only  one  watchdog  driver  and  only  one  watchdog  device  per  watchdog
driver.
For safety reasons, the S-WdgM uses the  primary watchdog  reset  as  an immediate
reset  (WDGM_IMMEDIATE_RESET  =  STD_ON)  .  In  contrast,  the  AUTOSAR  Watchdog
Manager uses the external function Appl_Mcu_PerformReset().
The
S-WdgM
does
not
support
a
partition
reset
with

BswM_WdgM_RequestPartitionReset().
2.4.4
API
The  S-WdgM  function  WdgM_SetMode()  switches  the  trigger  mode  only.  This
relates to the fields
o
56
WdgMTriggerConditionValue
o WdgMTriggerWindowStart 56
o
55
WdgMWatchdogMode
.
It does not change the set of supervised entities. This can be simulated by activating
and deactivating different sets  of  supervised  entities  for  different  modes.  Note:  Full
support of the function is too time expensive at runtime and too complex (not safe) to
implement and to configure.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 37
For  safety  and  complexity  reasons,  the  function  WdgM_DeInit()  is  not
implemented.
The S-WdgM provides the functions WdgM_DeactivateSupervisionEntity()
81
and
82
WdgM_ActivateSupervisionEntity()
for  deactivating  and
activating of the SE.  These functions are not AUTOSAR 4.0 r1 compatible.
The S-WdgM uses only direct callback notification for a local and global state change.
The RTE notification is not implemented.
Due  to  implementation  complexity  and  verification  difficulty,  the  S-WdgM  does  not
support RTE Mode Ports.
The S-WdgM checks the configuration independently of the WdgMDevErrorDetect
38  parameter. This parameter enables/disables the DET calls only.
The ECU Description Configuration constraints are described in Section Assumptions/
Constraints 72 .
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 38
2.5
Configuration Parameters for the S-WdgM
This  Section  contains  a  brief  description  of  the  configuration  parameters  for  the  S-
WdgM, sorted according to their functionality. The path to each parameter  or  option is
the  exact  ECU  description  file  path.  The  parameters  are  placed  inside  the  ECU
description  file.  The  S-WdgM  Configuration  Generator 102  uses  the  parameters  to
generate configuration structures.
The list includes functions defined in AUTOSAR 4.0 r1 and functions added by TTTech.
For AUTOSAR 3.1 functions and a comparison of AUTOSAR 4.0 r1 and AUTOSAR 3.1
functions, see Section AUTOSAR 3.1 Compatibility 90 .
2.5.1
S-WdgM Global Preprocessor Settings
Parameter Name
WdgMDevErrorDetect
Parameter Name
WDGM_DEV_ERROR_DETECT
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR 4.0 r1
Description
This  preprocessor  switch  enables/disables  development
error detection and reporting. This parameter must be  used
to  remove  unneeded  code  segments  regarding  DET
features.
true: Development error detection is enabled.
false: Development error detection is disabled.
Parameter Name
WdgMDemReport
Parameter Name
WDGM_DEM_REPORT
(Embedded Code)
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 39
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR 4.0 r1
Description
This preprocessor  switch enables/disables  calls  to  DEM  in
case of production error detection.
true: DEM calls enabled in case of production errors.
false: DEM calls disabled in case of production errors.
Parameter Name
WdgMImmediateReset
Parameter Name
WDGM_IMMEDIATE_RESET
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR 4.0 r1
Description
This  preprocessor  switch  enables/disables  the  immediate
watchdog  reset  feature  in  case  of  alive,  deadline  or
program  flow fault.  When  it  is  enabled  and  the  S-WdgM
recognizes a fault (i.e., the S-WdgM global state changes to
WDGM_GLOBAL_STATUS_STOPPED),  then the  S-WdgM  does  not
wait for the watchdog  device  timeout,  but  invokes  the  reset
immediately.
The parameter can be configured to perform an MCU reset
if the immediate reset fails.
Note:  Not all hardware  platforms  can invoke  an immediate
reset.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 40
true: Perform an immediate watchdog reset.
false: Discontinue watchdog trigger and wait for
watchdog timeout.
Parameter Name
WdgMOffModeEnabled
Parameter Name
WDGM_OFF_MODE_ENABLED
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR 4.0 r1
Description
This preprocessor switch enables/disables the selection of
WDGIF_MODE_OFF for the watchdog mode. When enabled,
the watchdog device can be deactivated.
Note: On the same hardware platform, the watchdog cannot
be deactivated once it has been activated.
true: WDGIF_MODE_OFF is allowed.
false: WDGIF_MODE_OFF is disallowed.
Parameter Name
WdgMVersionInfoApi
Parameter Name
WDGM_VERSION_INFO_API
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 41
Type
Boolean
Range
false/true
Compatibility
AUTOSAR 4.0 r1
Description
This preprocessor switch enables/disables  the  API function
92
WdgM_GetVersionInfo()
.
Note: WdgM_GetVersionInfo() is a macro.
true: Version API is enabled.
false: Version API is disabled.
Parameter Name
WdgMDefensiveBehavior
Parameter Name
WDGM_DEFENSIVE_BEHAVIOR
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR 4.0 r1
Description
This  preprocessor  switch  enables/disables  the  defensive
behavior of the Watchdog Manager module.
WdgM_SetMode() 76  checks  whether  the  caller  is
authorized.
85
WdgM_MainFunction()
checks if  the  S-WdgM  has
been initialized.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 42
Parameter Name
WdgMUseRte
Parameter Name
WDGM_USE_RTE
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
TTTech
Description
This  preprocessor  switch instructs  the  S-WdgM  to  use  the
defines  and  typedefs  generated  by  the  RTE.  The  RTE-
generated defines and typedefs save S-WdgM configuration
RAM.
Note:  Section  S-WdgM  Type  Definitions 73  covers  the
types and defines that can be imported from the RTE.
true:  The S-WdgM  uses  the  RTE-generated  defines  and
typedefs.
false: The S-WdgM uses its own defines and typedefs.
Parameter Name
WdgMDemSupervisionReport
Parameter Name
WDGM_DEM_SUPERVISION_REPORT
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 43
Compatibility
AUTOSAR 4.0 r1
(renamed from WdgMDemAliveSupervisionReport)
Description
This preprocessor switch enables/disables the call to DEM if
the
S-WdgM
has
reached
the
state

WDGM_GLOBAL_STATE_STOPPED.
true: The DEM call is performed.
false: The DEM call is not performed.
Parameter Name
WdgMUseOsSuspendInterrupt
Parameter Name
WDGM_USE_OS_SUSPEND_INTERRUPT
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR 4.0 r1
Description
This preprocessor switch controls how interrupts are
suspended and resumed within the S-WdgM.
true:
For AUTOSAR 3.1 (WDGM_AUTOSAR_4_x is
STD_OFF), the S-WdgM uses
- function SchM_Enter_WdgM() to suspend
interrupts,
- function SchM_Exit_WdgM() to resume
interrupts.
For AUTOSAR 4.0 (WDGM_AUTOSAR_4_x is
STD_ON), the S-WdgM uses
- function
SchM_Enter_WdgM_WDGM_EXCLUSIVE_AREA
_0() to suspend interrupts,
- function
SchM_Exit_WdgM_WDGM_EXCLUSIVE_AREA_
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 44
0() to resume interrupts.
false:
The user must define
- function GlobalSuspendInterrupts() to
suspend interrupts,
- function GlobalRestoreInterrupts() to
resume interrupts.
Parameter Name
WdgMTimebaseSource
Parameter Name
WDGM_TIMEBASE_SOURCE
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
integer
Range
WDGM_EXTERNAL_TICK
WDGM_INTERNAL_SOFTWARE_TICK
WDGM_INTERNAL_HARDWARE_TICK
Compatibility
TTTech
Description
This  preprocessor  switch  defines  the  source  for  the  S-
WdgM Tick.
Note:
The  precision  of  the  transition  deadline  measurement  is
based on this Tick.
When  the  deadline  measurement  is  not  used,  the  S-
WdgM Tick counter is internally not  used,  and  it  need  not
be incremented.  In this  case,  to  save  run-time  resources,
the  parameter  WdgMTimebaseSource  should  be  set
to WdgMInternalSoftwareTick, which is  the  default
value. See also parameter WdgMTicksPerSecond .
The parameters:
WDGM_EXTERNAL_TICK:
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 45
An  external  clock  source  (through  the  API  function
87
WdgM_UpdateTickCount()
).  The  S-WdgM  tick
counter is incremented every time this function is called by
the system.
WDGM_INTERNAL_SOFTWARE_TICK:
The  S-WdgM  Tick  Counter  is  incremented  every  time
85
WdgM_MainFunction()
is called.
WDGM_INTERNAL_HARDWARE_TICK:
The  Tick  source  is  the  MCU  hardware  counter.  The
frequency  of  the  MCU  hardware  counter  is  given  by  the
parameter  WdgMTicksPerSecond.  The  tick  is  queried
by the S-WdgM through the S-WdgIf API.
Note:  Not all hardware platforms support  this  feature.  For
details, refer to the S-Wdg Driver documentation.
Parameter Name
WdgMSecondResetPath
Parameter Name
WDGM_SECOND_RESET_PATH
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
TTTech
Description
This preprocessor switch allows an MCU reset if a WD
command (trigger or reset) fails. This second reset path is
performed by calling Appl_Mcu_PerformReset().
Note:
Appl_Mcu_PerformReset()
itself
calls
Mcu_PerformReset(), which triggers the reset.
true: The MCU is reset with Appl_Mcu_PerformReset
() when the primary reset path signals an error.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 46
false: The MCU is not reset.
Parameter Name
WdgMTickOverrunCorrection
Parameter Name
WDGM_TICK_OVERRUN_CORRECTION
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
TTTech
Description
This  preprocessor  switch  enables/disables  the  32-bit  S-
WdgM Tick Counter overflow detection and correction.
true: The Tick counter overflow is corrected.
false: The Tick counter overflow is not corrected.
Note:  Depending  on  the  frequency  with  which  the  Tick
Counter is incremented, the counter can overflow or not. See
parameter  WdgMTimebaseSource 44
for
additional
information.
The  Tick  Counter  overflow detection and  correction  is  only
used
when
WDGM_TIMEBASE_SOURCE
=
WDGM_EXTERNAL_TICK.
If not set to true, the check of the tick counter for jumps and
jitter may be incorrect.
The parameter must be set to true when the  external Tick
source is used and the Tick counter (32bit) can overflow.
Example: The tick counter is incremented every millisecond.
Then the overflow happens after 49 days.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 47
Parameter Name
WdgMEntityDeactivationEnabled
Parameter Name
WDGM_ENTITY_DEACTIVATION_ENABLED
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
TTTech
Description
This  preprocessor  switch  enables  entity  deactivation.  This
functionality  is  not  specified  in  AUTOSAR  4.0  r1  and  can
violate  system  safety  (see  the   S afe  W atchdog  M anager
Safety
Manual
[5] 128,
parts

WdgM_DeactivateSupervisionEntity() 81
and
82
WdgM_ActivateSupervisionEntity()
).
See
also
parameter

WdgMEnableEntityDeactivation 61 .
true: An entity can be deactivated.
false: An entity cannot be deactivated.
The default value is false.
Parameter Name
WdgMStateChangeNotification
Parameter Name
WDGM_STATE_CHANGE_NOTIFICATION
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
Preprocessor
Type
Boolean
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 48
Range
false/true
Compatibility
TTTech
Description
This  preprocessor  switch  enables  local  and  global  state
change  callback  notifications.  There  are  different  callbacks
for local and global state notifications.
true: Any local or global state change invokes a callback.
false:  No  callbacks  are  performed.  See  also  the
parameters

49
WdgMGlobalStateChangeCbk
and
WdgMLocalStateChangeCbk 63 .
Parameter Name
WdgMCallerId
Path
WdgM/WdgMGeneral/WdgMCallerIds/
Group
General
Type
Integer
Range
0...65535
Compatibility
AUTOSAR 4.0 r1
Description
This parameter defines one valid CallerId for the callers that
have permission to call the function WdgM_SetMode().
Parameter Name
WdgMFirstCycleAliveCounterReset
Parameter Name
WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET
(Embedded Code)
Path
WdgM/WdgMGeneral/
Group
General
Type
Boolean
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 49
Range
false/true
Compatibility
TTTech
Description
This parameter  decides  if  the  Alive  counters  are  evaluated
in the first supervision cycle.
true:  The  Alive  counters  are  not  evaluated  in  the  first
supervision cycle
false:  The  Alive  counters  are  evaluated  in  the  first
supervision cycle
2.5.2
S-WdgM General Settings
Parameter Name
WdgMGlobalStateChangeCbk
Path
WdgM/WdgMGeneral/
Group
General
Type
Reference
Compatibility
TTTech
Description
This is the parameter for a callback function for notifying the
system  of  the  S-WdgM  global  state  change.  The  S-WdgM
has  only  one  callback  function  for  the  global  state.  In  a
safety-relevant environment, the callback function can cause
safety degradation. For details, refer to the  Safe  Watchdog
Manager Safety Manual [5] 128.
Parameter Name
WdgMGlobalMemoryAppTaskRef
Path
WdgM/WdgMConfigSet/WdgMMode/
Group
General
Type
Reference
Multiplicity
0, 1
Compatibility
TTTech
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 50
Description
This is the parameter for a reference to an OS application or
task where the S-WdgM is running.
Note: When OS SC3 (OS with memory protection) is used,
the global variables of the S-WdgM should be placed in the
same  memory  segment  where  the  S-WdgM  context  is
running.
Example:  The  application  name  is  incorporated  into  the
corresponding
MemMap
defines
in
the
file

WdgM_MemMap.h  in  an  AUTOSAR  3.1  environment  or
WdgM_OSMemMap.h in an AUTOSAR 4.0 environment.
Parameter Name
WdgMModeId
Path
WdgM/WdgMConfigSet/WdgMMode/
Group
General
Type
Integer
Range
0...255
Compatibility
AUTOSAR 4.0 r1 / TTTech
Description
This is the parameter for the S-WdgM mode. The S-WdgM,
in contrast  to  the  AUTOSAR  WdgM,  uses  only  one  mode.
This parameter is kept for compatibility reasons only,  and  it
is not used by the S-WdgM.
Parameter Name
WdgMInitialTriggerModeId
Path
WdgM/WdgMConfigSet/WdgMMode/
Group
General
Type
Integer
Range
0...255
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 51
Compatibility
TTTech
Description
This  is  the  parameter  for  the  S-WdgM  initial  trigger  mode.
The  S-WdgM  trigger  mode  is  a  restricted  version  of  the
AUTOSAR mode. It only sets the fields:
WdgMTriggerConditionValue
WdgMTriggerWindowStart
WdgMWatchdogMode
When  more  than  one  Watchdog  device  is  used,  then  this
parameter addresses the first Watchdog only.
For details, refer to the function WdgM_SetMode().
Parameter
Name WdgMTriggerModeId
(ECU)
Path (ECU)
WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group
Watchdog trigger
Type
Integer
Range
0...254
Compatibility
TTTech
Description
This  parameter  contains  a  unique  identifier  of  the  trigger
mode.
Parameter Name
WdgMTicksPerSecond
Path
WdgM/WdgMConfigSet/WdgMMode/
Group
General
Type
Float
Unit
Hz
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 52
Compatibility
TTTech
Description
This parameter defines the number of S-WdgM Ticks per
second. It is the rate by which the S-WdgM Tick Counter is
incremented. This parameter is used in two ways:
1. The system environment that periodically calls the
function WdgM_UpdateTickCount() for deadline
monitoring.
See
also
parameter
WdgMTimebaseSource.
2. The S-WdgM Configuration Generator that calculates min
and max parameters for the transition deadlines.
Note:
When
the
S-WdgM
Tick
source
is
WDGM_INTERNAL_SOFTWARE_TICK, then the following
relation must be obeyed:
(1 / WdgMTicksPerSecond [Hz])
= WdgMSupervisionCycle [s]
For
the
Tick
sources
WDGM_INTERNAL_HARDWARE_TICK
and
WDGM_EXTERNAL_TICK, the following relation must be
obeyed:
(1 / WdgMTicksPerSecond [Hz])
<= WdgMSupervisionCycle [s]
The parameter WdgMTicksPerSecond must not be
zero.
Parameter Name
WdgMSupervisionCycle
Path
WdgM/WdgMConfigSet/WdgMMode/
Group
General
Type
Float
Range
0 < WdgMSupervisionCycle
Unit
second
Compatibility
AUTOSAR 4.0 r1
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 53
Description
This  parameter  defines  the  schedule  period  of  the  main
function, WdgM_MainFunction(). It is the time period in
which the S-WdgM performs cyclic supervision, and also the
watchdog trigger period. The parameter is important for  the
system that calls the function WdgM_MainFunction().
Parameter Name
WdgMExpiredSupervisionCycleTol
Path
WdgM/WdgMConfigSet/WdgMMode/
Group
General
Type
Integer
Range
0...65535
Compatibility
AUTOSAR 4.0 r1
Description
This parameter defines a further delay of the violation
escalation to the Watchdog after the S-WdgM reached the
status WDGM_LOCAL_STATUS_EXPIRED (in numbers of
supervision cycles).
Parameter Name
WdgMGlobalCheckpointFinalRef
Path
WdgM/WdgMConfigSet/WdgMMode/
WdgMProgramFlowSupervision/
Group
General
Type
Reference
Multiplicity
0...65535
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  parameter  for  a  reference  to  the  final  global
checkpoint.
Note:  There  might  be  no,  one  or  several  global  end
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 54
checkpoints.
Parameter Name
WdgMGlobalCheckpointInitialRef
Path
WdgM/WdgMConfigSet/WdgMMode/
WdgMProgramFlowSupervision/
Group
General
Type
Reference
Multiplicity
0, 1
Compatibility
AUTOSAR 4.0 r1
Description
This is the parameter for a reference to the global initial
checkpoint.
Note: If global transitions are defined, then exactly one
global initial checkpoint must be defined.
Parameter Name
WdgMWatchdogName
Path
WdgM/WdgMGeneral/WdgMWatchdog/
Group
Watchdog device
Type
String
Range
N/A
Compatibility
AUTOSAR 4.0 r1
Description
This parameter is a symbolic name of the Watchdog. It is
used as a comment only.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 55
Parameter Name
WdgIfDeviceRef
Path
WdgM/WdgMGeneral/WdgMWatchdog/
Group
Watchdog device
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This is the parameter  for  a  reference  to  a  device  container
(WdgIfDevice)  of  the  S-WdgIf.  This  container  contains
data  and  a  reference  that  represents  the  connection of  the
S-WdgM to the Watchdog device through the S-WdgIf.
Parameter Name
WdgMWatchdogMode
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group
Watchdog trigger
Type
Enumeration
Range
WDGIF_FAST_MODE
WDGIF_OFF_MODE
WDGIF_SLOW_MODE
Compatibility
AUTOSAR 4.0 r1
Description
This parameter contains the watchdog mode for a
referenced watchdog in the S-WdgM.
Implementation type: WdgIf_ModeType.
Note:  Not  all  hardware  platforms  support  all  watchdog
modes.  For  details,  see  the  User  Manual of  the  respective
S-Wdg Driver.
Note: Do not confuse this parameter with the S-WdgM
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 56
Trigger Mode (WdgMModeID 50 ).
Parameter Name
WdgMTriggerConditionValue
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group
Watchdog trigger
Type
Integer
Range
1...65535
Unit
ms
Compatibility
AUTOSAR 4.0 r1
Description
This  parameter  defines  the  latest  possible  time  where  the
next watchdog trigger is accepted (window end).
Note:  Not  all  hardware  platforms  allow  changing  this
parameter during runtime. For details, see the  User  Manual
of the respective S-Wdg Driver.
Parameter Name
WdgMTriggerWindowStart
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group
Watchdog trigger
Type
Integer
Range
0...65535
Unit
ms
Compatibility
TTTech
Description
This parameter defines the earliest time after which the next
watchdog trigger is accepted (window start).
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 57
Note:  Not  all  hardware  platforms  allow  changing  this
parameter  during  runtime.  On  some  platforms,  this
parameter is not avaliable or set to zero. For details, see the
User Manual of the respective S-Wdg Driver.
Parameter Name
WdgMTriggerWatchdogRef
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group
Watchdog trigger
Type
Reference
Multiplicity
0...255
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  parameter  for  a  reference  to  the  configured
watchdog.
2.5.3
S-WdgM Supervised Entity Options
Parameter Name
WdgMFailedSupervisionRefCycleTol
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group
Supervised entity
Type
Integer
Range
0...65534
Compatibility
AUTOSAR 4.0 r1
Description
This  parameter  contains  the  acceptable  number  of  failed
alive  indications  for  this  supervised  entity  in  a  row  (i.e.,  at
least one violation per supervision reference cycle in a row).
Note:  This parameter should be set to 0  if  no  alive  counter
is configured for this supervised entity, because nothing can
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 58
be  tolerated.  If  there  is  an  alive  counter  in  this  supervised
entity,  then  the  parameter  can  be  0  (no  alive  counter
violations tolerated) or positive.
Parameter Name
WdgMSupervisedEntityInitialMode
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group
Supervised entity
Type
Enumeration
Range
WDGM_LOCAL_STATUS_DEACTIVATED,
WDGM_LOCAL_STATUS_OK,
WDGM_LOCAL_STATUS_FAILED
Compatibility
TTTech
Description
This  is  the  initial  local  monitoring  status  of  the  supervised
entity.
Parameter Name
WdgMFailedDeadlineRefCycleTol
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group
Supervised entity
Type
Integer
Range
0...65534
Compatibility
TTTech
Description
This parameter contains  the  acceptable  number  of  violated
deadlines for this supervised entity in a row (i.e., at least one
violation per WdgMDeadlineReferenceCycle in a row).
Note:  If  a  positive  tolerance  for  deadline  violations  is
entered, then the user must enter a positive  reference  cycle
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 59
for  the  violations  (WdgMDeadlineReferenceCycle),
because  the  tolerance  is  defined  in  terms  of  reference
cycles. The tolerance can also  be  0.  In this  case  a  positive
reference cycle would make no sense,  because  there  is  no
reference cycle if no violations are tolerated.
Parameter Name
WdgMDeadlineReferenceCycle
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group
Supervised entity
Type
Integer
Range
0...65535
Compatibility
TTTech
Description
This  parameter  contains  the  number  of  supervision  cycles
that  define  a  cycle  for  the  deadline  monitoring  of  this
supervised entity.
Note:
If
the
deadline
reference
cycle
tolerance
(WdgMFailedDeadlineRefCycleTol) is set  to  0,  then
this  parameter  must  be  0  as  well.  This  is  because  the  first
detected  violation  would  cause  the  supervised  entity  to
change its status  to  EXPIRED  and  then no  reference  cycle
could  exist.  If  the  deadline  reference  cycle  tolerance  is
positive,  then  this  parameter  must  be  positive  as  well,
because the tolerance is defined  as  a  number  of  reference
cycles which cannot be of zero duration.
Parameter Name
WdgMFailedProgramFlowRefCycleTol
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group
Supervised entity
Type
Integer
Range
0...65534
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 60
Compatibility
TTTech
Description
This parameter contains the acceptable number of program
flow violations for this supervised entity in a row (i.e., at least
one  violation  per  WdgMProgramFlowReferenceCycle
in a row).
Note:  If  a  positive  tolerance  for  program  flow  violations  is
entered, then the user must enter a positive  reference  cycle
for
the
violations
(WdgMProgramFlowReferenceCycle),  because  the
tolerance  is  defined  in  terms  of  reference  cycles.  The
tolerance  can  also  be  0.  In  this  case  a  positive  reference
cycle would make no sense, because  there  is  no  reference
cycle if no violations are tolerated.
Parameter Name
WdgMProgramFlowReferenceCycle
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group
Supervised entity
Type
Integer
Range
0...65535
Compatibility
TTTech
Description
This  parameter  contains  the  number  of  supervision  cycles
that  define  a  cycle  for  the  program  flow monitoring  of  this
supervised entity.
Note:  If  the  program  flow  reference  cycle  tolerance
(WdgMFailedProgramFlowRefCycleTol)  is  set  to  0,
then this parameter must be  0  as  well.  This  is  because  the
first detected violation would  cause  the  supervised  entity to
change its status  to  EXPIRED  and  then no  reference  cycle
could  exist.  If  the  deadline  reference  cycle  tolerance  is
positive,  then  this  parameter  must  be  positive  as  well,
because  tolerance  is  defined  as  a  number  of  reference
cycles which cannot be of zero duration.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 61
Parameter Name
WdgMLocalStatusSupervisedEntityRef
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group
Supervised entity
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This is the parameter for a reference to the supervised entity
for which the parameters of this container are set.
Parameter Name
WdgMSupervisedEntityId
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group
Supervised entity
Type
Integer
Range
0...65534
Compatibility
AUTOSAR 4.0 r1
Description
This parameter contains the identifier of the supervised
entity for which the parameters of this container are set.
Parameter Name
WdgMEnableEntityDeactivation
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group
Supervised entity
Type
Boolean
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 62
Range
false/true
Compatibility
TTTech
Description
This  parameter  enables  the  deactivation  and  activation  of
this  supervised  entity.  See  also  the  preprocessor  switch
47
WdgMEntityDeactivationEnabled
.
This functionality is not specified in AUTOSAR 4.0 r1 and
can violate system safety (see the Safe Watchdog Manager
Safety Manual [5] 128, parts
WdgM_DeactivateSupervisionEntity() and
WdgM_ActivateSupervisionEntity()).
true:  Supervised  entity  deactivation  and  activation  is
enabled.
- For
activation,
function
WdgM_ActivateSupervisionEntity() 82  must
be used.
- For
deactivation,
function
WdgM_DeactivateSupervisionEntity() 81
must be used
false:  Entity  deactivation  and  activation  for  this
supervised entity is disabled.
Parameter Name
WdgMSupportedAutosarAPI
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group
Supervised entity
Type
Enumeration
Range
API_4_0
API_3_1
Compatibility
TTTech
Description
This parameter defines the S-WdgM API compatibility.
API_4_0: The AUTOSAR 4.0 r1 API is selected.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 63
API_3_1: The AUTOSAR 3.1 API is selected.
The system can be either AUTOSAR4.0 r1 or AUTOSAR
3.1. Mixed variants are not allowed. When one supervised
entity in a system is AUTOSAR 3.1 then all the other
supervised entities must be AUTOSAR 3.1 as well.  For
details, refer to Section AUTOSAR 3.1 Compatibility 90 .
Parameter Name
WdgMLocalStateChangeCbk
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group
Supervised entity
Type
Function name
Multiplicity
0, 1
Compatibility
AUTOSAR 4.0 r1
Description
This is the parameter for a  callback  function used  to  inform
about a local state change of a supervised entity.
The S-WdgM has one callback function for every supervised
entity.
Note:  In a safety-relevant environment, the callback function
can  cause  safety  degradation.  For  details,  see  the  Safe
Watchdog Manager Safety Manual [5] 128.
Parameter Name
WdgMLocalCheckpointFinalRef
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group
Supervised entity
Type
Reference
Multiplicity
0...65535
Compatibility
AUTOSAR 4.0 r1
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 64
Description
This  is  the  reference  to  an  end  checkpoint  for  this
supervised entity.
Parameter Name
WdgMLocalCheckpointInitialRef
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group
Supervised entity
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  reference  to  the  initial  checkpoint  for  this
supervised entity.
Parameter Name
WdgMAppTaskRef
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group
Supervised entity
Type
Reference
Multiplicity
0, 1
Compatibility
TTTech
Description
This is the reference to an OS application (task) to which this
supervised entity belongs. In case of OS SC3, the local data
of the supervised entity must be placed in the same memory
segment  as  the  application (task)  of  which  this  supervised
entity is a part.
The  S-WdgM  Configuration  Generator 102  enables  memory
mapping of the supervised entity local data so that it can be
put  into  the  memory  segment  of  the  referred  task  or
application (task) using memory mapping.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 65
2.5.4
S-WdgM Checkpoint Options
Parameter Name
WdgMCheckpointId
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
WdgMCheckpoint/
Group
Checkpoint
Type
Integer
Range
0...65534
Compatibility
AUTOSAR 4.0 r1
Description
This parameter contains the identifier of the checkpoint that
is unique over the supervised entity.
2.5.5
Alive Counter Options
Parameter Name
WdgMExpectedAliveIndications
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group
Alive counter
Type
Integer
Range
0...65535
Compatibility
AUTOSAR 4.0 r1
Description
This parameter contains the number of expected alive
indications within a supervision reference cycle, according
to the corresponding supervised entity.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 66
Parameter Name
WdgMMaxMargin
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group
Alive counter
Type
Integer
Range
0...65535
Compatibility
AUTOSAR 4.0 r1
Description
This parameter contains the number of alive indications that
are acceptable in addition to the expected indications
(WdgMExpectedAliveIndications)
within
the
corresponding supervision reference cycle.
Parameter Name
WdgMMinMargin
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group
Alive counter
Type
Integer
Range
0...65535
Compatibility
AUTOSAR 4.0 r1
Description
This parameter contains the number of alive indications that
are acceptable to be missing from the expected indications
(WdgMExpectedAliveIndications)
within
the
corresponding supervision reference cycle.
Parameter Name
WdgMSupervisionReferenceCycle
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 67
Group
Alive counter
Type
Integer
Range
1...65535
Compatibility
AUTOSAR 4.0 r1
Description
This  parameter  defines  the  supervision  reference  cycle
length
as
a
number
of
supervision
cycles
(WdgMSupervisionCycle).
Parameter Name
WdgMAliveSupervisionCheckpointRef
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group
Alive counter
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  parameter  for  a  reference  to  the  checkpoint  for
which this alive supervision  is configured.
2.5.6
S-WdgM Local Transition Options
Parameter Name
WdgMLocalTransitionDestRef
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
WdgMLocalTransition/
Group
Local transition
Type
Reference
Multiplicity
1
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 68
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  parameter  for  a  reference  to  the  destination
checkpoint of a local transition within this supervised entity.
Parameter Name
WdgMLocalTransitionSourceRef
Path
WdgM/WdgMGeneral/WdgMSupervisedEntity/
WdgMLocalTransition/
Group
Local transition
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  parameter  for  a  reference  to  the  source
checkpoint of a local transition within this supervised entity.
2.5.7
S-WdgM Global Transition Options
Parameter Name
WdgMGlobalTransitionDestRef
Path
WdgM/WdgMConfigSet/WdgMMode/
WdgMProgramFlowSupervision
/WdgMGlobalTransition/
Group
Global transition
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  parameter  for  a  reference  to  the  destination
checkpoint of a global transition.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 69
Parameter Name
WdgMGlobalTransitionSourceRef
Path
WdgM/WdgMConfigSet/WdgMMode/
WdgMProgramFlowSupervision
/WdgMGlobalTransition/
Group
Global transition
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This is the parameter for a reference to the source
checkpoint of a global transition.
2.5.8
S-WdgM Local and Global Deadline Options
Parameter Name
WdgMDeadlineMax
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Group
Local or global deadline
Type
Float
Range
0.0...((1/WdgMTicksPerSecond)
*
65535)
seconds
Compatibility
AUTOSAR 4.0 r1
Description
This parameter contains the longest time span after which
the deadline is still considered to be met.
Note: The time span is counted from the point in time when
the source checkpoint of the transition is reached.
Parameter Name
WdgMDeadlineMin
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 70
Group
Local or global deadline
Type
Float
Range
0.0...((1/WdgMTicksPerSecond)
*
65535)
seconds
Compatibility
AUTOSAR 4.0 r1
Description
This parameter  contains  the  shortest  time  span after  which
the deadline is considered to be met.
Note: The time span is counted from the point in time when
the source checkpoint of the transition is reached.
Parameter Name
WdgMDeadlineStartRef
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Group
Local or global deadline
Type
Reference
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This  is  the  parameter  for  a  reference  to  the  source
checkpoint for deadline monitoring.
Note:  The  start  and  stop  references  of  a  deadline  must
match an existing local or global transition.
Parameter Name
WdgMDeadlineStopRef
Path
WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Group
Local or global deadline
Type
Reference
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 71
Multiplicity
1
Compatibility
AUTOSAR 4.0 r1
Description
This is the parameter for a reference to the destination
checkpoint for deadline monitoring.
Note: The start and stop references of a deadline must
match an existing local or global transition.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 72
2.6
ECU Description Configuration
2.6.1
Assumptions/Constraints
There  is  a  WdgMTrigger  element  for  every  WdgMWatchdog  element;  i.e.,  the
former
WdgMTriggerWatchdogRef
always
"points"
to
an
existing
WdgMWatchdog element.
For the purpose of navigating within the  ECU description file,  we  assume  that  every
referenced element is identified by its SHORT-NAME element.
Example:  A  WdgMTrigger  element  WdgMTriggerWatchdogRef  attribute  is  a
reference  to  a  WdgMWatchdog  SHORT-NAME  element  and  not  to  its
WdgMWatchdogName element.
We  expect  the  Checkpoint  IDs  to  create  a  zero-based,  monotonically  increasing
sequence of integers with no gaps.
We  expect  that  every  WdgMMode  element  has  a
maximum  of  one
WdgMProgramFlowSupervision  subelement,  which  in  turn  has  exactly  one
WdgMGlobalCheckpointInitialRef subelement.
We
expect
that
the
WdgMSupervisedEntityId
attribute
of
all
SupervisedEntity  instances  in  one  ECU  description  file  builds  a  zero-based,
monotonically increasing  sequence  of  integers  with no  gaps.  This  is  a  requirement
because the embedded code uses the Entity ID  as  an array index when accessing
WdgMSupervisedEntity.
The  ECU description files  to  be  used  for  configuring  the  Watchdog  Manager  must
belong to the XML namespace "http://autosar.org/3.1.4".
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 73
2.7
API Description
The S-WdgM software module is the top level layer of the Safe Watchdog Manager
Stack.  The  S-WdgM  software  module  contains  the  core  functionality  with  supervised
entity  state  machines  and  calculation  of  the  S-WdgM  global  state.  The  S-WdgM
communicates on one side through its user API with the Application Layer (optionally
using RTE) and through its system API with the Basic Software Components (BSW)
and, on the other side, with the S-WdgIf layer.
2.7.1
S-WdgM Type Definitions
This Section describes the types of parameters passed to the API functions of the S-
WdgM.
Name
WdgM_ConfigType
Type
Structure
Range
N/A
Description
This is the type for the S-WdgM configuration structure. This
structure  is  generated  by  the  S-WdgM  Configuration
Generator 102.
Name
WdgM_SupervisedEntityIdType
Type
uint16
Range
0...65534
Description
This  is  the  type  for  an  individual  supervised  entity  for  the
Safe Watchdog Manager.
Note:  If configuration parameter  WDGM_USE_RTE  is  set  to
STD_ON,  then  this  type  is  imported,  otherwise  it  is
generated.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 74
Name
WdgM_CheckpointIdType
Type
uint16
Range
0...65534
Description
This  is  the  type  for  a  checkpoint  in  the  context  of  a
supervised entity for the S-WdgM.
Note:  If configuration parameter  WDGM_USE_RTE  is  set  to
STD_ON,  then  this  type  is  imported,  otherwise  it  is
generated..
Name
WdgM_ModeType
Type
uint8
Range
0...255
Description
This  is  the  type  for  the  ID  of  a  trigger  mode  that  was
configured for the S-WgM. The current trigger mode can be
retrieved with WdgM_GetMode().
Note:  If configuration parameter  WDGM_USE_RTE  is  set  to
STD_ON,  then  this  type  is  imported,  otherwise  it  is
generated..
Name
WdgM_LocalStatusType
Type
uint8
Range
WDGM_LOCAL_STATUS_OK = 0
WDGM_LOCAL_STATUS_FAILED = 1
WDGM_LOCAL_STATUS_EXPIRED = 2
WDGM_LOCAL_STATUS_DEACTIVATED = 4
Description
This is the type for the local monitoring state of a supervised
entity."The current local state of a supervised entity can be
retrieved with WdgM_GetLocalStatus().
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 75
Note: If configuration parameter WDGM_USE_RTE is set to
STD_ON, then this type is imported, otherwise it is
generated..
Name
WdgM_GlobalStatusType
Type
uint8
Range
WDGM_GLOBAL_STATUS_OK = 0,
WDGM_GLOBAL_STATUS_FAILED = 1,
WDGM_GLOBAL_STATUS_EXPIRED = 2,
WDGM_GLOBAL_STATUS_STOPPED = 3,
WDGM_GLOBAL_STATUS_DEACTIVATED = 4
Description
This is the type for the global monitoring state. It summarizes
the local states of all supervised entities. The  current  global
state can be retrieved with WdgM_GetGlobalStatus().
Note: If  configuration parameter  WDGM_USE_RTE  is  set  to
STD_ON,  then  this  type  is  imported,  otherwise  it  is
generated..
Name
WdgM_TimeBaseTickType
Type
uint32
Range
0...232-1
Description
This is the type for the Timebase Tick.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 76
Name
Std_VersionInfoType
Type
Structure
Range
N/A
Description
This is the parameter type of function
92
WdgM_GetVersionInfo()
.
2.7.2
S-WdgM Application Level API Functions
This Section describes the S-WdgM  API  functions  that  are  imported  or  provided  by
the S-WdgM software module.
Syntax
Std_ReturnType WdgM_SetMode
(WdgM_ModeType Mode, uint16 CallerID)
Service ID[hex]
0x03
Sync/Async
Synchronous
Reentrant?
Yes
Parameters (in)
Mode: The ID  of the Trigger Mode to which the S-WdgM must be
set.
CallerID:  ID  of  the  caller  allowed  to  call  the  function
WdgM_SetMode().  The  allowed  caller  is  defined  in  the
configuration.
The
caller
ID
is
checked
if
WdgMDefensiveBehavior is true.
Parameters  (in/ None
out)
Parameters (out) None
Return value
Std_ReturnType:
E_OK: The new Trigger Mode has been successfully set.
E_NOT_OK: The setting of the new Trigger Mode failed.
Compatibility
AUTOSAR 4.0 r1 / TTTech
Description
This  functions  sets  the  Trigger  Mode  of  the  S-WdgM.  The  S-
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 77
WdgM  Trigger  Mode  is  a  set  of  Watchdog  trigger  times  and
Watchdog  mode.  The  S-WdgM  can  have  one  or  more  Trigger
Modes  for  every watchdog.  In contrast  to  AUTOSAR,  where  the
Mode  represents  a  set  of  entities  with  all  entity-specific
parameters,  the  S-WdgM  Trigger  Mode  only  sets  the  following
parameters:
WdgMTriggerConditionValue
WdgMTriggerWindowStart
WdgMWatchdogMode
Note: A change to trigger mode with ID Mode sets all
configured watchdogs to the trigger mode with ID Mode. As a
consequence, all watchdogs must have configured the same
number of Trigger Modes.
This  function can be  used  to  increase  the  S-WdgM  supervision
cycle in an MCU sleep mode.
Syntax
Std_ReturnType
WdgM_GetMode(WdgM_ModeType*
Mode)
Service ID[hex]
0x0b
Sync/Async
Synchronous
Reentrant?
Yes
Parameters (in)
None
Parameters  (in/ None
out)
Parameters (out) Mode:  Pointer  to  the  current  Trigger  Mode  ID  of  the  Watchdog
Manager
Return value
Std_ReturnType:
E_OK: Current Trigger Mode successfully returned.
E_NOT_OK: Returning current Trigger Mode failed.
Compatibility
AUTOSAR 4.0 r1/TTTech
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 78
Description
Returns  the  current  Trigger  Mode  of  the  S-WdgM.  The  S-WdgM
Trigger  Mode  represents  one  Watchdog  trigger  time  and  mode
setting.
Syntax
Std_ReturnType WdgM_CheckpointReached
(WdgM_SupervisedEntityIdType SEID,
WdgM_CheckpointIdType CheckpointID)
Service ID[hex]
0x0e
Sync/Async
Synchronous
Reentrant?
Yes, reentrant in the context of a different supervised entity.
Parameters (in)
SEID:  Identifier  of  the  supervised  entity  that  reports  a
checkpoint.
CheckpointID:  Identifier  of  the  checkpoint  within  a
supervised entity that has been reached.
Parameters  (in/ None
out)
Parameters (out) None
Return value
Std_ReturnType:
E_OK: Checkpoint monitoring successful.
E_NOT_OK:  Checkpoint  monitoring  fault.  Returned  in  the
following cases
o WDGM_E_NO_INIT:  Uninitialized  S-WdgM  (DET  code
0x10)
o WDGM_E_PARAM_SEID:  Wrong  Id  number  of  the
supervised entity (DET code 0x13)
o WDGM_E_CPID:  Invalid  checkpoint  ID  number  (DET  code
0x16)
o WDGM_E_PARAM_STATE:  Invalid  S-WdgM  state.  Reset
will be invoked (DET code 0x29).
Compatibility
AUTOSAR 4.0 r1
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 79
Description
Indicates  to  the  S-WdgM  that  a  checkpoint  within  a  supervised
entity has been reached.
Syntax
Std_ReturnType WdgM_GetLocalStatus
(WdgM_SupervisedEntityIdType SEID,
WdgM_LocalStatusType* Status)
Service ID[hex]
0x0c
Sync/Async
Synchronous
Reentrant?
Yes
Parameters (in)
SEID:  Identifier  of  the  supervised  entity whose  monitoring  state
is returned.
Parameters  (in/ None
out)
Parameters (out) Status:  Pointer  to  the  local  monitoring  state  of  the  given
supervised entity.
Return value
Std_ReturnType:
E_OK: Current monitoring state successfully returned.
E_NOT_OK: Returning the current monitoring state failed.
Compatibility
AUTOSAR 4.0 r1
Description
Returns the monitoring state of the given supervised entity.
Note:  The  S-WdgM  updates  the
state
inside
the

WdgM_MainFunction() every supervision cycle.
Syntax
Std_ReturnType WdgM_GetGlobalStatus
(WdgM_GlobalStatusType* Status)
Service ID[hex]
0x0d
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 80
Sync/Async
Synchronous
Reentrant?
Yes
Parameters (in)
None
Parameters  (in/ None
out)
Parameters (out) Status: Pointer to global monitoring state of the S-WdgM.
Return value
Std_ReturnType:
E_OK: Current global monitoring state successfully returned.
E_NOT_OK: Watchdog reset failed.
Compatibility
AUTOSAR 4.0 r1
Description
Returns the global monitoring state of the S-WdgM.
Note:
The
S-WdgM
updates
the
state
inside
the
WdgM_MainFunction() every supervision cycle.
Syntax
Std_ReturnType WdgM_PerformReset(void)
Service ID[hex]
0x0f
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
None
Parameters  (in/ None
out)
Parameters (out) None
Return value
Std_ReturnType:
E_OK:  This  value  will  not  be  returned  because  the  reset  is
activated, and the routine does not return.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 81
E_NOT_OK: The function has failed.
Compatibility
AUTOSAR 4.0 r1
Description
Instructs the S-WdgM to cause an immediate watchdog reset.
Note:
This  function is  hardware-dependent.  Some  watchdogs  do  not
support  an  immediate  reset.  Check  the  S-Wdg  Driver
documentation.
This  function  can  may  direct  access  to  hardware  registers.
Access  to  hardware  registers  can be  dependent  on  hardware
platforms and software architectures. Hence, the application that
calls  WdgM_PerformReset()  must  have  the  corresponding
access rights.
Syntax
Std_ReturnType
WdgM_DeactivateSupervisionEntity
(WdgM_SupervisedEntityIdType SEID)
Re-entrant?
Yes
Parameters (in)
SEID:  ID  of  the  supervised  entity  to  be  deactivated.  Range
[0...N]
Parameters  (in/ None
out)
Parameters (out) None
Return value
Std_ReturnType:
E_OK:  Marking  the  supervised  entity  for  deactivation  was
successful.
E_NOT_OK:  Marking  the  supervised  entity  for  deactivation
failed.
Compatibility
TTTech, AUTOSAR 3.1
Note: Defined in the AUTOSAR 3.1 specification. This function is
no longer available in the AUTOSAR 4.0 r1 specification.
Description
The function marks an entity for deactivation. An entity can only be
deactivated when its local state is WDGM_LOCAL_STATUS_OK or
WDGM_LOCAL_STATUS_FAILED.
The
deactivation
itself
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 82
happens  at  the  end  of  the  supervision  cycle  inside  the
WdgM_MainFunction(). When an entity is deactivated then its
checkpoints are not evaluated  anymore  and  the  entity local state
is WDGM_LOCAL_STATUS_DEACTIVATED.
Note:
When an entity is deactivated, the global transitions to this entity
are not evaluated.
Using this function can degrade system safety. The deactivation
of  entity  supervision  in  safety-related  products  needs  special
attention to avoid unintended supervised entity deactivation.
The  function  WdgM_DeactivateSupervisionEntity()
can  deactivate  a  supervised  entity  only  before  its  initial
checkpoint  was  passed  or  after  its  end  checkpoint  was
passed. The focus here is on entities that are spread over more
than one supervision cycles. Note:  The local program flow of  a
supervised  entity  may  span  over  more  than  one  supervision
cycle. Those active entities cannot be deactivated while running.
Deactivating active SEs leads to a DEM error report.
In  the  same  call  of  WdgM_MainFunction(),  first  the
supervised  entity  is  deactivated,  then  the  local  states  of  all
supervised entities and the global state are set.
After  SE  deactivation  the  function  WdgM_GetLocalStatus
() can be used to check the SE local state.
This  function  is  only  available  if  the  preprocessor  switch
WdgMEntityDeactivationEnabled  is set to true  and  if
the entity option
61
WdgMEnableEntityDeactivation
is
set to true.
Syntax
Std_ReturnType WdgM_ActivateSupervisionEntity
(WdgM_SupervisedEntityIdType SEID)
Parameters (in)
SEID: Supervised entity identifier.
Parameters  (in/ None
out)
Parameters (out) None
Return value
Std_ReturnType:
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 83
E_OK:  Marking  the  supervised  entity  for  activation  was
successful.
E_NOT_OK: Marking the supervised entity for activation failed.
Compatibility
TTTech, AUTOSAR 3.1
Note:  Defined in the AUTOSAR 3.1 specification, this function is
no longer available in the AUTOSAR 4.0 r1 specification.
Description
The  function marks  an entity for  activation.  An entity can only be
activated when its local state is WDGM_LOCAL_STATUS_DEACTIVATED.
The  activation itself  happens  at  the  end  of  the  supervision  cycle
inside the WdgM_MainFunction().
Note:
This function can degrade system safety. The activation of entity
supervision in safety-related products needs special attention to
avoid unintended supervised entity deactivation.
In  the  same  call  of  WdgM_MainFunction(),  first  the  local
states of all supervised entities and the global state are set, then
the supervised entity is activated.
After  SE  activation  the  function  WdgM_GetLocalStatus()
can be used to check the SE local state.
This  function  is  only  available  if  the  preprocessor  switch
WdgMEntityDeactivationEnabled  is set to true  and if the entity
option WdgMEnableEntityDeactivation is set to true.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 84
2.7.3
Callback Functions
Global state callback
When  WDGM_STATE_CHANGE_NOTIFICATION  ==  STD_ON  and  the  S-WdgM
global  state  changes,  then  the  callback  routine  defined  by  the  parameter
WdgMGlobalStateChangeCbk 49  is called.
Local state callback
When WDGM_STATE_CHANGE_NOTIFICATION == STD_ON and the local state of a
supervised  entity  changes,  then  the  callback  routine  defined  by  the  parameter
63
WdgMLocalStateChangeCbk
is called.
2.7.4
S-WdgM System Level API Functions
This section describes the function definitions of the S-WdgM system level interface.
The system level interface functions are not  visible  in the  AUTOSAR application layer.
The  system  functions  are  directly  invoked  by  the  BSW  modules.  The  RTE  does  not
generate interfaces for these functions.
Syntax
void
WdgM_Init(const
WdgM_ConfigType*
ConfigPtr)
Service ID[hex]
0x00
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
ConfigPtr: Pointer to post-build configuration data
Parameters  (in/ None
out)
Parameters (out) None
Return value
None
Compatibility
AUTOSAR 4.0 r1
Description
The  WdgM_Init()  function  initializes  the  S-WdgM.  After  the
execution of this function, monitoring is activated according to the
configuration  of  ConfigPtr.  This  function  can  be  used  during
monitoring, too, but note that all pending violations are lost.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 85
Syntax
void WdgM_GetVersionInfo
(Std_VersionInfoType* VersionInfo)
Service ID[hex]
0x02
Sync/Async
Synchronous
Reentrant?
Yes
Parameters (in)
None
Parameters  (in/ None
out)
Parameters (out) VersionInfo: Pointer to where to store the version information
of the S-WdgM module.
Return value
None
Compatibility
AUTOSAR 4.0 r1
Description
The  WdgM_GetVersionInfo()  function  returns  information
about the version of this module. This includes the module ID, the
vendor ID, and the vendor-specific version number.
Syntax
void WdgM_MainFunction(void)
Service ID[hex]
0x08
Timing
FIXED_CYCLIC
Reentrant?
No
Parameters (in)
None
Parameters  (in/ None
out)
Parameters (out) None
Return value
None
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 86
Compatibility
AUTOSAR 4.0 r1
Description
This  function  evaluates  monitoring  data  gathered  from  the  hit
checkpoints in all supervised entities during the supervision cycle.
Depending on the violation found (if there is any), the
local state of the supervised entities and
the S-WdgM global state
are evaluated again.
Depending on the resulting global state:
the WD is triggered, or
the WD trigger discontinues (safe state), or
the WD is reset (safe state).
The function must run at the end of every supervision cycle. It may
be called by the Basic Software Scheduler or a  task  with a  fixed
period time.
The  WdgM_MainFunction()  function  is  not  reentrant.  To
prevent data inconsistency when it is interrupted by itself (e.g., due
to  schedule  overload),  the  function  checks  if  it  is  executed
concurrently. If this function is  started  before  its  last  instance  has
finished, it raises a development error.
Note:
Alive  counter  violations  are  detected  at  the  end  of  every  alive
supervision reference cycle,
program  flow  violations  are  detected  at  the  end  of  every
supervision cycle,
continued  program  flow  violations  are  detected  at  the  end  of
every program flow supervision cycle.
deadline violations are detected at the end of every supervision
cycle,
continued of deadline violations are detected at the end of every
deadline supervision cycle.
See also the Safe Watchdog Manager Safety Manual [5] 128 .
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 87
Syntax
void WdgM_UpdateTickCount(void)
Service ID[hex]
None
Timing
FIXED_CYCLIC
Reentrant?
No
Parameters (in)
None
Parameters  (in/ None
out)
Parameters (out) None
Return value
None
Compatibility
TTTech
Description
This function increments the S-WdgM Timebase Tick Counter by
one.
When
the
precompile
configuration
parameter

44
WdgMTimebaseSource
is  set  to  WDGM_EXTERNAL_TICK,
then this function needs to be called periodically from outside  the
S-WdgM.
The Timebase Tick Counter  delivers  the  time  base  for  deadline
monitoring.  In  the  AUTOSAR  environment,  this  function  can  be
called,  for  example,  from  a  task  with fixed  time  period  and  high
priority.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 88
2.7.5
Expected Interfaces
This  section describes  the  expected  interfaces  to  external modules  used  by  the  S-
WdgM at BSW level (see Figure 18) and describes how to use  the  external interfaces
with regard to safety (for detailed requirements on how to  use  external interfaces,  see
the Safe Watchdog Manager Safety Manual [5] 128).
Note: The external modules are AUTOSAR-defined modules.
RTE
S-WdgM
Safe Watchdog  Notification
Application Level
API
WdgM_Init()

WdgM_GetVersionInfo()
S-WdgM
WdgM_MainFunction()
BSW
WdgM_UpdateTickCount()*
(EcuM)
WdgM_GetTickCount()
(SchM)
Appl_Dem_ReportErrorStatus()*

Dem
Appl_Det_ReportError()*

Det
Appl_Mcu_PerformReset() *

Mcu
SchM_Enter_WdgM()*
SchM_Exit_WdgM() *

SchM
WdgIf_SetMode()
WdgIf_SetTriggerWindow()
WdgIf_GetTickCounter()*

*
S-WdgIF
Optional interface

Fig. 18: Expected interfaces to external modules
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 89
Function
Description
Appl_Dem_ReportErrorStatus()
If  the  precompiler  switch  WdgMDemReport  is  set  to
STD_ON,
the
S-WdgM
calls
the
function
Dem_ReportErrorStatus()  through  the  wrapper
Appl_Dem_ReportErrorStatus().
Safety  aspect:  The  DEM  module  may  not  meet  the
required  quality  level.  The  wrapper  is  implemented  to
guarantee  freedom  from  interference.  See  the  Safe
Watchdog  Manager  Safety  Manual  [5] 128  for  more
information.
Appl_Det_ReportError()
If the precompiler switch WdgMDevErrorDetect is  set
to
STD_ON,
the
S-WdgM
calls
the
function
Det_ReportError()
through
the
wrapper
Appl_Det_ReportError().
Safety  aspect:  The  DET  module  may  not  meet  the
required  quality  level.  The  wrapper  is  implemented  to
guarantee  freedom  from  interference.  See  the  Safe
Watchdog  Manager  Safety  Manual  [5] 128  for  more
information.
Appl_Mcu_PerformReset()
If  the  precompiler  switch  WDGM_SECOND_RESET_PATH
is
STD_ON,
the
S-WdgM
calls
the
function
Mcu_PerformReset()
through
the
wrapper
Appl_Mcu_PerformReset().
Safety  aspect:  The  MCU  module  may  not  meet  the
required  quality  level.  The  wrapper  is  implemented  to
guarantee  freedom  from  interference.  See  the  Safe
Watchdog  Manager  Safety  Manual  [5] 128  for  more
information.
SchM_Enter_WdgM() and
If
the
precompiler
switch
WdgMUseOsSuspendInterrupt is set to STD_ON, the
SchM_Exit_WdgM()
S-WdgM calls  the functions  SchM_Enter_WdgM() and
SchM_Exit_WdgM().
Safety  aspect:  The  SCHM  module  may  not  meet  the
required quality  level.  See  the  Safe  Watchdog  Manager
Safety Manual [5] 128  for more information.
Note: If the precompiler switches
WdgMDevErrorDetect,
WdgMDemReport,
WdgMUseOsSuspendInterrupt,
WdgMImmediateReset and
WDGM_SECOND_RESET_PATH
are set to false, the S-WdgM module does not call the corresponding function(s).
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 90
Note:  The  functions  listed  in the  table  above  may not  meet  the  required  quality  level
and,  thus,  must  be  wrapped  in order  to  ensure  freedom  from  interference  with the  S-
WdgM.  The  integrator  must  implement  the  Appl_...()  functions  according  to  the
requirements specified in the Safe Watchdog Manager Safety Manual [5] 128.
Note:  The  system  integrator  must  revise  the  necessity  of  the  expected  interfaces.  A
called external function may degrade the quality level of the S-WdgM below the required
quality level.
2.7.6
AUTOSAR 3.1 Compatibility Mode
If the parameter
62
WdgMSupportedAutosarAPI
is set to API_3_1 , the S-WdgM
is compiled in the AUTOSAR 3.1 compatibility mode. This means that its functionality is
reduced to the functionality described by AUTOSAR 3.1.
The AUTOSAR 3.1 compatibility mode has the following configuration restrictions:
Exactly one checkpoint must be defined for a supervised entity.
The checkpoint must have an initial attribute and an end attribute.
An Alive counter must be defined for the checkpoint.
Local and global transitions are not allowed.
The AUTOSAR 4.0 r1 supervised entities are not allowed.
Note: the AUTOSAR 3.1 compatibility mode must be differentiated from the AUTOSAR
environment  version  in  which  the  S-WdgM  is  integrated.  The  compatibility  mode  is
related only to the functionality of the module.
2.7.6.1
User API
If  the  parameter  WdgMSupportedAutosarAPI 62  is  set  to  API_3_1  (embedded  macro
WDGM_AUTOSAR_3_1_X_COMPATIBILITY = STD_ON),  then the  S-WdgM  provides  the
AUTOSAR 3.1 functions described in the table below. The table also shows the internal
mapping of the AUTOSAR 3.1 to the AUTOSAR 4.0 r1 functions:
S-WdgM in AUTOSAR 3.1
WdgM_SetMode(Mode)
compatibility mode
Native S-WdgM function
WdgM_SetMode(Mode, CallerID)
Note
The  CallerID  =  0  is  added  in  the  S-WdgM  embedded
code.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 91
S-WdgM in AUTOSAR 3.1
WdgM_GetMode(*Mode)
compatibility mode
Native S-WdgM function
WdgM_GetMode(*Mode)
Note
The function signature is the same.
S-WdgM in AUTOSAR 3.1
WdgM_UpdateAliveCounter(SEID)
compatibility mode
Native S-WdgM function
WdgM_CheckpointReached(SEID, CPID)
Note
The CPID = 0 is added in the S-WdgM embedded code
S-WdgM in AUTOSAR 3.1
WdgM_GetAliveSupervisionStatus(SEID, *status)
compatibility mode
Native S-WdgM function
WdgM_GetLocalStatus(SEID, *status)
Note
The function name is redefined in the file WdgM_swc.arxml.
S-WdgM in AUTOSAR 3.1
WdgM_GetGlobalStatus(*status)
compatibility mode
Native S-WdgM function
WdgM_GetGlobalStatus(*status)
Note
The function signature is the same.
S-WdgM in AUTOSAR 3.1
WdgM_ActivateAliveSupervision(SEID)
compatibility mode
Native S-WdgM function
WdgM_ActivateSupervisionEntity(SEID)
Note
The function name is redefined in the file WdgM_swc.arxml.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 92
S-WdgM in AUTOSAR 3.1
WdgM_DeactivateAliveSupervision(SEID)
compatibility mode
Native S-WdgM function
WdgM_DeactivateSupervisionEntity(SEID)
Note
The function name is redefined in the file WdgM_swc.arxml.
S-WdgM in AUTOSAR 3.1
WdgM_GssChangeCbk(status)
compatibility mode
Native S-WdgM function
WdgM_GlobalStateChangeCbk(status)
Note
The function name is redefined in the file WdgM_swc.arxml.
S-WdgM in AUTOSAR 3.1
WdgM_IssChangeCbk(status)
compatibility mode
Native S-WdgM function
WdgM_LocalStateChangeCbk(status)
Note
The function name is redefined in the file WdgM_swc.arxml.
2.7.6.2
System API
S-WdgM in AUTOSAR 3.1
WdgM_Init(&Config)
compatibility mode
Native S-WdgM function
WdgM_Init(&Config)
Note
The function signature is the same.
S-WdgM in AUTOSAR 3.1
WdgM_GetVersionInfo(&versioninfo)
compatibility mode
Native S-WdgM function
WdgM_GetVersionInfo(&versioninfo)
Note
The function signature is the same.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 93
S-WdgM in AUTOSAR 3.1
WdgM_Cbk_GptNotification()
compatibility mode
Native S-WdgM function
WdgM_UpdateTickCount()
Note
In
the
AUTOSAR
3.1
environment
the
WdgM_UpdateTickCount()
function is not used,
because it is used in the AUTOSAR 4.0 r1 deadline
monitoring only.
S-WdgM in AUTOSAR 3.1
WdgM_MainFunction_AliveSupervision()
compatibility mode
Native S-WdgM function
WdgM_MainFunction()
Note
In the AUTOSAR 3.1 and AUTOSAR 4.0 r1 environment,
the native S-WdgM function (WdgM_MainFunction()
85 ) must be called.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Safe Watchdog Manager (S-WdgM)
Page 94
3
Integration
3.1
Initialization of the S-WdgM
In a safety-related system, the initialization of the Watchdog device should be done as
soon as possible after system start (at least before a QM task may compromise the
initialization process). The Watchdog device starts the counter for the next expected
trigger.
Note: The ways how the Watchdog device is initialized, configured, and how it reacts
are platform-dependent and can be different. See the corresponding S afe W atchdog
D river U ser M anual.
The time between the initialization of the S-Wdg and the first triggering in function
WdgM_MainFunction() (Supervision cycle 0) must match the Watchdog
requirements. This time can be adapted in the S-Wdg configuration by changing the
initial S-Wdg trigger window to meet the operating system start time requirements (see
Figure 19).
 Supervision cycle 0
 Supervision cycle 1
 Supervision cycle 2

o
)
)

(
(
i
n
n
n
t
o
o
c
tio

i
)
i
n
t
t
a
(
c
c
u

t

F
w
liz
n
n
i

)
n
n
)
(
u
u
F
F
i
flo
itia
I
(
t
n
n
_
S
i

i

i
a

m

>
O
n
M
ra
In
a
a
)
…
_
I
x
y
x
z
x
y
z
M
M
_
_
_
_
_
_
_
_
g
U
(
<
t
_
_
n
_
r
M
_
k
k
k
k
k
k
k
M

M
M
ro
C
i
g
a
g
s
g
s
s
s
g
s
s
s
g
)
P
a
a
a
a
a
a
a
M
a
d
t
d
d
d
d
(
m
W
S
W
T
W
T
T
T
W
T
T
T
W
n
0
t ime
OS is running
Init. WD level
WD reload level

e
lu
a
r v
te
n
u
o
c
D
W
WD res et level
t ime
Trigger
Trigger
WD not initialized
WD initial trigger window
window
 window
Reset
Reset
Res et
window
window
window

Fig. 19: Start phase of the S-WdgM
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 95
The y-axis in Figure 21 shows the WD counter value, which is reset after each trigger.
Then the countdown runs until the S-Wdg is triggered again (within the WD initial
trigger window or Trigger window) or 0 (WD Reset level) is reached (i.e., the
window has been missed) so that a reset is performed.
Notes:
Not all hardware platforms can configure a different trigger time for the first
supervision cycle (cycle 0).
In the first supervision cycle, the Alive counter evaluation can be suppressed by the
parameter WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET 48 .
The functions
84
85
WdgM_Init()
and WdgM_MainFunction()
functions can be
placed inside a task, too.
The function Wdg_<...>_Init() can be placed before main().
For safety reasons the S-WdgM uses windowed triggering mode. This means that
watchdog triggering outside the defined window time causes a reset.
After the execution of function WdgM_Init()the supervision of configured entities is
activated and the checkpoints can be executed (called).
3.2
Memory Sections
Memory segmentation into sections is especially important when memory protection is
used in the system.
The S-WdgM uses three basic RAM data sections:
1. Memory sections for local data of every SE: This section contains local
information about every supervised entity and, if defined, also the Alive counters.
These variables are used by the WdgM_CheckpointReached() function and are
part of the private SWC (task, application) memory and written only in the context of
this SWC.
Note: The S-WdgM does not protect this memory section.
2. Memory sections for global data: This section contains the S-WdgM global data
such as S-WdgM global status and Timebase Tick counter. It is a S-WdgM private
memory.
Note: In the AUTOSAR environment, where QM and Safety-related modules are
used together, the S-WdgM global data should be placed in a so-called trusted
memory section to guarantee its safety and integrity.
3. Memory sections for global shared data: This section contains data such as the
last active entity. This memory must be writable for all SWCs using the
WdgM_CheckpointReached() function and for the WdgM_Init() function. As
this is a memory where all the QM SWCs could write, the S-WdgM variables are
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 96
protected  (stored  double-inverted)  by the  S-WdgM  itself.  The  S-WdgM  checks  the
correctness  of  these  variables  with  read  operations.  If  a  fault  is  detected,  the  S-
WdgM initiates a reset.
Figure 20 shows the memory usage of the S-WdgM.
S-WdgM RAM  memory map
SWC’ s   pri vate memory
SWC’ s   pri vate memory
SWC’ s   pri vate memory
section
1
S-WdgM local  enti ty mem ory
Write:  Chec kpointReached,
WdgM_I nit

S-WdgM  Gl obal memory

section
Read: all
2
Write:  S-WdgM
S-WdgM Global shared  memory

section
Read: all
3
Write:  all
Fig. 20: M emory usage of the S-WdgM

Local entity memory:  Local  entity  data  is  supervised  entity  private  data.  This  is  the
data where the function
78
WdgM_CheckpointReached()
writes.
The S-WdgM Configuration Generator 102  provides defines so  that  the  status  variables
of every supervised entity can be placed in a separate RAM section. The declaration of
every  entity  starts  with  the  defines  WDGM_SEi_START_SEC_VAR_*  and  ends  with
WDGM_SEi_STOP_SEC_VAR_*, where i is the ID of the supervised entity.
Theses  defines  are  in  the  generated  file  WdgM_MemMap.h  in  an  AUTOSAR  3.1
environment or WdgM_OSMemMap.h in an AUTOSAR 4.0 environment. Hence, it must
be included in the file MemMap.h.
If  the  entity  is  linked  to  an  OS  task  (through  its  ECU  description  parameter
WdgMAppTaskRef 64 ),  then  the  supervised  entity  data  is  placed  in  a  section
embedded
in
appl_name_START_SEC_VAR_*
and
appl_name_STOP_SEC_VAR_*, where appl_name  is the name of the  application.
In this case, the integrator must make sure to  include  the  file  Os_MemMap.h  after  the
file WdgM_MemMap.h in file MemMap.h.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 97
Global memory:  Global  data  are  private  S-WdgM  variables.  The  memory  mapping
defines
are
WDGM_GLOBAL_START_SEC_VAR_*
and
WDGM_GLOBAL_STOP_SEC_VAR_*.
This section can be mapped to an OS application (through its ECU description
parameter
49
WdgMGlobalMemoryAppTaskRef
). For this mapping, the defines
appl_name_START_SEC_VAR_* and appl_name_STOP_SEC_VAR_* are used,
where appl_name is the name of the application. In this case, the integrator must
make sure to include the file Os_MemMap.h after the file WdgM_MemMap.h in file
MemMap.h.
As this section is internally  not protected by the S-WdgM, it should be in a memory area
where it cannot be corrupted.
Global  shared  memory:  Global  shared  data  should  be  placed  in  a  RAM  section
where all tasks can read and write to that data.
The  memory  mapping  defines  are  WDGM_GLOBAL_SHARED_START_SEC_VAR_*
and  WDGM_GLOBAL_SHARED_STOP_SEC_VAR_*.  These  variables  are  internally
protected by the S-WdgM.
3.3
Timing Setup
The timing of the S-WdgM is defined by
the calling period of function
85
WdgM_MainFunction()
and,
the count period of the S-WdgM Tick Counter (for Deadline Monitoring).
Every time when the function
85
WdgM_MainFunction()
is invoked,
the Alive counters are evaluated,
running deadlines are checked for violations,
checkpoint fault indications are evaluated and, finally,
the S-WdgM global status of all supervised entities is calculated.
Note:  The  time  period  during  which  the  function
85
WdgM_MainFunction()
is
called, is the S-WdgM supervision cycle. This cycle time is also used for the periodic
triggering of the Watchdog device. The period of this cycle  determines  the  shortest  S-
WdgM  reaction time.  For  example:  If  the  S-WdgM  reaction  time  should  be  not  more
than 10 ms, the supervision cycle time should be set to 10 ms or shorter.
Figure 21 shows the S-WdgM timing configuration parameters. The parameters can be
set by a Configuration Tool.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 98
Oscillator  (f_osc)
System environment (OS)
S-WdgM Configuration – timing parameters

WdgMTicksPerSecond [Hz]
Scheduler
WdgMSupervisionCycle [s]
WdgMTriggerWindowStart [ms]

WdgMTriggerConditionValue [ms]
)
*1

t
n
u

S-Wdg Configuration – timing parameters
o
n
C
o
k
i
)
c
t
i
c
WdgWindowStart [s]
T
n
r  *2
e
u
t
F
te
a
n
e
WdgInitialTimeout [s]
d
i
m
p
a
U
M
ra
_
_
a
M
M
p
g
g
k
d
d
ic
f_wdg
W
W
T

Watchdog
Safe  Watchdog
trigger
Safe Watchdog
t rigger
device
Manager
Driver
Tick  (*2

MCU counter
*1) Used for  external Tick source
*2) Used for  internal hardware  Tick  source

Fig. 21: Time base of the S-WdgM
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 99
Two  configuration  parameters  shown  in  Figure  21  are  used  by  the  System
Environment only. The Scheduler uses these parameters and periodically calls
function WdgM_MainFunction() 85  and,
if defined, also function WdgM_UpdateTickCounter().
All the other parameters are used by the S-WdgM and S-Wdg.
Configuration Parameter
Description
WdgMSupervisionCycle
This parameter defines the time period in which the S-
WdgM  performs  cyclic  supervision.  This  is  the  time
period  in which  function  WdgM_MainFunction() 85
is  called.  The  user  of  this  parameter  is  the  system
environment
that
periodically
calls
function
WdgM_MainFunction().  The  Watchdog  device  is
triggered with every call of WdgM_MainFunction().
WdgMTicksPerSecond
This parameter defines the frequency by which the  S-
WdgM Tick counter is incremented.
If  the  external  Tick  counter  is  selected,  the  user  of
this  parameter  is  the  system  environment  that
periodically
calls
function
WdgM_UpdateTickCount() 87 .
If the internal hardware Tick counter is selected, this
parameter  configures  the  frequency  of  the  MCU
counter.
The parameter
51
WdgMTicksPerSecond
must not
be zero.
WdgMTriggerWindowStart
This  parameter  defines,  for  all  supervision  cycles
(except  for  the  first),  the  lower  limit  of  the  Watchdog
trigger  window.  If  the  Watchdog  triggered  before,  a
reset is caused. This parameter is in milliseconds. The
user is the S-WdgM.
WdgMTriggerConditionValue This  parameter  defines,  for  all  supervision  cycles
(except  for  the  first),  the  upper  limit  of  the  Watchdog
trigger window. If the Watchdog is not triggered in time,
a  reset  is  caused.  This  parameter  is  in  milliseconds.
The user is the S-WdgM.
WdgWindowStart
This  parameter  defines,  for  the  first  supervision  cycle,
the  minimum  window  time  after  which  watchdog
triggering  is  allowed.  This  parameter  is  used  by  the
Safe Watchdog Driver only.
WdgInitialTimeout
This  parameter  defines,  for  the  first  supervision  cycle,
the  upper  limit  of  the  Watchdog  trigger  window.  If  the
Watchdog  is  not  triggered  in  time,  a  reset  is  caused.
This  parameter  is  used  by  the  Safe  Watchdog  Driver
only  (see  the  corresponding  Safe  Watchdog  Driver
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 100
User Manual).
3.3.1
Deadline Measurement and Tick Counter
The transition time between two checkpoints is measured in Ticks. The Tick Counter
delivers  a  time  base  for  Deadline  Monitoring.  The  Tick  counter  is  the  smallest
deadline time unit for the S-WdgM. There are three possible Tick sources (see Figure
22):
Internal  hardware  Tick  source:  The  tick  source  is  an  S-WdgM  internal  source
derived  from  the  MCU  hardware  counter.  If  the  internal  hardware  Tick  source  is
selected, the frequency is set by the parameter WdgMTicksPerSecond.
Internal  software  Tick  source:  The  Tick  source  is  software-based  where  the
internal  counter  is  incremented  every  time  the  S-WdgM  main  function
(WdgM_MainFunction())  is  called.  If  the  internal  software  Tick  source  is
selected, the frequency is the same as WdgM_MainFunction() is called.
External Tick source:  The Tick  must  be  counted  externally by calling  the  S-WdgM
function WdgM_UpdateTickCount().  If  the  external  Tick  source  is  selected,  the
system  integrator  is  responsible  for  calling  the  function  on  a  regular  basis.  The  S-
WdgM  internally  checks  if  the  number  of  Ticks  corresponds  with  the  Supervision
Cycle.
Note:
The
Tick
source
can
be
selected
by  setting
the
parameter
WdgMTimebaseSource.
The
default
parameter
value
is
WDGM_INTERNAL_SOFTWARE_TICK.

Safe Watchdo g
Once per SupervisionCycle
Manager
Int ernal  software

Syst em API :
WdgM_UpdateTickCount()
external
c lock
Tick Counter

Int ernal  hardware

Safe Watchdo g
Driver
Tick source  switch parameter:
WdgMTmebaseSource

MCU counter

Fig. 22: S-WdgM  Tick source selection for deadline monitoring
The Ticks per second must be configured for the S-WdgM to translate the  monitored
deadlines  from  seconds  (as  stored  in  the  AUTOSAR  ECU  description  files)  to  S-
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 101
WdgM ticks. This conversion is done during configuration generation for the S-WdgM,
with the deadlines being stored in the generated configuration as S-WdgM ticks.
Note:
Non-integer  ticks  are  not  allowed.  If  a  deadline  cannot  be  converted  into  an integer
number of S-WdgM ticks, the S-WdgM Configuration Generator will report an error.
For an internal software Tick source and an external Tick source the internal Tick
counter is initialized to 1.
Examples
Let a S-WdgM Tick be 2 ms. If there is a deadline of 3 ms, it cannot be converted to
S-WdgM ticks without loss of accuracy. It will be between 1 and 2 S-WdgM ticks.
Let a S-WdgM Tick be 1 ms (i.e., the parameter  WdgMTicksPerSecond  is  set  to
1000).  A  deadline  of  0.002s=2ms  is  then translated  to  2  S-WdgM  ticks.  But  a
deadline of 0.0005s=0.5ms cannot be translated to an integer number of S-WdgM
ticks.
Note:  There is a trade-off between the S-WdgM Tick resolution and performance. The
shorter  the  Tick  length,  the  finer  the  deadlines  that  can  be  monitored.  However,  the
performance gets worse due to more frequent calls to the WdgM_UpdateTickCount
() function.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Integration
Page 102
4
Configuration Generation
4.1
S-WdgM Configuration Generator
The S-WdgM Configuration Generator is a Microsoft Windows console application
that can be launched from a command prompt window by entering the command
Wdg_Mgr_Cfg_Gen.exe. The S-WdgM Configuration Generator reads the S-WdgM
module information from the AUTOSAR ECU description file (*.arxml) and
generates configuration structures for the S-WdgM.
Note: Safety requirements must be considered for the generation process. These
requirements are listed in the Safe Watchdog Manager Safety Manual [5] 128, which
also gives a detailed description of a verification process for the generated files using a
separate tool. This verification process is mandatory for safety-related systems.
To use the S-WdgM Configuration Generator, enter the following command in a
command prompt window:
Wdg_Mgr_Cfg_Gen.exe [options] <ECU-DESC-FILE> <OUTPUT-DIR>
[options]
Description
--version
Shows the application version number and license
information, and then exits.
-h/--help
Shows this help message and exits.
Parameter
Description
<ECU-DESC-FILE>
The ECU description file (*.arxml). It is generated by
a tool like the DaVinci Configurator, for example.
<OUTPUT-DIR>
The destination folder for the generated output. You
must specify this parameter.
The S-WdgM Configuration Generator was developed and tested for MS Windows 7
and can be integrated into a graphical configuration environment. The following DLLs
must be present in the system:
OLEAUT32.dll
USER32.dll
POWRPROF.dll
SHELL32.dll
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 103
ole32.dll
WSOCK32.dll
ADVAPI32.dll
WS2_32.dll
VERSION.dll
KERNEL32.dll
The installer for this DLL is available at the Microsoft Download Center.
4.1.1
S-WdgM Configuration Verification
The S-WdgM Verifier is a TTTech tool for the verification  of  the  generated  S-WdgM
configuration. The S-WdgM Verifier is delivered as a DLL (wdgm_verifier.dll)
that must be compiled with the configuration files produced by the generator and the
files  produced  by  the  XSLT  Processor.  The  compilation  result  is  a  Windows
Verifier.exe
program.  Running
the
Verifier  generates  a
report  file
(verifier_report.txt) that contains the result of the verification.
Figure 23 shows the workflow of the S-WdgM Verifier build. For details, refer to the
Safe Watchdog Manager Safety Manual [5] 128.
Wdg* Config Generator
Wdg* Config
Lcfg*.c, *.h
System
Config
XSL File
Verifier
Report
Specs
Tool *1
ECU Descr. File
Info File
XSLT Processor
Gene ration Path
Manual
Validation
User Verification
Path
*1 DaVinci Configu rator

Fig. 23: Workflow of the S-WdgM  Configuration Verifier build
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 104
4.1.1.1
Installing the S-WdgM Verifier
To run the S-WdgM Verifier an XSLT Processor and a working gcc environment are
required.
The XSLT Processor can be installed by installing  the  Configuration  Tool  (DaVinci
Configurator), and it consists of following files:
iconv.dll,
libexslt.dll,
libxml2.dll,
libxslt.dll,
zlib1.dll,
xsltproc.exe.
The  recommended  way  to  install  gcc  is  to  install  the  MinGW  environment  with  the
provided  installer  program  (MinGW-5.1.6.exe)  for  Windows  7.  To  install  gcc
proceed as follows:
1. Start  the  installer  program,  accept  the  license  terms  and  click  Next  until  you  are
prompted to select a configuration.
2. When  prompted,  select  Minimal  configuration.  There  is  no  need  to  select  any
check boxes.
3. Complete the installation process after accepting the default settings.
4. Having  installed  gcc,  add  the  c:\MinGW\bin  directory  to  your  search  path  by
entering  the  command  set  PATH=%PATH%;c:\MinGW\bin  in  a  command
prompt  window.  Alternatively you can edit  Environment  Variables  in  the  System
Properties dialog (Start > Control Panel > System).
To verify that gcc is working, open a new command prompt window and enter gcc --
version to let gcc show its version number.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 105
4.2
Workflow
Figure 24 shows the workflow of how to  generate  and  apply a  configuration for  the  S-
WdgM.

Fig. 24: Workflow of configuration generation and application for the S-WdgM
The  S-WdgM  Configuration  Generator  is  the  application  that  generates  the
configuration for  the  S-WdgM.  The  input  used  to  generate  a  configuration is  an ECU
description  file  (*.arxml).  The  ECU  description  file  contains  the  configured
AUTOSAR  WdgM,  WdgIf  and  Wdg  modules.  The  S-WdgM  configuration  can  be
created and configured in several ways.
If you use the Vector tools  DaVinci Configurator Pro (DVC) and DaVinci Developer,
the workflow to generate the configuration is as follows:
DVC  is  configured  such  that  it  uses  the  external  generator  S-WdgM  Configuration
Generator  to  generate  the  configuration  for  the  modules  S-WdgM,  S-WdgIf  and  S-
Wdg.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 106
During configuration generation, the S-WdgM Configuration Generator is
automatically invoked and produces the configuration *.c and *.h files.
If necessary, DaVinci Developer can be used to configure the runtime
environment (RTE) for the S-WdgM. You can configure the software components
that need to call S-WdgM functions, with the tool generating the respective RTE
configuration files.
If you do not use the Vector tools mentioned above the workflow to create a
configuration is as follows:
Start a command prompt window and enter the following command:
Wdg_Mgr_Cfg_Gen.exe <ecu_descr_file> <output_directory>
where <ecu_descr_file> is the name of the respective ECU description file
(*.arxml) and
<output_directory> is the directory where to create the respective *.c and
*.h files.
The S-WdgM code generator generates a configuration file, WdgM_PBcfg.c (see
Section Configuration Generation 102), where all S-WdgM variables are defined and
assigned to various memory sections (see Section Memory Sections 95 ).
The S-WdgM code generator also generates the file WdgM_MemMap.h in an
AUTOSAR 3.1 environment or WdgM_OSMemMap.h in an AUTOSAR 4.0 environment,
where the S-WdgM memory sections defined in the WdgM_PBcfg.c file are assigned
to user-defined application sections or other system sections. The relation between
memory sections and applications can be defined with a tool such as DaVinci
Configurator
using
the
parameters
WdgMAppTaskRef
and
WdgMGlobalMemoryAppTaskRef.
The following example of a WdgM_MemMap.h file places the status variables for a
supervised entity with index 1 to the application memory section called
Application_1_START_SEC_VAR_NOINIT_UNSPECIFIED
and
Application_1_STOP_SEC_VAR_NOINIT_UNSPECIFIED:
/* Supervised Entity SE1 */
#ifdef WDGM_SE1_START_SEC_VAR_NOINIT_UNSPECIFIED
#undef WDGM_SE1_START_SEC_VAR_NOINIT_UNSPECIFIED
#define Application_1_START_SEC_VAR_NOINIT_UNSPECIFIED
#endif
#ifdef WDGM_SE1_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#undef WDGM_SE1_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#define Application_1_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#endif
If no application is assigned with the parameters WdgMAppTaskRef or
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 107
WdgMGlobalMemoryAppTaskRef, then the prefix is WDGM_ instead of the
application name.
All global shared data used by the S-WdgM are protected by S-WdgM against
corruption.
4.3
Output Files
The following output files are generated for the respective platform type
(<platform>), where <platform> is the respective hardware platform used,
e.g., MPC5604 or TMS570LS3xx:
WdgM_PBCfg.c
WdgM_PBCfg.h
WdgM_MemMap.h (in an AUTOSAR 3.1 environment) or WdgM_OSMemMap.h (in
an AUTOSAR 4.0 environment)
WdgM_Cfg_Features.h
The file WdgM_PBCfg.c contains the main configuration structure with the default
name WdgMConfig_Mode0. This configuration name should be used by the
initialization function, i.e., by call WdgM_Init(&WdgMConfig_Mode0). If necessary,
the non-standard AUTOSAR name WdgMConfig_Mode0 can be renamed to
WdgMConfigSet in the Configuration Tool (e.g, DaVinci).
Since the S-WdgM Configuration Generator is not trusted, the generated code must be
verified. For details on the configuration verification process, refer to the Safe
Watchdog Manager Safety Manual [5] 128.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 108
4.4
Error Messages
The generator will show an error message in the command prompt window and quit if
something goes wrong during configuration generation.
4.4.1
Basic Errors
Error
Error Message
No.
1
Bad call syntax.
2
Cannot open ECU description file `%s`.
3
Cannot convert float parameter `%s/%s` to an Watchdog ticks.
4
Cannot convert `%s` to a numerical value.
5
Fatal error.
6
Method `%s` must be implementd by subclass of `%s`.
7
Missing WdgM data.
4.4.2
Semantic Errors
Error
Error Message
No.
1001
Checkpoint IDs belonging to Supervised Entity `%s` are not a
zero-based list of increasing integers without gaps.
1002
No WdgMMode elements found.
1003
Supervised Entity `%s`: local transition starts at Checkpoint
with an ID %d.
1004
No WdgMMode element with WdgMModeId %d found.
1005
ECU Description File has no `WdgM` element.
1006
Referencing non-existing checkpoint `%s`.
1015
No value found for parameter defined by `%s` in `Element `%s`.
1016
Supervised Entity `%s` has no checkpoints.
1017
Supervised Entity `%s` defines local transitions
for alien checkpoint(s) `%s`.
1018
Local Transition `%s` references alien checkpoint `%s`.
1019
Local Transition `%s` references wrong destination entity `%s`.
1020
Local Transition `%s` references wrong source entity `%s`.
1021
Cannot convert float parameter `%s/%s` (%.6f [s]) to an integral
number of Watchdog ticks. (Using %.2f ticks per second).
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 109
1025
Ignoring `WdgMGeneral/WdgMNumberOfSupervisedEntities`.
1026
Found more than one `WdgMMode` elements;
generating code for mode with ID %d.
1027
Cannot find top level element %s.
1028
No value found for `#define %s`. Verify element defined by `.../%
s`.
1029
No `.../WdgM/WdgMGeneral/WdgMWatchdog` elements found.
1031
No transition found for WdgMDeadlineSupervision `%s`
between Supervised Entity `%s`, Checkpoint `%s` and
Supervised Entity `%s`, Checkpoint `%s`.
1034
Found a `REFERENCE-VALUE` element defined by `%s`
without a `VALUE-REF` child element.
1035
Cannot find `REFERENCE-VALUE` element defined by `%s`.
1036
Checkpoint `%s` has no ID.
1037
Checkpoint `%s` has no `VALUE` element for its ID.
1038
Missing `SHORT-NAME` element.
1039
No global initial Supervised Entity found.
1040
Program Flow Supervision has no checkpoint defined by %s.
1043
Watchdog `%s` has no `WdgMTrigger` element assigned to it.
1044
Cannot identify driver.
1045
No `WdgMLocalStatusParams` element found.
1048
Cannot find checkpoint ID for `%s/%s`.
1049
Cannot find checkpoint ID for `%s/%s`.
1050
Cannot find checkpoint ID for `%s`.
1051
`%s` is an AUTOSAR 3.1 Supervised Entity and therefore shall
have exactly one checkpoint and this checkpoint shall have
its ID set to 0.
1052
Supervised Entity `%s`: `WdgMFailedProgramFlowRefCycleTol` is
positive (%d) but `WdgMProgramFlowRefCycle` is not (%d).
1053
Supervised Entity `%s`: Zero tolerance for program flow
violations -
`WdgMProgramFlowRefCycle` set to %d and
`WdgMFailedProgramFlowRefCycleTol` set to zero.
1054
Supervised Entity `%s`: `WdgMFailedDeadlineRefCycleTol` is
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 110
positive (%d) but `WdgMDeadlineReferenceCycle` is not (%d).
1055
Supervised Entity `%s`: Zero tolerance for dealine violations -
`WdgMDeadlineReferenceCycle` set to %d and
`WdgMFailedDeadlineRefCycleTol` set to zero.
1056
WdgMAliveSupervision `%s` (checkpoint `%s`):
`WdgMSupervisionReferenceCycle` (%d) must be a positive value.
1057
Supervised Entity `%s`: `WdgMFailedSupervisionRefCycleTol` set
to a positive value (%d) but there is no alive counter attached
to any of its checkpoints.
1058
Mandatory `LocalStatusParams` data is missing.
1059
Shortest maximum deadline (%s: %f seconds) is shorter than
`WdgMSupervisionCycle` (%f seconds).
1060
Mode with ID `%d`
(`WdgMTicksPerSecond`: %d; `WdgMSupervisionCycle`: %f)
fails to meet timing requirement
`(1 / WdgMTicksPerSecond) <= WdgMSupervisionCycle`.
1061
Watchdog `%s`, trigger mode ID %s: the requirement
`WdgMTriggerWindowStart <= WdgMSupervisionCycle <=
WdgMTriggerConditionValue` is not fulfilled
1062
Verify that every Supervised Entity has a unique ID.
1063
No local incoming transitions defined for checkpoint `%s` in
Supervised Entity `%s`. Reaching `%s` will trigger a Program
Flow violation.
1064
Supervised Entity `%s` has no initial checkpoint.
1065
Callback function(s) `%s` will never be executed because
`WDGM_STATE_CHANGE_NOTIFICATION` is turned off.
1066
`WDGM_STATE_CHANGE_NOTIFICATION` is turned on but there is
no callback function defined. Verify the
`WdgMGlobalStateChangeCbk`
and `WdgMLocalStateChangeCbk` values
1068
Ensure that Supervised Entities have callback functions with
a unique name.
1069
Local end checkpoint %s/%s must not be the source
of a local transition.
1070
Local init checkpoint %s/%s must not be the destination
of a local transition.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 111
1071
The Supervised Entity IDs are not a zero-based list of integers
without gaps.
1072
The watchdog driver is called in the context of the watchdog
manager and its global variables must be placed in the
same section as the watchdog manager's global variables
in the presence of memory protection!
(The watchdog driver global variables are placed in `%s`
and the watchdog manager global variables are placed in `%s`).
1073
This driver configuration generator supports %s -- %s is not
supported.
1075
The targeted precision (%d ticks per second) is too high; please
lower the resolution (`.../WdgMMode/WdgMTicksPerSecond`).
1076
There is no WdgMTrigger element associated to Watchdog `%s`.
1081
No drivers found
1082
No Watchdog Interface devices found
1083
Watchdog IF device `%s` references non-existing Watchdog `%s`
1084
Watchdog `%s` references non-existing Watchdog IF device `%s`
1085
`WdgMTicksPerSecond` must not be zero if the Watchdog Manager
uses an external tick counter source for deadline monitoring.
1086
Supervised Entity `%s` contains more than one checkpoint
having an alive counter
1090
No Supervised Entities found!
1091
Transition `%s` references non existing checkpoint `%s` in entity
`%s`.
1092
ECU Description File references non-existing checkpoint `%s` in
Supervised Entity `%s`.
1093
Supervised Entity `%s` contains references to non-existing
checkpoint(s) `%s`.
1094
Global Transition `%s` has non-existing Entity `%s` as source.
1095
Global Transition `%s` has non-existing Entity `%s` as
destination.
1096
WdgMDeadlineSupervision `%s`: `WdgMDeadlineMin` (%s)
is greater than `WdgMDeadlineMax` (%s).
1097
The `%s` value (%s [s]) of `%s` must not be greater than %s [s].
1098
For the INTERNAL_SOFTWARE_TICK the `(1 / WdgMTicksPerSecond[Hz])
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 112
= WdgMSupervisionCycle[s]` relation must be kept;
the configured values for `WdgMTicksPerSecond` (%s) and
`WdgMSupervisionCycle` (%s) do not fulfill this requirement.
1099
This ECU Description File's AUTOSAR version (%s) is
not compatible with the version supported by
this configuration generator (%s)
1100
This ECU Description File's AUTOSAR version (%s) has a different
minor number than the version supported by this configuration
generator (%s)
1101
Watchdog Driver `%s` is configured to have an active
tick counter but the Watchdog Manager is not configured
to have an internal HW timebase.
1102
The Watchdog Manager is configured to use an internal
HW counter but the Watchdog Interface is not.
1103
The Watchdog Interface is configured to use an internal
HW counter but the Watchdog Manager is not
1104
The Watchdog Manager is configured to use an internal HW
tick counter but the Watchdog driver `%s` has no active
tick counter.
1105
Error while reading list of `WdgMCallerIds`
1106
The Watchdog Manager is configured to use an internal HW
tick counter but the Watchdog Interface does not reference
any Watchdog Driver at all.
1107
The Watchdog Manager is not configured to use an internal HW
tick counter but the Watchdog Interface has a reference to
a Watchdog Driver with an internal tick counter.
1108
Every `WdgWatchdog` has to have the same number (either %d
or %d) of associated `WdgMTrigger` elements.
1109
Verify that the Trigger Modes belonging to each trigger have IDs
building a zero-based integer sequence without any gaps
1110
Invalid `WdgMInitialTriggerModeId` value (%d).
1111
The `SafeTcore` platform requires `WdgWindowStart` = 0 [ms].
(Current value: %s)
1112
`WdgMWatchdogMode` is set to `WDGIF_OFF_MODE`:
`WdgMTriggerConditionValue` and `WdgMTriggerWindowStart`
will be ignored
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 113
1113
Ticks per second must be greater than zero
1114
Multiple `WdgMDeadlineSupervision` elements defined for
the transition from %s/%s to %s/%s
1115
OS partition reset is currently not supported.
1116
The current version supports only configurations having only one
Watchdog, one IF device and one driver.
1119
The value 65535; e.g., 2^16 -1, must not be assigned to any
of these elements: `WdgMFailedDeadlineRefCycleTol`,
`WdgMFailedProgramFlowRefCycleTol` and
`WdgMFailedSupervisionRefCycleTol`.
1120
Cannot find a VALUE element for
`...WdgMConfigSet/WdgMMode/WdgMInitialTriggerModeId’
1121
Cannot find a VALUE element for
...WdgMConfigSet/WdgMMode/WdgMTrigger/WdgMTriggerModeId`
1122
Global transition connecting checkpoints `%s` and `%s`
in the same entity `%s` is not allowed.
1123
`WdgMSupervisionCycle` (%s) is not greater than zero
1124
Watchdog `%s`, trigger mode ID %s: `WdgMTriggerConditionValue`
is not greater than zero.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Configuration Generation
Page 114
5
Appendix
List of Generator and Verifier checks.
5.1
Watchdog Manager Configuration Verifier Requirements
5.1.1
General Remarks
The verifier detects three kinds of errors:
1. deltas between the ECU Description File (EDF) and the generated configuration,
2. errors in the configuration which might have a negative impact on the  embedded
code (worst case could be to make it crash),
3. integrity checks already required to be implemented by the generator.
5.1.2
General Requirements
The  S-WdgM  Verifier  must  handle  a  (broken)  configuration  with  no  supervised
entities at all (even though the S-WdgM Configuration Generator would not generate a
configuration out of an EDF with no supervised entities at all).
The S-WdgM Verifier must handle a (broken) configuration with no checkpoints at all
(even though the S-WdgM Configuration Generator would not generate  a  configuration
out of an EDF with no checkpoints at all).
5.1.3
Deltas the S-WdgM Verifier Must Detect between the EDF and the Generated
Configuration
Test No. Requirement
Test 1
The  number  of  CPs  according  to  the  EDF  and  the  number  of  CPs  referenced  by  SEs
entities must match.
Test 2
The  number  of  CPs  according  to  the  EDF  and  the  number  of  CPs  stored  in  the
NrOfAllCheckpoints member of the main structure must match.
Test 3
The number of  local  transitions  according  to  the  EDF  must  match  the  number  of  local
transitions referenced by CPs according to the corresponding NrOfLocalTransitions
members.
Test 4
The number of global transitions  according to the EDF must  match the number of global
transitions
referenced
by
CPs
according
to
the
corresponding
NrOfGlobalTransitions members.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 115
Test 5
The  number  of  SEs  according  to  the  EDF  must  match  the  value  of  the
NrOfSupervisedEntities member of the main structure.
Test 17
The  NrOfStartedGlobalTransitions  value  of  a  CP  must  match  the  number  of
global transitions having that CP as a starting point according to the EDF.
Test 19
If an alive supervision is defined for a CP,  then the WdgMExpectedAliveIndications
65  member of that CP must  match the number of expected alive indications  of the alive
supervision, as specified in the EDF.
Test 20
If an alive supervision is  defined for a CP,  then the WdgMMinMargin 66  member of that
CP  must  match  the  corresponding  attribute  (.../WdgMMinMargin)  in  the  alive
supervision, as specified in the EDF.
Test 21
If an alive supervision is defined for a CP,  then the   WdgMMaxMargin 66  member of that
CP  must  match  the  corresponding  attribute  (.../WdgMMaxMargin)  in  the  alive
supervision, as specified in the EDF.
Test 22
If
an
alive
supervision
is
defined
for
a
CP,
then
the
WdgMSupervisionReferenceCycle 66  member  of  that  CP  must  match  the
corresponding  attribute  (.../WdgMSupervisionReferenceCycle)  in  the  alive
supervision, as specified in the EDF.
Test 27
The  NrOfLocalTransitions  value  of  a  CP  must  be  set  to  the  number  of  local
transitions having that CP as a destination point according to the EDF.
Test 28
The  NrOfGlobalTransitions  value  of  a  CP  must  be  set  to  the  number  of  global
transitions having that CP as a destination point according to the EDF.
Test 32
If no alive supervision is defined for a CP,  then the WdgMExpectedAliveIndications
65  member of that CP must be zero (see Test 19).
Test 33
If no alive supervision is defined for a CP,  then the WdgMMinMargin 66  member of that
CP must be zero (see Test 20).
Test 34
If no alive supervision is  defined for a CP,  then the WdgMMaxMargin 66  member of that
CP must be zero (see Test 21).
Test 35
If
no
alive
supervision
is
defined
for
a
CP,
then
the
WdgMSupervisionReferenceCycle 66  member of that  CP  must  be  zero  (see  Test
22).
Test 37
WdgM_TransitionType->WdgMDeadlineMin 69  must  match  the  corresponding
value in the EDF.
Test 38
WdgM_TransitionType->WdgMDeadlineMax 69  must  match  the  corresponding
value in the EDF.
Test 39
WdgM_GlobalTransitionType->WdgMDeadlineMin 69
must
match
the
corresponding value in the EDF.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 116
Test 40
WdgM_GlobalTransitionType->WdgMDeadlineMax 69
must
match
the
corresponding value in the EDF.
Test 41
The  WdgMitialStatus  value  of  each  SE  must  match  the  value  entered  as
WdgMSupervisedEntityInitialMode 58
for  the
WdgMLocalStatusParams
element assigned to the SE.
Test 42
For
every
entity:
X
must
match
Y,
where
X
is
the
WdgMFailedSupervisionRefCycleTol 57  member  of  an  SE  in  the  generated
configuration and Y is  the element  WdgMFailedSupervisionRefCycleTol 57  in the
WdgMLocalStatusParams defined for the same entity in the EDF.
Test 43
For every entity: X must match Y, where X is the WdgMFailedDeadlineRefCycleTol
58
member  of  an  SE  in  the  generated  configuration  and  Y  is  the  element
WdgMFailedDeadlineRefCycleTol 58  in  the  WdgMLocalStatusParams  defined
for the same entity in the EDF.
Test 44
For every entity: X must match Y, where  X is the WdgMDeadlineReferenceCycle 59
member of a that  supervised entity  in the  generated  configuration  and  Y  is  the  element
WdgMDeadlineReferenceCycle 59  in  the  WdgMLocalStatusParams  defined  for
the same entity in the EDF.
Test 45
For
every
entity:
X
must
match
Y,
where

X
is
the
WdgMFailedProgramFlowRefCycleTol 59  member  of  an  SE  in  the  generated
configuration and Y is  the element  WdgMFailedProgramFlowRefCycleTol 59  in the
WdgMLocalStatusParams defined for the same entity in the EDF.
Test 46
For
every
entity:
X
must
match
Y,
where

X
is
the
WdgMProgramFlowReferenceCycle 60  member  of  a  that  supervised  entity  in  the
generated configuration and Y is  the element  WdgMProgramFlowReferenceCycle 60
in the WdgMLocalStatusParams defined for the same entity in the EDF.
Test 47
Each  SE  in  the  generated  configuration  must  have  its  OSApplication  set  to
WDGM_INVALID_OSAPPLICATION.
Test 85
The set of relations between alive supervisions and CPs in the EDF is  the same as  in the
generated configuration file,  i.e.  each CP  has  on both sides  either  the  same  or  no  alive
supervision associated. Note: Related to Error 1092 111.
Test 86
In the generated configuration file, for each SE: All CPs  that  are referenced in the SE  are
defined  (in  array  WdgMCheckPoint).  Note:  This  includes  the  check  for  references  by
CP-ID and references by address to CP-list item (related to Error 1093) 111 .
Test 89
The  WdgMGeneral
parameter  WdgMVersionInfoApi 40
and  the
constant
WDGM_VERSION_INFO_API 40  defined in WdgM_Cfg_Features.h must match.
Test 90
The  WdgMGeneral
parameter  WdgMDevErrorDetect 38
and  the
constant
WDGM_DEV_ERROR_DETECT 38  defined in WdgM_Cfg_Features.h must match.
Test 91
The
WdgMGeneral
parameter
WdgMDemReport 38
and
the
constant
WDGM_DEM_REPORT 38  defined in WdgM_Cfg_Features.h must match.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 117
Test 92
The  WdgMGeneral  parameter  WdgMDefensiveBehavior 41  and  the  constant
WDGM_DEFENSIVE_BEHAVIOR 41  defined in WdgM_Cfg_Features.h must match.
Test 93
The  WdgMGeneral
parameter  WdgMImmediateReset 39
and  the
constant
WDGM_IMMEDIATE_RESET 39  defined in WdgM_Cfg_Features.h must match.
Test 94
The  WdgMGeneral
parameter  WdgMOffModeEnabled 40
and  the
constant
WDGM_OFF_MODE_ENABLED 40  defined in WdgM_Cfg_Features.h must match.
Test 95
The  WdgMGeneral  parameter  WdgMUseOsSuspendInterrupt 43  and  the  constant
WDGM_USE_OS_SUSPEND_INTERRUPT 43  defined  in  WdgM_Cfg_Features.h  must
match.
Test 96
The  WdgMGeneral
parameter  WdgMTimebaseSource 44
and  the
constant
WDGM_TIMEBASE_SOURCE 44  defined in WdgM_Cfg_Features.h must match.
Test 97
The  WdgMGeneral  parameter  WdgMSecondResetPath 45
and  the  constant
WDGM_SECOND_RESET_PATH 45  defined in WdgM_Cfg_Features.h must match.
Test 98
The  WdgMGeneral  parameter  WdgMTickOverrunCorrection 46  and  the  constant
WDGM_TICK_OVERRUN_CORRECTION 46  defined  in  WdgM_Cfg_Features.h  must
match.
Test 99
The  WdgMGeneral  parameter  WdgMEntityDeactivationEnabled 47  and  the
constant
WDGM_ENTITY_DEACTIVATION_ENABLED 47
defined
in
WdgM_Cfg_Features.h must match.
Test 100
The  WdgMGeneral  parameter  WdgMStateChangeNotification 47
and  the
constant
WDGM_STATE_CHANGE_NOTIFICATION 47
defined
in
WdgM_Cfg_Features.h must match.
Test 101
The  WdgMGeneral  parameter  WdgMUseRte 42  and  the  constant  WDGM_USE_RTE 42
defined in WdgM_Cfg_Features.h must match.
Test 102
The  WdgMGeneral  parameter  WdgMDemSupervisionReport 42  and  the  constant
WDGM_DEM_SUPERVISION_REPORT 42  defined  in  WdgM_Cfg_Features.h  must
match.
Test 103
The  WdgMGeneral  parameter  WdgMFirstCycleAliveCounterReset 48  and  the
constant
WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET 48
defined
in
WdgM_Cfg_Features.h must match.
Test 104
The value WDGM_GLOBAL_TRANSITIONS in WdgM_Cfg_Features.h must  be STD_ON
if the configuration includes global transitions and STD_OFF otherwise.
Test 105
The value WDGM_AUTOSAR_3_1_X_COMPATIBILITY in WdgM_Cfg_Features.h must
be STD_ON if there is  at  least  one SE  with  its  attribute  WdgMSupportedAutosarAPI
62  set to the enumeration value API_3_1. Otherwise this value must be STD_OFF.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 118
Test 106
The  value  WDGM_MULTIPLE_TRIGGER_MODES  must  be  STD_ON  if  WdgMTrigger
elements  have  more  than  one  WdgMTriggerMode  subelement.  Otherwise  this  value
must be STD_OFF. Note: It is required elsewhere that  all triggers  have the same amount
of trigger modes. Therefore you can take any trigger for performing this test.
5.1.4
Integrity Checks
Test No. Requirement
Test 18
If the WdgMIsEndCheckpointGlobal value of a CP is TRUE, then that CP must not  be
the source of any global transition.
Test 23
The WdgMAliveLRef value of a CP  must  only  be NULL_PTR  if  and  only  if  there  is  no
alive supervision defined for that CP.
Test 24
The WdgMAliveGRef value of a CP  must  only  be NULL_PTR  if  and  only  if  there  is  no
alive supervision defined for that CP.
Test 25
The WdgMDeadlineMonitoring value of a CP  must  be set  to TRUE if that  CP  is  the
source  or  destination  of  at  least  one  transition  with  associated  deadline  monitoring.
Otherwise this value will be set to FALSE.
Test 26
The WdgMOutgoingDeadlineMax value of a CP must be set  to the maximum deadline
associated to any of the transitions having that CP as a starting point.
Test 29
The  WdgMLocalTransitionRef  member  of  a  CP  must  be  set  to  NULL_PTR  if  and
only if there are no local transitions having that CP as a destination point.
Test 30
The WdgMGlobalTransitionsRef member of a CP  must  be set  to NULL_PTR if and
only if there are no global transitions having that CP as a destination point.
Test 31
The WdgMStartsAGlobalTransition value of a CP must be set to TRUE if that CP is
the starting point of a global transition. Otherwise this value must be set to FALSE.
Test 48
The
following
condition
must
be
fulfilled
for
each
SE:
Either
WdgMFailedProgramFlowRefCycleTol 59
is
greater
than
zero,
or
WdgMProgramFlowReferenceCycle 60  is zero (see Error 1053 109)
Test 49
The
following
condition
must
be
fulfilled
for
each
SE:
Either
WdgMFailedDeadlineRefCycleTol 58
is
zero,
or
WdgMDeadlineReferenceCycle 59  is greater than zero (see Error 1054 109 ).
Test 50
The
following
condition
must
be
fulfilled
for
each
SE:
Either
WdgMFailedDeadlineRefCycleTol 58
is
greater
than
zero,
or
WdgMDeadlineReferenceCycle 59  is zero (see Error 1055 110).
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 119
Test 51
The following condition must be fulfilled for systems with internal software timebase
source: The shortest WdgMDeadlineMax 69
greater zero value among all
WdgMDeadlineSupervision
elements
must
be
greater
or
equal
to
WdgMSupervisionCycle 52 (see Error 1059 110 ).
Test 52
The following condition must be fulfilled: 1 / WdgMTicksPerSecond 51 ) <=
WdgMSupervisionCycle 52 (see Error 1060 110 ).
Test 53
The WdgMSupervisionCycle 52 stored in the EDF must be greater than zero (see
Error 1123 113).
Test 54
The following condition must be fulfilled: 0 < ticks_per_second <= rti_hz / 2.
Test 55
The targeted precision must
fulfill the following condition:
int
(round
(ticks_per_second * window_start * 0.001)) <= 65535. Note: 65535 is
the maximum 16-bit integer (see Error 1075 111).
Test 56
The targeted precision must
fulfill the following condition:
int
(round
(ticks_per_second * condition_value * 0.001)) <= 65535. Note: 65535
is the maximum 16-bit integer (see Error 1075 111 ).
Test 57
Each WdgMWatchdog element must have a WdgMTrigger value associated to it (see
Error 1076 111).
Test 58
In each SE, there must be a maximum of one CP having an alive counter (see Error 1086
111 ).
Test 59
Make sure that transitions reference existing CPs (see Error 1091 111).
Test 60
Make sure that global transitions reference only existing SEs as source (see Error 1094
111 ).
Test 61
Make sure that global transitions reference only existing SEs as destination (see Error
1095 111).
Test 62
The minimum deadline of each WdgMDeadlineSupervision element must be less or
equal to the maximum deadline (see Error 1096 111 ).
Test 63
No deadline value must be greater than (1 / tps) * MAX_16_BIT_VALUE (see
Error 1097 111).
Test 64
The following condition must be fulfilled for configurations with an internal software tick
counter source: (1 / WdgMTicksPerSecond[Hz]) = WdgMSupervisionCycle
[s] (see Error 1098 111 ).
Test 65
The trigger modes belonging to each trigger must build a zero-based list of increasing
integers without a gap (see Error 1109 112).
Test 66
Every transition must have no more than one WdgMDeadlineSupervision element
assigned to it (see Error 1114 113).
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 120
Test 67
The WdgMProgramFlowMonitoring boolean value of an SE must  be true if and only  if
there are local or global transitions starting or ending in any of the CPs of that SE.
Test 87
All defined Watchdog devices in the EDF must  have the same number of WdgMTrigger
elements. Note: Not necessarily the same modes with respect to mode settings.
Test 88
The following condition must  be fulfilled:  (WdgMFailedProgramFlowRefCycleTol =
0) OR (WdgMProgramFlowRefCycle > 0). Note: Related to Error 1052 109.
Test 107
The WdgMTriggerTimeout field in each element  in  the  WdgMTriggerMode  array  (of
type WdgM_TriggerModeType) must have a value greater than zero (Error 1124 113 ).
5.1.5
Errors To Be Detected by the Verifier to Protect the Embedded Code
Test No. Requirement
Test 6
The WdgMSupervisedEntityRef value of the   main structure shall be a NULL pointer
if and only if the number of SEs according to the EDF is zero.
Test 7
The EntityStatusLRef member of each SE must not be a NULL pointer.
Test 8
The EntityStatusGRef member of each SE must not be a NULL pointer.
Test 9
The WdgMAliveLRef member of each checkpoint  shall be NULL_PTR if and only  if the
member WdgMAliveGRef in the same SE is NULL_PTR.
Test 10
The main WdgM_ConfigType structure shall have its DataGSRef member set to a non-
NULL pointer.
Test 11
The main WdgM_ConfigType structure shall have its  DataGRef member set  to a non-
NULL pointer.
Test 12
The main WdgM_ConfigType structure shall have its  EntityGSRef  member  set  to  a
non-NULL pointer.
Test 13
The  main  WdgM_ConfigType  structure  shall  have  its  GlobalTransitionFlagsGS
member set to NULL if and only if there are no global transitions.
Test 14
The  value  of  WdgM_GlobalTransitionType->GlobalTransitionFlagId  must
match the position of the current element in the WdgM_GlobalTransitionType array.
Test 15
The EntityStatusLRef member of each SE must point to a unique variable.
Test 16
The EntityStatusGRef member of each SE must point to a unique variable.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 121
Test 68
The CPs  belonging to each SE  must  have IDs  that  build a  zero-based  list  of  increasing
integers without a gap (see Error 1001 108).
Test 69
Each SE must have at least one CP (see Error 1016 108 ).
Test 70
There  must  be  either  a  global  transition  or  a  local  transition  for  every
WdgMDeadlineSupervision element (see Error 1031 109).
Test 71
The ID of each SE  must  be unique  (see  Error  1062 110).  Note:  Actually  superseded  by
handling of Error 1071 111 . See below.
Test 72
Each SE must have an initial checkpoint (see Error 1064 110).
Test 73
There must  be at  least  one callback  function for the SEs  or for the main structure if  the
flag WDGM_STATE_CHANGE_NOTIFICATION 47  is set to STD_ON (see Error 1066 110).
Test 74
The number of SEs must not be zero (see Error 1090 111 ).
Test 75
The  WdgM_LocalStateChangeCbk  member  of  each  SE  must  point  to  the  callback
function configured for that  SE  according  to  the  EDF.  Otherwise  this  member  must  be
NULL_PTR (see Error 1066 110 ).
Test 76
The  WdgM_GlobalStateChangeCbk  member  of  the  main  structure  must  be
NULL_PTR if no callback function was configured for signaling a global  state change (see
Error 1066 110).
Test 77
The callback functions assigned to SEs must have a unique name (see Error 1068 110 ).
Test 78
CPs  defined as  local end CPs  must  not  have outgoing local  transitions  (see  Error  1069
110 ).
Test 79
CPs defined as local initial CPs must not have incoming local transitions  (see Error 1070
110 ).
Test 80
The SE  IDs  must  build a zero-based list  of increasing integers  without  a  gap  (see  Error
1071 111).
Test 81
If the WdgMFailedSupervisionRefCycleTol 57  of an SE is  set  to  greater  than
zero, then there shall be an alive supervision counter associated to one of the CPs  of that
SE (see Error 1057 110).
Test 82
Each CP configured to be an SE initial CP must have CP ID = 0.
Test 83
The STD_OFF and STD_ON constants must be defined as zero (0) and one (1).
Test 84
The value for WdgMTicksPerSecond 51  must be greater than zero.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Appendix
Page 122
6
Abbreviations
Abbreviation
Description
API
Application Programming Interface
ASIL
Automotive Safety Integrity Level
BswM
Basic Software Module
CP
Checkpoint
DEM
Diagnostic Event Manager
DET
Development Error Tracer
DVC
DaVinci Configurator Pro (by Vector Informatik GmbH)
ECU
Electronic Control Unit
EDF
ECU Description File
ISO
International Organization for Standardization
MCU
Microcontroller Unit
N/A
Not available
OS
Operating System
QM
Quality Managed Software (software development process)
RTE
Run-Time Environment
SCHM
Schedule Manager module (according AUTOSAR 4.0 r1)
SE
Supervised Entity
SEID
Supervised Entity Identifier
SW-C, SWC
Software Component
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Abbreviations
Page 123
Abbreviation
Description
S-Wdg
Safe Watchdog Driver (implementation by TTTech)
S-WdgIf
Safe Watchdog Interface (implementation by TTTech)
S-WdgM
Safe Watchdog Manager (implementation by TTTech)
WD
Watchdog
WdgM
AUTOSAR 4.0 r1 Watchdog Manager
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Abbreviations
Page 124
7
Glossary
Term
Description
Alive Indications
An indication provided by a Supervised Entity Alive counter
to signal its aliveness to the S-WdgM.
Alive Monitoring
A kind of S-WdgM monitoring (supervision) that checks if a
Supervised Entity is executed sufficiently often and  not  too
often.
Checkpoint
A point in the control flow of  a  supervised  entity where  the
activity is reported to the S-WdgM.
Closed Graph
A closed graph is a directed graph where every Checkpoint
is reachable, starting from the local initial Checkpoint.
Configuration Tool
A  tool  used  for  creating  a  S-WdgM  configuration,  e.g,
DaVinci Configurator Pro.
Container
Refers  to  the  AUTOSAR  term  "container".  Represents  a
structure with different parameters.
Deadline Monitoring
Kind of S-WdgM monitoring (supervision) that checks if the
execution time between two Checkpoints is lower or higher
as the configured limits.
Destination
End point of a transition.
Checkpoint
End Checkpoint
The  last  Checkpoint  that  is  monitored  for  a  Supervised
Entity.  After  passing  the  End  Checkpoint,  the  S-WdgM
expects  that  the  entity  is  not  monitored.  To  start  the
monitoring  again  the  Initial  Checkpoint  must  be  passed
first.  A  Supervised  Entity  can  have  zero  or  more  End
Checkpoints.
Error
Discrepancy between a computed, observed or measured
value or condition, and the true, specified or theoretically
correct value or condition.
Failure
Termination of the ability of an element, to perform a
function as required.
Fault
Abnormal condition that can cause an element or an item to
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Glossary
Page 125
fail.
Fault Detection Time
See. S-WdgM Fault Detection Time.
Fault Reaction Time
The  Fault  Reaction  Time  is  the  S-WdgM  Fault  Reaction
Time plus the S-Wdg Fault Reaction Time.
Global
Monitoring Status  that  summarizes  the  Local  Monitoring  Status  of  all
Status
supervised entities.
Global Transition
A global transition is a transition between two  checkpoints
in  the  logical  program  flow  (i.e.,  source  and  destination
checkpoint),  where  the  checkpoints  belong  to  different
supervised entities.
Initial Checkpoint
The  first  Checkpoint  that  is  monitored  in  the  Supervised
Entity. The  monitoring  of  a  Supervised  Entity must  start  at
this Checkpoint. A Supervised Entity has exactly one  Initial
Checkpoint.
Local
Monitoring Status that represents the current result of supervision of  a
Status
single Supervised Entity.
Local Transition
A  Local  Transition  is  the  transition  between  two
checkpoints (i.e., source and destination checkpoint) in the
logical program flow in the same Supervised Entity.
Program
Flow Kind of S-WdgM monitoring (supervision) that checks if the
Monitoring
inspected software is executed  in a  predefined  sequence.
This sequence is defined by the user and collected in the S-
WdgM configuration.
S-WdgM
Fault The  time-span  from  the  occurrence  of  a  fault  to  the
Detection Time
detection of  the  fault  by  the  S-WdgM.  The  detection  of  a
fault
is
indicated
by  a
change
of
the
state
WDGM_LOCAL_STATE_OK
or
WDGM_GLOBAL_STATE_OK to a different state.
It is called diagnostic test interval in [6] 128 , part1.
S-WdgM
Tick Tick  Counter  is  used  for  deadline  monitoring  time
(Counter)
measurement.
Depending
on
the
parameter
WdgMTimebaseSource  the Tick Counter is  incremented
by 1 for each supervision cycle or, for higher precision, with
the API function WdgM_UpdateTickCounter() or with
a hardware counter.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Glossary
Page 126
Safe State
The Safe State is the operating mode of an item without an
unreasonable level of risk ([6] 128, part1).
Safe
Watchdog The  software  module  consisting  of  Safe  Watchdog
Manager Stack
Manager,  Safe  Watchdog  Interface  and  Safe  Watchdog
Driver.
Safe
Watchdog The hardware-independent upper software layer of the Safe
Manager
Watchdog Manager Stack.
(S-WdgM)
Safe
Watchdog The  hardware-independent  middle  software  layer  of  the
Interface
Safe Watchdog Manager Stack.
(S-WdgIf)
Safe  Watchdog  Driver The  hardware-dependent  lowest  layer  of  the  Safe
(S-Wdg)
Watchdog Manager Stack. Controls the Watchdog device.
Source Checkpoint
Start point of a transition.
Supervised Entity
A  software  entity that  is  monitored  by  the  S-WdgM.  Each
supervised  entity  has  exactly  one  identifier.  A  supervised
entity denotes a collection of checkpoints within a software
component or basic software  module.  There  may be  zero,
one or more supervised entities in a software component or
basic  software  module.  Each  entity  has  a  state  that  is
based  on the  states  reported  from  all  its  checkpoints.  All
checkpoints  of  one  entity  belong  to  the  same  memory
context.
Supervision Cycle
The  time  period  of  the  S-WdgM  in  which  the  cyclic
supervision algorithm is performed.
Supervision
The number of Supervision Cycles used as a  reference  by
Reference Cycle
Alive,  Deadline  and  Program  Flow  Supervision  for
periodic supervision. Every kind of supervision has its own
reference cycle.
Timebase Tick
The  S-WdgM  measures  the  deadline  of  a  Transition  in
Timebase  Ticks.  (In  the  context  of  this  document  also
referred to as S-WdgM Tick.)
Note:  The  Timebase  Tick  is  provided  either  by  the  S-
WdgM itself, or it can be provided by an external source.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Glossary
Page 127
Trigger Mode
The  S-WdgM  Trigger  Mode  is  a  set  of  Watchdog  trigger
times and Watchdog mode. One  Trigger  Mode  is  a  group
of the following three parameters:
WdgMTriggerWindowStart
WdgMTriggerConditionValue
WdgMWatchdogMode
Each  Watchdog  device  can  have  one  or  more  Trigger
Modes.
Watchdog Device
The  Watchdog  Device  is  the  hardware  part  which
represents the watchdog  functionality.  It  can be  an internal
watchdog  integrated  on  the  MCU  chip,  or  it  can  be  an
external watchdog device outside the MCU.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Glossary
Page 128
8
References
[1]
AUTOSAR, Specification of Watchdog Manager. 080. V. 2.0.0. Rel. 4.0. Rev. 1.
[2]
AUTOSAR, Specification of Watchdog Interface. 041. V. 2.3.0. Rel. 4.0. Rev. 1.
[3]
AUTOSAR, Specification of Watchdog Driver. 039. V. 2.3.0. Rel. 4.0. Rev. 1.
[4]
TTTech Automotive GmbH, Safe Watchdog Interface, User Manual. D-MSP-M-70-006.
[5]
TTTech Automotive GmbH, Safe Watchdog Manager, Safety Manual. D-SAFEX-S-70-001.
[6]
ISO 26262-2011, Road vehicles – Functional safety. International Standard.
International Organization for Standardization (ISO), 2011.
[7]
AUTOSAR, Specification of Watchdog Manager. 080. V. 1.2.2. Rel. 3.1. Rev. 1.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

References
Page 129
9
License Information
The S-WdgM Configuration Generator is copyright TTTech Automotive GmbH © 2011 –
2012. All rights reserved. The use of the software is subject to TTTech's Standard
Software License Terms for Embedded Software and Software Tools provided together
with the software. In case you don't have access to TTTech's Standard Software
License Terms please contact office@tttech-automotive.com
The S-WdgM Configuration Generator was developed with the Python programming
language (Copyright © 2001-2012 Python Software Foundation; All Rights Reserved) -
For Python parts of the software see PYTHON SOFTWARE FOUNDATION LICENSE
VERSION 2 in the LICENSE file provided with this software.
The S-WdgM Configuration Generator includes the lxml library (Copyright © 2004 Infrae.
All rights reserved) - for the lxml library see the full license text in the LICENSE file
provided with this software.
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Index
Safe Watchdog Manager
Page 130
Index
Entities, checkpoint, transitions     34
Error messages     108
basic errors     108
semantic errors     108
- A -
- F -
Abbreviations     122
Alive counter violation     27
Fault detection time     27
Alive indications     26
Fault reaction time     27
Alive supervision     33
Aliveness     18
- G -
Aliveness parameters     19
Aliveness supervision     26
Global data     97
Aliveness violation     18
Global memory     97
API description     73
Global shared data     97
type definitions     73
Global shared memory     97
Appl_Dem.h     12
Global state     33, 39, 40, 41, 42, 43, 44, 45
Appl_Det.h     12
WdgMExpiredSupervisionCycleTol     33
Appl_Mcu.h     12
Global transitions     15, 22
Appl_Mcu_PerformReset     89
WdgMGlobalTransitionDestRef     22
AUTOSAR 3.1 and 4.0 Compatibility     33
WdgMGlobalTransitionSourceRef     22
Glossary     124
- C -
- I -
Checkpoint     9, 18
destination checkpoint     21
Initial checkpoint     21
end checkpoint     21
Integration     94
initial checkpoint     21
deadline measurement     100
local initial checkpoint     22
initialization of the S-WdgM     94
CheckpointID     78
memory sections     95
Compiler.h     11
tick counter     100
Compiler_Cfg     12
timing setup     97
Configuration generation     102
Introduction     4
output files     107
architecture overview     5
workflow     105
use cases     7
- D -
- L -
Deadline     15
local end checkpoint     22
Deadline monitoring     33
Local entity data     96
Deadline reference cycle     17
Local entity memory     96
Deadline violation     17, 27
Local reflexive transition     22
Default reset path     30
Local state     31
Dem_ReportErrorStatus()     12
Local transition     15, 21
Destination checkpoint     15
Det_ReportError()     12
- M -
- E -
Maximum deadline
WdgMDeadlineMax     15, 69
End checkpoint     21
Maximum reaction time     29
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Index
Safe Watchdog Manager
Page 131
MCU reset     30
local entity state     31
MCU reset state     30
local transition options     67
Mcu_PerformReset()     12
program flow supervision     13
MemMap.h     12
reset path     30
Minimum deadline
safe state     30
WdgMDeadlineMin     15, 69
supervised entity     13
Minimum reaction time     28
supervised entity options     57
supervision cycle     25
- N -
SchM_WdgM.h     12
Secondary reset path     30
SEID     78
Node     9
Std_Types.h     11
- P -
Std_VersionInfoType     76
Supervised entity     6, 9, 13, 18
Supervision cycle     25
PlatformTypes.h     12
main function     25
Primary reset path     30
WdgM_MainFunction()     25
Program flow monitoring     33
WdgMTriggerConditionValue     26, 77
Program flow reference cycle     14
WdgMTriggerWindowStart     26, 77
Program flow violation     27
Supervision reference cycle     31
Program flow violations     14
S-WdgM     9, 122
application level API functions     76
- R -
callback functions     84
expected interfaces     88
Reference cycle     33
system level API functions     84
Reference cycle tolerance     33
type definitions     73
Rte_Type.h     12
S-WdgM supervision cycle     19, 25
Rte_WdgM_Type.h     12
S-WdgM Verifier     103
- S -
- T -
Safe state     27, 30
Tolerance value     31
Safe Watchdog Manager     9
Tolerances     36
alive counter options     65
Transition     9, 15
alive supervision     18
global     15
API description     73
local     15
basic functionality     13
local reflexive     22
checkpoint options     65
WdgMDeadlineStartRef     15, 70
configuration parameters     38
WdgMDeadlineStopRef     15, 70
deadline monitoring     15
deviations from AUTOSAR 4.0 r1     34
- W -
ECU description configuration     72
fault reaction time     27
Watchdog and Reset     36
file structure     10
WDGIF_MODE_OFF     40
general settings     49
WdgIf_Types.h     11
global deadline options     69
WdgIfDeviceRef     55
global preprocessor settings     38
WdgInitialTimeout     99
global state     33
WdgM.c     11
global transition options     68
WdgM.h     11
global transitions     22
WdgM_ActivateAliveSupervision(SEID)     91
local deadline options     69
WdgM_ActivateSupervisionEntity()     37, 47, 82
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Index
Safe Watchdog Manager
Page 132
WdgM_Cbk_GptNotification()     93
WDGM_STATE_CHANGE_NOTIFICATION     47
WdgM_Cfg.h     11
WdgM_SupervisedEntityIdType     73
WdgM_Cfg_Features.h     11, 33
WDGM_TICK_OVERRUN_CORRECTION     46
WdgM_Checkpoint.c     11
WdgM_TimeBaseTickType     75
WdgM_CheckpointIdType     74
WdgM_UpdateAliveCounter(SEID)     91
WdgM_CheckpointReached()     13, 18, 78, 96
WdgM_UpdateTickCounter()     99
WdgM_ConfigType     73
WdgMAliveSupervisionCheckpointRef     67
WdgM_DeactivateAliveSupervision(SEID)     92
WdgMAppTaskRef     64
WdgM_DeactivateSupervisionEntity()     37, 47, 81
WdgMCallerId     48
WdgM_Delnit()     37
WdgMCheckpointId     65
WDGM_DEM_REPORT     38
WdgMConfig_Mode0     107
WDGM_DEV_ERROR_DETECT     38
WdgMDeadlineMax     15, 69
WDGM_E_CPID     78
WdgMDeadlineMin     15, 69
WDGM_E_NO_INIT     78
WdgMDeadlineReferenceCycle     18, 33, 59
WDGM_E_PARAM_SEID     78
WdgMDeadlineStartRef     15, 70
WDGM_E_PARAM_STATE     78
WdgMDeadlineStopRef     15, 70
WDGM_ENTITY_DEACTIVATION_ENABLED     47
WdgMDefensiveBehavior     41
WDGM_EXTERNAL_SOFTWARE_TICK     44
WdgMDemReport     38
WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET
WdgMDemSupervisionReport     42
48, 95
WdgMDevErrorDetect     37, 38
WdgM_GetAliveSupervisionStatus(SEID, *status)
WdgMEnableEntityDeactivation     47, 61
91
WdgMEntityDeactivationEnabled     47
WdgM_GetGlobalStatus()     79
WdgMExpectedAliveIndications     19, 65
WdgM_GetGlobalStatus(*status)     91
WdgMExpiredSupervisionCycleTol     33, 53
WdgM_GetLocalStatus()     79
WdgMFailedDeadlineRefCycleTol     18, 33, 58
WdgM_GetMode()     77
WdgMFailedProgramFlowRefCycleTol     14, 33, 59
WdgM_GetMode(*Mode)     91
WdgMFailedSupervisionRefCycleTol     33, 57
WdgM_GetVersionInfo()     92
WdgMFirstCycleAliveCounterReset     18, 48
WDGM_GLOBAL_STATE_STOPPED     43
WdgMGlobalCheckpointFinalRef     53
WdgM_GlobalStatusType     75
WdgMGlobalCheckpointInitialRef     54
WdgM_GssChangeCbk(status)     92
WdgMGlobalMemoryAppTaskRef     49
WDGM_IMMEDIATE_RESET     31, 39
WdgMGlobalStateChangeCbk     49, 84
WdgM_Init(&Config)     92
WdgMGlobalTransitionDestRef     22, 68
WdgM_Init()     95
WdgMGlobalTransitionSourceRef     22, 69
WDGM_INTERNAL_HARDWARE_TICK     45
WdgMImmediateReset     39
WDGM_INTERNAL_SOFTWARE_TICK     45
WdgMInitialTriggerModeId     50
WdgM_IssChangeCbk(status)     92
WdgMLocalCheckpointFinalRef     63
WDGM_LOCAL_STATUS_DEACTIVATED     21, 82
WdgMLocalCheckpointInitialRef     64
WDGM_LOCAL_STATUS_FAILED     81
WdgMLocalStateChangeCbk     63, 84
WDGM_LOCAL_STATUS_OK     81
WdgMLocalStatusSupervisedEntityRef     61
WdgM_LocalStatusType     74
WdgMLocalTransitionDestRef     21, 67
WdgM_MainFunction()     25, 27, 95, 97
WdgMLocalTransitionSourceRef     21, 68
WdgM_MainFunction_AliveSupervision()     93
WdgMMaxMargin     19, 66
WdgM_MemMap.h     11, 50, 96, 106
WdgMMinMargin     19, 66
WdgM_ModeType     74
WdgMModeID     50, 56
WdgM_OSMemMap.h     11, 50, 96, 106
WdgMOffModeEnabled     40
WdgM_PBcfg.c     11
WdgMProgramFlowReferenceCycle     14, 26, 33, 60
WdgM_PBcfg.h     11
WdgMSecondResetPath     45
WdgM_PerformReset()     80
WdgMStateChangeNotification     47
WDGM_SECOND_RESET_PATH     30, 33, 45
WdgMSupervisedEntityId     61
WdgM_SetMode()     76
WdgMSupervisedEntityInitialMode     58
WdgM_SetMode(Mode)     90
WdgMSupervisionCycle     19, 52, 53, 99
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Index
Safe Watchdog Manager
Page 133
WdgMSupervisionReferenceCycle     19, 33, 66
WdgMSupportedAutosarAPI     62, 90
WdgMTickOverrunCorrection     46
WdgMTicksPerSecond     51, 99
WdgMTimebaseSource     44
WdgMTriggerConditionValue     26, 56, 77, 99
WdgMTriggerModeId     51
WdgMTriggerWatchdogRef     57
WdgMTriggerWindowStart     26, 56, 77, 99
WdgMUseOsSuspendInterrupt     43
WdgMUseRte     42
WdgMVersionInfoApi     40
WdgMWatchdogMode     55, 77
WdgMWatchdogName     54
WdgWindowStart     99
- Z -
Zero alive indication     20
Safe Watchdog Manager 3.3.1
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-001
TTTech Automotive Confidential and Proprietary

Document Outline

28.13 - WdgM Integration Manual

Integration Manual

For

WdgM

VERSION: 1

DATE: 01/15/16

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA

Location: The official version of this document is stored in the Nexteer Configuration Management System.

Revision History

Sl. No.	Description	Author	Version	Date
1	Initial version	Lucas Wendling	1.0	01/15/16

Table of Contents

3.2 Global Functions(Non RTE) to be provided to Integration Project 6

4.2 Configuration Files to be provided by Integration Project 7

Summary Sheet
Synergy Project
Source Code
PolySpace
Integration Manual

Abbrevations And Acronyms

Abbreviation	Description

References

This section lists the title & version of all the documents that are referred for development of this document

Sr. No.	Title	Version

Dependencies

SWCs

Module	Required Feature

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

API usage and scheduling of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

NxtrWdgM_Init

NxtrWdgM_Init is a trusted function interface for WdgM_Init. This is currently needed because an include order issue prevents the Os from visibility to the configuration structure passed into WdgM_Init, so the trusted function cannot be directly called. This function is only needed in a project if the WdgM_Init function is called from a non-trusted application task context (which is the typical scenario).

If this function is needed (based on if WdgM_Init needs to be called from a non-trusted task context), the following needs to be done for integration:

Include NxtrWdgM.gpj as a subrproject in the integration project gpj file.
Configure the Os with a trusted function call named “NxtrWdgM_Init”. This has a void return with no passed parameters (void).
In the startup sequence when WdgM_Init would need to be called, the trusted function needs to be called “Call_NxtrWdgM_Init”

If this function is not needed (if WdgM_Init already is called from a trusted task context), the integrator can exclude NxtrWdgM.gpj from the integration project gpj file and WdgM_Init API can be directly called.

Configuration REQUIREMeNTS

Configuration of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

Build Time Config

Modules	Notes

Configuration Files to be provided by Integration Project

N/A

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	Notes

Manual Configuration Changes

Constant	Notes	SWC

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

Required Global Data Outputs

Specific Include Path present

Yes

Runnable Scheduling

API usage and scheduling of BSW components expected to be captured at a project architectural level and is beyond the scope of this document. Third party documentation can be referenced as needed.

Init	Scheduling Requirements	Trigger
NxtrWdgM_Init	See section 3.2 for details on if this function is required

Runnable	Scheduling Requirements	Trigger

.

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

NvM Blocks

Compiler Settings

Preprocessor MACRO

Optimization Settings

Appendix

<This section is for appendix>

28.14 - WdgM Peer Review Checklists

Overview

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. WdgM

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. WdgM_Vector_Ar4.0.3_03.03.03_1

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3183

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 3: Source Code

Rev 1.2

8-Jun-15

Peer Review Meeting Log (Source Code Review)

Source File Name:

NxtrWdgM.c

Source File Revision:

1

Header File Name:

NxtrWdgM.h

Header File Revision:

kzshz2: Intended Use: Identify which version of the source file is being review. Rationale: Required for traceability between source code and review. Auditors will likely require this. 1

MDD Name:

N/A

Revision:

N/A

FDD/SCIR/DSR/FDR/CM Name:

N/A

Revision:

N/A

Quality Check Items:

Rationale is required for all answers of No