This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Watchdog Interface

1: S-WdgIf_ReleaseNotes
2: S-WdgIf_ReleaseNotes_ind
3: S-WdgIf_ReleaseNotess
4: S-WdgIf_SafetyCase
5: S-WdgIf_SafetyCase_ind
6: S-WdgIf_SafetyCases
7: S-WdgIf_SafetyManual
8: S-WdgIf_SafetyManual_ind
9: S-WdgIf_SafetyManuals
10: S-WdgIf_UserManual
11: S-WdgIf_UserManual_ind
12: S-WdgIf_UserManuals
13: WdgIf Peer Review Checklists

Watchdog Interface

Component Documentation

1 - S-WdgIf_ReleaseNotes

Release Notes

2 - S-WdgIf_ReleaseNotes_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15

3 - S-WdgIf_ReleaseNotess

Ensuring Reliable Networks

Safe Watchdog Interface
Release Notes

Author:
TTTech
Security:
Confidential
Document number:
D-SAFEX-RP-70-014
Document version:
3.3.6
Date:
24.04.2015
Status:
released
Review:
VLE

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any from or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no
further obligation in relation to this document.
Copyright © 2009, TTTech Automotive GmbH. All rights reserved. Subject to change and corrections

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  2

Revision Chart
A revision is a new edition of the document and affects all sections of this document.

Document  Date
Responsible Person
Modification
Version
1.0.0
14.12.2011
VLE
Initial version for the S-WdgIf Subpackage 1.2.0
1.0.1
09.02.2012
VLE
Macro checks implemented
1.0.2
09.03.2012
JDU
Increased Subpackage version number (due to
new config generator)
1.0.3
13.04.2012
VLE
Update due to Release 1.7.0
1.0.4
25.05.2012
VLE
Update due to Release 1.8.0
1.0.5
07.09.2012
PPU
Update due to Release 1.9.0
2.0.3
25.10.2012
PPU
Test release 2.0.3 to check the delivery
structure. This is NOT a customer release!
3.0.1
16.11.2012
PPU
WdgIf_GetTickCounter() API changed therefore
also the major version changed to 3.
3.1.0
11.01.2013
PPU
Generators works now with unsupported Wdg
Drivers
3.1.1
05.04.2013
JDU
Configuration generator update
3.1.5
29.11.2013
JDU
Configuration generator update
3.2.0
19.02.2014
PPU
Autosar 4 update and bug fixes, beta version
3.3.0
21.03.2014
PPU
Update and bug fixes for Autosar 4 environment
compatibility. Backward compatibility to Autosar
3.1 environment added too.
3.3.1
10.04.2014
PPU
Generator bug fix for Autosar compatible driver
3.3.2
27.05.2014
PPU
Release for the AUTOSAR 4.0 and AUTOSAR
3.1 compatible S-WdgIf module
3.3.3
14.08.2014
PPU
Safety Case document release
3.3.4
24.11.2014
PPU
Bugfix release for WdgIf embedded code
3.3.5
20.02.2015
PPU
Bugfix release, Generator only
3.3.6
24.04.2015
PPU
Bugfix release, Generator only
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  4
1
Overview
The Safe Watchdog Interface (S-WdgIf) is the middle layer of the Safe Watchdog Manager Stack. The
Safe Watchdog Manager Stack is part of the service layer of the AUTOSAR architecture. The Safe
Watchdog Interface abstracts one or more Safe Watchdog Driver modules for the Safe Watchdog Manager
module.

The Safe Watchdog Interface consists of
  embedded software module and
  configuration generator.

The Safe Watchdog Interface is compatible to the WdgIf module as specified in the AUTOSAR 4.0 and
AUTOSAR 3.1 specifications but not fully compliant. For deviations and justifications please see the S-WdgIf
User Manual.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  5
2
Content of the Module Release

Title
Version*)
Author
Description
WdgIf/
3.3.6
TTTech
S-WdgIf Module
  S-WdgIf_ReleaseNotes.pdf

  Description/
3.3.6
TTTech

  WdgIf_Bswmd_A4.arxml

AUTOSAR 4.x file
  WdgIf_Bswmd.arxml

AUTOSAR 3.y file
  Doc_SafetyCase/
1.2.0

  S-WdgIf_SafetyCase.pdf

Safety Case document
  Doc_SafetyManual/
1.8.9

  S-WdgIf_SafetyManual.pdf

  Doc_TechRef/
1.9.4
TTTech

  S-WdgIf_UserManual.pdf

User Manual
  Generator/
3.3.27
TTTech

  LICENSE

  Wdg_If_Cfg_Gen.exe

S-WdgIf Configuration Generator
  GenTool_Ead/
1.0.0
TTTech

  Identifier.xml

  Identifier_A4.xml

  Implementation/
3.3.6
TTTech

  WdgIf.c

Watchdog Interface Code
  WdgIf.h

Watchdog Interface Code
  WdgIf_Cfg.h

Watchdog Interface Code
  WdgIf_Types.h

Watchdog Interface Code
*) Bold/blue version numbers are new artefacts delivered in this release. The non-bold artefacts are the
previously released compatible artifacts. All artefacts listed here are consistent.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  6
3
Quality level of current release
The content of this release is configuration generator only. As the configuration generator has QM
quality, for an ASIL application the output of the generator need to be verified, see Safety Manual for
S-WdgIf,  D-SAFEX-S-70-005.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  7
4
Change history
This chapter describes the changes in each released version.

4.1
Changes with version 3.3.6
Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
76479  G

Safe Execution - WdgIF Generator - Error
S
when generating function names for AS3
drivers delivered by TTTech
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation
4.2
Changes with version 3.3.5
Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
44900  G

WdgIf: Multiple Wdg Modules and
S
WdgIfDevices are not allowed
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.3
Changes with version 3.3.4
Based on the ESCAN00079353 following changes in the S-WdgIf module was done:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
68905  E
wk44
AUTOSAR API –
S
Wdg_SetTriggerCondition has no
return value (ESCAN00079353)

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  8
69579  G
wk46
Mismatch re Vendor-ID and
S
WDGIF_USE_AUTOSAR_DRV_API is an
error condition
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.4
Changes with version 3.3.3
S-WdgIf module was not changed, only Safety Case document added.

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
65369  all

Release Management Tasks for 1.26.1 CW
S
31/2014

4.5
Changes with version 3.3.2
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
62326  all

Safe Execution Release 1.26.0 - Release
S
Management Tasks
(collection of issues for this release)

4.6
Changes with version 3.3.1
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
61768  G
Wk15
SafeExecution - Deactivate cross-cutting tests  S
to avoid problems with AS3-compatible Third-
Party Drivers

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  9

4.7
Changes with version 3.3.0
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
61023  G+E

Issue collection for Autosar4.x S-WdgM
S
issues and Autosar compatibility of the S-
WdgIf module.

4.8
Changes with version 3.2.0
S-WdgIf module changes and corrections:

Issue
Area
Found  Issue title
Release
Nr.
in Wk
status
59931  G+E

API and generator points for AUTOSAR 4,
S
reported by Vector

4.9
Changes with version 3.1.5
S-WdgIf module changes and corrections:

Issue
Area  Found
Issue title
Release
Nr.
in Wk
status
58478  G
Wk 48
MPC5643L_ATA5021 is no “third-party” driver  S
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.10  Changes with version 3.1.1
S-WdgIf module changes and corrections:

Issue
Area  Found
Issue title
Release
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  10
Nr.
in Wk
status
51694  G
Wk 5
`#include WdgIf.h` in `WdgIf_Lcfg.c`
S
52056  G
Wk 7
Avoid ugly linebreaks inside comments
S
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.11  Changes with version 3.1.0
S-WdgIf module changes and corrections:

Issue
Area  Found
Issue title
Release
Nr.
in Wk
status
50131  G
Wk45
WdgM and WdgIf config generators must
S
work together with unsupported Wdg Drivers
Release status:
S … solved, O … open,  C … Closed as obsolete
Area:
E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … Tests
D … documentation

4.12  Changes with version 3.0.1
S-WdgIf module changes and corrections:

Embedded Code changes:
  [48993] WdgIf_GetTickCounter(ptr) API changed to WdgIf_GetTickCounter(void)

Generator changes:
  none

Documentation changes:
  Documentation updated according to [48993]

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  11
4.13  Changes with Release 1.9.0: S-WdgIf SubPackage 2.0.2
  Internal modifications to match AUTOSAR’s null pointer macro
4.14  Changes with Release 1.8.0: S-WdgIf SubPackage 1.4.0
  Internal modifications to match AUTOSAR’s null pointer macro
4.15  Changes with Release 1.7.0: S-WdgIf SubPackage 1.3.0
  Support for internal tick counter (provided by an S-Wdg driver)
4.16  Changes with Release 1.6.0: S-WdgIf Subpackage 1.2.1
  Internal modifications to config generator
4.17  Changes with Release 1.5.0: S-WdgIf Subpackage 1.2.0
  Checks for completeness of AUTOSAR macros (such as STD_ON) implemented
4.18  Changes with Release 1.2.0: S-WdgIf Subpackage
  This is the initial implementation of the Safe Watchdog Interface.

  The code generator for the S-WdgIf has no further changes in its hardware-independent part.

  The code generator for the S-WdgIf has implemented support for further hardware platforms and/or
changes in its hardware-specific part so that the S-WdgIf can be linked to a specific S-Wdg driver.
For further information please refer to the S-Wdg release notes.
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  12
5
Test status
Integration test of the generator were performed. A total of 93 integration test cases were executed.

All test results are positive.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  13
6
Known issues, limitations, updates
Known issues:
  No known issues.

Functional limitations of current version:
  No known limitations.
Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  14
7
Differences to AUTOSAR specification
Depending on the configuration parameter ‘WdgIfUseAutosarDrvApi’ the  API to the Wdg driver is either
AUTOSAR or TTTech compatible. For details see S-WdgIf User Manual.

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

Ensuring Reliable Networks
Project Name:
Safe Watchdog Interface

Document Title:  Release Notes
Ref.:  D-SAFEX-RP-70-014
Page  15
8
Abbreviation and glossary
Acronym /
Term
Meaning
S-WdgIf
Safe Watchdog Interface (TTTech product, platform independent module)
S-Wdg
Safe Watchdog Driver (TTTech product, platform dependent module)
WdgIf
Watchdog Interface (module according AUTOSAR specification)
Wdg
Watchdog Driver (module according AUTOSAR specification)

Date:   24.04.2015
File name:  S-WdgIf_ReleaseNotes.doc
© TTTech-Automotive GmbH
Version:   3.3.6
Author:
TTTech

4 - S-WdgIf_SafetyCase

Safety Case

5 - S-WdgIf_SafetyCase_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8

6 - S-WdgIf_SafetyCases

Ensuring Reliable Networks

Safe Watchdog Interface
Safety Case

Author:
TTTech
Reviewer(s):
PPU
Reference:
D-SAFEX-IN-70-002
Security:
Confidential
Version:
1.2.0
Date:
2014-11-20
Status:
Released

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no
further obligation in relation to this document.
Copyright © 2010, TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 2

Revision Chart
A revision is a new edition of the document and affects all sections of this document.

Version
Date
Responsible Person
Modification
0.1.0
2012-07-02
PPU
Creation
0.2.0
2012-07-19
PPU
Corrected ISO/DIS -> ISO
0.3.0
2012-09-27
PPU
Added S-WdgM Stack chapter
0.4.0
2012-10-01
PPU
Versions of artefacts updated
1.0.0
2012-10-01
PPU
Version of this document updated
1.0.1
2012-10-03
PPU
Document derived from common
Safety Case document ver. 1.0.0. It contains
now the S-WdgIf unit only.
Content against 1.0.0 not changed.
1.0.2
2012-10-04
PPU
In the chapter 2 the RAD reference removed
and the provided ISO lifecycles added.
1.0.3
2012-11-16
PPU
Update of the collected document versions.
1.0.4
2012-11-19
PPU
Update after issue50199.
1.0.5
2013-01-11
PPU
Update after second TÜV assessment
1.1.0
2014-07-28
VLE
Update of the collected document versions
(issue65369)
1.1.1
2014-08-13
VLE
Update after PPU review.
1.2.0
2014-11-20
VLE
Update of the collected document versions
(issue69469)

Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 4
1
Purpose of this Document
This document represents the safety case for the Safe Watchdog Interface unit. The Safe
Watchdog Interface is a part of the Safe Watchdog Manager Stack.

It references all relevant documents to provide evidence that the software units have been
developed according to ISO26262 requirements for an ASIL D software unit [ISO].

2
Software Safety Lifecycle Documentation
The software units represent SEooC units according to ISO26262. The following software safety
lifecycles were executed as part of the development process of the software units:

Concept phases:
  3-7 Hazard analysis and risk assessment *)
  3-8 Functional Safety Concept *)

Product development at the system level:
  4-6 Technical Safety Concept *)
  4-7 System Design *)

Product development at the software level:
  6-5: Initiation of product development at the software level *)
  6-8: Software unit design and implementation *)
  6-9: Software unit testing *)

Supporting processes:
  8-7 Configuration management
  8-8 Change management
  8-9 Verification
  8-10 Documentation
  8-11 Confidence in the use of software tools

*) As far as related to the S-WdgIf as SEooC

Part 6-6 deals with safety requirements, which are always defined on system level. For the
development of the SEooC, we have made assumptions on the safety requirements, which are
described in the corresponding SEooC safety manuals. The system integrator must verify that the
SEooC fits to the actual system safety requirements.

The other software safety lifecycle phases described by ISO26262 have to be executed by the
system integrator.

The following subsections list the software safety lifecycle artifacts of the software units:
Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 5
  Safety manuals as .pdf files,
  Source code delivered to customer as pointer to the code location,
  Requirement, design documentation, and test specification as references to the respective
documents in the MKS repository. They are identified by MKS document id and the document
version number,
  Test results as .doc or .pdf files

The customer delivery contains user manuals, safety manuals and source code. All other artifacts
can be audited by the customer on request – either on-site in TTTech Vienna development
location, or via teleconference (e.g. Webex).

The verification and confirmation measures as required by ISO26262 has been executed as
described in the Software Project Plan.

The evidence for the execution of all verification and confirmation measures as required by
ISO26262 are version-controlled in the following directory:
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/certification/sqa/s-wdgm/evidence

The conformity of the development processes of the S-WdgM Stack with ISO 26262 has
been assessed in a process audit [AUDIT_S-WdgM].

2.1
Safe Watchdog Interface
2.1.1  Software Requirements Document (SRD)
This document describes the software requirements for Safe Watchdog Interface. The SRD
represents the software unit high-level requirements as required by ISO 26262 – 6, clause 6.

Document Title
Safe Watchdog Interface - Software Requirements Document
Document Version
1.0.8
Document Number
D-SAFEX-S-70-002
Location
MKS 125936
Label
Release_1_26_3

2.1.2  Unit Design Document (UDD)
The UDD represents the software unit design specification as required by ISO 26262 – 6, clause 8.

Document Title
Safe Watchdog Interface - Unit Design Document
Document Version
1.0.9
Document Number
D-SAFEX-D-70-001
Location
MKS ID 125939
Label
Release_1_26_3
Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 6
2.1.3  Source Code
The source code of the software unit is written in the C programming language.
Title
Safe Watchdog Interface - Source Code
Version
3.3.6
Location
http://tttechsvn.vie.at.tttech.ttt/branches/For_SAFEEXE_SERIES_Release_1
_26_3/SW/msp-watchdog-if

The exact contents of the Source Code and configuration management tags are described in
[RAD].

The HIS metrics and the MISRA rule check are performed with the tool QA-C.
The HIS metrics report can be found in the folders
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-
documents/HIS_MISRA_checks/Release_1_26_3/S-WdgIf/
All HIS metrics violations are justified in the respective source files.

The results of the MISRA-check can be found in the folders
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-
documents/HIS_MISRA_checks/Release_1_26_3/S-WdgIf/
All violations are justified. The justifications are provided as comments in the respective source
files.

2.1.4  Unit Test Specification (UTS)
The UTS contains a detailed test specification of the software unit according to the requirements of
ISO 26262 – 6, clause 9 . The UTS demonstrates 100% requirements coverage.

Document Title
Safe Watchdog Interface - Unit Test Specification
Document Version
1.0.11
Document Number
D-SAFEX-V-70-002
Location
MKS ID 125942
Label
Release_1_26_3
2.1.5  Unit Test Report (UTR)
The UTR contains a detailed unit test report according to the requirements of ISO 26262 – 6,
clauses 8 and 9. The UTR shows that all tests and review procedures specified in the UTS passed
and that 100% MC/DC coverage is achieved.

Document Title
Safe Watchdog Interface - Unit Test Report
Document Version
1.0.5
Document Number
D-SAFEX-V-70-006
Location
\\fileserver.vie.at.tttech.ttt\projects\certification\tttech-
automotive\release\S-WdgM\S-WdgIf\UTR\UTR_WdgIf_D-SAFEX-V-70-
006_V_1_0_5\UTR_WdgIf_D-SAFEX-V-70-006_V_1_0_5.pdf

Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 7
2.1.6  Safety Manual (SM)
The Safety Manual (SM) contains the requirements for the integrator of the software unit. All
requirements described in this document must be followed. In specific, the SM describes for which
configuration (configuration parameters, used hardware, compiler and linker settings) the software
unit has been tested according to ISO 26262 requirements. Moreover, the SM describes which SW
safety lifecycle requirements and recommendations of ISO 26262 were not executed during the
development of the software unit. These requirements and recommendations have to be
considered by the integrator of the software unit.

Document Title
Safe Watchdog Interface - Safety Manual
Document Version
1.8.9
Document Number
D-SAFEX-S-70-005
Locations
MKS 232906
Label
Release_1_26_3

2.1.7  Event Tree Analysis (ETA)
The ETA is the event tree analysis that was performed as part of the Safe Watchdog Manager (S-
WdgIf ) software development according to the requirements and recommendations of ISO 26262

Document Title
Safe Watchdog Interface - Event Tree Analysis
Document Version
1.0.0
Document Number
D-SAFEX-S-70-012
Locations
MKS ID 263814
Label
Release_1_26_3

3
Summary
The evidence in sections
   “Software Safety Lifecycle Documentation”
and the assessment reports [AUDIT_S-WdgM] shows that the S-WdgIf unit has been developed as
a SEooC component according to ISO26262:2011 and can be used for up to ASIL D.

It is safe to integrate the SW unit into safety-related systems developed according to ISO
26262:2011, if the requirements that are described in the Safety Manual (SM) are fulfilled by the
system integrator.

4
Abbreviations and Glossary
Acronym / Term
Meaning
API
Application Programmer Interface
Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

Ensuring Reliable Networks
Document Name: Safety Case
Ref.: D-SAFEX-IN-70-002
Page 8
Acronym / Term
Meaning
ASIL
Automotive Safety Integrity Level
HIS
Herstellerinitiative Software
ISO
International Standard
MC/DC
Modified Condition/Decision Coverage
MISRA
Motor Industry Software Reliability Association
MKS
MKS Integrity software tool made by MKS Software Inc.
SEooC
Safety Element out of Context according to ISO 26262-10
SW
Software Specification
5
References
5.1
Documents Available on Request
The following documents are not part of the customer delivery. The documents can be made
available in video conferences (e.g., WebEx) or in on-site audits at the development center of
TTTech in Vienna. If necessary, please contact the TTTech Automotive Support at
support@tttech-automotive.com.

[AUDIT_S-WdgM]
TÜV NORD – Institut für Fahrzeugtechnik & Mobilität,

A/
Report on the Functional Safety Audit for TTTech’s Safe Watchdog
Manager Stack (ISO 26262 / ASIL D)
1.  Report-No: 8109170322-B01, Version 1.0, 2012-07-18
2.  Report-No: 8109170322-B02, Version 1.0  2012-12-20

B/
Functional Safety Assessment Report of “Safe Watchdog Manager
Stack” conformity against ISO26262, ASIL D.
3.  Report-No: 8109170322-B04, Version 1.0 2013-02-25
[COMPL]
TTTech Computertechnik AG, ISO_DIS_26262_Compliance.xls, D-INT-CL-
70-001
[TT_ASDM_322]
TTTech Automotive GmbH, Automotive Software Development Manual,
V3.2.2, D-100-T-70-001

5.2
Other Documents
[ISO]
International Organization for Standardization, International Standard
ISO26262 Road vehicles – Functional safety (all parts), 2011

Last Change: 2014-11-20
Author: TTTech
Version: 1.2.0
© TTTech Automotive GmbH

7 - S-WdgIf_SafetyManual

Safety Manual

8 - S-WdgIf_SafetyManual_ind

Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
Page 22
Page 23
Page 24
Page 25
Page 26
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
Page 41
Page 42
Page 43
Page 44
Page 45
Page 46
Page 47
Page 48

9 - S-WdgIf_SafetyManuals

Ensuring Reliable Networks
Safe Watchdog Interface
Safety Manual

Author:
TTTech Automotive GmbH
Security:
Company Confidential
Document number:
D-SAFEX-S-70-005
Version:
1.8.9
Date:
22.05.2014
Status:
ALM_Published
MKS ID:
232906

TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com

No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive GmbH. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive GmbH
undertakes no further obligation in relation to this document.

© 2014, TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections

TTTech Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 1
Revision History
30.05.2012 V1.0.0 Creation (based on MKS 185841)
27.06.2012 V1.1.0 Reviewed. Some information still open.
03.07.2012 V1.2.0 Added config generation and verification process
05.07.2012 V1.3.0 Added requirements from ETA and Check against System Specification
06.07.2012 V1.3.1 Ready for Release 1.8.2
13.08.2012 V1.3.2 Feedback from Hella-Audit, some texts more precise
10.09.2012 V1.3.3 Added chapter "S-WdgIf Generator - Verification".
13.09.2012 V1.3.4 Dissolved ETA section. Corrected review findings.
15.09.2012 V1.3.5 Safe Watchdog Interface ASIL Release
17.09.2012 V1.8.1 issue48784 (new version)
06.11.2012 V1.8.2 updated according to WdgIf_GetTickCounter() (issue49948)
07.11.2012 V1.8.3 updated after review (issue49948)
03.04.2014 V1.8.4 Update after customer review, changes summarised in the issue52277
24.04.2014 V1.8.5 Updated parts related to AS driver compatibility (issue62032:msg467581, issue59785)
Updated 240758: parameter WdgIfUseAutosarDrvApi
Updated 260205: added vendor ID (WD driver function names)
Added 555654: parameter WDGIF_USE_AUTOSAR_DRV_API
Updated 289398: API differences (WDGIF_USE_AUTOSAR_DRV_API)
Updated 234584, 235159, 283153: API compatibility
(WDGIF_USE_AUTOSAR_DRV_API)
Added 556326, changed 289394, 289398, 289412, 289455: Description of the <drv>
shortcut
Changed 233039, 234584, 235159, 283153: added vendor-id string
08.05.2014 V1.8.6 Updated according to the review remarks (issue62032:msg469458,
issue62032:msg469460)
12.05.2014 V1.8.7 Updated according to the review remarks (issue62032:msg472152)
14.05.2014 V1.8.8 Updated according to the review remarks (issue62032:msg473209)
22.05.2014 V1.8.9 Language Review (issue63157)

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 3

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 4
-
Category:
Comment
Keywords:

ID:
552152
LEGAL DISCLAIMER
THE INFORMATION GIVEN IN THIS SAFETY MANUAL IS GIVEN AS SUPPORT FOR THE
INTEGRATION OF THE TTTECH SAFETY MODULE INTO A SYSTEM ONLY AND SHALL NOT BE
REGARDED AS ANY DESCRIPTION OR WARRANTY OF A CERTAIN FUNCTIONALITY, CONDITION
OR QUALITY OF THE TTTECH SAFETY MODULE. THE RECIPIENT OF THIS SAFETY MANUAL MUST
VERIFY ANY FUNCTION DESCRIBED HEREIN IN THE REAL APPLICATION.

TTTECH PROVIDES THE SAFETY MANUAL FOR THE SAFETY MODULE "AS IS" AND WITH ALL
FAULTS AND HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE, ACCURACY OR COMPLETENESS, OR OF RESULTS
TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK, AS TO THE QUALITY, USE
OR PERFORMANCE OF THE SAFETY MANUAL, REMAINS WITH THE RECIPIENT. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW TTTECH SHALL IN NO EVENT BE LIABLE FOR ANY
SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT
NOT LIMITED TO LOSS OF DATA, DATA BEING RENDERED INACCURATE, BUSINESS
INTERRUPTION OR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF
THE USE OR INABILITY TO USE THE SAFETY MANUAL, EVEN IF TTTECH HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

TTTECH MAKES NO WARRANTY OF ITS PRODUCTS, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW DISCLAIMS ALL LIABILITIES OR
DAMAGES RESULTING FROM OR ARISING OUT OF THE APPLICATION OR USE OF THESE
PRODUCTS.

-
Category:
Comment
Keywords:

ID:
552151
Legal Notice
The information contained in this safety manual does not affect or change any General Terms and
Conditions of TTTech and/or any agreements existing between TTTech and the recipient regarding the
product concerned.

The reader acknowledges that this safety manual may not be reproduced, stored in a retrieval system,
transmitted, changed, or translated, in whole or in part, without the express written consent of TTTech.

The reader acknowledges that any and all of the copyrights, trademarks, trade names, patents (whether
registrable or not) and other intellectual property rights embodied in or in connection with this safety manual
are and will remain the sole property of TTTech or the respective right holder. Nothing contained in this
legal notice, the safety manual or in any TTTech web site shall be construed as conferring to the recipient
any license under any intellectual property rights, whether explicit, by estoppel, implication, or otherwise.

This safety manual and respective products are subject to change.

The product is only allowed to be used in the scope as described in section "System Assumptions". Please
note that based on the current state of the arts in science it is impossible to develop software that is bug-
free in all applications.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 5

Category:
Comment
Keywords:

ID:
552153
We Listen to Your Comments
If there is any information in this document that is wrong, unclear or missing?
Your feedback will help us to continuously improve the quality of this document. Please contact TTTech
Automotive GmbH support if you have questions, change requests or suggestions for improvement related
to the Safety Module or documentation. The TTTech Automotive GmbH support can be reached via the
following e-mail address: support@tttech.com.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 6
1  Introduction
1.1  Purpose of this Document
Category:
Comment
Keywords:

ID:
233001
This document is the Software Safety Manual for the software component Safe Watchdog Interface (S-
WdgIf). The S-WdgIf was developed by TTTech as an SEooC according to ISO 26262 (2011) for use in
safety related items up to ASIL D (see [ISO26262]). This document contains the requirements that have to
be satisfied to integrate and apply the S-WdgIf into a safety-related item.

-
Category:
Comment
Keywords:

ID:
233003
The S-WdgIf is a part of the S-WdgM Stack. It contains also a S-WdgIf Configuration Generator to generate
configuration dependent S-WdgIf code.

-
Category:
Comment
Keywords:

ID:
233005
This document contains the requirements that have to be met to:
  install the S-WdgIf Generator,
  generate the S-WdgIf code with the S-WdgIf Configuration Generator,
  integrate the S-WdgIf code into an AUTOSAR system, and
  to apply the S-WdgIf within an AUTOSAR system.

-
Category:
Comment
Keywords:

ID:
233019
Note: This document just describes requirements for the S-WdgIf. This document does not provide a full
description of how to create a safe system. For example, this document is not concerned with hardware
architectural metrics that may have an influence on software running on this hardware. These
considerations are not specific to the S-WdgIf and are thus beyond the scope of this manual.

-
Category:
Comment
Keywords:

ID:
559910
The S-WdgIf was developed according to AUTOSAR version 3.1.4 [AS_WDGIF_SWS_3_1] and AUTOSAR
version 4.0.1 [AS_WDGIF_SWS]. The S-WdgIf is compatible with both AUTOSAR versions but not fully
compliant. For the deviations see [TT_WDGIF_UM].

-
1.1.1  Target Audience and Responsibilities
Category:
Comment
Keywords:

ID:
233007
The requirements are intended for the (system) integrator, who is responsible for the generation of the S-
WdgIf configuration, the integration of the S-WdgIf in(to) a safety-related item and its application.

-
Category:
Requirement
Keywords:

ID:
233009
Label:

Safety relevant:

Related To:

Related To':

The integrator shall be an expert in the area of functional safety with deep knowledge of ISO 26262 (see
[ISO26262]). Moreover, the integrator needs to know:
  the AUTOSAR architecture,
  the ANSI C programing language, and
  the S-WdgIf User Manual [TT_WDGIF_UM]).

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 7

-
Category:
Comment
Keywords:

ID:
233011
The integrator shall ensure that all requirements defined in this Safety Manual are fulfilled in the integrated
item.

-
Category:
Requirement
Keywords:

ID:
233013
Label:

Safety relevant:

Related To:

Related To':

The integrator shall also follow the instructions in:
  the Safety Manual for the S-WdgM (see [TT_WDGM_SM]) and
  the Safety Manual for the used S-Wdg drivers (see the driver specific Safety Manual. Examples can be
found in section "References" at the end of this document) which describe the other parts of the S-
WdgM Stack.

-
1.1.2  Structure of this Document
Category:
Comment
Keywords:

ID:
233017
Requirements are explicitly marked as "Requirement" in this document. All requirements described in this
document shall be considered by the integrator. Explanatory text that does not represent an explicit
requirement is marked as "Comment".

-
Category:
Comment
Keywords:

ID:
554241
Note: Document items of the type "Comment" do not represent explicit action items for the integrator,
however, the integrator is advised to ensure that there are no contradictions between the comment and the
intended S-WdgIf usage.

-
Category:
Comment
Keywords:

ID:
554243
Comments related to a requirement are placed below the related requirement.

-
Category:
Comment
Keywords:

ID:
554242
Note: Requirements in this document shall be treated either as safety related or need not be treated as
safety related, depending on the S-WdgIf use case:
  If the S-WdgIf is used to monitor a safety related application then for each used S-WdgIf functionality all
corresponding requirements shall be treated as safety related.
  If the S-WdgIf is used to monitor a QM application then the SM requirements need not be treated as
safety related.

As a consequence, the field "Safety relevant" for each requirement is always empty.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 8

Category:
Comment
Keywords:

ID:
554244
The list shows some keywords used in requirements and their explanation:

Key Word
Description
must, shall, required, is responsible for, is the
Requirement is mandatory.
responsibility of
shall not
Requirement is a prohibition.
table 1


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 9
2  Terms
Category:
Comment
Keywords:

ID:
260274

A tool (like DaVinci Configurator Pro) that creates a Safe
Configuration Tool
Watchdog Interface configuration.
The escalation of a detected fault to the Watchdog by a
Error Escalation
Watchdog reset or omittance of the Watchdog trigger.
Safe Watchdog Driver
The lower and hardware dependent software layer of the S-

WdgM Stack. It controls the Watchdog device.
The middle and hardware independent software layer of the S-
Safe Watchdog Interface
WdgM Stack.
Safe Watchdog Interface
The part of the S-WdgIf code that is generated by the S-WdgIf
Configuration
Generator from an ECU description file.
A tool from TTTech that generates the S-WdgIf Configuration out
Safe Watchdog Interface
of an ECU description file. In this document the name is
Configuration Generator
abbreviated to "S-WdgIf Generator". The tool is part of the S-
WdgIf package.
The upper and hardware independent software layer of the S-
Safe Watchdog Manager
WdgM Stack. It communicates with the application through RTE.
The stack comprises the S-WdgM, the Safe Watchdog Interface
Safe Watchdog Manager Stack  and the Safe Watchdog driver(s).
A set of elements that relates at least a sensor, a controller and
System
an actuator with one another (see [ISO26262], part1). In this
document, the MCU is part of the system.
A Watchdog device is the hardware that provides the watchdog
Watchdog (device)
function. It can be an internal watchdog (on the MCU) or an
external device.
The "WD Mode" defines the period timeout. It is set with
WD Mode
WdgIf_SetMode () and can be "slow", "fast" or "off" (WD
disabled). Do not confuse with "WD Trigger Mode".
The "WD Trigger Mode" defines the WD trigger window (start and
WD Trigger Mode
length) together with the "WD Mode". It is set with
WdgM_SetMode ().
table 2


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 10
3  Notations
Category:
Comment
Keywords:

ID:
233039

Notation  Description
Italic text is a placeholder for a name or text pattern. E.g.: In Wdg_infix_Init (), the text infix is a
text
placeholder for the actual name of the used WD driver.
A placeholder with this name is interpreted as follows:
  In case of an AUTOSAR 3.1 environment, the placeholder infix stands for the name of
infix
the configured WD device.
  In case of an AUTOSAR 4.0 environment, the placeholder infix stands for the pattern
vendor-id_device-name, where vendor-id is the ID of the vendor of the WD driver and
device-name is the name of the configured WD device.
table 3


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 11
4  Abbreviations
Category:
Comment
Keywords:

ID:
233047

API
Application Programming Interface
ASIL
Automotive Safety Integrity Level
AUTOSAR
Automotive Open System Architecture
BSW
Basic Software (AUTOSAR term)
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECU
Engine Control Unit
ISO
International Organization for Standardization
MCU
Microcontroller Unit
MPU
Memory Protection Unit. Usually this is part of the Microcontroller.
MemMap
Memory Mapping (for Memory Management)
QM
Quality Managed (Software)
SM
Safety Manual
SPI
Serial Peripheral Interface (Module)
S-Wdg
Safe Watchdog Driver (from TTTech)
S-WdgM
Safe Watchdog Manager (from TTTech)
S-WdgIf
Safe Watchdog Interface (from TTTech)
The "S-WdgM Stack" comprises the S-WdgM, the S-WdgIf and the used Safe
S-WdgM Stack
Watchdog driver(s).
WD
Watchdog
WdgM
Watchdog Manager according to the AUTOSAR 4.0 specification
WdgIf
Watchdog Interface according to the AUTOSAR 4.0 specification
table 4


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 12
5  Safe Watchdog Interface Overview
Category:
Comment
Keywords:

ID:
233043
For an overview of and more details about
  the S-WdgIf,
  the other S-WdgM Stack components, and
  the S-WdgIf Generator
see the according user manuals and Safety Manuals:
  for the S-WdgM: [TT_WDGM_UM], [TT_WDGM_SM],
  for the S-WdgIf: [TT_WDGIF_UM] and this document, or
  for the S-Wdg drivers: the according Safety Manual.

See section "References" at the end of this document.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 13
6  System Assumptions
Category:
Comment
Keywords:

ID:
270643
The system assumptions are a subset of the S-WdgM system assumptions (see [TT_WDGM_SM]).

-
Category:
Comment
Keywords:

ID:
559912
The S-WdgIf is designed for integration into an AUTOSAR 3.1.4 and 4.0.1 system. However, it is not
restricted to these AUTOSAR versions. The software module can also be integrated into other versions of
AUTOSAR and other system SW architectures, provided that the integration related requirements listed in
the Safety Manual are met.

-
6.1  Assumptions in this Document
Category:
Comment
Keywords:

ID:
282959
The following requirements and comments are placed in the according context in this document. They may
be interpreted as system assumptions or not - depending on the circumstances the system is developed
and applied:

Requirement
Description
Quality level degradation by external interfaces to 3rd
260213, 234568, 235165, 237306
party modules. *1).
Quality level degradation by external interfaces to S-
260213
WdgM Stack modules *2).
236022
S-WdgIf functionality affected by other SW.
260197, 260217, 236258, 236382
WD driver and WD device.
236356
Memory sections, access rights.
236044, 237369, 236430, 236434
Memory corruption.
260205
External Interfaces.
table 5

*1) The 3rd party modules are not part of the S-WdgM Stack.
*2) The external interfaces between S-WdgM, S-WdgIf and S-Wdg do not have to be verified if:
  the modules are part of the same S-WdgM Stack release,
  the modules are not altered by the integrator, and
  the modules are integration tested by TTTech.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 14
7  S-WdgIf Function Requirements
Category:
Comment
Keywords:

ID:
270650
For the system requirements that the S-WdgM Stack fulfills, see[TT_WDGM_SM].

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 15
8  S-WdgIf Configuration
Category:
Comment
Keywords:

ID:
233053
The S-WdgIf Configuration is the part of the S-WdgIf code that is generated with the S-WdgIf Generator out
of a given ECU description file.
This section lists the safety requirements for the creation of a S-WdgIf Configuration.

-
Category:
Comment
Keywords:

ID:
233055
For a description of
  the configuration fields in the ECU description file and
  how to create S-WdgIf code out of the ECU description file
see [TT_WDGIF_UM].

-
8.1  Configuration Check-List
Category:
Comment
Keywords:

ID:
233059
The S-WdgIf Generator performs basic checks on the ECU description file when it generates the S-WdgIf
Configuration.
The following list provides instructions for manual checks of safety relevant configuration values that cannot
be performed by the S-WdgIf Generator.

-
8.1.1  General Requirements
Category:
Requirement
Keywords:

ID:
234105
Label:

Safety relevant:

Related To:

Related To':

The integrator shall set the configuration parameters according to the project specification.

-
Category:
Requirement
Keywords:

ID:
552162
Label:

Safety relevant:

Related To:

Related To':

The ECU description file that serves as input for the generation of the S-WdgIf Configuration files shall
comply to the AUTOSAR schema defined in comment 559910 above.

-
Category:
Comment
Keywords:

ID:
554249
Note: These are the AUTOSAR versions for which the S-WdgIf was developed and tested.

-
Category:
Comment
Keywords:

ID:
554878
The AUTOSAR version used for S-WdgIf integration tests is defined in [TT_WDGS_ITR].

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 16
8.1.2  Compiler Settings
Category:
Requirement
Keywords:

ID:
240758
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264807,__MKSID__264811,__MKSID__55284
3
The following fields in the ECU description file shall be "true" if the according feature shall be enabled,
otherwise "false":

Field
Feature
WdgIfVersionInfoApi
Enable Version API.
WdgIfDevErrorDetect
Enable Development error detection.
WdgIfUseAutosarDrvApi
Enable AUTOSAR compatible WD driver API.
table 6


-
Category:
Requirement
Keywords:

ID:
240769
Label:

Safety relevant:

Related To:

Related To':

If an internal HW tick counter is used, then the field WdgIfInternalTickCounterRef shall be defined such that
is refers to a WD driver, otherwise the field WdgIfInternalTickCounterRef is omitted.

-
Category:
Comment
Keywords:

ID:
240773
If WdgIfInternalTickCounterRef is a S-WdgIf information and refers to a WD driver, the driver must
  support an internal tick counter and
  its parameter WdgInternalTickCounter must be "true".

This is checked automatically by the S-WdgIf Configuration Generator.

-
8.1.3  Post Build Configuration and Application Settings
Category:
Comment
Keywords:

ID:
240764
This section provides a check list for the various aspects and configuration fields that must be considered
for post build configuration of the S-WdgIf.

-
Category:
Comment
Keywords:

ID:
240766
For further information on configuration fields see [TT_WDGIF_UM].

-
Category:
Requirement
Keywords:

ID:
260197
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the configuration has
  only one WD driver and
  only one WD device for the driver
defined.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 17
Category:
Comment
Keywords:

ID:
242221
The current implementation of the S-WdgM Stack supports only one WD device per WD driver. If configured
so, the S-WdgIf Generator yields an error message.

-
Category:
Comment
Keywords:

ID:
260225
As a consequence, the device index that is passed to the WD driver functions is always 0.

-
Category:
Requirement
Keywords:

ID:
260199
Label:

Safety relevant:

Related To:

Related To':

The integrator shall ensure that the names of the WD driver functions in the generated S-WdgIf
configuration match the actual names of the functions in the WD driver.

-
Category:
Requirement
Keywords:

ID:
260205
Label:

Safety relevant:

Related To:

Related To':

In case a Watchdog Driver is used that is not implemented by TTTech, the integrator shall make sure that
the WD driver supports the following functions:
  Wdg_infix_SetMode () and
  Wdg_infix_SetTriggerWindow () or Wdg_infix_SetTriggerCondition ().

-
Category:
Comment
Keywords:

ID:
260201
The S-WdgIf Generator fills the placeholder (infix) automatically.

-
Category:
Requirement
Keywords:

ID:
260217
Label:

Safety relevant:

Related To:

Related To':

If an internal HW tick counter is configured (i.e. WdgIfInternalTickCounterRef is defined),
then the integrator shall make sure that the WD driver supports the function Wdg_infix_GetTickCounter ().

-
Category:
Requirement
Keywords:

ID:
260213
Label:

Safety relevant:

Related To:

Related To':

In case a Watchdog Driver is used that is not implemented by TTTech, the integrator shall verify that the
functions that are offered by the WD driver (listed in section "Expected Interface", Comment 234584) and
called from the S-WdgIf do not degrade the quality level of the S-WdgIf below the required quality level.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 18
9  S-WdgIf Configuration Generator
Category:
Comment
Keywords:

ID:
234331
This section lists the safety requirements for the installation and application of the S-WdgIf Generator.

-
Category:
Comment
Keywords:

ID:
234333
For information on how to use the S-WdgIf Generator, see [TT_WDGIF_UM].

-
Category:
Comment
Keywords:

ID:
234335
Note: the S-WdgIf Generator is not ASIL-D and iIts output cannot be trusted. The generated files must be
verified manually as described in "S-WdgIf Generator - Verification".

-
9.1  S-WdgIf Generator - Installation
Category:
Requirement
Keywords:

ID:
234339
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf Generator is installed and used on a different OS than Windows 7 with Service Pack 1, the
integrator is responsible for ensuring that the change of the underlying OS does not affect the behavior and
output of the S-WdgIf Generator.

-
Category:
Comment
Keywords:

ID:
234341
The S-WdgIf Generator has been tested on Windows 7 with Service Pack 1.

-
9.2  S-WdgIf Generator - Application
Category:
Requirement
Keywords:

ID:
234345
Label:

Safety relevant:

Related To:

Related To':

The selected output path for the generated S-WdgIf code (runtime argument "OUTPUT-DIRECTORY") shall
be empty before the S-WdgIf Generator is started.

-
Category:
Comment
Keywords:

ID:
234347
If the output path is not empty, code from previous generation runs may be accidentally integrated into the
AUTOSAR system.

-
Category:
Comment
Keywords:

ID:
263318
The names of the generated files are listed on standard error (stdout).

-
Category:
Requirement
Keywords:

ID:
234349
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf Generator aborts the generation process with an error, the (partially) generated output files
shall not be used in an AUTOSAR system.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 19

-
Category:
Comment
Keywords:

ID:
234351
Error messages start with "Error" and they are displayed on standard error (stderr).
If successful, the S-WdgIf Generator returns error level 0, otherwise an error level higher than 0 is returned.

-
Category:
Requirement
Keywords:

ID:
234353
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf Generator displays a warning message, the integrator shall ensure that the cause of the
warning does not invalidate the generated S-WdgIf Configuration.

-
Category:
Comment
Keywords:

ID:
234355
Warning messages start with "Warning" and are displayed on standard error (stderr).
If successful (although with a warning), the S-WdgIf Generator returns error level 0, otherwise an error level
higher than 0 is returned.

-
Category:
Comment
Keywords:

ID:
234359
TTTech provides a sample demonstration configuration with four supervised entities. The files may be used
by the integrator, but they are intended for demonstration only.

-
Category:
Comment
Keywords:

ID:
234361
The S-WdgIf Generator is not configurable. The S-WdgIf Generator process is controlled by the input
arguments only.

-
9.3  S-WdgIf Generator - Verification
Category:
Comment
Keywords:

ID:
289334
This section describes how to verify the generated files manually.

-
Category:
Requirement
Keywords:

ID:
289342
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297368
Check that the set of generated files is complete. It consists of:
  WdgIf_Cfg_Features.h,
  WdgIf_Lcfg.h, and
  WdgIf_Lcfg.c.

-
9.3.1  Check of WdgIf_Cfg_Features.h
Category:
Requirement
Keywords:

ID:
289346
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264811
If - and only if - WdgIfVersionInfoApi in the ECU Description file is "true",
then WDGIF_VERSION_INFO_API shall be set STD_ON, otherwise STD_OFF.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 20
Category:
Requirement
Keywords:

ID:
555654
Label:

Safety relevant:

Related To:
__MKSID__552843
Related To':

If - and only if - WdgIfUseAutosarDrvApi in the ECU Description file is "true",
then WDGIF_USE_AUTOSAR_DRV_API shall be set STD_ON, otherwise STD_OFF.

-
Category:
Requirement
Keywords:

ID:
289352
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264807
If - and only if - WdgIfDevErrorDetect in the ECU Description file is "true",
then WDGIF_DEV_ERROR_DETECT shall be set STD_ON, otherwise STD_OFF.

-
Category:
Requirement
Keywords:

ID:
289356
Label:

Safety relevant:

Related To:

Related To':
__MKSID__264814
If - and only if - an internal tick counter is referenced with WdgIfInternalTickCounterRef in the ECU
Description file,
then WDGIF_INTERNAL_TICK_COUNTER shall be set STD_ON, otherwise STD_OFF.

-
9.3.2  Check of WdgIf_Lcfg.h
Category:
Requirement
Keywords:

ID:
289360
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297372
The file shall contain a pre processor command as follows:

#define WDGIF_NUMBER_OF_WATCHDOGS 1


-
Category:
Comment
Keywords:

ID:
289362
In the current version of the S-WdgIf, the number of used watchdogs is restricted to one.

-
9.3.3  Check of WdgIf_Lcfg.c
Category:
Requirement
Keywords:

ID:
289388
Label:

Safety relevant:

Related To:

Related To':

The header file named "Wdg_infix.h" shall be included.

-
Category:
Comment
Keywords:

ID:
289390
In the current version of the S-WdgIf, the number of used WD drivers is restricted to one.

-
Category:
Requirement
Keywords:

ID:
289392
Label:

Safety relevant:

Related To:

Related To':

The file "WdgIf_Lcfg.h" shall be included.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 21

-
Category:
Requirement
Keywords:

ID:
289394
Label:

Safety relevant:

Related To:

Related To':
__MKSID__58842
The following structures shall be defined:
  "WdgIf_InterfaceFunctionsType infix_functions",
  "WdgIf_InterfaceFunctionsPerWdgDeviceType WdgIf_FunctionsPerWdg
[WDGIF_NUMBER_OF_WATCHDOGS]" (an array of structures), and
  "WdgIf_InterfaceType WdgIf_Interface".


-
Category:
Requirement
Keywords:

ID:
289406
Label:

Safety relevant:

Related To:

Related To':

The structures listed in 289394 above shall be memory mapped to
WDGIF_START_SEC_CONST_UNSPECIFIED.

-
Category:
Requirement
Keywords:

ID:
289398
Label:

Safety relevant:

Related To:

Related To':
__MKSID__55578,__MKSID__55580
The structure "infix_functions" shall contain the following field values (and in this order):
  "Wdg_infix_SetMode" and
  "Wdg_infix_SetTriggerWindow" if WDGIF_USE_AUTOSAR_DRV_API is set to STD_OFF and
"Wdg_infix_SetTriggerCondition" if WDGIF_USE_AUTOSAR_DRV_API is set to STD_ON.


-
Category:
Comment
Keywords:

ID:
289410
The fields refer to the functions of the used WD driver to set the WD trigger.

-
Category:
Requirement
Keywords:

ID:
289412
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297362,__MKSID__297324
The array WdgIf_FunctionsPerWdg shall contain a single array item with the following field values (in this
order):
  "&infix_functions" and
  "0".


-
Category:
Comment
Keywords:

ID:
289414
The value 0 refers to the position of each WD (starting with 0) assigned to the WD driver referred to by infix.
There is only one WD configurable for a driver.

-
Category:
Requirement
Keywords:

ID:
289455
Label:

Safety relevant:

Related To:

Related To':
__MKSID__55582,__MKSID__297312,__MKSID__239282
The structure WdgIf_Interface shall contain the following field values:
  "WDGIF_NUMBER_OF_WATCHDOGS",

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 22
  "WdgIf_FunctionsPerWdg", and
  "Wdg_infix_GetTickCounter" if - and only if - WDGIF_INTERNAL_TICK_COUNTER is set to STD_ON.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 23
10 Safe Watchdog Interface
Category:
Comment
Keywords:

ID:
234556
This section lists the safety requirements for the integration and application of the S-WdgIf code in/into an
AUTOSAR system.

-
10.1 API Specification
Category:
Comment
Keywords:

ID:
234560
This section describes the imported types and definitions and the expected interface. It also describes
safety related aspects of types, definitions and functions implemented in the S-WdgIf.
Some types, definitions and interfaces depend on the used S-WdgIf Configuration.

-
Category:
Comment
Keywords:

ID:
234562
For more information see [TT_WDGIF_UM].
For more information about types, definitions and functions implemented in the S-Wdg drivers, see the
Safety Manuals of the drivers. Safety Manuals and User Manuals of the drivers tested by TTTech can be
found in section "References" at the end of this document.

-
Category:
Comment
Keywords:

ID:
234564
For further requirements related to imported types, definitions and interfaces, see section "S-WdgIf
Integration" below.

-
Category:
Comment
Keywords:

ID:
234566
The integrator is responsible for the correct import of the types and definitions that are listed in section
"Imported Types and Definitions" below.

-
Category:
Requirement
Keywords:

ID:
234570
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct application of the interface functions.

-
Category:
Requirement
Keywords:

ID:
234572
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for ensuring that all external functions that are called from within the S-WdgIf
code are imported from the correct versions of AUTOSAR.

-
Category:
Comment
Keywords:

ID:
559643
For the supported AUTOSAR versions, see comment 559910 above.

-
Category:
Comment
Keywords:

ID:
546265
The external functions are defined in section "Expected Interface" below.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 24
Category:
Requirement
Keywords:

ID:
234574
Label:

Safety relevant:

Related To:

Related To':

The inclusion of AUTOSAR files or any other files different from S-WdgIf files shall not redefine any
identifier that is defined in the S-WdgIf code. E.g., redefinitions with #define macros.

-
Category:
Requirement
Keywords:

ID:
234568
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that no external interface of the S-WdgIf listed in this section degrades the quality
level of the S-WdgIf below the required quality level.

-
Category:
Comment
Keywords:

ID:
559038
The external interfaces are defined in section "Expected Interface" below.

-
Category:
Comment
Keywords:

ID:
234576
For example, if an external function of quality level ASIL C is called by the S-WdgIf, it degrades the quality
level of the S-WdgIf to ASIL C (if no precautions were taken), although the required quality level is ASIL D.

-
10.1.1
Expected Interface
Category:
Comment
Keywords:

ID:
234580
This section lists the external functions that are called by the S-WdgIf.

-
Category:
Comment
Keywords:

ID:
234582
For an overview of functions that are called by the S-WdgIf see [TT_WDGIF_UM].

-
Category:
Comment
Keywords:

ID:
234584
The following functions of the WD driver in the lower layer are called:

Function
Module
Wdg_infix_SetMode () *)
WD Driver
Wdg_infix_SetTriggerWindow ()
WD Driver
or Wdg_infix_SetTriggerCondition() **) ***)
table 7

*) If the function WdgIf_SetMode () is called with parameter DeviceIndex=i, then it calls the function that is
configured for the i-th WD - referred to by infix - in the S-WdgIf configuration for the configuration field
Wdg_infix_SetMode.

**) If the function WdgIf_SetTriggerWindow () or WdgIf_SetTriggerCondition () is called with parameter
DeviceIndex=i, then it calls the function that is configured for the i-th WD - referred to by infix - in the S-
WdgIf configuration for the configuration field Wdg_infix_SetTriggerWindow.

***) If the configuration parameter WdgIfUseAutosarApi is set to "true", then the S-WdgIf expects the WD
driver to provide the function Wdg_infix_SetTriggerWindow () (which is the AUTOSAR API compatibility
mode). Otherwise, the S-WdgIf expects the WD driver to provide the function

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 25
Wdg_infix_SetTriggerCondition () (which is the TTTech API compatibility mode).

-
Category:
Comment
Keywords:

ID:
235159
Some functions are called by the S-WdgIf depending on the compiler switches as listed here:

Compiler Switch
Function
Module
WDGIF_DEV_ERROR_DETECT is  Appl_Det_ReportError () *)
DET
set to STD_ON
WDGIF_INTERNAL_TICK_COUNTE Wdg_infix_GetTickCounter () **)
WD Driver
R is set to STD_ON
If set to STD_ON, then Wdg_infix_SetTriggerWindow ()
WDGIF_USE_AUTOSAR_DRV_API  is called, otherwise Wdg_infix_SetTriggerCondition () is WD Driver
called ***)
table 8

*) This is a wrapper function. See section "Implementation of Wrapper Function Appl_Det_ReportError ()"
below for information.

**) If the function WdgIf_GetTickCounter () is called with WDGIF_INTERNAL_TICK_COUNTER set to
STD_ON, then it calls the function that is configured in the S-WdgIf configuration for the configuration field
Wdg_infix_GetTickCounter.

***) WDGIF_USE_AUTOSAR_DRV_API is set to STD_ON for the AUTOSAR compatibility mode and set to
STD_OFF for the TTTech compatibility mode.

-
10.1.1.1
Implementation of Wrapper Function Appl_Det_ReportError ()
Category:
Comment
Keywords:

ID:
238269
The function Det_ReportError () may not meet the required quality level and need to be wrapped so that
freedom from interference with the S-WdgIf is guaranted. The according wrapper function is called
Appl_Dem_ReportError (). The S-WdgIf calls the function Appl_Dem_ReportError () instead of
Dem_ReportError ().

-
Category:
Comment
Keywords:

ID:
260666
Note: Det_ReportError () is only called if WDGIF_DEV_ERROR_DETECT is set to STD_ON.

-
Category:
Requirement
Keywords:

ID:
260664
Label:

Safety relevant:

Related To:

Related To':

The wrapper function Appl_Det_ReportError () shall be declared in a separate header-file named
Appl_Det.h. This header file shall include Det.h for the wrapped AUTOSAR function.

-
Category:
Requirement
Keywords:

ID:
235165
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that a call of this function does not degrade the S-WdgIf below the required
quality level.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 26
-
Category:
Comment
Keywords:

ID:
235862
For this reason, the integrator is advised to revise the necessity of the expected interfaces.

-
10.1.2
Imported Types and Definitions
Category:
Comment
Keywords:

ID:
235866
This section lists the types and definitions that are imported by the S-WdgIf.

-
Category:
Comment
Keywords:

ID:
235886
The following types and definitions are imported from Platform_Types.h and used:
Types:
uint8
uint16
uint32

-
Category:
Comment
Keywords:

ID:
235888
The following types and definitions are imported from Std_Types.h and used:
Types:
Std_VersionInfoType (only if WDGIF_VERSION_INFO_API is set to STD_ON)
Std_ReturnType
Definitions:
STD_ON
STD_OFF

-
Category:
Comment
Keywords:

ID:
235890
The following definitions are imported from "Compiler.h" and used:
Definitions:
AUTOMATIC
FUNC
NULL_PTR
P2CONST
P2FUNC
P2VAR
VAR

-
Category:
Comment
Keywords:

ID:
235892
The following definitions are imported from "Compiler_Cfg.h" and used:
WDGIF_APPL_DATA
WDGIF_CODE
WDGIF_CONST
WDGIF_APPL_CONST
WDGIF_VAR

-
Category:
Comment
Keywords:

ID:
235894
The following definitions are imported from "MemMap.h" and used:
In WdgIf.c:
WDGIF_START_SEC_CODE

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 27
WDGIF_STOP_SEC_CODE
In WdgIf_Lcfg.c:
WDGIF_START_SEC_CONST_UNSPECIFIED
WDGIF_STOP_SEC_CONST_UNSPECIFIED


-
10.1.3
Error Handling
Category:
Comment
Keywords:

ID:
235916
This section describes the error codes that are set by the S-WdgIf (using the DET mechanism) and the
return values from S-WdgIf API functions..

-
10.1.3.1
DET Errors
Category:
Comment
Keywords:

ID:
235920
DET Errors are intended to support the development of an application. During software development, the
compiler directive WDGIF_DEV_ERROR_DETECT is usually set to STD_ON. Once the software is safe
enough so that no further DET error can occur, the option is deactivated. For safety reasons the DET errors
that are returned by the S-WdgIf are listed here.

-
Category:
Comment
Keywords:

ID:
235896
If the compiler switch WDGIF_DEV_ERROR_DETECT is set to STD_ON, then the S-WdgIf reports the
following development errors using the function Appl_Det_ReportError ():

DET Error
Code
Description
A WD device is referenced that is not defined in the S-WdgIf
WDGIF_E_PARAM_DEVICE  0x01
configuration. *)
WdgIf_GetVersionInfo () is called with NULL-pointer as
WDGIF_E_PARAM_PTR
0x02
parameter.
table 9

*) Possible reasons are:
  the pointer to the WdgIf configuration is NULL,
  the device index is higher than the number of WDs in the WdgIf configuration, and
  the pointer to the referenced WD function is NULL.

The DET errors are defined in WdgIf.h.

-
Category:
Comment
Keywords:

ID:
235868
The definition WDGIF_E_PARAM_DEVICE is an AUTOSAR definition (see [AS_WDGIF_SWS]).
The definition WDGIF_E_PARAM_PTR is TTTech specific.

-
Category:
Requirement
Keywords:

ID:
235932
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for making sure that - once the compiler switch
WDGIF_DEV_ERROR_DETECT is set to STD_OFF - no error relevant to DET can occur.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 28

-
10.1.3.2
Return Values
Category:
Comment
Keywords:

ID:
235936
The following functions return E_NOT_OK in case an error occured:

Function
Comment
WdgIf_SetMode ()
DET error WDGIF_E_PARAM_DEVICE was reported or
the called function Wdg_infix_SetMode () of the WD driver returned
E_NOT_OK.
WdgIf_SetTriggerCondition ()  DET error WDGIF_E_PARAM_DEVICE was reported or
the called function Wdg_infix_SetTriggerWindow () of the WD driver
returned E_NOT_OK.
WdgIf_SetTriggerWindow ()
DET error WDGIF_E_PARAM_DEVICE was reported or
the called function Wdg_infix_SetTriggerWindow () of the WD driver
returned E_NOT_OK.
table 10


-
Category:
Comment
Keywords:

ID:
235938
The return codes are handled by the S-WdgIf function that calls one of the functions above.

-
10.2 Functional Specification
Category:
Comment
Keywords:

ID:
283401
A detailed functional specification of the S-WdgIf module is provided in [TT_WDGIF_UDD].

-
Category:
Requirement
Keywords:

ID:
236022
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for ensuring that the S-WdgIf functionality is not unintentionally affected by
other software (especially the AUTOSAR SW). This is, e.g., manipulation of local variables of S-WdgIf
functions.

-
Category:
Comment
Keywords:

ID:
287742
This includes:
  memory corruption (see section "S-WdgIf Application" below),
  source code modifications, and
  API function calls with wrong parameters.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 29

10.3 S-WdgIf Configuration
Category:
Comment
Keywords:

ID:
236026
The S-WdgIf has two kinds of configuration:
  pre-processor options and
  link-time configuration data.

-
Category:
Comment
Keywords:

ID:
236032
The pre-processor options are generated out of an ECU configuration using the S-WdgIf Generator (coded
in the generated file WdgIf_Cfg_Features.h).
They activate or deactivate certain S-WdgIf features and cannot be altered during runtime.
See section "S-WdgIf Configuration Generator" in this document for details on the S-WdgIf Generator and
its application.
See [TT_WDGIF_UM] for details on the pre-processor options.

-
Category:
Comment
Keywords:

ID:
236034
The link-time configuration data is also generated out of the ECU configuration using the S-WdgIf Generator
(coded in the generated files WdgIf_Lcfg.h and WdgIf_Lcfg.c).
The link-time configuration defines the used WD devices with links to the device specific functions and
cannot be altered during runtime.
See section "S-WdgIf Configuration Generator" above for details on the S-WdgIf Generator and its
application.
See [TT_WDGIF_UM] for more information about on the link-time configuration data.

-
Category:
Comment
Keywords:

ID:
236042
The integrator is responsible for generation and verification of configuration data as depicted in section "S-
WdgIf Configuration Generator" above.

-
Category:
Requirement
Keywords:

ID:
236044
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the configuration data is not altered, e.g. through erroneous HW.

-
Category:
Comment
Keywords:

ID:
236046
This can be realized - for example - with ECC ROM/FLASH checks, cyclical ROM/FLASH checks, and start
up ROM/FLASH checks.

-
10.4 File Structure
Category:
Comment
Keywords:

ID:
236055
For information about the S-WdgIf file structure see [TT_WDGIF_UM].

-
Category:
Comment
Keywords:

ID:
236057
The following table shows the files that are only included when the according compiler directive is set to
STD_ON:

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 30

Include File
Compiler Directive
Det.h
WDGIF_DEV_ERROR_DETECT
table 11


-
Category:
Comment
Keywords:

ID:
236061
See also the requirement 234574 for File inclusion.

-
10.5 S-WdgIf Integration
Category:
Comment
Keywords:

ID:
236065
This section describes how to integrate the S-WdgIf into a safety-relevant system.

-
Category:
Requirement
Keywords:

ID:
236240
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to demonstrate that the generated S-WdgIf configuration is sufficient
for the considered system.

-
Category:
Requirement
Keywords:

ID:
236256
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for a correct integration of the S-WdgIf code on the system level as described
in this section.

-
Category:
Requirement
Keywords:

ID:
236258
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that the chosen WD device(s), which is internal or external, meets the system's
safety requirements.

-
Category:
Comment
Keywords:

ID:
236260
For single oscillator MCU's (where the watchdog clock is derived from the CPU main clock) it is
recommended to use an external watchdog device with its own oscillator as well.

-
10.5.1
Import from AUTOSAR Definitions into S-WdgIf
Category:
Requirement
Keywords:

ID:
236264
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct implementation of all types and definitions that are imported
from AUTOSAR header files and used by the S-WdgIf code according to AUTOSAR specifications.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 31
Category:
Comment
Keywords:

ID:
554231
See also section "Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236266
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for providing the AUTOSAR header files for the import of the AUTOSAR types
and definitions.

-
Category:
Comment
Keywords:

ID:
236268
For a list of imported AUTOSAR types and definitions and the related header files, see section "Imported
Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236270
Label:

Safety relevant:

Related To:

Related To':

The inclusion of AUTOSAR header files into the S-WdgIf code shall not redefine any identifier that is
defined within the S-WdgIf code. This prohibits, for example, redefinitions with #define macros.

-
Category:
Requirement
Keywords:

ID:
236272
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for providing the correct code of used AUTOSAR functions. That is, correct in
version and functionality.

-
Category:
Comment
Keywords:

ID:
236274
For a list of used AUTOSAR functions, see section "Expected Interface" above.

-
Category:
Requirement
Keywords:

ID:
236276
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Std_Types.h according to the comments in section
"Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236278
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Platform_Types.h according to the comments in
section "Imported Types and Definitions" above.

-
Category:
Requirement
Keywords:

ID:
236280
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file Compiler.h and a file Compiler_Cfg.h according to the
comments in section "Imported Types and Definitions" above.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 32
Category:
Comment
Keywords:

ID:
236282
Note: Some other integrated products provide their own contents for Compiler_Cfg.h. They need to be
merged into the file Compiler_Cfg.h of the system.

-
Category:
Requirement
Keywords:

ID:
236284
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to provide a file MemMap.h according to the AUTOSAR
specifications.

-
Category:
Comment
Keywords:

ID:
236600
In contrast to the S-WdgM, there is no configuration dependent memory management. All memory
management definitions for the S-WdgIf are located in MemMap.h.

-
Category:
Comment
Keywords:

ID:
236286
Note: Some other integrated products provide their own contents for MemMap.h. They need to be merged
into the file Memmap.h file for the system.

-
Category:
Comment
Keywords:

ID:
236290
TTTech provides example files for
  MemMap.h (which includes the files WdgM_MemMap.h or WdgM_OSMemMap.h, and
Wdg_MemMap.h) and
  demo_MemMap.h (with the memory mapping definitions of the complete S-WdgM Stack).

-
Category:
Comment
Keywords:

ID:
561554
The file WdgM_MemMap.h is used in AUTOSAR 3.1 enviroments.
The file WdgM_OSMemMap.h is used in AUTOSAR 4.0 enviroments.

-
10.5.2
Memory Mapping
Category:
Comment
Keywords:

ID:
236350
This section lists the requirements for the memory mapping of the S-WdgIf data and code (including the
generated S-WdgIf code).

-
Category:
Requirement
Keywords:

ID:
236762
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the inclusion of the correct MemMap.h file into the S-WdgIf code.

-
Category:
Requirement
Keywords:

ID:
236356
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the correct assignment of S-WdgIf data and code (including the generated
S-WdgIf code) to the various memory sections according to the memory mapping keywords provided by the
S-WdgIf.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 33
Category:
Comment
Keywords:

ID:
236612
For the memory sections that are supported by the S-WdgIf see comment 235894 in section "Imported
Types and Definitions" above.

-
10.5.3
S-WdgIf Files
Category:
Requirement
Keywords:

ID:
236360
Label:

Safety relevant:

Related To:

Related To':
__MKSID__297368
The integrator shall ensure that only
  files of a single delivered package and
  files generated with tools of this package
are installed.

These are the files:
  WdgIf_Cfg_Features.h (generated),
  WdgIf_Lcfg.h (generated),
  WdgIf_Lcfg.c (generated),
  WdgIf_Cfg.h,
  WdgIf_Types.h,
  WdgIf.h, and
  WdgIf.c.

-
10.5.4
Compilation and Linkage
Category:
Requirement
Keywords:

ID:
236366
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for compilation of the S-WdgIf code with a compiler that is compliant to ANSI
ISO/IEC 9899:1990.

-
Category:
Comment
Keywords:

ID:
236370
The generated code is compliant to ANSI ISO/IEC 9899:1990. It is also known as "ANSI C (C89)" and "ISO
C (C90)".

-
Category:
Requirement
Keywords:

ID:
236374
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for compilation and linkage of the S-WdgIf into the AUTOSAR system in
accordance with the system requirements.

-
Category:
Requirement
Keywords:

ID:
236378
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the compiled and linked target binary is correctly loaded into the target
system.


Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 34
-
10.5.5
S-WdgM Stack Requirements
Category:
Comment
Keywords:

ID:
555505
This section lists the requirements for the S-WdgM Stack that must be met for safe functioning of the S-
WdgIf.

-
Category:
Requirement
Keywords:

ID:
236382
Label:

Safety relevant:

Related To:

Related To':

The integrator shall make sure that the S-WdgIf communicates with
  an internal WD device (MCU inside) or
  an external WD device.

-
Category:
Comment
Keywords:

ID:
558045
The communication between the S-WdgIf and the WD driver can be tested with negative integration tests.

-
Category:
Comment
Keywords:

ID:
236384
For ASIL C and D systems, it is recommended to use an external WD device with independent time based
clock, reset circuit and power path.

-
Category:
Comment
Keywords:

ID:
236386
See
  ISO 26262 (see [ISO26262], part 6, section 7.4.14, table 4/1d) and
  Microcontroller manufacturer recommendation(see e.g. [TI_SPNU511_UM] section 5.3.6).

-
Category:
Requirement
Keywords:

ID:
237306
Label:

Safety relevant:

Related To:

Related To':

The integrator shall verify that the communication path to the external WD does not degrade the quality
level below the required quality level.

-
Category:
Comment
Keywords:

ID:
554234
The requirement 237306 above is only relevant when an external WD is used.
Note: The communication path to the external WD could be e.g. a SPI driver.

-
Category:
Requirement
Keywords:

ID:
237369
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the S-WdgIf program code - including configuration code - can not be
corrupted.

-
Category:
Comment
Keywords:

ID:
554832
This can be realized - for example - with ECC ROM/FLASH checks, cyclical ROM/FLASH checks, and start
up ROM/FLASH checks.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 35
10.6 S-WdgIf Application
Category:
Comment
Keywords:

ID:
236760
In contrast to the S-WdgM, the S-WdgIf API functions are not called from application level.
Except WdgIf_GetVersionInfo (), all S-WdgIf functions are called by the S-WdgM.
However, there are a few requirements to be considered on system level.

-
Category:
Comment
Keywords:

ID:
261300
The S-WdgIf does not alter data that is passed through from or to the S-WdgM.
Only the contents of the variable whose address is passed as parameter to WdgIf_GetVersionInfo () is
altered.

-
Category:
Requirement
Keywords:

ID:
236428
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for correct handling and escalation of errors detected by the S-WdgIf code via
DET monitoring.

-
Category:
Comment
Keywords:

ID:
236756
Returned error codes are handled by the caller of the function that returns a DET error.

-
Category:
Requirement
Keywords:

ID:
236430
Label:

Safety relevant:

Related To:

Related To':

The data that is used by the S-WdgIf, especially the S-WdgIf Configuration data, shall not be modified by
any other SW of the system.

-
Category:
Requirement
Keywords:

ID:
236432
Label:

Safety relevant:

Related To:

Related To':

It shall be considered that the S-WdgIf code has no mechanism for detecting and/or correcting the following
errors:
  corruption of the S-WdgIf memory for constants,
  corruption of the S-WdgIf code memory, and
  corruption of the S-WdgIf local RAM memory (i.e. the local variables placed on the stack).

-
Category:
Requirement
Keywords:

ID:
236434
Label:

Safety relevant:

Related To:

Related To':

The integrator shall guarantee that the address spaces that are listed in the requirement above and for
which the S-WdgIf offers no mechanism for error detection and error correction can not be corrupted.

-
Category:
Comment
Keywords:

ID:
236438
If a mechanism for detecting/correcting of such manipulations is implemented in the application level or
system level, then it should also cover the S-WdgIf code.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 36
10.6.1
S-WdgIf API Functions
Category:
Comment
Keywords:

ID:
262246
There are no function specific requirements for the S-WdgIf API functions, except WdgIf_GetVersionInfo ().
However, some requirements concern all functions need to be met.

-
Category:
Comment
Keywords:

ID:
262301
The considered API functions/macros are:
  WdgIf_Setmode (),
  WdgIf_SetTriggerCondition (),
  WdgIf_SetTriggerWindow (),
  WdgIf_GetTickCounter (), and
  WdgIf_GetVersionInfo () (macro).

-
Category:
Requirement
Keywords:

ID:
262242
Label:

Safety relevant:

Related To:

Related To':

It is the responsibility of the integrator to verify the correctness of parameters passed to the S-WdgIf API
functions. Especially, that parameters are not modified when passed from S-WdgM API functions to S-
WdgIf API functions .

-
Category:
Requirement
Keywords:

ID:
262243
Label:

Safety relevant:

Related To:

Related To':

Some S-WdgIf API functions have a pointer to data as argument. The integrator is responsible that this data
is not modified by code other than the S-WdgM.

-
Category:
Comment
Keywords:

ID:
262244
This concerns WdgIf_GetVersionInfo ().
Note: A wrong pointer could cause data corruption inside of the module that calls this macro.

-
Category:
Requirement
Keywords:

ID:
262247
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for correct error escalation if a S-WdgIf API function returns E_NOT_OK.

-
Category:
Comment
Keywords:

ID:
262248
For the list of functions hat return E_NOT_OK, see comment 235936 in subsection "Return Values" in
section "Error Handling" above.

-
Category:
Requirement
Keywords:

ID:
262238
Label:

Safety relevant:

Related To:

Related To':

The integrator shall retrieve the current version of the S-WdgIf using WdgIf_GetVersionInfo () only.

-
Category:
Comment
Keywords:

ID:
262240
WdgIf_GetVersionInfo () is only available if WDGIF_VERSION_INFO_API is set to STD_ON.

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 37

-
Category:
Requirement
Keywords:

ID:
265954
Label:

Safety relevant:

Related To:
__MKSID__263878
Related To':

WdgIf_GetVersionInfo () shall be called with a correct pointer (e.g. use a pointer of type
Std_VersionInfoType without a type cast).

-
10.6.2
Memory Access
Category:
Comment
Keywords:

ID:
236784
The S-WdgIf does not access the hardware registers directly. The hardware could be accessed by calls of
the S-Wdg driver functions. The access of registers by the S-Wdg driver is platform and implementation
dependent and "supervisor" or "privileged" MCU mode may be necessary.

-
10.6.3
Concurrent Function Calls
Category:
Comment
Keywords:

ID:
283153
The following table shows which functions may run concurrently:

figure 1

HW
The interruption is HW dependent and only allowed if interruption of the corresponding WD driver
function is allowed. The corresponding function is:
  for WdgIf_SetMode (): Wdg_infix_SetMode (),
  for WdgIf_SetTriggerCondition (): Wdg_infix_SetTriggerWindow () or
Wdg_infix_SetTriggerCondition () (depending on the AUTOSAR version)
  for WdgIf_SetTriggerWindow (): Wdg_infix_SetTriggerWindow () or
Wdg_infix_SetTriggerCondition () (depending on the AUTOSAR version)
  for WdgIf_GetTickCounter (): Wdg_infix_GetTickCounter ()

Y
Interruption is allowed

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 38
Y(ptr)   Interruption is allowed only if the pointers, given as an output parameter to the function, are
different
Y(reg)   Interruption is allowed only if the function Wdg_infix_GetTickCounter () is implemented as a pure
HW register read.
table 12


-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 39
11 Safety Lifecycle Tailoring
Category:
Comment
Keywords:

ID:
234297
This section describes which phases of the S-WdgIf product safety lifecycle according to [ISO26262] were
executed by TTTech during the development and which phases have to be executed by the integrator.

-
Category:
Comment
Keywords:

ID:
234299
The S-WdgIf is a software unit representing a safety element out of context (SEooC) according to
[ISO26262], part 10. The SW requirements of the S-WdgIf are based on [AS_WDGIF_SWS] and
[TT_WDGIF_SRD] with deviations listed in [TT_WDGIF_UM]. The architectural design is documented in
[TT_WDGIF_UDD].

-
Category:
Comment
Keywords:

ID:
234301
The following ISO 26262 phases were executed by TTTech:
  3-7 (Hazard analysis and risk assessment *)),
  3-8 (Functional Safety Concept *)),
  4-6 (Technical Safety Concept *)),
  4-7 (System Design *)),
  6-5 (Initiation of product development at SW level),
  6-8 (Software unit design and implementation), and
  6-9 (Software unit tests).

*) As far as related to the S-WdgIf as SEooC.

All other ISO phases were not executed by TTTech and they are the responsibility of the integrator.

-
Category:
Requirement
Keywords:

ID:
234303
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262 phase 6-6 (Specification of SW safety
requirements) to identify the system's SW safety requirements.

-
Category:
Requirement
Keywords:

ID:
234305
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262 phase 6-7 (SW architectural design) that
covers S-WdgIf code.

-
Category:
Comment
Keywords:

ID:
234311
The S-WdgIf code does not impose any special restrictions on the SW architecture design except for the
requirements in this document.

-
Category:
Requirement
Keywords:

ID:
234313
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO 26262, part 6, clause 8.4.5, b) to verify that the
software unit design of the S-WdgIf is complete with respect to the software safety requirements and the

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 40
software architecture through traceability

-
Category:
Requirement
Keywords:

ID:
234315
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of ISO/DIS 26262 phase 6-10 (SW integration and testing) to
verify that S-WdgIf code is correctly integrated into the system.

-
Category:
Requirement
Keywords:

ID:
234319
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the execution of phase ISO/DIS 26262 6-11 (Verification of SW safety
requirements) to verify the safety requirements that are related to the S-WdgIf code.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 41
12 Qualification
Category:
Comment
Keywords:

ID:
234207
The S-WdgIf has been developed according to the requirements in [ISO26262] as specified in section
"Safety Lifecycle Tailoring" above. It can be integrated in systems up to ASIL D, provided that all
requirements in this document are fulfilled.

-
Category:
Comment
Keywords:

ID:
234209
The hardware dependent qualification data for the S-WdgIf for each platform can be found in the S-Wdg
drivers' Safety Manuals.

-
Category:
Comment
Keywords:

ID:
234211
The S-WdgM Stack Safety Case [TT_WDGS_SC] lists all S-WdgIf qualification documents.

-
Category:
Comment
Keywords:

ID:
234213
The S-WdgIf unit tests are specified in [TT_WDGIF_UTS].
The S-WdgIf tests of the unit test framework are specified in [TT_WDGS_UTS].
The integration tests of the S-WdgM Stack are specified in [TT_WDGS_ITS].

-
Category:
Comment
Keywords:

ID:
260894
The environments and S-WdgIf Configurations of integration tests that have been conducted by TTTech
can be found in the Safety Manual of the various S-Wdg drivers (e.g. [TT_WDGDR_platform_SM], where
platform is the used platform. See also section "References" at the end of the document).

-
Category:
Requirement
Keywords:

ID:
234215
Label:

Safety relevant:

Related To:

Related To':

The integrator is responsible for the qualification of the S-WdgIf code for the used environment. This means
that the S-WdgIf code must be integration tested against this environment.

The environment comprises:
  the target CPU,
  the compiler and linker,
  the compiler and linker settings,
  S-WdgIf pre-compile configurations, and
  the used WDs and WD drivers.

-
Category:
Requirement
Keywords:

ID:
234217
Label:

Safety relevant:

Related To:

Related To':

If the S-WdgIf is used in an environment that differs in any way from the environment it has been tested with
(according to [TT_WDGS_ITS] and [TT_WDGIF_UTS]), then the integrator shall analyze the consequences
of the differences and conduct corresponding tests (see [ISO26262] part 6, clause 9, in particular
[ISO26262] clause 9.4.6).

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 42
Category:
Comment
Keywords:

ID:
234219
TTTech offers qualification of the S-WdgIf for customer-specific configurations.

-
Category:
Requirement
Keywords:

ID:
265956
Label:

Safety relevant:

Related To:
__MKSID__263827,_
Related To':

_MKSID__263846,__
MKSID__263860
The integrator shall run integration tests with the generated configurations for S-WdgM and S-WdgIf.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 43
13 Resource Requirements
Category:
Comment
Keywords:

ID:
234197
The memory consumption and runtime consumption of the S-WdgIf depends on the chosen HW, which
itself is chosen by the used S-Wdg driver.
The resource requirements of the complete S-WdgM Stack can be found in the Safety Manual of the
according S-Wdg driver.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 44
14 Constraints and known Problems
Category:
Comment
Keywords:

ID:
290609
For known problems see the Release Notes document delivered with this software module.

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 45
15 References
Category:
Comment
Keywords:

ID:
234117
[ISO26262] ISO26262, Internation Standard, Road vehicles- Functional safety, First edition 2011-11-15

-
Category:
Comment
Keywords:

ID:
234119
[TT_WDGM_SM] TTTech Automotive GmbH, Safe Watchdog Manager - Safety Manual, D-SAFEX-S-70-
001

-
Category:
Comment
Keywords:

ID:
234121
[TT_WDGDR_MPC56xx_SM] TTTech Automotive GmbH, Safe Watchdog Driver for MPC56xx - Safety
Manual, D-MSP-M-70-022

-
Category:
Comment
Keywords:

ID:
554844
[TT_WDGDR_SAFETCORE_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TriCore and
SafeTcore - Safety Manual, D-SAFEX-S-70-013

-
Category:
Comment
Keywords:

ID:
234125
[TT_WDGDR_TMS570LS3x_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TMS570LS3x -
Safety Manual, D-SAFEX-S-70-015

-
Category:
Comment
Keywords:

ID:
234123
[TT_WDGDR_V850E2PJ4_SM] TTTech Automotive GmbH, Safe Watchdog Driver for V850E2PJ4 - Safety
Manual, D-SAFEX-S-70-029

-
Category:
Comment
Keywords:

ID:
554842
[TT_WDGDR_TMS570LS_TPS65381_SM] TTTech Automotive GmbH, Safe Watchdog Driver for
TMS570LS_TPS65381 - Safety Manual,
D-SAFEX-S-70-038

-
Category:
Comment
Keywords:

ID:
554840
[TT_WDGDR_MPC5643L_ATA5021_SM] TTTech Automotive GmbH, Safe Watchdog Driver for
MPC5643L_ATA5021 - Safety Manual, D-SAFEX-S-70-049

-
Category:
Comment
Keywords:

ID:
234127
[TT_WDGS_SC] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Safety Case, D-SAFEX-IN-
70-001

-
Category:
Comment
Keywords:

ID:
234129
[TT_WDGM_UM] TTTech Automotive GmbH, Safe Watchdog Manager - User Manual, D-MSP-M-70-001

-
Category:
Comment
Keywords:

ID:
234131
[TT_WDGIF_UM] TTTech Automotive GmbH, Safe Watchdog Interface - User Manual, D-MSP-M-70-006

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 46
Category:
Comment
Keywords:

ID:
234133
[TT_WDGDR_MPC56xx_UM] TTTech Automotive Gmbh, Safe Watchdog Driver (MPC56xx) - User Manual,
D-MSP-M-70-008

-
Category:
Comment
Keywords:

ID:
234135
[TT_WDGDR_SAFETCORE_UM] Safe Watchdog Driver (SafeTcore) - User Manual, D-MSP-M-70-007

-
Category:
Comment
Keywords:

ID:
234137
[TT_WDGDR_TMS570LS3x_UM] TTTech Automotive GbmH, Safe Watchdog Driver (TMS570LS3x) - User
Manual, D-MSP-M-70-010

-
Category:
Comment
Keywords:

ID:
234143
[AS_WDGM_SWS] AUTOSAR, Specification of Watchdog Manager, Version 2.0.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234145
[AS_WDGIF_SWS] AUTOSAR, Specification of Watchdog Interface, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
559938
[AS_WDGIF_SWS_3_1] AUTOSAR, Specification of Watchdog Interface, Version 2.2.2, Release 3.1,
Revision 1

-
Category:
Comment
Keywords:

ID:
234147
[AS_WDGDR_SWS] AUTOSAR, Specification of Watchdog Driver, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
237766
[AS_RTE_SWS] AUTOSAR, Specification of RTE, Version 3.0.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234149
[AS_STDTYP_SWS] AUTOSAR, Specification of Standard Types, Version 1.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234151
[AS_COMABS_SWS] AUTOSAR, Specification of Compiler Abstraction, Version 3.0.0, Release 4.0,
Revision 1

-
Category:
Comment
Keywords:

ID:
234153
[AS_PLTFM_SWS] AUTOSAR, Specification of Platform Types, Version 2.3.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234155
[AS_MEM_SWS] AUTOSAR, Specification of Memory Mapping, Version 1.2.0, Release 4.0, Revision 1

-
Category:
Comment
Keywords:

ID:
234177
[TI_SPNU511_UM] Texas Instruments, Safety Manual for TMS570LS31x/21x and RM48x Hercules™
ARM® Safety Critical Microcontrollers - User's Guide, Literature Number: SPNU511A, February 2012

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

Ensuring Reliable Networks
Project Name: Safe Watchdog Interface
Version: 1.8.9
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-005
Page 47
15.1 Internal Documents
Category:
Comment
Keywords:

ID:
283409
The following referenced documents are internal TTTech Automotive GmbH document. For inspection,
please contact TTTech Automotive GmbH:

-
Category:
Comment
Keywords:

ID:
283417
[TT_WDGIF_ETA] TTTech Automotive GmbH, Safe Watchdog Interface - Event Tree Analysis, D-SAFEX-
S-70-012

-
Category:
Comment
Keywords:

ID:
283419
[TT_WDGIF_SRD] ] TTTech Automotive GmbH, Safe Watchdog Interface - Software Requirements
Document, D-SAFEX-S-70-002

-
Category:
Comment
Keywords:

ID:
283421
[TT_WDGIF_UDD] TTTech Automotive GmbH, Safe Watchdog Interface - Unit Design Document, D-
SAFEX-D-70-001

-
Category:
Comment
Keywords:

ID:
283423
[TT_WDGIF_UTS] TTTech Automotive Gmbh, Safe Watchdog Interface - Unit Test Specification, D-
SAFEX-V-70-002

-
Category:
Comment
Keywords:

ID:
283427
[TT_WDGS_UTS] TTTech Automotive Gmbh, Safe Watchdog Manager Stack - Unit Test Specification -
Test Framework, D-SAFEX-V-70-008

-
Category:
Comment
Keywords:

ID:
283425
[TT_WDGS_ITS] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test
Specification, D-SAFEX-V-01-001

-
Category:
Comment
Keywords:

ID:
554880
[TT_WDGS_ITR] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test Report, D-
SAFEX-V-01-002

-

Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech  Automotive GmbH
TTTech  Automotive GmbH Confidential and Proprietary Information

10 - S-WdgIf_UserManual

Safe Watchdog Interface

11 - S-WdgIf_UserManual_ind

Outline
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21

12 - S-WdgIf_UserManuals

Safe Watchdog Interface
User Manual
Version:
1.9.4
Date:
21.05.2014
Document number:
D-MSP-M-70-006
TTTech Autom otive Gm bH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, support@tttech-automotiv e.com
The data in this document may  not be altered or amended without special notif ication f rom TTTech Automotiv e GmbH. TTTech Automotiv e GmbH
undertakes no f urther obligation in relation to this document. The sof tware described in it can only  be used if  the customer is in possession of  a general
license agreement or single license.
Using and copy ing is only  allowed in concurrence with the specif ications stipulated in the contract. Under no circumstances may  any  part of  this
document be copied, reproduced, transmitted, stored in a retriev al sy stem, or translated into another language without written permission of  TTTech
Automotiv e GmbH.
The names and designations used in this document are trademarks or brands belonging to the respectiv e owners.
© 2011 - 2014 TTTech Automotiv e GmbH. All rights reserv ed.                                                                                 Subject to changes and
corrections.
TTTech Automotiv e GmbH Conf idential and Proprietary  Inf ormation

Introduction
Page
3
1
Introduction
The Safe Watchdog Interface  (S-WdgIf)  is  a  part  of  the  Safe  Watchdog  Manager
Stack.
Note: This is a user manual and does not cover safety-related topics. For safety-related
projects  that  need  to  fulfill  ISO  26262  requirements,  refer  to  the  Safe  Watchdog
Interface Safety Manual [5] 20 .
Note: The <infix> placeholder used in this document stands for the infix part of the
names of the Watchdog driver functions to which the S-WdgIf interfaces. Depending on
the version of the used AUTOSAR environment, the S-WdgIf can consist of the
following:
In AUTOSAR 4.0 compatible environment, the S-WdgIf consists of the vendor ID and
device name strings, where vendo ID is the ID of the vendor of the Watchdog driver
and device name is the name of the configured Watchdog driver device .
In AUTOSAR 3.1 compatible environment, the S-WdgIf consists of the device name
string, where device name is the name of the configured Watchdog driver device
2
Safe Watchdog Interface
2.1
Basic Functionality of the S-WdgIf
The S-WdgIf was developed according AUTOSAR version 4.0.1 [2] 20  and adapted for
the  AUTOSAR  3.1.4  environment  [1] 20 .  The  S-WdgIf  is  compatible  with  both
AUTOSAR versions, but not fully compliant. For the deviations, see section Deviations
from the AUTOSAR Watchdog Interface 5 .
The S-WdgIf is  designed  to  be  integrated  into  an AUTOSAR 3.1.4  and  4.0.1  system.
However, it is not restricted to this AUTOSAR version. The software module can also be
integrated into other versions of AUTOSAR and  other  system  software  architectures  if
the  integration  related  requirements  listed  in  the  Safe  Watchdog  Interface  Safety
Manual [5] 20  are met.
The S-WdgIf provides a standard interface to all the configured watchdog devices. The
Safe  Watchdog  Manager  (S-WdgM)  accesses  each configured  watchdog  through  its
Device Index.
The  S-WdgIf  is  hardware-independent  and  abstracts  one  or  more  Safe  Watchdog
Driver  modules  for  the  S-WdgM.  The  S-WdgM  calls  the  S-WdgIf  with a  device  index
parameter  (DeviceIndex).  It  is  translated  by  the  S-WdgIf  into  a  S-Wdg  driver
instance. If necessary, additional driver parameters are provided.
Figure 1 shows the layered structure of the  S-WdgM.  The  attached  watchdog  devices
can be internal, external, or both.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
4
Applications
Safe Watchdog
Manager user API
BSW’s
System

API
Safe Watchdog
Manager
Safe
Watchdog
Safe Watchdog
Manager
Interface
Stack
Safe
Safe
Watchdog
Watchdog
Hardware
Driver 2
Driver 1
dependent
part
Software
Hardware
External
Internal
Watchdog
Watchdog
device
device

Fig. 1: Layered structure of the Safe Watchdog M anager
2.2
Extensions to the AUTOSAR Watchdog Interface
The S-WdgIf implements and extends the  AUTOSAR  Watchdog  Interface  module.  It
implements the following two interfaces to the Watchdog Driver:
AUTOSAR-compatible interface
o Wdg_<infix>_SetTriggerCondition()
o Wdg_<infix>_SetMode()
TTTech-compatible interface
o Wdg_<infix>_SetTriggerWindow()
o Wdg_<infix>_SetMode()
Switching  between the  two  interfaces  with the  watchdog  driver  is  done  by  setting  the
parameter
6
WdgIfUseAutosarDrvApi
in  a  correspoding  way.  For  details,  see
section Integration  with  Fully  AUTOSAR  Compliant  Drivers 5  and  the  description  of
parameter
6
WdgIfUseAutosarDrvApi
in  section  Configuration  Parameters  for
the S-WdgIf 5 .
Function  WdgIf_GetTickCounter()  is  an  additional  extension  to  AUTOSAR,
providing
access
to
the
corresponding
S-Wdg
function
Wdg_<infix>_GetTickCounter(),  if  supported  by  the  hardware  and  if  the
configuration  parameter
7
WdgIfInternalTickCounterRef
is  set  in  a
correspoding
way.
For
details,
see
the
description
of
parameter
7
WdgIfInternalTickCounterRef
in section Configuration Parameters  for  the
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
5
S-WdgIf 5 .
2.3
Deviations from the AUTOSAR Watchdog Interface
For safety reasons, the S-WdgIf module should not depend on external modules. This is
why  the  AUTOSAR  module  Development  Error  Tracer  (DET)  is  called  in  the
presence
of
development
errors
only
if
the
preprocessor
switch
8
WDGIF_DEV_ERROR_DETECT
  is set to STD_ON.
The  S-WdgIf  calls  function
15
Appl_Det_ReportError()
in  order  to  report
detected DET errors instead of calling function
15
Det_ReportError()
specified in
AUTOSAR. For details, see section Expected Interfaces 15 .
2.4
Integration with Fully AUTOSAR Compliant Drivers
In order to integrate the S-WdgIf with a fully AUTOSAR-compliant  watchdog  driver  set
the  configuration  parameter
6
WdgIfUseAutosarDrvApi
to  STD_ON.  This  will
result in the following:
The AUTOSAR Wdg_<infix>_SetMode() is called out of WdgIf_SetMode().
The
Wdg_<infix>_SetTriggerCondition()
is
called
out
of
WdgIf_SetTriggerCondition().
The
Wdg_<infix>_SetTriggerCondition()
is
called
out
of
WdgIf_SetTriggerWindow()  as  well,  however,  the  parameter  WindowStart  is
not passed.
Note:
If
the
S-WdgM
is
the
caller
of
the
S-WdgIf
(i.e.,
function
WdgIf_SetTriggerWindow()  is  used  to  service  the  watchdog  device),  then  the
parameter WindowStart (WdgMTriggerWindowStart) has  no  effect,  because  it
cannot be passed to an AUTOSAR-compliant driver. It is then good practice to set it to
0, because this would be the functional meaning of its absence.
For more information about the configuration parameter WdgIfUseAutosarDrvApi
6 , see section Configuration Parameters for the S-WdgIf 5 .
2.5
Configuration Parameters for the S-WdgIf
Parameter Name
WdgIfDeviceIndex
Path
WdgIf/WdgIfDevice/WdgIfDeviceIndex
Group
Watchdog device
Type
Integer
Range
0...65535
Compatibility
AUTOSAR
Description
Represents  the  Watchdog  Device  ID  so  that  it  can  be
referenced by the S-WdgM.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
6
Parameter Name
WdgIfDriverRef
Path
WdgIf/WdgIfDevice/WdgIfDriverRef
Group
Watchdog device
Type
Reference
Range
n.a.
Compatibility
AUTOSAR
Description
Reference to the Watchdog driver of this Watchdog Device.
Parameter Name
WdgIfDevErrorDetect
Parameter Name
WDGIF_DEV_ERROR_DETECT
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfDevErrorDetect
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR
Description
Pre-processor switch for enabling the development error
reporting.
Parameter Name
WdgIfVersionInfoApi
Parameter Name
WDGIF_VERSION_INFO_API
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfVersionInfoApi
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
AUTOSAR
Description
Pre-processor switch to enable/disable the service returning
the version information.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
7
Parameter Name
WdgIfUseAutosarDrvApi
Parameter Name
WDGIF_USE_AUTOSAR_DRV_API
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfUseAutosarDrvApi
Group
Preprocessor
Type
Boolean
Range
false/true
Compatibility
TTTech
Description
Pre-processor  switch  to  enable/disable  the  use  of  fully
AUTOSAR-compliant driver API functions.
Parameter Name
WdgIfInternalTickCounterRef
Parameter Name
WDGIF_INTERNAL_TICK_COUNTER
(Embedded Code)
Path
WdgIf/WdgIfGeneral/WdgIfInternalTickCounterRef
Group
Preprocessor
Type
Reference
Range
n.a.
Compatibility
TTTech
Description
If  this  parameter  references  a  driver  which  implements  an
internal
tick
counter
then
the
function

WdgIf_InternalTickCounter() is compiled and can
be  used  by  the  S-WdgM.  Otherwise  the  API  is  not
compiled. Note:  If a driver is selected, then it  must  support
the
internal
tick
counter,
and
its
parameter
WdgInternalTickCounter must be set to TRUE.
2.6
Configuring the S-WdgIf in the ECU Description File
Apart from the preprocessor options the user must add a WdgIfDevice  container  to
the  S-WdgIf  module  in  the  ECU  description  file.  This  container  has  two  attributes:
WdgIfDeviceIndex  shall  be  set  to  zero,  and  WdgIfDriverRef 6  points  must
be selected so that it points to the Watchdog driver being used.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
8
2.7
Preprocessor Options
Option
Description
WDGIF_DEV_ERROR_DETECT
Enables  or  disables  calls  to  DET  in  case  of
development
errors.
Corresponds
to
ECU
description option
6
WdgIfDevErrorDetect
.
STD_ON: Development errors are checked and
reported to DET
STD_OFF: Development errors are checked but
not reported to DET
WDGIF_VERSION_INFO_API
Enables the version info API for  compiling  (can be
disabled in order to save resources).  Corresponds
to
ECU
description
option

8
WdgIfVersionInfoApi
.
STD_ON: The S-WdgIf API for version information
is provided.
STD_OFF: The S-WdgIf API for version
information is not provided.
WDGIF_INTERNAL_TICK_COUNTER
Enables  or  disables  the  usage  of  an  internal  tick
counter  in  the  S-WdgIf.  Corresponds  to  ECU
description
option

8
WdgIfInternalTickCounterRef
.
If
a
driver  is  referenced  the  usage  of  an  internal  tick
counter is enabled, otherwise disabled.
WDGIF_USE_AUTOSAR_DRV_API
Enables  or  disables  the  use  of  fully  AUTOSAR-
compliant driver API functions.
STD_ON:
AUTOSAR-compliant
driver
API
functions  are  used.  Note:  The  parameter
WindowStart
(WdgMTriggerWindowStart) of the  S-WdgM
configuration is then ignored. Therefore, it is good
practice to set it to 0.
STD_OFF:  TTTech driver API functions are used.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page
9
2.8
File Structure
Figure 2 gives an overview of the file structure of the S-WdgIf.

Fig. 2: File structure of the S-WdgIf
The  implementation  of  the  S-WdgIf  module  is  in  the  file  WdgIf.c.  File  WdgIf.c
provides  an interface  to  the  upper  layer,  the  S-WdgM,  and  includes  the  header  file
WdgIf.h.  The  header  files  WdgIf_Types.h  and  Std_Types.h  are  included
indirectly through the WdgIf.h.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page 10
File
Description
WdgIf_Types.h
S-WdgIf  and  common  Safe  Watchdog  Stack  type
definitions
WdgIf_Cfg.h
Pre-compile time definitions
MemMap.h
Is included directly in the  module  implementation files
to organize code, data and constants in the memory.
Appl_Det.h
Appl_Det.h is included instead of Det.h, because
the  reporting  of  development  errors  is  not  done  by
directly calling  the  DET service  Det_ReportError
15
()
,  but  by  calling  the  user-defined  service
Appl_Det_ReportError() 15 .
Note:  This  service  could  just  be  a  direct  call  to  the
external  module  DET,  but  could  also  perform  more
complex operations such as switching the  OS  context
before calling DET.
WdgIf_Lcfg.c and
These files contain the generated configuration.
WdgIf_Lcfg.h
WdgIf_Cfg_Features.h
Is generated and contains all preprocessor options for
the S-WdgIf module.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Safe Watchdog Interface
Page 11
3
API Description
This section describes the types, functions and interfaces that are imported or provided
by the S-WdgIf software layer.
3.1
Type Definitions
This section describes the types of the parameters passed to the API functions of the
S-WdgIf.
Name
WdgIf_InterfaceFunctionsType
Type
Structure
Elements
Std_ReturnType (*
Pointer to the platform-specific SetMode
Wdg_SetMode) (uint8,
function
WdgIf_ModeType)
void (*
Pointer to the platform-specific
Wdg_SetTriggerWindow)
SetTriggerWindow function
(uint8, uint16, uint16)
Description
Provides pointers to the platform-specific APIs
Name
WdgIf_InterfaceFunctionsPerWdgDeviceType
Type
Structure
Elements
const
Pointers to the platform-specific
WdgIf_InterfaceFunctions
functions
Type* WdgFunctions
const uint8 WdgInstance
Index of the physical watchdog instance
within this platform
Description
Connects platform-dependent functions to a physical watchdog in
order to allow several watchdogs of the same platform to work
simultaneously (e.g., external watchdogs).
Name
WdgIf_InterfaceType
Type
Structure
Elements
const uint8 NumOfWdgs
Number of watchdogs supported in the
S-WdgIf
const
Reference to the functions and physical
WdgIf_InterfaceFunctionsPerW
watchdog indices
dgDeviceType*
WdgFunctionsPerDevice
#if
Function pointer to the
(WDGIF_INTERNAL_TICK_COUNTER
GetTickCounter driver function if the
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 12
== STD_ON)
internal tick counter is switched on
uint32 (*Wdg_GetTickCounter)
(void)
#endif
Description
Main S-WdgIf configuration structure.
Name
WdgIf_ModeType
Type
Enumeration
Range
WDGIF_OFF_MODE: Watchdog disabled
WDGIF_SLOW_MODE: Long timeout period (slow
triggering)
WDGIF_FAST_MODE: Short timeout period (fast
triggering)
Description
Mode of the Watchdog
3.2
S-WdgIf Functions
Syntax
Std_ReturnType WdgIf_SetMode
(uint8 DeviceIndex, WdgIf_ModeType Mode)
Service ID
0x01
[hex]
Sync/Async
Synchronous
Reentrant?
No
Parameters
DeviceIndex: Identifies the watchdog instance.
(in)
Mode: One of the following statically configured modes:
o WDGIF_OFF_MODE: Watchdog disabled
o WDGIF_SLOW_MODE: Long timeout period (slow triggering)
o WDGIF_FAST_MODE: Short timeout period (fast triggering)
Parameters
none
(in/out)
Parameters
none
(out)
Return value
E_OK: API finished successfully.
E_NOT_OK: An error occurred during execution.
Description
This function maps the SetMode service to the corresponding
physical watchdog implementation according to the parameter
DeviceIndex.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 13
Syntax
Std_ReturnType WdgIf_SetTriggerCondition
(uint8 DeviceIndex, uint16 Timeout)
Service ID[hex]
0x02
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
DeviceIndex: Identifies the watchdog instance.
Timeout: Timeout value in milliseconds for setting the trigger
counter.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
E_OK: API finished successfully.
E_NOT_OK: An error occurred during execution.
Description
This function maps the SetTriggerCondition service to
the corresponding physical watchdog implementation according
to the parameter DeviceIndex.
Syntax
Std_ReturnType WdgIf_SetTriggerWindow
(uint8 DeviceIndex, uint16 WindowStart,
uint16 Timeout)
Service ID[hex]
0x04
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
DeviceIndex: Identifies the watchdog instance.
WindowStart: Minimum time until next watchdog service is
allowed in milliseconds.
Timeout: Timeout value in milliseconds for setting the trigger
counter.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
E_OK: API finished successfully.
E_NOT_OK: An error occurred during execution.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 14
Description
This function maps the SetTriggerWindow service to the
corresponding physical watchdog implementation according to
the parameter DeviceIndex.
Syntax
void WdgIf_GetVersionInfo
(Std_VersionInfoType* VersionInfoPtr)
Service ID[hex] 0x03
Sync/Async
Synchronous
Reentrant?
No
Parameters (in) VersionInfoPtr: Pointer to where to store the version
information of this module.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
void
Description
This function is implemented as a macro and returns the version
information about this module. This function is only enabled if the
preprocessor switch WDGIF_VERSION_INFO_API 8 is
STD_ON.
Syntax
uint32 WdgIf_GetTickCounter (void)
Service ID[hex]
none
Sync/Async
Synchronous
Reentrant?
No
Parameters (in)
TickCounter: Pointer to where to store the tick counter
value provided by the driver.
Parameters
none
(in/out)
Parameters
none
(out)
Return value
The current hardware tick counter of type uint32.
Description
This function returns the current hardware tick counter.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 15
3.3
Expected Interfaces
This section describes the expected interfaces to external modules used by the S-WdgIf
and their activation conditions.
Function
Description
Appl_Det_ReportError()
If the preprocessor option
8
WDGIF_DEV_ERROR_DETECT
is set to
STD_ON, the S-WdgIf references the function
Appl_Det_ReportError() of the DET
API.
Note: If the pre-compiler option
WDGIF_DEV_ERROR_DETECT is set to
STD_OFF, the S-WdgIf is self-contained and
does not call any functions from external
modules.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

API Description
Page 16
4
S-WdgIf Configuration
This section describes the configuration of the S-WdgIf.
4.1
Link Time Configuration
The link time configuration for the S-WdgIf is configured in the ECU description file, e.g.,
by a tool such as DaVinci Configurator Pro . Basically, link time configuration
contains all information needed for mapping each underlying watchdog driver to a
device index. The configuration can be generated by the S-WdgIf configuration
generator, described in section The S-WdgIf Configuration Generator 16 .
4.2
S-WdgIf Configuration Generator
The S-WdgIf generator is a Microsoft Windows console application that can be
launched from a command prompt window by entering the command
Wdg_If_Cfg_Gen.exe. The S-WdgIf generator reads the S-WdgIf module
information from the AUTOSAR ECU description file (*.arxml) and generates
configuration structures for the S-WdgIf.
Note: Alternatively, you can use the DaVinci Configurator from Vector Informatik
GmbH.
To use the S-Wdg generator, enter the following command in a command prompt
window:
Wdg_If_Cfg_Gen.exe [options] <ECU-DESC-FILE> <OUTPUT-DIR>
<BSWMD_DIR>
[options]
Description
--version
Show the application version number and exits.
-h/--help
Shows this help message and exits.
Parameter
Description
<ECU-DESC-FILE>
The ECU description file (*.arxml). It is generated by
a development tool (e.g.,from the DaVinci tool chain).
<OUTPUT-DIR>
The destination folder for the generated output. You
must specify this parameter.
<BSWMD_DIR>
The directory in which the Configuration Generator
recursively searches for the BSWMD file(s) that
describe the used Watchdog drivers.
The respective configuration for the S-WdgIf is exported to two files:
WdgIf_Lcfg.c
WdgIf_Lcfg.h
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

S-WdgIf Configuration
Page 17
4.3
Error Messages
The generator will show an error message in the command prompt window and quit if
something goes wrong during configuration generation.
4.3.1
Basic Errors
Error
Error Message
No.
1
Bad call syntax.
2
Cannot open ECU description file `%s`.
3
Cannot convert float parameter `%s/%s` to an Watchdog ticks.
4
Cannot convert `%s` to a numerical value.
5
Fatal error.
6
Method `%s` must be implementd by subclass of `%s`.
7
Missing WdgM data.
4.3.2
Semantic Errors
Error
Error Message
No.
1007
Missing non-zero value for `RTICLK_khz`.
1008
Non-supported platform `%s`.
1009
%s platform: Bad WDGIF_SLOW_MODE configuration:
InitialTimeout_ms = %d > %d = SlowModeMax_ms.
1010
%s platform: Bad WDGIF_SLOW_MODE configuration:
InitialWindowStart_ms = %d > %d = SlowModeMax_ms.
1011
%s platform: Bad WDGIF_FAST_MODE configuration:
InitialTimeout_ms = %d > %d = FastModeMax_ms.
1012
%s platform: Bad WDGIF_FAST_MODE configuration:
InitialWindowStart_ms = %d > %d = FastModeMax_ms.
1013
%s platform: Bad WDGIF_FAST_MODE configuration:
InitialWindowStart_ms = %d >= %d = InitialTimeout_ms.
1014
WDGIF_OFF_MODE not supported for %s.
1022
`Wdg/WdgSettingsConfig/WdgRtiKhz` must be a non-zero value.
1023
`Wdg/WdgSettingsConfig/WdgFpiKhz` must be a non-zero value.
1024
Missing or unsupported driver. (Also verify the ECU description
file's AUTOSAR XML namespace).
1030
`/Wdg/WdgSettingsConfig/fSIRCkhz` must be a non-zero value.
1032
Cannot generate code for unknown driver `%s`.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

S-WdgIf Configuration
Page 18
Verify module having `DEFINITION-REF` ending with `.../Wdg`.
1033
Watchdog IF references unknown driver `%s`.
Verify module reference having a `DEFINITION-REF` ending with
`...WdgIf/WdgIfDevice/WdgIfDriverRef.
1041
No device found for Watchdog `%s`. Verify elements defined
by `..WdgIf/WdgIfDevice`.
1042
Device for `%s` platform has no device index.
Verify elements defined by `.../WdgIfDeviceIndex`.
1046
Error trying to identify the Watchdog's platform
1047
Error trying to generate Wdg_MemMap.h.
1067
No default `WdgDefaultMode` defined.
1074
The specified ticks per second value for the used WdgMmode
(%d Hz) and the RTI clock frequency (%d Hz) must satisfy
the following condition: 0 < ticks_per_second <= rti_hz / 2.
1077
The `MPC5643L_MC33904` platform requires `WdgInitialTimeout`
= 12 [ms].
1078
The `MPC5643L_MC33904` platform requires `WdgWindowStart`
= 6 [ms].
1079
One of the WdgMTrigger elements associated with WdgMWatchdog
`%s` has a WdgMTriggerConditionValue value which does not
match the WdgInitialTimeout (%d ms) defined for the `%s` driver.
1080
One of the WdgMTrigger elements associated with WdgMWatchdog
`%s` has a WdgMTriggerWindowStart value which does not
match the `WdgWindowStart` (%d ms) defined for the `%s` driver.
1087
There are more than 1 watchdogs with an internal tick counter
(%s)
1088
`%s` has an active internal tick counter but the Watchdog
Interface
does not reference it via `WdgIfInternalTickCounterRef`.
1089
The driver (`%s`) referenced by the Watchdog Interface via
`WdgIfInternalTickCounterRef` has no active internal tick
counter.
1117
`/Wdg/WdgSettingsConfig/SysClkKhz` must be a non-zero value.
1118
MPC56xx: using an internal tick counter requires configuring
`STMdebugModeControl`.
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

S-WdgIf Configuration
Page 19
5
Abbreviations
Abbreviation
Description
API
Application Programming Interface
AUTOSAR
AUTOSAR  (AUTomotive  Open  System  ARchitecture)  is  a
worldwide  development  partnership  of  car  manufacturers,
suppliers  and  other  companies  from  the
electronics,
semiconductor and software industry.
DEM
Diagnostic Event Manager
DET
Development Error Tracer
ECU
Electronic Control Unit
MCU
Microcontroller Unit
S-Wdg
Safe Watchdog Driver (implementation by TTTech)
S-WdgIf
Safe Watchdog Interface (implementation by TTTech)
S-WdgM
Safe Watchdog Manager (implementation by TTTech)
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Abbreviations
Page 20
6
References
[1]
AUTOSAR, Specification of Watchdog Interface. V. 2.2.2, Rel. 3.1, Rev. 1
[2]
AUTOSAR, Specification of Watchdog Interface. V. 2.3.0, Rel. 4.0, Rev. 1
[3]
TTTech Automotive GmbH, Safe Watchdog Manager, Safety Manual, V. 2.0.2
[4]
TTTech Automotive GmbH, Safe Watchdog Manager, User Manual, V. 1.8.0
[5]
TTTech Automotive GmbH, Safe Watchdog Interface, Safety Manual, V. 1.8.0
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Index
Safe Watchdog Interface
Page 21
Index
- M -
MemMap.h     10
- A -
- P -
Abbreviations     19
API Description     11
Preprocessor Options     8
Appl_Det.h     10
Appl_Det_ReportError     10
- S -
Appl_Det_ReportError()     15
- B -
Safe Watchdog Interface     3
Std_Types.h     9
S-WdgIf Configuration     16
Basic Functionality of the S-WdgIf     3
S-WdgIf Configuration Generator     16
S-WdgIf Functions     12
- C -
- T -
Configuration Parameters for the S-WdgIf     5
Type Definitions     11
- D -
- W -
Det_ReportError     10
Det_ReportError()     15
WdgIf.c.     9
Deviations from the AUTOSAR Watchdog Interface
WdgIf.h     9
5
WdgIf_Cfg.h     10
WdgIf_Cfg_Features.h     10, 11
- E -
WDGIF_DEV_ERROR_DETECT     6, 8, 15
WdgIf_GetTickCounter     5
ECU Description Configuration     7
WdgIf_GetTickCounter()     14
Error messages
WdgIf_GetVersionInfo()     14
basic errors     17
WdgIf_InterfaceFunctionsPerWdgDeviceType     11
semantic errors     17
WdgIf_InterfaceType     11
Expected Interfaces     15
WDGIF_INTERNAL_TICK_COUNTER     7, 8
WdgIf_InternalTickCounter()     7
- F -
WdgIf_Lcfg.c     10
WdgIf_Lcfg.h     10
WdgIf_ModeType     12
File Structure     9
WdgIf_SetMode()     12
- I -
WdgIf_SetTriggerCondition()     13
WdgIf_SetTriggerWindow()     13
WdgIf_Types.h     10
Introduction     3
WDGIF_USE_AUTOSAR_DRV_API     7, 8
WDGIF_VERSION_INFO_API     6, 8
- L -
WdgIfDevErrorDetect     6, 8
WdgIfDriverRef     6, 7
Link Time Configuration     16
WdgIfInternalTickCounterRef     7, 8
WdgIfVersionInfoApi     6, 8
Safe Watchdog Interface 1.9.4
© 2011 - 2014 TTTech Automotive GmbH
Document number: D-MSP-M-70-006
TTTech Automotive Confidential and Proprietary

Document Outline

13 - WdgIf Peer Review Checklists

Overview

Summary Sheet
Synergy Project

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. WdgIf

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. WdgIf_Vector_Ar4.0.3_03.03.06_0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Lucas Wendling

Work CR ID:

EA4#3182

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

N/A

Source Code

N/A

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created

source files and documentation

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

Follows convention created for

naming convention

BSW components

Project contains necessary subprojects

N/A

Comments:

Project contains the correct version of subprojects

N/A

Comments:

Design subproject is correct version

N/A

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Lucas Wendling

Review Date :

01/21/16

Lead Peer Reviewer:

Jared Julien

Approved by Reviewer(s):

Yes

Other Reviewer(s):