Watchdog Manager - Component Documentation
S-WdgM_ReleaseNotes
Safe Watchdog Manager Release Notes
Author: TTTech
Security: Confidential
Document number: D-SAFEX-RP-70-012
Document Version: 3.4.6
Date: 21.11.2014
Status: released
Review: JDU
TTTech Automotive GmbH Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no further obligation in relation to this document.
Copyright © 2009, TTTech Automotive GmbH. All rights reserved. Subject to change and corrections
Project Name: Safe Watchdog Manager
Version: 3.4.6
Document Title: Release Notes
Doc.No: D-SAFEX-RP-70-012
Page 2
Approval

Name | Function | Signature
PPU | Project Manager |
TGA | Head of Software Department |
MAL | Quality Manager |
Revision Chart
A revision is a new edition of the document and affects all sections of this document.

Document Version | Date | Responsible Person | Modification
0.9.0 | 09.06.2011 | PPU | Version for Series Release 0.9
0.9.1 | 17.06.2011 | PPU | Integration with DaVinci tool chain.
1.0.0 | 15.07.2011 | PPU | Integration with DaVinci tool chain.
1.1.0 | 19.08.2011 | PPU | Version for Series Release 1.1
1.2.0 | 07.09.2011 | PPU | Version 1.2.0, TMP570LS3xx related release
1.3.0 | 16.09.2011 | PPU | Version 1.3.0, MPC56xx (MPC5604B) release
1.3.1 | 06.12.2011 | PPU | Version 1.3.1, Wdg_MPC56xx_bswmd.arxml changed only
1.4.0 | 14.12.2011 | PPU | New software release and document split. Watchdog Manager, Interface and Driver become their own release documents.
1.5.0 | 10.02.2012 | PPU | Version 1.5.0
1.6.0 | 08.03.2012 | PPU | Release 1.6.0
1.7.0 | 13.04.2012 | PPU | Release 1.7.0
1.8.0 | 21.11.2014 | PPU | Release 1.8.0
1.8.1 | 12.06.2012 | PPU | Release 1.8.1 did not contain the WdgM module. It contains the MPC56xx driver only.
1.8.2 | 13.07.2012 | PPU | Release 1.8.2, bug fixes, Manager release only
Date: 21.11.2014
File name: S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH Version: 3.4.6
Author: TTTech
1.9.0 | 07.09.2012 | PPU | Release 1.9.0, code only
1.9.1 | 15.09.2012 | PPU | Release 1.9.1, documentation only
1.9.2 | 21.09.2012 | PPU | Release 1.9.2, style sheet update
1.9.3 | 02.10.2012 | PPU | Release 1.9.3, S-WdgM Verifier update, S-WdgM_UserManual document update, S-WdgM_Stack_SafetyCase document new
2.0.7 | 25.10.2012 | PPU | Test release 2.0.7 to check the delivery structure. This is NOT a customer release!
3.0.3 | 16.11.2012 | PPU | Cumulative module update. (The major version changed to 3 because of the API change in function WdgIf_GetTickCounter().)
3.1.0 | 11.01.2013 | PPU | Release 1.11.0, embedded code not changed
3.1.1 | 27.02.2013 | PPU | Release 1.13.0, Verifier update only
3.2.0 | 05.04.2013 | JDU | Release 1.14.0, generator update only
3.3.2 | 29.11.2013 | PPU | Release 1.21.0, generator only
3.4.0 | 19.02.2014 | PPU | Autosar 4 update and bug fixes, beta version
3.4.1 | 21.03.2014 | PPU | Update and bug fixes for Autosar 4 environment compatibility. Backward compatibility to the Autosar 3.1 environment added too.
3.4.2 | 10.04.2014 | PPU | Generator bug fix for Autosar compatible driver
3.4.3 | 27.05.2014 | PPU | Release for the AUTOSAR 4.0 and AUTOSAR 3.1 compatible S-WdgM module
3.4.4 | 14.08.2014 | PPU | Safety Case document for previous version 3.4.3 released only.
3.4.5 | 04.11.2014 | PPU | S-WdgM Generator correction only
3.4.6 | 21.11.2014 | PPU | S-WdgM Generator correction only
Contents
1 Overview (p. 6)
2 Content of the Module Release (p. 7)
3 Change history (p. 9)
3.1 Changes with version 3.4.6 (p. 9)
3.2 Changes with version 3.4.5 (p. 9)
3.3 Changes with version 3.4.4 (p. 10)
3.4 Changes with version 3.4.3 (p. 10)
3.5 Changes with version 3.4.2 (p. 10)
3.6 Changes with version 3.4.1 (p. 11)
3.7 Changes with version 3.4.0 (p. 11)
3.8 Changes with version 3.3.2 (p. 11)
3.9 Changes with version 3.2.0 (p. 11)
3.10 Changes with version 3.1.2 (p. 13)
3.11 Changes with version 3.1.1 (p. 13)
3.12 Changes with version 3.1.0 (p. 13)
3.13 Changes with version 3.0.3 (p. 14)
3.14 Changes with version 2.0.7 (p. 15)
3.15 Changes with TTTech Release 1.9.3: S-WdgM Subpackage 2.0.6 (p. 15)
3.16 Changes with TTTech Release 1.9.2: S-WdgM Subpackage 2.0.5 (p. 16)
3.17 Changes with Release 1.9.1: S-WdgM Subpackage 2.0.4 (p. 17)
3.18 Changes with Release 1.9.0: S-WdgM Subpackage 2.0.3 (p. 17)
3.19 Changes with Release 1.8.2: S-WdgM Subpackage 1.8.2 (p. 20)
3.20 Changes with Release 1.8.0: S-WdgM Subpackage 1.8.0 (p. 20)
3.21 Changes with Release 1.7.0: S-WdgM Subpackage 1.7.0 (p. 20)
3.22 Changes with Release 1.6.0: S-WdgM Subpackage 1.6.0 (p. 20)
3.23 Changes with Release 1.5.0: S-WdgM Subpackage 1.5.0 (p. 21)
3.24 Changes with Release 1.4.0: S-WdgM Subpackage 1.4.0 (p. 21)
3.25 Changes with Release 1.3.1: WdgM Subpackage 1.3.1 (p. 21)
3.26 Changes with Release 1.3.0 (p. 21)
3.27 Changes with Release 1.2.0: WdgM Subpackage 1.2.0 (p. 21)
3.28 Changes with Release 1.1.0: WdgM Subpackage 1.1.0 (p. 22)
3.29 Changes with Release 1.0.0: WdgM Subpackage 1.0.0 (p. 23)
4 Test status (p. 24)
5 Known issues, limitations, updates (p. 25)
6 Abbreviation and glossary (p. 26)
1 Overview
The Safe Watchdog Manager (S-WdgM) is the upper software layer of the Safe Watchdog Manager Stack.
The S-WdgM Stack is part of the service layer of the AUTOSAR architecture. The S-WdgM monitors the program flow and timing constraints of so-called Supervised Entities. When it detects a violation of the pre-configured program flow and timing values, it takes a number of configurable actions to recover from this state.
The Safe Watchdog Manager Stack consists of the following embedded software modules:
- Safe Watchdog Manager software module (hardware independent)
- Safe Watchdog Interface software module (hardware independent)
- Safe Watchdog Driver software module (hardware dependent),
and the Safe Watchdog Manager Stack configuration generators:
- Safe Watchdog Manager configuration generator (hardware independent)
- Safe Watchdog Interface configuration generator (hardware independent)
- Safe Watchdog Driver configuration generator (hardware dependent),
and the Safe Watchdog Manager Stack configuration verifier:
- Safe Watchdog Manager configuration verifier (hardware independent)
This document represents the release notes for the Safe Watchdog Manager module only.
The Safe Watchdog Manager is compatible with the WdgM module as specified in the AUTOSAR 4.0 and AUTOSAR 3.1 specifications, but not fully compliant. For deviations and justifications please see the S-WdgM User Manual.
2 Content of the Module Release

Title | Version *) | Author | Description
WdgM/ | 3.4.6 | | S-WdgM Module
  S-WdgM_ReleaseNotes.pdf | | |
Description/ | 3.3.3 | TTTech |
  WdgM_Bswmd_A4.arxml | | | For AUTOSAR 4.0.x environment
  WdgM_Bswmd.arxml | | | For AUTOSAR 3.1.y environment
Doc_SafetyManual/ | 2.3.28 | |
  S-WdgM_SafetyManual.pdf | | |
Doc_SafetyCase/ | 1.1.0 | |
  S-WdgM_SafetyCase.pdf | | |
Doc_TechRef/ | 3.3.1 | TTTech |
  S-WdgM_UserManual.pdf | | | User Manual
Generator/ | 3.3.15 | TTTech |
  LICENSE | | |
  Wdg_Mgr_Cfg_Gen.exe | | |
GenTool_Ead/ | 2.0.12 | TTTech |
  SWC_WdgM_A4.xsl | | | For AUTOSAR 4.0.x environment
  SWC_WdgM.xsl | | | For AUTOSAR 3.1.y environment
  Identifier.xml | | |
  Generation.xml | | |
  Generation_A4.xml | | |
Implementation/ | 3.3.3 | TTTech |
  WdgM.c | | | Watchdog Manager - Main
  WdgM_Checkpoint.c | | | Watchdog Manager - Checkpoint
  WdgM_Cfg.h | | | Watchdog Manager - Configuration structures
  WdgM.h | | | Watchdog Manager - API declaration
Verifier/ | 1.2.11 | TTTech |
  wdgm_verifier.dll | | | S-WdgM Configuration Verifier
  libwdgm_verifierdll.a | | | S-WdgM Configuration Verifier lib
  wdgm_verifier.h | | | S-WdgM Configuration Verifier
  wdgm_verifier_types.h | | | S-WdgM Configuration Verifier
  wdgm_verifier_version.h | | | S-WdgM Configuration Verifier
  verify_wdgm_header.xsl | | | S-WdgM Configuration Verifier
  verify_wdgm_source.xsl | | | S-WdgM Configuration Verifier
VerifierTools/ | 1.0.0 | |
MinGW/ | 5.1.6 | MinGW |
  w32api-3.13-mingw32-dev.tar.gz | | |
  mingwrt-3.15.2-mingw32-dll.tar.gz | | |
  mingwrt-3.15.2-mingw32-dev.tar.gz | | |
  MinGW-5.1.6.exe | | |
  mingw.ini | | |
  gcc-core-3.4.5-20060117-3.tar.gz | 3.4.5 | |
  binutils-2.19.1-mingw32-bin.tar.gz | | |
xsltproc/ | 1.0.0 | xsltproc |
  zlib1.dll | | |
  xsltproc.exe | | |
  libxslt.dll | | |
  libxml2.dll | | |
  libexslt.dll | | |
  iconv.dll | | |

*) Bold version numbers are new artefacts in this release. The non-bold artefacts are the previously released compatible artefacts. All artefacts listed here are consistent.
3 Change history
This chapter describes the changes in each released version.

3.1 Changes with version 3.4.6

Issue Nr. | Area | Found in Wk | Issue title | Release status
69689 | G | wk47 | `WdgM_PBcfg.h` shall #include `WdgM_Cfg.h` | S

The issue description (issue 69689):
The file `WdgM_PBcfg.h` uses the type `WdgM_ConfigType` but does not #include the header file where that type is defined. This normally causes no problems because the corresponding C source file `WdgM_PBcfg.c` has the following #include directives:
    #include "WdgM.h"
    #include "WdgM_PBcfg.h"
where "WdgM.h" includes the necessary `WdgM_Cfg.h`.
The current release improves this point: `WdgM_PBcfg.h` now includes `WdgM_Cfg.h` directly.
3.2 Changes with version 3.4.5
The S-WdgM module was not changed in this release; the Safety Case document was added only.

Issue Nr. | Area | Found in Wk | Issue title | Release status
68941 | G | 44/2014 | Safe Execution - Remove Cross Cutting Checks in the WdgM Config Generator | S
68932 | G | 44/2014 | Wdg Config Generator RH850P1x_TLE4473 missing parameters | S

The change description (issue 68941):
The cross-cutting checks are removed from the S-WdgM Generator. The Watchdog Manager Config Generator should not attempt to verify the Watchdog Driver's data because this is not necessary at this level. The removed cross-check parameters are the following:
- WdgGeneral/WdgInitialTimeout
- WdgSettingsConfig/WdgWindowStart
- WdgSettingsConfig/WdgSlowModeMax
- WdgSettingsConfig/WdgFastModeMax
Release status: S … solved, O … open, C … closed as obsolete
Area: E … embedded, G … generator, V … verifier, SWC … SWC/bswmd file, T … tests, D … documentation
3.3 Changes with version 3.4.4
The S-WdgM module was not changed in this release; the Safety Case document was added only.

Issue Nr. | Area | Found in Wk | Issue title | Release status
65369 | D | CW 31/2014 | Release Management Tasks for 1.26.1 | S

3.4 Changes with version 3.4.3
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
62326 | all | | Safe Execution Release 1.26.0 - Release Management Tasks (includes the collection of issues for this release) | S

3.5 Changes with version 3.4.2
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
61768 | G | Wk15 | SafeExecution - Deactivate cross-cutting tests to avoid problems with AS3-compatible Third-Party Drivers | S
3.6 Changes with version 3.4.1
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
61023 | G+E | | Issue collection for Autosar4.x S-WdgM issues and Autosar compatibility of the S-WdgIf module | S

3.7 Changes with version 3.4.0
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
59931 | G+E | | API and generator points for AUTOSAR 4, reported by Vector | S

3.8 Changes with version 3.3.2
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
58478 | G | Wk 48 | MPC5643L_ATA5021 is no "third-party" driver | S
58479 | G | Wk 48 | Add hint re need to provide driver data in EDF | S

3.9 Changes with version 3.2.0
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
51893 | G | Wk 6 | Different checks for third-party drivers | S
51859 | G | Wk 6 | Use symbolic IDs for SEs and CPs | S
52428 | G | Wk 10 | #define constants moved from source to header file | S
52577 | G | Wk 11 | Do not assume system-wide unique CP names | S
3.10 Changes with version 3.1.2

Issue Nr. | Area | Found in Wk | Issue title | Release status
52577 | G | Wk6 | "Do not assume system-wide unique CP names": if there are 2 or more checkpoints with the same name in different Supervised Entities, the generator can generate wrong configurations. | O

3.11 Changes with version 3.1.1
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
52281 | V | Wk08 | Deactivate test 36. The test is obsolete. | S
3.12 Changes with version 3.1.0
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
50917 | V | | Test 73: the Verifier doesn't read the WDGM_STATE_CHANGE_NOTIFICATION correctly. | S
50131 | G | Wk45 | WdgM and WdgIf config generators must work together with unsupported Wdg Drivers | S
49656 | V | | Verifier - Sorting of parameters might make test results wrong. | S
48637 | G | Wk36 | CP ID is used as CFG array ID (when the CP IDs are not sorted, the generator stops generating) | S
51164 | D | Wk02 | Safety Manual update | S
51222 | D | Wk02 | Safety Case update (version numbers) | S
3.13 Changes with version 3.0.3
S-WdgM module changes and corrections:

Issue Nr. | Area | Found in Wk | Issue title | Release status
50131 | G | Wk45 | WdgM and WdgIF config generators must work together with unsupported Wdg Drivers | S partly
49950 | E | Wk45 | WdgM: line 792: warning (dcc:1516): parameter CallerID is never used | S
49735 | E | Wk44 | WdgM: WdgM_GlobalSuspendInterrupts() should be defined "extern" and renamed to GlobalSuspendInterrupts() | S
49837 | E | Wk44 | Common Suspend/Restore Interrupt routines shall be used | S
48420 | E | Wk44 | Deactivating an active SE should in some cases raise a DET report | S
48667 | G | Wk43 | Generator shall generate constants with 'u' suffix | S
48637 | G | Wk 36 | The CP and SE IDs must be strictly ordered. Otherwise the Generator raises an error. | O (change request)
48601 | SWC | | Uneven implementation of port defined argument values for port interface <WdgM_GlobalMode> | S
48993 | E | | WdgIf_GetTickCounter() writes to WdgM global memory | S
48818 | G | | S-WdgM Code segment fixed in the WdgM_MemMap.h file | S
3.14 Changes with version 2.0.7
Test release for the new versioning and delivery structure. This is not a customer version. Used internally only.
S-WdgM module changes and corrections:
Embedded Code changes: none
Generator changes: none
Verifier changes: none
Documentation changes: none
DaVinci interface changes: none
3.15 Changes with TTTech Release 1.9.3: S-WdgM Subpackage 2.0.6
This release contains an update of the Watchdog Manager Configuration Verifier. The release is compatible with the embedded code basis of release 1.9.0 and documentation releases 1.9.1 and 1.9.2.
Embedded Code changes: none
Generator changes: none
Verifier changes:
- Report file header corrected ("TTTech Internal Use only" removed).
- [46858] Verify all relevant WdgM global settings
- [48716] Detect NULL pointers
Documentation changes:
- S-WdgM User Manual - update
- S-WdgM Stack Safety Case - new
DaVinci interface changes: none

Open issues in this release:

Issue Nr. | Area | Issue title | Release 1.9.3
48993 | E | WdgIf_GetTickCounter() writes to WdgM global memory | O
48818 | G | S-WdgM Code segment fixed in the WdgM_MemMap.h file | O
48601 | SWC | Uneven implementation of port defined argument values for port interface <WdgM_GlobalMode> | O
3.16 Changes with TTTech Release 1.9.2: S-WdgM Subpackage 2.0.5
This release contains an update of the Watchdog Manager SWC_WdgM.xsl file only. The release is compatible with the embedded code basis of release 1.9.0 and documentation release 1.9.1.
Embedded Code changes: none
Generator changes: none
Verifier changes: none
Documentation changes: none
DaVinci interface changes:
- [47956] SWC_WdgM.xsl file changed because of a problem with the WdgMTimebaseSource parameter. The selection of WDGM_INTERNAL_HARDWARE_TICK was not possible.
3.17 Changes with Release 1.9.1: S-WdgM Subpackage 2.0.4
This release contains S-WdgM documentation and the S-WdgM Verifier only. The documentation in this release is compatible with the embedded code basis of release 1.9.0 (Subpackage 2.0.3).
Embedded Code changes: none
Generator changes: none
Verifier issues: see the chapter "Known issues, limitations, updates"
Documentation changes:
- [48745] S-WdgM Safety Manual Formal Review
- [48722] S-WdgM User Manual Review
3.18 Changes with Release 1.9.0: S-WdgM Subpackage 2.0.3
Open issues in this release:

Issue Nr. | Area | Issue title | Release 1.9.0
48624 | E | MPC56xx Driver – MISRA issues. | S
48607 | E | WdgIf Interface – MISRA issues. | S
48583 | E | WdgM Manager – MISRA issues. | S
47956 | SWC | Removed unused runnable entities. | S
47459 | E | WdgM_MainFunction should have a reentrancy check. | O
47828 | E | Service IDs of an API function differ from AUTOSAR | S
47832 | E | A global transition to a deactivated SE doesn't produce an error response. | O
48320 | E, G | The first Supervision cycle should have a definable Alive test. | S
48320 | E | The ProgramFlowViolationCnt is wrongly incremented | S
48298 | E, G | The OS Partition Reset causes a compile warning problem | S
46101 | T | WdgM: Unit test for the Autosar 3.1 compatibility | S
46382 | V | Defines are not checked for correct value (STD_ON, STD_OFF) | S
46977 | SWC | WdgM: Each Entity may have zero or more End Checkpoints | S
47905 | SWC | Location of xxx_SEC_CONST_UNSPECIFIED + xxx_SEC_CODE | S
47386 | SWC | Special Handling for Callback in Service Component Description | O
47990 | SWC | WdgM_SetMode() needs to be added to the 3.1 compatibility mode | S
47956 | SWC | WdgM Generator creates a runnable trigger which is not configured | S
42841 | SWC | Service Component always has all versions' APIs | S
47328 | E | S-WdgM: initialize uninitialized local variable | S
47131 | E | Cover combined X-Y-Monitoring violations in status FAILED | S
44842 | E | WdgM: Magic constants should not be used when not necessary (disable automatically generated typedefs) | O
45280 | G | Wdgx: The RAM sections of WdgM, Wdg should be related to an Application only | S
45566 | E | WdgM: Configuration checks only if WdgMDevErrorDetect is off | O
45709 | E | Safe WdgM - Alive Counter overrun | S
45814 | E | WdgM: Update Copyright information in embedded code | S
45827 | E | WdgM: Add AUTOSAR _AR_ Version macros | S
46044 | E | S-WdgM: protect sensitive data accesses from interrupts | S
46383 | E | ascSC is assumed to be defined but this is not checked | S
46388 | E | INVALID_OSAPPLICATION is not necessarily 0xFF in Os.h | S
46464 | E | WdgM: remove unused code when API_3_1 selected | O
46816 | E | Safe WdgM - error from WdgIf during initialization | C
46819 | G | S-WdgM: 0xFFFF tolerance values prevent going to EXPIRED | S
46820 | E | WdgM: AUTOSAR Compiler abstraction | S
46993 | E | WdgM: Fixing the external function names | S
46574 | G | avoid division by zero if Ticks/second = 0 | S
46794 | G | reject multiple DM elements for one transition | S
46920 | G | checkpoint attribute "startsAGlobalTransition" is now correctly computed | S
44628 | G | remove compiler warning ({{0}, {1}, ..} instead of {0, 1}) | S
47177 | G | reject configurations not having a 1:1:1 relationship for driver/interface/watchdog | S
47058 | G | disable OS Partition Reset in generator | S
3.19 Changes with Release 1.8.2: S-WdgM Subpackage 1.8.2
Embedded Code bug fixes:
- [47131] Cover combined X-Y-Monitoring violations in status FAILED
- [45709] Safe WdgM - Alive Counter overrun
- [45827] WdgM: Add AUTOSAR _AR_ Version macros
- [46044] S-WdgM: protect sensitive data accesses from interrupts
- [45280] Wdgx: The RAM sections of WdgM, Wdg should be related to an Application only
- [47328] S-WdgM: initialize uninitialized local variables
Configuration Generator bug fixes:
- [46574] avoid division by zero if Ticks/second = 0
- [46794] reject multiple DM elements for one transition
- [46920] checkpoint attribute "startsAGlobalTransition" is now correctly computed
- [44628] remove compiler warning ({{0}, {1}, ..} instead of {0, 1})
- [47177] reject configurations not having a 1:1:1 relationship for driver/interface/watchdog
- [47058] disable OS Partition Reset in generator
3.20 Changes with Release 1.8.0: S-WdgM Subpackage 1.8.0
The Safety Manual was reworked; the non-safety-related information was moved to the User Manual.
- [45700] Trigger Mode implemented (simplified SetMode() function)
- [45927] RememberedEntityId replaced by global transition flags
- [45959] Periodicity of deadline and program flow tolerances repaired
- [46206] Minor changes to increase test coverage
3.21 Changes with Release 1.7.0: S-WdgM Subpackage 1.7.0
- [45210] Hardware TickCounter implemented
- [45572] WdgM_GetLocalStatus() adapted, WdgMEnableEntityDeactivation flag was moved
- [45663] tick_count_diff calculation repaired
- [45388] Mcu_PerformReset() removed from WdgM_MainFunction
3.22 Changes with Release 1.6.0: S-WdgM Subpackage 1.6.0
- [44418] Checksum for configuration added
- [44978] SE deactivation/activation variable protection in the GS memory added
- [45008] Partition reset partly corrected, the Entity reset was added
- [45066] Refactoring, MISRA check corrections
3.23 Changes with Release 1.5.0: S-WdgM Subpackage 1.5.0
- [43770] The write access of the MainFunction() to the entity memory removed
- [44107] Deadline, Program flow monitoring debouncing parameters optimization
- [43913] MainFunction() interrupted by Checkpoint() corrections
- [44257] Check for Number of S-WdgM Ticks in SupervisionCycle added
- [43912] The direct reset (hardware register access) was removed from CheckpointReached()
3.24 Changes with Release 1.4.0: S-WdgM Subpackage 1.4.0
The documentation structure was changed. Each module (Manager, Interface and Driver) now has its own User Manual, Safety Manual and Release Notes. The changes mentioned in this chapter represent the S-WdgM changes only.
- [42537] WDGM_DEM_SUPERVISION_REPORT define moved to the WdgM_Cfg_Feature.h file
- [42797] Compiler warnings removed, the SE deactivation/activation simplified
- [42943] SE Deactivation/Activation issue removed
- [43092] Global transitions repaired – internal global transition flag introduced
- [43881] Unused variable removed
3.25 Changes with Release 1.3.1: WdgM Subpackage 1.3.1
The Wdg_MPC56xx_bswmd.arxml file was changed only. The xml element Wdg_Impl was removed from the file by Mr. Kalmbach at Vector. The element causes a problem in GENy.
3.26 Changes with Release 1.3.0
Embedded code:
- [42477] Notification in GLOBAL_STATE_STOPPED was not necessary and was removed
- [42503] Error message to DEM in GLOBAL_STATE_STOPPED is now reported correctly
- [42509] Check for a valid global transition repaired in the case of a local initial checkpoint
- [42249] Added the new MPC56xx family platform, new S-Wdg driver created
Generators: added new MPC56xx family platform
3.27 Changes with Release 1.2.0: WdgM Subpackage 1.2.0 Embedded code: Date: 21.11.2014
File name: S-WdgM_ReleaseNotes.doc
© TTTech-Automotive GmbH Version: 3.4.6
Author: TTTech
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 3.4.6
Document Title: Release Notes
Doc.No: D-SAFEX-RP-70-012
Page 22
For the global Disable/Enable interrupts the AUTOSAR Schedule Manager interface is now used
instead of the operating system interface. (Now the SchM_WdgM.h needs to be included)
When the RTE is used, then the S-WdgM uses the defines and typedefs generated by RTE instead
of the S-WdgM internal typedefs and defines (switchable with WDGM_USE_RTE)
Primary Reset path instead of Secondary reset path is used when the
WDGM_IMMEDIATE_RESET==STD_ON is selected. This change was done to guarantee safe
reset. (The previously used external Mcu_PerformReset() function is a QM function)
The Timebase Tick counter check (stuck-in and negative count) was corrected in the
WdgM_MainFunction()
Similar to the S-WdgM the S-Wdg has now a Wdg_MemMap.h file. So it is possible to place the
Wdg variables to a memory section predefined by DaVinci Configurator.
Generators: better error handling
XSLT Stylesheet now includes `WdgM_MainFunction` and `WdgM_UpdateTickCount` as runnables.
Drivers/platforms can now be identified correctly regardless of the SHORT-NAMEs chosen by users.
ECU description file change: Release 1.2.0 uses SUB-PACKAGEs for organizing platform-related data inside the ECU description file. ECU description files created for previous versions have to be adapted slightly; otherwise the code generators may not be able to find the platform data. Please follow these steps:
1. Open the ECU Description file with a text editor.
2. Find the <DEFINITION-REF> elements in the ECU description file containing `/TTTECH/Wdg` or `/TTTECH/WdgImpl`.
3. Replace the `/TTTECH/Wdg` substring with `/TTTECH/TMS570LS3x/Wdg` and `/TTTECH/WdgImpl` with `/TTTECH/TMS570LS3x/WdgImpl`.
4. Save your changes.
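The four migration steps above, as an added example that is not part of these release notes or of the TTTech tool chain: a Python script that applies the DEFINITION-REF path change to an ECU description file and lists every reference it changed so the result can be reviewed before the file is saved. The sample arxml fragment, its namespace and the container names in it are constructed for illustration; the platform name TMS570LS3x is the one given in step 3. The script matches whole path segments rather than doing a plain substring replacement, so a `/TTTECH/WdgM` reference (the manager, which the steps do not mention and which a plain replace of `/TTTECH/Wdg` would also hit) and paths that already carry a platform sub-package are left unchanged. That a WdgM definition path exists alongside the Wdg paths is an assumption here.

```python
import re

# Constructed sample (not taken from the release notes): a fragment of an
# ECU description file written for a pre-1.2.0 S-WdgM stack. The AUTOSAR
# namespace and the exact container names are assumptions for illustration.
OLD_EDF = """<?xml version="1.0" encoding="UTF-8"?>
<AUTOSAR xmlns="http://autosar.org/3.1.4">
  <ECUC-MODULE-CONFIGURATION-VALUES>
    <SHORT-NAME>Wdg</SHORT-NAME>
    <DEFINITION-REF DEST="ECUC-MODULE-DEF">/TTTECH/Wdg</DEFINITION-REF>
    <CONTAINERS>
      <ECUC-CONTAINER-VALUE>
        <DEFINITION-REF DEST="ECUC-PARAM-CONF-CONTAINER-DEF">/TTTECH/Wdg/WdgGeneral</DEFINITION-REF>
      </ECUC-CONTAINER-VALUE>
      <ECUC-CONTAINER-VALUE>
        <DEFINITION-REF DEST="ECUC-PARAM-CONF-CONTAINER-DEF">/TTTECH/WdgImpl/WdgImplGeneral</DEFINITION-REF>
      </ECUC-CONTAINER-VALUE>
    </CONTAINERS>
  </ECUC-MODULE-CONFIGURATION-VALUES>
  <ECUC-MODULE-CONFIGURATION-VALUES>
    <SHORT-NAME>WdgM</SHORT-NAME>
    <DEFINITION-REF DEST="ECUC-MODULE-DEF">/TTTECH/WdgM</DEFINITION-REF>
  </ECUC-MODULE-CONFIGURATION-VALUES>
</AUTOSAR>
"""

PLATFORM = "TMS570LS3x"          # platform sub-package named in step 3
MOVED_MODULES = ("Wdg", "WdgImpl")  # the two definitions that moved into it


def migrate_definition_ref(path: str, platform: str = PLATFORM) -> str:
    """Insert the platform sub-package into a /TTTECH/Wdg or /TTTECH/WdgImpl path.

    Works on whole path segments, so /TTTECH/WdgM (the manager, an assumed
    sibling path) and paths that already carry a platform sub-package are
    returned unchanged. Calling it twice is therefore harmless.
    """
    segments = path.split("/")
    # A definition path looks like ['', 'TTTECH', '<module>', ...].
    if len(segments) >= 3 and segments[1] == "TTTECH" and segments[2] in MOVED_MODULES:
        segments.insert(2, platform)
    return "/".join(segments)


# Matches one DEFINITION-REF element: opening tag, text content, closing tag.
DEF_REF = re.compile(r"(<DEFINITION-REF\b[^>]*>)([^<]*)(</DEFINITION-REF>)")


def migrate_ecu_description(xml_text: str, platform: str = PLATFORM) -> str:
    """Apply migrate_definition_ref to the text of every DEFINITION-REF element."""
    return DEF_REF.sub(
        lambda m: m.group(1) + migrate_definition_ref(m.group(2), platform) + m.group(3),
        xml_text,
    )


def changed_refs(old_xml: str, new_xml: str) -> list:
    """Pair up old and new DEFINITION-REF texts that differ, for review before saving."""
    old = [m.group(2) for m in DEF_REF.finditer(old_xml)]
    new = [m.group(2) for m in DEF_REF.finditer(new_xml)]
    return [(o, n) for o, n in zip(old, new) if o != n]


if __name__ == "__main__":
    migrated = migrate_ecu_description(OLD_EDF)
    for before, after in changed_refs(OLD_EDF, migrated):
        print(f"{before} -> {after}")
```

Run against a real file, the review list is the thing to check before step 4: every changed reference should be a Wdg or WdgImpl path, and anything else appearing there means the file uses a path layout the script did not anticipate.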
3.28 Changes with Release 1.1.0:
WdgM Subpackage 1.1.0
Embedded code:
The AUTOSAR 3.1 functionality Deactivate / Activate entity was implemented.
The Callback Notification was implemented.
The entities initialization in WdgM_Init() was corrected.
The Timebase Tick overrun correction was removed in places where it wasn't necessary.
The MPC5604B Safe Watchdog driver was implemented.
  o Note: the MPC5604B internal watchdog's registers (module SWT) can only be accessed in one of the supervisor modes. This means that the WdgM_MainFunction(), which periodically triggers the watchdog, must run in a supervisor mode!
  o This first version of the MPC5604B Safe Watchdog driver was developed and tested using the Freescale CodeWarrior Compiler 5.9.0.
  o The following configuration set was verified: fSIRCkhz=128, interruptThenReset=false, hardLock=false, stopModeControl=true, debugModeControl=true, WdgDevErrorDetect=true, WdgDemReport=true, WdgDisableAllowed=true, WdgVersionInfoApi=true.
Generators:
Wdg_Mgr_Cfg_Gen.exe generates code to support supervised entity activation/deactivation and callback notifications.
Wdg_If_Cfg_Gen.exe generates code for the MPC5604B driver and the corresponding interface.
3.29 Changes with Release 1.0.0:
WdgM Subpackage 1.0.0
The Safe Watchdog Interface embedded code was split into two modules:
1. Safe Watchdog Interface, which is now hardware independent
2. Safe Watchdog Driver, which is hardware dependent
The Mode switch through WdgM_Init was removed.
It is now possible to disable interrupts while the global shared data are manipulated.
Some enum definitions in the S-WdgM API (like LOCAL_STATUS_OK) were changed to the AUTOSAR specified #defines.
Changes in the generators:
The generators now additionally generate the WdgM_Cfg_Features.h, WdgIf_Cfg_Features.h and Wdg_TMS570LS3x_Cfg_Features.h files.
The generators now additionally generate the WdgM_MemMap.h file.
Changes in the bswmd and swc files:
Feature definitions are added (defined in the …Cfg_Features.h files).
Software version and vendor info were added.
Obsolete 3.1 items were deleted.
DEFINITION-REF elements now contain paths beginning with TTTECH instead of AUTOSAR.
The bswmd files are now schema compliant.
The maximum value of the typedefs WdgM_CheckpointIdType and WdgM_SupervisedEntityIdType was changed to 65535.
4 Test status
The S-WdgM integration tests based on issue 69689 were performed. No findings. All test results are positive.
5 Known issues, limitations, updates
Known issues: For known issues please see the chapter "Change history" above.
Functional limitations of current version: Not known.
Updates: The current release represents an S-WdgM module for AUTOSAR 4.0.x and AUTOSAR 3.1.y. Note that the S-WdgM Configuration generator reads the AUTOSAR version from the ECU description file and generates the define "#define WDGM_AUTOSAR_4_x STD_ON" in case of AUTOSAR 4.x. Depending on this define, the embedded code uses the appropriate AUTOSAR 4.0.x functionality.
6 Abbreviation and glossary
Acronym / Term: Meaning
CP: Checkpoint
EDF: ECU Description File (.arxml file used as input to the configuration generator)
SE: Supervised Entity
OS: Operating System
SCx: Scalability Class (of an Operating System)
S-WdgM: Safe Watchdog Manager (TTTech product, platform independent part)
S-WdgIf: Safe Watchdog Interface (TTTech product, platform independent part)
S-Wdg: Safe Watchdog Driver (TTTech product, platform dependent part)
WdgM: Watchdog Manager (module according to the AUTOSAR specification)
[xxxxx]: TTTech internal issue tracking number.
4 - S-WdgM_SafetyManual
Safety Manual
Ensuring Reliable Networks Safe Watchdog Manager
Safety Manual
Author: TTTech Automotive GmbH
Security: Company Confidential
Document number: D-SAFEX-S-70-001
Version: 2.3.28
Date: 26.05.2014
Status: ALM_Published
MKS ID: 228403
TTTech Automotive GmbH
Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive GmbH. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive GmbH
undertakes no further obligation in relation to this document.
© 2014, TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections
TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 1
Revision History
17.06.2011 V0.9.4 Draft
15.07.2011 V1.0.0 Safe Watchdog Manager Series Release
12.08.2011 V1.1.0 Safe Watchdog Manager Series Release
07.09.2011 V1.2.0 Safe Watchdog Manager Series Release
16.09.2011 V1.3.0 Safe Watchdog Manager Series Release
16.11.2011 V1.3.1 Safe Watchdog Manager - separating S-Wdg drivers
13.12.2011 V1.4.0 Safe Watchdog Manager - Series Release
10.02.2012 V1.5.0 Safe Watchdog Manager - Series Release
17.02.2012 V1.5.1 Safe Watchdog Manager - Series Release (Patch Release)
09.03.2012 V1.6.0 Safe Watchdog Manager - Series Release
13.04.2012 V1.7.0 Safe Watchdog Manager - Series Release
08.05.2012 V1.7.1 Safe Watchdog Manager
05.05.2012 V2.0.0 Copied from MKS 64019 to MKS 228043. Hierarchy restructured. Labeled for review.
24.05.2012 V2.0.1 Labeled for review.
25.05.2012 V2.0.2 Safe Watchdog Manager - Series Release V1.8.0
27.06.2012 V2.1.0 Reviewed. Some information still open
03.07.2012 V2.2.0 Added config generation and verification process
03.07.2012 V2.2.1 Added timing constraints (issue47259)
05.07.2012 V2.3.0 Added requirements from ETA and Check against System Specification
06.07.2012 V2.3.1 Ready for Release 1.8.2
07.08.2012 V2.3.2 Feedback from Hella-Audit, some texts more precise
23.08.2012 V2.3.3 added system assumptions, S-WdgM requ., AUTOSAR 3.1 info, manual checks
10.09.2012 V2.3.4 Traced requirements from ETA. Dissolved section "Requirements derived from ETA
process"
13.09.2012 V2.3.5 After walkthrough review
13.09.2012 V2.3.6 Added manual tests
15.09.2012 V2.3.7 Safe Watchdog Manager ASIL Release
15.10.2012 V2.3.8 Added system assumption regarding critical sections (297946,297948), issue49890
Added reentrancy, issue49459 (WDGM_E_REENTRANCY)
05.12.2012 V2.3.9 228523 - Added Safety Manager
313849 - Added the 'Safety related requirement' behavior
315317, 315319 - Additional requirements (Safe Execution, Lock Step)
230020 - Relation to the SEooC
14.01.2013 V2.3.10 324187, XSLT processor, issue51325
239057, 239065, 239067 corrected
313849 'S-Wdg' corrected to 'S-WdgM'
24.04.2013 V2.3.11 issue 53646: 358190 - Alive counter necessary
07.11.2013 V2.3.12 In the item 230126 the missing ISO 'part 6' was added.
02.04.2014 V2.3.13 Issue 59785 (partly): After discussion with customer following comments added: 542988,
544495
Issue 58655: 228813, 228815, 260615, 260617 (Win7 test)
Issue 52760, 62290, 61812, 59931
05.05.2014 V2.3.14 Changed points according EEB remarks, issue 52087
05.05.2014 V2.3.15 Improvements base is the customer OIL list, issue 59785
07.05.2014 V2.3.16 Issue 52087, 52760, 59785 : review points corrected
13.05.2014 V2.3.17 Issue 52087, 52760 corrected
14.05.2014 V2.3.18 Issue 59785 corrected
14.05.2014 V2.3.19 Issue 62591 corrected
14.05.2014 V2.3.20 Issue 62589 corrected
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
15.05.2014 V2.3.21 Issue 62290 corrected
15.05.2014 V2.3.22 Issue 53646 corrected
15.05.2014 V2.3.23 Issue 62290 corrected
15.05.2014 V2.3.24 Issue 59785, 62589, 62591 corrected
16.05.2014 V2.3.25 Issue 62724 corrected
22.05.2014 V2.3.26 Issue 63131: Language Review
23.05.2014 V2.3.27 Issue 62724 corrected
26.05.2014 V2.3.28 Issues corrected: 52168, 62591, 53646, 50833, 58842
Table of Contents
1 Purpose of this Document ... 7
2 Introduction ... 8
2.1 Target Audience and Responsibilities ... 8
2.2 Structure of this Document ... 8
3 Terms ... 10
4 Notations ... 13
5 Abbreviations ... 14
6 Safe Watchdog Manager Overview ... 15
7 System Assumptions ... 16
7.1 Assumptions in this Document ... 19
8 S-WdgM Function Requirements ... 20
9 S-WdgM Configuration ... 21
9.1 Configuration Check-List ... 21
9.1.1 General Requirements ... 21
9.1.2 Pre-Compile Settings ... 22
9.1.3 Post Build Configuration and Application Settings ... 24
9.1.3.1 Alive Monitoring ... 26
9.1.3.2 Deadline Monitoring ... 27
9.1.3.3 Program Flow Monitoring ... 27
9.1.3.4 Configuration Restrictions for S-WdgM AUTOSAR 3.1 Compatibility Mode ... 27
9.1.4 S-WdgM Fault Detection Time and S-WdgM Fault Reaction Time Evaluation ... 28
9.1.4.1 S-WdgM Fault Detection Time ... 28
9.1.4.1.1 Alive Supervision ... 29
9.1.4.1.2 Deadline Supervision ... 29
9.1.4.1.3 Program Flow Supervision ... 30
9.1.4.2 S-WdgM Fault Reaction Time ... 30
9.1.4.2.1 Alive Supervision ... 32
9.1.4.2.2 Deadline Supervision ... 32
9.1.4.2.3 Program Flow Supervision ... 32
10 S-WdgM Configuration Generator ... 33
10.1 S-WdgM Generator - Installation ... 33
10.2 S-WdgM Generator - Application ... 33
10.3 S-WdgM Generator - S-WdgM Configuration Verification ... 34
10.3.1 Check S-WdgM Configuration against ECU Configuration ... 35
10.3.1.1 Creation of S-WdgM Info Files ... 36
10.3.1.2 Verifier Compilation ... 37
10.3.1.3 Verifier Run ... 39
10.3.2 Manual Verification Checks ... 39
10.3.3 Check System Specifications against S-WdgM Info Files ... 45
11 Safe Watchdog Manager ... 50
11.1 API Specification ... 50
11.1.1 Expected Interface ... 51
11.1.1.1 Implementation of Wrapper Functions for the Expected Interface ... 52
11.1.2 Imported Types and Definitions ... 53
11.1.3 Error Handling ... 58
11.1.3.1 DET Errors ... 58
11.1.3.2 DEM Errors ... 59
11.1.3.3 Return Values ... 60
11.2 Functional Specification ... 60
11.3 S-WdgM Configuration ... 61
11.4 File Structure ... 62
11.5 S-WdgM Integration ... 63
11.5.1 Import from AUTOSAR Definitions into S-WdgM ... 63
11.5.2 Memory Mapping ... 65
11.5.3 S-WdgM Files ... 67
11.5.4 Compilation and Linkage ... 67
11.5.5 S-WdgM Stack Requirements ... 68
11.6 S-WdgM Application ... 68
11.6.1 Application Level API Functions ... 70
11.6.1.1 WdgM_GetMode () ... 71
11.6.1.2 WdgM_SetMode () ... 71
11.6.1.3 WdgM_CheckpointReached () ... 71
11.6.1.4 WdgM_GetLocalStatus () ... 72
11.6.1.5 WdgM_GetGlobalStatus () ... 72
11.6.1.6 WdgM_PerformReset () ... 72
11.6.1.7 WdgM_LocalStateChangeCbk, WdgM_GlobalStateChangeCbk ... 72
11.6.1.8 WdgM_ActivateSupervisionEntity () ... 73
11.6.1.9 WdgM_DeactivateSupervisionEntity () ... 74
11.6.1.10 S-WdgM AUTOSAR 3.1 compatibility mode Functions ... 75
11.6.1.10.1 WdgM_UpdateAliveCounter () ... 75
11.6.1.10.2 WdgM_SetMode () ... 75
11.6.1.11 Requirements For All Application Level API Functions ... 76
11.6.2 System Level API Functions ... 77
11.6.2.1 WdgM_Init () ... 77
11.6.2.2 WdgM_MainFunction () ... 79
11.6.2.3 WdgM_UpdateTickCount () ... 80
11.6.2.4 WdgM_GetVersionInfo () ... 82
11.6.2.5 Requirements For All System Level API Functions ... 82
11.6.3 Memory Access ... 83
11.6.4 Concurrent Function Calls ... 84
12 Safety Lifecycle Tailoring ... 86
13 Qualification ... 88
14 Resource Requirements ... 90
15 Constraints And Known Problems ... 91
16 References ... 92
16.1 Internal Documents ... 93
-
Category:
Comment
Keywords:
ID:
545205 LEGAL DISCLAIMER
THE INFORMATION GIVEN IN THIS SAFETY MANUAL IS GIVEN AS SUPPORT FOR THE
INTEGRATION OF THE TTTECH SAFETY MODULE INTO A SYSTEM ONLY AND SHALL NOT BE
REGARDED AS ANY DESCRIPTION OR WARRANTY OF A CERTAIN FUNCTIONALITY, CONDITION
OR QUALITY OF THE TTTECH SAFETY MODULE. THE RECIPIENT OF THIS SAFETY MANUAL MUST
VERIFY ANY FUNCTION DESCRIBED HEREIN IN THE REAL APPLICATION.
TTTECH PROVIDES THE SAFETY MANUAL FOR THE SAFETY MODULE "AS IS" AND WITH ALL
FAULTS AND HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE, ACCURACY OR COMPLETENESS, OR OF RESULTS
TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK, AS TO THE QUALITY, USE
OR PERFORMANCE OF THE SAFETY MANUAL, REMAINS WITH THE RECIPIENT. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW TTTECH SHALL IN NO EVENT BE LIABLE FOR ANY
SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT
NOT LIMITED TO LOSS OF DATA, DATA BEING RENDERED INACCURATE, BUSINESS
INTERRUPTION OR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF
THE USE OR INABILITY TO USE THE SAFETY MANUAL, EVEN IF TTTECH HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.
TTTECH MAKES NO WARRANTY OF ITS PRODUCTS, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW DISCLAIMS ALL LIABILITIES OR
DAMAGES RESULTING FROM OR ARISING OUT OF THE APPLICATION OR USE OF THESE
PRODUCTS.
-
Category:
Comment
Keywords:
ID:
545219 Legal Notice
The information contained in this safety manual does not affect or change any General Terms and
Conditions of TTTech and/or any agreements existing between TTTech and the recipient regarding the
product concerned.
The reader acknowledges that this safety manual may not be reproduced, stored in a retrieval system,
transmitted, changed, or translated, in whole or in part, without the express written consent of TTTech.
The reader acknowledges that any and all of the copyrights, trademarks, trade names, patents (whether
registrable or not) and other intellectual property rights embodied in or in connection with this safety manual
are and will remain the sole property of TTTech or the respective right holder. Nothing contained in this
legal notice, the safety manual or in any TTTech web site shall be construed as conferring to the recipient
any license under any intellectual property rights, whether explicit, by estoppel, implication, or otherwise.
This safety manual and respective products are subject to change.
The product is only allowed to be used in the scope described in section "System Assumptions". Please note that, based on the current state of the art in science, it is impossible to develop software that is bug-free in all applications.
-
Category:
Comment
Keywords:
ID:
545221 We Listen to Your Comments
Is there any information in this document that you feel is wrong, unclear or missing?
Your feedback will help us to continuously improve the quality of this document. Please contact TTTech Automotive support if you have questions, change requests or suggestions for improvement related to the SCM product or documentation. TTTech Automotive support can be reached via the following e-mail address: support@tttech.com.
1 Purpose of this Document
Category:
Comment
Keywords:
ID:
228517 This document is the Software Safety Manual for the software component Safe Watchdog Manager (S-WdgM). The S-WdgM was developed by TTTech as an SEooC according to ISO 26262 (2011) for use in safety related items up to ASIL D (see [ISO26262]). This document contains the requirements that have to be met to integrate and apply the S-WdgM in a safety-related item.
-
Category:
Comment
Keywords:
ID:
228519 The S-WdgM is part of the S-WdgM Stack, which also contains an S-WdgM Configuration Generator and an S-WdgM Verifier to generate and verify configuration dependent S-WdgM code.
-
Category:
Comment
Keywords:
ID:
228521 The document contains the requirements that have to be satisfied to
install the S-WdgM Generator,
generate S-WdgM code with the S-WdgM Configuration Generator,
integrate the S-WdgM code into an AUTOSAR system, and
apply the S-WdgM within an AUTOSAR system.
-
Category:
Comment
Keywords:
ID:
228533 Note: The document describes requirements for the S-WdgM only. It does not provide a full description of how to create a safe system. For example, it is not concerned with hardware architectural metrics that may have an influence on software running on that hardware. These considerations are not specific to the S-WdgM and are thus beyond the scope of this manual.
-
Category:
Comment
Keywords:
ID:
231307 The S-WdgM was developed according to AUTOSAR version 4.0.1 [AS_WDGM_SWS] and adapted for the
AUTOSAR 3.1.4 [AS_WDGM_SWS_3_1] environment, too. The S-WdgM is compatible with both
AUTOSAR versions but not fully compliant. For the deviations see [TT_WDGM_UM].
-
2 Introduction
2.1 Target Audience and Responsibilities
Category:
Comment
Keywords:
ID:
228523 This document addresses the Safety Manager and (system) integrator. The integrator is the person who
implements the requirements, is responsible for the generation of S-WdgM Configuration code, the
integration of the S-WdgM into a safety-related item and its application.
-
Category:
Requirement
Keywords:
ID:
228525 Label:
Safety relevant:
Related To:
Related To':
The integrator shall be an expert in the area of functional safety with deep knowledge of ISO 26262 (see [ISO26262]).
Moreover, the integrator needs to know
the AUTOSAR architecture,
the ANSI C programming language, and
the S-WdgM User Manual [TT_WDGM_UM].
-
Category:
Requirement
Keywords:
ID:
228529 Label:
Safety relevant:
Related To:
Related To':
The integrator shall ensure that all requirements defined in this Safety Manual are fulfilled in the integrated
item.
-
Category:
Requirement
Keywords:
ID:
228537 Label:
Safety relevant:
Related To:
Related To':
The integrator shall also follow the instructions in
the Safety Manual for the S-WdgIf (see [TT_WDGIF_SM]) and
the Safety Manual for the used S-Wdg drivers (see the driver specific Safety Manual. Safety Manuals
for some drivers can be found in section "References" at the end of this document)
which describe the other components of the S-WdgM Stack.
-
2.2 Structure of this Document
Category:
Requirement
Keywords:
ID:
228527 Label:
Safety relevant:
Related To:
Related To':
Requirements are explicitly marked as "Requirement" in this document. All requirements described in this
document shall be considered by the integrator. Explanatory text that does not represent an explicit
requirement is marked as "Comment".
-
Category:
Comment
Keywords:
ID:
314003 Note: The document items of type "Comment" do not represent explicit action items for the integrator; however, the integrator has to ensure that there are no contradictions between the comment and the intended S-WdgM usage.
-
Category:
Comment
Keywords:
ID:
313849 Note: Requirements in this document either shall be treated as safety related or need not be treated as safety related, depending on the S-WdgM use case:
If the S-WdgM is used to monitor a safety related application, then for each used S-WdgM functionality all corresponding requirements in this document shall be treated as safety related.
If the S-WdgM is used to monitor a QM application, then the requirements in this document need not be treated as safety related.
As a consequence, the field "Safety relevant" in the requirements is empty.
-
Category:
Comment
Keywords:
ID:
555645 The list shows some keywords used in requirements and their explanation:
Key Word: Description
Must, Shall, Required, Is responsible for, Is the responsibility of: Requirement is mandatory.
Shall not: Requirement is a prohibition.
May: Requirement is optional.
table 1
-
3 Terms
Category: Comment, ID: 228565
Alive Supervision: A kind of monitoring that checks whether a Checkpoint in the application code has been passed an allowed number of times (with tolerances) within a time interval.
Application Context: An Application Context is the smallest set of data used by an application that must be saved to allow application interruption at a given time, and a continuation of this application at the point where it has been interrupted.
Checkpoint: A point in the control flow of a Supervised Entity which reports to the Safe Watchdog Manager when it is passed.
Configuration Tool: A tool (like DaVinci Configurator Pro) that creates a Safe Watchdog Manager configuration.
Deadline Monitoring: A kind of monitoring that checks whether the execution time between two Checkpoints is within expected limits (with tolerances).
End Checkpoint: The last Checkpoint in the program flow of a Supervised Entity. When the End Checkpoint has been passed, the S-WdgM assumes that the Supervised Entity has been left. An entity can have more than one End Checkpoint (e.g., in the "then" and "else" clause of an "if" statement).
Error Escalation: The escalation of a detected fault to the WD by a Watchdog reset by calling a S-WdgIf API function or omittance of the Watchdog trigger. The Error Escalation marks the point in time when the S-WdgM Fault Reaction Time ends and the reaction time of the WD driver and WD itself starts.
S-WdgM Fault Detection Time: The time from the occurrence of a fault to the detection by the S-WdgM. The detection is indicated by a status change from WDGM_LOCAL_STATUS_OK or WDGM_GLOBAL_STATUS_OK to another state. The duration of the S-WdgM Fault Detection Time in dependence of the S-WdgM Configuration is explained in this document. The S-WdgM Fault Detection Time is also called "diagnostic test interval" in [ISO26262].
S-WdgM Fault Reaction Time: The time from fault detection to the error escalation to the WD driver (through the S-WdgIf). The duration of the S-WdgM Fault Reaction Time in dependence of the S-WdgM Configuration is explained in this document. Note: The S-WdgM Safety Manual can only discuss the part of the Fault Reaction Time interval at the S-WdgM level. This part of the Fault Reaction Time is prefixed with "S-WdgM". The S-WdgM Fault Reaction Time is the Fault Reaction Time according to [ISO26262] minus the reaction time of the WD driver and the WD itself. For the calculation of the WD driver part see the according Safety Manual.
Freedom from interference: The absence of cascading failures between two or more elements that could lead to the violation of a safety requirement. See [ISO26262], part 1.
Global Monitoring Status: The status that summarizes the Local Monitoring Status of all Supervised Entities. It indicates whether the S-WdgM has found an error so far.
Global Transition: In the context of this document a Global Transition is a transition between two Checkpoints of two different Supervised Entities.
Initial Checkpoint: The first Checkpoint in the control flow of a Supervised Entity. The monitoring of a Supervised Entity starts when the Initial Checkpoint is passed. A Supervised Entity has exactly one Initial Checkpoint.
Local Monitoring Status: A status that represents the current state of supervision of a single Supervised Entity. It indicates whether the S-WdgM has found an error so far.
Local Transition: In the context of this document a Local Transition is a transition between two Checkpoints of the same Supervised Entity.
Monitoring / Supervision: In the context of the S-WdgM Stack the terms Monitoring and Supervision are synonyms.
Monitoring Feature: The generic term for Alive Supervision, Deadline Monitoring and Program Flow Monitoring.
Local/Global OK-Status: The Local OK-Status is present when the local status is WDGM_LOCAL_STATUS_OK. The Global OK-Status is present when the global status is WDGM_GLOBAL_STATUS_OK.
Program Flow Monitoring: A kind of monitoring that checks whether the Checkpoints in a Supervised Entity are passed in an expected order.
Safe Watchdog Driver: The lower and hardware dependent software layer of the S-WdgM Stack. It controls the Watchdog device.
Safe Watchdog Interface: The middle and hardware independent software layer of the S-WdgM Stack.
Safe Watchdog Manager Configuration: The part of the S-WdgM code that is generated by the S-WdgM Generator out of an ECU description file.
Safe Watchdog Manager Configuration Generator: This TTTech tool generates a S-WdgM Configuration out of an ECU description file. In this document the name is abbreviated to "S-WdgM Generator". The tool is part of the S-WdgM package.
Safe Watchdog Manager: The upper and hardware independent software layer of the S-WdgM Stack. It communicates with the application through the RTE.
Safe Watchdog Manager Stack: The stack comprises the S-WdgM, the Safe Watchdog Interface and the Safe Watchdog driver(s).
Supervised Entity: A software entity that is monitored by the S-WdgM. Each Supervised Entity has an identifier. A Supervised Entity is defined as a set of Checkpoints that are (directly or indirectly) connected by Local Transitions within a software component or basic software module. There may be zero, one or more Supervised Entities in a software component or basic software module. Additional TTTech note: Each Supervised Entity has a state that is based on the reports from all its Checkpoints.
Supervision Cycle: The time period of the S-WdgM in which the cyclic supervision algorithm is executed. At the end of a cycle, the function WdgM_MainFunction () is called and - depending on the configuration - Alive Supervision, Deadline Supervision and/or Program Flow Supervision are performed. See also "Reference Cycle".
System: A set of elements that relates at least a sensor, a controller and an actuator with one another (see [ISO26262], part 1). In this document, the MCU is part of the system.
Reference Cycle: Each kind of monitoring has its own Reference Cycle, which is a multiple of the Supervision Cycle. At the end of the Reference Cycle, the according kind of monitoring checks whether an error has occurred. For example: If the Reference Cycle for Deadline Supervision is 5 times the Supervision Cycle, then every 5th call of WdgM_MainFunction () checks for deadline violations.
Timebase Tick: The S-WdgM measures the deadline of a Transition in Timebase Ticks. It is also called S-WdgM Tick. The Timebase Tick can be provided either by the S-WdgM itself or by an external source.
Timing Fault: The generic term for the different kinds of fault that the S-WdgM can detect using a Monitoring Feature: omittance of an operation, unrequested execution of an operation, operation executed too early, operation executed too late, and operations executed in the wrong sequence.
Watchdog (device): A Watchdog device is the hardware part that provides the Watchdog function. It can be an internal watchdog (on the MCU) or an external device.
WD Mode: The "WD Mode" represents a watchdog property. According to AUTOSAR it can have the values "slow", "fast", and "off" (WD disabled).
WD Trigger Mode: The "WD Trigger Mode" defines the WD trigger window and consists of the window start time, the window end time, and the WD mode (slow, fast, off). It can be set with the function WdgM_SetMode (). For details see [TT_WDGM_UM] and [TT_WDGDR_platform_UM] (where platform is the used platform).
table 2
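As an added illustration (not TTTech code and not the S-WdgM API), the following C model shows how the Monitoring Features and the Reference Cycle defined in table 2 fit together: a hypothetical Supervised Entity with checkpoints CP_INIT, CP_MID and CP_END, Program Flow Monitoring over allowed Local Transitions, Alive Supervision and Deadline Monitoring evaluated every fifth Supervision Cycle, and a Timebase Tick subtraction that survives a counter overflow. All type, function and field names, the configuration values and the checkpoint traces are assumptions constructed for this example.

```c
/* Added illustration (not TTTech code): a minimal model of Alive Supervision,
 * Deadline Monitoring and Program Flow Monitoring for one hypothetical
 * Supervised Entity, evaluated at the end of its Reference Cycle.
 * All names are assumptions for this example; none of this is the S-WdgM API. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

typedef enum { LOCAL_OK = 0, LOCAL_FAILED = 1 } local_status_t;
enum { CP_INIT = 0, CP_MID = 1, CP_END = 2, CP_COUNT = 3 };  /* one Initial CP, one End CP */
typedef struct {
    bool     allowed[CP_COUNT][CP_COUNT]; /* Program Flow: allowed Local Transitions */
    uint16_t alive_min, alive_max;        /* Alive Supervision: passes of CP_INIT */
    uint16_t alive_ref_cycles;            /* Reference Cycle, in Supervision Cycles */
    uint32_t deadline_min, deadline_max;  /* Deadline CP_INIT -> CP_MID, in ticks */
} se_config_t;
typedef struct {
    const se_config_t *cfg;
    local_status_t status;        /* Local Monitoring Status */
    int      last_cp;             /* -1: the entity is currently not entered */
    uint16_t alive_counter;       /* CP_INIT passes in the current Reference Cycle */
    uint16_t sc_counter;          /* Supervision Cycles since the last evaluation */
    uint32_t init_tick;           /* Timebase Tick at which CP_INIT was passed */
    bool     deadline_violated;   /* remembered until the Reference Cycle ends */
} se_state_t;

/* Elapsed ticks; unsigned wrap-around keeps the result correct across a counter
 * overflow (the effect WdgMTickOverrunCorrection is meant to provide). */
uint32_t ticks_elapsed(uint32_t start, uint32_t now) { return now - start; }

void se_init(se_state_t *s, const se_config_t *cfg) {
    s->cfg = cfg; s->status = LOCAL_OK; s->last_cp = -1; s->init_tick = 0;
    s->alive_counter = 0; s->sc_counter = 0; s->deadline_violated = false;
}

/* Called by the supervised code whenever it passes a Checkpoint. */
void se_checkpoint_reached(se_state_t *s, int cp, uint32_t now_tick) {
    const se_config_t *c = s->cfg;
    if (s->last_cp < 0) {
        if (cp != CP_INIT) s->status = LOCAL_FAILED;   /* must enter via the Initial CP */
    } else if (!c->allowed[s->last_cp][cp]) {
        s->status = LOCAL_FAILED;                      /* operations in the wrong sequence */
    }
    if (cp == CP_INIT) { s->alive_counter++; s->init_tick = now_tick; }
    if (s->last_cp == CP_INIT && cp == CP_MID) {
        uint32_t dt = ticks_elapsed(s->init_tick, now_tick);
        if (dt < c->deadline_min || dt > c->deadline_max) s->deadline_violated = true;
    }
    s->last_cp = (cp == CP_END) ? -1 : cp;  /* End CP: the entity has been left */
}

/* Called once per Supervision Cycle (the role WdgM_MainFunction() plays).
 * Alive and deadline results are evaluated at the Reference Cycle end only,
 * so their S-WdgM Fault Detection Time is up to one Reference Cycle. */
local_status_t se_main_function(se_state_t *s) {
    const se_config_t *c = s->cfg;
    if (++s->sc_counter >= c->alive_ref_cycles) {
        if (s->alive_counter < c->alive_min || s->alive_counter > c->alive_max)
            s->status = LOCAL_FAILED;              /* omitted or unrequested execution */
        if (s->deadline_violated) s->status = LOCAL_FAILED;   /* too early or too late */
        s->alive_counter = 0; s->sc_counter = 0; s->deadline_violated = false;
    }
    return s->status;
}

/* Constructed configuration: INIT -> MID -> END exactly once per Reference Cycle
 * of 5 Supervision Cycles; INIT -> MID must take between 2 and 10 ticks. */
static const se_config_t demo_cfg = {
    .allowed = { [CP_INIT][CP_MID] = true, [CP_MID][CP_END] = true },
    .alive_min = 1, .alive_max = 1, .alive_ref_cycles = 5,
    .deadline_min = 2, .deadline_max = 10,
};

/* Feeds a checkpoint trace, then runs one Reference Cycle of main calls. Returns the
 * 1-based cycle in which LOCAL_FAILED first appeared, or 0 if the entity stayed OK. */
int run_trace(const int *cps, const uint32_t *ticks, int n) {
    se_state_t s; se_init(&s, &demo_cfg);
    for (int i = 0; i < n; i++) se_checkpoint_reached(&s, cps[i], ticks[i]);
    for (int cycle = 1; cycle <= demo_cfg.alive_ref_cycles; cycle++)
        if (se_main_function(&s) == LOCAL_FAILED) return cycle;
    return 0;
}

/* Nominal run across a tick counter overflow: MID comes 5 ticks after INIT. */
int scenario_nominal(void) {
    const int cps[] = { CP_INIT, CP_MID, CP_END };
    const uint32_t ticks[] = { 0xFFFFFFFDu, 2u, 3u };   /* 0xFFFFFFFD + 5 wraps to 2 */
    return run_trace(cps, ticks, 3);
}
/* Omission: no Checkpoint at all; found only when the Reference Cycle ends (cycle 5). */
int scenario_omitted(void) { return run_trace(NULL, NULL, 0); }
/* Wrong sequence: MID skipped; found at the very next main call (cycle 1). */
int scenario_wrong_sequence(void) {
    const int cps[] = { CP_INIT, CP_END }; const uint32_t ticks[] = { 0u, 1u };
    return run_trace(cps, ticks, 2);
}
/* Too late: INIT -> MID takes 11 ticks; found at the Reference Cycle end (cycle 5). */
int scenario_too_late(void) {
    const int cps[] = { CP_INIT, CP_MID, CP_END }; const uint32_t ticks[] = { 0u, 11u, 12u };
    return run_trace(cps, ticks, 3);
}
```

The return values of the scenarios are the detection time in Supervision Cycles: a program flow violation is visible at the next main call, while an omitted or late operation is only visible when its Reference Cycle ends.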
-
4 Notations
Category: Comment, ID: 228609
Notation: Description
text (italic): Italic text is a placeholder for a certain name or pattern. E.g.: In Wdg_platform_Init (), the text platform is a placeholder for the name of (a) specific platform(s).
AS3: text: The text after "AS3:" is relevant for AUTOSAR 3.1 environments only.
AS4: text: The text after "AS4:" is relevant for AUTOSAR 4.0 environments only.
table 3
-
5 Abbreviations
Category: Comment, ID: 228549
API: Application Programming Interface
AS3: AUTOSAR 3.1 (environment)
AS4: AUTOSAR 4.0 (environment)
ASIL: Automotive Safety Integrity Level
AUTOSAR: Automotive Open System Architecture
BSW: Basic Software (AUTOSAR term)
BswM: BSW module
CP: Checkpoint
DEM: Diagnostic Event Manager
DET: Development Error Tracer
ECC: Error Checking (and) Correction
ECU: Engine Control Unit
ISO: International Organization for Standardization
MCU: Microcontroller Unit
MPU: Memory Protection Unit. Usually it is a part of the Microcontroller.
MemMap: Memory Mapping (for Memory Management)
QM: Quality Managed (Software)
RTE: Run-Time Environment
SC: Supervision Cycle
SchM: Schedule Manager module according to AUTOSAR 4.0 specification
SE: Supervised Entity
SM: Safety Manual
SW-C, SWC: Software Component
S-Wdg: Safe Watchdog Driver (from TTTech)
S-WdgM: Safe Watchdog Manager (from TTTech)
S-WdgIf: Safe Watchdog Interface (from TTTech)
WD: Watchdog
WdgM: Watchdog Manager according to the AUTOSAR 4.0 specification
WdgIf: Watchdog Interface according to the AUTOSAR 4.0 specification
table 4
-
6 Safe Watchdog Manager Overview
Category: Comment, ID: 228613
For an overview of and more details about
the S-WdgM,
the other S-WdgM Stack components,
the S-WdgM Generator, and
the S-WdgM Verifier
see the according user manuals and Safety Manuals:
for the S-WdgM: [TT_WDGM_UM] and this document,
for the S-WdgIf: [TT_WDGIF_UM] and [TT_WDGIF_SM], and
for the S-Wdg drivers: the according Safety Manual. See also section "References" at the end of this
document.
-
Category: Comment, ID: 555650
The Safe Watchdog Manager can be integrated into AUTOSAR 3.1.4 and AUTOSAR 4.0.1 environments.
The S-WdgM code differs between the AUTOSAR versions.
The S-WdgM must be configured for the used AUTOSAR version with the preprocessor switch
WDGM_AUTOSAR_4_x. This switch is automatically generated by the S-WdgM Configuration Generator.
-
Category: Comment, ID: 559886
The S-WdgM is designed for integration into an AUTOSAR version 3.1.4 or AUTOSAR version 4.0.1
system. However, the S-WdgM is not restricted to these AUTOSAR versions. The software module can also
be integrated into other versions of AUTOSAR and other system SW architectures, provided that the
integration related requirements listed in the Safety Manual are satisfied.
-
Category: Comment, ID: 562764
The Safe Watchdog Manager can also be switched to a "S-WdgM AUTOSAR 3.1 compatibility mode".
In this mode the behaviour of S-WdgM functions is as defined for the AUTOSAR 3.1 Watchdog Manager.
The mode is set with the preprocessor switch WDGM_AUTOSAR_3_1_X_COMPATIBILITY. The default
value is STD_OFF. On the ECU description file level, the WdgMSupportedAutosarAPI parameter is used.
-
7 System Assumptions
Category: Comment, ID: 270633
The S-WdgM module has been developed as a Safety Element out of Context (SEooC) according to ISO
26262. This means that the development was based on assumptions about the target environment where it
shall be integrated. The integrator has to assure that these assumptions are fulfilled by the system.
The assumptions are listed as requirements in this section. Further requirements in this Safety Manual that
may be considered assumptions (depending on the application of the system) are listed in section
"Assumptions in this Document" below.
-
Category: Requirement, ID: 282827, Related To: 283135
The system specification shall be designed to tolerate the occurrence of timing faults. Also a certain
(configurable but always greater than 0) time delay from the occurrence of faults to the safe state must be
acceptable.
-
Category: Comment, ID: 282829
The S-WdgM reacts to timing faults after they have occurred. The detection and reaction time also depends on the S-WdgM Configuration.
The S-WdgM is not designed for systems where timing faults shall not occur at all.
-
Category: Requirement, ID: 282805, Related To: 262696, 263095
The MCU shall provide computational resources to execute software components within their specification.
-
Category: Requirement, ID: 282785, Related To: 262682, 262690, 263089, 263091, 283504, 283399, 283508
The software execution environment shall be able to run software according to requirements of up to the system's required ASIL.
This also includes:
freedom from interference among the SW components (see 282807),
supervision by external measures (see 282795),
the hardware shall consist of an MCU with all required hardware to run according to system specifications (i.e. safe HW to detect/avoid e.g. bit-flips by means of start up checks, cyclical checks, ECC check, ...), and
the hardware shall be composed of components that are qualifiable up to the desired ASIL of the system.
-
Category: Requirement, ID: 297946
The software execution environment shall provide methods for mutual exclusion.
-
Category: Comment, ID: 297948
Such methods are disabling of interrupts, locks, semaphores etc.
Especially disabling of interrupts is often used to gain exclusive access to resources or perform multiple
operations atomically.
-
Category: Requirement, ID: 282807, Related To: 263115, 283536, 261192
The software platform shall provide an execution environment that is capable of running multiple software
components with freedom from interference from each other.
-
Category: Comment, ID: 282809
The S-WdgM and the supervised application are considered as separate SW components with freedom
from (unintended) interference. Freedom from interference can be achieved by e.g. a microcontroller with
MPU.
-
Category: Requirement, ID: 282795, Related To: 262661, 263099, 263109, 283504, 283508
The integrator shall analyze what safety measures are required in case of timing violations
of the calls of the S-WdgM and
during execution of the S-WdgM.
-
Category: Comment, ID: 561887
The timing violations described above are not handled by the S-WdgM internally and must be handled externally if necessary.
A timing violation can be caused e.g. by
a slower/faster running MCU oscillator or
a delay caused by too many high priority tasks.
-
Category: Comment, ID: 282797
An internal WD can detect timing violations of S-WdgM calls and S-WdgM executions. However, an internal
WD may have the same time base (oscillator) as the CPU that executes the S-WdgM and therefore may not
be able to detect failures of the time base.
An external WD with an independent time base may be necessary.
-
Category: Requirement, ID: 315317
The MCU shall execute the given software correctly.
-
Category: Comment, ID: 315319
This requirement can be achieved e.g. by using a lockstep MCU.
-
Category: Requirement, ID: 282791, Related To: 262674
In case a software timing fault has been detected and escalated to the system by the S-WdgM, the system
shall initiate the safe state within acceptable time tolerances.
-
Category: Comment, ID: 282793
The S-WdgM initiates a fault reaction by discontinuation of WD triggering or by a WD reset. It is the integrator's responsibility to ensure that the WD itself leads to a safe state in time.
Note: The S-WdgM detection and reaction time is also delayed depending on the S-WdgM Configuration.
-
Category: Requirement, ID: 283375, Related To: 283514, 283518
The connected (used) Watchdog (or hardware that provides the watchdog function) shall work correctly.
-
Category: Requirement, ID: 282789, Related To: 262604, 263117, 283508, 283504, 261244
The MCU shall be able to perform a safe startup to the point where the S-WdgM is safely initialized.
-
Category: Requirement, ID: 566080
The RAM memory correctness shall be checked at ECU startup time. An ECC or comparable check shall
be used at run-time.
-
Category: Requirement, ID: 265876, Related To: 283397
The FLASH memory correctness shall be checked at ECU startup time. An ECC or comparable check shall
be used at run-time.
-
Category: Comment, ID: 263975
The generated code contains a checksum over some significant fields (e.g. version) to check that:
the generated code belongs to the S-WdgM code according to version information and
the generated code is not overwritten by other code during the flashing process.
The checksum is checked with every run of the function WdgM_Init (). A failed check yields WDGM_E_PARAM_CONFIG.
Note: The checksum does not cover the complete configuration and cannot thoroughly detect when the configuration memory is corrupted (e.g. by bit flips).
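An added illustration (not TTTech code) of the check this comment describes: a hypothetical generated configuration carries a checksum over its significant fields, the counterpart of the WdgM_Init () check recomputes and compares it, and the scenarios show what the check catches (a version mismatch, a covered field changed at flashing) and what it cannot catch (a bit flip in a field the checksum does not cover). The struct layout, field names, version values and the Fletcher-16 algorithm are assumptions constructed for this example.

```c
/* Added illustration (not TTTech code): a configuration checksum over the
 * "significant fields" of a generated configuration, as described in item
 * 263975. Layout, names, values and the checksum algorithm are assumptions. */
#include <stdint.h>
#include <stddef.h>

typedef enum { CHECK_OK = 0, E_PARAM_CONFIG = 1 } config_result_t;

/* Hypothetical generated configuration. Only the fields above the checksum
 * are covered by it; the entity table below is not. */
typedef struct {
    uint8_t  sw_major, sw_minor, sw_patch;   /* S-WdgM version the code was generated for */
    uint16_t autosar_version;                /* constructed encoding: 31 or 40 */
    uint16_t checksum;                       /* Fletcher-16 over the fields above */
    uint32_t entity_table[8];                /* SE parameters, NOT covered */
} generated_config_t;

/* Fletcher-16 (hypothetical choice; the point made does not depend on it). */
uint16_t fletcher16(const uint8_t *data, size_t len) {
    uint16_t a = 0, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (uint16_t)((a + data[i]) % 255);
        b = (uint16_t)((b + a) % 255);
    }
    return (uint16_t)((b << 8) | a);
}

/* Serialises the significant fields byte by byte so that struct padding
 * never enters the checksum. */
uint16_t config_checksum(const generated_config_t *cfg) {
    uint8_t buf[5] = { cfg->sw_major, cfg->sw_minor, cfg->sw_patch,
                       (uint8_t)(cfg->autosar_version >> 8), (uint8_t)cfg->autosar_version };
    return fletcher16(buf, sizeof buf);
}

/* Counterpart of the check WdgM_Init () performs: the generated code must belong
 * to the running S-WdgM version, and its stored checksum must still match. */
config_result_t config_check(const generated_config_t *cfg,
                             uint8_t major, uint8_t minor, uint8_t patch) {
    if (cfg->sw_major != major || cfg->sw_minor != minor || cfg->sw_patch != patch)
        return E_PARAM_CONFIG;
    if (config_checksum(cfg) != cfg->checksum)
        return E_PARAM_CONFIG;
    return CHECK_OK;
}

/* Constructed "generated" configuration for a fictitious S-WdgM 2.3.28 on AUTOSAR 4.0. */
generated_config_t make_config(void) {
    generated_config_t c = { .sw_major = 2, .sw_minor = 3, .sw_patch = 28, .autosar_version = 40 };
    c.checksum = config_checksum(&c);
    return c;
}

config_result_t scenario_intact(void) {
    generated_config_t c = make_config();
    return config_check(&c, 2, 3, 28);                 /* CHECK_OK */
}
/* Generated code from another S-WdgM version linked with this one: detected. */
config_result_t scenario_version_mismatch(void) {
    generated_config_t c = make_config();
    return config_check(&c, 2, 4, 0);                  /* E_PARAM_CONFIG */
}
/* A covered field changed (e.g. generated code partly overwritten at flashing): detected. */
config_result_t scenario_overwritten(void) {
    generated_config_t c = make_config();
    c.autosar_version = 31;
    return config_check(&c, 2, 3, 28);                 /* E_PARAM_CONFIG */
}
/* A bit flip in the entity table: NOT detected, exactly the limitation the note states. */
config_result_t scenario_bitflip_not_covered(void) {
    generated_config_t c = make_config();
    c.entity_table[3] ^= 0x10u;
    return config_check(&c, 2, 3, 28);                 /* CHECK_OK */
}
```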
-
7.1 Assumptions in this Document
Category: Requirement, ID: 282887
The following requirements are located in the according context in this document. They may be interpreted as system assumptions or not, depending on the circumstances under which the system is developed and applied:
Requirement: Description
231900, 230957: Chosen monitoring features and configuration meet the system's safety requirements.
260470, 231825, 229211, 236796, 230793: Quality level degradation by external interfaces.
230494: S-WdgM functionality affected by other SW.
260490, 231403, 231419: Quality level degradation by SE deactivation.
260207, 231823, 231547, 231549, 231609: WD driver and WD device.
231277, 231281, 231454, 231462, 231972, 231203: Memory sections, access rights.
231480: Memory corruption.
231207: WdgM_MainFunction () in separated task.
table 5
-
8 S-WdgM Function Requirements
Category: Comment, ID: 270655
The section lists the system requirements that the S-WdgM Stack fulfills.
They are derived from [TT_WDGM_TSR] and [TT_WDGM_SD].
Since the S-WdgM function requirements are not requirements for the system or integrator, they are put
here as comments and marked with "S-WdgM Requirement".
-
Category: Comment, ID: 282811
(S-WdgM Requirement)
The S-WdgM shall be able to detect software timing faults:
There shall be methods to detect timing faults within a software component.
There shall be methods to detect timing faults among software components.
-
Category: Comment, ID: 282813
The S-WdgM is able to detect program flow violations, Alive Counter violations and deadline violations.
They cover the following kinds of faults:
omittance of an operation (program flow, Alive Counter),
unrequested execution of an operation (program flow, Alive Counter),
operation executed too early (Alive Counter, deadline),
operation executed too late (Alive Counter, deadline), and
operations executed in the wrong sequence (program flow).
-
Category: Comment, ID: 282815
(S-WdgM Requirement)
The S-WdgM shall escalate a detected SW timing fault to the system:
There shall be methods to escalate detected faults so that a corresponding safety measure is triggered.
-
Category: Comment, ID: 282817
The S-WdgM initiates a fault reaction by discontinuation of WD triggering or by a WD reset. It is the integrator's responsibility to ensure that the WD itself leads to a safe state in time.
-
9 S-WdgM Configuration
Category: Comment, ID: 228629
The S-WdgM Configuration code is the part of the S-WdgM code that is generated with the S-WdgM
Generator out of a given ECU description file.
This section lists the safety requirements for the creation of S-WdgM Configuration code.
-
Category: Comment, ID: 228631
For a description of
the configuration fields in the ECU description file and
how to generate S-WdgM code out of the ECU description file
see [TT_WDGM_UM].
-
9.1 Configuration Check-List
Category: Comment, ID: 228713
The S-WdgM Generator performs basic checks on the contents of the ECU description file when generating
the S-WdgM Configuration code.
The following sections provide instructions for manual checks of safety relevant configuration values that
cannot be performed by the S-WdgM Generator itself.
-
Category: Requirement, ID: 231900
If a subset of the S-WdgM monitoring features is used, then the integrator shall verify that the chosen
monitoring features satisfy the system's safety requirements.
-
9.1.1 General Requirements
Category: Requirement, ID: 228717
The integrator shall set the configuration parameters according to the project specification.
-
Category: Requirement, ID: 260470
The integrator shall verify that no non-S-WdgM function that is called from within the S-WdgM degrades the
quality level of the S-WdgM below the required quality level.
-
Category: Comment, ID: 544495
The used non-S-WdgM functions are listed in section "Expected Interface" below.
-
Category: Comment, ID: 260476
Example: If the functions GlobalSuspendInterrupts () and GlobalRestoreInterrupts () are implemented for QM level and the S-WdgM calls these functions, then the S-WdgM is degraded to QM level.
-
Category: Requirement, ID: 284187
The ECU description file that serves as input for the generation of the S-WdgM Configuration code shall
follow the XML schema of the used AUTOSAR version. The supported AUTOSAR versions are defined in
the 231307.
-
Category: Comment, ID: 284517
The corresponding XML schema can be found at www.autosar.org.
-
9.1.2 Pre-Compile Settings
Category: Requirement, ID: 228722
The following fields in the ECU description file shall be "true" if the according feature shall be enabled, otherwise "false":
Field: Feature
WdgMVersionInfoApi: Enable Version API.
WdgMDevErrorDetect: Enable Development error detection.
WdgMDemReport: Enable DEM calls in case of production errors.
WdgMDefensiveBehavior: Check whether a caller of WdgM_SetMode () is authorized to call the function. Also check that the S-WdgM was initialized when the function WdgM_MainFunction () is called. Note: The AUTOSAR 3.1 version of WdgM_SetMode () does not check the caller.
WdgMImmediateReset: Enable an immediate WD reset in case of an Alive Supervision violation, a Deadline violation or a Program Flow violation.
WdgMOffModeEnabled: Enable deactivation of a WD device.
WdgMUseOsSuspendInterrupt: AS3: Call SchM_Enter_WdgM () and SchM_Exit_WdgM (). AS4: Call SchM_Enter_WdgM_WDGM_EXCLUSIVE_AREA_0() and SchM_Exit_WdgM_WDGM_EXCLUSIVE_AREA_0(). The functions suspend and resume interrupts.
WdgMSecondResetPath: Call Mcu_PerformReset () if a WD trigger or a WD reset fails.
WdgMTickOverrunCorrection: Correct the tick counter when the value overflows.
WdgMEntityDeactivationEnabled: Enable deactivation and activation of SEs.
WdgMStateChangeNotification: Invoke a callback function when the local or global state changes.
WdgMUseRte: Use the RTE-generated defines and typedefs.
WdgMDemSupervisionReport: Make a DEM call when the global state WDGM_GLOBAL_STATUS_STOPPED is reached.
WdgMFirstCycleAliveCounterReset: Do not evaluate Alive Counters from the first SC (in the first call of WdgM_MainFunction ()).
table 6
-
Category: Requirement, ID: 228883
The value of WdgMTimebaseSource shall be set according to the required source of time ticks:
WdgMTimebaseSource: Description
WDGM_INTERNAL_SOFTWARE_TICK (0): An internal time source for Deadline Monitoring is selected. The tick counter is incremented each time the WdgM_MainFunction() is invoked.
WDGM_INTERNAL_HARDWARE_TICK (1): An internal time source for Deadline Monitoring is selected. The tick counter value is read from an MCU's internal hardware counter.
WDGM_EXTERNAL_TICK (2): An external time source for Deadline Monitoring is selected. The tick counter is incremented each time the WdgM_UpdateTickCount() function is invoked. The function is implemented in the S-WdgM.
table 7
-
Category: Comment, ID: 239167
The field WdgMTimebaseSource is a WdgM information. If it is set to
WDGM_INTERNAL_HARDWARE_TICK, then the configuration generator checks whether the referred
driver has an active tick counter.
-
Category: Requirement, ID: 230215
In case the S-WdgM internal hardware tick counter is used, the integrator shall make sure that the MCU's
internal hardware counter updates the tick counter according to the system specifications.
-
Category: Comment, ID: 270693
In case of an internal hardware tick counter, the S-WdgM updates the tick counter using the MCU's internal
hardware counter.
-
Category: Requirement, ID: 238968
If UseOSsuspendinterrupts is "false", then the integrator is responsible for the implementation of the
functions
GlobalSuspendInterrupts () and
GlobalRestoreInterrupts ().
-
Category: Requirement, ID: 260490
The integrator shall consider:
If WdgMEntityDeactivationEnabled is "true",
then the functions
WdgM_DeactivateSupervisionEntity() and
WdgM_ActivateSupervisionEntity(),
when called by a SW component, degrade the quality level of the S-WdgM to the quality level of their caller(s).
-
Category: Comment, ID: 260491
Example: If two components are used with quality level ASIL-B and QM, then the S-WdgM is degraded to
QM level.
-
Category: Comment, ID: 260496
The functions WdgM_DeactivateSupervisionEntity() and WdgM_ActivateSupervisionEntity() degrade
because a faulty activation or deactivation process for a SE call may compromise the monitoring features.
-
Category: Comment, ID: 261042
A partition reset with BswM_WdgM_RequestPartitionReset () is not supported by the S-WdgM.
-
9.1.3 Post Build Configuration and Application Settings
Category: Comment, ID: 239045
This section provides a check list for the various aspects and configuration fields that must be considered
for implementation and post build configuration of the monitoring features.
-
Category: Comment, ID: 239073
For further information on configuration fields see [TT_WDGM_UM]. For information on configuration of S-WdgM Fault Detection Times and S-WdgM Fault Reaction Times, see section "S-WdgM Fault Detection Time and S-WdgM Fault Reaction Time Evaluation" below.
-
Category: Requirement, ID: 260207
The integrator shall make sure that the configuration defines
only one WD driver and
only one WD device for the driver.
-
Category: Comment, ID: 260209
The current implementation of the S-WdgM Stack supports only one WD device per WD driver. If configured
otherwise, the S-WdgM Generator yields an error message.
-
Category: Comment, ID: 260211
The current implementation of the S-WdgM Stack supports one WD driver and one WD device per driver. If
configured otherwise, the S-WdgIf Generator yields an error message.
-
Category: Requirement, ID: 260219
The integrator shall make sure that all API functions of the S-WdgIf that require a device index use 0 as device index.
-
Category: Comment, ID: 260221
The index counting for the WD device starts with 0.
-
Category:
Requirement
Keywords:
ID:
238981 Label:
Safety relevant:
Related To:
__MKSID__261186
Related To':
The integrator shall
partition the supervised application code into SEs,
configure the OSApplication ID per SE,
place CPs per SE (including Initial CPs and - if necessary - End CPs),
place global CP (including Initial CPs and - if necessary - End CPs),
configure Deadline Monitoring,
configure Alive Supervision, and
configure Program Flow Monitoring
according to the system requirements for S-WdgM monitoring.
-
Category:
Requirement
Keywords:
ID:
358190 Label:
Safety relevant:
Related To:
Related To':
The integrator shall be aware that, if
the execution does not hit any CP in a SE and
no Alive Supervision is configured for this SE,
then the S-WdgM will not detect this violation.
-
Category:
Comment
Keywords:
ID:
565654 For a periodic SE, this can be solved by configuring Alive Supervision for the SE.
For a non-periodic SE, Alive Supervision cannot be used.
-
Category:
Requirement
Keywords:
ID:
239047 Label:
Safety relevant:
Related To:
Related To':
For the notification of state changes, the integrator shall set
WdgMLocalStateChangeCbk (per SE) and
WdgMGlobalStateChangeCbk
according to the system requirements.
-
Category:
Requirement
Keywords:
ID:
239049 Label:
Safety relevant:
Related To:
Related To':
For the activation/deactivation of SEs, the integrator shall set
WdgMEnableEntityDeactivation (per SE) and
WdgMInitialStatus (per SE)
according to the system requirements.
-
Category:
Requirement
Keywords:
ID:
239051 Label:
Safety relevant:
Related To:
__MKSID__283870, __MKSID__284614, __MKSID__261172, __MKSID__261176, __MKSID__261174, __MKSID__261178
Related To':
For the scheduling of WdgM_MainFunction () calls, the integrator shall set
WdgMTicksPerSecond,
WdgMSupervisionCycle,
WdgMTriggerWindowStart (per WD Trigger Mode), and
WdgMTriggerConditionValue (per WD Trigger Mode)
according to the system requirements.
-
Category:
Requirement
Keywords:
ID:
239053 Label:
Safety relevant:
Related To:
Related To':
For correct handling of WD Trigger Modes the integrator shall set
WdgMAllowedCallers,
WdgMInitialTriggerModeId (for SetMode ()), and
WdgMWatchdogMode
according to the system requirements.
-
9.1.3.1 Alive Monitoring
Category:
Requirement
Keywords:
ID:
239055 Label:
Safety relevant:
Related To:
__MKSID__261186
Related To':
The integrator shall
define Alive Supervision for every CP,
set WdgMExpectedAliveIndications per WdgMSupervisionReferenceCycle properly, and
set the interval [WdgMMinMargin, WdgMMaxMargin] narrow enough
so that Alive Supervision violations are detected according to system requirements.
-
Category:
Requirement
Keywords:
ID:
239057 Label:
Safety relevant:
Related To:
Related To':
The integrator shall make sure that the following values are set correctly:
WdgMTicksPerSecond,
WdgMSupervisionCycle,
WdgMSupervisionReferenceCycle (per CP),
WdgMFailedSupervisionRefCycleTol (per SE), and
WdgMExpiredSupervisionCycleTol,
so that the WD is reset after a time delay according to system requirements.
-
9.1.3.2 Deadline Monitoring
Category:
Requirement
Keywords:
ID:
239063 Label:
Safety relevant:
Related To:
Related To':
The integrator shall
define Deadline Monitoring for every CP and
set the interval [WdgMDeadlineMin, WdgMDeadlineMax] narrow enough,
so that Deadline violations are detected according to system requirements.
-
Category:
Requirement
Keywords:
ID:
239065 Label:
Safety relevant:
Related To:
Related To':
The integrator shall make sure that the following values are set correctly:
WdgMTicksPerSecond,
WdgMSupervisionCycle,
WdgMDeadlineReferenceCycle (per SE),
WdgMFailedDeadlineRefCycleTol (per SE), and
WdgMExpiredSupervisionCycleTol,
so that the WD is reset after a time delay according to system requirements.
-
9.1.3.3 Program Flow Monitoring
Category:
Requirement
Keywords:
ID:
239071 Label:
Safety relevant:
Related To:
Related To':
The integrator shall define Program Flow Monitoring for every CP, so that program flow violations are
detected according to system requirements.
-
Category:
Requirement
Keywords:
ID:
239067 Label:
Safety relevant:
Related To:
Related To':
The integrator shall make sure that the following values are set correctly:
WdgMTicksPerSecond,
WdgMSupervisionCycle,
WdgMProgramFlowReferenceCycle (per SE),
WdgMFailedProgramFlowRefCycleTol (per SE), and
WdgMExpiredSupervisionCycleTol,
so that the WD is reset after a time delay according to system requirements.
-
9.1.3.4 Configuration Restrictions for S-WdgM AUTOSAR 3.1 Compatibility Mode
Category:
Comment
Keywords:
ID:
284790 If WDGM_AUTOSAR_3_1_X_COMPATIBILITY is set to STD_ON, then the S-WdgM behaves as defined
for the AUTOSAR 3.1 Watchdog Manager. In this case further configuration restrictions shall be considered.
Note: Neither the S-WdgM Generator nor the S-WdgM Verifier checks the following restrictions.
-
Category:
Requirement
Keywords:
ID:
284792 Label:
Safety relevant:
Related To:
Related To':
If WDGM_AUTOSAR_3_1_X_COMPATIBILITY is set to STD_ON,
then the following restrictions must be considered:
for all SEs, WdgMSupportedAutosar is set to API_3_1 (in the ECU description file),
exactly one CP is allowed for each SE,
this CP must be defined as Initial CP and as End CP,
every CP must have an Alive Supervision defined, and
no local and global transitions are allowed.
-
9.1.4 S-WdgM Fault Detection Time and S-WdgM Fault Reaction Time Evaluation
Category:
Comment
Keywords:
ID:
231587 The time span from a fault occurrence to the system's reaction depends on the S-WdgM Configuration
parameters. This section shows how the different configuration timing parameters add up to the actual
delay from the fault occurrence to the error escalation.
-
Category:
Comment
Keywords:
ID:
239236 A further description of the configuration parameters and examples can be found in [TT_WDGM_UM].
-
Category:
Comment
Keywords:
ID:
231597 Definition: The time span from the fault occurrence to the error escalation by the S-WdgM to the WD driver (through S-WdgIf) is the sum of
1. the S-WdgM Fault Detection Time and
2. the S-WdgM Fault Reaction Time.
In [ISO26262], the S-WdgM Fault Detection Time is called "diagnostic test interval".
-
Category:
Comment
Keywords:
ID:
239636 The time spans of the different monitoring features do not affect each other (except of course, that the error
escalation of one monitoring violation aborts the monitoring of all other violations.)
-
9.1.4.1 S-WdgM Fault Detection Time
Category:
Comment
Keywords:
ID:
260591 The S-WdgM Fault Detection Time is evaluated differently for the various monitoring features as shown in
this section.
-
Category:
Comment
Keywords:
ID:
239252 The S-WdgM Fault Detection Time spans
from fault occurrence
to fault detection (when the S-WdgM switches from a Local or Global OK-Status to another state). The
state change happens within the WdgM_MainFunction ().
-
Category:
Comment
Keywords:
ID:
239560 The S-WdgM Fault Detection Time is defined differently for the various monitoring features.
-
9.1.4.1.1 Alive Supervision
Category:
Comment
Keywords:
ID:
239284 Assume that a fault occurs that leads to an Alive Counter violation:
The S-WdgM Fault Detection Time is the sum of the time spans
from the fault to the call of the next CP that monitors the alive count and
from the call of this CP to the next call of WdgM_MainFunction() at the end of the current
SupervisionReferenceCycle.
-
Category:
Comment
Keywords:
ID:
239300 Because a SupervisionReferenceCycle is a multiple of the SC, there may be other call(s) of
WdgM_MainFunction () between the CP call and the end of the SupervisionReferenceCycle, but only the
WdgM_MainFunction () call at the end of the SupervisionReferenceCycle detects the Alive Counter
violation.
-
Category:
Comment
Keywords:
ID:
239285 In the best case, the S-WdgM Fault Detection Time is less than or equal to one SupervisionReferenceCycle. This is when
the fault occurs,
the corresponding CP is called afterwards, and
the WdgM_MainFunction is called at the end of the SupervisionReferenceCycle
within the same SupervisionReferenceCycle.
-
Category:
Comment
Keywords:
ID:
239286 Note: Depending on the locations of CPs, the time span from the fault occurrence to the CP call may
include several SupervisionReferenceCycles. That is, when the CP is not called within every
SupervisionReferenceCycle.
-
9.1.4.1.2 Deadline Supervision
Category:
Comment
Keywords:
ID:
239240 Assume that a fault occurs that leads to a Deadline Violation:
The S-WdgM Fault Detection Time is the sum of the time spans
from the fault to the call of the next CP that monitors the deadline and
from the call of this CP to the next call of WdgM_MainFunction () at the end of the current SC.
-
Category:
Comment
Keywords:
ID:
239242 In the best case, the S-WdgM Fault Detection Time is less than or equal to one SC. This is when
the fault occurs,
the CP that checks for a Deadline Violation*) is called afterwards, and
the WdgM_MainFunction () is called at the end of the SC
within the same SC.
*) Deadline Monitoring includes at least 2 CPs: the first CP starts the timer, the second CP checks the timer for violation of the deadline constraints.
-
Category:
Comment
Keywords:
ID:
239244 Note: Depending on the locations of CPs, the time span from the fault occurrence to the CP call may
include several SCs. That is, when the CP is not called within every SC.
-
9.1.4.1.3 Program Flow Supervision
Category:
Comment
Keywords:
ID:
239268 Assume that a fault occurs that leads to a Program Flow violation:
The S-WdgM Fault Detection Time is the sum of the time spans
from the fault to the call of the next CP that monitors the program flow and
from the call of this CP to the next call of WdgM_MainFunction () at the end of the current SC.
-
Category:
Comment
Keywords:
ID:
239269 In the best case, the S-WdgM Fault Detection Time is less than or equal to one SC. This is when
the fault occurs,
the corresponding CP is called afterwards, and
WdgM_MainFunction () is called at the end of the SC
within the same SC.
-
Category:
Comment
Keywords:
ID:
239270 Note: Depending on the locations of CPs, the time span from the fault occurrence to the CP call may
include several SCs. That is, when the CP is not called within every SC.
-
9.1.4.2 S-WdgM Fault Reaction Time
Category:
Comment
Keywords:
ID:
231805 The S-WdgM Fault Reaction Time spans
from the end of the S-WdgM Fault Detection Time
to the error escalation to the WD driver (through the S-WdgIf), either by omission of the WD trigger or by invocation of a WD reset through calling WdgIf_SetTriggerWindow(driver, 0, 0) for each driver.
-
Category:
Comment
Keywords:
ID:
239578 Note: This section does not discuss WD resets due to a S-WdgM error (like DET errors). S-WdgM errors
always lead to immediate WD resets by call of ImmediateWatchdogReset ().
-
Category:
Comment
Keywords:
ID:
239580 Note: In the context of the S-WdgM, the S-WdgM Fault Reaction Time ends with the call of the corresponding S-WdgIf functions
WdgIf_SetTriggerWindow () and
Mcu_PerformReset () (if the WD cannot be served correctly).
Be aware that there may be some (configured or HW-related) delay from the function call to the actual system reset. See the manuals of the corresponding S-Wdg drivers.
-
Category:
Comment
Keywords:
ID:
239616 The following assumptions apply here:
A violation continues from one Reference Cycle (according to the monitoring feature) to the next until the error is escalated. Discontinuation of a violation before error escalation results in a recovery to the OK-Status.
The monitored SEs are always active. Deactivation of a SE aborts the S-WdgM monitoring of this SE. Activation of a SE resumes the monitoring with OK-Status.
-
Category:
Comment
Keywords:
ID:
239658 There are two kinds of tolerances involved in the S-WdgM fault reaction time span:
the number of tolerated Reference Cycles per monitoring feature (defined by
WdgMFailedSupervisionRefCycleTol, WdgMFailedDeadlineRefCycleTol and
WdgMFailedProgramFlowRefCycleTol, respectively) and
the number of SupervisionCycles waiting until the actual error escalation takes place (defined by
WdgMExpiredSupervisionCycleTol).
-
Category:
Comment
Keywords:
ID:
239662 Once the S-WdgM Fault Reaction Time has expired, the error escalation is performed as follows:
If WDGM_IMMEDIATE_RESET is set to STD_ON,
then by calling WdgIf_SetTriggerWindow(driver, 0, 0) for each WdgM driver to invoke an immediate WD reset,
otherwise by omission of the WD trigger.
Note: Some WDs do not support an immediate reset. If not supported, then the WD trigger is still omitted and the system resets after the WD timeout has expired.
-
Category:
Comment
Keywords:
ID:
239634 The S-WdgM Fault Reaction Times of the different monitoring features do not affect each other (except of
course, that the error escalation of one monitoring violation aborts all other monitoring violations.)
-
Category:
Comment
Keywords:
ID:
239582 Notation: Within this section, the following notation is introduced:
"MF(i) is the i-th run of MainFunction () from the beginning of the S-WdgM Fault Reaction Time."
MF(0) is the run of MainFunction () where the S-WdgM Fault Detection Time ends and the Fault Reaction Time starts.
MF(1) is 1 SC later.
MF(sc) is sc SCs after MF(0).
-
Category:
Comment
Keywords:
ID:
239584 The S-WdgM Fault Reaction Time is evaluated differently for the various monitoring features as shown in
the following sections.
-
9.1.4.2.1 Alive Supervision
Category:
Comment
Keywords:
ID:
239644 The error escalation is conducted in MF(i), which is i SCs after MF(0), where
i = (WdgMSupervisionReferenceCycle * WdgMFailedSupervisionRefCycleTol) + WdgMExpiredSupervisionCycleTol
This is after i SCs.
-
9.1.4.2.2 Deadline Supervision
Category:
Comment
Keywords:
ID:
239650 The error escalation is conducted in MF(i), which is i SCs after MF(0), where
i = (WdgMDeadlineReferenceCycle * WdgMFailedDeadlineRefCycleTol) + WdgMExpiredSupervisionCycleTol
This is after i SCs.
-
9.1.4.2.3 Program Flow Supervision
Category:
Comment
Keywords:
ID:
239654 The error escalation is conducted in MF(i), which is i SupervisionCycles after MF(0), where
i = (WdgMProgramFlowReferenceCycle * WdgMFailedProgramFlowRefCycleTol) + WdgMExpiredSupervisionCycleTol
This is after i SCs.
-
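As an added worked example (not code from the S-WdgM package), the escalation index i of section 9.1.4.2 and the resulting worst-case fault-to-escalation budget built from the detection time bounds of section 9.1.4.1. The configuration values are constructed, and the worst-case detection time assumes that the monitoring CP is reached at least once every cpCallPeriod SCs.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Selects the monitoring feature whose timing budget is evaluated. */
typedef enum { WDGM_ALIVE, WDGM_DEADLINE, WDGM_PROGRAM_FLOW } WdgM_Feature;

/* Timing parameters of one SE for one monitoring feature. The member names
 * follow the configuration parameters named in the manual; the struct itself
 * is a constructed stand-in, not a type from the S-WdgM package. */
typedef struct {
    uint32_t supervisionCycleMs;          /* WdgMSupervisionCycle: length of one SC in ms */
    uint32_t referenceCycle;              /* WdgM{Supervision,Deadline,ProgramFlow}ReferenceCycle, in SCs */
    uint32_t failedRefCycleTol;           /* WdgMFailed{Supervision,Deadline,ProgramFlow}RefCycleTol */
    uint32_t expiredSupervisionCycleTol;  /* WdgMExpiredSupervisionCycleTol, in SCs */
    uint32_t cpCallPeriod;                /* assumption: the monitoring CP is reached at least once per this many SCs */
} WdgM_TimingCfg;

/* Section 9.1.4.2: the escalation is conducted in MF(i), i SCs after MF(0). */
uint32_t wdgm_escalation_index(const WdgM_TimingCfg *cfg)
{
    return cfg->referenceCycle * cfg->failedRefCycleTol
         + cfg->expiredSupervisionCycleTol;
}

/* Section 9.1.4.1: upper bound of the Fault Detection Time in SCs.
 *   fault -> next monitoring CP call: at most cpCallPeriod SCs
 *   CP call -> the WdgM_MainFunction() that detects the violation:
 *     at most one SupervisionReferenceCycle (Alive) or one SC (Deadline, Program Flow) */
uint32_t wdgm_detection_cycles_max(const WdgM_TimingCfg *cfg, WdgM_Feature f)
{
    uint32_t cp_to_main = (f == WDGM_ALIVE) ? cfg->referenceCycle : 1u;
    return cfg->cpCallPeriod + cp_to_main;
}

/* Worst-case span from fault occurrence to the escalating S-WdgIf call, in ms.
 * Any configured or HW-related delay between that call and the actual reset
 * (see the S-Wdg driver manuals) is not included. */
uint32_t wdgm_fault_to_escalation_ms_max(const WdgM_TimingCfg *cfg, WdgM_Feature f)
{
    uint32_t cycles = wdgm_detection_cycles_max(cfg, f) + wdgm_escalation_index(cfg);
    return cycles * cfg->supervisionCycleMs;
}

/* true if the worst case stays within the delay the system requirements allow. */
bool wdgm_budget_ok(const WdgM_TimingCfg *cfg, WdgM_Feature f, uint32_t max_allowed_ms)
{
    return wdgm_fault_to_escalation_ms_max(cfg, f) <= max_allowed_ms;
}

/* Constructed sample configuration (not taken from any real project). */
const WdgM_TimingCfg kSampleCfg = {
    .supervisionCycleMs = 10u,
    .referenceCycle = 5u,
    .failedRefCycleTol = 2u,
    .expiredSupervisionCycleTol = 3u,
    .cpCallPeriod = 5u,
};

int main(void)
{
    static const char *names[] = { "Alive", "Deadline", "Program Flow" };
    for (int f = WDGM_ALIVE; f <= WDGM_PROGRAM_FLOW; f++) {
        printf("%-12s escalation in MF(%" PRIu32 "), worst case fault->escalation %" PRIu32 " ms\n",
               names[f], wdgm_escalation_index(&kSampleCfg),
               wdgm_fault_to_escalation_ms_max(&kSampleCfg, (WdgM_Feature)f));
    }
    return 0;
}
```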
10 S-WdgM Configuration Generator
Category:
Comment
Keywords:
ID:
228807 This section lists the safety requirements for the installation and application of the S-WdgM Generator.
It also lists the safety requirements for the verification of the S-WdgM Generator's results.
-
Category:
Comment
Keywords:
ID:
228809 For information on how to use the S-WdgM Generator, see [TT_WDGM_UM].
-
Category:
Comment
Keywords:
ID:
228635 Note: The S-WdgM Generator is not ASIL-D. Its output cannot be trusted, hence additional checks are required by use of the S-WdgM Verifier, which is part of the S-WdgM package.
-
10.1 S-WdgM Generator - Installation
Category:
Requirement
Keywords:
ID:
228813 Label:
Safety relevant:
Related To:
Related To':
If the S-WdgM Generator is installed and used on a different OS than Windows 7 with Service Pack 1, the
integrator is responsible for ensuring that the change of the underlying OS does not affect the behavior and
output of the S-WdgM Generator.
-
Category:
Comment
Keywords:
ID:
228815 The S-WdgM Generator has been tested on Windows 7 with Service Pack 1.
-
10.2 S-WdgM Generator - Application
Category:
Requirement
Keywords:
ID:
228823 Label:
Safety relevant:
Related To:
Related To':
The selected output path for the generated S-WdgM code (runtime argument "OUTPUT-DIRECTORY")
shall be empty before the S-WdgM Generator is started.
-
Category:
Comment
Keywords:
ID:
228825 If the output path is not empty, code from previous generation runs may be accidentally integrated into the
AUTOSAR system.
-
Category:
Comment
Keywords:
ID:
263300 The generated files are listed on standard error (stdout).
-
Category:
Requirement
Keywords:
ID:
228827 Label:
Safety relevant:
Related To:
Related To':
If the S-WdgM Generator aborts the generation process with an error, the (partially) generated output files
shall not be used in an AUTOSAR system.
-
Category:
Comment
Keywords:
ID:
228829 Error messages start with "Error" and are displayed on standard error (stderr).
If successful, the S-WdgM Generator returns error level 0, otherwise an error level higher than 0 is returned.
-
Category:
Requirement
Keywords:
ID:
228831 Label:
Safety relevant:
Related To:
Related To':
If the S-WdgM Generator displays a warning message, the integrator shall ensure that the cause of the
warning does not invalidate the generated S-WdgM Configuration.
-
Category:
Comment
Keywords:
ID:
228833 Warning messages start with "Warning" and are displayed on standard error (stderr).
If successful (even with warning), the S-WdgM Generator returns error level 0, otherwise an error level
higher than 0 is returned.
-
Category:
Comment
Keywords:
ID:
229689 In case of an error free application of the generator, the generated S-WdgM Configuration files in the output
directory are:
WdgM_PBCfg.c
WdgM_PBCfg.h
AS3: WdgM_MemMap.h, or
AS4: WdgM_OSMemMap.h
WdgM_Cfg_Features.h
-
Category:
Comment
Keywords:
ID:
231187 TTTech provides a sample demonstration configuration with four SEs. The files may be used by the
integrator, but are intended for demonstration only.
-
Category:
Comment
Keywords:
ID:
228837 The S-WdgM Generator is not configurable. The S-WdgM Generator process is controlled by the input
arguments only.
-
10.3 S-WdgM Generator - S-WdgM Configuration Verification
Category:
Comment
Keywords:
ID:
229705 This section lists the safety requirements for the verification of the S-WdgM Configuration (i.e. the generated C and header files) produced by the S-WdgM Generator run.
-
Category:
Comment
Keywords:
ID:
228843 This section describes how the output of the S-WdgM Generator is to be checked so that the output has
ASIL-D quality.
-
Category:
Comment
Keywords:
ID:
290318 The verification process consists of the following steps, which are explained in detail in the following sections:
creation of S-WdgM Info files out of the ECU Description file (for the Verifier build),
build (compilation) of the Verifier,
Verifier run and manual check of the Verifier report,
manual checks (which cannot be performed by the Verifier) and
check of system specifications against the S-WdgM Info files.
-
Category:
Requirement
Keywords:
ID:
291126 Label:
Safety relevant:
Related To:
Related To':
The integrator shall use the same ECU Description file for verification that was used for the generation of
the S-WdgM Configuration files, which are verified.
-
Category:
Requirement
Keywords:
ID:
260615 Label:
Safety relevant:
Related To:
Related To':
If the S-WdgM Verification process is performed on a different OS than Windows 7 with Service Pack 1, the
integrator is responsible for ensuring that the change of the underlying OS does not affect the behavior and
output of the S-WdgM Verification process.
-
Category:
Comment
Keywords:
ID:
260617 The S-WdgM has been tested on Windows 7 with Service Pack 1.
-
10.3.1 Check S-WdgM Configuration against ECU Configuration
Category:
Requirement
Keywords:
ID:
228865 Label:
Safety relevant:
Related To:
Related To':
The integrator shall ensure that all files applied in the verification process are from the same delivered S-WdgM package.
-
Category:
Comment
Keywords:
ID:
228871 Do not use files of different S-WdgM package versions.
-
Category:
Requirement
Keywords:
ID:
228877 Label:
Safety relevant:
Related To:
Related To':
The integrator shall make sure that all files that are applied in the verification process are unaltered:
files that are delivered by TTTech are unaltered,
files created during the verification process are unaltered from creation to application.
-
10.3.1.1 Creation of S-WdgM Info Files
Category:
Requirement
Keywords:
ID:
232265 Label:
Safety relevant:
Related To:
Related To':
The S-WdgM Info files are a header and a C file with the ECU Description information as C code which is
checked against the generated files.
They shall be named
wdgm_verifier_info.h and
wdgm_verifier_info.c
(See Requirement 229681and Comment 263659 for details)
-
Category:
Requirement
Keywords:
ID:
229673 Label:
Safety relevant:
Related To:
Related To':
The integrator shall use an XSLT Processor, which fulfills the requirements in [ISO26262], part 8, clause
11.4.
-
Category:
Comment
Keywords:
ID:
324187 The S-WdgM package of TTTech contains an ISO26262 classified XSLT processor named "xsltproc.exe".
-
Category:
Comment
Keywords:
ID:
263574 The verifier has been tested with xsltproc.exe which uses libxslt V1.1.26 (Win32).
-
Category:
Comment
Keywords:
ID:
269546 The required XSL transformations do not use any XSLT 2.0 features; therefore, an XSLT 1.0-compliant processor can be used, e.g. XML Spy, xsltproc or Xalan.
-
Category:
Comment
Keywords:
ID:
269548 The following examples assume that xsltproc is being used. The command-line syntax for Xalan is very
similar. XML Spy is a GUI program.
-
Category:
Requirement
Keywords:
ID:
229681 Label:
Safety relevant:
Related To:
Related To':
The integrator shall perform two XSL transformations:
The integrator shall call the XSLT processor to apply the verify_wdgm_header.xsl stylesheet (part of the
package) to the ECU description file and store the transformation's result in the file wdgm_verifier_info.h.
The integrator shall call the XSLT processor to apply the verify_wdgm_source.xsl stylesheet (part of the
package) to the ECU description file and store the result in the file wdgm_verifier_info.c.
-
Category:
Comment
Keywords:
ID:
263659 If xsltproc.exe is used as XSLT processor, the syntax for the two calls is:
xsltproc.exe verify_wdgm_header.xsl ECU-description-file > wdgm_verifier_info.h
xsltproc.exe verify_wdgm_source.xsl ECU-description-file > wdgm_verifier_info.c
-
10.3.1.2 Verifier Compilation
Category:
Comment
Keywords:
ID:
228857 The S-WdgM Verifier executable is created as follows:
-
Category:
Requirement
Keywords:
ID:
229683 Label:
Safety relevant:
Related To:
Related To':
The integrator shall use a compiler/linker for compilation/linkage, which fulfills the requirements in
[ISO26262], part 8, clause 11.4.
-
Category:
Comment
Keywords:
ID:
232263 TTTech has tested with gcc 3.4.5.
-
Category:
Requirement
Keywords:
ID:
270666 Label:
Safety relevant:
Related To:
Related To':
The integrator shall make sure that the AUTOSAR and S-WdgM Stack files used for compilation of the Verifier are the files used in the system where the S-WdgM is integrated.
-
Category:
Comment
Keywords:
ID:
263812 This is a list of files needed for building the Verifier (other files may be required for compilation depending
on the environment and configuration options):
S-WdgM header files:
WdgM.h
WdgM_Cfg.h
S-WdgIf header files:
WdgIf_Cfg.h
WdgIf_Types.h
Created S-WdgM "Info file" (XSLT result):
wdgm_verifier_info.h
Generated S-WdgM header files:
WdgM_Cfg_Features.h
AS3: WdgM_MemMap.h, or
AS4: WdgM_OSMemMap.h
WdgM_PBcfg.h
Files from the S-WdgM Stack package:
wdgm_verifier.h
wdgm_verifier_types.h
wdgm_verifier_version.h
List of platform specific files:
Compiler.h
Compiler_Cfg.h
MemMap.h
Os.h
Os_MemMap.h
Platform_Types.h
Std_Types.h
Rte_Compiler_Cfg.h (if RTE is used)
Rte_MemMap.h (if RTE is used)
Rte_Type (if RTE is used)
-
Category:
Comment
Keywords:
ID:
263833 The set of include commands (-I path) for all include paths to these files is referred to as verify-includes.
-
Category:
Requirement
Keywords:
ID:
263825 Label:
Safety relevant:
Related To:
Related To':
For the compilation process, the following files must be compiled and linked:
The generated C file:
WdgM_PBcfg.c
Created S-WdgM Info file:
wdgm_verifier_info.c
Files from the S-WdgM Stack package:
wdgm_verifier.dll
libwdgm_verifierdll.a
-
Category:
Requirement
Keywords:
ID:
269558 Label:
Safety relevant:
Related To:
Related To':
The integrator shall ensure that the output files of the S-WdgM Generator are used as input for the S-WdgM
Verifier executable - and no other file.
-
Category:
Requirement
Keywords:
ID:
269560 Label:
Safety relevant:
Related To:
Related To':
Do not use S-WdgM Generator output files from previous generation processes, like from former versions of
the S-WdgM package.
-
Category:
Comment
Keywords:
ID:
264066 The syntax for the compilation call is:
gcc -Wall wdgm_verifier_info.c callbacks.c WdgM_PBcfg.c verify-includes -L dll-path -lwdgm_verifierdll -o wdgm_verifier.exe
where
verify-includes is a placeholder for the path(s) of include files as described above and
dll-path is a placeholder for the path where wdgm_verifier.dll and libwdgm_verifierdll.a are located.
-
Category:
Comment
Keywords:
ID:
229699 In case of an error free application of the compiler/linker the output is a S-WdgM Verifier executable
(wdgm_verifier.exe).
-
10.3.1.3 Verifier Run
Category:
Comment
Keywords:
ID:
229691 When the S-WdgM Verifier executable has been built, it has to be executed.
The S-WdgM Verifier writes a verification report to standard output 'stdout'.
This report must be reviewed as stated in this section and section "Manual Verification Checks" below.
-
Category:
Requirement
Keywords:
ID:
229695 Label:
Safety relevant:
Related To:
Related To':
The integrator shall run the S-WdgM Verifier executable as follows:
wdgm_verifier.exe > verifier_report.txt
-
Category:
Requirement
Keywords:
ID:
228861 Label:
Safety relevant:
Related To:
Related To':
The integrator shall review the output report of the S-WdgM Verifier executable run as follows:
If
there is a summary titled "S U M M A R Y" at the end of the verification result and
the summary shows all tests as PASSED,
then
the verification process ends with no error and the generated files can be considered correct
otherwise
the verification failed.
-
Category:
Comment
Keywords:
ID:
263882 If a test in the summary shows FAILED, then check the test information in the result:
Each test shows
a description and
the test result.
-
10.3.2 Manual Verification Checks
Category:
Comment
Keywords:
ID:
284770 The following checks can not be performed automatically but need to be done manually as described here.
-
Category:
Requirement
Keywords:
ID:
284772 Label:
Safety relevant:
Related To:
Related To':
For the following arrays in WdgM_PBcfg.c, the array length must match the number of items in the array:
WdgMTransition
WdgMGlobalTransition
all arrays named StartsGlobalTransition_se_cp_i (for a SE se, a CP cp and an integer i)
WdgMCheckPoint
WdgMSupervisedEntity
WdgMTriggerMode
WdgMWatchdogDevice
-
Category:
Comment
Keywords:
ID:
284774 Some array lengths are encapsulated with defines like "WdgMCheckPoint [NR_OF_CHECKPOINTS]". The
defines can be found at the top of file WdgM_PBcfg.c.
-
Category:
Requirement
Keywords:
ID:
290776 Label:
Safety relevant:
Related To:
Related To':
In WdgM_PBcfg.c, WdgMTicksPerSecond and WdgMTriggerWindowStart in array WdgMTriggerMode shall
meet the condition
round (WdgMTicksPerSecond * WdgMTriggerWindowStart * 0.001) <= 65535
where
round (x) rounds x to the closest integer value (e.g. round(3.3)=3, round(3.5)=4, round(3.7)=4).
-
Category:
Requirement
Keywords:
ID:
290778 Label:
Safety relevant:
Related To:
Related To':
In WdgM_PBcfg.c, WdgMTicksPerSecond and WdgMTriggerTimeout in array WdgMTriggerMode shall
meet the condition
round (WdgMTicksPerSecond * WdgMTriggerTimeout * 0.001) <= 65535
where
round (x) rounds x to the closest integer value (e.g. round(3.3)=3, round(3.5)=4, round(3.7)=4).
-
Category:
Requirement
Keywords:
ID:
290780 Label:
Safety relevant:
Related To:
Related To':
__MKSID__294315
In WdgM_PBcfg.c, check the array WdgMTransition:
For each item in the array:
CheckpointSourceId shall be set to an index that is in the range 0..NrOfCheckpoints-1;
where
NrOfCheckpoints is the value of the struct member "NrOfCheckpoints" of the corresponding
Supervised Entity; i.e., that Supervised Entity where the local transition starts and ends.
-
Category:
Comment
Keywords:
ID:
290782 For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.
-
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 41
Category:
Requirement
Keywords:
ID:
290784 Label:
Safety relevant:
Related To:
Related To':
__MKSID__294323
In WdgM_PBcfg.c, check the array WdgMGlobalTransition:
For each item in the array:
CheckpointSourceId shall be set to an index that is in the range 0..
NrOfCheckpoints-1;
where
NrOfCheckpoints is the value of the struct member "NrOfCheckpoints" of the corresponding
Supervised Entity; i.e. that Supervised Entity where the global transition starts.
-
Category:
Comment
Keywords:
ID:
290788 For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.
-
Category:
Requirement
Keywords:
ID:
290790 Label:
Safety relevant:
Related To:
Related To':
__MKSID__294313
In WdgM_PBcfg.c, check the array WdgMGlobalTransition:
For each item in the array:
EntitySourceId shall be set to an index that is in the range 0..WDGM_NR_OF_ENTITIES-1.
-
Category:
Comment
Keywords:
ID:
290801 For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.
-
Category:
Requirement
Keywords:
ID:
290792 Label:
Safety relevant:
Related To:
Related To':
In WdgM_PBcfg.c, check the array WdgMGlobalTransition:
For each item in the array:
Field WdgMCheckpointLocInitialId shall be set to 0.
-
Category:
Requirement
Keywords:
ID:
290804 Label:
Safety relevant:
Related To:
Related To':
__MKSID__294082
In WdgM_PBcfg.c, check the array WdgMSupervisedEntity :
For each item in the array:
Field WdgMCheckpointRef shall have a value of form &WdgMCheckPoint [
i], where
i is in range
0..WDGM_NR_OF_CHECKPOINTS-1.
-
Category:
Comment
Keywords:
ID:
290806 For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.
-
Category:
Requirement
Keywords:
ID:
290808 Label:
Safety relevant:
Related To:
Related To':
In WdgM_PBcfg.c, check the array WdgMSupervisedEntity :
For each item in the array:
WdgMCheckpointLocInitialId shall be set to an index that is within the length of array WdgMCheckPoint.
-
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 42
Category:
Comment
Keywords:
ID:
290812 For example: If WdgMCheckPoint has length 3, then only the indices 0, 1 and 2 are valid.
-
Category:
Requirement
Keywords:
ID:
290814 Label:
Safety relevant:
Related To:
Related To':
In wdgm_verifier_info.c, check the array triggers:
For each item in the array:
Field WdgMTriggerModeId shall be equal to the position of the item in the array,
where the first item is considered to have position 0.
-
Category:
Comment
Keywords:
ID:
290816 I.e. the first item has WdgMTriggerModeId set to 0, the next item has WdgMTriggerModeId set to 1, and so
on.
-
Category:
Requirement
Keywords:
ID:
290818 Label:
Safety relevant:
Related To:
Related To':
In wdgm_verifier_info.c, check the array deadline_supervisions:
There shall be no two items in the array with
the same source entity and
the same source CP and
the same destination entity and
the same destination CP.
-
Category:
Requirement
Keywords:
ID:
290820 Label:
Safety relevant:
Related To:
Related To':
In wdgm_verifier_info.c, check the array deadline_supervisions:
For each item in the array, there shall exist a transition
in local_transitions or
in global_transitions
so that all for fields
source entity
source CP
destination entity
destination CP
are pairwise equal.
-
Category:
Comment
Keywords:
ID:
290794 That is: for every deadline supervision item there shall be a Local Transition or Global Transition defined.
-
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 43
Category:
Requirement
Keywords:
ID:
290796 Label:
Safety relevant:
Related To:
Related To':
Check if
array WdgMCheckPoint in WdgM_PBcfg.c and
array alive_supervisions in wdgm_verifier_info.c
match to each other:
For each item
CP_item in WdgMCheckPoint:
If WdgMAliveLRef is unequal NULL_PTR (i.e. Alive Supervision is configured),
then
there shall be an item
AS_item in array alive_supervisions so that:
source entity in
AS_item matches the SE to which the CP in
CP_item belongs,
source CP in
AS_item matches the CP referred in
CP_item alive indications in
AS_item matches WdgMExpectedAliveIndications in
CP_item,
minimum margin in
AS_item matches WdgMMinMargin in
CP_item maximum margin in
AS_item matches WdgMMaxMargin in
CP_item supervision Reference Cycle in
AS_item matches WdgMSupervisionReferenceCycle in
CP_item Otherwise (if WdgMAliveLRef is equal NULL_PTR i.e. no Alive Supervision is configured),
then
no
AS_item in array alive _supervision shall exist that matches
CP_item in all 6 fields as described
below.
-
Category:
Requirement
Keywords:
ID:
555550 Label:
Safety relevant:
Related To:
Related To':
__MKSID__552565
In wdgm_verifier_info.c, check the line "AUTOSAR Version:
AUTOSAR namespace"
If the ECU description file is AUTOSAR 4.0 compliant then
AUTOSAR namespace shall be a 4.0 namespace
else If the ECU description file is AUTOSAR 3.1 compliant then
AUTOSAR namespace shall be a 3.1 namespace
-
Category:
Comment
Keywords:
ID:
560002 An example for an
AUTOSAR namespace: AS4: "http://autosar.org/schema/r4.0"
AS3: "http://autosar.org/3.1.4"
-
Category:
Requirement
Keywords:
ID:
555591 Label:
Safety relevant:
Related To:
__MKSID__304557,_
Related To':
_MKSID__304553,__
MKSID__304567
In WdgM_PBcfg.c, check that the declarations of the following identifiers are placed into the global memory
segment of the S-WdgM:
StatusG,
EntityStatusG_
seid, for every defined SE
seid, and
Alive_CounterG_
acid, for every Alive Counter
acid if Alive Counters are configured for the respective
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 44
supervised entity.
The declarations must be memory mapped using the following defines:
WDGM_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED and
WDGM_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED.
-
Category:
Requirement
Keywords:
ID:
555593 Label:
Safety relevant:
Related To:
Related To':
__MKSID__304565,__MKSID__304563,__MKSID__30456
1
In WdgM_PBcfg.c, check that the declarations of the following identifiers are placed into the global shared
memory segment of the S-WdgM:
StatusGS,
EntityGS, and
GlobalTransitionFlagsGS, which exists only if Global Transitions are defined in the system.
The declarations must be memory mapped using the following defines:
WDGM_GLOBAL_SHARED_START_SEC_VAR_NOINIT_UNSPECIFIED and
WDGM_GLOBAL_SHARED_STOP_SEC_VAR_NOINIT_UNSPECIFIED.
-
Category:
Requirement
Keywords:
ID:
555599 Label:
Safety relevant:
Related To:
__MKSID__304559,_
Related To':
_MKSID__304555
In WdgM_PBcfg.c, check that the declarations of the following identifiers are placed into the entity local data
memory segment of the S-WdgM:
EntityStatusL_
seid, for every defined SE
seid, and
Alive_CounterL_
acid, for every Alive Counter
acid if Alive Counters are configured for the respective
SE.
The declaration of EntityStatusL_
seid must be memory mapped using the following defines:
WDGM_
seid_START_SEC_VAR_NOINIT_UNSPECIFIED and
WDGM_
seid_STOP_SEC_VAR_NOINIT_UNSPECIFIED
The declaration of AliveCounterL_
acid must be memory mapped using the following defines:
WDGM_
acid_START_SEC_VAR_NOINIT_32BIT and
WDGM_
acid_STOP_SEC_VAR_NOINIT_32BIT.
-
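The three memory-mapping checks above (555591, 555593, 555599) are where a review by eye is weakest: a declaration that sits one line below a STOP define, or inside the section of a neighbouring SE, compiles cleanly but places the variable in the wrong memory partition, and the partition split is what the freedom-from-interference argument rests on. The following scanner is an added example, not code from the Safety Manual or from TTTech. It assumes the AUTOSAR MemMap convention of one "#define <prefix>_START_SEC_<type>" / "#define <prefix>_STOP_SEC_<type>" pair per line around the declarations, uses the WDGM_<seid>_ prefix form exactly as 555599 prints it (adjust expected_section() if the generated file uses a different prefix), and the sample WdgM_PBcfg.c text with its placeholder type names is constructed.

```python
"""Added example, not part of the TTTech Safety Manual: a scanner for the
memory-mapping checks of requirements 555591, 555593 and 555599.

It walks WdgM_PBcfg.c line by line, tracks which MemMap section is open
(#define <prefix>_START_SEC_<type> ... #define <prefix>_STOP_SEC_<type>)
and reports every S-WdgM status or counter declaration that is not inside
the section the manual requires. The parsing rules (one #define per line,
one declaration per line, placeholder type names in the sample) are
assumptions about the generated file, not statements of the manual."""
import re

DEFINE_RE = re.compile(r"^\s*#define\s+(\w+?)_(START|STOP)_SEC_(\w+)\s*$")
# Identifiers named in 555591/555593/555599, followed by a declarator tail.
DECL_RE = re.compile(
    r"\b(StatusGS|StatusG|EntityGS|GlobalTransitionFlagsGS"
    r"|EntityStatusG_\w+|EntityStatusL_\w+"
    r"|Alive_CounterG_\w+|Alive_CounterL_\w+)\s*[;\[=]"
)


def expected_section(name: str) -> tuple:
    """(MemMap prefix, section type) the manual requires for `name`."""
    if name in ("StatusGS", "EntityGS", "GlobalTransitionFlagsGS"):
        return ("WDGM_GLOBAL_SHARED", "VAR_NOINIT_UNSPECIFIED")       # 555593
    if name == "StatusG" or name.startswith(("EntityStatusG_", "Alive_CounterG_")):
        return ("WDGM_GLOBAL", "VAR_NOINIT_UNSPECIFIED")              # 555591
    if name.startswith("EntityStatusL_"):                              # 555599
        return ("WDGM_" + name[len("EntityStatusL_"):], "VAR_NOINIT_UNSPECIFIED")
    if name.startswith("Alive_CounterL_"):                             # 555599
        return ("WDGM_" + name[len("Alive_CounterL_"):], "VAR_NOINIT_32BIT")
    raise ValueError("not an S-WdgM status/counter identifier: " + name)


def check_memmap(source: str) -> list:
    """Return findings as (line, identifier, message) tuples; [] == pass."""
    findings = []
    open_section = None   # (prefix, type) of the section currently open
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DEFINE_RE.match(line)
        if m:
            prefix, kind, sec_type = m.groups()
            if kind == "START":
                if open_section is not None:
                    findings.append((lineno, prefix, "START while %s is still open" % (open_section,)))
                open_section = (prefix, sec_type)
            else:
                if open_section != (prefix, sec_type):
                    findings.append((lineno, prefix, "STOP does not match open section %s" % (open_section,)))
                open_section = None
            continue
        for d in DECL_RE.finditer(line):
            name = d.group(1)
            want = expected_section(name)
            if open_section != want:
                findings.append((lineno, name, "declared in %s, required %s" % (open_section, want)))
    return findings


# Constructed sample in the style of a generated WdgM_PBcfg.c; two defects.
SAMPLE_PBCFG = """\
#define WDGM_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED
#include "MemMap.h"
VAR(GlobalStatus_t, WDGM_VAR) StatusG;
VAR(EntityStatus_t, WDGM_VAR) EntityStatusG_0;
VAR(EntityStatus_t, WDGM_VAR) EntityStatusG_1;
#define WDGM_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#include "MemMap.h"
#define WDGM_GLOBAL_SHARED_START_SEC_VAR_NOINIT_UNSPECIFIED
#include "MemMap.h"
VAR(GlobalStatus_t, WDGM_VAR) StatusGS;
VAR(EntityStatus_t, WDGM_VAR) EntityGS;
#define WDGM_GLOBAL_SHARED_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#include "MemMap.h"
#define WDGM_0_START_SEC_VAR_NOINIT_UNSPECIFIED
#include "MemMap.h"
VAR(EntityStatus_t, WDGM_VAR) EntityStatusL_0;
VAR(EntityStatus_t, WDGM_VAR) EntityStatusL_1;   /* wrong: belongs to SE 1 */
#define WDGM_0_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#include "MemMap.h"
#define WDGM_3_START_SEC_VAR_NOINIT_32BIT
#include "MemMap.h"
VAR(uint32, WDGM_VAR) Alive_CounterL_3;
#define WDGM_3_STOP_SEC_VAR_NOINIT_32BIT
#include "MemMap.h"
VAR(uint32, WDGM_VAR) Alive_CounterG_3;          /* wrong: outside any section */
"""

if __name__ == "__main__":
    for lineno, name, msg in check_memmap(SAMPLE_PBCFG):
        print("line %d: %s: %s" % (lineno, name, msg))
```

The scanner also flags unbalanced START/STOP pairs, because a missing STOP silently extends a section over everything that follows it, which is the other way declarations end up in a partition the reviewer did not intend.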
[Requirement 565665]
In WdgM_PBcfg.h, check that the constant value WDGM_NR_OF_WATCHDOGS matches the actual number of configured Watchdog devices.

[Requirement 565673]
In WdgM_PBcfg.h, check that the constant value WDGM_NR_OF_TRIGGER_MODES matches the actual number of configured Watchdog Manager Trigger Modes.

[Requirement 566072]
Check that the constant value WDGM_NR_OF_ALLOWED_CALLERS matches the number of IDs of the modules that are allowed to call the WdgM_SetMode function.

[Requirement 566082]
If WDGM_NR_OF_ALLOWED_CALLERS is greater than zero, check that the struct member WdgMCallersRef in WdgM_ConfigType points to an array of WdgM_CallersType which has a length of WDGM_NR_OF_ALLOWED_CALLERS.

[Requirement 566084]
If WDGM_NR_OF_ALLOWED_CALLERS is zero, check that the struct member WdgMCallersRef in WdgM_ConfigType is set to NULL.

10.3.3 Check System Specifications against S-WdgM Info Files

[Comment 265499]
As part of the verification process, the generated file wdgm_verifier_info.c must be checked against the system specification which served as the basis for the ECU description.

[Comment 265501]
The following instructions show how to extract the data to be checked from the wdgm_verifier_info.c file. This involves analysis of C source code and assumes basic knowledge of the programming language.

[Comment 265504]
Check the generated Local Transitions as follows:

[Comment 265508]
Find the C-struct array named "local_transitions".

[Comment 265522]
The array holds all Local Transitions of all SEs. Each Local Transition <lt> is given as a C-struct containing the following values (in this order):
- the name of the source SE of <lt>,
- the name of the source CP of <lt>,
- the name of the destination SE of <lt>, and
- the name of the destination CP of <lt>.

[Requirement 265526]
The integrator shall check that each <lt> is defined as stated in the System Specification.

[Requirement 265528]
The integrator shall also check that no local transition stated in the System Specification is missing in the array "local_transitions".

[Comment 265587]
Check the generated Global Transitions as follows:

[Comment 265589]
Find the C-struct array named "global_transitions".

[Comment 265591]
The array holds all Global Transitions of all SEs. Each Global Transition <gt> is given as a C-struct containing the following values (in this order):
- the name of the source SE of <gt>,
- the name of the source CP of <gt>,
- the name of the destination SE of <gt>, and
- the name of the destination CP of <gt>.

[Requirement 265593]
Check that each <gt> is defined as stated in the System Specification.

[Requirement 265595]
Check also that no Global Transition stated in the System Specification is missing in the array "global_transitions".

[Comment 265597]
Check the CPs as follows:

[Comment 265599]
For each defined SE named <se>, find the C-struct array named "se_<se>_cp_list".

[Comment 265601]
The array holds all CPs of SE <se>. Within se_<se>_cp_list, each CP <cp> that is associated to <se> is given as a C-struct containing the following values (in this order):
- ID of <se>,
- ID of <cp>,
- name of <se>, and
- name of <cp>.

[Requirement 265603]
Check that each <cp> is defined in <se> as stated in the System Specification.

[Requirement 265605]
Check also that no CP for <se> stated in the System Specification is missing in the array "se_<se>_cp_list".

[Comment 265607]
At the end you have checked all CPs of all SEs.

[Comment 265611]
Check the SEs as follows:

[Comment 265613]
Find the C-struct array named "entities".

[Comment 265615]
The array holds information about all SEs. Each SE <se> is given as a C-struct containing the following values (in this order):
- ID of <se>,
- name of <se>,
- number of CPs associated to <se>, and
- a reference se_<se>_cp_list, which refers to the list of CPs for <se> that has been checked in step "Check the CPs as follows" (265597) above.

[Requirement 265617]
Check that each <se> is defined as stated in the System Specification.

[Requirement 265619]
Check also that no SE stated in the System Specification is missing in the array "entities".

[Comment 265621]
Check the deadline supervisions as follows:

[Comment 265623]
Find the C-struct array named "deadline_supervisions".

[Comment 265625]
The array holds information about all transitions with Deadline Supervision. Each deadline supervision <dl> is given as a C-struct containing the following values (in this order):
- name of the source SE of <dl>,
- name of the source CP of <dl>,
- name of the destination SE of <dl>,
- name of the destination CP of <dl>,
- minimum value of the deadline interval of <dl>, and
- maximum value of the deadline interval of <dl>.

[Requirement 265627]
Check that each defined <dl> is as stated in the System Specification.

[Requirement 265629]
Check also that no deadline supervision stated in the System Specification is missing in the array "deadline_supervisions".

[Comment 265639]
Check the Alive Supervision as follows:

[Comment 265641]
Find the C-struct array named "alive_supervisions".

[Comment 265643]
The array holds information about all CPs with Alive Supervision. Each Alive Supervision <al> is given as a C-struct containing the following values (in this order):
- name of the source SE of <al>,
- name of the source CP of <al>,
- number of expected alive indications per Reference Cycle of <al>,
- minimum value of the alive indication margin of <al>, and
- maximum value of the alive indication margin of <al>.

[Requirement 265645]
Check that each defined <al> is as stated in the System Specification.

[Requirement 265647]
Check also that no Alive Supervision stated in the System Specification is missing in the array "alive_supervisions".
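Both the deadline_supervisions consistency checks of 290818 and 290820 (section 10.3.2) and the "everything specified is generated, nothing unspecified is generated" comparisons of section 10.3.3 start from the same step: pulling the C-struct arrays out of wdgm_verifier_info.c as tuples. The following Python script is an added example, not code from the Safety Manual or from TTTech, and serves both passages. It assumes the generator emits each array as a single "name[] = { {...}, {...} };" initializer with string and integer fields only; the sample wdgm_verifier_info.c text, its placeholder type names, and the System Specification set are constructed.

```python
"""Added example, not part of the TTTech Safety Manual: extracts the
C-struct arrays of wdgm_verifier_info.c (section 10.3.3), applies the
deadline_supervisions checks of requirements 290818 and 290820, and
compares an extracted array with the System Specification (265526/265528
and their siblings for the other arrays)."""
import re


def parse_array(source: str, name: str) -> list:
    """Return the items of C array `name` as tuples of str/int fields.

    Assumes one `name[] = { {...}, ... };` initializer with string literals
    and integers only (the layout seen in the sample below).
    """
    m = re.search(r"\b%s\s*\[\s*\]\s*=\s*\{(.*?)\};" % re.escape(name),
                  source, re.S)
    if m is None:
        raise ValueError("array %s not found" % name)
    items = []
    for body in re.findall(r"\{([^{}]*)\}", m.group(1)):
        fields = []
        for raw in body.split(","):
            raw = raw.strip()
            fields.append(int(raw) if re.fullmatch(r"-?\d+", raw)
                          else raw.strip('"'))
        items.append(tuple(fields))
    return items


def check_deadlines(local, global_, deadlines) -> list:
    """290818: no two deadline items share (src SE, src CP, dst SE, dst CP).
    290820: every deadline item has a matching local or global transition."""
    transitions = {t[:4] for t in local} | {t[:4] for t in global_}
    seen = {}
    findings = []
    for i, d in enumerate(deadlines):
        key = d[:4]
        if key in seen:
            findings.append("deadline_supervisions[%d] duplicates item %d "
                            "(290818): %s" % (i, seen[key], key))
        else:
            seen[key] = i
        if key not in transitions:
            findings.append("deadline_supervisions[%d] has no local or "
                            "global transition (290820): %s" % (i, key))
    return findings


def diff_against_spec(generated, spec):
    """Return (extra, missing): generated but not specified, and specified
    but not generated. Both sets must be empty for 265526/265528 to hold."""
    gen = set(generated)
    return gen - set(spec), set(spec) - gen


# Constructed sample in the style of wdgm_verifier_info.c; type names are
# placeholders. Two deadline items are deliberately defective.
SAMPLE_VERIFIER_INFO = """\
const transition_t local_transitions[] = {
    {"SE_Main", "CP_Start", "SE_Main", "CP_Mid"},
    {"SE_Main", "CP_Mid",   "SE_Main", "CP_End"}
};
const transition_t global_transitions[] = {
    {"SE_Main", "CP_End", "SE_Comm", "CP_Rx"},
};
const deadline_t deadline_supervisions[] = {
    {"SE_Main", "CP_Start", "SE_Main", "CP_Mid",   1, 5},
    {"SE_Main", "CP_End",   "SE_Comm", "CP_Rx",    2, 8},
    {"SE_Main", "CP_Start", "SE_Main", "CP_Mid",   1, 6},  /* duplicate key */
    {"SE_Comm", "CP_Rx",    "SE_Main", "CP_Start", 0, 9},  /* no transition */
};
"""

# Constructed System Specification: one local transition was never generated.
SPEC_LOCAL_TRANSITIONS = {
    ("SE_Main", "CP_Start", "SE_Main", "CP_Mid"),
    ("SE_Main", "CP_Mid", "SE_Main", "CP_End"),
    ("SE_Comm", "CP_Rx", "SE_Comm", "CP_Done"),
}


def run_checks(source=SAMPLE_VERIFIER_INFO, spec_local=SPEC_LOCAL_TRANSITIONS):
    """All findings for one wdgm_verifier_info.c text; [] == everything passes."""
    local = parse_array(source, "local_transitions")
    glob = parse_array(source, "global_transitions")
    deadlines = parse_array(source, "deadline_supervisions")
    findings = check_deadlines(local, glob, deadlines)
    extra, missing = diff_against_spec(local, spec_local)
    findings += ["local_transitions has unspecified item %s" % (t,) for t in sorted(extra)]
    findings += ["local_transitions lacks specified item %s" % (t,) for t in sorted(missing)]
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

The same diff_against_spec() call covers global_transitions, entities, each se_<se>_cp_list, deadline_supervisions and alive_supervisions once the System Specification is transcribed into tuples in the field order the manual lists for that array; the parser is written so that those arrays need no extra code.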
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 50
11 Safe Watchdog Manager
Category:
Comment
Keywords:
ID:
228907 This section lists the safety requirements for the integration and application of the S-WdgM code in(to) an
AUTOSAR system.
-
11.1 API Specification
Category:
Comment
Keywords:
ID:
228909 This section describes the imported types and definitions and the expected interface. It also describes
safety related aspects of types, definitions and functions implemented in the S-WdgM.
Some types, definitions and interfaces depend on the used S-WdgM Configuration.
-
Category:
Comment
Keywords:
ID:
229196 For a detailed description of types, definitions and functions implemented in S-WdgM, see
[TT_WDGM_UM].
For a detailed description of types, definitions and functions imported from S-WdgIf, see [TT_WDGIF_UM].
-
Category:
Comment
Keywords:
ID:
229302 For further requirements related to imported types, definitions and interfaces, see section "Integration".
-
Category:
Requirement
Keywords:
ID:
229304 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the correct import of the types and definitions that are listed in this section.
-
Category:
Requirement
Keywords:
ID:
229306 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the correct application of the interface functions.
-
Category:
Comment
Keywords:
ID:
542988 Correct in this context means that the interface functions are used in accordance with the requirements
given in this document. See also section "Application Level API Functions" below.
-
Category:
Requirement
Keywords:
ID:
229744 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for ensuring that all external functions that are called from within the S-WdgM
code are imported from the correct versions of AUTOSAR.
-
Category:
Comment
Keywords:
ID:
558694 The external functions are listed in section "Expected Interface" below. The correct AUTOSAR version is
defined in 231307.
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 51
-
Category:
Requirement
Keywords:
ID:
229746 Label:
Safety relevant:
Related To:
Related To':
The inclusion of AUTOSAR files or any other files different from S-WdgM files shall not redefine any
identifier that is defined in the S-WdgM code. E.g., redefinitions with #define macros.
-
Category:
Requirement
Keywords:
ID:
231825 Label:
Safety relevant:
Related To:
Related To':
The integrator shall verify that no external interface with the S-WdgM degrades the quality level of the S-
WdgM below the required quality level.
-
Category:
Comment
Keywords:
ID:
231827 For example, if an external function of quality level ASIL C is called by the S-WdgM, it degrades the quality
level of the S-WdgM to ASIL C (if no precautions were taken), although the required quality level is ASIL D.
-
Category:
Comment
Keywords:
ID:
558698 The external interface is listed in section "Expected Interface" below.
-
11.1.1 Expected Interface Category:
Comment
Keywords:
ID:
229201 This section lists external functions that are called by the S-WdgM.
-
Category:
Comment
Keywords:
ID:
229715 For a scheme with interaction of the S-WdgM with external functions, see [TT_WDGM_UM].
-
Category:
Comment
Keywords:
ID:
234840 The following functions of the lower WdgIf layer are called independent to the chosen S-WdgM
configuration:
Function Module WdgIf_SetMode ()
WdgIf
WdgIf_SetTriggerWindow ()
WdgIf
table 8
-
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 52
Category:
Comment
Keywords:
ID:
229726 Some functions are called by the S-WdgM depending on the compiler switches as listed here:
Compiler Switch Function Module WDGM_DEM_REPORT is set to
Appl_Dem_ReportErrorStatus () **)
DEM
STD_ON
WDGM_DEV_ERROR_DETECT is set Appl_Det_ReportError () **)
DET
to STD_ON
WDGM_SECOND_RESET_PATH is set Appl_Mcu_PerformReset () **)
Mcu
to STD_ON
AS3: SchM_Enter_WdgM () and SchM_Exit_WdgM ()
AS4: WDGM_USE_OS_SUSPEND_INTERR SchM_Enter_WdgM_WDGM_EXCLUSIVE_AREA_0 () SchM
UPT is set to STD_ON
and
SchM_Exit_WdgM_WDGM_EXCLUSIVE_AREA_0 ()
WDGM_STATE_CHANGE_NOTIFICATI
WdgM_GlobalStateChangeCbk () *),
ON is set to STD_ON
WdgM_LocalStateChangeCbk ()
*)
WDGM_TIMEBASE_SOURCE is set to
WDGM_INTERNAL_HARDWARE_TICK WdgIf_GetTickCounter ()
WdgIf
table 9
If a compiler switch is set differently, the according function is not called by the S-WdgM.
*) The actual name of the function is defined by the S-WdgM configuration fields
WdgM_GlobalStateChangeCbk and WdgM_LocalStateChangeCbk, respectively. The actual module
depends on the system architecture.
**) This is a wrapper function. See the next section for information.
-
11.1.1.1 Implementation of Wrapper Functions for the Expected Interface Category:
Comment
Keywords:
ID:
238249 Some functions of the expected interface may not meet the required quality level and need to be wrapped
so that freedom from interference with the S-WdgM is guaranteed. These functions are:
Function Wrapper function Dem_ReportErrorStatus ()
Appl_Dem_ReportErrorStatus ()
Det_ReportError ()
Appl_Det_ReportError ()
Mcu_PerformReset ()
Appl_Mcu_PerformReset ()
table 10
-
Category:
Comment
Keywords:
ID:
260668 Note: Whether a function is called or not depends on the configuration's compiler switches.
-
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 53
Category:
Requirement
Keywords:
ID:
238245 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the implementation of each wrapper function as follows:
1. the wrapper function serves as wrapper for the call of the according external function,
2. the wrapper function guarantees freedom from interference with the S-WdgM code and data when the
according function is called, and
3. the quality level of the wrapper function is sufficient for the required quality level of the system.
-
Category:
Requirement
Keywords:
ID:
259941 Label:
Safety relevant:
Related To:
Related To':
The wrapper function shall be declared in a separate header-file, which shall include the header file for
wrapped AUTOSAR function as follows:
Wrapper Function Declared In Header File Header File includes Appl_Dem_ReportErrorStatus () Appl_Dem.h
Dem.h
Appl_Det_ReportError ()
Appl_Det.h
Det.h
Appl_Mcu_PerformReset ()
Appl_Mcu.h
Mcu.h
table 11
-
Category:
Requirement
Keywords:
ID:
229211 Label:
Safety relevant:
Related To:
Related To':
The integrator shall verify:
If a function in 234840, 229726, 238249, and 259941above is called, then the quality level of the S-WdgM is
not degraded below the required quality level.
-
Category:
Comment
Keywords:
ID:
260560 If a subset of these functions is called, then the quality level of the S-WdgM is degraded to the quality level
of the function in this subset that has the lowest quality level.
-
Category:
Comment
Keywords:
ID:
229728 For this reason, the integrator is advised to revise the necessity of the expected interfaces.
-
11.1.2 Imported Types and Definitions Category:
Comment
Keywords:
ID:
229213 This section lists the types and definitions that are imported by the S-WdgM.
-
Category:
Comment
Keywords:
ID:
229296 The following types and definitions are imported from Platform_Types.h and used:
Types: uint8
uint16
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 54
uint32
boolean
Definitions: TRUE
FALSE
-
Category:
Comment
Keywords:
ID:
229310 The following types and definitions are imported from Std_Types.h and used:
Types: Std_ReturnType
Definitions: STD_ON
STD_OFF
-
Category:
Comment
Keywords:
ID:
235906 The type Std_VersionInfoType is not included, because the WdgM_GetVersionInfo () is implemented as
macro.
-
Category:
Comment
Keywords:
ID:
229312 The following definitions are imported from "Compiler.h" and used:
Definitions: AUTOMATIC
CONST
FUNC
NULL_PTR
P2CONST
P2FUNC
P2VAR
VAR
-
Category:
Comment
Keywords:
ID:
229318 The following definitions are imported from "Compiler_Cfg.h" and used:
WDGM_CODE
WDGM_CONST
WDGM_APPL_CONST
WDGM_APPL_DATA
WDGM_APPL_VAR
WDGM_VAR
-
Category:
Comment
Keywords:
ID:
290334 The following definitions are imported from " SchM_WdgM.h" and used:
WDGM_EXCLUSIVE_AREA_0
-
Category:
Comment
Keywords:
ID:
290336 The following definitions are imported from " WdgIf_Types.h" and used:
WDGIF_OFF_MODE
-
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 55
Category:
Comment
Keywords:
ID:
290332 If WDGM_USE_RTE is set to STD_ON, then the following definitions are imported from "Rte_Type.h" (for
AS3) or
"Rte_WdgM_Type.h" (for
AS4):
WDGM_LOCAL_STATUS_OK
WDGM_LOCAL_STATUS_FAILED
WDGM_LOCAL_STATUS_EXPIRED
WDGM_LOCAL_STATUS_DEACTIVATED
WDGM_GLOBAL_STATUS_OK
WDGM_GLOBAL_STATUS_FAILED
WDGM_GLOBAL_STATUS_EXPIRED
WDGM_GLOBAL_STATUS_STOPPED
WDGM_GLOBAL_STATUS_DEACTIVATED
-
Category:
Comment
Keywords:
ID:
229314 The following definitions are imported from "MemMap.h" (and indirectly from "WdgM_MemMap.h" (for
AS3)
or "WdgM_OSMemMap.h" (for
AS3)) and used:
In WdgM.c:
WDGM_GLOBAL_START_SEC_VAR_32BIT
WDGM_GLOBAL_STOP_SEC_VAR_32BIT
WDGM_GLOBAL_START_SEC_VAR_BOOLEAN
WDGM_GLOBAL_STOP_SEC_VAR_BOOLEAN
WDGM_START_SEC_CODE
WDGM_STOP_SEC_CODE
In WdgM_Checkpoint.c:
WDGM_START_SEC_CODE
WDGM_STOP_SEC_CODE
In WdgM_PBcfg.c (generated):
WDGM_SE
seid_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SE
seid_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SE
seid_START_SEC_VAR_NOINIT_32BIT
WDGM_SE
seid_STOP_SEC_VAR_NOINIT_32BIT
(for a SE with WdgMSupervisedEntityId
seid) and
WDGM_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_SHARED_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_SHARED_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_START_SEC_CONST_UNSPECIFIED
WDGM_STOP_SEC_CONST_UNSPECIFIED
-
Category:
Comment
Keywords:
ID:
290088 If a SE with WdgMSupervisedEntityId
seid belongs to an application (WdgMAppTaskRef for SE
seid is set
to
appl_name),
then the following defines in WdgM_MemMap.h (for
AS3)
or WdgM_OSMemMap.h (for
AS4) are redefined:
WDGM_SE
seid_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SE
seid_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_SE
seid_START_SEC_VAR_NOINIT_32BIT
WDGM_SE
seid_STOP_SEC_VAR_NOINIT_32BIT
is redefined to
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 56
appl_name_START_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_STOP_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_START_SEC_VAR_NOINIT_32BIT
appl_name_STOP_SEC_VAR_NOINIT_32BIT
respectively.
-
Category:
Comment
Keywords:
ID:
290118 If the S-WdgM component belongs to an application (WdgMGlobalMemoryAppTaskRef is set to
appl_name),
then the following defines in WdgM_MemMap.h (for
AS3) or WdgM_OSMemMap.h (for
AS4) are redefined:
WDGM_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_START_SEC_VAR_32BIT
WDGM_GLOBAL_STOP_SEC_VAR_32BIT
WDGM_GLOBAL_START_SEC_VAR_BOOLEAN
WDGM_GLOBAL_STOP_SEC_VAR_BOOLEAN
is redefined to
appl_name_GLOBAL_START_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_GLOBAL_STOP_SEC_VAR_NOINIT_UNSPECIFIED
appl_name_GLOBAL_START_SEC_VAR_32BIT
appl_name_GLOBAL_STOP_SEC_VAR_32BIT
appl_name_GLOBAL_START_SEC_VAR_BOOLEAN
appl_name_GLOBAL_STOP_SEC_VAR_BOOLEAN
respectively.
-
Category:
Comment
Keywords:
ID:
290889 Defines for global shared data are also redefined:
WDGM_GLOBAL_SHARED_START_SEC_VAR_NOINIT_UNSPECIFIED
WDGM_GLOBAL_SHARED_STOP_SEC_VAR_NOINIT_UNSPECIFIED
is redefined to
GlobalShared_START_SEC_VAR_NOINIT_UNSPECIFIED
GlobalShared_STOP_SEC_VAR_NOINIT_UNSPECIFIED
-
Category:
Comment
Keywords:
ID:
229730 The following types are imported from "WdgIf_Types.h" (through "WdgM_Cfg.h") and used:
Type: WdgIf_ModeType
-
Category:
Requirement
Keywords:
ID:
229235 Label:
Safety relevant:
Related To:
Related To':
If the configuration parameter WDGM_USE_RTE is set to STD_ON, then the integrator shall ensure that
the following types are defined as shown in this table:
Type Allowed Value WdgM_SupervisedEntityIdType
uint8, uint16
WdgM_CheckpointIdType
uint8, uint16
WdgM_ModeType
uint8
WdgM_LocalStatusType
uint8
Date: 26.05.2014
Author: TTTech Automotive GmbH
© TTTech Automotive GmbH TTTech Automotive GmbH Confidential and Proprietary Information
Ensuring Reliable Networks Project Name: Safe Watchdog Manager
Version: 2.3.28
Doc. Name: Safety Manual
Doc. No: D-SAFEX-S-70-001
Page 57
WdgM_GlobalStatusType
uint8
table 12
No other value is allowed.
-
Category:
Comment
Keywords:
ID:
229707 The S-WdgM assumes that "Rte_Type.h" (for
AS3) or
"Rte_WdgM_Type.h" (for
AS4) is the source of these
types and includes "Rte_Type.h" (for
AS3) or
"Rte_WdgM_Type.h" (for
AS4) if - and only if -
WDGM_USE_RTE is set to STD_ON.
-
Category:
Comment
Keywords:
ID:
237635 See [AS_RTE_SWS] for information on AUTOSAR RTE.
-
Category:
Comment
Keywords:
ID:
229288 If the configuration parameter WDGM_USE_RTE is set to STD_OFF, then the types are defined by the S-
WdgM as shown in this table:
Type Value WdgM_SupervisedEntityIdType
uint16
WdgM_CheckpointIdType
uint16
WdgM_ModeType
uint8
WdgM_LocalStatusType
uint8
WdgM_GlobalStatusType
uint8
table 13
-
Category:
Requirement
Keywords:
ID:
229264 Label:
Safety relevant:
Related To:
Related To':
If the configuration parameter WDGM_USE_RTE is set to STD_ON, then the integrator shall ensure that
the following definitions are set as shown in the following table:
Definition Value WDGM_LOCAL_STATUS_OK
0
WDGM_LOCAL_STATUS_FAILED
1
WDGM_LOCAL_STATUS_EXPIRED
2
WDGM_LOCAL_STATUS_DEACTIVATED 4
WDGM_GLOBAL_STATUS_OK
0
WDGM_GLOBAL_STATUS_FAILED
1
WDGM_GLOBAL_STATUS_EXPIRED
2
WDGM_GLOBAL_STATUS_STOPPED
3
WDGM_GLOBAL_STATUS_DEACTIVATED 4
table 14
-
Category:
Comment
Keywords:
ID:
229709 The S-WdgM assumes that "Rte_Type.h" (for
AS3) or
"Rte_WdgM_Type.h" (for
AS4) is the source of these
types and includes "Rte_Type.h" (for AS3) or "Rte_WdgM_Type.h" (for AS4) if - and only if - WDGM_USE_RTE
is set to STD_ON.
-
Category:
Comment
Keywords:
ID:
237637 See [AS_RTE_SWS] for information on AUTOSAR RTE.
-
Category:
Comment
Keywords:
ID:
229292 If the configuration parameter WDGM_USE_RTE is set to STD_OFF, then the status definitions are
implemented by the S-WdgM with the values shown in the table above in requirement 229264.
-
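As an added example (not part of the S-WdgM delivery or of this manual), the checks an integrator can compile into the build to enforce table 12 and table 14 when WDGM_USE_RTE is set to STD_ON. The typedefs and status definitions between the "stand-in" markers are a constructed substitute for Rte_Type.h (AS3) / Rte_WdgM_Type.h (AS4); the WDGM_STATIC_ASSERT and WdgM_CheckStatusDefines names are assumptions.

```c
/* Added example, not part of the TTTech S-WdgM delivery: integrator
 * self-checks for the RTE-provided types (table 12) and status
 * definitions (table 14) that the S-WdgM imports when WDGM_USE_RTE is
 * STD_ON. The block between the "stand-in" markers is a constructed
 * substitute for Rte_Type.h (AS3) / Rte_WdgM_Type.h (AS4) so that the
 * file builds on its own; a real integration includes the RTE header
 * there instead. */
#include <stddef.h>
#include <string.h>

/* ---- constructed stand-in for the RTE header ---------------------------- */
typedef unsigned char  uint8;
typedef unsigned short uint16;
typedef uint16 WdgM_SupervisedEntityIdType;
typedef uint16 WdgM_CheckpointIdType;
typedef uint8  WdgM_ModeType;
typedef uint8  WdgM_LocalStatusType;
typedef uint8  WdgM_GlobalStatusType;
#define WDGM_LOCAL_STATUS_OK           0
#define WDGM_LOCAL_STATUS_FAILED       1
#define WDGM_LOCAL_STATUS_EXPIRED      2
#define WDGM_LOCAL_STATUS_DEACTIVATED  4
#define WDGM_GLOBAL_STATUS_OK          0
#define WDGM_GLOBAL_STATUS_FAILED      1
#define WDGM_GLOBAL_STATUS_EXPIRED     2
#define WDGM_GLOBAL_STATUS_STOPPED     3
#define WDGM_GLOBAL_STATUS_DEACTIVATED 4
/* ---- end of stand-in ---------------------------------------------------- */

/* ISO C90 has no _Static_assert. A negative array size is a hard compile
 * error at the offending line, so a wrong RTE header cannot be linked in
 * unnoticed. */
#define WDGM_STATIC_ASSERT(cond, tag) \
    typedef char WdgM_StaticAssert_##tag[(cond) ? 1 : -1]

/* (T)-1 > 0 holds only for unsigned types, which rules out sint8/sint16
 * typedefs of the same width. */
#define WDGM_IS_UNSIGNED(T) ((T)-1 > (T)0)

/* Table 12: id types are uint8 or uint16, mode and status types are uint8. */
WDGM_STATIC_ASSERT(sizeof(WdgM_SupervisedEntityIdType) <= 2
                   && WDGM_IS_UNSIGNED(WdgM_SupervisedEntityIdType), se_id);
WDGM_STATIC_ASSERT(sizeof(WdgM_CheckpointIdType) <= 2
                   && WDGM_IS_UNSIGNED(WdgM_CheckpointIdType), cp_id);
WDGM_STATIC_ASSERT(sizeof(WdgM_ModeType) == 1
                   && WDGM_IS_UNSIGNED(WdgM_ModeType), mode);
WDGM_STATIC_ASSERT(sizeof(WdgM_LocalStatusType) == 1
                   && WDGM_IS_UNSIGNED(WdgM_LocalStatusType), local_status);
WDGM_STATIC_ASSERT(sizeof(WdgM_GlobalStatusType) == 1
                   && WDGM_IS_UNSIGNED(WdgM_GlobalStatusType), global_status);

/* Table 14: the numeric values the S-WdgM relies on behind each definition. */
WDGM_STATIC_ASSERT(WDGM_LOCAL_STATUS_OK == 0 && WDGM_LOCAL_STATUS_FAILED == 1
                   && WDGM_LOCAL_STATUS_EXPIRED == 2
                   && WDGM_LOCAL_STATUS_DEACTIVATED == 4, local_values);
WDGM_STATIC_ASSERT(WDGM_GLOBAL_STATUS_OK == 0 && WDGM_GLOBAL_STATUS_FAILED == 1
                   && WDGM_GLOBAL_STATUS_EXPIRED == 2
                   && WDGM_GLOBAL_STATUS_STOPPED == 3
                   && WDGM_GLOBAL_STATUS_DEACTIVATED == 4, global_values);

/* Review-time variant of the table 14 check for tooling that harvests
 * (name, value) pairs from a generated header: every supplied pair must
 * match table 14 and no unknown WDGM_*_STATUS_* name may appear. */
typedef struct { const char *name; int value; } WdgM_StatusDefine;

static const WdgM_StatusDefine WdgM_Table14[] = {
    { "WDGM_LOCAL_STATUS_OK", 0 },           { "WDGM_LOCAL_STATUS_FAILED", 1 },
    { "WDGM_LOCAL_STATUS_EXPIRED", 2 },      { "WDGM_LOCAL_STATUS_DEACTIVATED", 4 },
    { "WDGM_GLOBAL_STATUS_OK", 0 },          { "WDGM_GLOBAL_STATUS_FAILED", 1 },
    { "WDGM_GLOBAL_STATUS_EXPIRED", 2 },     { "WDGM_GLOBAL_STATUS_STOPPED", 3 },
    { "WDGM_GLOBAL_STATUS_DEACTIVATED", 4 }
};
#define WDGM_TABLE14_COUNT (sizeof(WdgM_Table14) / sizeof(WdgM_Table14[0]))

/* Returns -1 when every entry matches table 14, otherwise the index of the
 * first entry with a wrong value or an unknown name. */
int WdgM_CheckStatusDefines(const WdgM_StatusDefine *defs, size_t count)
{
    size_t i, j;
    for (i = 0; i < count; i++) {
        int known = 0;
        for (j = 0; j < WDGM_TABLE14_COUNT; j++) {
            if (strcmp(defs[i].name, WdgM_Table14[j].name) == 0) {
                known = 1;
                if (defs[i].value != WdgM_Table14[j].value) {
                    return (int)i;
                }
                break;
            }
        }
        if (!known) {
            return (int)i;
        }
    }
    return -1;
}
```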
11.1.3 Error Handling Category:
Comment
Keywords:
ID:
229752 This section describes the error codes set by the S-WdgM using the DET or DEM mechanism and the
return values from S-WdgM API functions.
-
11.1.3.1 DET Errors Category:
Comment
Keywords:
ID:
229766 DET Errors are intended to support the development of an application. During software development, the
compiler directive WDGM_DEV_ERROR_DETECT is usually set to STD_ON. Once the software is safe
enough so that no further DET error can occur, the option is deactivated. For safety reasons the DET
defines are listed here.
-
Category:
Comment
Keywords:
ID:
229742 If the compiler switch WDGM_DEV_ERROR_DETECT is set to STD_ON, then the S-WdgM reports the
following development errors through the function Appl_Det_ReportError ():
Error                        Code  Description
WDGM_E_NO_INIT               0x10  Uninitialized S-WdgM.
WDGM_E_PARAM_CONFIG          0x11  Invalid S-WdgM Configuration.
WDGM_E_PARAM_MODE            0x12  Invalid mode parameter (currently not used by the S-WdgM).
WDGM_E_PARAM_SEID            0x13  Wrong ID number of the SE.
WDGM_E_NULL_POINTER          0x14  Null pointer parameter.
WDGM_E_DISABLE_NOT_ALLOWED   0x15  Disabled Watchdog is not allowed.
WDGM_E_CPID                  0x16  Invalid CP ID number.
WDGM_E_DEPRECATED            0x17  Using deprecated API service (currently not used by S-WdgM).
WDGM_E_TIMEBASE              0x28  Timebase counter failure.
WDGM_E_PARAM_STATE           0x29  Invalid S-WdgM state.
WDGM_E_WDGIF_MODE            0x2A  The WdgIf_SetMode(mode) function was called with an invalid mode parameter.
WDGM_E_MEMORY_FAILURE        0x2B  Corrupted S-WdgM memory.
WDGM_E_REENTRANCY            0x2C  Reentrancy not allowed.
table 15
These definitions are defined in WdgM.h.
-
Category:
Comment
Keywords:
ID:
229750 The definitions from 0x10 to 0x17 are AUTOSAR definitions (see [AS_WDGM_SWS]).
The definitions from 0x28 to 0x2B are TTTech specific.
-
Category:
Requirement
Keywords:
ID:
229760 Label:
Safety relevant:
Related To: __MKSID__284531
Related To': __MKSID__284549, __MKSID__261279, __MKSID__261146, __MKSID__261148, __MKSID__261150,
__MKSID__263904, __MKSID__283924, __MKSID__261198, __MKSID__261210, __MKSID__261212, __MKSID__268923,
__MKSID__284038, __MKSID__284042, __MKSID__268925, __MKSID__284050, __MKSID__268927, __MKSID__284054,
__MKSID__268929, __MKSID__284056, __MKSID__268931, __MKSID__284062, __MKSID__268933, __MKSID__284066,
__MKSID__268935
The integrator is responsible for making sure that, once the compiler switch WDGM_DEV_ERROR_DETECT
is set to STD_OFF, no DET-related error can occur.
-
11.1.3.2 DEM Errors Category:
Comment
Keywords:
ID:
229748 If the compiler switch WDGM_DEM_REPORT is set to STD_ON, then the S-WdgM
reports the following production errors through the function Appl_Dem_ReportErrorStatus():
Error                                                     Code   Description
AS3: WDGM_E_MONITORING *)                                 0x30u  The system reached status
AS4: DemConf_DemEventParameter_WDGM_E_MONITORING **)             WDGM_GLOBAL_STATUS_STOPPED.
AS3: WDGM_E_IMPROPER_CALLER *)                            0x33u  The caller is not permitted to call
AS4: DemConf_DemEventParameter_WDGM_E_IMPROPER_CALLER **)        WdgM_SetMode ().
table 16
*) Note: The error definitions are defined in Dem.h
**) Note: The error definition and error code are defined by the user in the ECU description file and can
vary.
-
Category:
Requirement
Keywords:
ID:
229756 Label:
Safety relevant:
Related To: __MKSID__261188
Related To': __MKSID__261190
The integrator is responsible for correct handling and escalation of errors related to DEM according to the
system requirements.
-
11.1.3.3 Return Values Category:
Comment
Keywords:
ID:
229772 The following functions return E_NOT_OK in case an error occurred:
Function                              Comment
WdgM_CheckpointReached ()             Monitoring update failed.
WdgM_GetLocalStatus ()                Returning current monitoring status failed.
WdgM_GetGlobalStatus ()               Returning current monitoring status failed.
WdgM_PerformReset ()                  Immediate reset of at least one Watchdog failed (if
                                      WDGM_SECOND_RESET_PATH is set to STD_ON).
WdgM_GetMode ()                       Returning current WD Trigger Mode failed.
WdgM_SetMode ()                       Changing to new WD Trigger Mode failed.
WdgM_DeactivateSupervisionEntity ()   Deactivating SE failed.
WdgM_ActivateSupervisionEntity ()     Activating SE failed.
table 17
-
Category:
Requirement
Keywords:
ID:
229782 Label:
Safety relevant:
Related To: __MKSID__284531
Related To': __MKSID__261188, __MKSID__261190
The integrator is responsible for correct handling and escalation of errors (according to the system
requirements) indicated by the return value E_NOT_OK.
-
11.2 Functional Specification
Category:
Comment
Keywords:
ID:
283403 A detailed functional specification of the S-WdgM module is provided in [TT_WDGM_UDD].
-
Category:
Requirement
Keywords:
ID:
230494 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for ensuring that the S-WdgM functionality is not unintentionally affected by
other software (especially the AUTOSAR application), e.g., by modification of data used by the S-WdgM such
as tolerance values or counters.
-
Category:
Comment
Keywords:
ID:
287738 This includes:
memory corruption (see section "S-WdgM Application"),
source code modification (intended and unintended), and
API function calls with wrong parameters (see sections "Requirements For All Application Level API
Functions" and "Requirements For All System Level API Functions" below).
-
11.3 S-WdgM Configuration
Category:
Comment
Keywords:
ID:
230543 The S-WdgM distinguishes between two kinds of configuration:
pre-processor options and
post-build configuration data.
-
Category:
Comment
Keywords:
ID:
230545 The pre-processor options are generated out of an ECU configuration using the S-WdgM Generator (coded
in the generated file WdgM_Cfg_Features.h).
They activate or deactivate certain S-WdgM features and cannot be altered during runtime.
See section "S-WdgM Configuration Generator" above for details on the S-WdgM Generator and its
application.
See [TT_WDGM_UM] for details on the pre-processor options.
-
Category:
Comment
Keywords:
ID:
230547 The post-build configuration data is also generated out of the ECU configuration using the S-WdgM
Generator (coded in the files WdgM_PBcfg.h and WdgM_PBcfg.c).
It defines certain values that affect the S-WdgM functionality (like tolerances or cycle length).
The S-WdgM can switch among these configurations at runtime. However, the current version of the S-WdgM
supports only one mode. The configuration data itself cannot be altered at runtime.
See section "S-WdgM Configuration Generator" above for details on the S-WdgM Generator and its
application.
See [TT_WDGM_UM] for details on the post-build configuration data.
-
Category:
Requirement
Keywords:
ID:
230549 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for checking the pre-processor and post-build configuration values for the S-
WdgM for plausibility and suitability for the system requirements (concerning correct function and timing
behaviour) as depicted in section "Configuration Check-List" above.
-
Category:
Requirement
Keywords:
ID:
230532 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for generation and verification of configuration data as depicted in section "S-
WdgM Configuration Generator" above.
-
Category:
Requirement
Keywords:
ID:
230551 Label:
Safety relevant:
Related To:
Related To':
The integrator shall guarantee that the configuration data is not altered at runtime, e.g. by erroneous HW.
-
Category:
Comment
Keywords:
ID:
230553 This can be realized - for example - with ECC ROM checks, cyclical ROM checks, and start up ROM
checks.
-
11.4 File Structure
Category:
Comment
Keywords:
ID:
230234 For information about the S-WdgM file structure, see [TT_WDGM_UM].
-
Category:
Comment
Keywords:
ID:
230236 The following table shows the files that are only included when the corresponding compiler directive is
set to STD_ON:
Include File             Compiler Directive
Mcu.h                    WDGM_SECOND_RESET_PATH
Det.h                    WDGM_DEV_ERROR_DETECT
Dem.h                    WDGM_DEM_REPORT
AS3: Rte_Type.h          WDGM_USE_RTE
AS4: Rte_WdgM_Type.h
SchM_WdgM.h              WDGM_USE_OS_SUSPEND_INTERRUPT
table 18
-
Category:
Comment
Keywords:
ID:
230373 Also note that the configuration dependent memory mapping definitions for the S-WdgM are defined in the
file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4), which is generated by the S-WdgM Generator.
The configuration independent memory mapping definitions are defined in MemMap.h.
The file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4) is included into MemMap.h, which is itself
included into the S-WdgM source code.
Using the definitions in WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4), the integrator can place
the status variables of each SE in a separate address space (e.g., if the SE is part of an OS application,
then its data is placed in the same context as the application's data).
-
Category:
Comment
Keywords:
ID:
230242 See also the requirement 229746 for File inclusion.
-
11.5 S-WdgM Integration
Category:
Comment
Keywords:
ID:
230951 This section describes how to integrate the S-WdgM into a safety-relevant system.
-
Category:
Requirement
Keywords:
ID:
230957 Label:
Safety relevant:
Related To:
Related To':
It is the responsibility of the integrator to demonstrate that
the failure detection mechanisms provided by the S-WdgM and
the generated S-WdgM configuration
are sufficient for the considered system.
-
Category:
Requirement
Keywords:
ID:
230953 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for a correct integration of the S-WdgM code
on application level and
on system level.
-
Category:
Comment
Keywords:
ID:
558706 The integration of the S-WdgM is correct, when all system requirements are satisfied.
-
Category:
Requirement
Keywords:
ID:
231823 Label:
Safety relevant:
Related To: __MKSID__283518
Related To': __MKSID__283514
The integrator shall verify that the chosen WD device - internal or external - meets the system's safety
requirements.
-
Category:
Comment
Keywords:
ID:
231896 For single-oscillator MCUs (where the watchdog clock is derived from the CPU main clock) it is
recommended to use an external watchdog device with its own oscillator as well.
-
11.5.1 Import from AUTOSAR Definitions into S-WdgM Category:
Requirement
Keywords:
ID:
230955 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the correct implementation of all types and definitions that are imported
from AUTOSAR header files and used by the S-WdgM code according to AUTOSAR specifications.
-
Category:
Requirement
Keywords:
ID:
230969 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for providing the AUTOSAR header files for the import of the AUTOSAR types
and definitions.
-
Category:
Comment
Keywords:
ID:
230971 For a list of imported AUTOSAR types and definitions and the related header files, see section "Imported
Types and Definitions" above.
-
Category:
Requirement
Keywords:
ID:
230979 Label:
Safety relevant:
Related To:
Related To':
The inclusion of AUTOSAR header files into S-WdgM code shall not redefine any identifier that is defined
within the S-WdgM code. This prohibits, e.g., redefinitions with #define macros.
-
Category:
Requirement
Keywords:
ID:
230981 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for providing the correct code of used AUTOSAR functions. That is, correct in
version and functionality.
-
Category:
Comment
Keywords:
ID:
230983 For a list of used AUTOSAR functions, see section "Expected Interface" above.
For the AUTOSAR version see 231307.
-
Category:
Requirement
Keywords:
ID:
231015 Label:
Safety relevant:
Related To:
Related To':
It is the responsibility of the integrator to provide a file Std_Types.h according to the descriptions and
requirements in section "Imported Types and Definitions" above.
-
Category:
Requirement
Keywords:
ID:
231069 Label:
Safety relevant:
Related To:
Related To':
It is the responsibility of the integrator to provide a file Platform_Types.h according to the descriptions and
requirements in section "Imported Types and Definitions" above.
-
Category:
Requirement
Keywords:
ID:
231017 Label:
Safety relevant:
Related To:
Related To':
It is the responsibility of the integrator to provide a file Compiler.h and a file Compiler_Cfg.h according to the
descriptions and requirements in section "Imported Types and Definitions" above.
-
Category:
Comment
Keywords:
ID:
230977 Note that some other integrated products provide their own contents for Compiler_Cfg.h. They need to be
merged into the system's Compiler_Cfg.h.
-
Category:
Requirement
Keywords:
ID:
231025 Label:
Safety relevant:
Related To:
Related To':
It is the responsibility of the integrator to provide a file MemMap.h according to AUTOSAR specifications.
-
Category:
Comment
Keywords:
ID:
231075 Some other integrated products provide their own contents for MemMap.h. They need to be merged into
the system's MemMap.h file.
-
Category:
Requirement
Keywords:
ID:
260767 Label:
Safety relevant:
Related To:
Related To':
The integrator shall include the generated file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4)
in the file MemMap.h.
-
Category:
Requirement
Keywords:
ID:
260828 Label:
Safety relevant:
Related To:
Related To':
The integrator shall place the inclusion of WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4)
before Os_MemMap.h in MemMap.h.
-
Category:
Comment
Keywords:
ID:
260769 WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4) contains S-WdgM configuration dependent
definitions. See also section "Memory Mapping" below.
-
Category:
Comment
Keywords:
ID:
231077 TTTech provides example files for MemMap.h (with include commands of WdgM_MemMap.h (for AS3) or
WdgM_OSMemMap.h (for AS4)) and a file demo_MemMap.h (with the memory mapping definitions of
the complete S-WdgM Stack).
-
11.5.2 Memory Mapping Category:
Comment
Keywords:
ID:
231283 This section lists the requirements for the memory mapping of the S-WdgM data and code (also the
generated S-WdgM code). For a detailed description on how to manage S-WdgM memory sections, see
[TT_WDGM_UM].
-
Category:
Requirement
Keywords:
ID:
231029 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for
the generation of the file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4) as described
in section "S-WdgM Configuration Generator" above and
its inclusion into the file MemMap.h which is itself included into the S-WdgM code.
-
Category:
Comment
Keywords:
ID:
231484 TTTech provides a sample file WdgM_MemMap.h (for AS3) or WdgM_OSMemMap.h (for AS4).
-
Category:
Requirement
Keywords:
ID:
231277 Label:
Safety relevant:
Related To:
Related To':
The integrator is also responsible for the correct assignment of data and code of the S-WdgM (including the
generated S-WdgM code) to the various memory sections according to the memory mapping keywords
provided by the S-WdgM.
-
Category:
Comment
Keywords:
ID:
231289 For the memory sections that are supported by the S-WdgM see comment 229314 in section "Imported
Types and Definitions" above.
-
Category:
Requirement
Keywords:
ID:
231281 Label:
Safety relevant:
Related To:
Related To':
The integrator shall assign the data for each SE to the corresponding address space of the SWC address
area where the SE is located.
-
Category:
Comment
Keywords:
ID:
290510 See parameter WdgMAppTaskRef in [TT_WDGM_UM].
-
Category:
Requirement
Keywords:
ID:
231454 Label:
Safety relevant:
Related To:
Related To':
The integrator shall assign global data to an address space with
read access for all tasks and applications and
read/write access for the S-WdgM.
-
Category:
Requirement
Keywords:
ID:
231462 Label:
Safety relevant:
Related To:
Related To':
The integrator shall assign global shared data to an address space with read/write access for all tasks and
applications.
-
Category:
Comment
Keywords:
ID:
290512 See parameter WdgMGlobalMemoryAppTaskRef in [TT_WDGM_UM].
-
Category:
Comment
Keywords:
ID:
231474 All S-WdgM global shared data is protected by the S-WdgM against corruption.
-
Category:
Requirement
Keywords:
ID:
231972 Label:
Safety relevant:
Related To: __MKSID__261238
Related To': __MKSID__261216
In a system that uses MCU memory protection, the S-WdgM global data and variables shall be placed in a
separate memory section that can not be corrupted by other software modules or hardware failures.
-
11.5.3 S-WdgM Files Category:
Requirement
Keywords:
ID:
231035 Label:
Safety relevant:
Related To:
Related To':
The integrator shall ensure that only
files of a single delivered package and
files generated with tools of this package
are installed:
These are the files:
WdgM_PBCfg.h (generated),
WdgM_PBCfg.c (generated),
WdgM_Cfg_Features.h (generated),
WdgM_Cfg.h,
WdgM.h,
WdgM.c, and
WdgM_Checkpoint.c
-
Category:
Requirement
Keywords:
ID:
230229 Label:
Safety relevant:
Related To:
Related To':
The loaded S-WdgM Configuration shall be compatible with the S-WdgM embedded code.
-
Category:
Comment
Keywords:
ID:
289588 The S-WdgM performs a version check with every call of WdgM_Init ().
-
11.5.4 Compilation and Linkage Category:
Requirement
Keywords:
ID:
230959 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for compilation of the S-WdgM code with a compiler that is compliant to ANSI
ISO/IEC 9899:1990.
-
Category:
Comment
Keywords:
ID:
230963 The generated code is compliant to ANSI ISO/IEC 9899:1990. It is also known as "ANSI C (C89)" and "ISO
C (C90)".
-
Category:
Requirement
Keywords:
ID:
230991 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for correct compilation and linkage of the S-WdgM into the AUTOSAR system.
-
Category:
Requirement
Keywords:
ID:
231079 Label:
Safety relevant:
Related To:
Related To':
The integrator shall guarantee that the compiled and linked target binary is correctly loaded into the target
system.
-
11.5.5 S-WdgM Stack Requirements Category:
Requirement
Keywords:
ID:
231547 Label:
Safety relevant:
Related To:
Related To':
The integrator shall make sure that the S-WdgM communicates with at least
an internal WD device (MCU inside) or
an external WD device.
-
Category:
Requirement
Keywords:
ID:
231549 Label:
Safety relevant:
Related To:
Related To':
For ASIL D systems, an external monitoring facility shall be used.
-
Category:
Comment
Keywords:
ID:
231551 This is highly recommended in ISO 26262 (see [ISO26262], part 6, section 7.4.14, table 4/1d).
-
Category:
Requirement
Keywords:
ID:
236796 Label:
Safety relevant:
Related To:
Related To':
The integrator shall verify that the communication path to the external WD does not degrade the quality
level below the required quality level.
-
11.6 S-WdgM Application
Category:
Comment
Keywords:
ID:
230581 This section lists the requirements for the application of the S-WdgM.
For requirements for the S-WdgM Generator see section "S-WdgM Generator" above.
-
Category:
Comment
Keywords:
ID:
230584 For an overview of the application of the S-WdgM monitoring features see [TT_WDGM_UM].
-
Category:
Requirement
Keywords:
ID:
230164 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the correct inclusion of all S-WdgM header files in the AUTOSAR
application that declare the S-WdgM API functions.
-
Category:
Comment
Keywords:
ID:
230586 This includes:
WdgM_PBCfg.h (generated),
WdgM_Cfg_Features.h (generated),
WdgM_Cfg.h, and
WdgM.h.
-
Category:
Requirement
Keywords:
ID:
230588 Label:
Safety relevant:
Related To:
Related To':
The application shall check the return values (if any) of the S-WdgM API functions to detect errors.
-
Category:
Comment
Keywords:
ID:
230609 In case an S-WdgM API function call fails, a DET report is made (if configured so) and an error code is
returned.
-
Category:
Requirement
Keywords:
ID:
230597 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for correct handling and escalation of errors that are detected by the S-WdgM
code. This includes:
error codes indicating that an S-WdgM API function was not successful and
application errors revealed by S-WdgM monitoring features.
-
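Added example, not from this manual or the S-WdgM code: an application-side wrapper showing how the return value of WdgM_CheckpointReached () is checked, the first failure latched, and the error escalated as the requirements above demand. The WdgM_CheckpointReached () model, the Appl_Det_ReportError () stub, Std_ReturnType/E_OK/E_NOT_OK and all App_* names are constructed assumptions; the DET error ids come from table 15.

```c
/* Added example, not TTTech code: an application-level wrapper that never
 * ignores E_NOT_OK from WdgM_CheckpointReached () (requirements 230588 and
 * 230597) and keeps the first failure for escalation. Everything between the
 * "stand-in" markers is constructed for this file: a WdgM_CheckpointReached ()
 * model that reports WDGM_E_PARAM_SEID / WDGM_E_CPID (table 15) through an
 * Appl_Det_ReportError () stub. The API signatures, Std_ReturnType and the
 * App_* names are assumptions, not S-WdgM definitions. */
#include <stddef.h>

typedef unsigned char  uint8;
typedef unsigned short uint16;
typedef uint8 Std_ReturnType;
#define E_OK     ((Std_ReturnType)0u)
#define E_NOT_OK ((Std_ReturnType)1u)
typedef uint16 WdgM_SupervisedEntityIdType;
typedef uint16 WdgM_CheckpointIdType;

/* DET error ids from table 15 that the model below can report. */
#define WDGM_E_PARAM_SEID 0x13u
#define WDGM_E_CPID       0x16u

/* ---- constructed stand-ins for the S-WdgM and the DET sink ------------- */
static uint8 App_LastDetError = 0u;   /* error id of the most recent DET report */

static void Appl_Det_ReportError(uint8 ErrorId)
{
    App_LastDetError = ErrorId;
}

/* Constructed configuration: SE 0 has three checkpoints, SE 1 has two. */
static const uint16 App_CheckpointCount[] = { 3u, 2u };
#define APP_SE_COUNT (sizeof(App_CheckpointCount) / sizeof(App_CheckpointCount[0]))

static Std_ReturnType WdgM_CheckpointReached(WdgM_SupervisedEntityIdType SEId,
                                             WdgM_CheckpointIdType CPId)
{
    if (SEId >= APP_SE_COUNT) {
        Appl_Det_ReportError(WDGM_E_PARAM_SEID);      /* wrong ID number of the SE */
        return E_NOT_OK;
    }
    if (CPId >= App_CheckpointCount[SEId]) {
        Appl_Det_ReportError(WDGM_E_CPID);            /* invalid CP ID number */
        return E_NOT_OK;
    }
    return E_OK;                                      /* monitoring update accepted */
}
/* ---- end of stand-ins --------------------------------------------------- */

/* Latched record of the first failed API call plus a failure counter; the
 * escalation hook receives it so the system can act on the root cause. */
typedef struct {
    uint8  failed;       /* 1 once any call returned E_NOT_OK */
    uint16 count;        /* failed calls since start-up (saturating) */
    WdgM_SupervisedEntityIdType seId;   /* SE of the first failure */
    WdgM_CheckpointIdType       cpId;   /* CP of the first failure */
    uint8  detError;     /* DET error id reported with the first failure */
} App_WdgMFailure;

static App_WdgMFailure App_Failure = { 0u, 0u, 0u, 0u, 0u };

/* Escalation hook (assumption): a real system routes this into its error
 * handling concept as demanded by the system requirements. */
static void App_EscalateWdgMError(const App_WdgMFailure *failure)
{
    (void)failure;
}

/* Called by every SE instead of the raw API. The API result is passed back
 * so the caller can still react locally. */
Std_ReturnType App_CheckpointReached(WdgM_SupervisedEntityIdType seId,
                                     WdgM_CheckpointIdType cpId)
{
    Std_ReturnType ret;

    App_LastDetError = 0u;
    ret = WdgM_CheckpointReached(seId, cpId);
    if (ret != E_OK) {
        if (App_Failure.count < 0xFFFFu) {
            App_Failure.count++;
        }
        if (App_Failure.failed == 0u) {       /* latch the first failure only */
            App_Failure.failed   = 1u;
            App_Failure.seId     = seId;
            App_Failure.cpId     = cpId;
            App_Failure.detError = App_LastDetError;
        }
        App_EscalateWdgMError(&App_Failure);
    }
    return ret;
}

const App_WdgMFailure *App_GetWdgMFailure(void)
{
    return &App_Failure;
}
```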
Category:
Requirement
Keywords:
ID:
230226 Label:
Safety relevant:
Related To: __MKSID__283536
Related To': __MKSID__261228
The following memory sections shall not be corrupted or manipulated, either by a HW failure or by a SW
bug in any SW other than the S-WdgM:
S-WdgM local entity data memory and
S-WdgM global data memory.
-
Category:
Comment
Keywords:
ID:
289546 This can be achieved by using e.g. ECC and placing the data to a trusted memory area protected by the
MPU.
-
Category:
Comment
Keywords:
ID:
558862 For the memory section description of
local entity memory section,
global memory section, and
global shared memory section
see section "Memory Sections" in [TT_WDGM_UM].
-
Category:
Requirement
Keywords:
ID:
230607 Label:
Safety relevant:
Related To:
Related To':
The following memory sections shall not be corrupted or manipulated, either by a HW failure or by a SW
bug in any SW other than the S-WdgM:
S-WdgM configuration memory and
S-WdgM program code memory.
-
Category:
Comment
Keywords:
ID:
558768 This can be achieved by using e.g. ECC, startup and run-time memory checks.
-
Category:
Comment
Keywords:
ID:
230617 It shall be considered that the S-WdgM code has no mechanism for detecting and/or correcting the
following errors:
corruption of the Local Entity memory,
corruption of the Global S-WdgM memory,
corruption of the S-WdgM memory for constants,
corruption of the S-WdgM code memory, and
corruption of the used hardware registers.
Note: The S-WdgM itself has no direct access to hardware registers. The registers can be accessed by
calls of external functions. These functions are listed in section "Expected Interfaces" above.
-
Category:
Requirement
Keywords:
ID:
231480 Label:
Safety relevant:
Related To: __MKSID__283399
Related To': __MKSID__261192
The integrator shall guarantee that address spaces for which the S-WdgM offers no mechanism for error
detection and error correction can not be corrupted.
-
Category:
Comment
Keywords:
ID:
231317 The S-WdgM has mechanisms for detection of unintended manipulations of its own variables placed in the
Global Shared memory. If the memory is manipulated, then a reset is performed.
-
Category:
Comment
Keywords:
ID:
230615 If a mechanism for detection/correction of such manipulations is implemented in the application level or
system level, then it should also cover the S-WdgM code.
-
11.6.1 Application Level API Functions Category:
Comment
Keywords:
ID:
230729 This section lists the requirements for the S-WdgM API functions on application level.
-
11.6.1.1 WdgM_GetMode () Category:
Requirement
Keywords:
ID:
230813 Label:
Safety relevant:
Related To:
Related To':
The application developer shall retrieve the current WD Trigger Mode using WdgM_GetMode () only.
-
Category:
Comment
Keywords:
ID:
236520 The WD trigger mode is not fully AUTOSAR 4.0.1 and AUTOSAR 3.1.4 compatible.
It considers only the following configuration fields:
WdgMTriggerConditionValue
WdgMTriggerWindowStart
WdgMWatchdogMode
-
11.6.1.2 WdgM_SetMode () Category:
Requirement
Keywords:
ID:
231776 Label:
Safety relevant:
Related To:
Related To':
The application developer shall set the current WD Trigger Mode using WdgM_SetMode () only.
-
Category:
Comment
Keywords:
ID:
231778 The WD Trigger Mode is not fully AUTOSAR 4.0.1 and AUTOSAR 3.1.4 compatible.
The function WdgM_SetMode () considers only the following configuration fields for a new configuration:
WdgMTriggerConditionValue
WdgMTriggerWindowStart
WdgMWatchdogMode
-
Category:
Comment
Keywords:
ID:
283836 Note: The function WdgM_SetMode () can also be used in AUTOSAR 3.1 compatibility mode. See
[TT_WDGM_UM].
-
Category:
Requirement
Keywords:
ID:
289522 Label:
Safety relevant:
Related To: __MKSID__284058
Related To':
If WdgMDefensiveBehavior is set to "true", then the integrator shall check the DEM reports for the error
WDGM_E_IMPROPER_CALLER, which indicates calls of WdgM_SetMode () by unauthorized callers.
Otherwise the integrator shall make sure that unauthorized calls of WdgM_SetMode () can not occur.
-
11.6.1.3 WdgM_CheckpointReached () Category:
Requirement
Keywords:
ID:
230815 Label:
Safety relevant:
Related To:
Related To':
The application developer shall indicate to the S-WdgM that a certain point in application code has been
reached using WdgM_CheckpointReached () only.
-
Category:
Comment
Keywords:
ID:
230817 WdgM_CheckpointReached () performs the following steps:
all defined Alive Supervision counters are updated,
Deadline Monitoring is performed, and
Program Flow Monitoring is performed.
-
Category:
Comment
Keywords:
ID:
283838 Note: The function WdgM_CheckpointReached () is not defined in AUTOSAR 3.1 compatibility mode and
is replaced by the function WdgM_UpdateAliveCounter ().
-
11.6.1.4 WdgM_GetLocalStatus () Category:
Requirement
Keywords:
ID:
230733 Label:
Safety relevant:
Related To:
Related To':
The application developer shall retrieve the current local monitoring status using WdgM_GetLocalStatus
() only.
-
11.6.1.5 WdgM_GetGlobalStatus () Category:
Requirement
Keywords:
ID:
230739 Label:
Safety relevant:
Related To:
Related To':
The application developer shall retrieve the current global monitoring status using WdgM_GetGlobalStatus
() only.
-
11.6.1.6 WdgM_PerformReset () Category:
Requirement
Keywords:
ID:
230757 Label:
Safety relevant:
Related To:
Related To':
The integrator shall initiate an immediate Watchdog reset from application level only using
WdgM_PerformReset ().
-
Category:
Comment
Keywords:
ID:
230761 Note: This function is hardware dependent. Some WD drivers do not support an immediate reset. Check the
according S-Wdg driver documentation (see also the reference list for example drivers in this document).
-
11.6.1.7 WdgM_LocalStateChangeCbk, WdgM_GlobalStateChangeCbk Category:
Comment
Keywords:
ID:
231768 The identifiers WdgM_LocalStateChangeCbk and WdgM_GlobalStateChangeCbk are not function names.
They are fields of the S-WdgM Configuration holding pointers to the actual callback functions.
The functions are implemented by the integrator. They are the alternative to RTE notification. RTE
notifications are not supported by the S-WdgM.
-
Category:
Comment
Keywords:
ID:
237639 See [AS_RTE_SWS] for information on AUTOSAR RTE.
-
Category:
Requirement
Keywords:
ID:
230793 Label:
Safety relevant:
Related To:
Related To':
The SW component that implements the callback functions shall be developed with at least the same
quality level as required for the system.
-
Category:
Comment
Keywords:
ID:
230801 Note: The quality level of the S-WdgM is degraded to the quality level of the callback function. An error in
the callback function may corrupt the function integrity of the S-WdgM.
-
Category:
Comment
Keywords:
ID:
231877 If the application that calls the callback function is in a different memory section than the S-WdgM,
then the OS feature "Trusted Function" may be necessary to perform the callback.
-
Category:
Comment
Keywords:
ID:
230891 The function referred to by WdgM_LocalStateChangeCbk is only invoked if
WDGM_STATE_CHANGE_NOTIFICATION is set to STD_ON.
-
Category:
Comment
Keywords:
ID:
239606 The function referred to by WdgM_GlobalStateChangeCbk is only invoked,
if WDGM_STATE_CHANGE_NOTIFICATION is set to STD_ON,
except when the new status is WDGM_GLOBAL_STATUS_STOPPED and WDGM_IMMEDIATE_RESET
is set to STD_ON (an immediate system reset need not be notified).
-
11.6.1.8 WdgM_ActivateSupervisionEntity () Category:
Requirement
Keywords:
ID:
231399 Label:
Safety relevant:
Related To:
Related To':
The integrator shall activate the monitoring of a SE using WdgM_ActivateSupervisionEntity () only.
-
Category:
Requirement
Keywords:
ID:
231400 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible that the activation of a SE does not compromise the system's performance or
the system's availability (i.e. no unintended resets).
-
Category:
Comment
Keywords:
ID:
231401 The activation is performed from within WdgM_MainFunction () at the end of a SC.
-
Category:
Requirement
Keywords:
ID:
231403 Label:
Safety relevant:
Related To:
Related To':
The software component(s) that call WdgM_ActivateSupervisionEntity () shall be developed with at least the
same quality level as required by the system safety requirements.
-
Category:
Comment
Keywords:
ID:
231404 A missing activation of a SE may violate safety requirements.
-
Category:
Comment
Keywords:
ID:
231402 For more information on WdgM_ActivateSupervisionEntity (), see [TT_WDGM_UM].
-
Category:
Comment
Keywords:
ID:
231405 WdgM_ActivateSupervisionEntity () is only available if WDGM_ENTITY_DEACTIVATION_ENABLED is set
to STD_ON.
-
11.6.1.9 WdgM_DeactivateSupervisionEntity () Category:
Requirement
Keywords:
ID:
231415 Label:
Safety relevant:
Related To:
Related To':
The integrator shall deactivate the monitoring of a SE using WdgM_DeactivateSupervisionEntity () only.
-
Category:
Requirement
Keywords:
ID:
231416 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible that deactivation of a SE does not compromise system safety requirements.
-
Category:
Comment
Keywords:
ID:
231417 The deactivation is performed from within WdgM_MainFunction () at the end of a SC.
-
Category:
Requirement
Keywords:
ID:
231419 Label:
Safety relevant:
Related To:
Related To':
The software component(s) that call WdgM_DeactivateSupervisionEntity () shall be developed with at least
the same quality level as required by the system safety requirements.
-
Category:
Comment
Keywords:
ID:
231420 An unintended deactivation of a SE may violate safety requirements.
-
Category:
Requirement
Keywords:
ID:
288603 Label:
Safety relevant:
Related To:
__MKSID__284070
Related To':
The integrator shall guarantee that a SE is *not* deactivated while its local Initial CP has been hit but one of
its local End CPs has not yet been hit.
-
Category:
Comment
Keywords:
ID:
288605 That is, the program flow of the SE is currently monitored somewhere between the local Initial CP and a
local End CP. A deactivation in this moment may corrupt data that is used to monitor the SE.
-
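One way to honour this requirement in integrator code, shown here as an added example that is not part of the Safety Manual or of the S-WdgM: the application routes every deactivation through a small guard that remembers, per SE, whether the local Initial CP has been hit without a following local End CP, and defers the call to WdgM_DeactivateSupervisionEntity () until that End CP. The guard table, the Guard_* functions, the stand-in App_CallWdgMDeactivate, SE_COUNT and the SE ids are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not S-WdgM code: guards requirement 288603 (no
 * deactivation of a SE between its local Initial CP and a local End CP). */

#define SE_COUNT 4u   /* hypothetical number of Supervised Entities */

typedef enum {
    GUARD_ISSUED,      /* deactivation passed on to the S-WdgM now */
    GUARD_DEFERRED,    /* SE is in flight; deactivation issued at its next End CP */
    GUARD_NOT_ACTIVE,  /* SE already deactivated or deactivation already pending */
    GUARD_BAD_ID       /* SE id out of range */
} GuardResult;

typedef struct {
    bool active;               /* SE currently monitored by the S-WdgM */
    bool in_flight;            /* Initial CP hit, End CP not yet hit */
    bool deactivation_pending; /* request arrived while in flight */
} SeGuard;

static SeGuard g_guard[SE_COUNT];
static uint16_t g_wdgm_deactivate_calls;  /* how often the real API was invoked */

/* Hypothetical stand-in for WdgM_DeactivateSupervisionEntity (): the real
 * function only registers the request; the S-WdgM performs the deactivation
 * at the end of the SC inside WdgM_MainFunction (). */
static void App_CallWdgMDeactivate(uint16_t se_id)
{
    g_wdgm_deactivate_calls++;
    g_guard[se_id].active = false;
}

void Guard_Init(void)
{
    for (uint16_t i = 0u; i < SE_COUNT; i++) {
        g_guard[i].active = true;
        g_guard[i].in_flight = false;
        g_guard[i].deactivation_pending = false;
    }
    g_wdgm_deactivate_calls = 0u;
}

/* Call right after WdgM_CheckpointReached () for the SE's local Initial CP. */
void Guard_InitialCpHit(uint16_t se_id)
{
    if (se_id < SE_COUNT) {
        g_guard[se_id].in_flight = true;
    }
}

/* Call right after WdgM_CheckpointReached () for one of the SE's local End CPs.
 * A deferred deactivation is issued here: the monitored section is over, so
 * the data the S-WdgM uses to monitor this SE is no longer in use. */
void Guard_EndCpHit(uint16_t se_id)
{
    if (se_id < SE_COUNT) {
        g_guard[se_id].in_flight = false;
        if (g_guard[se_id].deactivation_pending) {
            g_guard[se_id].deactivation_pending = false;
            App_CallWdgMDeactivate(se_id);
        }
    }
}

/* The only entry point the application uses to switch a SE off. */
GuardResult Guard_RequestDeactivate(uint16_t se_id)
{
    if (se_id >= SE_COUNT) {
        return GUARD_BAD_ID;
    }
    if (!g_guard[se_id].active || g_guard[se_id].deactivation_pending) {
        return GUARD_NOT_ACTIVE;
    }
    if (g_guard[se_id].in_flight) {
        g_guard[se_id].deactivation_pending = true;
        return GUARD_DEFERRED;
    }
    App_CallWdgMDeactivate(se_id);
    return GUARD_ISSUED;
}

bool Guard_IsActive(uint16_t se_id)
{
    return (se_id < SE_COUNT) && g_guard[se_id].active;
}

uint16_t Guard_DeactivateCallCount(void)
{
    return g_wdgm_deactivate_calls;
}

int main(void)
{
    Guard_Init();
    Guard_InitialCpHit(1u);
    printf("request while in flight: %d (1 = deferred)\n", Guard_RequestDeactivate(1u));
    Guard_EndCpHit(1u);
    printf("SE 1 active after End CP: %d, API calls: %u\n",
           (int)Guard_IsActive(1u), Guard_DeactivateCallCount());
    return 0;
}
```

Because the S-WdgM itself only applies the deactivation at the end of the SC, the guard does not have to know the SC boundaries; it only has to keep the request out of the Initial CP to End CP window, which is exactly what the requirement demands.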
Category:
Comment
Keywords:
ID:
231418 For more information on WdgM_DeactivateSupervisionEntity (), see [TT_WDGM_UM].
-
Category:
Comment
Keywords:
ID:
231421 WdgM_DeactivateSupervisionEntity () is only available if WDGM_ENTITY_DEACTIVATION_ENABLED is
set to STD_ON.
-
11.6.1.10 S-WdgM AUTOSAR 3.1 compatibility mode Functions Category:
Comment
Keywords:
ID:
231387 This section lists safety requirements of functions that are only available in AUTOSAR 3.1 compatibility
mode.
-
Category:
Comment
Keywords:
ID:
562709 In the "S-WdgM AUTOSAR 3.1 compatibility mode" the S-WdgM emulates the functionality of the
AUTOSAR 3.1 Watchdog Manager.
This mode is active when the parameter WDGM_AUTOSAR_3_1_X_COMPATIBILITY is set to STD_ON.
-
11.6.1.10.1 WdgM_UpdateAliveCounter ()
Category:
Requirement
Keywords:
ID:
283846 Label:
Safety relevant:
Related To:
Related To':
The application developer shall indicate to the S-WdgM that a certain point in application code has been
reached using WdgM_UpdateAliveCounter () only.
-
Category:
Comment
Keywords:
ID:
283852 This function replaces WdgM_CheckpointReached ().
-
11.6.1.10.2 WdgM_SetMode ()
Category:
Requirement
Keywords:
ID:
283850 Label:
Safety relevant:
Related To:
Related To':
The application developer shall set the current WD Trigger Mode using WdgM_SetMode () only.
-
Category:
Requirement
Keywords:
ID:
283856 Label:
Safety relevant:
Related To:
Related To':
Note: The AUTOSAR 3.1 version of this function has no parameter CallerID, hence there is no check
whether the caller is authorized to call the function or not.
-
11.6.1.11 Requirements For All Application Level API Functions Category:
Requirement
Keywords:
ID:
230613 Label:
Safety relevant:
Related To: __MKSID__284040, __MKSID__284048, __MKSID__284052
Related To':
It is the responsibility of the integrator to verify the correctness of parameters passed to S-WdgM
application level API functions.
-
Category:
Requirement
Keywords:
ID:
230735 Label:
Safety relevant:
Related To: __MKSID__284040, __MKSID__284048, __MKSID__284052
Related To':
Some S-WdgM API functions have a pointer to data as argument. The integrator is responsible that such
data is not modified by the application or code other than the S-WdgM.
-
Category:
Comment
Keywords:
ID:
230737 This includes:
WdgM_GetMode (),
WdgM_GetLocalStatus (), and
WdgM_GetGlobalStatus ().
-
Category:
Requirement
Keywords:
ID:
230751 Label:
Safety relevant:
Related To: __MKSID__284060, __MKSID__284064, __MKSID__284068, __MKSID__284072, __MKSID__283934
Related To':
The integrator is responsible for a correct error escalation if a S-WdgM API function returns E_NOT_OK.
-
Category:
Comment
Keywords:
ID:
230753 For the list of functions that return E_NOT_OK, see comment 229772 in subsection "Return Values" in
section "Error Handling" above.
-
Category:
Requirement
Keywords:
ID:
230222 Label:
Safety relevant:
Related To:
Related To':
If the RTE invokes an S-WdgM API function, the RTE code shall not corrupt the SWC's memory.
-
11.6.2 System Level API Functions Category:
Comment
Keywords:
ID:
230731 This section lists the requirements for the S-WdgM API functions in the system layer.
-
Category:
Comment
Keywords:
ID:
230819 Note: The system level API functions are not visible in the application layer. The system functions are
invoked by the BSW modules. The RTE does not generate interfaces for these functions.
-
11.6.2.1 WdgM_Init () Category:
Requirement
Keywords:
ID:
230821 Label:
Safety relevant:
Related To:
Related To':
The integrator shall initialize all parts of the S-WdgM data using WdgM_Init () only.
-
Category:
Requirement
Keywords:
ID:
265946 Label:
Safety relevant:
Related To: __MKSID__261148, __MKSID__261150
Related To':
WdgM_Init () shall be called with the correct parameter (i.e. the pointer to the according S-WdgM Configuration).
-
Category:
Comment
Keywords:
ID:
290640 Besides the DET reports, a WdgM_Init() function failure can be checked indirectly by reading the global
pointer variable g_wdgm_cfg_ptr. In case of an error the pointer is NULL.
-
Category:
Requirement
Keywords:
ID:
265886 Label:
Safety relevant:
Related To: __MKSID__261062, __MKSID__261130
Related To':
The integrator shall check the integrity of the S-WdgM Configuration before invoking the WdgM_Init()
function.
-
Category:
Requirement
Keywords:
ID:
265884 Label:
Safety relevant:
Related To:
Related To':
The integrator shall check the loaded S-WdgM code for manipulation before invoking the WdgM_Init()
function.
-
Category:
Comment
Keywords:
ID:
270674 This includes - for example - checks for bitflips.
-
Category:
Requirement
Keywords:
ID:
230841 Label:
Safety relevant:
Related To:
Related To':
Any S-WdgM monitoring (e.g. any call of WdgM_CheckpointReached ()) shall be performed after the S-WdgM
initialization.
-
Category:
Requirement
Keywords:
ID:
230843 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for passing the appropriate S-WdgM Configuration to WdgM_Init () (i.e. so that
no safety requirement is violated).
-
Category:
Requirement
Keywords:
ID:
231163 Label:
Safety relevant:
Related To:
Related To':
The WdgM_Init() function shall be called after the initialization functions of the used S-Wdg drivers (named
Wdg_<platform>_Init (), where <platform> is the used platform).
-
Category:
Comment
Keywords:
ID:
231179 The initialization function(s) of the S-Wdg driver(s) activate the WD device.
-
Category:
Comment
Keywords:
ID:
264615 Note: Some platforms activate the WD automatically once it is powered.
-
Category:
Requirement
Keywords:
ID:
231169 Label:
Safety relevant:
Related To:
__MKSID__261244
Related To':
The function WdgM_Init() shall be called after the memory protection is activated.
-
Category:
Requirement
Keywords:
ID:
231171 Label:
Safety relevant:
Related To:
Related To':
All other S-WdgM API functions shall only be called after WdgM_Init() has successfully initialized the S-WdgM.
-
Category:
Requirement
Keywords:
ID:
265944 Label:
Safety relevant:
Related To:
__MKSID__261279
Related To':
The function WdgM_Init () shall be called after Wdg_<platform>_Init ().
-
Category:
Comment
Keywords:
ID:
231181 After execution of WdgM_Init() all monitoring features are fully operational.
-
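The start-up order that the requirements of this subsection impose, written out as an added example that is not S-WdgM or S-Wdg driver code: memory protection first, then the S-Wdg driver, then an integrity check of the S-WdgM Configuration and of the loaded S-WdgM code, then WdgM_Init (), then the indirect success check through g_wdgm_cfg_ptr. Mpu_Activate, Wdg_Platform_Init, the field layout of WdgM_ConfigType, the choice of CRC-32 as the integrity check, the stand-in WdgM_Init and all reference values are assumptions of this example; the generated S-WdgM types look different.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not S-WdgM or S-Wdg driver code (see lead-in). */

typedef struct {
    uint16_t nr_of_supervised_entities;
    uint16_t ticks_per_second;
    uint32_t crc32;   /* CRC-32 over the fields above, stored by the build (hypothetical) */
} WdgM_ConfigType;     /* hypothetical layout; the real type is generated */

const WdgM_ConfigType *g_wdgm_cfg_ptr = NULL;  /* S-WdgM global pointer; NULL after a failed init */

static bool g_wd_device_active;                /* hypothetical state of the WD device */

static bool Mpu_Activate(void) { return true; }                    /* hypothetical: enables the MPU */
static void Wdg_Platform_Init(void) { g_wd_device_active = true; } /* stand-in for Wdg_<platform>_Init () */

/* Stand-in for WdgM_Init (): the real function validates the configuration and
 * reports to DET; here an empty SE list is the only invalid configuration. */
static void WdgM_Init(const WdgM_ConfigType *cfg)
{
    g_wdgm_cfg_ptr = (cfg != NULL && cfg->nr_of_supervised_entities > 0u) ? cfg : NULL;
}

/* Standard CRC-32 (IEEE 802.3): reflected, init and final XOR 0xFFFFFFFF. */
uint32_t Crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0u; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++) {
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return ~crc;
}

/* What the generator/build step would do: store a CRC that matches the contents. */
WdgM_ConfigType MakeConfig(uint16_t nr_se, uint16_t ticks_per_second)
{
    WdgM_ConfigType cfg = { nr_se, ticks_per_second, 0u };
    cfg.crc32 = Crc32((const uint8_t *)&cfg, offsetof(WdgM_ConfigType, crc32));
    return cfg;
}

/* Requirement 265886: configuration integrity before WdgM_Init (). */
bool WdgM_ConfigIsIntact(const WdgM_ConfigType *cfg)
{
    return cfg != NULL &&
           Crc32((const uint8_t *)cfg, offsetof(WdgM_ConfigType, crc32)) == cfg->crc32;
}

typedef enum {
    START_OK,
    START_MPU_FAILED,
    START_WD_NOT_ACTIVE,
    START_CONFIG_CORRUPT,
    START_CODE_CORRUPT,
    START_WDGM_INIT_FAILED
} StartResult;

/* The ordered start-up. code/code_len stand for the flashed S-WdgM image,
 * code_ref_crc for the reference checksum the build stored for it. */
StartResult StartupWatchdogStack(const WdgM_ConfigType *cfg,
                                 const uint8_t *code, size_t code_len,
                                 uint32_t code_ref_crc)
{
    if (!Mpu_Activate()) {                       /* 231169: memory protection first */
        return START_MPU_FAILED;
    }
    Wdg_Platform_Init();                         /* 231163 / 265944: driver before S-WdgM */
    if (!g_wd_device_active) {
        return START_WD_NOT_ACTIVE;
    }
    if (!WdgM_ConfigIsIntact(cfg)) {             /* 265886 */
        return START_CONFIG_CORRUPT;
    }
    if (Crc32(code, code_len) != code_ref_crc) { /* 265884 / 270674: manipulation, bit flips */
        return START_CODE_CORRUPT;
    }
    WdgM_Init(cfg);
    if (g_wdgm_cfg_ptr == NULL) {                /* 290640: indirect failure check */
        return START_WDGM_INIT_FAILED;
    }
    return START_OK;                             /* 231181: monitoring is operational */
}

int main(void)
{
    static const uint8_t code_image[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01 }; /* constructed */
    WdgM_ConfigType cfg = MakeConfig(3u, 1000u);
    StartResult r = StartupWatchdogStack(&cfg, code_image, sizeof code_image,
                                         Crc32(code_image, sizeof code_image));
    printf("start-up result %d (0 = OK), g_wdgm_cfg_ptr set: %d\n", r, (int)(g_wdgm_cfg_ptr != NULL));
    return r == START_OK ? 0 : 1;
}
```

Until this sequence has returned START_OK nothing is monitored (requirement 264609), so the reset path taken for a failed check should not depend on the S-WdgM itself.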
Category:
Requirement
Keywords:
ID:
264609 Label:
Safety relevant:
Related To:
Related To':
The integrator shall be aware that the system's SW is not monitored by the S-WdgM until the S-Wdg device
is initialized.
-
Category:
Requirement
Keywords:
ID:
264611 Label:
Safety relevant:
Related To: __MKSID__283878, __MKSID__261176, __MKSID__261170
Related To':
The integrator is responsible that the initialization of the WD device and the S-WdgM is performed correctly
and in time.
-
Category:
Requirement
Keywords:
ID:
289548 Label:
Safety relevant:
Related To:
__MKSID__285029
Related To':
The integrator shall consider:
If WdgM_Init () is called during monitoring by the S-WdgM (i.e. after the initial SC),
then all information about pending violations gets lost.
There will be no further DEM report for pending violations.
-
Category:
Comment
Keywords:
ID:
289550 In this context, "pending violations" are violations that have already been detected by the S-WdgM but have
not yet been escalated to the lower S-WdgM Stack levels and no DEM error has been reported so far.
The time duration of pending depends on the S-WdgM Configuration fields, like the number of tolerated
Reference Cycles.
-
11.6.2.2 WdgM_MainFunction () Category:
Requirement
Keywords:
ID:
265950 Label:
Safety relevant:
Related To: __MKSID__261170, __MKSID__261172, __MKSID__261174, __MKSID__261176
Related To':
The function WdgM_MainFunction () shall be called at the end of every SC.
-
Category:
Requirement
Keywords:
ID:
231209 Label:
Safety relevant:
Related To:
Related To':
The integrator shall make sure that WdgM_MainFunction () is correctly scheduled by the operating system
(if used) and is always called as scheduled.
-
Category:
Comment
Keywords:
ID:
231780 If WdgM_MainFunction () is not called in time then the WD is not triggered in time and performs a system
reset.
-
Category:
Requirement
Keywords:
ID:
231183 Label:
Safety relevant:
Related To:
Related To':
The first call of WdgM_MainFunction () shall be inside the initial trigger window of the WD.
-
Category:
Comment
Keywords:
ID:
264607 The time between the WD initialization and its first trigger by WdgM_MainFunction () (SC #0) shall
match the system requirements. This time can be configured in the S-Wdg driver configuration (see the
User Manual of the according S-Wdg driver). Not all platforms support the configuration of the time for the
first S-Wdg trigger.
-
Category:
Comment
Keywords:
ID:
231185 Otherwise the safe state is initiated.
-
Category:
Comment
Keywords:
ID:
232459 For details on the initial trigger window see [TT_WDGM_UM].
-
Category:
Requirement
Keywords:
ID:
231609 Label:
Safety relevant:
Related To:
__MKSID__283870
Related To':
The integrator shall guarantee that WdgM_MainFunction() is not executed faster than defined by the
system design.
-
Category:
Comment
Keywords:
ID:
231191 This can be achieved e.g. by using a windowed watchdog device.
When WdgM_MainFunction() is executed faster than defined, then the S-WdgM reaction times (reset) are
not as expected.
A trigger of the Watchdog outside the defined window leads to a reset. This feature is HW dependent. See
the Safety Manual for the WD driver. Safety Manuals for some drivers can be found in section "References"
at the end of this document.
-
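A tick-based model of the WD device, added here as an example that is neither S-Wdg driver code nor part of this manual, to make the two failure modes above concrete: a windowed device resets on a trigger that arrives before its window opens, whereas a timeout-only device accepts a WdgM_MainFunction () that runs too fast, so only a windowed device enforces the requirement. The initial window for SC #0 is a separate parameter. WdModel, the Wd_* functions and all tick values are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not S-Wdg driver code: a WD device modelled in ticks. */

typedef enum {
    WD_OK,             /* trigger accepted, next window rescheduled */
    WD_RESET_EARLY,    /* windowed device: trigger before the window opened */
    WD_RESET_LATE,     /* window closed without a trigger (timeout) */
    WD_IN_RESET        /* device already asserted reset; triggers are ignored */
} WdEvent;

typedef struct {
    bool     windowed;       /* false: timeout-only device, no lower bound */
    uint32_t window_open;    /* earliest accepted trigger after the last one (ticks) */
    uint32_t window_close;   /* latest accepted trigger after the last one (ticks) */
    uint32_t initial_open;   /* first window after Wdg_<platform>_Init () (SC #0) */
    uint32_t initial_close;
    uint32_t last_trigger;   /* tick of the last accepted trigger (or of init) */
    bool     first_done;
    bool     in_reset;
} WdModel;

void Wd_Init(WdModel *wd, bool windowed, uint32_t open, uint32_t close,
             uint32_t init_open, uint32_t init_close, uint32_t now)
{
    wd->windowed = windowed;
    wd->window_open = open;
    wd->window_close = close;
    wd->initial_open = init_open;
    wd->initial_close = init_close;
    wd->last_trigger = now;
    wd->first_done = false;
    wd->in_reset = false;
}

/* Bounds of the window that currently applies, relative to last_trigger. */
static void Wd_CurrentWindow(const WdModel *wd, uint32_t *open, uint32_t *close)
{
    *open  = wd->first_done ? wd->window_open  : wd->initial_open;
    *close = wd->first_done ? wd->window_close : wd->initial_close;
}

/* The WD driver triggers the device on behalf of WdgM_MainFunction () at tick now. */
WdEvent Wd_Trigger(WdModel *wd, uint32_t now)
{
    uint32_t open, close, elapsed;
    if (wd->in_reset) {
        return WD_IN_RESET;
    }
    Wd_CurrentWindow(wd, &open, &close);
    elapsed = now - wd->last_trigger;
    if (elapsed > close) {
        wd->in_reset = true;
        return WD_RESET_LATE;
    }
    if (wd->windowed && elapsed < open) {
        wd->in_reset = true;          /* too fast: only a windowed device catches this */
        return WD_RESET_EARLY;
    }
    wd->last_trigger = now;
    wd->first_done = true;
    return WD_OK;
}

/* Lets a tick source detect a missed trigger without waiting for the next one. */
WdEvent Wd_Poll(WdModel *wd, uint32_t now)
{
    uint32_t open, close;
    if (wd->in_reset) {
        return WD_IN_RESET;
    }
    Wd_CurrentWindow(wd, &open, &close);
    if (now - wd->last_trigger > close) {
        wd->in_reset = true;
        return WD_RESET_LATE;
    }
    return WD_OK;
}

int main(void)
{
    WdModel wd;
    /* SC = 10 ticks, window 8..12 after each trigger, SC #0 accepted within 0..20. */
    Wd_Init(&wd, true, 8u, 12u, 0u, 20u, 0u);
    printf("SC#0 at 10: %d\n", Wd_Trigger(&wd, 10u));   /* accepted */
    printf("SC#1 at 20: %d\n", Wd_Trigger(&wd, 20u));   /* accepted */
    printf("SC#2 at 25: %d\n", Wd_Trigger(&wd, 25u));   /* MainFunction twice as fast: reset */
    return 0;
}
```

The same model with windowed set to false shows the gap: the trigger at tick 25 is accepted, and an application that has lost its scheduling discipline keeps the device happy while the configured S-WdgM reaction time silently halves.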
Category:
Requirement
Keywords:
ID:
231207 Label:
Safety relevant:
Related To:
Related To':
The function WdgM_MainFunction() shall be executed in a task that is different from the tasks that are
monitored by the S-WdgM.
-
Category:
Comment
Keywords:
ID:
231370 This avoids influence on, or corruption of, WdgM_MainFunction() by another task.
-
11.6.2.3 WdgM_UpdateTickCount () Category:
Comment
Keywords:
ID:
231611 This function has been added by TTTech and is not part of AUTOSAR.
-
Category:
Requirement
Keywords:
ID:
230857 Label:
Safety relevant:
Related To: __MKSID__284091, __MKSID__261214
Related To':
If the configuration parameter WDGM_TIMEBASE_SOURCE is set to WDGM_EXTERNAL_TICK,
then the Time Base Tick Counter shall be updated using WdgM_UpdateTickCount () once every
1/WdgMTicksPerSecond seconds.
-
Category:
Requirement
Keywords:
ID:
230873 Label:
Safety relevant:
Related To: __MKSID__284091, __MKSID__261214
Related To':
If the configuration parameter WDGM_TIMEBASE_SOURCE is set to WDGM_EXTERNAL_TICK,
then the developer is responsible for calling WdgM_UpdateTickCount () periodically in an interval that is
short enough for successful Deadline Monitoring and long enough so that the system safety is not
compromised.
-
Category:
Requirement
Keywords:
ID:
230213 Label:
Safety relevant:
Related To:
Related To':
In case an external tick counter is used, the integrator shall avoid forward jumps, stuck-at, negative
counting, and jitter of the S-WdgM Timebase Tick counter.
-
Category:
Comment
Keywords:
ID:
290532 These effects can influence the expected accuracy of the deadline measurement.
-
Category:
Comment
Keywords:
ID:
230875 The Timebase Tick counter delivers the time base for Deadline Monitoring. It can be - for example - called
from a task with fixed time period and high priority.
-
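A checker for the external tick source, added as an example that is not part of the S-WdgM or of this manual: the periodic high-priority task reads a free-running 32-bit hardware timer, classifies the step since its previous call as stuck-at, backward (negative counting), forward jump or jitter, and calls WdgM_UpdateTickCount () only for a plausible step, counting consecutive faults so the integrator can escalate. The timer width, the thresholds, the TickCheck_* names and the stand-in App_UpdateTickCount are assumptions of this example; the sample readings are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not S-WdgM code: validates the timer that paces the
 * WDGM_EXTERNAL_TICK task against the faults named in requirement 230213. */

typedef enum {
    TICK_OK,
    TICK_STUCK,          /* timer did not move since the last call */
    TICK_BACKWARD,       /* timer value went down (negative counting) */
    TICK_FORWARD_JUMP,   /* more than two nominal periods elapsed */
    TICK_JITTER          /* outside nominal period +/- tolerance */
} TickFault;

typedef struct {
    uint32_t period;       /* nominal timer ticks between two calls (1/WdgMTicksPerSecond) */
    uint32_t tolerance;    /* accepted deviation from period */
    uint32_t last_timer;   /* timer value at the previous call */
    bool     have_last;
    uint32_t consecutive_faults;
    uint32_t wdgm_ticks_forwarded;  /* calls passed on to WdgM_UpdateTickCount () */
} TickCheck;

void TickCheck_Init(TickCheck *tc, uint32_t period, uint32_t tolerance)
{
    tc->period = period;
    tc->tolerance = tolerance;
    tc->last_timer = 0u;
    tc->have_last = false;
    tc->consecutive_faults = 0u;
    tc->wdgm_ticks_forwarded = 0u;
}

/* Classifies one timer reading. The timer is assumed to be a 32-bit
 * free-running counter: a wrap-around is handled by unsigned subtraction,
 * and a delta with the top bit set is read as a step backwards. */
TickFault TickCheck_Classify(const TickCheck *tc, uint32_t now)
{
    uint32_t delta;
    if (!tc->have_last) {
        return TICK_OK;                       /* first sample: nothing to compare */
    }
    delta = now - tc->last_timer;
    if (delta == 0u) {
        return TICK_STUCK;
    }
    if (delta >= 0x80000000u) {
        return TICK_BACKWARD;
    }
    if (delta > 2u * tc->period) {
        return TICK_FORWARD_JUMP;
    }
    if (delta + tc->tolerance < tc->period || delta > tc->period + tc->tolerance) {
        return TICK_JITTER;
    }
    return TICK_OK;
}

/* Hypothetical stand-in for WdgM_UpdateTickCount (). */
static void App_UpdateTickCount(TickCheck *tc)
{
    tc->wdgm_ticks_forwarded++;
}

/* Body of the periodic tick task. Only a plausible timer step advances the
 * S-WdgM time base; faults are counted so the caller can escalate (e.g. a DEM
 * report or WdgM_PerformReset ()) after a configured number of them. */
TickFault TickCheck_Run(TickCheck *tc, uint32_t now)
{
    TickFault f;
    if (!tc->have_last) {                     /* first call only establishes a reference */
        tc->last_timer = now;
        tc->have_last = true;
        return TICK_OK;
    }
    f = TickCheck_Classify(tc, now);
    if (f == TICK_OK) {
        tc->consecutive_faults = 0u;
        App_UpdateTickCount(tc);
    } else {
        tc->consecutive_faults++;
    }
    /* Re-base on every sample except a stuck one, so a single jump does not
     * make all following, correctly paced samples look like faults as well. */
    if (f != TICK_STUCK) {
        tc->last_timer = now;
    }
    return f;
}

int main(void)
{
    TickCheck tc;
    const uint32_t samples[] = { 0u, 1000u, 2040u, 2040u, 9000u, 8990u, 9990u }; /* constructed */
    TickCheck_Init(&tc, 1000u, 50u);
    for (unsigned i = 0u; i < sizeof samples / sizeof samples[0]; i++) {
        printf("timer %5u -> fault %d\n", samples[i], TickCheck_Run(&tc, samples[i]));
    }
    printf("ticks forwarded to the S-WdgM: %u\n", tc.wdgm_ticks_forwarded);
    return 0;
}
```

Withholding the call on a faulty step keeps the Timebase Tick counter monotonic and roughly periodic, which is what Deadline Monitoring relies on; a run of consecutive faults is the signal to escalate, because the deadline measurement has by then lost its accuracy.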
Category:
Comment
Keywords:
ID:
230877 If WDGM_TIMEBASE_SOURCE is set to WDGM_INTERNAL_SOFTWARE_TICK,
then WdgM_UpdateTickCount () is called from within WdgM_MainFunction () once at every call of
WdgM_MainFunction ().
-
Category:
Comment
Keywords:
ID:
236538 If WDGM_TIMEBASE_SOURCE is set to WDGM_INTERNAL_HARDWARE_TICK,
then the S-WdgM does not provide the function WdgM_UpdateTickCount (). The counter value is read from
the hardware through the S-WdgIf function WdgIf_GetTickCounter (). See [TT_WDGIF_UM] and
[TT_WDGIF_SM].
This feature is HW dependent. See the Safety Manual specific for the driver. Safety Manuals for some
drivers can be found in section "References" at the end of this document.
-
11.6.2.4 WdgM_GetVersionInfo () Category:
Requirement
Keywords:
ID:
230895 Label:
Safety relevant:
Related To:
Related To':
The integrator shall retrieve the current version of the S-WdgM using WdgM_GetVersionInfo () only.
-
Category:
Comment
Keywords:
ID:
230897 WdgM_GetVersionInfo () is only available if WDGM_VERSION_INFO_API is set to STD_ON.
-
Category:
Comment
Keywords:
ID:
230899 WdgM_GetVersionInfo () is a C macro.
-
11.6.2.5 Requirements For All System Level API Functions Category:
Requirement
Keywords:
ID:
231321 Label:
Safety relevant:
Related To:
Related To':
It is the responsibility of the integrator to verify the correctness of parameters that are passed to the S-WdgM
system level API functions.
-
Category:
Requirement
Keywords:
ID:
230831 Label:
Safety relevant:
Related To:
Related To':
Some S-WdgM API functions have a pointer to data as argument. The integrator is responsible that such
data is not modified by the system or code other than the S-WdgM.
-
Category:
Comment
Keywords:
ID:
230832 This includes:
WdgM_Init ()
WdgM_GetVersionInfo ()
WdgM_GetLocalStatus()
WdgM_GetGlobalStatus()
WdgM_GetMode()
-
Category:
Requirement
Keywords:
ID:
230833 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for a correct error escalation if a S-WdgM API function returns E_NOT_OK.
-
Category:
Comment
Keywords:
ID:
230835 For the list of functions that return E_NOT_OK, see comment 229772 in subsection "Return Values" in
section "Error Handling" above.
-
Category:
Requirement
Keywords:
ID:
230885 Label:
Safety relevant:
Related To:
Related To':
The following functions - although available - are for S-WdgM internal processing and shall not be used:
GlobalSuspendInterrupts ()
GlobalRestoreInterrupts ()
WdgM_SetTickCount ()
WdgM_WriteRememberedEntityId ()
WdgM_WriteGlobalActivityFlag ()
WdgM_WriteGlobalTransitionFlag ()
WdgM_ReadGlobalTransitionFlag ()
WdgM_ReadRememberedEntityId ()
-
11.6.3 Memory Access Category:
Comment
Keywords:
ID:
231145 This section lists the requirements related to memory access of the various S-WdgM API functions.
-
Category:
Requirement
Keywords:
ID:
231203 Label:
Safety relevant:
Related To:
__MKSID__261230
Related To':
The S-WdgM API functions shall be granted the required access rights to the various memory sections as
depicted in the following table.
-
Category:
Comment
Keywords:
ID:
231147 The following table shows the required access rights for each S-WdgM API function according to the
memory sections.
A description of the memory sections can be found in [TT_WDGM_UM].
Function                            | S-WdgM local SE memory | S-WdgM global memory | S-WdgM global shared memory | MCU Register (3)
WdgM_Init () (1)                    | read, write            | read, write          | read, write                 | read, write
WdgM_MainFunction ()                | read                   | read, write          | read                        | read, write
WdgM_CheckpointReached ()           | read, write            | read                 | read, write                 | -----
WdgM_UpdateTickCount () (2)         | -----                  | read, write          | -----                       | -----
WdgM_PerformReset ()                | -----                  | write                | -----                       | read, write
WdgM_GetLocalStatus ()              | read                   | -----                | -----                       | -----
WdgM_GetGlobalStatus ()             | -----                  | read                 | -----                       | -----
WdgM_GetMode ()                     | -----                  | read                 | -----                       | -----
WdgM_SetMode ()                     | -----                  | write                | -----                       | -----
WdgM_DeactivateSupervisionEntity () | -----                  | -----                | write                       | -----
WdgM_ActivateSupervisionEntity ()   | -----                  | -----                | write                       | -----
table 19
(1) The function WdgM_Init () initializes all internal S-WdgM variables and the S-WdgM variables in the
contexts of the SEs.
(2) The Timebase Tick counter belongs to the S-WdgM global variables.
(3) MCU Register access. The S-WdgM does not access the hardware registers directly. The hardware is
accessed by calling the WD driver or MCU driver functions. The register access is platform and
implementation dependent and may imply "supervisor MCU mode" or "privileged MCU mode". See the
driver's User Manual and Safety Manual for details.
-
Category:
Comment
Keywords:
ID:
231149 Note: The MMU or MPU - if running on the target system - needs to be configured accordingly.
-
Category:
Requirement
Keywords:
ID:
284909 Label:
Safety relevant:
Related To:
__MKSID__261230
Related To':
The integrator shall check the MMU/MPU error messages if MMU or MPU is used.
-
Category:
Comment
Keywords:
ID:
284911 This is for the case that a S-WdgM API function is denied a required memory access.
-
11.6.4 Concurrent Function Calls Category:
Requirement
Keywords:
ID:
283147 Label:
Safety relevant:
Related To: __MKSID__284600, __MKSID__284608
Related To':
The following table shows which functions may run concurrently:
figure 1 (concurrency matrix of the S-WdgM API functions; the matrix itself is an image and is not reproduced in this text)
"Y" is for "Yes" (may run concurrently) and
"N" is for "No" (may not run concurrently)
*1) Allowed only if running in different application contexts.
-
12 Safety Lifecycle Tailoring
Category:
Comment
Keywords:
ID:
230008 This section describes which phases of the S-WdgM product safety lifecycle according to [ISO26262] were
executed by TTTech during the development and which phases have to be executed by the integrator.
-
Category:
Comment
Keywords:
ID:
230016 The S-WdgM is a software unit representing a safety element out of context (SEooC) according to
[ISO26262], part 10. The SW requirements of the S-WdgM are based on [AS_WDGM_SWS] and
[TT_WDGM_SRD] with deviations listed in [TT_WDGM_UM]. The architectural design is documented in
[TT_WDGM_UDD].
-
Category:
Comment
Keywords:
ID:
230020 The following ISO 26262 phases that are relevant for the integrator were executed by TTTech:
3-7 Hazard analysis and risk assessment *)
3-8 Functional Safety Concept *)
4-6 Technical Safety Concept *)
4-7 System Design *)
6-5 Initiation of product development at SW level *),
6-8 Software unit design and implementation *) and
6-9 Software unit tests *).
*) As far as related to the S-WdgM as SEooC.
-
Category:
Requirement
Keywords:
ID:
230022 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the execution of ISO 26262 phase 6-6 (Specification of SW safety
requirements) to identify the system's SW safety requirements.
-
Category:
Requirement
Keywords:
ID:
230024 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the execution of ISO 26262 phase 6-7 (SW architectural design) that
covers S-WdgM code.
-
Category:
Comment
Keywords:
ID:
230026 The S-WdgM code does not impose any special restrictions on the SW architecture design except for the
requirements in this document.
-
Category:
Requirement
Keywords:
ID:
230030 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the execution of ISO 26262, part 6, clause 8.4.5, b) to verify that the
software unit design of the S-WdgM is complete with respect to the software safety requirements and the
software architecture through traceability.
-
Category:
Requirement
Keywords:
ID:
230040 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the execution of ISO 26262 phase 6-10 (SW integration and testing) to
verify that S-WdgM code is correctly integrated into the system.
-
Category:
Requirement
Keywords:
ID:
230042 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the execution of ISO 26262 phase 6-11 (Verification of SW safety
requirements) to verify the safety requirements that are related to S-WdgM code.
-
13 Qualification
Category:
Comment
Keywords:
ID:
230060 The S-WdgM has been developed according to the requirements in [ISO26262] as specified in section
"Safety Lifecycle Tailoring" above. It can be integrated in systems up to ASIL D, provided that all
requirements in this document are fulfilled.
-
Category:
Comment
Keywords:
ID:
228543 The hardware dependent qualification data and required resources for each platform are part of the WD
drivers' Safety Manual.
-
Category:
Comment
Keywords:
ID:
230093 The S-WdgM Stack Safety Case [TT_WDGS_SC] lists all S-WdgM qualification documents.
-
Category:
Comment
Keywords:
ID:
230128 The S-WdgM unit tests are specified in [TT_WDGM_UTS].
The S-WdgM tests of the unit test framework are specified in [TT_WDGS_UTS].
The integration tests of the S-Wdg Stack are specified in [TT_WDGS_ITS].
-
Category:
Comment
Keywords:
ID:
260892 The environments and S-WdgM Configurations of integration tests that have been conducted by TTTech
can be found in the Safety Manual of the various S-Wdg drivers (e.g. [TT_WDGDR_<platform>_SM], where
<platform> is the used platform; see also section "References" at the end of the document).
-
Category:
Requirement
Keywords:
ID:
230124 Label:
Safety relevant:
Related To:
Related To':
The integrator is responsible for the qualification of the S-WdgM code for the used environment. This
means that the S-WdgM code must be integration tested against this environment.
The environment comprises:
the target CPU,
the compiler and linker,
the compiler and linker settings,
S-WdgM Stack pre-compile configurations,
the used WDs and S-Wdg drivers, and
the AUTOSAR software stack.
-
Category:
Requirement
Keywords:
ID:
283952 Label:
Safety relevant:
Related To:
Related To':
Integration tests shall also cover the detection and escalation of all kinds of violations (by means of
"negative tests").
This comprises:
deadline violations (Local and Global Transitions, min.deadline violations, max. deadline violations),
program flow violations (Local and Global Transitions), and
Alive Counter violations (min. Alive Counter violation, max. Alive Counter violations).
-
Category:
Requirement
Keywords:
ID:
230126 Label:
Safety relevant:
Related To:
Related To':
If the S-WdgM is used in an environment that differs in any way from the environment it has been tested
with (see the list below), then the integrator shall analyze the consequences of the differences and conduct
corresponding tests (see [ISO26262] part 6, clause 9, in particular [ISO26262] part 6, clause 9.4.6).
The TTTech test environments are defined in
the S-Wdg driver Safety Manual [TT_WDGDR_<platform>_SM] (if a TTTech driver for this platform exists),
and in detail in
the Integration Test Specification [TT_WDGS_ITS], and
the Unit Test Specification [TT_WDGM_UTS].
-
Category:
Comment
Keywords:
ID:
231613 TTTech offers qualification of the S-WdgM for customer-specific configurations.
-
14 Resource Requirements
Category:
Comment
Keywords:
ID:
230150 The memory consumption and runtime consumption of the S-WdgM depend on the chosen HW (and hence
on the used S-Wdg driver).
The resource requirements of the complete S-WdgM Stack can be found in the according S-Wdg Safety
Manual.
-
15 Constraints And Known Problems
Category:
Comment
Keywords:
ID:
290553 For known problems, see the Release Notes delivered with this software module.
-
16 References
Category:
Comment
Keywords:
ID:
229559 [ISO26262] ISO 26262, International Standard, Road vehicles - Functional safety, First edition 2011-11-15
-
Category:
Comment
Keywords:
ID:
229814 [TT_WDGIF_SM] TTTech Automotive GmbH, Safe Watchdog Interface - Safety Manual, D-SAFEX-S-70-003
-
Category:
Comment
Keywords:
ID:
229604 [TT_WDGDR_MPC56xx_SM] TTTech Automotive GmbH, Safe Watchdog Driver for MPC56xx - Safety
Manual, D-MSP-M-70-022
-
Category:
Comment
Keywords:
ID:
229606 [TT_WDGDR_SAFETCORE_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TriCore and
SafeTcore - Safety Manual, D-SAFEX-S-70-013
-
Category:
Comment
Keywords:
ID:
229612 [TT_WDGDR_TMS570LS3x_SM] TTTech Automotive GmbH, Safe Watchdog Driver for TMS570LS3x -
Safety Manual, D-SAFEX-S-70-015
-
Category:
Comment
Keywords:
ID:
230103 [TT_WDGS_SC] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Safety Case, D-SAFEX-IN-70-001
-
Category:
Comment
Keywords:
ID:
229551 [TT_WDGM_UM] TTTech Automotive GmbH, Safe Watchdog Manager - User Manual, D-MSP-M-70-001
-
Category:
Comment
Keywords:
ID:
229626 [TT_WDGIF_UM] TTTech Automotive GmbH, Safe Watchdog Interface - User Manual, D-MSP-M-70-006
-
Category:
Comment
Keywords:
ID:
229628 [TT_WDGDR_MPC56xx_UM] TTTech Automotive Gmbh, Safe Watchdog Driver (MPC56xx) - User Manual,
D-MSP-M-70-008
-
Category:
Comment
Keywords:
ID:
229630 [TT_WDGDR_SAFETCORE_UM] Safe Watchdog Driver (SafeTcore) - User Manual, D-MSP-M-70-007
-
Category:
Comment
Keywords:
ID:
229634 [TT_WDGDR_TMS570LS3x_UM] TTTech Automotive GbmH, Safe Watchdog Driver (TMS570LS3x) - User
Manual, D-MSP-M-70-010
-
Category:
Comment
Keywords:
ID:
229521 [AS_WDGM_SWS] AUTOSAR, Specification of Watchdog Manager, Version 2.0.0, Release 4.0, Revision 1
555639 [AS_WDGM_SWS_3_1] AUTOSAR, Specification of Watchdog Manager, Version 1.2.2, Release 3.1, Revision 1
229535 [AS_WDGIF_SWS] AUTOSAR, Specification of Watchdog Interface, Version 2.3.0, Release 4.0, Revision 1
229537 [AS_WDGDR_SWS] AUTOSAR, Specification of Watchdog Driver, Version 2.3.0, Release 4.0, Revision 1
237643 [AS_RTE_SWS] AUTOSAR, Specification of RTE, Version 3.0.0, Release 4.0, Revision 1
230108 [AS_STDTYP_SWS] AUTOSAR, Specification of Standard Types, Version 1.3.0, Release 4.0, Revision 1
230110 [AS_COMABS_SWS] AUTOSAR, Specification of Compiler Abstraction, Version 3.0.0, Release 4.0, Revision 1
230112 [AS_PLTFM_SWS] AUTOSAR, Specification of Platform Types, Version 2.3.0, Release 4.0, Revision 1
230114 [AS_MEM_SWS] AUTOSAR, Specification of Memory Mapping, Version 1.2.0, Release 4.0, Revision 1
229557 [TI_SPNU511_UM] Texas Instruments, Safety Manual for TMS570LS31x/21x and RM48x Hercules™ ARM® Safety Critical Microcontrollers - User's Guide, Literature Number: SPNU511A, February 2012
16.1 Internal Documents
283456 The following referenced documents are internal TTTech Automotive GmbH documents. For inspection, please contact TTTech Automotive GmbH:
283458 [TT_WDGM_ETA] TTTech Automotive GmbH, Safe Watchdog Manager - Event Tree Analysis, S-SAFEX-S-70-001
283460 [TT_WDGM_SD] TTTech Automotive GmbH, Safe Watchdog Manager - System Design, D-SAFEX-D-70-007
283476 [TT_WDGM_TSR] TTTech Automotive GmbH, Safe Watchdog Manager - Technical Safety Requirements, D-SAFEX-S-70-021
283462 [TT_WDGM_SRD] TTTech Automotive GmbH, Safe Watchdog Manager - Software Requirements Document, D-SAFEX-S-70-004
283464 [TT_WDGM_UDD] TTTech Automotive GmbH, Safe Watchdog Manager - Unit Design Document, D-SAFEX-D-70-002
283468 [TT_WDGM_UTS] TTTech Automotive GmbH, Safe Watchdog Manager - Unit Test Specification, D-SAFEX-V-70-001
283472 [TT_WDGS_ITS] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test Specification, D-SAFEX-V-01-001
283474 [TT_WDGS_ITR] TTTech Automotive GmbH, Safe Watchdog Manager Stack - Integration Test Report, D-SAFEX-V-01-002
7 - S-WdgM_Stack_SafetyCase
Ensuring Reliable Networks Safe Watchdog Manager Stack Safety Case
Author: TTTech
Reviewer(s): VLE
Reference: D-SAFEX-IN-70-001
Security: Confidential
Version: 1.1.0
Date: 14.08.2014
Status: Released
TTTech Automotive GmbH Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, office@tttech-automotive.com
No part of the document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written permission of TTTech
Automotive. Company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies. TTTech Automotive undertakes no
further obligation in relation to this document.
Copyright © 2010, TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections
Ensuring Reliable Networks Document Name: Safety Case
Ref.: D-SAFEX-IN-70-001
Page 2
Revision Chart
A revision is a new edition of the document and affects all sections of this document.
Version | Date | Responsible Person | Modification
0.1.0 | 2012-07-02 | PPU | Creation
0.2.0 | 2012-07-19 | PPU | Corrected ISO/DIS -> ISO
0.3.0 | 2012-09-27 | PPU | Added S-WdgM Stack chapter
0.4.0 | 2012-10-01 | PPU | Versions of artefacts updated
1.0.0 | 2012-10-01 | PPU | Version of this document updated
1.0.1 | 2012-10-03 | PPU | Document split to three module dependent documents: S-WdgM, S-WdgIf, S-Wdg. Content against 1.0.0 not changed
1.0.2 | 2012-10-04 | PPU | In chapter 2 the RAD reference removed and the provided ISO lifecycles added.
1.0.3 | 2012-11-16 | PPU | Version of the documents updated.
1.0.4 | 2012-11-19 | PPU | Version of the documents updated.
1.0.5 | 2012-11-19 | PPU | Version of the documents updated.
1.0.80 | 2014-03-03 | PPU | Based on ver. 1.0.4, the Verifier versions updated only.
1.1.0 | 2014-08-14 | PPU | Versions of artefacts updated for release 1.26.1
Last Change: 14.08.2014
Author: TTTech
Version: 1.1.0 © TTTech Automotive GmbH
Contents
1 Purpose of this Document ... 4
2 Assumptions on S-WdgM Stack as SEooC ... 4
2.1 Assumptions on scope ... 4
3 Software Safety Lifecycles ... 4
4 Software Safety Lifecycle Documentation ... 5
4.1 Safe Watchdog Manager Stack ... 6
4.1.1 Software Project Plan (SPP) ... 6
4.1.2 Functional Safety Concept (FSC) ... 6
4.1.3 Technical Safety Requirements (TSR) ... 6
4.1.4 System Design (SD) ... 7
4.1.5 Software Requirements Document (SRD) ... 7
4.1.6 Software Architecture Document (SAD) ... 7
4.1.7 Integration Test Specification (ITS) ... 7
4.1.8 Integration Test Report (ITR) ... 8
4.2 Safe Watchdog Manager ... 8
4.2.1 Software Requirements Document (SRD) ... 8
4.2.2 Unit Design Document (UDD) ... 8
4.2.3 Source Code ... 9
4.2.4 Unit Test Specification (UTS) ... 9
4.2.5 Unit Test Report (UTR) ... 9
4.2.6 Safety Manual (SM) ... 9
4.2.7 Safe Watchdog Manager Verifier ... 10
4.2.7.1 Software Requirements Document (SRD) ... 10
4.2.7.2 Source Code ... 10
4.2.7.3 Unit Test Specification (UTS) ... 10
4.2.7.4 Unit Test Report (UTR) ... 11
5 Summary ... 11
6 Abbreviations and Glossary ... 11
7 References ... 11
7.1 Documents Available on Request ... 11
7.2 Other Documents ... 12
1 Purpose of this Document
This document represents the safety case for the Safe Watchdog Manager Stack. In detail it covers the following areas:
- Safe Watchdog Manager Stack (the common parts)
- Safe Watchdog Manager
The other units of the Safe Watchdog Manager Stack, the Safe Watchdog Interface and the Safe Watchdog Driver, have separate safety case documents.
The safety case references all relevant documents to provide evidence that the software units have been developed according to the requirements of ISO26262:2011 (see [ISO]) for an ASIL D SEooC software component.
The creation of the proof of due diligence document for the whole watchdog safety concept is the responsibility of the integrator of the Safe Watchdog Manager Stack (S-WdgM Stack) and is not part of this safety case document.
2 Assumptions on S-WdgM Stack as SEooC
2.1 Assumptions on scope
According to ISO 26262:2011-10, clause 9.2.4.2, Step 1a, the following assumptions on the scope of the software component as an SEooC were made:
- S-WdgM Stack is integrated into an AUTOSAR 4 or compatible software architecture
- S-WdgM Stack must not unintentionally interfere with other software components
- S-WdgM Stack expects that the executing hardware is working correctly
3 Software Safety Lifecycles
The software units represent SEooC units according to ISO26262. The following software safety lifecycles were executed as part of the development process of the software units:
Concept phases:
- 3-7 Hazard analysis and risk assessment *)
- 3-8 Functional Safety Concept *)
Product development at the system level:
- 4-6 Technical Safety Concept *)
- 4-7 System Design *)
Product development at the software level:
- 6-5 Initiation of product development at the software level *)
- 6-8 Software unit design and implementation *)
- 6-9 Software unit testing *)
Supporting processes:
- 8-7 Configuration management
- 8-8 Change management
*) As far as related to the S-WdgM Stack as SEooC
Part 6-6 deals with safety requirements, which are always defined on system level. For the development of the SEooC, we have made assumptions on the safety requirements, which are described in the corresponding SEooC safety manuals. The system integrator must verify that the SEooC fits the actual system safety requirements.
The other software safety lifecycle phases described by ISO26262 have to be executed by the system integrator.
4 Software Safety Lifecycle Documentation
The following subsections list the software safety lifecycle artifacts of the software units:
- Safety manuals as .pdf files with references to the MKS repository,
- Source code delivered to the customer as a pointer to the code location,
- Requirement, design documentation, and test specification as references to the respective documents in the MKS repository. They are identified by MKS document id, the document version number and the document label.
- Test results as .doc or .pdf files
The customer delivery contains
- User manuals
- Safety manuals and
- Source code
All other artifacts can be audited by the customer on request, either on-site at the TTTech Vienna development location or via teleconference (e.g. Webex).
The verification and confirmation measures required by ISO26262:2011 have been executed as described in the Software Project Plan (SPP).
The evidence for the execution of all verification and confirmation measures required by ISO26262 is version-controlled in the following directory:
http://tttechsvn.vie.at.tttech.ttt/trunk/projects/certification/sqa/s-wdgm/evidence
The conformity of the development processes of the S-WdgM Stack with ISO 26262:2011 has been assessed in a process audit [AUDIT_S-WdgM].
4.1 Safe Watchdog Manager Stack
This chapter contains common documents related to all three units:
- Safe Watchdog Manager
- Safe Watchdog Interface
- Safe Watchdog Driver
4.1.1 Software Project Plan (SPP)
The SPP contains all planning activities for all software units. It also represents the "Safety Plan" as required by ISO26262. Chapter VI of the SPP also contains the software tool qualification plan and software tool qualification report as required by ISO26262-8, clause 11.
Document Title: Safe Watchdog Manager Stack Software Project Plan
Document Version: 0.7.0
Document Number: D-SAFEX-P-70-001
Location: http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/03_planning&risk-management/S-WdgM_SPP_V_0_7_0.doc
4.1.2 Functional Safety Concept (FSC)
This document reflects the functional safety concept according to ISO26262 3-8 Functional Safety Concept.
It is the top-level document for the Safe Watchdog Manager Stack and therefore also includes assumptions on the ISO 26262:2011 work product 3-7 Hazard analysis and risk assessment in the scope of this SEooC.
Document Title: Safe Watchdog Manager Stack Functional Safety Concept
Document Version: 0.2.0
Document Number: D-SAFEX-S-70-006
Location: MKS ID 262558
Label: Release_1_26_1
4.1.3 Technical Safety Requirements (TSR)
This document describes the technical safety requirements that are assumed for a system using the Safe Watchdog Manager Stack. The technical safety requirements are relevant for the system integrator.
Document Title: Safe Watchdog Manager Stack - Technical Safety Requirements
Document Version: 0.2.0
Document Number: D-SAFEX-S-70-021
Location: MKS ID 262750
Label: Release_1_26_1
4.1.4 System Design (SD)
This document reflects the system design document according to ISO 26262:2011 [ISO] 4-7 System Design for the system using the Safe Watchdog Manager Stack. It is based on the technical safety requirements document [TSR] of the ISO 26262:2011 [ISO] work product 4-6 Technical Safety Requirements in the scope of this SEooC.
Document Title: Safe Watchdog Manager Stack - System Design Specification
Document Version: 0.2.0
Document Number: D-SAFEX-D-70-007
Location: MKS ID 263048
Label: Release_1_26_1
4.1.5 Software Requirements Document (SRD)
This document describes the software requirements for the Safe Watchdog Manager Stack. The SRD represents the software unit high-level requirements as required by ISO 26262:2011 – 6, clause 6.
Document Title: Safe Watchdog Manager Stack - Software Requirements Document
Document Version: 1.0.5
Document Number: D-SAFEX-D-70-024
Location: MKS ID 264112
Label: Release_1_26_1
4.1.6 Software Architecture Document (SAD)
This document describes the software architecture of the Safe Watchdog Manager Stack.
Document Title: Safe Watchdog Manager Stack - Software Architecture Document
Document Version: 1.0.2
Document Number: D-SAFEX-S-70-016
Location: MKS ID 266056
Label: Release_1_26_1
4.1.7 Integration Test Specification (ITS)
This document describes the integration test, which verifies that the Watchdog Manager, Watchdog Interface and Watchdog Driver are compatible with other AUTOSAR components and show the expected behaviour at runtime.
Document Title: Safe Watchdog Manager Stack - Integration Test Specification
Document Version: 2.1.2
Document Number: D-SAFEX-V-01-001
Location: MKS ID 61036
Label: Release_1_26_1 *1)
4.1.8 Integration Test Report (ITR)
This document contains a detailed integration test report of the Safe Watchdog Manager Stack according to the requirements of ISO 26262:2011.
Document Title: Safe Watchdog Manager Stack - Integration Test Report
Document Version: 2.0.21
Document Number: D-SAFEX-V-01-002
Location: MKS ID 280966
Label: Release_1_26_1 *1)
Location: \\fileserver.vie.at.tttech.ttt\sw-development\software-PDF releases\external\TTX\2014\safe_execution_V1_26_0_2014_05_27\_internal_documents\integration_test\safe_execution_integration_test_report_v1_26_0.pdf
*1) The S-WdgM and S-WdgIf integration test was executed on the V850PJ4 platform (evaluation board) in the 1.26.0 TTTech Release. The S-Wdg driver integration test was executed on the R7F701353 customer platform with the TLE4473 watchdog in the 1.25.0 TTTech Release.
4.2 Safe Watchdog Manager
This chapter contains documents related to the Safe Watchdog Manager module.
4.2.1 Software Requirements Document (SRD)
This document describes the software requirements for the Safe Watchdog Manager. The SRD represents the software unit high-level requirements as required by ISO 26262:2011 – 6, clause 6.
Document Title: Safe Watchdog Manager Software Requirements Document
Document Version: 1.0.10
Document Number: D-SAFEX-S-70-004
Location: MKS ID 53448
Label: Release_1_26_1
4.2.2 Unit Design Document (UDD)
The UDD represents the software unit design specification as required by ISO 26262:2011 – 6, clause 8.
Document Title: Safe Watchdog Manager Unit Design Document
Document Version: 1.0.6
Document Number: D-SAFEX-D-70-002
Location: MKS ID 53535
Label: Release_1_26_1
4.2.3 Source Code
The source code of the software unit is written in the C programming language.
Title: Safe Watchdog Manager Source Code
Version: 3.3.2
Location: http://tttechsvn.vie.at.tttech.ttt/trunk/SW/msp-watchdog-mgr
The HIS metrics and the MISRA rule check are performed with the tool QA-C.
The HIS metrics report can be found in the files under http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-documents/HIS_MISRA_checks/Release_1_26_0. All HIS metrics violations are justified in the respective source files.
The results of the MISRA check can be found in the folder http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-documents/HIS_MISRA_checks/Release_1_26_0. All violations are justified. The justifications are provided as comments in the respective source files.
4.2.4 Unit Test Specification (UTS)
The UTS contains a detailed test specification of the software unit according to the requirements of ISO 26262:2011 – 6, clause 9. The UTS demonstrates 100% requirements coverage.
Document Title: Safe Watchdog Manager Unit Test Specification
Document Version: 1.0.22
Document Number: D-SAFEX-V-70-001
Location: MKS ID 61477
Label: Release_1_26_1
4.2.5 Unit Test Report (UTR)
The UTR contains a detailed unit test report according to the requirements of ISO 26262:2011 – 6, clauses 8 and 9. The UTR shows that all tests and review procedures specified in the UTS passed and that 100% MC/DC coverage is achieved.
Document Title: Safe Watchdog Manager Unit Test Report
Document Version: 1.0.4
Document Number: D-SAFEX-V-70-005
Location: http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-documents/Reviews/S-WdgM/UTR/S-WdgM-Stack_UTR_WdgM_D-SAFEX-V-70-005_V_1 0 4.pdf
4.2.6 Safety Manual (SM)
The Safety Manual (SM) contains the requirements for the integrator of the software unit. All requirements described in this document must be followed. Specifically, the SM describes for which configuration (configuration parameters, used hardware, compiler and linker settings) the software unit has been tested according to ISO 26262:2011 requirements. Moreover, the SM describes which SW safety lifecycle requirements and recommendations of ISO 26262:2011 were not executed during the development of the software unit. These requirements and recommendations have to be considered by the integrator of the software unit.
Document Title: Safe Watchdog Manager Safety Manual
Document Version: 2.3.28
Document Number: D-SAFEX-S-70-001
Location: MKS ID 228403
Label: Release_1_26_1
4.2.7 Safe Watchdog Manager Verifier
4.2.7.1 Software Requirements Document (SRD)
This document lists the requirements to be fulfilled by the Safe Watchdog Manager Configuration Verifier.
Document Title: Safe Watchdog Manager Verifier Software Requirements Document
Document Version: 1.0.2
Document Number: D-SAFEX-S-70-007
Location: MKS ID 239129
Label: Release_1_26_1
4.2.7.2 Source Code
The verifier source code is written in the C programming language. It is delivered as a .dll file.
Title: Safe Watchdog Manager Verifier Source Code
Version: 1.2.11
Location: http://tttechsvn.vie.at.tttech.ttt/trunk/SW/msp-watchdog-mgr-config/src/C
4.2.7.3 Unit Test Specification (UTS)
The UTS contains a detailed test specification of the software unit according to the requirements of ISO 26262:2011 – 6, clause 9.
Document Title: Safe Watchdog Manager Verifier Unit Test Specification
Document Version: 1.0.3
Document Number: D-SAFEX-V-70-009
Location: MKS ID 313571
Label: Release_1_26_1
4.2.7.4 Unit Test Report (UTR)
The UTR contains a detailed unit test report according to the requirements of ISO 26262:2011 – 6, clauses 8 and 9. The UTR shows that all tests and review procedures specified in the UTS passed.
Document Title: Safe Watchdog Manager Verifier Unit Test Report
Document Version: 1.0.1
Document Number: D-SAFEX-V-70-010
Location: http://tttechsvn.vie.at.tttech.ttt/trunk/projects/customers/SafeExe-ASIL/04_technical-documents/Unit_Test_Reports/S-WdgM-Stack_UTR_WdgMVerifier_D-SAFEX-V-70-010_V_1.0.1.doc
5 Summary
The evidence in the sections "Assumptions on S-WdgM Stack as SEooC", "Software Safety Lifecycles" and "Software Safety Lifecycle Documentation", together with the assessment reports [AUDIT_S-WdgM], shows that the S-WdgM Stack has been developed as a SEooC component according to ISO26262:2011 and can be used for up to ASIL D.
It is safe to integrate the SW unit into safety-related systems developed according to ISO 26262:2011, if the requirements described in the Safety Manual (SM) are fulfilled by the system integrator.
6 Abbreviations and Glossary
Acronym / Term: Meaning
API: Application Programmer Interface
ASIL: Automotive Safety Integrity Level
HIS: Herstellerinitiative Software
HW: Hardware
ISO: International Standard
MC/DC: Modified Condition/Decision Coverage
MISRA: Motor Industry Software Reliability Association
MKS: MKS Integrity software tool made by MKS Software Inc.
SEooC: Safety Element out of Context according to ISO 26262:2011-10
SM: Safety Manual
SW: Software
7 References
7.1 Documents Available on Request
The following documents are not part of the customer delivery. The documents can be made available in video conferences (e.g., WebEx) or in on-site audits at the development center of TTTech in Vienna. If necessary, please contact the TTTech Automotive Support at support@tttech-automotive.com.
[AUDIT_S-WdgM] TÜV NORD – Institut für Fahrzeugtechnik & Mobilität,
A/ Report on the Functional Safety Audit for TTTech's Safe Watchdog Manager Stack (ISO 26262 / ASIL D)
1. Report-No: 8109170322-B01, Version 1.0, 2012-07-18
2. Report-No: 8109170322-B02, Version 1.0, 2012-12-20
B/ Functional Safety Assessment Report of "Safe Watchdog Manager Stack" conformity against ISO26262, ASIL D. Report-No: 8109170322-B04, Version 1.0, 2013-02-25
[COMPL] TTTech Computertechnik AG, ISO_DIS_26262_Compliance.xls, D-INT-CL-70-001
7.2 Other Documents
[ISO] International Organization for Standardization, International Standard ISO26262 Road vehicles – Functional safety (all parts), 2011
10 - S-WdgM_UserManual
Safe Watchdog Manager User Manual
Version:
3.3.1
Date:
22.05.2014
Document number:
D-MSP-M-70-001
TTTech Automotive GmbH Schoenbrunner Str. 7, A-1040 Vienna, Austria, Tel. + 43 1 585 34 34-0, Fax +43 1 585 34 34-90, support@tttech-automotive.com
The data in this document may not be altered or amended without special notification from TTTech Automotive GmbH. TTTech Automotive GmbH undertakes no further obligation in relation to this document. The software described in it can only be used if the customer is in possession of a general license agreement or single license.
Using and copying is only allowed in concurrence with the specifications stipulated in the contract. Under no circumstances may any part of this document be copied, reproduced, transmitted, stored in a retrieval system, or translated into another language without written permission of TTTech Automotive GmbH.
The names and designations used in this document are trademarks or brands belonging to the respective owners.
© 2011 - 2014 TTTech Automotive GmbH. All rights reserved. Subject to changes and corrections.
TTTech Automotive GmbH Confidential and Proprietary Information
Safe Watchdog Manager Page 2
Table of Contents
1 Introduction ... 4
1.1 Architecture Overview ... 5
1.2 Use Cases ... 7
1.3 Safe Watchdog Manager Stack Content ... 8
2 Safe Watchdog Manager (S-WdgM) ... 9
2.1 File Structure ... 10
2.2 Basic Functionality of the S-WdgM ... 13
2.2.1 Supervised Entity and Program Flow Supervision ... 13
2.2.2 Deadline Monitoring ... 15
2.2.3 Alive Supervision ... 18
2.2.4 More Details on Checkpoints and Transitions ... 21
2.2.5 Global Transitions ... 22
2.2.6 Global Transitions and Program Flow ... 24
Example of an Incorrect Global Transition Split ... 24
Example of an Incorrect Program Split in the Middle of an Entity ... 25
2.2.7 S-WdgM Supervision Cycle ... 25
2.2.8 S-WdgM Stack Fault Reaction Time ... 27
2.2.9 Reset Path and Safe State ... 30
2.2.10 S-WdgM Local Entity State ... 31
2.2.11 S-WdgM Global State ... 33
2.3 Integration in AUTOSAR 3.1 and 4.0 Environments ... 33
2.4 Deviations from the AUTOSAR 4.0r1 Watchdog Manager ... 34
2.4.1 Entities, Checkpoints and Transitions ... 34
2.4.2 Tolerances ... 36
2.4.3 Watchdog and Reset ... 36
2.4.4 API ... 36
2.5 Configuration Parameters for the S-WdgM ... 38
2.5.1 S-WdgM Global Preprocessor Settings ... 38
2.5.2 S-WdgM General Settings ... 49
2.5.3 S-WdgM Supervised Entity Options ... 57
2.5.4 S-WdgM Checkpoint Options ... 65
2.5.5 Alive Counter Options ... 65
2.5.6 S-WdgM Local Transition Options ... 67
2.5.7 S-WdgM Global Transition Options ... 68
2.5.8 S-WdgM Local and Global Deadline Options ... 69
2.6 ECU Description Configuration ... 72
2.6.1 Assumptions/Constraints ... 72
2.7 API Description ... 73
2.7.1 S-WdgM Type Definitions ... 73
2.7.2 S-WdgM Application Level API Functions ... 76
2.7.3 Callback Functions ... 84
2.7.4 S-WdgM System Level API Functions ... 84
2.7.5 Expected Interfaces ... 88
2.7.6 AUTOSAR 3.1 Compatibility Mode ...
90User API ......................................................................................................................................................... 90
System A ..PI....................................................................................................................................................... 92
Safe Watchdog Manager 3.3.1© 2011 - 2014 TTTech Automotive GmbHDocument number: D-MSP-M-70-001TTTech Automotive Confidential and Proprietary
Safe Watchdog ManagerPage 3
3 Integration ... 94
3.1 Initialization of the S-WdgM ... 94
3.2 Memory Sections ... 95
3.3 Timing Setup ... 97
3.3.1 Deadline Measurement and Tick Counter ... 100
4 Configuration Generation ... 102
4.1 S-WdgM Configuration Generator ... 102
4.1.1 S-WdgM Configuration Verification ... 103
Installing the S-WdgM Verifier ... 104
4.2 Workflow ... 105
4.3 Output Files ... 107
4.4 Error Messages ... 108
4.4.1 Basic Errors ... 108
4.4.2 Semantic Errors ... 108
5 Appendix ... 114
5.1 Watchdog Manager Configuration Verifier Requirements ... 114
5.1.1 General Remarks ... 114
5.1.2 General Requirements ... 114
5.1.3 Deltas the S-WdgM Verifier Must Detect between the EDF and the Generated Configuration ... 114
5.1.4 Integrity Checks ... 118
5.1.5 Errors To Be Detected by the Verifier to Protect the Embedded Code ... 120
6 Abbreviations ... 122
7 Glossary ... 124
8 References ... 128
9 License Information ... 129
1 Introduction

The Safe Watchdog Manager (S-WdgM) Stack provides software modules to monitor the
correct functioning of safety-relevant activities in systems with software modules of
mixed criticality, such as newly developed safety-related functions, legacy functions,
and basic software. The S-WdgM Stack is designed to be used in automotive ECUs.

The S-WdgM Stack has three software modules:
- Safe Watchdog Manager (S-WdgM)
- Safe Watchdog Interface (S-WdgIf)
- Safe Watchdog Driver (S-Wdg)

The S-WdgM can run on single-core and multi-core systems.
This user manual describes the S-WdgM, which is an AUTOSAR basic software module that
is part of the AUTOSAR service layer. The S-WdgM checks the logical program flow and
the temporal behavior of the program flow of safety-relevant functions. Safety-relevant
functions use checkpoint calls to send life signs to the S-WdgM.

Internal or external watchdog hardware is used independently from the system CPU to
monitor
- if the system is still alive,
- if the system functions properly, and
- if the system shows the correct temporal behavior and logical program flow.
The S-WdgM was developed according to AUTOSAR version 4.0 r1 [1]. However, its
functionality can be restricted to the functionality described by AUTOSAR 3.1 r4 in the
AUTOSAR 3.1 compatibility mode.

The S-WdgM is designed to be integrated into AUTOSAR 3.1.4 or 4.0.1 compatible
environments. However, it is not restricted to these AUTOSAR versions only. The
software module can also be integrated into other versions of AUTOSAR and other
system software architectures if the integration-related requirements listed in the Safe
Watchdog Manager Safety Manual [5] are met.

The S-WdgM is compatible with the AUTOSAR 4.0 r1 Watchdog Manager, but not fully
compliant. For deviations from the AUTOSAR 4.0 r1 specification, see Section
Deviations from the AUTOSAR 4.0 r1 Watchdog Manager (page 34).
This user manual does not cover safety-related topics. For safety-related requirements
for integration and application of the S-WdgM, refer to the Safe Watchdog Manager
Safety Manual [5].
1.1 Architecture Overview

The S-WdgM Stack consists of the hardware-independent modules Safe Watchdog Manager
and Safe Watchdog Interface and a hardware-dependent module, the Safe Watchdog Driver.
Figure 1 shows the S-WdgM Stack with its modules in an AUTOSAR environment.
Fig. 1: Safe Watchdog Manager Stack in an AUTOSAR environment (shown: "Safe" and "QM"
software components with their checkpoints, the RTE, the AUTOSAR basic software, the
Safe Watchdog Manager, Safe Watchdog Interface and Safe Watchdog Driver, and the
internal microcontroller watchdog and external watchdog; legend: safety-related AUTOSAR
function, non-safety-related function, checking/protection function, watchdog function,
basic SW component function)

The S-WdgM controls, through the S-WdgIf and the S-Wdg, the hardware-implemented
watchdog controller, which can be one or more internal watchdog controllers or external
watchdog devices.

Note: A watchdog device requires a hardware-dependent S-Wdg driver.
Figure 2 shows the layered structure of the S-WdgM Stack. The attached watchdog
device can be internal or external.
Fig. 2: Layered structure of the Safe Watchdog Manager (shown from top to bottom:
applications and BSWs calling the Safe Watchdog Manager user API and system API; the
Safe Watchdog Manager; the Safe Watchdog Interface; the hardware-dependent Safe
Watchdog Drivers 1 and 2; and, in hardware, the internal and the external watchdog
device)

The S-WdgM monitors the program flow and timing constraints of so-called supervised
entities (SE). The SEs are software entities (like application software) that are
supervised by the S-WdgM. When the S-WdgM detects a violation of the preconfigured
program flow or the timing values, it takes a number of configurable actions to log that
violation and/or go to a safe state (for details, see Section Safe Watchdog Manager
(S-WdgM), page 9). The S-WdgM communicates with the system via the Safe Watchdog
Application Interface (API) (see Section API Description, page 73).
1.2 Use Cases

The S-WdgM monitors the user software at runtime and compares the preconfigured logical
and temporal constraints with the actual logical and temporal behavior. The S-WdgM can
monitor the following violations:
- timing violation (checked by deadline monitoring and alive monitoring)
- program flow violation (checked by program flow monitoring)

The S-WdgM periodically triggers the watchdog device through its interface (S-WdgIf)
and driver layer (S-Wdg). When the S-WdgM detects a fault in the program flow or timing,
then it stops the watchdog triggering, or it initiates a reset of the microcontroller
immediately or after a delay, depending on the S-WdgM configuration.

The S-WdgM monitors the following software and hardware faults:
- The supervised entity is executed but the execution was not requested.
- The supervised entity was not executed but the execution was requested.
- The execution of the supervised entity started too early or too late.
- The execution time of a supervised entity, of part of a supervised entity or of several
  supervised entities is longer or shorter than expected.
- The program flow of a supervised entity, of part of a supervised entity or of several
  supervised entities differs from the expected program flow.

The reaction of the S-WdgM to detected faults can be configured as follows:
- S-WdgM sends information about the detected fault.
- S-WdgM initiates a reset of the microcontroller after a watchdog timeout.
- S-WdgM initiates an immediate reset of the microcontroller.
1.3 Safe Watchdog Manager Stack Content

The Safe Watchdog Manager Stack consists of:

Embedded code:
- Safe Watchdog Manager (S-WdgM) software module
- Safe Watchdog Interface (S-WdgIf) software module
- Safe Watchdog Driver (S-Wdg) software modules
A part of the embedded code is generated out of a given ECU configuration.

S-WdgM Configuration Generators (which generate a part of the embedded code out of a
given ECU configuration):
- Safe Watchdog Manager Generator
- Safe Watchdog Interface Generator
- Safe Watchdog Driver Generator
- Safe Watchdog Manager Configuration Verifier

Configuration example:
- An example of an ECU configuration and the generated code.

Documentation:
- User Manuals covering the
  o Safe Watchdog Manager,
  o Safe Watchdog Interface, and
  o Safe Watchdog Drivers
- Safety Manuals covering the
  o Safe Watchdog Manager
  o Safe Watchdog Interface
  o Safe Watchdog Drivers
2 Safe Watchdog Manager (S-WdgM)

The S-WdgM monitors safety-relevant applications on the ECU. The S-WdgM is a basic
software module at the service layer of the standardized basic software architecture of
AUTOSAR. The S-WdgM monitors the program flow of a configurable number of so-called
supervised entities (SE). When the S-WdgM detects a violation of the preconfigured
temporal or logical constraints in the program flow, it takes a number of configurable
actions to log the fault and to go to a safe state after a configurable time delay. The
safe state is reached by resetting the watchdog or by omitting watchdog triggering.

Every supervised entity has a defined control flow. Significant points in this control
flow are represented by checkpoints (CP). This means the control flow can be modeled as
a graph, with the checkpoints being the nodes and the pieces of code in between being
the transitions (see Figure 4 for an example).

The S-WdgM configuration defines the allowed transitions between the checkpoints, and
the timing constraints for these transitions within every supervised entity and between
checkpoints of different supervised entities.

The supervised entities have to report to the S-WdgM when they have reached a
checkpoint. Thus, the developer has to insert calls at the checkpoints that pass this
information to the S-WdgM.

The S-WdgM functionality partially deviates from the AUTOSAR requirements. For details,
refer to Section Deviations from the AUTOSAR 4.0 r1 Watchdog Manager (page 34).
2.1 File Structure

Figure 3 gives an overview of the S-WdgM module.

Fig. 3: File structure of the S-WdgM module

Note: The file structure shown in Figure 3 corresponds to the integration of the S-WdgM
in an AUTOSAR 3.1 environment. The differences between an AUTOSAR 3.1 and an AUTOSAR
4.0 environment are described below in the following two tables.
The following files are part of the S-WdgM:

WdgM.c: Implementation of the S-WdgM, defines the API for the Service Layer of the
BSW-Layer.

WdgM_Checkpoint.c: Implementation of the S-WdgM, defines the API for the Application
Layer.

WdgM.h: Header file of the S-WdgM, provides API function declarations.

WdgM_Cfg.h: Provides defines and declarations for the S-WdgM configuration identifiers.

WdgM_MemMap.h or WdgM_OSMemMap.h: The file is generated and contains defines for the
memory management of the S-WdgM code and data. The integrator can place the status
variables of every supervised entity in a separate RAM sector (see also Section Memory
Sections, page 95). The file is included in the AUTOSAR MemMap.h file.
Note: The name of this generated file is WdgM_MemMap.h in an AUTOSAR 3.1 environment
and WdgM_OSMemMap.h in an AUTOSAR 4.0 environment.

WdgM_Cfg_Features.h: The file is generated and contains S-WdgM precompile directives.

WdgM_PBcfg.h: The file is generated and contains the declaration of the S-WdgM
configuration.

WdgM_PBcfg.c: The file is generated and contains the S-WdgM configuration.
The following files are included by the S-WdgM, but are not part of the S-WdgM:

WdgIf_Types.h: Provides the declaration of the S-WdgIf API.

Std_Types.h: AUTOSAR file.

Compiler.h: AUTOSAR file.
Compiler_Cfg.h: Contains compiler abstraction macros.

Platform_Types.h: AUTOSAR file.

MemMap.h: AUTOSAR file. Includes WdgM_MemMap.h.

Appl_Det.h *): Provides the API to a wrapper function for Det_ReportError().

Appl_Dem.h *): Provides the API to a wrapper function for Dem_ReportErrorStatus().
Note: In an AUTOSAR 4.0 environment, this file is indirectly included by WdgM.c. It is
included through the generated file WdgM_Cfg_Features.h.

Appl_Mcu.h *): Provides the API to a wrapper function for Mcu_PerformReset().

Rte_Type.h or Rte_WdgM_Type.h: Provides generated RTE type definitions for the WdgM.
Note: The name of this generated file is Rte_Type.h in an AUTOSAR 3.1 environment and
Rte_WdgM_Type.h in an AUTOSAR 4.0 environment.

SchM_WdgM.h: Provides the API of the Schedule Manager for entering and exiting an
exclusive area.

*) The services Det_ReportError(), Dem_ReportErrorStatus() and Mcu_PerformReset() may
not meet the quality level required for the S-WdgM. These services must be wrapped by a
wrapper service that has the same name as the corresponding AUTOSAR service with the
prefix Appl_, which guarantees freedom from interference. The implementation of the
wrapper service is not part of the S-WdgM. The Safe Watchdog Manager Safety Manual [5]
provides a guideline on how to implement the wrapper.

NOTE: A wrapper could be just a direct call to the corresponding module, but that
wrapper could also perform more complex operations such as switching the OS context
before calling the service.
2.2 Basic Functionality of the S-WdgM

As described in AUTOSAR [1], the S-WdgM is a basic software module that monitors the
program flow of supervised entities (SE).
2.2.1 Supervised Entity and Program Flow Supervision

A supervised entity is a software part that is monitored by the S-WdgM. There is no
fixed relationship between supervised entities and the architectural building blocks in
AUTOSAR.

The checkpoints mark important steps during the execution of an algorithm. At the
checkpoint, a supervised entity calls the function WdgM_CheckpointReached() (page 78)
directly (if no runtime environment is present) or with a wrapper function (if a runtime
environment is present), with that wrapper function being provided by the runtime
environment. The checkpoints are connected by transitions. Local transitions bind
checkpoints to a closed graph. These graphs represent the program flow.

The S-WdgM knows which program flow is correct and decides if a supervised entity
behaves as expected or violates the predefined rules.

The question of how to identify the checkpoints for an algorithm is a trade-off between
performance and code block size per checkpoint:
- The more checkpoints an algorithm has, the better is the representation of the code
  structure. But this has an adverse effect on performance.
- However, if an algorithm has only a few checkpoints, then there are code segments and
  program flow branches that are not represented. In this case, performance will be
  better, but not everything will be monitored.

A supervised entity can represent an algorithm, a function, or – in the case of an
operating system – an entire task. In the AUTOSAR definition, a supervised entity can be
distributed over more than one task or application. There can be several supervised
entities for the same task. However, the S-WdgM implementation does not support the
distribution of one supervised entity over more than one task or application when they
run in different contexts. The S-WdgM expects that at least one supervised entity and at
least one checkpoint are defined.

Figure 4 shows the example of a simple supervised entity called temperature_control:
Supervised entity temperature_control has six checkpoints (illustrated by oval boxes),
which are connected by directed transitions (illustrated by arrows). As can be seen in
Figure 4, it is possible to reach the checkpoint temperature_needs_correction after the
checkpoint read_temperature. However, reaching the checkpoint
heater_adjusted_successfully after the checkpoint read_temperature would be a violation
of the program flow.
Fig. 4: Example of a simple supervised entity with a control flow

Use program flow monitoring

Control (program) flow monitoring is highly recommended by ISO 26262-6 (7.4.14). Apart
from its main feature, which is to detect logical errors in the monitored algorithms,
program flow monitoring increases the probability of detecting illegal program counter
jumps within the whole system.
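As an added example (not code from the S-WdgM or this manual), the following C program models the Figure 4 graph as a transition table and judges reported checkpoints against it, exactly as the program flow check described above does. The three checkpoint names are taken from the text; the other three checkpoints and the edge set are assumptions chosen to complete the six-node graph, since the figure is not reproduced here.

```c
/* Program flow supervision of the temperature_control entity from Figure 4 (added
 * example, not S-WdgM code). The checkpoints read_temperature,
 * temperature_needs_correction and heater_adjusted_successfully are named in the manual;
 * the other three checkpoints and the transition set are ASSUMED to complete the
 * six-node graph, since the figure is not reproduced here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Checkpoints are the nodes of the control-flow graph. */
enum Checkpoint {
    CP_START = 0,                        /* assumed: entry checkpoint of the entity */
    CP_READ_TEMPERATURE,                 /* from Figure 4 */
    CP_TEMPERATURE_OK,                   /* assumed: no correction needed */
    CP_TEMPERATURE_NEEDS_CORRECTION,     /* from Figure 4 */
    CP_HEATER_ADJUSTED_SUCCESSFULLY,     /* from Figure 4 */
    CP_END                               /* assumed: exit checkpoint of the entity */
};

/* A local transition is a directed edge between two checkpoints of the same entity. */
struct Transition { enum Checkpoint from, to; };

/* Configured transitions: only these edges are legal. CP_END -> CP_START closes the
 * graph for the next activation of the entity. */
static const struct Transition temperature_control_transitions[] = {
    { CP_START,                        CP_READ_TEMPERATURE },
    { CP_READ_TEMPERATURE,             CP_TEMPERATURE_OK },
    { CP_READ_TEMPERATURE,             CP_TEMPERATURE_NEEDS_CORRECTION },
    { CP_TEMPERATURE_NEEDS_CORRECTION, CP_HEATER_ADJUSTED_SUCCESSFULLY },
    { CP_TEMPERATURE_OK,               CP_END },
    { CP_HEATER_ADJUSTED_SUCCESSFULLY, CP_END },
    { CP_END,                          CP_START },
};

/* Supervision state the monitor keeps per supervised entity. */
struct SupervisedEntity {
    const struct Transition *transitions;
    size_t transition_count;
    enum Checkpoint initial_cp;
    int last_cp;                         /* last reported checkpoint, -1 before the first */
    unsigned violations;                 /* program flow violations detected so far */
};

static bool transition_allowed(const struct SupervisedEntity *se,
                               enum Checkpoint from, enum Checkpoint to)
{
    for (size_t i = 0; i < se->transition_count; i++)
        if (se->transitions[i].from == from && se->transitions[i].to == to) return true;
    return false;
}

/* What the monitor does when WdgM_CheckpointReached() reports cp: the hit must continue
 * the configured graph from the previously reported checkpoint (the first hit must be
 * the entry checkpoint). Returns false on a program flow violation. */
static bool checkpoint_reached(struct SupervisedEntity *se, enum Checkpoint cp)
{
    bool ok = (se->last_cp < 0) ? (cp == se->initial_cp)
                                : transition_allowed(se, (enum Checkpoint)se->last_cp, cp);
    if (!ok) se->violations++;
    se->last_cp = (int)cp;   /* follow the flow that actually happened for later judgements */
    return ok;
}

/* Replays a recorded checkpoint sequence against the entity; returns the violation count. */
static unsigned replay(const enum Checkpoint *trace, size_t n)
{
    struct SupervisedEntity se = {
        temperature_control_transitions,
        sizeof temperature_control_transitions / sizeof temperature_control_transitions[0],
        CP_START, -1, 0
    };
    for (size_t i = 0; i < n; i++) checkpoint_reached(&se, trace[i]);
    return se.violations;
}

/* Constructed trace along an allowed path: expected 0 violations. */
unsigned run_legal_trace(void)
{
    static const enum Checkpoint trace[] = { CP_START, CP_READ_TEMPERATURE,
        CP_TEMPERATURE_NEEDS_CORRECTION, CP_HEATER_ADJUSTED_SUCCESSFULLY, CP_END };
    return replay(trace, sizeof trace / sizeof trace[0]);
}

/* Constructed trace that skips the correction step: heater_adjusted_successfully directly
 * after read_temperature is the violation discussed for Figure 4, so 1 is expected. */
unsigned run_illegal_trace(void)
{
    static const enum Checkpoint trace[] = { CP_START, CP_READ_TEMPERATURE,
        CP_HEATER_ADJUSTED_SUCCESSFULLY, CP_END };
    return replay(trace, sizeof trace / sizeof trace[0]);
}

int main(void)
{
    printf("legal trace:   %u violation(s)\n", run_legal_trace());
    printf("illegal trace: %u violation(s)\n", run_illegal_trace());
    return 0;
}
```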
It is possible to tolerate program flow violations within a supervised entity for a
certain amount of monitoring cycles. It is possible to define a program flow reference
cycle (a multiple of the S-WdgM monitoring cycle) and a tolerance, which is a number of
program flow reference cycles, during which program flow violations should be tolerated
for the supervised entity. If a program flow violation is detected for more program flow
reference cycles than the defined tolerance, then the supervised entity changes its
status from FAILED to EXPIRED.

The necessary configuration parameters to tolerate program flow violations of a
supervised entity are:
- WdgMFailedProgramFlowRefCycleTol (page 59): This parameter contains the acceptable
  amount of program flow violations for this supervised entity.
- WdgMProgramFlowReferenceCycle (page 60): This parameter contains the amount of
  supervision cycles to be used as reference by the program flow supervisions of this
  supervised entity.

Note: The program flow reference cycle for a supervised entity starts with the first
detected program flow violation and not with the S-WdgM startup. Hence, the first
program flow reference cycle starts with the transition of the supervised entity from
status OK to FAILED. If no program flow violation is detected for a whole program flow
reference cycle within the tolerance then the supervised entity recovers and changes its
status from FAILED to OK. Otherwise, if the tolerance is exhausted and the program
flow violations continue, then the supervised entity changes its status to EXPIRED. It can
be said that the program flow reference cycle is processed only during the status
FAILED – it starts with the first detected program flow violation. The program flow
reference cycle is restarted with each following transition from OK to FAILED, and it is
not processed during the status OK, EXPIRED or DEACTIVATED.
2.2.2 Deadline Monitoring

The main purpose of deadline monitoring is to check the temporal, dynamic behavior of
the supervised entity. However, it would also strongly increase the probability of
detecting random jumps or irregular updates of the timebase tick counter, which might
otherwise degrade system integrity without being discovered.

The temporal behavior of the supervised entities can be monitored by assigning deadlines
to transitions. A deadline is defined through a maximum deadline (parameter
WdgMDeadlineMax, page 69) and a minimum deadline (parameter WdgMDeadlineMin, page 69).
The destination checkpoint of a transition should not be reached before the minimum time
or after the maximum time after which the source checkpoint of that transition was
reached. Otherwise the S-WdgM will detect a deadline violation. Apart from a maximum
deadline time it is strongly recommended to use a minimum deadline time as well, where
applicable. This allows discovering timebase tick counter errors implicitly.

Deadlines are good for discovering crashed tasks or infinite loops. If the destination
checkpoint is never reached because the task ended with an error or is stuck in a loop,
this would cause a deadline violation.

A transition is considered to violate its deadline if the destination checkpoint is not
hit within the configured deadline interval. A deadline is assigned to an already
defined transition by specifying the same source and destination checkpoints as for the
transition. The corresponding deadline parameters are WdgMDeadlineStartRef (page 70) and
WdgMDeadlineStopRef (page 70).

Note: A transition should be defined either as a local or a global transition.
- As for local transitions, the source and destination checkpoints belong to the same
  supervised entity.
- As for global transitions, the source and destination checkpoints belong to different
  supervised entities.

An example of a supervised entity with deadlines defined for its transitions is given
below.

Note: The first deadline is defined to have a minimum of 0 and a maximum of 2
(seconds). Hence, CP1 must be reached no later than 2 seconds after CP0. The second
deadline implies that CP2 must be reached no earlier than 1 and no later than 3 seconds
after CP1. Otherwise a deadline violation will be detected.
Fig. 5: Example of a simple supervised entity with deadlines

Note: Deadline violation is detected
- when the next checkpoint is reached outside the defined deadline or
- within the WdgM_MainFunction() (page 85) if the next checkpoint is not reached at all
  (or has not been reached yet) and the maximum deadline has already expired.

A slightly more complex situation is when several transitions go out of the same
checkpoint. In this case, deadline violations are detected in the same manner when the
next checkpoint is reached outside the defined deadlines. However, if none of the next
checkpoints is reached, the WdgM_MainFunction() (page 85) detects a deadline violation
only after the maximum of maximum deadlines of all outgoing transitions has elapsed,
which is shown in Figure 6. If the program gets stuck after CP0, the deadline violation
is detected within the next main function that is executed not earlier than 5 seconds
after reaching CP0.
Fig. 6: Example of multiple outgoing transitions with deadlines

A special case is a hybrid situation when some of the outgoing transitions have
deadlines and others do not. In this case, the main function detects a deadline
violation if none of the next checkpoints is reached within the maximum of maximum
deadlines in order to detect blocked supervised entities. No deadline violation will be
detected after the maximum has expired, however, if the checkpoint without deadline is
reached before the main function. If none of CP1, CP2 is reached after CP0 (Figure 7),
then the next WdgM_MainFunction() (page 85) (executed at least 2 seconds after CP0 is
reached) detects a deadline violation. If, however, CP1 is reached after 2 seconds, but
before the next WdgM_MainFunction() (page 85), no deadline violation would be detected.

Note: To avoid this ambiguous situation it is a good practice to define deadlines for
all outgoing transitions of a checkpoint (or for none of them).

Fig. 7: Example of the case where only one of several outgoing transitions has a
deadline

The rules for deadline violation detection also apply to global transitions or to the
case of local transitions mixed with global transitions at a checkpoint.
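The detection rules of this section, as an added C example that is not part of the manual or the S-WdgM: a transition table with optional deadline windows, the check performed when a checkpoint is reported, and the check a main function performs for a blocked entity. Figure 5's deadline values are taken from the text; the tables used for Figures 6 and 7 and the 100 ms tick period are assumptions chosen to reproduce the detection times the text quotes.

```c
/* Deadline monitoring as described for Figures 5 to 7 (added example, not S-WdgM code).
 * Figure 5 deadlines (CP0->CP1 0..2 s, CP1->CP2 1..3 s) are from the manual; the tables
 * ASSUMED for Figure 6 (CP0->CP1 max 2 s, CP0->CP2 max 5 s) and Figure 7 (CP0->CP1 without
 * deadline, CP0->CP2 max 2 s) reproduce the 5 s and 2 s detection times the text quotes.
 * Boundary ticks are avoided in the scenarios because the text does not pin them down. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint32_t tick_t;                 /* timebase tick counter value */
#define SEC(s) ((tick_t)((s) * 10U))     /* assumed tick period: 100 ms */
enum { CP0, CP1, CP2 };

struct Transition {
    int from, to;
    bool has_deadline;                   /* false: no WdgMDeadlineMin/Max assigned to it */
    tick_t min, max;                     /* WdgMDeadlineMin / WdgMDeadlineMax in ticks */
};

struct DeadlineMonitor {
    const struct Transition *table;
    size_t count;
    int pending_from;                    /* checkpoint whose successor is awaited, -1 if none */
    tick_t pending_since;                /* tick at which pending_from was reached */
    unsigned violations;
};
#define MONITOR_INIT(tab) { (tab), sizeof (tab) / sizeof (tab)[0], -1, 0, 0 }

/* Checkpoint cp reported (WdgM_CheckpointReached) at tick now: the transition from the
 * pending checkpoint is judged against its window; a transition without a deadline is a
 * program flow matter only and is not judged here. Returns false on a deadline violation. */
static bool deadline_checkpoint_reached(struct DeadlineMonitor *m, int cp, tick_t now)
{
    tick_t elapsed = now - m->pending_since;
    bool ok = true;
    for (size_t i = 0; m->pending_from >= 0 && i < m->count; i++) {
        const struct Transition *t = &m->table[i];
        if (t->from == m->pending_from && t->to == cp && t->has_deadline)
            ok = (elapsed >= t->min) && (elapsed <= t->max);
    }
    if (!ok) m->violations++;
    m->pending_from = cp;                /* cp now awaits its own successor */
    m->pending_since = now;
    return ok;
}

/* The check made in WdgM_MainFunction() at tick now: no successor of the pending
 * checkpoint was reached and the largest maximum among its outgoing transitions WITH a
 * deadline has elapsed, so the entity is blocked. Transitions without a deadline do not
 * extend that limit (hybrid case, Figure 7). Clearing pending_from afterwards, so the
 * same blockage is not counted on every call, is a modelling choice of this example. */
static bool deadline_main_function(struct DeadlineMonitor *m, tick_t now)
{
    tick_t max_of_max = 0;
    bool any = false;
    if (m->pending_from < 0) return true;
    for (size_t i = 0; i < m->count; i++) {
        const struct Transition *t = &m->table[i];
        if (t->from != m->pending_from || !t->has_deadline) continue;
        any = true;
        if (t->max > max_of_max) max_of_max = t->max;
    }
    if (!any || now - m->pending_since <= max_of_max) return true;
    m->violations++;
    m->pending_from = -1;
    return false;
}

/* Figure 5: CP1 at 1.5 s (inside 0..2 s) is fine; CP2 only 0.5 s later violates the 1 s
 * minimum. Returns the violation count: 1. */
unsigned scenario_fig5(void)
{
    static const struct Transition t[] = { {CP0, CP1, true, SEC(0), SEC(2)}, {CP1, CP2, true, SEC(1), SEC(3)} };
    struct DeadlineMonitor m = MONITOR_INIT(t);
    deadline_checkpoint_reached(&m, CP0, SEC(0));
    deadline_checkpoint_reached(&m, CP1, 15);    /* 1.5 s after CP0 */
    deadline_checkpoint_reached(&m, CP2, 20);    /* 0.5 s after CP1: too early */
    return m.violations;
}

/* Figure 6: stuck after CP0; true if the main function run at main_at reports it.
 * Expected: false at 3 s, true at 6 s (the maximum of the maximum deadlines is 5 s). */
bool scenario_fig6_stuck(tick_t main_at)
{
    static const struct Transition t[] = { {CP0, CP1, true, SEC(0), SEC(2)}, {CP0, CP2, true, SEC(0), SEC(5)} };
    struct DeadlineMonitor m = MONITOR_INIT(t);
    deadline_checkpoint_reached(&m, CP0, SEC(0));
    return !deadline_main_function(&m, main_at);
}

/* Figure 7 (hybrid): only CP0->CP2 has a deadline. CP1 (no deadline) reached at 2.5 s, before
 * the main function at 3 s, ends the wait: 0 violations. Nothing reached: 1 violation at 3 s. */
unsigned scenario_fig7_hybrid(bool cp1_reached_late)
{
    static const struct Transition t[] = { {CP0, CP1, false, 0, 0}, {CP0, CP2, true, SEC(0), SEC(2)} };
    struct DeadlineMonitor m = MONITOR_INIT(t);
    deadline_checkpoint_reached(&m, CP0, SEC(0));
    if (cp1_reached_late) deadline_checkpoint_reached(&m, CP1, 25);   /* 2.5 s after CP0 */
    deadline_main_function(&m, SEC(3));
    return m.violations;
}
```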
It is possible to tolerate deadline violations within a supervised entity for a certain
amount of monitoring cycles. It is possible to define a deadline reference cycle (a
multiple of the S-WdgM monitoring cycle) and a tolerance, which is a number of
deadline reference cycles, during which deadline violations should be tolerated for the
supervised entity. If a deadline violation is detected for more deadline reference
cycles than the defined tolerance, then the supervised entity changes its status from
FAILED to EXPIRED.

The necessary configuration parameters to tolerate deadline violations of a supervised
entity are:
- WdgMFailedDeadlineRefCycleTol (page 58): This parameter contains the acceptable amount
  of violated deadlines for this supervised entity.
- WdgMDeadlineReferenceCycle (page 59): This parameter contains the amount of
  supervision cycles to be used as reference by the deadline supervisions of this
  supervised entity.

Note: The deadline reference cycle for a supervised entity starts with the first
detected deadline violation and not with the S-WdgM start up. Hence, the first deadline
reference cycle starts with the transition of the supervised entity from the status OK
to FAILED. If no deadline violation is detected for a whole deadline reference cycle
within the tolerance, then the supervised entity recovers and changes its status from
FAILED to OK. Otherwise, if the tolerance is exhausted and the deadline violations
continue, then the supervised entity changes its status to EXPIRED. It can be said that
the deadline reference cycle is processed only during the status FAILED – it starts with
the first detected deadline violation. The deadline reference cycle is restarted with
each following transition from OK to FAILED, and it is not processed during the status
OK, EXPIRED or DEACTIVATED.
2.2.3 Alive Supervision
Aliveness monitors the frequency of hits of checkpoints. For example, the algorithm could expect a sensor to report its measurements on a regular basis, and a certain task needs to process this data periodically. If a task stops reporting (alive sign is lost or too infrequent) or starts reporting too often, then the aliveness of that task is violated.
Alive supervision is associated with a checkpoint in a supervised entity. If you need to monitor only the frequency with which a task is called, you can make it a supervised entity that contains only one checkpoint with the corresponding aliveness parameters.
Note: Irregular calls of the S-WdgM main function or the omission of calls of WdgM_CheckPointReached() would most likely result in an aliveness violation.
When alive monitoring for a checkpoint is activated, then that checkpoint must be regularly called for the entire period during which the supervised entity is active, otherwise an aliveness violation will be detected. In the first supervision cycle, the alive counter evaluation can be suppressed by the parameter WdgMFirstCycleAliveCounterReset.
It is important to consider which aliveness parameters are better for a specific situation. The example below shows how to choose the appropriate alive supervision parameters.
Let a supervised entity with one checkpoint monitor the aliveness of a task. The S-WdgM has a period of 20ms, one S-WdgM tick is 1ms. The task is periodic with a fixed period of 30ms. The aliveness parameters that must be set are:
o WdgMExpectedAliveIndications: Defines how many alive indications (checkpoint reached calls) are expected within one supervision reference cycle.
o WdgMSupervisionReferenceCycle: Defines the supervision reference cycle length as a number of supervision cycles (WdgMSupervisionCycle).
o WdgMMinMargin: Defines the lower tolerance of expected alive indications.
o WdgMMaxMargin: Defines the upper tolerance of expected alive indications.
o Hence, the allowed number of indications within one WdgMSupervisionReferenceCycle is in the range [WdgMExpectedAliveIndications - WdgMMinMargin, WdgMExpectedAliveIndications + WdgMMaxMargin].
Note: In contrast to the deadline and program flow reference cycle, the alive supervision cycle begins with the S-WdgM startup. The alive supervision in the very first cycle can be influenced by the parameter WdgMFirstCycleAliveCounterReset. This is
because each alive counter is evaluated once per supervision reference cycle. This
means that the supervision reference cycle is processed from the system startup on and
during the status OK and FAILED of the corresponding supervised entity. If the
supervised entity is in the status EXPIRED, then the supervision reference cycle is not
needed anymore. If the supervised entity is in the status DEACTIVATED, then the
supervision reference cycle is frozen. It is restarted if the supervised entity is activated
again.
There are several ways for monitoring the task given in the example above. Below, one variant is given:
Set
WdgMExpectedAliveIndications=1
WdgMSupervisionReferenceCycle=1
WdgMMinMargin=1
WdgMMaxMargin=0
This means the S-WdgM should expect 1 or 0 (WdgMExpectedAliveIndications - WdgMMinMargin) occurrences within one supervision reference cycle, which is fixed to 20ms (which is one S-WdgM supervision cycle).
Figure 8 illustrates this example.
[Figure 8: timeline of a task with a period of 30ms monitored over S-WdgM periods of 20ms; checkpoint parameters EAI = 1, SRC = 1, min = 1, max = 0; supervision reference cycle 20ms; number of alive indications per supervision cycle: 1, 1, 1, 0; each supervision cycle ends with WdgM_MainFunction()]
Fig. 8: A task being monitored during one S-WdgM supervision cycle (20ms)
However, if the task stops being executed it will not be detected, because zero alive indications per supervision reference cycle are tolerated. Therefore, this choice of aliveness parameters is not very good.
Below, a second variant is given:
Set
WdgMExpectedAliveIndications=2
WdgMSupervisionReferenceCycle=2
WdgMMinMargin=1
WdgMMaxMargin=0
This means the S-WdgM should expect 1 or 2 alive indications within one supervision reference cycle, which is fixed to 40ms (and which is two S-WdgM supervision cycles).
Figure 9 illustrates this example.
[Figure 9: timeline of a task with a period of 30ms monitored over S-WdgM periods of 20ms; checkpoint parameters EAI = 2, SRC = 2, min = 1, max = 0; supervision reference cycle 40ms; number of alive indications per supervision reference cycle: 2, 1; each supervision cycle ends with WdgM_MainFunction()]
Fig. 9: A task being monitored during two S-WdgM supervision cycles (40ms)
This configuration solves the problem of detecting the disappearance of the task. However, the reaction time for error detection doubles from 20 to 40ms.
A third variant would be to set the supervision reference cycle to the least common multiple of the S-WdgM supervision cycle and the task period. In the example given above this would be 60ms (three S-WdgM supervision cycles). In this case, we expect exactly 2 alive indications. Hence, the minimum and maximum margins are both 0.
Note: The task period and the S-WdgM supervision cycle must be synchronized and started with an offset to each other (e.g., scheduled in an operating system).
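To compare the three variants, here is an added simulation written for this page (it is not S-WdgM code): it counts the alive indications of the 30ms task per 20ms supervision cycle and evaluates the counter at the end of each supervision reference cycle exactly as the range rule above prescribes. The checkpoint hit times (0, 30, 60, ... ms), the 12-cycle horizon and the time at which the task stops are constructed assumptions.

```c
#include <limits.h>
#include <stdio.h>

/* Alive supervision parameters of one checkpoint; the field names are the
 * S-WdgM configuration parameters discussed in the text. */
typedef struct {
    unsigned WdgMExpectedAliveIndications;
    unsigned WdgMSupervisionReferenceCycle; /* length in supervision cycles */
    unsigned WdgMMinMargin;
    unsigned WdgMMaxMargin;
} AliveCfg;

/* Timing of the manual's example (constructed simulation, not S-WdgM code). */
#define WDGM_PERIOD_MS 20u /* one S-WdgM supervision cycle */
#define TASK_PERIOD_MS 30u /* period of the monitored task */

/* Simulate `cycles` supervision cycles. The task reaches its checkpoint at
 * t = 0, 30, 60, ... ms until it stops at `task_stop_ms` (UINT_MAX: never).
 * Supervision cycle c covers [(c-1)*20, c*20) ms and ends with a call of
 * WdgM_MainFunction(), which evaluates the alive counter only at the end of
 * a supervision reference cycle. Returns the 1-based number of the cycle at
 * whose end the first alive violation is detected, or 0 if none is detected. */
unsigned simulate_alive(const AliveCfg *cfg, unsigned cycles, unsigned task_stop_ms)
{
    unsigned count = 0;       /* alive indications in the current reference cycle */
    unsigned pos = 0;         /* supervision cycles elapsed in the reference cycle */
    unsigned next_hit_ms = 0; /* time of the next checkpoint hit */
    int lo = (int)cfg->WdgMExpectedAliveIndications - (int)cfg->WdgMMinMargin;
    int hi = (int)cfg->WdgMExpectedAliveIndications + (int)cfg->WdgMMaxMargin;

    for (unsigned c = 1; c <= cycles; c++) {
        unsigned cycle_end_ms = c * WDGM_PERIOD_MS;
        /* Every WdgM_CheckpointReached() call inside this cycle counts once. */
        while (next_hit_ms < cycle_end_ms && next_hit_ms < task_stop_ms) {
            count++;
            next_hit_ms += TASK_PERIOD_MS;
        }
        if (++pos == cfg->WdgMSupervisionReferenceCycle) {
            /* End of the reference cycle: the count must lie within
             * [EAI - WdgMMinMargin, EAI + WdgMMaxMargin]. */
            if ((int)count < lo || (int)count > hi)
                return c;
            count = 0;
            pos = 0;
        }
    }
    return 0;
}

int main(void)
{
    const AliveCfg v1 = {1, 1, 1, 0}; /* variant 1: 0..1 hits per 20ms  */
    const AliveCfg v2 = {2, 2, 1, 0}; /* variant 2: 1..2 hits per 40ms  */
    const AliveCfg v3 = {2, 3, 0, 0}; /* variant 3: exactly 2 hits per 60ms */
    const AliveCfg *v[] = {&v1, &v2, &v3};
    for (int i = 0; i < 3; i++) {
        printf("variant %d: running task -> violation in cycle %u, "
               "task stopped at 100ms -> violation in cycle %u\n", i + 1,
               simulate_alive(v[i], 12, UINT_MAX),
               simulate_alive(v[i], 12, 100));
    }
    return 0;
}
```

Variant 1 never reports a violation even when the task never runs at all, whereas variants 2 and 3 detect the stopped task at the end of their next supervision reference cycle.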
2.2.4 More Details on Checkpoints and Transitions
Every supervised entity has one initial checkpoint. The number of end checkpoints can be zero, one or more than one. If the supervised entity contains only one single checkpoint, then it should be both an initial and an end checkpoint.
Local transitions are defined by their source and destination checkpoints, which must belong to the same supervised entity. Those local transitions are specified in the parameters WdgMLocalTransitionSourceRef and WdgMLocalTransitionDestRef.
After initialization of the S-WdgM, all supervised entities are passive.
Note: This has nothing to do with the supervised entity state WDGM_LOCAL_STATUS_DEACTIVATED.
A supervised entity becomes active when its local initial checkpoint has been called. In the example of the supervised entity temperature_control (see Section Supervised Entity and Program Flow Supervision, page 13, and Figure 4), the initial checkpoint is read_temperature. Only if the supervised entity is active may its checkpoints (other than the initial checkpoint) be reached; otherwise a program flow violation occurs. Reaching an end checkpoint, the supervised entity is set to the passive state, and it can be activated again only through the initial checkpoint. Reaching the initial checkpoint again after the supervised entity has been activated is a program flow violation.
Local reflexive transitions (from a checkpoint to itself) are allowed only when
configured. The reflexive transitions cannot be defined for local initial or local end
checkpoints.
Local initial checkpoints are not allowed to have local incoming transitions.
Local end checkpoints are not allowed to have local outgoing transitions.
2.2.5 Global Transitions
It is possible to represent program flow dependencies between supervised entities by using so-called global transitions. Global transitions are defined for the S-WdgM configuration by their source and destination checkpoints, which must belong to different supervised entities and which are specified by the parameters WdgMGlobalTransitionSourceRef and WdgMGlobalTransitionDestRef. The end checkpoint of a supervised entity is usually connected to the initial checkpoint of another supervised entity, expressing a logical dependency between them. However, global transitions are allowed between any two checkpoints of any two supervised entities.
One must keep in mind several things when defining a global transition between two
arbitrary checkpoints:
If the source of the global transition is not a local end checkpoint, then the source entity
will remain active. Program flow violation would occur if its initial checkpoint were
reached again.
If the destination checkpoint of the global transition is not a local initial checkpoint, the destination entity may not be active. A program flow violation would occur if a non-initial checkpoint of an inactive supervised entity were reached.
Exactly one global initial checkpoint must be defined. The first global transition
passed must have that checkpoint as a source.
It is possible to define one or several global end checkpoints or none. Once the global
end checkpoint served as a destination checkpoint of a global transition, no more
global transitions are allowed (unless they are started with the global initial
checkpoint).
Figure 10 shows a global transition between two supervised entities:
The pressure_sensor_task gets the pressure value.
The control_pressure_task calculates a reaction and reacts to the measured pressure. However, it can start only after the first task (pressure_sensor_task) has finished and after the pressure value has been obtained. This relation is shown by a global transition (see dotted arrow).
Some transitions in Figure 10 have comments that show deadlines in milliseconds. Deadlines can also be defined for global transitions (see dotted arrow), where 1..5ms means that the second task (control_pressure_task) should start not later than 5ms, but not earlier than 1ms after the first task has finished.
Fig. 10: Global transition between two supervised entities
2.2.6 Global Transitions and Program Flow
In general, the program flow does not differ between local and global transitions. But what seems intuitive for local transitions might not be so obvious for global transitions. This section gives examples that show the usage of local and global transitions with a focus on program flow split.
From the perspective of the S-WdgM, the program flow is the consecutive reaching of
checkpoints. The start of each program flow must be a local initial checkpoint. The
program flow propagates through local transitions within the boundaries of a supervised
entity and through global transitions within the boundaries of the whole system. The
program flow might eventually come to an end at a local end checkpoint, or never come
to an end if a program flow loop occurs.
A very important feature is that it is not allowed to split the program flow. This means
that the program flow is allowed to take only one transition at each checkpoint from
which more than one local or global transition comes out.
2.2.6.1 Example of an Incorrect Global Transition Split
Figure 11 shows that after checkpoint cp0_1 the program flow must decide to take either the global transition to cp1_0 or the global transition to cp2_0. Reaching cp2_0 immediately after reaching cp1_0 would result in a program flow violation.
Fig. 11: Incorrect global transition split
2.2.6.2 Example of an Incorrect Program Split in the Middle of an Entity
Figure 12 shows another example. Let us assume that the program flow reaches cp0_0 and then cp0_1. Afterward the program flow decides to take the global transition reaching cp1_0 instead of taking the local transition. Now, if the local transition took place afterward (by reaching cp0_2), a program flow violation would occur. However, cp0_2 can be reached via the global transition if the program flow comes from cp1_1.
Fig. 12: Incorrect program split in the middle of an entity
Note: It is easy to create configurations with complex global transitions that do not make much sense in a real system. For example, if "jumping out" of a supervised entity from a checkpoint that is not a local end checkpoint, one must keep in mind that this supervised entity is still active (local activity flag is still true), and it cannot be restarted by reaching its local initial checkpoint again. Thus, it is recommended to use global transitions carefully and let them start only at local end checkpoints of a supervised entity and end at a local initial checkpoint of some other entity. Exceptions to this must be analyzed thoroughly, with respect to the program flow and the local activity of both supervised entities.
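The activity and no-split rules of Sections 2.2.4 to 2.2.6, as an added model written for this page (it is not the S-WdgM implementation): a checkpoint-reached check run over a constructed configuration that follows the text's description of Figures 11 and 12 (entity 0 with cp0_0 -> cp0_1 -> cp0_2, entity 1 with cp1_0 -> cp1_1, entity 2 with cp2_0 only; global transitions cp0_1 -> cp1_0, cp0_1 -> cp2_0 and cp1_1 -> cp0_2). The real figures are not reproduced here, and the global initial/end checkpoint rules are left out of the model.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_ENT 3

/* Checkpoint ids are per entity: cpE_N in the text is {E, N} here. */
typedef struct { int ent, cp; } Cp;
typedef struct { Cp src, dst; } Trans;

/* Constructed configuration (assumption) following the text on Fig. 11/12. */
static const int initial_cp[N_ENT] = {0, 0, 0};
static const int end_cp[N_ENT]     = {2, 1, 0};
static const Trans local_tr[]  = { {{0,0},{0,1}}, {{0,1},{0,2}}, {{1,0},{1,1}} };
static const Trans global_tr[] = { {{0,1},{1,0}}, {{0,1},{2,0}}, {{1,1},{0,2}} };
#define LEN(a) (int)(sizeof(a) / sizeof((a)[0]))

typedef struct {
    bool active[N_ENT];         /* local activity flag */
    int  last_cp[N_ENT];        /* last checkpoint reached in the entity */
    bool left_by_global[N_ENT]; /* flow already left last_cp via a global transition */
    Cp   global_pos;            /* last reached checkpoint that is a global source; ent < 0 = none */
} Flow;

static bool same(Cp a, Cp b) { return a.ent == b.ent && a.cp == b.cp; }

static bool has_trans(const Trans *t, int n, Cp s, Cp d)
{
    for (int i = 0; i < n; i++)
        if (same(t[i].src, s) && same(t[i].dst, d)) return true;
    return false;
}

static bool is_global_dst(Cp d)
{
    for (int i = 0; i < LEN(global_tr); i++)
        if (same(global_tr[i].dst, d)) return true;
    return false;
}

static bool is_global_src(Cp s)
{
    for (int i = 0; i < LEN(global_tr); i++)
        if (same(global_tr[i].src, s)) return true;
    return false;
}

void flow_init(Flow *f)
{
    for (int e = 0; e < N_ENT; e++) {
        f->active[e] = false; f->last_cp[e] = -1; f->left_by_global[e] = false;
    }
    f->global_pos = (Cp){-1, -1};
}

/* Model of WdgM_CheckpointReached(): true if reaching `c` keeps the program
 * flow valid, false on a program flow violation. */
bool checkpoint_reached(Flow *f, Cp c)
{
    int e = c.ent;
    bool via_global = f->global_pos.ent >= 0 &&
                      has_trans(global_tr, LEN(global_tr), f->global_pos, c);

    if (c.cp == initial_cp[e]) {
        if (f->active[e]) return false;                    /* initial hit again while active */
        if (is_global_dst(c) && !via_global) return false; /* must follow its global transition */
        f->active[e] = true;
    } else {
        if (!f->active[e]) return false;                   /* non-initial cp of inactive entity */
        bool via_local = !f->left_by_global[e] &&
                         has_trans(local_tr, LEN(local_tr), (Cp){e, f->last_cp[e]}, c);
        if (!via_local && !via_global) return false;       /* no transition left: split or jump */
    }
    if (via_global) {                                      /* the global transition is consumed */
        f->left_by_global[f->global_pos.ent] = true;
        f->global_pos = (Cp){-1, -1};
    }
    f->last_cp[e] = c.cp;
    f->left_by_global[e] = false;
    if (is_global_src(c)) f->global_pos = c;
    if (c.cp == end_cp[e]) f->active[e] = false;           /* end checkpoint: entity passive */
    return true;
}

/* Run a checkpoint sequence; returns the 1-based index of the first violating
 * checkpoint, or 0 if the whole sequence is a valid program flow. */
int first_violation(const Cp *seq, int n)
{
    Flow f;
    flow_init(&f);
    for (int i = 0; i < n; i++)
        if (!checkpoint_reached(&f, seq[i])) return i + 1;
    return 0;
}

int main(void)
{
    const Cp fig11[] = { {0,0},{0,1},{1,0},{2,0} };       /* split: cp2_0 after cp1_0 */
    const Cp fig12[] = { {0,0},{0,1},{1,0},{0,2} };       /* split inside entity 0 */
    const Cp ok[]    = { {0,0},{0,1},{1,0},{1,1},{0,2} }; /* cp0_2 reached from cp1_1 */
    printf("fig11: violation at step %d\n", first_violation(fig11, LEN(fig11)));
    printf("fig12: violation at step %d\n", first_violation(fig12, LEN(fig12)));
    printf("valid: violation at step %d\n", first_violation(ok, LEN(ok)));
    return 0;
}
```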
2.2.7 S-WdgM Supervision Cycle
The supervision cycle is the time period in which the cyclic supervision algorithm is executed. At the end of each supervision cycle, the main function, WdgM_MainFunction(), is called. This function evaluates the checkpoint data gathered in the previous period and triggers the Watchdog if no violation has been detected. Function WdgM_MainFunction() also checks for violations depending on the reference cycle defined for the respective monitoring feature.
Example: If WdgMProgramFlowReferenceCycle=3, then the check for program flow violation is done in every third call of WdgM_MainFunction().
The shorter this period and the reference cycles, the shorter the reaction time of the S-WdgM, but the more processor time is consumed.
Note: Aliveness supervision is strongly connected to this period. The expected number of alive indications for a certain checkpoint refers to the last supervision reference cycle (configurable for the checkpoint), which is expressed in the number of supervision cycles.
Figure 13 shows a time span with 3 supervision cycles. In each cycle, CP1 and CP2 are hit once. Once the S-WdgM main function is called, the window for the next watchdog trigger is defined by WdgMTriggerWindowStart and WdgMTriggerConditionValue.
[Figure 13: three supervision cycles on a time axis; in each cycle Entity 1 hits CP1 and CP2, then WdgM_MainFunction() runs and the WD trigger occurs; marked intervals: WdgMTriggerWindowStart, WdgMSupervisionCycle, WdgMTriggerConditionValue, trigger window]
Explanations:
Trigger window
CP1, CP2: Checkpoint 1 and 2
WD trigger: Point where the watchdog trigger occurs
Entity1: Entity with two checkpoints
Green bar: Time window where re-triggering is allowed
Fig. 13: S-WdgM supervision cycle
2.2.8 S-WdgM Stack Fault Reaction Time
The S-WdgM distinguishes between the fault detection time and the fault reaction time.
The fault detection time spans from the occurrence of an error to the point in time when that error is detected and communicated to the system (via DET or callback functions).
The fault reaction time spans from the detection of an error to the actual system reset.
If a program flow violation or a deadline violation occurs, the source checkpoint and the destination checkpoint report to the S-WdgM when hit. At the end of the current supervision cycle, the S-WdgM main function, WdgM_MainFunction(), is called and the violation is detected (i.e. the configured destination checkpoint was hit too late or not at all) and communicated to the system.
If an alive counter violation occurs, it is also the S-WdgM main function that detects and communicates the violation at the end of the supervision reference cycle of the alive supervision.
Once a violation has been detected, the S-WdgM can (depending on the configuration) immediately go to a safe state (i.e. reset the WS or discontinue triggering the WD) or allow a configurable number of violations in a row and, hence, delay the safe state for this amount of supervision reference cycles.
The decision whether to trigger or reset the WD or not is made within the S-WdgM main function. This function also performs the trigger and reset.
The shortest fault detection and reaction time can be achieved by configuring an
immediate reset. However, the time still depends on what occurs first in a supervision
cycle, the fault or the hit of the checkpoint.
Figure 14 shows a scenario with a fault occurring first. The checkpoint registers the
fault, and at the end of the current supervision cycle, the fault is detected,
communicated, with the system being reset.
Note: For alive supervision, the detection is at the end of the current supervision
reference cycle.
[Figure 14: timeline of supervision cycles in which the fault occurs before the checkpoint CP is hit; the fault is detected at the end of that cycle in WdgM_MainFunction() and the system is RESET; marked intervals: WdgMTriggerWindowStart, WdgMSupervisionCycle, WdgMTriggerConditionValue, S-WdgM fault detection time, S-WdgM fault reaction time, S-WdgM Stack minimum reaction time]
CP ... Checkpoint with Alive monitoring
- The WdgMSupervisionReferenceCycle = WdgMSupervisionCycle
- The Watchdog is triggered inside the WdgM_MainFunction().
- The green line represents the time window when the Watchdog can be triggered.
- WdgMImmediateReset = TRUE
Fig. 14: The S-WdgM Stack minimum reaction time
Figure 15 shows a scenario with a checkpoint being hit first. The fault cannot be detected before the next checkpoint is hit, which is due in the subsequent supervision cycle. As a consequence, violation detection, communication and system reset are done in the second following call of the S-WdgM main function.
Note: For alive supervision, the detection is at the end of the next supervision reference cycle for alive supervision.
[Figure 15: timeline of supervision cycles in which the checkpoint CP is hit first and the fault ("CP not called within expected time interval") occurs afterwards; the violation is detected in the second following WdgM_MainFunction() call and the system is RESET; marked intervals: WdgMTriggerWindowStart, WdgMSupervisionCycle, WdgMTriggerConditionValue, S-WdgM fault detection time, S-WdgM fault reaction time, S-WdgM Stack maximum reaction time]
CP ... Checkpoint with Alive monitoring
- In the picture, WdgMSupervisionReferenceCycle = WdgMSupervisionCycle
- The Watchdog is triggered inside the WdgM_MainFunction().
- The green line represents the time window when the Watchdog can be triggered.
- The ‘S-WdgM Fault detection time’ is equal to ISO26262 ‘Diagnostic test interval’
- The ‘S-WdgM Stack fault reaction time’ is the S-WdgM Fault reaction time + the S-Wdg Fault reaction time.
Fig. 15: The S-WdgM Stack maximum reaction time
2.2.9 Reset Path and Safe State
The safe state is entered as a result of an MCU reset. The S-WdgM builds its functionality on a reliable and robust reset path. The S-WdgM default reset path uses the Watchdog Device itself through the S-WdgIF. The Watchdog Device can be either an external chip or an MCU-internal controller. The system integrator can additionally set a secondary path by adding the parameter WDGM_SECOND_RESET_PATH = STD_ON. The secondary reset path is used when the Safe Watchdog Interface returns an error response. This error response can be caused by communication errors to the external Watchdog device.
Figure 16 shows the primary and secondary reset path.
[Figure 16 (block diagram): software layer: BSW's, S-WdgM API, Safe Watchdog Manager, Safe Watchdog Interface, Safe Watchdog Driver (primary reset path), Mcu driver (secondary reset path); hardware layer: MCU with internal Reset, external and internal Watchdog device]
Fig. 16: Primary and secondary reset path of the S-WdgM
The S-WdgM uses the primary reset path for a regular Watchdog-initiated reset and also for an immediate MCU reset. The primary reset path is the preferred path, because it is part of the S-WdgM software and thus safe. The MCU driver with the AUTOSAR function Appl_Mcu_PerformReset() must guarantee freedom from interference.
The secondary reset path is optional. It is used when the primary reset path signals a fault.
The S-WdgM safe state is the MCU reset state.
Note: The S-WdgM safe state is not necessarily the system safe state.
The S-WdgM can invoke the safe state in two ways:
MCU reset after watchdog timeout by discontinuing watchdog triggering.
Immediate MCU reset by an immediate watchdog reset. The immediate reset can be configured. See parameter WDGM_IMMEDIATE_RESET in Section S-WdgM Global Preprocessor Settings, page 38.
2.2.10 S-WdgM Local Entity State
Every supervised entity has a local state that expresses the occurrence of detected violations:
State OK: No violation has been detected.
State FAILED: A violation has been detected, the reset is pending within a delay time (maybe 0 ticks) and the violation repeats.
State EXPIRED: A violation has repeated throughout the delay time. A reset is inevitable.
AUTOSAR allows configuring a tolerance delay after an alive counter violation has been
detected. See [1] for detailed information. AUTOSAR does not allow configuring such
tolerances for program flow and deadline violations. The S-WdgM allows configuring
such tolerances for all three monitoring features described below:
Once a violation has been detected, the S-WdgM changes its state from OK to FAILED and starts a so-called tolerance time, which is configured as follows:
The tolerance time is the supervision reference cycle (according to the monitoring feature) multiplied by a supervision reference cycle tolerance value.
As long as the violation repeats within the tolerance time at least every supervision
reference cycle, the S-WdgM stays in the state FAILED.
If the violation does not occur in a supervision reference cycle within the tolerance
delay, the S-WdgM returns to the state OK as if no violation had happened. Only the
status change is logged.
If the violation has repeated to the end of the tolerance time, the S-WdgM enters the
state EXPIRED.
Figure 17 shows the state changes in dependence of the configured reference cycles
and reference cycle tolerances.
Fig. 17: Modified state machine
Note: The AUTOSAR implementation can be simulated for deadline and program flow violations with reference cycle = reference cycle tolerance = 0.
The exact names of the configuration fields for the tolerance delay are:
Monitoring                Reference Cycle                  Reference Cycle Tolerance
Alive Supervision         WdgMSupervisionReferenceCycle    WdgMFailedSupervisionRefCycleTol
Program Flow Monitoring   WdgMProgramFlowReferenceCycle    WdgMFailedProgramFlowRefCycleTol
Deadline Monitoring       WdgMDeadlineReferenceCycle       WdgMFailedDeadlineRefCycleTol
Note: WdgMProgramFlowReferenceCycle and WdgMFailedProgramFlowRefCycleTol must both be 0 or unequal to 0. WdgMDeadlineReferenceCycle and WdgMFailedDeadlineRefCycleTol must both be 0 or unequal to 0.
2.2.11 S-WdgM Global State
The local states are periodically summarized in an S-WdgM global state. If all supervised entities have the state OK, then the global state is OK. When at least one supervised entity changes to the state FAILED, then the global state becomes FAILED. When at least one supervised entity changes to the state EXPIRED, the global state becomes EXPIRED. Once the global state is EXPIRED, the S-WdgM continues the delay until it enters the state STOPPED. This is when the S-WdgM stops triggering the Watchdog (or resets it). The delay is the supervision cycle multiplied by the configurable expired supervision cycle tolerance (parameter WdgMExpiredSupervisionCycleTol).
Once in the state STOPPED, the S-WdgM brings the system to the safe state by performing a system reset through the S-WdgIf module and, thus, through the watchdog(s) in the system. If the preprocessor option WDGM_SECOND_RESET_PATH is set to STD_ON and the S-WdgIf reports a failure, then the system goes into a safe state through the MCU module (see Section S-WdgM Global Preprocessor Settings, page 38).
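The local FAILED/EXPIRED/OK state machine with reference cycle and tolerance (the deadline tolerance note earlier in this chapter and Section 2.2.10) together with the global state summary and STOPPED delay of Section 2.2.11, as an added model written for this page; it is not S-WdgM code. Assumed readings: an entity becomes EXPIRED at the end of the reference cycle in which the number of reference cycles containing a violation first exceeds the tolerance, a reference cycle of 0 means immediate EXPIRED (the AUTOSAR behaviour of the note above), and the delay before STOPPED is WdgMExpiredSupervisionCycleTol supervision cycles as stated in Section 2.4.2. The violation patterns are constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { LOCAL_OK, LOCAL_FAILED, LOCAL_EXPIRED, LOCAL_DEACTIVATED } LocalStatus;
typedef enum { GLOBAL_OK, GLOBAL_FAILED, GLOBAL_EXPIRED, GLOBAL_STOPPED } GlobalStatus;

/* One supervised entity with the tolerance settings of one monitoring feature,
 * e.g. WdgMDeadlineReferenceCycle / WdgMFailedDeadlineRefCycleTol. */
typedef struct {
    unsigned ref_cycle;      /* reference cycle length in supervision cycles */
    unsigned ref_cycle_tol;  /* tolerated reference cycles containing a violation */
    LocalStatus status;
    unsigned pos;            /* supervision cycles elapsed in the current reference cycle */
    bool violated_in_ref;    /* a violation was seen in the current reference cycle */
    unsigned violated_refs;  /* reference cycles with a violation since OK -> FAILED */
} Entity;

/* Local state update done by WdgM_MainFunction() at the end of a supervision
 * cycle; `violation` tells whether the feature reported a violation in it. */
void entity_main_function(Entity *e, bool violation)
{
    if (e->status == LOCAL_OK) {
        if (!violation) return;
        if (e->ref_cycle == 0) { e->status = LOCAL_EXPIRED; return; } /* no tolerance (AUTOSAR) */
        /* The reference cycle starts with the first detected violation. */
        e->status = LOCAL_FAILED; e->pos = 0; e->violated_in_ref = false; e->violated_refs = 0;
    }
    if (e->status != LOCAL_FAILED) return;  /* EXPIRED / DEACTIVATED: cycle not processed */
    e->violated_in_ref = e->violated_in_ref || violation;
    if (++e->pos < e->ref_cycle) return;
    e->pos = 0;                              /* end of a reference cycle */
    if (!e->violated_in_ref) { e->status = LOCAL_OK; return; }   /* recovered */
    e->violated_in_ref = false;
    if (++e->violated_refs > e->ref_cycle_tol) e->status = LOCAL_EXPIRED;
}

typedef struct {
    Entity *entities;
    unsigned n;
    unsigned expired_cycle_tol; /* WdgMExpiredSupervisionCycleTol: delay in supervision cycles */
    GlobalStatus status;
    unsigned expired_cycles;    /* supervision cycles spent in global EXPIRED */
} WdgM;

/* Summarize the local states into the global state once per supervision cycle.
 * Returns false once STOPPED, i.e. once the watchdog must no longer be triggered. */
bool wdgm_global_main_function(WdgM *m)
{
    if (m->status == GLOBAL_STOPPED) return false;
    GlobalStatus s = GLOBAL_OK;
    for (unsigned i = 0; i < m->n; i++) {
        LocalStatus l = m->entities[i].status;
        if (l == LOCAL_EXPIRED) s = GLOBAL_EXPIRED;
        else if (l == LOCAL_FAILED && s == GLOBAL_OK) s = GLOBAL_FAILED;
    }
    if (s != GLOBAL_EXPIRED) { m->status = s; return true; }
    if (m->status != GLOBAL_EXPIRED) { m->status = GLOBAL_EXPIRED; m->expired_cycles = 0; }
    if (m->expired_cycles++ >= m->expired_cycle_tol) { m->status = GLOBAL_STOPPED; return false; }
    return true;
}

/* Drive one entity with a constructed violation pattern ('V' = violation in
 * that supervision cycle, '.' = none). Returns the 1-based cycle in which the
 * global state became STOPPED (0 = never); *local_out gets the final local status. */
unsigned run_pattern(unsigned ref_cycle, unsigned tol, unsigned expired_tol,
                     const char *pattern, LocalStatus *local_out)
{
    Entity e = { ref_cycle, tol, LOCAL_OK, 0, false, 0 };
    WdgM m = { &e, 1, expired_tol, GLOBAL_OK, 0 };
    unsigned stopped = 0;
    for (unsigned c = 1; pattern[c - 1] != '\0'; c++) {
        entity_main_function(&e, pattern[c - 1] == 'V');
        if (!wdgm_global_main_function(&m) && stopped == 0) stopped = c;
    }
    if (local_out) *local_out = e.status;
    return stopped;
}

/* Final local status of the entity after the pattern. */
LocalStatus final_local_status(unsigned ref_cycle, unsigned tol, const char *pattern)
{
    LocalStatus s;
    run_pattern(ref_cycle, tol, 0, pattern, &s);
    return s;
}

int main(void)
{
    printf("ref=2 tol=1 'VVVV'  : STOPPED in cycle %u\n", run_pattern(2, 1, 0, "VVVV", NULL));
    printf("ref=2 tol=1 'VV..'  : final local status %d (0 = OK)\n", final_local_status(2, 1, "VV.."));
    printf("ref=2 tol=1 'VVVVVV', expired tol=2: STOPPED in cycle %u\n",
           run_pattern(2, 1, 2, "VVVVVV", NULL));
    return 0;
}
```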
2.3 Integration in AUTOSAR 3.1 and 4.0 Environments
The S-WdgM implements functionality described in AUTOSAR 4.0r1. However, the S-WdgM can be integrated in AUTOSAR 3.1 and AUTOSAR 4.0 environments. To this end, a special preprocessor switch is automatically generated by the configuration generator. That preprocessor switch cannot be altered manually. This is WDGM_AUTOSAR_4_x (STD_ON / STD_OFF), which is placed in the generated file WdgM_Cfg_Features.h. The value of the preprocessor switch is determined by the configuration generator according to the provided ECUC file, more specifically according to the XML default name space of the ECUC file (attribute xmlns).
For AUTOSAR 3.1: WDGM_AUTOSAR_4_x is generated to STD_OFF, which prepares the embedded code for a compilation in an AUTOSAR 3.1 environment. If the AUTOSAR version is not 3.1, but any other 3.x, the configuration generator additionally outputs a warning during this process.
For AUTOSAR 4.0: WDGM_AUTOSAR_4_x is generated to STD_ON, which prepares the embedded code for a compilation in an AUTOSAR 4.0 environment. If the AUTOSAR version is not 4.0, but any other 4.x, the configuration generator additionally outputs a warning during this process.
For any other AUTOSAR version (smaller than 3 or greater than 4), the configuration generator generates no code and exits with an error message.
Note: The integration of the S-WdgM in an AUTOSAR 3.1 environment must be differentiated from the AUTOSAR 3.1 compatibility mode described in this document. The integration into an AUTOSAR environment refers only to the software environment in which the S-WdgM interacts, whereas the AUTOSAR 3.1 compatibility mode is a special operation mode of the module itself selected at pre-compile time. In this special mode, the functionality is reduced to the functionality described by AUTOSAR 3.1. For more information refer to AUTOSAR version 3.1 r1 [7] (page 128).
2.4 Deviations from the AUTOSAR 4.0 r1 Watchdog Manager
The S-WdgM is compatible with the AUTOSAR 4.0 r1 Watchdog Manager, but not fully compliant. This has the following reasons:
The AUTOSAR specification does not define functionality comprehensively and precisely enough for implementation (e.g., global transitions).
The AUTOSAR specification does not contain certain functionality (e.g., program flow, deadline monitoring recovering).
The AUTOSAR specification defines an approach that is very complex to be handled by the user or consumes too much run time (S-WdgM mode switching).
The AUTOSAR specification does not fully consider safety requirements (e.g., windowed Watchdog Trigger).
Below you can find the deviations from the AUTOSAR 4.0 r1 Watchdog Manager in detail:
2.4.1 Entities, Checkpoints and Transitions
For periodical watchdog triggering at least one supervised entity and one checkpoint should be defined.
In contrast to AUTOSAR, local activity flags of the supervised entities are set back to FALSE every time an end checkpoint of this supervised entity is reached. Analogously, the global activity flag is set back to FALSE as soon as a global end checkpoint is reached.
Local initial checkpoints cannot have incoming local transitions, but they can have
incoming global transitions.
Local end checkpoints cannot have outgoing local transitions, but they can have
outgoing global transitions.
If global transitions are used, then there must be exactly one global initial checkpoint.
The global initial checkpoint should be called before any other global checkpoint is
invoked.
If a non-initial checkpoint of a supervised entity is reached and this supervised entity is not active, then this is considered to be a program flow violation in this supervised entity.
If a checkpoint is the source for a local and a global transition, then only one of the two transitions can occur. The other one is considered a program flow violation. This is because the program flow cannot split into 2 paths. If, for example, a new task is started from CP1 (global transition to CPnew) and the original task continues (local transition to CP2), then the following sequences of checkpoint hits are not allowed:
o CP1->CPnew->CP2 and
o CP1->CP2->CPnew.
If a local initial checkpoint is the destination checkpoint for a global transition, then the
checkpoint must be hit by following the global transition. There is a dilemma, though: If
several supervised entities form a cycle of transitions, with each supervised entity
entered via a global transition from the previous supervised entity, then there is no way
to start the cycle, because no local initial checkpoint is allowed to be hit in a way other
than via the global transition. The solution is an exception in the S-WdgM: A local
initial checkpoint can be hit, not coming through the global transition, if it is also the
global initial checkpoint.
As in AUTOSAR, the S-WdgM needs a time source in order to measure transition deadlines. Whereas AUTOSAR does not define the source for ticks, the S-WdgM allows the user to choose between three tick sources:
o Internal software source,
o Internal hardware source,
o External tick source
For details see Section Deadline Measurement and Tick Counter, page 100, and the description of parameter WdgMTimebaseSource in Section S-WdgM Global Preprocessor Settings, page 38.
The checkpoint and entity identifiers are zero-based and form a list of consecutive integer numbers without gaps.
Deadline monitoring is bound to program flow. Only if program flow transitions are
configured, it is possible to configure transition deadlines.
The local/global end checkpoint does not need to be defined.
Currently only one checkpoint with an alive counter is supported per supervised entity.
This is recommended in the AUTOSAR 4.0 r1 Watchdog Manager specification,
since the functionality is not consistently described.
2.4.2 Tolerances
The S-WdgM allows a tolerance delay for all three monitoring features. In AUTOSAR,
this is restricted to alive supervision. Tolerance delay allows recovering from program
flow and deadline violations as well as from alive counter violations.
The interpretation of the AUTOSAR parameter WdgMExpiredSupervisionCycleTol
implements a delay of (WdgMExpiredSupervisionCycleTol + 2) supervision cycles. The
S-WdgM implements a delay of WdgMExpiredSupervisionCycleTol supervision cycles.
This allows configuring no delay by setting the tolerance value to 0.
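The escalation path these tolerances control, as an added model in C that is not part of the S-WdgM or this manual: one supervised entity with alive supervision runs through a constructed per-cycle trace, moves OK -> FAILED -> EXPIRED after more than WdgMFailedSupervisionRefCycleTol consecutive failed reference cycles, and the global status becomes STOPPED (the cycle in which the immediate reset fires) exactly WdgMExpiredSupervisionCycleTol supervision cycles later. A reference cycle of one supervision cycle, the recovery of FAILED to OK, and the AUTOSAR delay figure of (tolerance + 2) are taken from the text above or assumed; the function and type names are invented.

```c
#include <stdio.h>

typedef enum { LOCAL_OK, LOCAL_FAILED, LOCAL_EXPIRED } LocalStatus;
typedef enum { GLOBAL_OK, GLOBAL_FAILED, GLOBAL_EXPIRED, GLOBAL_STOPPED } GlobalStatus;

typedef struct {
    unsigned failed_ref_cycle_tol;          /* WdgMFailedSupervisionRefCycleTol */
    unsigned expired_supervision_cycle_tol; /* WdgMExpiredSupervisionCycleTol (S-WdgM semantics) */
} SvConfig;

typedef struct {
    LocalStatus  local;
    GlobalStatus global;
    unsigned failed_cycles;   /* consecutive reference cycles with an alive violation */
    unsigned expired_cycles;  /* supervision cycles already spent in EXPIRED */
} SvState;

void sv_init(SvState *s)
{
    s->local = LOCAL_OK; s->global = GLOBAL_OK;
    s->failed_cycles = 0; s->expired_cycles = 0;
}

/* One WdgM_MainFunction() cycle (assumption: reference cycle == supervision cycle).
 * alive_ok: 1 if the alive indications were within the expected range, else 0.
 * Returns 1 in the cycle the global status becomes STOPPED, i.e. the cycle in which
 * the immediate reset (WDGM_IMMEDIATE_RESET = STD_ON) is invoked. */
int sv_cycle(const SvConfig *c, SvState *s, int alive_ok)
{
    if (s->global == GLOBAL_STOPPED) return 1;

    if (s->local != LOCAL_EXPIRED) {              /* EXPIRED is absorbing */
        if (alive_ok) {
            s->failed_cycles = 0;
            s->local = LOCAL_OK;                  /* FAILED recovers to OK */
        } else {
            s->failed_cycles++;
            s->local = (s->failed_cycles > c->failed_ref_cycle_tol) ? LOCAL_EXPIRED
                                                                    : LOCAL_FAILED;
        }
    }

    if (s->local == LOCAL_EXPIRED) {
        /* S-WdgM: STOPPED exactly WdgMExpiredSupervisionCycleTol cycles after the entity
         * expired; a tolerance of 0 stops in the same cycle (no delay). */
        if (s->expired_cycles >= c->expired_supervision_cycle_tol) {
            s->global = GLOBAL_STOPPED;
            return 1;
        }
        s->global = GLOBAL_EXPIRED;
        s->expired_cycles++;
        return 0;
    }
    s->global = (s->local == LOCAL_FAILED) ? GLOBAL_FAILED : GLOBAL_OK;
    return 0;
}

/* Replays a per-cycle alive trace; returns the index of the cycle in which the reset
 * fires, or -1 if the trace ends without a reset. */
int first_reset_cycle(const SvConfig *c, const int *alive_ok, int n)
{
    SvState s; int i;
    sv_init(&s);
    for (i = 0; i < n; i++)
        if (sv_cycle(c, &s, alive_ok[i])) return i;
    return -1;
}

/* Delay the text above attributes to the AUTOSAR interpretation of the same parameter. */
unsigned autosar_expired_delay(unsigned tol) { return tol + 2; }

/* Constructed traces and configurations. */
const int      kTraceFail[7]  = { 1, 0, 0, 0, 0, 0, 0 };   /* one good cycle, then failures */
const int      kTraceFlap[6]  = { 1, 0, 1, 0, 1, 0 };      /* single failures, each recovered */
const SvConfig kTolerant      = { 1, 2 };                  /* one failed cycle tolerated, 2 cycles delay */
const SvConfig kStrict        = { 0, 0 };                  /* first failure expires, no delay */
const SvConfig kAutosarLike   = { 1, 4 };                  /* same, with autosar_expired_delay(2) */

int main(void)
{
    printf("tolerant: reset in cycle %d\n", first_reset_cycle(&kTolerant, kTraceFail, 7));
    printf("strict:   reset in cycle %d\n", first_reset_cycle(&kStrict, kTraceFail, 7));
    return 0;
}
```

With kTolerant the entity is FAILED in cycle 1, EXPIRED in cycle 2 and the reset fires in cycle 4; the same trace under the AUTOSAR-style delay of (2 + 2) cycles fires in cycle 6, and a strict configuration fires in cycle 1. A trace that never fails twice in a row keeps recovering and never resets.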
2.4.3 Watchdog and Reset
The AUTOSAR Watchdog Manager supports several watchdog drivers and several
watchdog devices per watchdog driver. However, the TTTech S-WdgM Stack
supports only one watchdog driver and only one watchdog device per watchdog
driver.
For safety reasons, the S-WdgM uses the primary watchdog reset as an immediate
reset (WDGM_IMMEDIATE_RESET = STD_ON). In contrast, the AUTOSAR Watchdog
Manager uses the external function Appl_Mcu_PerformReset().
The S-WdgM does not support a partition reset with
BswM_WdgM_RequestPartitionReset().
2.4.4 API
The S-WdgM function WdgM_SetMode() switches the trigger mode only. This
relates to the fields
o WdgMTriggerConditionValue
o WdgMTriggerWindowStart
o WdgMWatchdogMode.
It does not change the set of supervised entities. This can be simulated by activating
and deactivating different sets of supervised entities for different modes.
Note: Full support of the function is too expensive at runtime and too complex (not
safe) to implement and to configure.
For safety and complexity reasons, the function WdgM_DeInit() is not
implemented.
The S-WdgM provides the functions WdgM_DeactivateSupervisionEntity() and
WdgM_ActivateSupervisionEntity() for deactivating and activating supervised
entities. These functions are not AUTOSAR 4.0 r1 compatible.
The S-WdgM uses only direct callback notification for a local and global state change.
The RTE notification is not implemented.
Due to implementation complexity and verification difficulty, the S-WdgM does not
support RTE Mode Ports.
The S-WdgM checks the configuration independently of the WdgMDevErrorDetect
parameter. This parameter enables/disables the DET calls only.
The ECU Description Configuration constraints are described in Section
Assumptions/Constraints.
2.5 Configuration Parameters for the S-WdgM
This Section contains a brief description of the configuration parameters for the S-
WdgM, sorted according to their functionality. The path to each parameter or option is
the exact ECU description file path. The parameters are placed inside the ECU
description file. The S-WdgM Configuration Generator uses the parameters to
generate configuration structures.
The list includes functions defined in AUTOSAR 4.0 r1 and functions added by TTTech.
For AUTOSAR 3.1 functions and a comparison of AUTOSAR 4.0 r1 and AUTOSAR 3.1
functions, see Section AUTOSAR 3.1 Compatibility.
2.5.1 S-WdgM Global Preprocessor Settings
Parameter Name: WdgMDevErrorDetect
Parameter Name (Embedded Code): WDGM_DEV_ERROR_DETECT
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1
Description: This preprocessor switch enables/disables development
error detection and reporting. This parameter must be used
to remove unneeded code segments regarding DET
features.
true: Development error detection is enabled.
false: Development error detection is disabled.
Parameter Name: WdgMDemReport
Parameter Name (Embedded Code): WDGM_DEM_REPORT
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1
Description: This preprocessor switch enables/disables calls to DEM in
case of production error detection.
true: DEM calls enabled in case of production errors.
false: DEM calls disabled in case of production errors.
Parameter Name: WdgMImmediateReset
Parameter Name (Embedded Code): WDGM_IMMEDIATE_RESET
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1
Description: This preprocessor switch enables/disables the immediate
watchdog reset feature in case of an alive, deadline or
program flow fault. When it is enabled and the S-WdgM
recognizes a fault (i.e., the S-WdgM global state changes to
WDGM_GLOBAL_STATUS_STOPPED), then the S-WdgM does not
wait for the watchdog device timeout, but invokes the reset
immediately.
The parameter can be configured to perform an MCU reset
if the immediate reset fails.
Note: Not all hardware platforms can invoke an immediate
reset.
true: Perform an immediate watchdog reset.
false: Discontinue watchdog trigger and wait for
watchdog timeout.
Parameter Name: WdgMOffModeEnabled
Parameter Name (Embedded Code): WDGM_OFF_MODE_ENABLED
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1
Description: This preprocessor switch enables/disables the selection of
WDGIF_MODE_OFF for the watchdog mode. When enabled,
the watchdog device can be deactivated.
Note: On some hardware platforms, the watchdog cannot
be deactivated once it has been activated.
true: WDGIF_MODE_OFF is allowed.
false: WDGIF_MODE_OFF is disallowed.
Parameter Name: WdgMVersionInfoApi
Parameter Name (Embedded Code): WDGM_VERSION_INFO_API
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1
Description: This preprocessor switch enables/disables the API function
WdgM_GetVersionInfo().
Note: WdgM_GetVersionInfo() is a macro.
true: Version API is enabled.
false: Version API is disabled.
Parameter Name: WdgMDefensiveBehavior
Parameter Name (Embedded Code): WDGM_DEFENSIVE_BEHAVIOR
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1
Description: This preprocessor switch enables/disables the defensive
behavior of the Watchdog Manager module.
WdgM_SetMode() checks whether the caller is authorized.
WdgM_MainFunction() checks if the S-WdgM has been initialized.
Parameter Name: WdgMUseRte
Parameter Name (Embedded Code): WDGM_USE_RTE
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: TTTech
Description: This preprocessor switch instructs the S-WdgM to use the
defines and typedefs generated by the RTE. The RTE-
generated defines and typedefs save S-WdgM configuration
RAM.
Note: Section S-WdgM Type Definitions covers the
types and defines that can be imported from the RTE.
true: The S-WdgM uses the RTE-generated defines and
typedefs.
false: The S-WdgM uses its own defines and typedefs.
Parameter Name: WdgMDemSupervisionReport
Parameter Name (Embedded Code): WDGM_DEM_SUPERVISION_REPORT
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1 (renamed from WdgMDemAliveSupervisionReport)
Description: This preprocessor switch enables/disables the call to DEM if
the S-WdgM has reached the state WDGM_GLOBAL_STATUS_STOPPED.
true: The DEM call is performed.
false: The DEM call is not performed.
Parameter Name: WdgMUseOsSuspendInterrupt
Parameter Name (Embedded Code): WDGM_USE_OS_SUSPEND_INTERRUPT
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: AUTOSAR 4.0 r1
Description: This preprocessor switch controls how interrupts are
suspended and resumed within the S-WdgM.
true:
For AUTOSAR 3.1 (WDGM_AUTOSAR_4_x is STD_OFF), the S-WdgM uses
- function SchM_Enter_WdgM() to suspend interrupts,
- function SchM_Exit_WdgM() to resume interrupts.
For AUTOSAR 4.0 (WDGM_AUTOSAR_4_x is STD_ON), the S-WdgM uses
- function SchM_Enter_WdgM_WDGM_EXCLUSIVE_AREA_0() to suspend interrupts,
- function SchM_Exit_WdgM_WDGM_EXCLUSIVE_AREA_0() to resume interrupts.
false:
The user must define
- function GlobalSuspendInterrupts() to suspend interrupts,
- function GlobalRestoreInterrupts() to resume interrupts.
Parameter Name: WdgMTimebaseSource
Parameter Name (Embedded Code): WDGM_TIMEBASE_SOURCE
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: integer
Range: WDGM_EXTERNAL_TICK
WDGM_INTERNAL_SOFTWARE_TICK
WDGM_INTERNAL_HARDWARE_TICK
Compatibility: TTTech
Description: This preprocessor switch defines the source for the S-WdgM
Tick.
Note: The precision of the transition deadline measurement is
based on this Tick.
When the deadline measurement is not used, the S-WdgM
Tick counter is internally not used, and it need not
be incremented. In this case, to save run-time resources,
the parameter WdgMTimebaseSource should be set
to WdgMInternalSoftwareTick, which is the default
value. See also parameter WdgMTicksPerSecond.
The parameters:
WDGM_EXTERNAL_TICK:
An external clock source (through the API function
WdgM_UpdateTickCount()). The S-WdgM tick
counter is incremented every time this function is called by
the system.
WDGM_INTERNAL_SOFTWARE_TICK:
The S-WdgM Tick Counter is incremented every time
WdgM_MainFunction() is called.
WDGM_INTERNAL_HARDWARE_TICK:
The Tick source is the MCU hardware counter. The
frequency of the MCU hardware counter is given by the
parameter WdgMTicksPerSecond. The tick is queried
by the S-WdgM through the S-WdgIf API.
Note: Not all hardware platforms support this feature. For
details, refer to the S-Wdg Driver documentation.
Parameter Name: WdgMSecondResetPath
Parameter Name (Embedded Code): WDGM_SECOND_RESET_PATH
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: TTTech
Description: This preprocessor switch allows an MCU reset if a WD
command (trigger or reset) fails. This second reset path is
performed by calling Appl_Mcu_PerformReset().
Note: Appl_Mcu_PerformReset() itself calls
Mcu_PerformReset(), which triggers the reset.
true: The MCU is reset with Appl_Mcu_PerformReset()
when the primary reset path signals an error.
false: The MCU is not reset.
Parameter Name: WdgMTickOverrunCorrection
Parameter Name (Embedded Code): WDGM_TICK_OVERRUN_CORRECTION
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: TTTech
Description: This preprocessor switch enables/disables the 32-bit S-WdgM
Tick Counter overflow detection and correction.
true: The Tick counter overflow is corrected.
false: The Tick counter overflow is not corrected.
Note: Depending on the frequency with which the Tick
Counter is incremented, the counter can overflow or not. See
parameter WdgMTimebaseSource for additional information.
The Tick Counter overflow detection and correction is only
used when WDGM_TIMEBASE_SOURCE = WDGM_EXTERNAL_TICK.
If not set to true, the check of the tick counter for jumps and
jitter may be incorrect.
The parameter must be set to true when the external Tick
source is used and the Tick counter (32 bit) can overflow.
Example: The tick counter is incremented every millisecond.
Then the overflow happens after 49 days.
Parameter Name: WdgMEntityDeactivationEnabled
Parameter Name (Embedded Code): WDGM_ENTITY_DEACTIVATION_ENABLED
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: TTTech
Description: This preprocessor switch enables entity deactivation. This
functionality is not specified in AUTOSAR 4.0 r1 and can
violate system safety (see the Safe Watchdog Manager
Safety Manual [5], parts WdgM_DeactivateSupervisionEntity()
and WdgM_ActivateSupervisionEntity()).
See also parameter WdgMEnableEntityDeactivation.
true: An entity can be deactivated.
false: An entity cannot be deactivated.
The default value is false.
Parameter Name: WdgMStateChangeNotification
Parameter Name (Embedded Code): WDGM_STATE_CHANGE_NOTIFICATION
Path: WdgM/WdgMGeneral/
Group: Preprocessor
Type: Boolean
Range: false/true
Compatibility: TTTech
Description: This preprocessor switch enables local and global state
change callback notifications. There are different callbacks
for local and global state notifications.
true: Any local or global state change invokes a callback.
false: No callbacks are performed. See also the
parameters WdgMGlobalStateChangeCbk and
WdgMLocalStateChangeCbk.
Parameter Name: WdgMCallerId
Path: WdgM/WdgMGeneral/WdgMCallerIds/
Group: General
Type: Integer
Range: 0...65535
Compatibility: AUTOSAR 4.0 r1
Description: This parameter defines one valid CallerId for the callers that
have permission to call the function WdgM_SetMode().
Parameter Name: WdgMFirstCycleAliveCounterReset
Parameter Name (Embedded Code): WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET
Path: WdgM/WdgMGeneral/
Group: General
Type: Boolean
Range: false/true
Compatibility: TTTech
Description: This parameter decides if the Alive counters are evaluated
in the first supervision cycle.
true: The Alive counters are not evaluated in the first
supervision cycle.
false: The Alive counters are evaluated in the first
supervision cycle.
2.5.2 S-WdgM General Settings
Parameter Name: WdgMGlobalStateChangeCbk
Path: WdgM/WdgMGeneral/
Group: General
Type: Reference
Compatibility: TTTech
Description: This is the parameter for a callback function for notifying the
system of the S-WdgM global state change. The S-WdgM
has only one callback function for the global state. In a
safety-relevant environment, the callback function can cause
safety degradation. For details, refer to the Safe Watchdog
Manager Safety Manual [5].
Parameter Name: WdgMGlobalMemoryAppTaskRef
Path: WdgM/WdgMConfigSet/WdgMMode/
Group: General
Type: Reference
Multiplicity: 0, 1
Compatibility: TTTech
Description: This is the parameter for a reference to an OS application or
task where the S-WdgM is running.
Note: When OS SC3 (OS with memory protection) is used,
the global variables of the S-WdgM should be placed in the
same memory segment where the S-WdgM context is
running.
Example: The application name is incorporated into the
corresponding MemMap defines in the file
WdgM_MemMap.h in an AUTOSAR 3.1 environment or
WdgM_OSMemMap.h in an AUTOSAR 4.0 environment.
Parameter Name: WdgMModeId
Path: WdgM/WdgMConfigSet/WdgMMode/
Group: General
Type: Integer
Range: 0...255
Compatibility: AUTOSAR 4.0 r1 / TTTech
Description: This is the parameter for the S-WdgM mode. The S-WdgM,
in contrast to the AUTOSAR WdgM, uses only one mode.
This parameter is kept for compatibility reasons only, and it
is not used by the S-WdgM.
Parameter Name: WdgMInitialTriggerModeId
Path: WdgM/WdgMConfigSet/WdgMMode/
Group: General
Type: Integer
Range: 0...255
Compatibility: TTTech
Description: This is the parameter for the S-WdgM initial trigger mode.
The S-WdgM trigger mode is a restricted version of the
AUTOSAR mode. It only sets the fields:
WdgMTriggerConditionValue
WdgMTriggerWindowStart
WdgMWatchdogMode
When more than one Watchdog device is used, then this
parameter addresses the first Watchdog only.
For details, refer to the function WdgM_SetMode().
Parameter Name (ECU): WdgMTriggerModeId
Path (ECU): WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group: Watchdog trigger
Type: Integer
Range: 0...254
Compatibility: TTTech
Description: This parameter contains a unique identifier of the trigger
mode.
Parameter Name: WdgMTicksPerSecond
Path: WdgM/WdgMConfigSet/WdgMMode/
Group: General
Type: Float
Unit: Hz
Compatibility: TTTech
Description: This parameter defines the number of S-WdgM Ticks per
second. It is the rate by which the S-WdgM Tick Counter is
incremented. This parameter is used in two ways:
1. By the system environment that periodically calls the
function WdgM_UpdateTickCount() for deadline
monitoring. See also parameter WdgMTimebaseSource.
2. By the S-WdgM Configuration Generator that calculates min
and max parameters for the transition deadlines.
Note: When the S-WdgM Tick source is
WDGM_INTERNAL_SOFTWARE_TICK, then the following
relation must be obeyed:
(1 / WdgMTicksPerSecond [Hz]) = WdgMSupervisionCycle [s]
For the Tick sources WDGM_INTERNAL_HARDWARE_TICK
and WDGM_EXTERNAL_TICK, the following relation must be
obeyed:
(1 / WdgMTicksPerSecond [Hz]) <= WdgMSupervisionCycle [s]
The parameter WdgMTicksPerSecond must not be zero.
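The tick arithmetic behind WdgMTickOverrunCorrection and WdgMTicksPerSecond, as an added example in C that is not part of the S-WdgM or this manual: a configuration check for the two relations above, the conversion of a deadline in seconds to ticks, the 32-bit overrun correction applied to an elapsed-tick measurement, a min/max transition deadline check on the corrected value, and the wrap period that gives the "49 days" figure. Function names are invented; rounding to the nearest tick is an assumption (the generator's exact rounding is not stated), as is the use of the last-checkpoint tick stamp as the measurement start.

```c
#include <stdint.h>
#include <stdio.h>

#define TICK_SRC_SOFTWARE 0   /* WDGM_INTERNAL_SOFTWARE_TICK */
#define TICK_SRC_HARDWARE 1   /* WDGM_INTERNAL_HARDWARE_TICK */
#define TICK_SRC_EXTERNAL 2   /* WDGM_EXTERNAL_TICK */

/* Checks the relation between WdgMTicksPerSecond and WdgMSupervisionCycle that the
 * chosen WdgMTimebaseSource requires. Returns 1 if the configuration is consistent. */
int timebase_consistent(int source, double ticks_per_second, double supervision_cycle_s)
{
    double period, diff;
    if (ticks_per_second <= 0.0 || supervision_cycle_s <= 0.0) return 0; /* must not be zero */
    period = 1.0 / ticks_per_second;
    diff = period - supervision_cycle_s;
    if (diff < 0.0) diff = -diff;
    if (source == TICK_SRC_SOFTWARE)
        return diff < 1e-9;                          /* exactly one tick per WdgM_MainFunction() */
    return period <= supervision_cycle_s + 1e-9;     /* hardware/external: at least one tick per cycle */
}

/* Converts a deadline in seconds to S-WdgM ticks (assumption: rounded to the nearest tick). */
uint32_t deadline_ticks(double seconds, double ticks_per_second)
{
    return (uint32_t)(seconds * ticks_per_second + 0.5);
}

/* Ticks elapsed between two readings of the 32-bit tick counter with overrun correction
 * (WDGM_TICK_OVERRUN_CORRECTION = STD_ON): if the counter wrapped once since 'start',
 * the wrapped part is added back. Without the correction, now < start would be
 * reported as a backwards jump of the tick counter. */
uint32_t elapsed_ticks_corrected(uint32_t start, uint32_t now)
{
    if (now >= start) return now - start;
    return (UINT32_MAX - start) + now + 1u;          /* same value as the modular now - start */
}

/* Transition deadline check: the destination checkpoint must be reached no earlier
 * than min_ticks and no later than max_ticks after the source checkpoint. */
int deadline_met(uint32_t start, uint32_t now, uint32_t min_ticks, uint32_t max_ticks)
{
    uint32_t e = elapsed_ticks_corrected(start, now);
    return e >= min_ticks && e <= max_ticks;
}

/* Time until a 32-bit counter incremented at ticks_per_second wraps, in days. */
double wrap_period_days(double ticks_per_second)
{
    return 4294967296.0 / ticks_per_second / 86400.0;
}

int main(void)
{
    /* Constructed values: 1 kHz external tick, 10 ms supervision cycle, 20 ms deadline,
     * measured across the counter wrap. */
    uint32_t start = 0xFFFFFFF0u, now = 0x0000000Fu;
    printf("timebase ok: %d\n", timebase_consistent(TICK_SRC_EXTERNAL, 1000.0, 0.010));
    printf("20 ms = %u ticks\n", (unsigned)deadline_ticks(0.020, 1000.0));
    printf("elapsed across wrap: %u ticks\n", (unsigned)elapsed_ticks_corrected(start, now));
    printf("deadline met: %d\n", deadline_met(start, now, 20u, 40u));
    printf("wrap after %.1f days\n", wrap_period_days(1000.0));
    return 0;
}
```

Across the wrap the corrected measurement is 31 ticks, which is inside a 20..40 tick window; an uncorrected comparison would see the reading 0x0000000F lying before 0xFFFFFFF0 and report a jump instead.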
Parameter Name: WdgMSupervisionCycle
Path: WdgM/WdgMConfigSet/WdgMMode/
Group: General
Type: Float
Range: 0 < WdgMSupervisionCycle
Unit: second
Compatibility: AUTOSAR 4.0 r1
Description: This parameter defines the schedule period of the main
function, WdgM_MainFunction(). It is the time period in
which the S-WdgM performs cyclic supervision, and also the
watchdog trigger period. The parameter is important for the
system that calls the function WdgM_MainFunction().
Parameter Name: WdgMExpiredSupervisionCycleTol
Path: WdgM/WdgMConfigSet/WdgMMode/
Group: General
Type: Integer
Range: 0...65535
Compatibility: AUTOSAR 4.0 r1
Description: This parameter defines a further delay of the violation
escalation to the Watchdog after the S-WdgM reached the
status WDGM_LOCAL_STATUS_EXPIRED (in numbers of
supervision cycles).
Parameter Name: WdgMGlobalCheckpointFinalRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMProgramFlowSupervision/
Group: General
Type: Reference
Multiplicity: 0...65535
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the final global
checkpoint.
Note: There might be no, one or several global end
checkpoints.
Parameter Name: WdgMGlobalCheckpointInitialRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMProgramFlowSupervision/
Group: General
Type: Reference
Multiplicity: 0, 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the global initial
checkpoint.
Note: If global transitions are defined, then exactly one
global initial checkpoint must be defined.
Parameter Name: WdgMWatchdogName
Path: WdgM/WdgMGeneral/WdgMWatchdog/
Group: Watchdog device
Type: String
Range: N/A
Compatibility: AUTOSAR 4.0 r1
Description: This parameter is a symbolic name of the Watchdog. It is
used as a comment only.
Parameter Name: WdgIfDeviceRef
Path: WdgM/WdgMGeneral/WdgMWatchdog/
Group: Watchdog device
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to a device container
(WdgIfDevice) of the S-WdgIf. This container contains
data and a reference that represents the connection of the
S-WdgM to the Watchdog device through the S-WdgIf.
Parameter Name: WdgMWatchdogMode
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group: Watchdog trigger
Type: Enumeration
Range: WDGIF_FAST_MODE
WDGIF_OFF_MODE
WDGIF_SLOW_MODE
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the watchdog mode for a
referenced watchdog in the S-WdgM.
Implementation type: WdgIf_ModeType.
Note: Not all hardware platforms support all watchdog
modes. For details, see the User Manual of the respective
S-Wdg Driver.
Note: Do not confuse this parameter with the S-WdgM
Trigger Mode (WdgMModeId).
Parameter Name: WdgMTriggerConditionValue
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group: Watchdog trigger
Type: Integer
Range: 1...65535
Unit: ms
Compatibility: AUTOSAR 4.0 r1
Description: This parameter defines the latest possible time at which the
next watchdog trigger is accepted (window end).
Note: Not all hardware platforms allow changing this
parameter during runtime. For details, see the User Manual
of the respective S-Wdg Driver.
Parameter Name: WdgMTriggerWindowStart
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group: Watchdog trigger
Type: Integer
Range: 0...65535
Unit: ms
Compatibility: TTTech
Description: This parameter defines the earliest time after which the next
watchdog trigger is accepted (window start).
Note: Not all hardware platforms allow changing this
parameter during runtime. On some platforms, this
parameter is not available or is set to zero. For details, see the
User Manual of the respective S-Wdg Driver.
Parameter Name: WdgMTriggerWatchdogRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMTrigger/
Group: Watchdog trigger
Type: Reference
Multiplicity: 0...255
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the configured
watchdog.
2.5.3 S-WdgM Supervised Entity Options
Parameter Name: WdgMFailedSupervisionRefCycleTol
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group: Supervised entity
Type: Integer
Range: 0...65534
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the acceptable number of failed
alive indications for this supervised entity in a row (i.e., at
least one violation per supervision reference cycle in a row).
Note: This parameter should be set to 0 if no alive counter
is configured for this supervised entity, because nothing can
be tolerated. If there is an alive counter in this supervised
entity, then the parameter can be 0 (no alive counter
violations tolerated) or positive.
Parameter Name: WdgMSupervisedEntityInitialMode
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group: Supervised entity
Type: Enumeration
Range: WDGM_LOCAL_STATUS_DEACTIVATED,
WDGM_LOCAL_STATUS_OK,
WDGM_LOCAL_STATUS_FAILED
Compatibility: TTTech
Description: This is the initial local monitoring status of the supervised
entity.
Parameter Name: WdgMFailedDeadlineRefCycleTol
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group: Supervised entity
Type: Integer
Range: 0...65534
Compatibility: TTTech
Description: This parameter contains the acceptable number of violated
deadlines for this supervised entity in a row (i.e., at least one
violation per WdgMDeadlineReferenceCycle in a row).
Note: If a positive tolerance for deadline violations is
entered, then the user must enter a positive reference cycle
for the violations (WdgMDeadlineReferenceCycle),
because the tolerance is defined in terms of reference
cycles. The tolerance can also be 0. In this case a positive
reference cycle would make no sense, because there is no
reference cycle if no violations are tolerated.
Parameter Name: WdgMDeadlineReferenceCycle
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group: Supervised entity
Type: Integer
Range: 0...65535
Compatibility: TTTech
Description: This parameter contains the number of supervision cycles
that define a cycle for the deadline monitoring of this
supervised entity.
Note: If the deadline reference cycle tolerance
(WdgMFailedDeadlineRefCycleTol) is set to 0, then
this parameter must be 0 as well. This is because the first
detected violation would cause the supervised entity to
change its status to EXPIRED and then no reference cycle
could exist. If the deadline reference cycle tolerance is
positive, then this parameter must be positive as well,
because the tolerance is defined as a number of reference
cycles which cannot be of zero duration.
Parameter Name: WdgMFailedProgramFlowRefCycleTol
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group: Supervised entity
Type: Integer
Range: 0...65534
Compatibility: TTTech
Description: This parameter contains the acceptable number of program
flow violations for this supervised entity in a row (i.e., at least
one violation per WdgMProgramFlowReferenceCycle
in a row).
Note: If a positive tolerance for program flow violations is
entered, then the user must enter a positive reference cycle
for the violations (WdgMProgramFlowReferenceCycle), because the
tolerance is defined in terms of reference cycles. The
tolerance can also be 0. In this case a positive reference
cycle would make no sense, because there is no reference
cycle if no violations are tolerated.
Parameter Name: WdgMProgramFlowReferenceCycle
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group: Supervised entity
Type: Integer
Range: 0...65535
Compatibility: TTTech
Description: This parameter contains the number of supervision cycles
that define a cycle for the program flow monitoring of this
supervised entity.
Note: If the program flow reference cycle tolerance
(WdgMFailedProgramFlowRefCycleTol) is set to 0,
then this parameter must be 0 as well. This is because the
first detected violation would cause the supervised entity to
change its status to EXPIRED and then no reference cycle
could exist. If the program flow reference cycle tolerance is
positive, then this parameter must be positive as well,
because the tolerance is defined as a number of reference
cycles which cannot be of zero duration.
Parameter Name: WdgMLocalStatusSupervisedEntityRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMLocalStatusParams/
Group: Supervised entity
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the supervised entity
for which the parameters of this container are set.
Parameter Name: WdgMSupervisedEntityId
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group: Supervised entity
Type: Integer
Range: 0...65534
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the identifier of the supervised
entity for which the parameters of this container are set.
Parameter Name: WdgMEnableEntityDeactivation
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group: Supervised entity
Type: Boolean
Range: false/true
Compatibility: TTTech
Description: This parameter enables the deactivation and activation of
this supervised entity. See also the preprocessor switch
WdgMEntityDeactivationEnabled.
This functionality is not specified in AUTOSAR 4.0 r1 and
can violate system safety (see the Safe Watchdog Manager
Safety Manual [5], parts
WdgM_DeactivateSupervisionEntity() and
WdgM_ActivateSupervisionEntity()).
true: Supervised entity deactivation and activation is
enabled.
- For activation, function WdgM_ActivateSupervisionEntity() must
be used.
- For deactivation, function WdgM_DeactivateSupervisionEntity()
must be used.
false: Entity deactivation and activation for this
supervised entity is disabled.
Parameter Name: WdgMSupportedAutosarAPI
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group: Supervised entity
Type: Enumeration
Range: API_4_0
API_3_1
Compatibility: TTTech
Description: This parameter defines the S-WdgM API compatibility.
API_4_0: The AUTOSAR 4.0 r1 API is selected.
API_3_1: The AUTOSAR 3.1 API is selected.
The system can be either AUTOSAR 4.0 r1 or AUTOSAR
3.1. Mixed variants are not allowed. When one supervised
entity in a system is AUTOSAR 3.1, then all the other
supervised entities must be AUTOSAR 3.1 as well. For
details, refer to Section AUTOSAR 3.1 Compatibility.
Parameter Name: WdgMLocalStateChangeCbk
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group: Supervised entity
Type: Function name
Multiplicity: 0, 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a callback function used to inform
about a local state change of a supervised entity.
The S-WdgM has one callback function for every supervised
entity.
Note: In a safety-relevant environment, the callback function
can cause safety degradation. For details, see the Safe
Watchdog Manager Safety Manual [5].
Parameter Name: WdgMLocalCheckpointFinalRef
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group: Supervised entity
Type: Reference
Multiplicity: 0...65535
Compatibility: AUTOSAR 4.0 r1
Description: This is the reference to an end checkpoint for this
supervised entity.
Parameter Name: WdgMLocalCheckpointInitialRef
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group: Supervised entity
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the reference to the initial checkpoint for this
supervised entity.
Parameter Name: WdgMAppTaskRef
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/
Group: Supervised entity
Type: Reference
Multiplicity: 0, 1
Compatibility: TTTech
Description: This is the reference to an OS application (task) to which this supervised entity belongs. In case of OS SC3, the local data of the supervised entity must be placed in the same memory segment as the application (task) of which this supervised entity is a part. The S-WdgM Configuration Generator (page 102) enables memory mapping of the supervised entity local data so that it can be put into the memory segment of the referred task or application (task) using memory mapping.
2.5.4 S-WdgM Checkpoint Options
Parameter Name: WdgMCheckpointId
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/WdgMCheckpoint/
Group: Checkpoint
Type: Integer
Range: 0...65534
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the identifier of the checkpoint that is unique over the supervised entity.
2.5.5 Alive Counter Options
Parameter Name: WdgMExpectedAliveIndications
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group: Alive counter
Type: Integer
Range: 0...65535
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the number of expected alive indications within a supervision reference cycle, according to the corresponding supervised entity.
Parameter Name: WdgMMaxMargin
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group: Alive counter
Type: Integer
Range: 0...65535
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the number of alive indications that are acceptable in addition to the expected indications (WdgMExpectedAliveIndications) within the corresponding supervision reference cycle.
Parameter Name: WdgMMinMargin
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group: Alive counter
Type: Integer
Range: 0...65535
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the number of alive indications that are acceptable to be missing from the expected indications (WdgMExpectedAliveIndications) within the corresponding supervision reference cycle.
Parameter Name: WdgMSupervisionReferenceCycle
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group: Alive counter
Type: Integer
Range: 1...65535
Compatibility: AUTOSAR 4.0 r1
Description: This parameter defines the supervision reference cycle length as a number of supervision cycles (WdgMSupervisionCycle).
Parameter Name: WdgMAliveSupervisionCheckpointRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMAliveSupervision/
Group: Alive counter
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the checkpoint for which this alive supervision is configured.
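To make the interplay of the alive-counter parameters above concrete, here is an added example, written for this page and not taken from the S-WdgM sources. It models one alive supervision: checkpoint hits are counted during a reference cycle of WdgMSupervisionReferenceCycle supervision cycles, and at the end of the reference cycle the count must lie within [WdgMExpectedAliveIndications - WdgMMinMargin, WdgMExpectedAliveIndications + WdgMMaxMargin], as the parameter descriptions state. The struct and function names and the sample values (4 expected indications, margins of 1, a reference cycle of 2 supervision cycles) are constructed for illustration.

```c
/* Added example, not S-WdgM code: end-of-reference-cycle evaluation of one
 * alive supervision. Names and sample values are constructed. */
#include <stdint.h>
#include <stdbool.h>

/* Mirrors the four configuration parameters of section 2.5.5 (hypothetical struct). */
typedef struct {
    uint16_t expected_alive_indications;   /* WdgMExpectedAliveIndications */
    uint16_t max_margin;                   /* WdgMMaxMargin */
    uint16_t min_margin;                   /* WdgMMinMargin */
    uint16_t supervision_reference_cycle;  /* WdgMSupervisionReferenceCycle, >= 1 */
} AliveSupervisionCfg;

typedef struct {
    uint16_t alive_counter;   /* indications seen in the current reference cycle */
    uint16_t cycle_counter;   /* supervision cycles elapsed in this reference cycle */
} AliveSupervisionState;

typedef enum { ALIVE_PENDING, ALIVE_OK, ALIVE_VIOLATION } AliveResult;

/* Called for every hit of the referenced checkpoint (the WdgM_CheckpointReached() path).
 * Saturates rather than wrapping, so a runaway caller cannot make the count look small. */
void alive_indication(AliveSupervisionState *st)
{
    if (st->alive_counter < UINT16_MAX) st->alive_counter++;
}

/* Called once per supervision cycle (the WdgM_MainFunction() path).
 * Returns ALIVE_PENDING until the reference cycle is complete, then
 * ALIVE_OK when expected - min_margin <= count <= expected + max_margin. */
AliveResult alive_end_of_cycle(const AliveSupervisionCfg *cfg, AliveSupervisionState *st)
{
    st->cycle_counter++;
    if (st->cycle_counter < cfg->supervision_reference_cycle) return ALIVE_PENDING;

    /* Bounds in 32 bits so that the margins cannot underflow or overflow uint16. */
    int32_t lower = (int32_t)cfg->expected_alive_indications - (int32_t)cfg->min_margin;
    int32_t upper = (int32_t)cfg->expected_alive_indications + (int32_t)cfg->max_margin;
    if (lower < 0) lower = 0;
    int32_t count = st->alive_counter;

    st->alive_counter = 0;     /* start the next reference cycle */
    st->cycle_counter = 0;
    return (count >= lower && count <= upper) ? ALIVE_OK : ALIVE_VIOLATION;
}

/* Constructed scenario: 4 indications expected per reference cycle of 2
 * supervision cycles, 1 extra and 1 missing indication tolerated. */
AliveResult alive_scenario(uint16_t hits_cycle1, uint16_t hits_cycle2)
{
    AliveSupervisionCfg cfg = { 4, 1, 1, 2 };
    AliveSupervisionState st = { 0, 0 };
    for (uint16_t i = 0; i < hits_cycle1; i++) alive_indication(&st);
    (void)alive_end_of_cycle(&cfg, &st);   /* ALIVE_PENDING: reference cycle not complete */
    for (uint16_t i = 0; i < hits_cycle2; i++) alive_indication(&st);
    return alive_end_of_cycle(&cfg, &st);  /* verdict for the whole reference cycle */
}
```

With the sample configuration, 3 to 5 indications over the two supervision cycles are accepted; 2 or 6 are violations. Note that the margins are applied per reference cycle, not per supervision cycle, which is why a burst of 3 hits in one cycle and 2 in the next still passes.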
2.5.6 S-WdgM Local Transition Options
Parameter Name: WdgMLocalTransitionDestRef
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/WdgMLocalTransition/
Group: Local transition
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the destination checkpoint of a local transition within this supervised entity.
Parameter Name: WdgMLocalTransitionSourceRef
Path: WdgM/WdgMGeneral/WdgMSupervisedEntity/WdgMLocalTransition/
Group: Local transition
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the source checkpoint of a local transition within this supervised entity.
2.5.7 S-WdgM Global Transition Options
Parameter Name: WdgMGlobalTransitionDestRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMProgramFlowSupervision/WdgMGlobalTransition/
Group: Global transition
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the destination checkpoint of a global transition.
Parameter Name: WdgMGlobalTransitionSourceRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMProgramFlowSupervision/WdgMGlobalTransition/
Group: Global transition
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the source checkpoint of a global transition.
2.5.8 S-WdgM Local and Global Deadline Options
Parameter Name: WdgMDeadlineMax
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Group: Local or global deadline
Type: Float
Range: 0.0...((1/WdgMTicksPerSecond) * 65535) seconds
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the longest time span after which the deadline is still considered to be met.
Note: The time span is counted from the point in time when the source checkpoint of the transition is reached.
Parameter Name: WdgMDeadlineMin
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Group: Local or global deadline
Type: Float
Range: 0.0...((1/WdgMTicksPerSecond) * 65535) seconds
Compatibility: AUTOSAR 4.0 r1
Description: This parameter contains the shortest time span after which the deadline is considered to be met.
Note: The time span is counted from the point in time when the source checkpoint of the transition is reached.
Parameter Name: WdgMDeadlineStartRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Group: Local or global deadline
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the source checkpoint for deadline monitoring.
Note: The start and stop references of a deadline must match an existing local or global transition.
Parameter Name: WdgMDeadlineStopRef
Path: WdgM/WdgMConfigSet/WdgMMode/WdgMDeadlineSupervision/
Group: Local or global deadline
Type: Reference
Multiplicity: 1
Compatibility: AUTOSAR 4.0 r1
Description: This is the parameter for a reference to the destination checkpoint for deadline monitoring.
Note: The start and stop references of a deadline must match an existing local or global transition.
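The transition parameters of sections 2.5.6 and 2.5.7 and the deadline parameters of section 2.5.8 describe one mechanism from two sides: a reported checkpoint is valid only if a transition from the previously reached checkpoint is configured, and a deadline is attached to exactly such a transition (its start and stop references must match it). The following added example, not code from the S-WdgM itself, shows both checks in one routine. It assumes a WdgMTicksPerSecond of 1000, checkpoint 0 as the initial checkpoint, a constructed transition table with one deadline of 5 to 20 ms, and a 32-bit tick counter as given for WdgM_TimeBaseTickType, whose wrap-around is handled by unsigned subtraction; all struct and function names are constructed.

```c
/* Added example, not S-WdgM code: program-flow check against the configured
 * transitions plus deadline check on the matched transition. Names, the
 * tick rate and the sample table are constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define TICKS_PER_SECOND 1000u   /* stands in for WdgMTicksPerSecond (assumed value) */

/* One transition (SourceRef -> DestRef). When has_deadline is set, the pair
 * also serves as WdgMDeadlineStartRef/StopRef, with limits in seconds as
 * for WdgMDeadlineMin/WdgMDeadlineMax. */
typedef struct {
    uint16_t source_cp;
    uint16_t dest_cp;
    bool     has_deadline;
    double   deadline_min_s;
    double   deadline_max_s;
} Transition;

typedef enum { CP_OK, CP_NO_TRANSITION, CP_DEADLINE_VIOLATION } CpResult;

typedef struct {
    uint16_t last_cp;        /* last checkpoint reached */
    uint32_t last_cp_tick;   /* tick count (WdgM_TimeBaseTickType) at that moment */
} FlowState;

/* Seconds to ticks, saturating at 65535 ticks, the upper bound the
 * parameter range gives for WdgMDeadlineMax. */
static uint32_t seconds_to_ticks(double s)
{
    double t = s * TICKS_PER_SECOND + 0.5;
    if (t > 65535.0) t = 65535.0;
    if (t < 0.0) t = 0.0;
    return (uint32_t)t;
}

/* Elapsed ticks; unsigned subtraction stays correct across a uint32 wrap. */
static uint32_t elapsed_ticks(uint32_t from, uint32_t to)
{
    return to - from;
}

/* Returns CP_NO_TRANSITION if no transition last_cp -> cp is configured,
 * CP_DEADLINE_VIOLATION if the matched transition's deadline is missed,
 * CP_OK otherwise. The state advances in the latter two cases. */
CpResult checkpoint_reached(const Transition *tbl, size_t n, FlowState *st,
                            uint16_t cp, uint32_t now_tick)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].source_cp != st->last_cp || tbl[i].dest_cp != cp) continue;
        CpResult r = CP_OK;
        if (tbl[i].has_deadline) {
            uint32_t dt = elapsed_ticks(st->last_cp_tick, now_tick);
            if (dt < seconds_to_ticks(tbl[i].deadline_min_s) ||
                dt > seconds_to_ticks(tbl[i].deadline_max_s))
                r = CP_DEADLINE_VIOLATION;
        }
        st->last_cp = cp;
        st->last_cp_tick = now_tick;
        return r;
    }
    return CP_NO_TRANSITION;   /* program flow violation */
}

/* Constructed configuration: 0 -> 1 with a 5..20 ms deadline, 1 -> 2 without. */
static const Transition kTransitions[] = {
    { 0, 1, true,  0.005, 0.020 },
    { 1, 2, false, 0.0,   0.0   },
};

/* Runs 0 -> 1 -> 2 with gap_ticks between checkpoints 0 and 1; with
 * skip_cp1 the entity jumps straight from 0 to 2. */
CpResult run_flow(uint32_t start_tick, uint32_t gap_ticks, bool skip_cp1)
{
    FlowState st = { 0, start_tick };
    size_t n = sizeof kTransitions / sizeof kTransitions[0];
    if (skip_cp1) return checkpoint_reached(kTransitions, n, &st, 2, start_tick + gap_ticks);
    CpResult r = checkpoint_reached(kTransitions, n, &st, 1, start_tick + gap_ticks);
    if (r != CP_OK) return r;
    return checkpoint_reached(kTransitions, n, &st, 2, start_tick + gap_ticks + 1);
}
```

Attaching the deadline to the transition record is what enforces the note on WdgMDeadlineStartRef/StopRef by construction: a deadline that does not correspond to a configured transition cannot be expressed. The wrap-around case (start tick near 0xFFFFFFFF) is the one most often got wrong in hand-written tick comparisons; the modular subtraction keeps it correct.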
2.6 ECU Description Configuration
2.6.1 Assumptions/Constraints
There is a WdgMTrigger element for every WdgMWatchdog element; i.e., the former's WdgMTriggerWatchdogRef always "points" to an existing WdgMWatchdog element.
For the purpose of navigating within the ECU description file, we assume that every referenced element is identified by its SHORT-NAME element.
Example: A WdgMTrigger element's WdgMTriggerWatchdogRef attribute is a reference to a WdgMWatchdog SHORT-NAME element and not to its WdgMWatchdogName element.
We expect the Checkpoint IDs to create a zero-based, monotonically increasing sequence of integers with no gaps.
We expect that every WdgMMode element has a maximum of one WdgMProgramFlowSupervision subelement, which in turn has exactly one WdgMGlobalCheckpointInitialRef subelement.
We expect that the WdgMSupervisedEntityId attribute of all SupervisedEntity instances in one ECU description file builds a zero-based, monotonically increasing sequence of integers with no gaps. This is a requirement because the embedded code uses the Entity ID as an array index when accessing WdgMSupervisedEntity.
The ECU description files to be used for configuring the Watchdog Manager must belong to the XML namespace "http://autosar.org/3.1.4".
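Because the generated code uses the entity ID as an array index, a gap or a duplicate in the ID sequence is not a cosmetic problem: it becomes an out-of-bounds access in the supervision code. The following added example (written for this page, not the S-WdgM Configuration Generator's own validation) checks the three constraints stated above against a description that has already been parsed: supervised entity IDs and per-entity checkpoint IDs must be exactly 0, 1, 2, ... in order, and every WdgMTriggerWatchdogRef must name an existing WdgMWatchdog SHORT-NAME. The struct names and the sample SHORT-NAMEs are constructed.

```c
/* Added example, not S-WdgM code: validating the ID and reference constraints
 * of section 2.6.1 on an already-parsed ECU description. Names and sample
 * data are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct { const char *short_name; } WatchdogCfg;        /* WdgMWatchdog SHORT-NAME */
typedef struct { const char *watchdog_ref; } TriggerCfg;       /* WdgMTriggerWatchdogRef */
typedef struct {
    uint16_t        id;       /* WdgMSupervisedEntityId */
    const uint16_t *cp_ids;   /* WdgMCheckpointId values in document order */
    size_t          n_cp;
} SeCfg;
typedef struct {
    const WatchdogCfg *wdgs;  size_t n_wdg;
    const TriggerCfg  *trigs; size_t n_trig;
    const SeCfg       *ses;   size_t n_se;
} EcuDescription;

typedef enum {
    CFG_OK,
    CFG_SE_ID_SEQUENCE,       /* entity IDs are not 0,1,2,... in order */
    CFG_CP_ID_SEQUENCE,       /* checkpoint IDs within an entity are not 0,1,2,... */
    CFG_TRIGGER_DANGLING_REF  /* a trigger references a watchdog that does not exist */
} CfgCheck;

/* True when ids[i] == i for all i: zero-based, increasing, gap-free. */
static bool is_index_sequence(const uint16_t *ids, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((size_t)ids[i] != i) return false;
    return true;
}

CfgCheck check_ecu_description(const EcuDescription *d)
{
    for (size_t i = 0; i < d->n_se; i++) {
        if ((size_t)d->ses[i].id != i) return CFG_SE_ID_SEQUENCE;
        if (!is_index_sequence(d->ses[i].cp_ids, d->ses[i].n_cp)) return CFG_CP_ID_SEQUENCE;
    }
    for (size_t t = 0; t < d->n_trig; t++) {
        bool found = false;
        for (size_t w = 0; w < d->n_wdg && !found; w++)
            found = (strcmp(d->trigs[t].watchdog_ref, d->wdgs[w].short_name) == 0);
        if (!found) return CFG_TRIGGER_DANGLING_REF;
    }
    return CFG_OK;
}

/* Constructed sample data (not taken from any real ECU description). */
static const uint16_t    kCpA[]     = { 0, 1, 2 };
static const uint16_t    kCpB[]     = { 0, 1 };
static const uint16_t    kCpGap[]   = { 0, 2 };
static const WatchdogCfg kWdgs[]    = { { "WdgMWatchdog_Internal" } };
static const TriggerCfg  kTrigOk[]  = { { "WdgMWatchdog_Internal" } };
static const TriggerCfg  kTrigBad[] = { { "WdgMWatchdog_External" } };

CfgCheck sample_valid(void)
{
    const SeCfg ses[] = { { 0, kCpA, 3 }, { 1, kCpB, 2 } };
    EcuDescription d = { kWdgs, 1, kTrigOk, 1, ses, 2 };
    return check_ecu_description(&d);
}
CfgCheck sample_entity_gap(void)
{
    const SeCfg ses[] = { { 0, kCpA, 3 }, { 2, kCpB, 2 } };   /* entity ID 1 missing */
    EcuDescription d = { kWdgs, 1, kTrigOk, 1, ses, 2 };
    return check_ecu_description(&d);
}
CfgCheck sample_checkpoint_gap(void)
{
    const SeCfg ses[] = { { 0, kCpGap, 2 } };                 /* checkpoint ID 1 missing */
    EcuDescription d = { kWdgs, 1, kTrigOk, 1, ses, 1 };
    return check_ecu_description(&d);
}
CfgCheck sample_dangling_trigger(void)
{
    const SeCfg ses[] = { { 0, kCpA, 3 } };
    EcuDescription d = { kWdgs, 1, kTrigBad, 1, ses, 1 };     /* no such watchdog */
    return check_ecu_description(&d);
}
```

A check of this kind belongs at generation time, before any C tables are emitted; rejecting the description there is cheaper and safer than discovering the problem as a wrong array index on the target.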
2.7 API Description
The S-WdgM software module is the top level layer of the Safe Watchdog Manager Stack. The S-WdgM software module contains the core functionality with supervised entity state machines and calculation of the S-WdgM global state. The S-WdgM communicates on one side through its user API with the Application Layer (optionally using RTE) and through its system API with the Basic Software Components (BSW) and, on the other side, with the S-WdgIf layer.
2.7.1 S-WdgM Type Definitions
This Section describes the types of parameters passed to the API functions of the S-WdgM.
Name: WdgM_ConfigType
Type: Structure
Range: N/A
Description: This is the type for the S-WdgM configuration structure. This structure is generated by the S-WdgM Configuration Generator (page 102).
Name: WdgM_SupervisedEntityIdType
Type: uint16
Range: 0...65534
Description: This is the type for an individual supervised entity for the Safe Watchdog Manager.
Note: If configuration parameter WDGM_USE_RTE is set to STD_ON, then this type is imported, otherwise it is generated.
Name: WdgM_CheckpointIdType
Type: uint16
Range: 0...65534
Description: This is the type for a checkpoint in the context of a supervised entity for the S-WdgM.
Note: If configuration parameter WDGM_USE_RTE is set to STD_ON, then this type is imported, otherwise it is generated.
Name: WdgM_ModeType
Type: uint8
Range: 0...255
Description: This is the type for the ID of a trigger mode that was configured for the S-WdgM. The current trigger mode can be retrieved with WdgM_GetMode().
Note: If configuration parameter WDGM_USE_RTE is set to STD_ON, then this type is imported, otherwise it is generated.
Name: WdgM_LocalStatusType
Type: uint8
Range: WDGM_LOCAL_STATUS_OK = 0, WDGM_LOCAL_STATUS_FAILED = 1, WDGM_LOCAL_STATUS_EXPIRED = 2, WDGM_LOCAL_STATUS_DEACTIVATED = 4
Description: This is the type for the local monitoring state of a supervised entity. The current local state of a supervised entity can be retrieved with WdgM_GetLocalStatus().
Note: If configuration parameter WDGM_USE_RTE is set to STD_ON, then this type is imported, otherwise it is generated.
Name: WdgM_GlobalStatusType
Type: uint8
Range: WDGM_GLOBAL_STATUS_OK = 0, WDGM_GLOBAL_STATUS_FAILED = 1, WDGM_GLOBAL_STATUS_EXPIRED = 2, WDGM_GLOBAL_STATUS_STOPPED = 3, WDGM_GLOBAL_STATUS_DEACTIVATED = 4
Description: This is the type for the global monitoring state. It summarizes the local states of all supervised entities. The current global state can be retrieved with WdgM_GetGlobalStatus().
Note: If configuration parameter WDGM_USE_RTE is set to STD_ON, then this type is imported, otherwise it is generated.
Name: WdgM_TimeBaseTickType
Type: uint32
Range: 0...2^32-1
Description: This is the type for the Timebase Tick.
Name: Std_VersionInfoType
Type: Structure
Range: N/A
Description: This is the parameter type of function WdgM_GetVersionInfo() (page 92).
2.7.2 S-WdgM Application Level API Functions
This Section describes the S-WdgM API functions that are imported or provided by the S-WdgM software module.
Syntax: Std_ReturnType WdgM_SetMode(WdgM_ModeType Mode, uint16 CallerID)
Service ID [hex]: 0x03
Sync/Async: Synchronous
Reentrant: Yes
Parameters (in): Mode: The ID of the Trigger Mode to which the S-WdgM must be set.
CallerID: ID of the caller allowed to call the function WdgM_SetMode(). The allowed caller is defined in the configuration. The caller ID is checked if WdgMDefensiveBehavior is true.
Parameters (in/out): None
Parameters (out): None
Return value: Std_ReturnType:
E_OK: The new Trigger Mode has been successfully set.
E_NOT_OK: The setting of the new Trigger Mode failed.
Compatibility: AUTOSAR 4.0 r1 / TTTech
Description: This function sets the Trigger Mode of the S-WdgM. The S-WdgM Trigger Mode is a set of Watchdog trigger times and Watchdog mode. The S-WdgM can have one or more Trigger Modes for every watchdog. In contrast to AUTOSAR, where the Mode represents a set of entities with all entity-specific parameters, the S-WdgM Trigger Mode only sets the following parameters:
- WdgMTriggerConditionValue
- WdgMTriggerWindowStart
- WdgMWatchdogMode
Note: A change to trigger mode with ID Mode sets all configured watchdogs to the trigger mode with ID Mode. As a consequence, all watchdogs must have configured the same number of Trigger Modes.
This function can be used to increase the S-WdgM supervision cycle in an MCU sleep mode.
Syntax: Std_ReturnType WdgM_GetMode(WdgM_ModeType* Mode)
Service ID [hex]: 0x0b
Sync/Async: Synchronous
Reentrant: Yes
Parameters (in): None
Parameters (in/out): None
Parameters (out): Mode: Pointer to the current Trigger Mode ID of the Watchdog Manager
Return value: Std_ReturnType:
E_OK: Current Trigger Mode successfully returned.
E_NOT_OK: Returning current Trigger Mode failed.
Compatibility: AUTOSAR 4.0 r1 / TTTech
Description: Returns the current Trigger Mode of the S-WdgM. The S-WdgM Trigger Mode represents one Watchdog trigger time and mode setting.
Syntax: Std_ReturnType WdgM_CheckpointReached(WdgM_SupervisedEntityIdType SEID, WdgM_CheckpointIdType CheckpointID)
Service ID [hex]: 0x0e
Sync/Async: Synchronous
Reentrant: Yes, reentrant in the context of a different supervised entity.
Parameters (in): SEID: Identifier of the supervised entity that reports a checkpoint.
CheckpointID: Identifier of the checkpoint within a supervised entity that has been reached.
Parameters (in/out): None
Parameters (out): None
Return value: Std_ReturnType:
E_OK: Checkpoint monitoring successful.
E_NOT_OK: Checkpoint monitoring fault. Returned in the following cases:
- WDGM_E_NO_INIT: Uninitialized S-WdgM (DET code 0x10)
- WDGM_E_PARAM_SEID: Wrong Id number of the supervised entity (DET code 0x13)
- WDGM_E_CPID: Invalid checkpoint ID number (DET code 0x16)
- WDGM_E_PARAM_STATE: Invalid S-WdgM state. Reset will be invoked (DET code 0x29).
Compatibility: AUTOSAR 4.0 r1
Description: Indicates to the S-WdgM that a checkpoint within a supervised entity has been reached.
Syntax: Std_ReturnType WdgM_GetLocalStatus(WdgM_SupervisedEntityIdType SEID, WdgM_LocalStatusType* Status)
Service ID [hex]: 0x0c
Sync/Async: Synchronous
Reentrant: Yes
Parameters (in): SEID: Identifier of the supervised entity whose monitoring state is returned.
Parameters (in/out): None
Parameters (out): Status: Pointer to the local monitoring state of the given supervised entity.
Return value: Std_ReturnType:
E_OK: Current monitoring state successfully returned.
E_NOT_OK: Returning the current monitoring state failed.
Compatibility: AUTOSAR 4.0 r1
Description: Returns the monitoring state of the given supervised entity.
Note: The S-WdgM updates the state inside the WdgM_MainFunction() every supervision cycle.
Syntax: Std_ReturnType WdgM_GetGlobalStatus(WdgM_GlobalStatusType* Status)
Service ID [hex]: 0x0d
Sync/Async: Synchronous
Reentrant: Yes
Parameters (in): None
Parameters (in/out): None
Parameters (out): Status: Pointer to global monitoring state of the S-WdgM.
Return value: Std_ReturnType:
E_OK: Current global monitoring state successfully returned.
E_NOT_OK: Watchdog reset failed.
Compatibility: AUTOSAR 4.0 r1
Description: Returns the global monitoring state of the S-WdgM.
Note: The S-WdgM updates the state inside the WdgM_MainFunction() every supervision cycle.
Syntax: Std_ReturnType WdgM_PerformReset(void)
Service ID [hex]: 0x0f
Sync/Async: Synchronous
Reentrant: No
Parameters (in): None
Parameters (in/out): None
Parameters (out): None
Return value: Std_ReturnType:
E_OK: This value will not be returned because the reset is activated, and the routine does not return.
E_NOT_OK: The function has failed.
Compatibility: AUTOSAR 4.0 r1
Description: Instructs the S-WdgM to cause an immediate watchdog reset.
Note: This function is hardware-dependent. Some watchdogs do not support an immediate reset. Check the S-Wdg Driver documentation.
This function may directly access hardware registers. Access to hardware registers can be dependent on hardware platforms and software architectures. Hence, the application that calls WdgM_PerformReset() must have the corresponding access rights.
Syntax: Std_ReturnType WdgM_DeactivateSupervisionEntity(WdgM_SupervisedEntityIdType SEID)
Reentrant: Yes
Parameters (in): SEID: ID of the supervised entity to be deactivated. Range [0...N]
Parameters (in/out): None
Parameters (out): None
Return value: Std_ReturnType:
E_OK: Marking the supervised entity for deactivation was successful.
E_NOT_OK: Marking the supervised entity for deactivation failed.
Compatibility: TTTech, AUTOSAR 3.1
Note: Defined in the AUTOSAR 3.1 specification. This function is no longer available in the AUTOSAR 4.0 r1 specification.
Description: The function marks an entity for deactivation. An entity can only be deactivated when its local state is WDGM_LOCAL_STATUS_OK or WDGM_LOCAL_STATUS_FAILED. The deactivation itself happens at the end of the supervision cycle inside the WdgM_MainFunction(). When an entity is deactivated then its checkpoints are not evaluated anymore and the entity local state is WDGM_LOCAL_STATUS_DEACTIVATED.
Note: When an entity is deactivated, the global transitions to this entity are not evaluated.
Using this function can degrade system safety. The deactivation of entity supervision in safety-related products needs special attention to avoid unintended supervised entity deactivation.
The function WdgM_DeactivateSupervisionEntity() can deactivate a supervised entity only before its initial checkpoint was passed or after its end checkpoint was passed. The focus here is on entities that are spread over more than one supervision cycles.
Note: The local program flow of a supervised entity may span over more than one supervision cycle. Those active entities cannot be deactivated while running. Deactivating active SEs leads to a DEM error report.
In the same call of WdgM_MainFunction(), first the supervised entity is deactivated, then the local states of all supervised entities and the global state are set.
After SE deactivation the function WdgM_GetLocalStatus() can be used to check the SE local state.
This function is only available if the preprocessor switch WdgMEntityDeactivationEnabled is set to true and if the entity option WdgMEnableEntityDeactivation (page 61) is set to true.
Syntax: Std_ReturnType WdgM_ActivateSupervisionEntity(WdgM_SupervisedEntityIdType SEID)
Parameters (in): SEID: Supervised entity identifier.
Parameters (in/out): None
Parameters (out): None
Return value: Std_ReturnType:
E_OK: Marking the supervised entity for activation was successful.
E_NOT_OK: Marking the supervised entity for activation failed.
Compatibility: TTTech, AUTOSAR 3.1
Note: Defined in the AUTOSAR 3.1 specification, this function is no longer available in the AUTOSAR 4.0 r1 specification.
Description: The function marks an entity for activation. An entity can only be activated when its local state is WDGM_LOCAL_STATUS_DEACTIVATED. The activation itself happens at the end of the supervision cycle inside the WdgM_MainFunction().
Note: This function can degrade system safety. The activation of entity supervision in safety-related products needs special attention to avoid unintended supervised entity deactivation.
In the same call of WdgM_MainFunction(), first the local states of all supervised entities and the global state are set, then the supervised entity is activated.
After SE activation the function WdgM_GetLocalStatus() can be used to check the SE local state.
This function is only available if the preprocessor switch WdgMEntityDeactivationEnabled is set to true and if the entity option WdgMEnableEntityDeactivation is set to true.
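The two functions above only mark an entity; the state change is applied inside WdgM_MainFunction(), and in a documented order (deactivation before the state evaluation, activation after it). The following added example, a model written for this page rather than S-WdgM code, implements those rules for a single entity so the timing becomes visible: the precondition on the local state, the rejection of an entity whose program flow is still running (with a DEM report), the WdgMEnableEntityDeactivation gate, and the deferred state change. Struct and function names are constructed; the local status values are the ones listed for WdgM_LocalStatusType. One assumption is made that the page does not state: a re-activated entity is placed in WDGM_LOCAL_STATUS_OK.

```c
/* Added example, not S-WdgM code: a model of the documented activation and
 * deactivation rules for one supervised entity. Names are constructed;
 * the post-activation state WDGM_LOCAL_STATUS_OK is an assumption. */
#include <stdbool.h>

typedef enum {
    WDGM_LOCAL_STATUS_OK = 0,
    WDGM_LOCAL_STATUS_FAILED = 1,
    WDGM_LOCAL_STATUS_EXPIRED = 2,
    WDGM_LOCAL_STATUS_DEACTIVATED = 4
} LocalStatus;

typedef enum { E_OK = 0, E_NOT_OK = 1 } StdReturn;

typedef struct {
    bool        deactivation_enabled;  /* WdgMEnableEntityDeactivation for this entity */
    LocalStatus status;
    bool        running;               /* initial checkpoint passed, end checkpoint not yet passed */
    bool        pending_deactivate;
    bool        pending_activate;
    unsigned    dem_reports;           /* stand-in for reports via Appl_Dem_ReportErrorStatus() */
} Entity;

/* Models WdgM_DeactivateSupervisionEntity(): only marks the entity; the
 * state change happens in the next main-function cycle. */
StdReturn request_deactivate(Entity *e)
{
    if (!e->deactivation_enabled) return E_NOT_OK;
    if (e->status != WDGM_LOCAL_STATUS_OK && e->status != WDGM_LOCAL_STATUS_FAILED)
        return E_NOT_OK;
    if (e->running) {                  /* active entity spanning cycles: cannot be deactivated */
        e->dem_reports++;
        return E_NOT_OK;
    }
    e->pending_deactivate = true;
    return E_OK;
}

/* Models WdgM_ActivateSupervisionEntity(): allowed only from DEACTIVATED. */
StdReturn request_activate(Entity *e)
{
    if (!e->deactivation_enabled) return E_NOT_OK;
    if (e->status != WDGM_LOCAL_STATUS_DEACTIVATED) return E_NOT_OK;
    e->pending_activate = true;
    return E_OK;
}

/* End-of-cycle processing in the documented order: deactivation first,
 * then local state evaluation, then activation. 'evaluated' stands for
 * the local state this cycle's supervision results would assign. */
void main_function_cycle(Entity *e, LocalStatus evaluated)
{
    if (e->pending_deactivate) {
        e->status = WDGM_LOCAL_STATUS_DEACTIVATED;
        e->pending_deactivate = false;
    }
    if (e->status != WDGM_LOCAL_STATUS_DEACTIVATED)   /* checkpoints of a deactivated SE are not evaluated */
        e->status = evaluated;
    if (e->pending_activate) {
        e->status = WDGM_LOCAL_STATUS_OK;              /* assumption, see lead-in */
        e->pending_activate = false;
    }
}

/* Constructed walk-through: deactivate, run a cycle, re-activate, run a
 * cycle. The FAILED verdict of the second cycle is ignored because the
 * entity is still deactivated when states are evaluated. */
LocalStatus deactivate_then_activate(void)
{
    Entity e = { true, WDGM_LOCAL_STATUS_OK, false, false, false, 0 };
    (void)request_deactivate(&e);
    main_function_cycle(&e, WDGM_LOCAL_STATUS_OK);
    (void)request_activate(&e);
    main_function_cycle(&e, WDGM_LOCAL_STATUS_FAILED);
    return e.status;
}
```

The point to take from the model is that WdgM_GetLocalStatus() immediately after a successful request still returns the old state; the documented way to confirm the change is to read the state after the next WdgM_MainFunction() has run.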
2.7.3 Callback Functions
Global state callback: When WDGM_STATE_CHANGE_NOTIFICATION == STD_ON and the S-WdgM global state changes, then the callback routine defined by the parameter WdgMGlobalStateChangeCbk (page 49) is called.
Local state callback: When WDGM_STATE_CHANGE_NOTIFICATION == STD_ON and the local state of a supervised entity changes, then the callback routine defined by the parameter WdgMLocalStateChangeCbk (page 63) is called.
2.7.4 S-WdgM System Level API Functions
This section describes the function definitions of the S-WdgM system level interface. The system level interface functions are not visible in the AUTOSAR application layer. The system functions are directly invoked by the BSW modules. The RTE does not generate interfaces for these functions.
Syntax: void WdgM_Init(const WdgM_ConfigType* ConfigPtr)
Service ID [hex]: 0x00
Sync/Async: Synchronous
Reentrant: No
Parameters (in): ConfigPtr: Pointer to post-build configuration data
Parameters (in/out): None
Parameters (out): None
Return value: None
Compatibility: AUTOSAR 4.0 r1
Description: The WdgM_Init() function initializes the S-WdgM. After the execution of this function, monitoring is activated according to the configuration of ConfigPtr. This function can be used during monitoring, too, but note that all pending violations are lost.
Syntax: void WdgM_GetVersionInfo(Std_VersionInfoType* VersionInfo)
Service ID [hex]: 0x02
Sync/Async: Synchronous
Reentrant: Yes
Parameters (in): None
Parameters (in/out): None
Parameters (out): VersionInfo: Pointer to where to store the version information of the S-WdgM module.
Return value: None
Compatibility: AUTOSAR 4.0 r1
Description: The WdgM_GetVersionInfo() function returns information about the version of this module. This includes the module ID, the vendor ID, and the vendor-specific version number.
Syntax: void WdgM_MainFunction(void)
Service ID [hex]: 0x08
Timing: FIXED_CYCLIC
Reentrant: No
Parameters (in): None
Parameters (in/out): None
Parameters (out): None
Return value: None
Compatibility: AUTOSAR 4.0 r1
Description: This function evaluates monitoring data gathered from the hit checkpoints in all supervised entities during the supervision cycle. Depending on the violation found (if there is any), the local state of the supervised entities and the S-WdgM global state are evaluated again.
Depending on the resulting global state:
- the WD is triggered, or
- the WD trigger discontinues (safe state), or
- the WD is reset (safe state).
The function must run at the end of every supervision cycle. It may be called by the Basic Software Scheduler or a task with a fixed period time.
The WdgM_MainFunction() function is not reentrant. To prevent data inconsistency when it is interrupted by itself (e.g., due to schedule overload), the function checks if it is executed concurrently. If this function is started before its last instance has finished, it raises a development error.
Note:
- Alive counter violations are detected at the end of every alive supervision reference cycle,
- program flow violations are detected at the end of every supervision cycle,
- continued program flow violations are detected at the end of every program flow supervision cycle,
- deadline violations are detected at the end of every supervision cycle,
- continued deadline violations are detected at the end of every deadline supervision cycle.
See also the Safe Watchdog Manager Safety Manual [5] (page 128).
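The concurrency check in the description above is easy to get subtly wrong: a plain "if (running) report; running = true;" sequence can itself be interrupted between the test and the set, so two instances both pass. The following added example (a model written for this page, not the S-WdgM implementation) shows the check done the way the module's expected interfaces suggest, with the test-and-set bracketed by SchM_Enter_WdgM()/SchM_Exit_WdgM(), which section 2.7.5 names as the interrupt-suspension mechanism used when WdgMUseOsSuspendInterrupt is STD_ON. The SchM and DET wrappers are stubs that only count calls, the DET error code is a placeholder (the page gives none for this case), and the hook argument exists only so a test can simulate the function being interrupted by itself.

```c
/* Added example, not S-WdgM code: a reentrancy guard for the cyclic main
 * function. Stubs, names and the DET code are constructed for this page. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

#define WDGM_E_MAIN_REENTRANT 0x7Fu   /* placeholder DET code; not a documented S-WdgM value */

/* Stand-ins for SchM_Enter_WdgM()/SchM_Exit_WdgM(); they only track nesting here. */
static unsigned g_critical_depth;
static void schm_enter_wdgm(void) { g_critical_depth++; }
static void schm_exit_wdgm(void)  { g_critical_depth--; }

/* Stand-in for Appl_Det_ReportError(): counts reports instead of forwarding. */
static unsigned g_det_reports;
static void appl_det_report_error(uint8_t code) { (void)code; g_det_reports++; }

static volatile bool g_main_running;   /* true while an instance is executing */
static unsigned g_cycles_evaluated;    /* cycles whose supervision data was evaluated */

typedef void (*CycleHook)(void);       /* test hook: simulates an interruption mid-cycle */

/* Models the documented behaviour: an instance started before the previous
 * one finished raises a development error and does not touch the data. */
void wdgm_main_function_model(CycleHook during_cycle)
{
    bool already_running;
    schm_enter_wdgm();                 /* test-and-set must not be interruptible */
    already_running = g_main_running;
    if (!already_running) g_main_running = true;
    schm_exit_wdgm();
    if (already_running) {
        appl_det_report_error(WDGM_E_MAIN_REENTRANT);
        return;
    }

    g_cycles_evaluated++;              /* stands in for evaluating all supervised entities */
    if (during_cycle) during_cycle();  /* here the function may be "interrupted by itself" */

    g_main_running = false;            /* release only after the cycle is complete */
}

static void nested_call(void) { wdgm_main_function_model(NULL); }

/* Constructed scenario: one cycle interrupted by a second invocation, then a
 * normal cycle. Returns the number of DET reports; cycles_out receives the
 * number of cycles actually evaluated (expected 2: the nested call is rejected). */
unsigned reentrancy_scenario(unsigned *cycles_out)
{
    g_det_reports = 0;
    g_cycles_evaluated = 0;
    g_main_running = false;
    wdgm_main_function_model(nested_call);
    wdgm_main_function_model(NULL);
    if (cycles_out) *cycles_out = g_cycles_evaluated;
    return g_det_reports;
}

/* Exposes the nesting counter so a test can confirm the critical section was balanced. */
unsigned critical_depth(void) { return g_critical_depth; }
```

The rejected instance returns without evaluating anything, so the outer instance's view of the checkpoint data stays consistent; the development error is the signal that the scheduler overload the description mentions has actually occurred and should be investigated rather than silently tolerated.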
Syntax: void WdgM_UpdateTickCount(void)
Service ID [hex]: None
Timing: FIXED_CYCLIC
Reentrant: No
Parameters (in): None
Parameters (in/out): None
Parameters (out): None
Return value: None
Compatibility: TTTech
Description: This function increments the S-WdgM Timebase Tick Counter by one. When the precompile configuration parameter WdgMTimebaseSource (page 44) is set to WDGM_EXTERNAL_TICK, then this function needs to be called periodically from outside the S-WdgM. The Timebase Tick Counter delivers the time base for deadline monitoring. In the AUTOSAR environment, this function can be called, for example, from a task with fixed time period and high priority.
2.7.5 Expected Interfaces
This section describes the expected interfaces to external modules used by the S-WdgM at BSW level (see Figure 18) and describes how to use the external interfaces with regard to safety (for detailed requirements on how to use external interfaces, see the Safe Watchdog Manager Safety Manual [5] (page 128)).
Note: The external modules are AUTOSAR-defined modules.
[Fig. 18: Expected interfaces to external modules. The figure shows the RTE, the S-WdgM with its Application Level API and Safe Watchdog Notification, the S-WdgM BSW interfaces WdgM_Init(), WdgM_GetVersionInfo(), WdgM_MainFunction(), WdgM_UpdateTickCount() and WdgM_GetTickCount(), and the external modules EcuM, SchM, Dem, Det, Mcu and S-WdgIf with the functions Appl_Dem_ReportErrorStatus(), Appl_Det_ReportError(), Appl_Mcu_PerformReset(), SchM_Enter_WdgM(), SchM_Exit_WdgM(), WdgIf_SetMode(), WdgIf_SetTriggerWindow() and WdgIf_GetTickCounter(). Interfaces marked * are optional.]
Function: Appl_Dem_ReportErrorStatus()
Description: If the precompiler switch WdgMDemReport is set to STD_ON, the S-WdgM calls the function Dem_ReportErrorStatus() through the wrapper Appl_Dem_ReportErrorStatus().
Safety aspect: The DEM module may not meet the required quality level. The wrapper is implemented to guarantee freedom from interference. See the Safe Watchdog Manager Safety Manual [5] (page 128) for more information.
Function: Appl_Det_ReportError()
Description: If the precompiler switch WdgMDevErrorDetect is set to STD_ON, the S-WdgM calls the function Det_ReportError() through the wrapper Appl_Det_ReportError().
Safety aspect: The DET module may not meet the required quality level. The wrapper is implemented to guarantee freedom from interference. See the Safe Watchdog Manager Safety Manual [5] (page 128) for more information.
Function: Appl_Mcu_PerformReset()
Description: If the precompiler switch WDGM_SECOND_RESET_PATH is STD_ON, the S-WdgM calls the function Mcu_PerformReset() through the wrapper Appl_Mcu_PerformReset().
Safety aspect: The MCU module may not meet the required quality level. The wrapper is implemented to guarantee freedom from interference. See the Safe Watchdog Manager Safety Manual [5] (page 128) for more information.
Function: SchM_Enter_WdgM() and SchM_Exit_WdgM()
Description: If the precompiler switch WdgMUseOsSuspendInterrupt is set to STD_ON, the S-WdgM calls the functions SchM_Enter_WdgM() and SchM_Exit_WdgM().
Safety aspect: The SCHM module may not meet the required quality level. See the Safe Watchdog Manager Safety Manual [5] (page 128) for more information.
Note: If the precompiler switches
- WdgMDevErrorDetect,
- WdgMDemReport,
- WdgMUseOsSuspendInterrupt,
- WdgMImmediateReset and
- WDGM_SECOND_RESET_PATH
are set to false, the S-WdgM module does not call the corresponding function(s).
Note: The functions listed in the table above may not meet the required quality level and, thus, must be wrapped in order to ensure freedom from interference with the S-WdgM. The integrator must implement the Appl_...() functions according to the requirements specified in the Safe Watchdog Manager Safety Manual [5] (page 128).
Note: The system integrator must revise the necessity of the expected interfaces. A called external function may degrade the quality level of the S-WdgM below the required quality level.
2.7.6 AUTOSAR 3.1 Compatibility Mode
If the parameter WdgMSupportedAutosarAPI (page 62) is set to API_3_1, the S-WdgM is compiled in the AUTOSAR 3.1 compatibility mode. This means that its functionality is reduced to the functionality described by AUTOSAR 3.1.
The AUTOSAR 3.1 compatibility mode has the following configuration restrictions:
- Exactly one checkpoint must be defined for a supervised entity.
- The checkpoint must have an initial attribute and an end attribute.
- An Alive counter must be defined for the checkpoint.
- Local and global transitions are not allowed.
- The AUTOSAR 4.0 r1 supervised entities are not allowed.
Note: The AUTOSAR 3.1 compatibility mode must be differentiated from the AUTOSAR environment version in which the S-WdgM is integrated. The compatibility mode is related only to the functionality of the module.
2.7.6.1 User API
If the parameter WdgMSupportedAutosarAPI (page 62) is set to API_3_1 (embedded macro WDGM_AUTOSAR_3_1_X_COMPATIBILITY = STD_ON), then the S-WdgM provides the AUTOSAR 3.1 functions described in the table below. The table also shows the internal mapping of the AUTOSAR 3.1 to the AUTOSAR 4.0 r1 functions:
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_SetMode(Mode)
Native S-WdgM function: WdgM_SetMode(Mode, CallerID)
Note: The CallerID = 0 is added in the S-WdgM embedded code.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_GetMode(*Mode)
Native S-WdgM function: WdgM_GetMode(*Mode)
Note: The function signature is the same.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_UpdateAliveCounter(SEID)
Native S-WdgM function: WdgM_CheckpointReached(SEID, CPID)
Note: The CPID = 0 is added in the S-WdgM embedded code.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_GetAliveSupervisionStatus(SEID, *status)
Native S-WdgM function: WdgM_GetLocalStatus(SEID, *status)
Note: The function name is redefined in the file WdgM_swc.arxml.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_GetGlobalStatus(*status)
Native S-WdgM function: WdgM_GetGlobalStatus(*status)
Note: The function signature is the same.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_ActivateAliveSupervision(SEID)
Native S-WdgM function: WdgM_ActivateSupervisionEntity(SEID)
Note: The function name is redefined in the file WdgM_swc.arxml.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_DeactivateAliveSupervision(SEID)
Native S-WdgM function: WdgM_DeactivateSupervisionEntity(SEID)
Note: The function name is redefined in the file WdgM_swc.arxml.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_GssChangeCbk(status)
Native S-WdgM function: WdgM_GlobalStateChangeCbk(status)
Note: The function name is redefined in the file WdgM_swc.arxml.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_IssChangeCbk(status)
Native S-WdgM function: WdgM_LocalStateChangeCbk(status)
Note: The function name is redefined in the file WdgM_swc.arxml.
2.7.6.2 System API
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_Init(&Config)
Native S-WdgM function: WdgM_Init(&Config)
Note: The function signature is the same.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_GetVersionInfo(&versioninfo)
Native S-WdgM function: WdgM_GetVersionInfo(&versioninfo)
Note: The function signature is the same.
S-WdgM in AUTOSAR 3.1 compatibility mode: WdgM_Cbk_GptNotification()
Native S-WdgM function: WdgM_UpdateTickCount()
Note: In the AUTOSAR 3.1
environment
the
WdgM_UpdateTickCount()
function is not used,
because it is used in the AUTOSAR 4.0 r1 deadline
monitoring only.
S-WdgM in AUTOSAR 3.1WdgM_MainFunction_AliveSupervision()
compatibility modeNative S-WdgM functionWdgM_MainFunction()
NoteIn the AUTOSAR 3.1 and AUTOSAR 4.0 r1 environment,
the native S-WdgM function
(WdgM_MainFunction()85 ) must be called.
3 Integration
3.1 Initialization of the S-WdgM
In a safety-related system, the initialization of the Watchdog device should be done as soon as possible after system start (at least before a QM task may compromise the initialization process). The Watchdog device starts the counter for the next expected trigger.
Note: How the Watchdog device is initialized and configured, and how it reacts, is platform-dependent and may differ between platforms. See the corresponding Safe Watchdog Driver User Manual.
The time between the initialization of the S-Wdg and the first triggering in the function WdgM_MainFunction() (Supervision cycle 0) must match the Watchdog requirements. This time can be adapted in the S-Wdg configuration by changing the initial S-Wdg trigger window to meet the operating system start time requirements (see Figure 19).
[Figure 19 (diagram, not reproduced in this text). Labels recovered from the figure: Supervision cycle 0, Supervision cycle 1, Supervision cycle 2; Trigger; OS is running; Init. WD level; WD reload level; WD reset level; WD counter value (y-axis) over time (x-axis); WD not initialized; WD initial trigger window; Trigger window; Reset window; Initialization, Program flow, main(), Wdg_<...>_Init(), WdgM_Init(), WdgM_MainFunction(), tasks.]
Fig. 19: Start phase of the S-WdgM
The y-axis in Figure 21 shows the WD counter value, which is reset after each trigger. Then the countdown runs until the S-Wdg is triggered again (within the WD initial trigger window or the Trigger window) or 0 (WD Reset level) is reached (i.e., the window has been missed), so that a reset is performed.
Notes:
- Not all hardware platforms can configure a different trigger time for the first supervision cycle (cycle 0).
- In the first supervision cycle, the Alive counter evaluation can be suppressed by the parameter WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET.
- The functions WdgM_Init() and WdgM_MainFunction() can also be placed inside a task.
- The function Wdg_<...>_Init() can be placed before main().
- For safety reasons the S-WdgM uses the windowed triggering mode. This means that triggering the watchdog outside the defined window time causes a reset.
After the execution of the function WdgM_Init(), the supervision of the configured entities is activated and the checkpoints can be executed (called).
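The windowed triggering and the start phase described above, as an added example that is not part of this manual or of TTTech's code: a small C model of the watchdog counter that accepts a trigger only inside the window of the current cycle and reports a reset otherwise. Cycle 0 uses the S-Wdg limits (WdgWindowStart, WdgInitialTimeout), every later cycle the S-WdgM limits (WdgMTriggerWindowStart, WdgMTriggerConditionValue). The type and function names (wd_model_t, wd_model_trigger and so on) and all window values are assumptions of this example.

```c
/* Added example (not TTTech code): a host-side model of the windowed watchdog
 * triggering described above, covering the start phase of Figure 19. Cycle 0
 * uses the S-Wdg limits WdgWindowStart/WdgInitialTimeout; every later cycle
 * uses the S-WdgM limits WdgMTriggerWindowStart/WdgMTriggerConditionValue.
 * Type and function names and all numeric values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    WD_OK = 0,        /* trigger inside the window: counter reloaded */
    WD_RESET_EARLY,   /* trigger before the window opened: reset     */
    WD_RESET_TIMEOUT  /* window missed, counter reached 0: reset     */
} wd_result_t;

typedef struct {
    uint32_t WdgWindowStart_ms;             /* cycle 0 lower limit (S-Wdg)  */
    uint32_t WdgInitialTimeout_ms;          /* cycle 0 upper limit (S-Wdg)  */
    uint32_t WdgMTriggerWindowStart_ms;     /* cycles >= 1 lower limit      */
    uint32_t WdgMTriggerConditionValue_ms;  /* cycles >= 1 upper limit      */
} wd_config_t;

typedef struct {
    const wd_config_t *cfg;
    uint32_t last_trigger_ms;  /* Wdg init time or time of the last trigger    */
    uint32_t cycle;            /* supervision cycle number, 0 right after init */
} wd_model_t;

/* Equivalent of Wdg_<...>_Init(): the countdown for cycle 0 starts now. */
void wd_model_init(wd_model_t *wd, const wd_config_t *cfg, uint32_t now_ms)
{
    wd->cfg = cfg;
    wd->last_trigger_ms = now_ms;
    wd->cycle = 0;
}

/* Window limits that apply to the current cycle. */
static void wd_window(const wd_model_t *wd, uint32_t *lo, uint32_t *hi)
{
    bool first = (wd->cycle == 0);
    *lo = first ? wd->cfg->WdgWindowStart_ms : wd->cfg->WdgMTriggerWindowStart_ms;
    *hi = first ? wd->cfg->WdgInitialTimeout_ms : wd->cfg->WdgMTriggerConditionValue_ms;
}

/* Trigger issued by WdgM_MainFunction() at time now_ms. */
wd_result_t wd_model_trigger(wd_model_t *wd, uint32_t now_ms)
{
    uint32_t lo, hi, elapsed = now_ms - wd->last_trigger_ms;
    wd_window(wd, &lo, &hi);
    if (elapsed > hi) return WD_RESET_TIMEOUT;  /* WD reset level was reached */
    if (elapsed < lo) return WD_RESET_EARLY;    /* windowed mode: too early is a fault */
    wd->last_trigger_ms = now_ms;               /* WD reload level */
    wd->cycle++;
    return WD_OK;
}

/* Hardware view: has the countdown expired without any trigger at all? */
bool wd_model_expired(const wd_model_t *wd, uint32_t now_ms)
{
    uint32_t lo, hi;
    wd_window(wd, &lo, &hi);
    return (now_ms - wd->last_trigger_ms) > hi;
}

/* Replay trigger instants from a fresh init at t = 0; the first non-OK result wins. */
static int replay(const wd_config_t *cfg, const uint32_t *t_ms, size_t n)
{
    wd_model_t wd;
    wd_model_init(&wd, cfg, 0);
    for (size_t i = 0; i < n; i++) {
        wd_result_t r = wd_model_trigger(&wd, t_ms[i]);
        if (r != WD_OK) return (int)r;
    }
    return (int)WD_OK;
}

/* Constructed configuration: OS start may take up to 50 ms, then a 10 ms
 * supervision cycle with an 8..12 ms trigger window. */
static const wd_config_t demo_cfg = { 0, 50, 8, 12 };

/* Scenarios: cycle 0 triggered at 40 ms, then every 10 ms -> WD_OK (0);
 * second trigger only 5 ms later -> WD_RESET_EARLY (1);
 * second trigger 20 ms later -> WD_RESET_TIMEOUT (2). */
int demo_nominal(void)       { const uint32_t t[] = { 40, 50, 60, 70 }; return replay(&demo_cfg, t, 4); }
int demo_early_trigger(void) { const uint32_t t[] = { 40, 45 }; return replay(&demo_cfg, t, 2); }
int demo_missed_window(void) { const uint32_t t[] = { 40, 60 }; return replay(&demo_cfg, t, 2); }

/* OS start too slow: no trigger within 50 ms of init -> counter expired (1). */
int demo_os_start_too_slow(void)
{
    wd_model_t wd;
    wd_model_init(&wd, &demo_cfg, 0);
    return wd_model_expired(&wd, 60) ? 1 : 0;
}

int main(void)
{
    printf("nominal=%d early=%d missed=%d slow_start=%d\n", demo_nominal(),
           demo_early_trigger(), demo_missed_window(), demo_os_start_too_slow());
    return 0;
}
```

The model makes the integration point of this section concrete: the cycle-0 limits must cover the worst-case operating system start time, while the steady-state window must bracket the WdgM_MainFunction() period, and in windowed mode a trigger that arrives too early is as fatal as one that arrives too late.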
3.2 Memory Sections
Memory segmentation into sections is especially important when memory protection is used in the system.
The S-WdgM uses three basic RAM data sections:
1. Memory sections for local data of every SE: This section contains local information about every supervised entity and, if defined, also the Alive counters. These variables are used by the WdgM_CheckpointReached() function and are part of the private SWC (task, application) memory; they are written only in the context of this SWC.
Note: The S-WdgM does not protect this memory section.
2. Memory sections for global data: This section contains the S-WdgM global data such as the S-WdgM global status and the Timebase Tick counter. It is S-WdgM private memory.
Note: In the AUTOSAR environment, where QM and Safety-related modules are used together, the S-WdgM global data should be placed in a so-called trusted memory section to guarantee its safety and integrity.
3. Memory sections for global shared data: This section contains data such as the last active entity. This memory must be writable for all SWCs using the WdgM_CheckpointReached() function and for the WdgM_Init() function. As this is memory where all the QM SWCs could write, the S-WdgM variables are protected (stored double-inverted) by the S-WdgM itself. The S-WdgM checks the correctness of these variables with read operations. If a fault is detected, the S-WdgM initiates a reset.
Figure 20 shows the memory usage of the S-WdgM.
[Figure 20 (diagram, not reproduced in this text): S-WdgM RAM memory map. Section 1, S-WdgM local entity memory, lies in each SWC's private memory (write: CheckpointReached, WdgM_Init). Section 2, S-WdgM global memory (read: all; write: S-WdgM). Section 3, S-WdgM global shared memory (read: all; write: all).]
Fig. 20: Memory usage of the S-WdgM
Local entity memory:
Local entity data is supervised entity private data. This is the data where the function WdgM_CheckpointReached() writes.
The S-WdgM Configuration Generator provides defines so that the status variables of every supervised entity can be placed in a separate RAM section. The declaration of every entity starts with the defines WDGM_SEi_START_SEC_VAR_* and ends with WDGM_SEi_STOP_SEC_VAR_*, where i is the ID of the supervised entity. These defines are in the generated file WdgM_MemMap.h in an AUTOSAR 3.1 environment or WdgM_OSMemMap.h in an AUTOSAR 4.0 environment. Hence, this file must be included in the file MemMap.h.
If the entity is linked to an OS task (through its ECU description parameter WdgMAppTaskRef), then the supervised entity data is placed in a section embedded in appl_name_START_SEC_VAR_* and appl_name_STOP_SEC_VAR_*, where appl_name is the name of the application. In this case, the integrator must make sure to include the file Os_MemMap.h after the file WdgM_MemMap.h in the file MemMap.h.
Global memory:
Global data are private S-WdgM variables. The memory mapping defines are WDGM_GLOBAL_START_SEC_VAR_* and WDGM_GLOBAL_STOP_SEC_VAR_*. This section can be mapped to an OS application (through its ECU description parameter WdgMGlobalMemoryAppTaskRef). For this mapping, the defines appl_name_START_SEC_VAR_* and appl_name_STOP_SEC_VAR_* are used, where appl_name is the name of the application. In this case, the integrator must make sure to include the file Os_MemMap.h after the file WdgM_MemMap.h in the file MemMap.h.
As this section is internally not protected by the S-WdgM, it should be in a memory area where it cannot be corrupted.
Global shared memory:
Global shared data should be placed in a RAM section where all tasks can read and write that data. The memory mapping defines are WDGM_GLOBAL_SHARED_START_SEC_VAR_* and WDGM_GLOBAL_SHARED_STOP_SEC_VAR_*. These variables are internally protected by the S-WdgM.
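The double-inverted protection of the global shared data, as an added example that is not TTTech's code: each protected variable is stored together with its bitwise complement, and every read verifies the pair before the value is used, which is the kind of check the S-WdgM applies to data such as the last active entity. The names prot_u16_t, prot_write, prot_read and checkpoint_reached, the reset counter and the injected single-bit fault are constructed for this example; the section placement between WDGM_GLOBAL_SHARED_START_SEC_VAR_* and WDGM_GLOBAL_SHARED_STOP_SEC_VAR_* is left out because it depends on the generated MemMap files.

```c
/* Added example (not TTTech code): the double-inverted storage that the
 * S-WdgM applies to its global shared data (Section 3.2, item 3), modelled
 * for a host PC. The variable kept here is the "last active entity"; the
 * check runs on every read. Names and the injected fault are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Each protected word is stored together with its bitwise complement. */
typedef struct {
    uint16_t value;
    uint16_t inv_value;
} prot_u16_t;

void prot_write(prot_u16_t *p, uint16_t v)
{
    p->value = v;
    p->inv_value = (uint16_t)~v;
}

/* Consistency check: value XOR complement must be all ones. Any corruption
 * that does not flip the same bits in both words is detected. */
bool prot_read(const prot_u16_t *p, uint16_t *out)
{
    if ((uint16_t)(p->value ^ p->inv_value) != 0xFFFFu) {
        return false;
    }
    *out = p->value;
    return true;
}

/* Model of the global shared section: writable by every SWC. */
typedef struct {
    prot_u16_t last_active_se;
} wdgm_shared_t;

static int g_reset_requests;   /* resets the model would initiate */

/* Simplified checkpoint handling: validate the shared word, then record
 * the calling entity. A detected fault leads to a reset request. */
bool checkpoint_reached(wdgm_shared_t *sh, uint16_t seid, uint16_t *prev_se)
{
    if (!prot_read(&sh->last_active_se, prev_se)) {
        g_reset_requests++;
        return false;
    }
    prot_write(&sh->last_active_se, seid);
    return true;
}

/* Scenario 1: normal sequence SE0 -> SE1 -> SE2; returns the entity that
 * was recorded before SE2 reported its checkpoint (1). */
int demo_normal_sequence(void)
{
    wdgm_shared_t sh;
    uint16_t prev = 0xFFFFu;
    g_reset_requests = 0;
    prot_write(&sh.last_active_se, 0);                /* done by WdgM_Init() */
    if (!checkpoint_reached(&sh, 1, &prev)) return -1;
    if (!checkpoint_reached(&sh, 2, &prev)) return -1;
    return (int)prev;
}

/* Scenario 2: a stray write from another component flips one bit of the
 * shared word (constructed fault); the next checkpoint must detect it and
 * request exactly one reset (returns 1). */
int demo_corruption_detected(void)
{
    wdgm_shared_t sh;
    uint16_t prev = 0;
    g_reset_requests = 0;
    prot_write(&sh.last_active_se, 0);
    if (!checkpoint_reached(&sh, 1, &prev)) return -1;
    sh.last_active_se.value ^= 0x0008u;               /* single-bit corruption */
    if (checkpoint_reached(&sh, 2, &prev)) return -2;  /* must be rejected */
    return g_reset_requests;
}

int main(void)
{
    printf("last entity before SE2: %d\n", demo_normal_sequence());
    printf("resets after corruption: %d\n", demo_corruption_detected());
    return 0;
}
```

The complement check catches the random stray write that the shared section is exposed to, which is why the manual can leave this section writable by every SWC while keeping the private global section in trusted memory; it is not a defence against a writer that deliberately updates both words, so the unprotected global data still needs the memory-protection boundary described above.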
3.3 Timing Setup
The timing of the S-WdgM is defined by the calling period of the function WdgM_MainFunction() and by the count period of the S-WdgM Tick Counter (for Deadline Monitoring).
Every time the function WdgM_MainFunction() is invoked, the Alive counters are evaluated, running deadlines are checked for violations, checkpoint fault indications are evaluated and, finally, the S-WdgM global status of all supervised entities is calculated.
Note: The time period in which the function WdgM_MainFunction() is called is the S-WdgM supervision cycle. This cycle time is also used for the periodic triggering of the Watchdog device. The period of this cycle determines the shortest S-WdgM reaction time. For example: If the S-WdgM reaction time should be not more than 10 ms, the supervision cycle time should be set to 10 ms or shorter.
Figure 21 shows the S-WdgM timing configuration parameters. The parameters can be set by a Configuration Tool.
[Figure 21 (diagram, not reproduced in this text). Labels recovered from the figure: Oscillator (f_osc); System environment (OS) with Scheduler; S-WdgM Configuration, timing parameters: WdgMTicksPerSecond [Hz], WdgMSupervisionCycle [s], WdgMTriggerWindowStart [ms], WdgMTriggerConditionValue [ms]; S-Wdg Configuration, timing parameters: WdgWindowStart [s], WdgInitialTimeout [s]; Safe Watchdog Manager, Safe Watchdog Driver (trigger), Watchdog device (f_wdg); WdgM_MainFunction(), WdgM_UpdateTickCount() (*1), Tick Counter, MCU counter Tick (*2). *1) Used for external Tick source. *2) Used for internal hardware Tick source.]
Fig. 21: Time base of the S-WdgM
Two configuration parameters shown in Figure 21 are used by the System Environment only. The Scheduler uses these parameters and periodically calls the function WdgM_MainFunction() and, if defined, also the function WdgM_UpdateTickCount(). All the other parameters are used by the S-WdgM and the S-Wdg.
Configuration Parameter | Description
WdgMSupervisionCycle | This parameter defines the time period in which the S-WdgM performs cyclic supervision. This is the time period in which the function WdgM_MainFunction() is called. The user of this parameter is the system environment that periodically calls the function WdgM_MainFunction(). The Watchdog device is triggered with every call of WdgM_MainFunction().
WdgMTicksPerSecond | This parameter defines the frequency by which the S-WdgM Tick counter is incremented. If the external Tick counter is selected, the user of this parameter is the system environment that periodically calls the function WdgM_UpdateTickCount(). If the internal hardware Tick counter is selected, this parameter configures the frequency of the MCU counter. The parameter WdgMTicksPerSecond must not be zero.
WdgMTriggerWindowStart | This parameter defines, for all supervision cycles (except for the first), the lower limit of the Watchdog trigger window. If the Watchdog is triggered before this limit, a reset is caused. This parameter is in milliseconds. The user is the S-WdgM.
WdgMTriggerConditionValue | This parameter defines, for all supervision cycles (except for the first), the upper limit of the Watchdog trigger window. If the Watchdog is not triggered in time, a reset is caused. This parameter is in milliseconds. The user is the S-WdgM.
WdgWindowStart | This parameter defines, for the first supervision cycle, the minimum window time after which watchdog triggering is allowed. This parameter is used by the Safe Watchdog Driver only.
WdgInitialTimeout | This parameter defines, for the first supervision cycle, the upper limit of the Watchdog trigger window. If the Watchdog is not triggered in time, a reset is caused. This parameter is used by the Safe Watchdog Driver only (see the corresponding Safe Watchdog Driver User Manual).
3.3.1 Deadline Measurement and Tick Counter
The transition time between two checkpoints is measured in Ticks. The Tick Counter delivers a time base for Deadline Monitoring. The Tick is the smallest deadline time unit for the S-WdgM. There are three possible Tick sources (see Figure 22):
- Internal hardware Tick source: The Tick source is an S-WdgM internal source derived from the MCU hardware counter. If the internal hardware Tick source is selected, the frequency is set by the parameter WdgMTicksPerSecond.
- Internal software Tick source: The Tick source is software-based; the internal counter is incremented every time the S-WdgM main function (WdgM_MainFunction()) is called. If the internal software Tick source is selected, the Tick frequency is therefore the call frequency of WdgM_MainFunction().
- External Tick source: The Tick must be counted externally by calling the S-WdgM function WdgM_UpdateTickCount(). If the external Tick source is selected, the system integrator is responsible for calling the function on a regular basis. The S-WdgM internally checks whether the number of Ticks corresponds with the Supervision Cycle.
Note: The Tick source can be selected by setting the parameter WdgMTimebaseSource. The default parameter value is WDGM_INTERNAL_SOFTWARE_TICK.
[Figure 22 (diagram, not reproduced in this text). Labels recovered from the figure: Safe Watchdog Manager; Tick Counter; Internal software (once per SupervisionCycle); external (System API: WdgM_UpdateTickCount(), external clock); Internal hardware (Safe Watchdog Driver, MCU counter); Tick source switch parameter: WdgMTimebaseSource.]
Fig. 22: S-WdgM Tick source selection for deadline monitoring
The Ticks per second must be configured for the S-WdgM to translate the monitored deadlines from seconds (as stored in the AUTOSAR ECU description files) to S-WdgM ticks. This conversion is done during configuration generation for the S-WdgM, with the deadlines being stored in the generated configuration as S-WdgM ticks.
Note: Non-integer ticks are not allowed. If a deadline cannot be converted into an integer number of S-WdgM ticks, the S-WdgM Configuration Generator will report an error.
For an internal software Tick source and an external Tick source, the internal Tick counter is initialized to 1.
Examples:
- Let a S-WdgM Tick be 2 ms. A deadline of 3 ms cannot be converted to S-WdgM ticks without loss of accuracy: it lies between 1 and 2 S-WdgM ticks.
- Let a S-WdgM Tick be 1 ms (i.e., the parameter WdgMTicksPerSecond is set to 1000). A deadline of 0.002 s = 2 ms is then translated to 2 S-WdgM ticks, but a deadline of 0.0005 s = 0.5 ms cannot be translated to an integer number of S-WdgM ticks.
Note: There is a trade-off between the S-WdgM Tick resolution and performance. The shorter the Tick length, the finer the deadlines that can be monitored. However, performance degrades because of the more frequent calls to the WdgM_UpdateTickCount() function.
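The deadline-to-tick conversion worked through in the examples above, together with the timing relations between WdgMTicksPerSecond, WdgMSupervisionCycle, WdgMTriggerWindowStart and WdgMTriggerConditionValue described in Section 3.3, as an added C example that is not the S-WdgM Configuration Generator's code: deadlines in seconds are converted to an integral number of ticks, and the configuration relations are checked, returning the number of the corresponding generator error message from Section 4.4.2 (1021, 1060, 1061, 1075, 1085, 1098) when a relation fails. The function names, the precision limit TICKS_PER_SECOND_LIMIT and the scenario values are assumptions of this example.

```c
/* Added example (not TTTech code): host-side model of the seconds-to-ticks
 * conversion done by the S-WdgM Configuration Generator and of the timing
 * relations it checks. Where a check fails, the number of the corresponding
 * generator error message from Section 4.4.2 is returned. Type and function
 * names and the precision bound are this example's own assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed upper bound on the tick rate; the generator's real limit is not
 * stated in the manual (error 1075 only says "too high"). */
#define TICKS_PER_SECOND_LIMIT 1000000u

typedef enum {
    WDGM_INTERNAL_SOFTWARE_TICK,   /* default WdgMTimebaseSource value */
    WDGM_INTERNAL_HARDWARE_TICK,
    WDGM_EXTERNAL_TICK
} wdgm_tick_source_t;

typedef struct {
    wdgm_tick_source_t source;          /* WdgMTimebaseSource              */
    uint32_t ticks_per_second;          /* WdgMTicksPerSecond [Hz]         */
    double   supervision_cycle_s;       /* WdgMSupervisionCycle [s]        */
    double   trigger_window_start_ms;   /* WdgMTriggerWindowStart [ms]     */
    double   trigger_condition_ms;      /* WdgMTriggerConditionValue [ms]  */
} wdgm_timing_t;

static double abs_d(double x) { return x < 0 ? -x : x; }

/* Convert a deadline given in seconds (as in the ECU description) into an
 * integral number of S-WdgM ticks. Returns false when the deadline is not a
 * whole number of ticks (generator error 1021). */
bool deadline_to_ticks(double deadline_s, uint32_t ticks_per_second, uint32_t *ticks)
{
    double exact = deadline_s * (double)ticks_per_second;
    if (ticks_per_second == 0 || exact < 0.0) {
        return false;
    }
    uint64_t nearest = (uint64_t)(exact + 0.5);
    if (abs_d(exact - (double)nearest) > 1e-6) {
        return false;                   /* e.g. 3 ms at a 2 ms tick = 1.5 ticks */
    }
    *ticks = (uint32_t)nearest;
    return true;
}

/* Check the relations between tick rate, supervision cycle and trigger
 * window. Returns 0 when consistent, otherwise the generator error number. */
int check_timing(const wdgm_timing_t *t)
{
    double cycle_ms = t->supervision_cycle_s * 1000.0;  /* window limits are in ms */
    if (t->ticks_per_second == 0) {
        return 1085;                    /* WdgMTicksPerSecond must not be zero */
    }
    if (t->ticks_per_second > TICKS_PER_SECOND_LIMIT) {
        return 1075;                    /* targeted precision too high */
    }
    double tick_s = 1.0 / (double)t->ticks_per_second;
    if (tick_s > t->supervision_cycle_s) {
        return 1060;                    /* (1 / WdgMTicksPerSecond) <= WdgMSupervisionCycle */
    }
    if (t->source == WDGM_INTERNAL_SOFTWARE_TICK && abs_d(tick_s - t->supervision_cycle_s) > 1e-9) {
        return 1098;                    /* software tick: exactly one tick per supervision cycle */
    }
    if (!(t->trigger_window_start_ms <= cycle_ms && cycle_ms <= t->trigger_condition_ms)) {
        return 1061;                    /* WdgMTriggerWindowStart <= cycle <= WdgMTriggerConditionValue */
    }
    return 0;
}

/* Scenarios with constructed values, mirroring the examples in the text. */
int demo_2ms_deadline_at_1ms_tick(void)   /* 0.002 s at 1000 Hz -> 2 ticks */
{ uint32_t n = 0; return deadline_to_ticks(0.002, 1000, &n) ? (int)n : -1; }
int demo_3ms_deadline_at_2ms_tick(void)   /* 0.003 s at 500 Hz -> not integral (-1) */
{ uint32_t n = 0; return deadline_to_ticks(0.003, 500, &n) ? (int)n : -1; }
int demo_consistent_software_tick(void)   /* 100 Hz tick, 10 ms cycle, window 8..12 ms -> 0 */
{ const wdgm_timing_t t = { WDGM_INTERNAL_SOFTWARE_TICK, 100, 0.010, 8.0, 12.0 }; return check_timing(&t); }
int demo_window_excludes_cycle(void)      /* window 12..15 ms around a 10 ms cycle -> 1061 */
{ const wdgm_timing_t t = { WDGM_INTERNAL_HARDWARE_TICK, 1000, 0.010, 12.0, 15.0 }; return check_timing(&t); }
int demo_tick_coarser_than_cycle(void)    /* 50 Hz tick (20 ms) with a 10 ms cycle -> 1060 */
{ const wdgm_timing_t t = { WDGM_INTERNAL_HARDWARE_TICK, 50, 0.010, 8.0, 12.0 }; return check_timing(&t); }

int main(void)
{
    printf("0.002 s @ 1000 Hz -> %d ticks\n", demo_2ms_deadline_at_1ms_tick());
    printf("0.003 s @ 500 Hz -> %d (not integral)\n", demo_3ms_deadline_at_2ms_tick());
    printf("consistent -> %d, window -> %d, coarse tick -> %d\n", demo_consistent_software_tick(),
           demo_window_excludes_cycle(), demo_tick_coarser_than_cycle());
    return 0;
}
```

Note the unit mismatch the check has to handle: WdgMTriggerWindowStart and WdgMTriggerConditionValue are given in milliseconds while WdgMSupervisionCycle is given in seconds, so the supervision cycle is converted to milliseconds before the window relation is evaluated.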
4 Configuration Generation
4.1 S-WdgM Configuration Generator
The S-WdgM Configuration Generator is a Microsoft Windows console application that can be launched from a command prompt window by entering the command Wdg_Mgr_Cfg_Gen.exe. The S-WdgM Configuration Generator reads the S-WdgM module information from the AUTOSAR ECU description file (*.arxml) and generates configuration structures for the S-WdgM.
Note: Safety requirements must be considered for the generation process. These requirements are listed in the Safe Watchdog Manager Safety Manual [5], which also gives a detailed description of a verification process for the generated files using a separate tool. This verification process is mandatory for safety-related systems.
To use the S-WdgM Configuration Generator, enter the following command in a command prompt window:
Wdg_Mgr_Cfg_Gen.exe [options] <ECU-DESC-FILE> <OUTPUT-DIR>
[options] | Description
--version | Shows the application version number and license information, and then exits.
-h/--help | Shows this help message and exits.
Parameter | Description
<ECU-DESC-FILE> | The ECU description file (*.arxml). It is generated by a tool like the DaVinci Configurator, for example.
<OUTPUT-DIR> | The destination folder for the generated output. You must specify this parameter.
The S-WdgM Configuration Generator was developed and tested for MS Windows 7 and can be integrated into a graphical configuration environment. The following DLLs must be present in the system:
OLEAUT32.dll, USER32.dll, POWRPROF.dll, SHELL32.dll, ole32.dll, WSOCK32.dll, ADVAPI32.dll, WS2_32.dll, VERSION.dll, KERNEL32.dll
The installer for this DLL is available at the Microsoft Download Center.
4.1.1 S-WdgM Configuration Verification
The S-WdgM Verifier is a TTTech tool for the verification of the generated S-WdgM configuration. The S-WdgM Verifier is delivered as a DLL (wdgm_verifier.dll) that must be compiled with the configuration files produced by the generator and the files produced by the XSLT Processor. The compilation result is a Windows Verifier.exe program. Running the Verifier generates a report file (verifier_report.txt) that contains the result of the verification.
Figure 23 shows the workflow of the S-WdgM Verifier build. For details, refer to the Safe Watchdog Manager Safety Manual [5].
[Figure 23 (diagram, not reproduced in this text). Labels recovered from the figure: Wdg* Config Generator; Wdg* Config (Lcfg*.c, *.h); System Config; XSL File; Verifier; Report; Specs; Tool; ECU Descr. File (*1); Info File; XSLT Processor; Generation Path; Manual Validation; User; Verification Path. *1 DaVinci Configurator.]
Fig. 23: Workflow of the S-WdgM Configuration Verifier build
4.1.1.1 Installing the S-WdgM Verifier
To run the S-WdgM Verifier, an XSLT Processor and a working gcc environment are required.
The XSLT Processor can be installed by installing the Configuration Tool (DaVinci Configurator); it consists of the following files: iconv.dll, libexslt.dll, libxml2.dll, libxslt.dll, zlib1.dll, xsltproc.exe.
The recommended way to install gcc is to install the MinGW environment with the provided installer program (MinGW-5.1.6.exe) for Windows 7. To install gcc, proceed as follows:
1. Start the installer program, accept the license terms and click Next until you are prompted to select a configuration.
2. When prompted, select Minimal configuration. There is no need to select any check boxes.
3. Complete the installation process after accepting the default settings.
4. Having installed gcc, add the c:\MinGW\bin directory to your search path by entering the command set PATH=%PATH%;c:\MinGW\bin in a command prompt window. Alternatively, you can edit Environment Variables in the System Properties dialog (Start > Control Panel > System).
To verify that gcc is working, open a new command prompt window and enter gcc --version to let gcc show its version number.
4.2 Workflow
Figure 24 shows the workflow of how to generate and apply a configuration for the S-WdgM.
Fig. 24: Workflow of configuration generation and application for the S-WdgM
The S-WdgM Configuration Generator is the application that generates the configuration for the S-WdgM. The input used to generate a configuration is an ECU description file (*.arxml). The ECU description file contains the configured AUTOSAR WdgM, WdgIf and Wdg modules. The S-WdgM configuration can be created and configured in several ways.
If you use the Vector tools DaVinci Configurator Pro (DVC) and DaVinci Developer, the workflow to generate the configuration is as follows:
- DVC is configured such that it uses the external generator S-WdgM Configuration Generator to generate the configuration for the modules S-WdgM, S-WdgIf and S-Wdg.
- During configuration generation, the S-WdgM Configuration Generator is automatically invoked and produces the configuration *.c and *.h files.
- If necessary, DaVinci Developer can be used to configure the runtime environment (RTE) for the S-WdgM. You can configure the software components that need to call S-WdgM functions, with the tool generating the respective RTE configuration files.
If you do not use the Vector tools mentioned above, the workflow to create a configuration is as follows:
- Start a command prompt window and enter the following command:
Wdg_Mgr_Cfg_Gen.exe <ecu_descr_file> <output_directory>
where <ecu_descr_file> is the name of the respective ECU description file (*.arxml) and <output_directory> is the directory in which to create the respective *.c and *.h files.
- The S-WdgM code generator generates a configuration file, WdgM_PBcfg.c (see Section Configuration Generation), where all S-WdgM variables are defined and assigned to various memory sections (see Section Memory Sections).
- The S-WdgM code generator also generates the file WdgM_MemMap.h in an AUTOSAR 3.1 environment or WdgM_OSMemMap.h in an AUTOSAR 4.0 environment, where the S-WdgM memory sections defined in the WdgM_PBcfg.c file are assigned to user-defined application sections or other system sections. The relation between memory sections and applications can be defined with a tool such as DaVinci Configurator using the parameters WdgMAppTaskRef and WdgMGlobalMemoryAppTaskRef.
The following example of a WdgM_MemMap.h file places the status variables for the supervised entity with index 1 in the application memory section delimited by Application_1_START_SEC_VAR_NOINIT_UNSPECIFIED and Application_1_STOP_SEC_VAR_NOINIT_UNSPECIFIED:
/* Supervised Entity SE1 */
#ifdef WDGM_SE1_START_SEC_VAR_NOINIT_UNSPECIFIED
#undef WDGM_SE1_START_SEC_VAR_NOINIT_UNSPECIFIED
#define Application_1_START_SEC_VAR_NOINIT_UNSPECIFIED
#endif
#ifdef WDGM_SE1_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#undef WDGM_SE1_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#define Application_1_STOP_SEC_VAR_NOINIT_UNSPECIFIED
#endif
If no application is assigned with the parameters WdgMAppTaskRef or WdgMGlobalMemoryAppTaskRef, then the prefix is WDGM_ instead of the application name.
All global shared data used by the S-WdgM are protected by the S-WdgM against corruption.
4.3 Output Files
The following output files are generated for the respective platform type (<platform>), where <platform> is the respective hardware platform used, e.g., MPC5604 or TMS570LS3xx:
- WdgM_PBCfg.c
- WdgM_PBCfg.h
- WdgM_MemMap.h (in an AUTOSAR 3.1 environment) or WdgM_OSMemMap.h (in an AUTOSAR 4.0 environment)
- WdgM_Cfg_Features.h
The file WdgM_PBCfg.c contains the main configuration structure with the default name WdgMConfig_Mode0. This configuration name should be used by the initialization function, i.e., by calling WdgM_Init(&WdgMConfig_Mode0). If necessary, the non-standard AUTOSAR name WdgMConfig_Mode0 can be renamed to WdgMConfigSet in the Configuration Tool (e.g., DaVinci).
Since the S-WdgM Configuration Generator is not trusted, the generated code must be verified. For details on the configuration verification process, refer to the Safe Watchdog Manager Safety Manual [5].
4.4 Error Messages
The generator will show an error message in the command prompt window and quit if something goes wrong during configuration generation.
4.4.1 Basic Errors
Error No. | Error Message
1 | Bad call syntax.
2 | Cannot open ECU description file `%s`.
3 | Cannot convert float parameter `%s/%s` to an Watchdog ticks.
4 | Cannot convert `%s` to a numerical value.
5 | Fatal error.
6 | Method `%s` must be implementd by subclass of `%s`.
7 | Missing WdgM data.
4.4.2Semantic ErrorsErrorError MessageNo.1001
Checkpoint IDs belonging to Supervised Entity `%s` are not a
zero-based list of increasing integers without gaps.
1002
No WdgMMode elements found.
1003
Supervised Entity `%s`: local transition starts at Checkpoint
with an ID %d.
1004
No WdgMMode element with WdgMModeId %d found.
1005
ECU Description File has no `WdgM` element.
1006
Referencing non-existing checkpoint `%s`.
1015
No value found for parameter defined by `%s` in `Element `%s`.
1016
Supervised Entity `%s` has no checkpoints.
1017
Supervised Entity `%s` defines local transitions
for alien checkpoint(s) `%s`.
1018
Local Transition `%s` references alien checkpoint `%s`.
1019
Local Transition `%s` references wrong destination entity `%s`.
1020
Local Transition `%s` references wrong source entity `%s`.
1021
Cannot convert float parameter `%s/%s` (%.6f [s]) to an integral
number of Watchdog ticks. (Using %.2f ticks per second).
Safe Watchdog Manager 3.3.1© 2011 - 2014 TTTech Automotive GmbHDocument number: D-MSP-M-70-001TTTech Automotive Confidential and Proprietary
Configuration GenerationPage 109
1025
Ignoring `WdgMGeneral/WdgMNumberOfSupervisedEntities`.
1026
Found more than one `WdgMMode` elements;
generating code for mode with ID %d.
1027
Cannot find top level element %s.
1028
No value found for `#define %s`. Verify element defined by `.../%
s`.
1029
No `.../WdgM/WdgMGeneral/WdgMWatchdog` elements found.
1031
No transition found for WdgMDeadlineSupervision `%s`
between Supervised Entity `%s`, Checkpoint `%s` and
Supervised Entity `%s`, Checkpoint `%s`.
1034
Found a `REFERENCE-VALUE` element defined by `%s`
without a `VALUE-REF` child element.
1035
Cannot find `REFERENCE-VALUE` element defined by `%s`.
1036
Checkpoint `%s` has no ID.
1037
Checkpoint `%s` has no `VALUE` element for its ID.
1038
Missing `SHORT-NAME` element.
1039
No global initial Supervised Entity found.
1040
Program Flow Supervision has no checkpoint defined by %s.
1043
Watchdog `%s` has no `WdgMTrigger` element assigned to it.
1044
Cannot identify driver.
1045
No `WdgMLocalStatusParams` element found.
1048
Cannot find checkpoint ID for `%s/%s`.
1049
Cannot find checkpoint ID for `%s/%s`.
1050
Cannot find checkpoint ID for `%s`.
1051
`%s` is an AUTOSAR 3.1 Supervised Entity and therefore shall
have exactly one checkpoint and this checkpoint shall have
its ID set to 0.
1052
Supervised Entity `%s`: `WdgMFailedProgramFlowRefCycleTol` is
positive (%d) but `WdgMProgramFlowRefCycle` is not (%d).
1053
Supervised Entity `%s`: Zero tolerance for program flow
violations -
`WdgMProgramFlowRefCycle` set to %d and
`WdgMFailedProgramFlowRefCycleTol` set to zero.
1054
Supervised Entity `%s`: `WdgMFailedDeadlineRefCycleTol` is
Safe Watchdog Manager 3.3.1© 2011 - 2014 TTTech Automotive GmbHDocument number: D-MSP-M-70-001TTTech Automotive Confidential and Proprietary
Configuration GenerationPage 110
positive (%d) but `WdgMDeadlineReferenceCycle` is not (%d).
1055
Supervised Entity `%s`: Zero tolerance for dealine violations -
`WdgMDeadlineReferenceCycle` set to %d and
`WdgMFailedDeadlineRefCycleTol` set to zero.
1056
WdgMAliveSupervision `%s` (checkpoint `%s`):
`WdgMSupervisionReferenceCycle` (%d) must be a positive value.
1057
Supervised Entity `%s`: `WdgMFailedSupervisionRefCycleTol` set
to a positive value (%d) but there is no alive counter attached
to any of its checkpoints.
1058
Mandatory `LocalStatusParams` data is missing.
1059
Shortest maximum deadline (%s: %f seconds) is shorter than
`WdgMSupervisionCycle` (%f seconds).
1060
Mode with ID `%d`
(`WdgMTicksPerSecond`: %d; `WdgMSupervisionCycle`: %f)
fails to meet timing requirement
`(1 / WdgMTicksPerSecond) <= WdgMSupervisionCycle`.
1061
Watchdog `%s`, trigger mode ID %s: the requirement
`WdgMTriggerWindowStart <= WdgMSupervisionCycle <=
WdgMTriggerConditionValue` is not fulfilled
1062
Verify that every Supervised Entity has a unique ID.
1063
No local incoming transitions defined for checkpoint `%s` in
Supervised Entity `%s`. Reaching `%s` will trigger a Program
Flow violation.
1064
Supervised Entity `%s` has no initial checkpoint.
1065
Callback function(s) `%s` will never be executed because
`WDGM_STATE_CHANGE_NOTIFICATION` is turned off.
1066
`WDGM_STATE_CHANGE_NOTIFICATION` is turned on but there is
no callback function defined. Verify the
`WdgMGlobalStateChangeCbk`
and `WdgMLocalStateChangeCbk` values
1068
Ensure that Supervised Entities have callback functions with
a unique name.
1069
Local end checkpoint %s/%s must not be the source
of a local transition.
1070
Local init checkpoint %s/%s must not be the destination
of a local transition.
Safe Watchdog Manager 3.3.1© 2011 - 2014 TTTech Automotive GmbHDocument number: D-MSP-M-70-001TTTech Automotive Confidential and Proprietary
Configuration GenerationPage 111
1071
The Supervised Entity IDs are not a zero-based list of integers
without gaps.
1072
The watchdog driver is called in the context of the watchdog
manager and its global variables must be placed in the
same section as the watchdog manager's global variables
in the presence of memory protection!
(The watchdog driver global variables are placed in `%s`
and the watchdog manager global variables are placed in `%s`).
1073
This driver configuration generator supports %s -- %s is not
supported.
1075
The targeted precision (%d ticks per second) is too high; please
lower the resolution (`.../WdgMMode/WdgMTicksPerSecond`).
1076
There is no WdgMTrigger element associated to Watchdog `%s`.
1081
No drivers found
1082
No Watchdog Interface devices found
1083
Watchdog IF device `%s` references non-existing Watchdog `%s`
1084
Watchdog `%s` references non-existing Watchdog IF device `%s`
1085
`WdgMTicksPerSecond` must not be zero if the Watchdog Manager
uses an external tick counter source for deadline monitoring.
1086
Supervised Entity `%s` contains more than one checkpoint
having an alive counter
1090
No Supervised Entities found!
1091
Transition `%s` references non existing checkpoint `%s` in entity
`%s`.
1092
ECU Description File references non-existing checkpoint `%s` in
Supervised Entity `%s`.
1093
Supervised Entity `%s` contains references to non-existing
checkpoint(s) `%s`.
1094
Global Transition `%s` has non-existing Entity `%s` as source.
1095
Global Transition `%s` has non-existing Entity `%s` as
destination.
1096
WdgMDeadlineSupervision `%s`: `WdgMDeadlineMin` (%s)
is greater than `WdgMDeadlineMax` (%s).
1097
The `%s` value (%s [s]) of `%s` must not be greater than %s [s].
1098
For the INTERNAL_SOFTWARE_TICK the `(1 / WdgMTicksPerSecond[Hz]) = WdgMSupervisionCycle[s]` relation must be kept; the configured values for `WdgMTicksPerSecond` (%s) and `WdgMSupervisionCycle` (%s) do not fulfill this requirement.
1099
This ECU Description File's AUTOSAR version (%s) is
not compatible with the version supported by
this configuration generator (%s)
1100
This ECU Description File's AUTOSAR version (%s) has a different
minor number than the version supported by this configuration
generator (%s)
1101
Watchdog Driver `%s` is configured to have an active
tick counter but the Watchdog Manager is not configured
to have an internal HW timebase.
1102
The Watchdog Manager is configured to use an internal
HW counter but the Watchdog Interface is not.
1103
The Watchdog Interface is configured to use an internal
HW counter but the Watchdog Manager is not
1104
The Watchdog Manager is configured to use an internal HW
tick counter but the Watchdog driver `%s` has no active
tick counter.
1105
Error while reading list of `WdgMCallerIds`
1106
The Watchdog Manager is configured to use an internal HW
tick counter but the Watchdog Interface does not reference
any Watchdog Driver at all.
1107
The Watchdog Manager is not configured to use an internal HW
tick counter but the Watchdog Interface has a reference to
a Watchdog Driver with an internal tick counter.
1108
Every `WdgWatchdog` has to have the same number (either %d
or %d) of associated `WdgMTrigger` elements.
1109
Verify that the Trigger Modes belonging to each trigger have IDs
building a zero-based integer sequence without any gaps
1110
Invalid `WdgMInitialTriggerModeId` value (%d).
1111
The `SafeTcore` platform requires `WdgWindowStart` = 0 [ms].
(Current value: %s)
1112
`WdgMWatchdogMode` is set to `WDGIF_OFF_MODE`:
`WdgMTriggerConditionValue` and `WdgMTriggerWindowStart`
will be ignored
1113
Ticks per second must be greater than zero
1114
Multiple `WdgMDeadlineSupervision` elements defined for
the transition from %s/%s to %s/%s
1115
OS partition reset is currently not supported.
1116
The current version supports only configurations having only one
Watchdog, one IF device and one driver.
1119
The value 65535 (i.e., 2^16 - 1) must not be assigned to any of these elements: `WdgMFailedDeadlineRefCycleTol`, `WdgMFailedProgramFlowRefCycleTol` and `WdgMFailedSupervisionRefCycleTol`.
1120
Cannot find a VALUE element for `...WdgMConfigSet/WdgMMode/WdgMInitialTriggerModeId`
1121
Cannot find a VALUE element for `...WdgMConfigSet/WdgMMode/WdgMTrigger/WdgMTriggerModeId`
1122
Global transition connecting checkpoints `%s` and `%s`
in the same entity `%s` is not allowed.
1123
`WdgMSupervisionCycle` (%s) is not greater than zero
1124
Watchdog `%s`, trigger mode ID %s: `WdgMTriggerConditionValue`
is not greater than zero.
5 Appendix: List of Generator and Verifier checks
5.1 Watchdog Manager Configuration Verifier Requirements
5.1.1 General Remarks
The verifier detects three kinds of errors:
1. deltas between the ECU Description File (EDF) and the generated configuration,
2. errors in the configuration which might have a negative impact on the embedded code (worst case could be to make it crash),
3. integrity checks already required to be implemented by the generator.
5.1.2 General Requirements
The S-WdgM Verifier must handle a (broken) configuration with no supervised entities at all (even though the S-WdgM Configuration Generator would not generate a configuration out of an EDF with no supervised entities at all).
The S-WdgM Verifier must handle a (broken) configuration with no checkpoints at all (even though the S-WdgM Configuration Generator would not generate a configuration out of an EDF with no checkpoints at all).
5.1.3 Deltas the S-WdgM Verifier Must Detect between the EDF and the Generated Configuration
Test No. Requirement
Test 1
The number of CPs according to the EDF and the number of CPs referenced by SEs must match.
Test 2
The number of CPs according to the EDF and the number of CPs stored in the NrOfAllCheckpoints member of the main structure must match.
Test 3
The number of local transitions according to the EDF must match the number of local transitions referenced by CPs according to the corresponding NrOfLocalTransitions members.
Test 4
The number of global transitions according to the EDF must match the number of global transitions referenced by CPs according to the corresponding NrOfGlobalTransitions members.
Test 5
The number of SEs according to the EDF must match the value of the NrOfSupervisedEntities member of the main structure.
Test 17
The NrOfStartedGlobalTransitions value of a CP must match the number of global transitions having that CP as a starting point according to the EDF.
Test 19
If an alive supervision is defined for a CP, then the WdgMExpectedAliveIndications member of that CP must match the number of expected alive indications of the alive supervision, as specified in the EDF.
Test 20
If an alive supervision is defined for a CP, then the WdgMMinMargin member of that CP must match the corresponding attribute (.../WdgMMinMargin) in the alive supervision, as specified in the EDF.
Test 21
If an alive supervision is defined for a CP, then the WdgMMaxMargin member of that CP must match the corresponding attribute (.../WdgMMaxMargin) in the alive supervision, as specified in the EDF.
Test 22
If an alive supervision is defined for a CP, then the WdgMSupervisionReferenceCycle member of that CP must match the corresponding attribute (.../WdgMSupervisionReferenceCycle) in the alive supervision, as specified in the EDF.
Test 27
The NrOfLocalTransitions value of a CP must be set to the number of local transitions having that CP as a destination point according to the EDF.
Test 28
The NrOfGlobalTransitions value of a CP must be set to the number of global transitions having that CP as a destination point according to the EDF.
Test 32
If no alive supervision is defined for a CP, then the WdgMExpectedAliveIndications member of that CP must be zero (see Test 19).
Test 33
If no alive supervision is defined for a CP, then the WdgMMinMargin member of that CP must be zero (see Test 20).
Test 34
If no alive supervision is defined for a CP, then the WdgMMaxMargin member of that CP must be zero (see Test 21).
Test 35
If no alive supervision is defined for a CP, then the WdgMSupervisionReferenceCycle member of that CP must be zero (see Test 22).
Test 37
WdgM_TransitionType->WdgMDeadlineMin must match the corresponding value in the EDF.
Test 38
WdgM_TransitionType->WdgMDeadlineMax must match the corresponding value in the EDF.
Test 39
WdgM_GlobalTransitionType->WdgMDeadlineMin must match the corresponding value in the EDF.
Test 40
WdgM_GlobalTransitionType->WdgMDeadlineMax must match the corresponding value in the EDF.
Test 41
The WdgMitialStatus value of each SE must match the value entered as WdgMSupervisedEntityInitialMode for the WdgMLocalStatusParams element assigned to the SE.
Test 42
For every entity: X must match Y, where X is the WdgMFailedSupervisionRefCycleTol member of an SE in the generated configuration and Y is the element WdgMFailedSupervisionRefCycleTol in the WdgMLocalStatusParams defined for the same entity in the EDF.
Test 43
For every entity: X must match Y, where X is the WdgMFailedDeadlineRefCycleTol member of an SE in the generated configuration and Y is the element WdgMFailedDeadlineRefCycleTol in the WdgMLocalStatusParams defined for the same entity in the EDF.
Test 44
For every entity: X must match Y, where X is the WdgMDeadlineReferenceCycle member of that SE in the generated configuration and Y is the element WdgMDeadlineReferenceCycle in the WdgMLocalStatusParams defined for the same entity in the EDF.
Test 45
For every entity: X must match Y, where X is the WdgMFailedProgramFlowRefCycleTol member of an SE in the generated configuration and Y is the element WdgMFailedProgramFlowRefCycleTol in the WdgMLocalStatusParams defined for the same entity in the EDF.
Test 46
For every entity: X must match Y, where X is the WdgMProgramFlowReferenceCycle member of that SE in the generated configuration and Y is the element WdgMProgramFlowReferenceCycle in the WdgMLocalStatusParams defined for the same entity in the EDF.
Test 47
Each SE in the generated configuration must have its OSApplication set to WDGM_INVALID_OSAPPLICATION.
Test 85
The set of relations between alive supervisions and CPs in the EDF is the same as in the generated configuration file, i.e. each CP has on both sides either the same or no alive supervision associated.
Note: Related to Error 1092.
Test 86
In the generated configuration file, for each SE: all CPs that are referenced in the SE are defined (in array WdgMCheckPoint).
Note: This includes the check for references by CP-ID and references by address to CP-list item (related to Error 1093).
Test 89
The WdgMGeneral parameter WdgMVersionInfoApi and the constant WDGM_VERSION_INFO_API defined in WdgM_Cfg_Features.h must match.
Test 90
The WdgMGeneral parameter WdgMDevErrorDetect and the constant WDGM_DEV_ERROR_DETECT defined in WdgM_Cfg_Features.h must match.
Test 91
The WdgMGeneral parameter WdgMDemReport and the constant WDGM_DEM_REPORT defined in WdgM_Cfg_Features.h must match.
Test 92
The WdgMGeneral parameter WdgMDefensiveBehavior and the constant WDGM_DEFENSIVE_BEHAVIOR defined in WdgM_Cfg_Features.h must match.
Test 93
The WdgMGeneral parameter WdgMImmediateReset and the constant WDGM_IMMEDIATE_RESET defined in WdgM_Cfg_Features.h must match.
Test 94
The WdgMGeneral parameter WdgMOffModeEnabled and the constant WDGM_OFF_MODE_ENABLED defined in WdgM_Cfg_Features.h must match.
Test 95
The WdgMGeneral parameter WdgMUseOsSuspendInterrupt and the constant WDGM_USE_OS_SUSPEND_INTERRUPT defined in WdgM_Cfg_Features.h must match.
Test 96
The WdgMGeneral parameter WdgMTimebaseSource and the constant WDGM_TIMEBASE_SOURCE defined in WdgM_Cfg_Features.h must match.
Test 97
The WdgMGeneral parameter WdgMSecondResetPath and the constant WDGM_SECOND_RESET_PATH defined in WdgM_Cfg_Features.h must match.
Test 98
The WdgMGeneral parameter WdgMTickOverrunCorrection and the constant WDGM_TICK_OVERRUN_CORRECTION defined in WdgM_Cfg_Features.h must match.
Test 99
The WdgMGeneral parameter WdgMEntityDeactivationEnabled and the constant WDGM_ENTITY_DEACTIVATION_ENABLED defined in WdgM_Cfg_Features.h must match.
Test 100
The WdgMGeneral parameter WdgMStateChangeNotification and the constant WDGM_STATE_CHANGE_NOTIFICATION defined in WdgM_Cfg_Features.h must match.
Test 101
The WdgMGeneral parameter WdgMUseRte and the constant WDGM_USE_RTE defined in WdgM_Cfg_Features.h must match.
Test 102
The WdgMGeneral parameter WdgMDemSupervisionReport and the constant WDGM_DEM_SUPERVISION_REPORT defined in WdgM_Cfg_Features.h must match.
Test 103
The WdgMGeneral parameter WdgMFirstCycleAliveCounterReset and the constant WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET defined in WdgM_Cfg_Features.h must match.
Test 104
The value WDGM_GLOBAL_TRANSITIONS in WdgM_Cfg_Features.h must be STD_ON if the configuration includes global transitions and STD_OFF otherwise.
Test 105
The value WDGM_AUTOSAR_3_1_X_COMPATIBILITY in WdgM_Cfg_Features.h must be STD_ON if there is at least one SE with its attribute WdgMSupportedAutosarAPI set to the enumeration value API_3_1. Otherwise this value must be STD_OFF.
Test 106
The value WDGM_MULTIPLE_TRIGGER_MODES must be STD_ON if WdgMTrigger elements have more than one WdgMTriggerMode subelement. Otherwise this value must be STD_OFF.
Note: It is required elsewhere that all triggers have the same number of trigger modes. Therefore any trigger can be taken for performing this test.
5.1.4 Integrity Checks
Test No. Requirement
Test 18
If the WdgMIsEndCheckpointGlobal value of a CP is TRUE, then that CP must not be the source of any global transition.
Test 23
The WdgMAliveLRef value of a CP must be NULL_PTR if and only if there is no alive supervision defined for that CP.
Test 24
The WdgMAliveGRef value of a CP must be NULL_PTR if and only if there is no alive supervision defined for that CP.
Test 25
The WdgMDeadlineMonitoring value of a CP must be set to TRUE if that CP is the source or destination of at least one transition with associated deadline monitoring. Otherwise this value will be set to FALSE.
Test 26
The WdgMOutgoingDeadlineMax value of a CP must be set to the maximum deadline associated to any of the transitions having that CP as a starting point.
Test 29
The WdgMLocalTransitionRef member of a CP must be set to NULL_PTR if and only if there are no local transitions having that CP as a destination point.
Test 30
The WdgMGlobalTransitionsRef member of a CP must be set to NULL_PTR if and only if there are no global transitions having that CP as a destination point.
Test 31
The WdgMStartsAGlobalTransition value of a CP must be set to TRUE if that CP is the starting point of a global transition. Otherwise this value must be set to FALSE.
Test 48
The following condition must be fulfilled for each SE: either WdgMFailedProgramFlowRefCycleTol is greater than zero, or WdgMProgramFlowReferenceCycle is zero (see Error 1053).
Test 49
The following condition must be fulfilled for each SE: either WdgMFailedDeadlineRefCycleTol is zero, or WdgMDeadlineReferenceCycle is greater than zero (see Error 1054).
Test 50
The following condition must be fulfilled for each SE: either WdgMFailedDeadlineRefCycleTol is greater than zero, or WdgMDeadlineReferenceCycle is zero (see Error 1055).
Test 51
The following condition must be fulfilled for systems with internal software timebase source: the shortest WdgMDeadlineMax value greater than zero among all WdgMDeadlineSupervision elements must be greater than or equal to WdgMSupervisionCycle (see Error 1059).
Test 52
The following condition must be fulfilled: (1 / WdgMTicksPerSecond) <= WdgMSupervisionCycle (see Error 1060).
Test 53
The WdgMSupervisionCycle stored in the EDF must be greater than zero (see Error 1123).
Test 54
The following condition must be fulfilled: 0 < ticks_per_second <= rti_hz / 2.
Test 55
The targeted precision must fulfill the following condition: int(round(ticks_per_second * window_start * 0.001)) <= 65535.
Note: 65535 is the maximum 16-bit integer (see Error 1075).
Test 56
The targeted precision must fulfill the following condition: int(round(ticks_per_second * condition_value * 0.001)) <= 65535.
Note: 65535 is the maximum 16-bit integer (see Error 1075).
Test 57
Each WdgMWatchdog element must have a WdgMTrigger value associated to it (see Error 1076).
Test 58
In each SE, there must be a maximum of one CP having an alive counter (see Error 1086).
Test 59
Make sure that transitions reference existing CPs (see Error 1091).
Test 60
Make sure that global transitions reference only existing SEs as source (see Error 1094).
Test 61
Make sure that global transitions reference only existing SEs as destination (see Error 1095).
Test 62
The minimum deadline of each WdgMDeadlineSupervision element must be less than or equal to the maximum deadline (see Error 1096).
Test 63
No deadline value may be greater than (1 / tps) * MAX_16_BIT_VALUE (see Error 1097).
Test 64
The following condition must be fulfilled for configurations with an internal software tick counter source: (1 / WdgMTicksPerSecond[Hz]) = WdgMSupervisionCycle[s] (see Error 1098).
Test 65
The trigger modes belonging to each trigger must form a zero-based list of increasing integers without a gap (see Error 1109).
Test 66
Every transition must have no more than one WdgMDeadlineSupervision element assigned to it (see Error 1114).
Test 67
The WdgMProgramFlowMonitoring boolean value of an SE must be true if and only if there are local or global transitions starting or ending in any of the CPs of that SE.
Test 87
All defined Watchdog devices in the EDF must have the same number of WdgMTrigger elements.
Note: Not necessarily the same modes with respect to mode settings.
Test 88
The following condition must be fulfilled: (WdgMFailedProgramFlowRefCycleTol = 0) OR (WdgMProgramFlowRefCycle > 0).
Note: Related to Error 1052.
Test 107
The WdgMTriggerTimeout field in each element in the WdgMTriggerMode array (of type WdgM_TriggerModeType) must have a value greater than zero (see Error 1124).
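The timing conditions of Tests 51 to 56 and 62 to 64 (with the zero checks of Tests 53 and 84), implemented as a small checker in Python, the language the S-WdgM Configuration Generator itself is written in. This is an added example and not TTTech's generator or verifier code; the WdgMMode, DeadlineSupervision and TriggerMode classes and the meaning of rti_hz are assumptions that only mirror the parameter names used in the tests above.

```python
"""Added example (not TTTech's generator or verifier code): the timing checks of
section 5.1.4 (Tests 51-56 and 62-64, plus the zero checks of Tests 53 and 84)."""
import math
from dataclasses import dataclass, field
from typing import List, Optional

MAX_16_BIT_VALUE = 65535  # tick fields in the generated configuration are 16-bit


@dataclass
class Finding:
    test: int             # appendix test number
    error: Optional[int]  # generator error code named by the page, if any
    message: str


@dataclass
class DeadlineSupervision:
    name: str
    deadline_min: float  # WdgMDeadlineMin [s]
    deadline_max: float  # WdgMDeadlineMax [s]


@dataclass
class TriggerMode:
    mode_id: int
    window_start_ms: int     # WdgMTriggerWindowStart [ms]
    condition_value_ms: int  # WdgMTriggerConditionValue [ms]


@dataclass
class WdgMMode:
    ticks_per_second: int     # WdgMTicksPerSecond [Hz]
    supervision_cycle: float  # WdgMSupervisionCycle [s]
    internal_sw_tick: bool    # True if WdgMTimebaseSource is INTERNAL_SOFTWARE_TICK
    rti_hz: int               # assumed meaning of the page's rti_hz: rate of the timer behind the tick counter
    deadlines: List[DeadlineSupervision] = field(default_factory=list)
    trigger_modes: List[TriggerMode] = field(default_factory=list)


def to_ticks(ticks_per_second: int, millis: int) -> int:
    """Scaling used by Tests 55/56: a millisecond setting expressed in ticks."""
    return int(round(ticks_per_second * millis * 0.001))


def check_timing(mode: WdgMMode) -> List[Finding]:
    """Return one Finding per violated timing check; an empty list means OK."""
    out: List[Finding] = []
    tps, cycle = mode.ticks_per_second, mode.supervision_cycle
    if cycle <= 0:  # Test 53
        out.append(Finding(53, 1123, f"`WdgMSupervisionCycle` ({cycle}) is not greater than zero"))
    if tps <= 0:  # Test 84; the remaining checks divide by tps, so stop here
        out.append(Finding(84, 1113, "Ticks per second must be greater than zero"))
        return out
    tick_period = 1.0 / tps
    if tps > mode.rti_hz / 2:  # Test 54
        out.append(Finding(54, None, f"ticks_per_second {tps} exceeds rti_hz / 2 = {mode.rti_hz / 2}"))
    if tick_period > cycle and not math.isclose(tick_period, cycle):  # Test 52
        out.append(Finding(52, 1060, f"1 / WdgMTicksPerSecond ({tick_period} s) exceeds WdgMSupervisionCycle ({cycle} s)"))
    if mode.internal_sw_tick and not math.isclose(tick_period, cycle):  # Test 64
        out.append(Finding(64, 1098, f"INTERNAL_SOFTWARE_TICK requires 1 / {tps} Hz = {cycle} s"))
    longest = tick_period * MAX_16_BIT_VALUE  # Test 63: longest deadline a 16-bit tick count can hold
    for d in mode.deadlines:
        if d.deadline_min > d.deadline_max:  # Test 62
            out.append(Finding(62, 1096, f"WdgMDeadlineSupervision `{d.name}`: WdgMDeadlineMin "
                                         f"({d.deadline_min}) is greater than WdgMDeadlineMax ({d.deadline_max})."))
        for label, value in (("WdgMDeadlineMin", d.deadline_min), ("WdgMDeadlineMax", d.deadline_max)):
            if value > longest:  # Test 63
                out.append(Finding(63, 1097, f"The `{label}` value ({value} [s]) of `{d.name}` "
                                             f"must not be greater than {longest} [s]."))
    positive = [d.deadline_max for d in mode.deadlines if d.deadline_max > 0]
    if mode.internal_sw_tick and positive and min(positive) < cycle:  # Test 51
        out.append(Finding(51, 1059, f"shortest WdgMDeadlineMax ({min(positive)} s) is below WdgMSupervisionCycle ({cycle} s)"))
    for tm in mode.trigger_modes:  # Tests 55 and 56
        for test, label, millis in ((55, "WdgMTriggerWindowStart", tm.window_start_ms),
                                    (56, "WdgMTriggerConditionValue", tm.condition_value_ms)):
            if to_ticks(tps, millis) > MAX_16_BIT_VALUE:
                out.append(Finding(test, 1075, f"trigger mode {tm.mode_id}: {label} = {millis} ms is "
                                               f"{to_ticks(tps, millis)} ticks at {tps} Hz; lower WdgMTicksPerSecond"))
    return out


# Constructed sample modes, not taken from any real ECU Description File.
GOOD_MODE = WdgMMode(ticks_per_second=1000, supervision_cycle=0.001, internal_sw_tick=True, rti_hz=10000,
                     deadlines=[DeadlineSupervision("Main_to_Comm", 0.0, 0.005)],
                     trigger_modes=[TriggerMode(0, 0, 100)])
BAD_MODE = WdgMMode(ticks_per_second=2000, supervision_cycle=0.001, internal_sw_tick=True, rti_hz=3000,
                    deadlines=[DeadlineSupervision("Inverted", 0.02, 0.01),  # Test 62
                               DeadlineSupervision("TooLong", 0.0, 40.0)],   # Test 63
                    trigger_modes=[TriggerMode(0, 40000, 50)])               # Test 55

if __name__ == "__main__":
    for f in check_timing(BAD_MODE):
        tag = f"Test {f.test}" + (f" / Error {f.error}" if f.error else "")
        print(f"{tag}: {f.message}")
```

Running the block prints the five violations of BAD_MODE, one per line, while GOOD_MODE yields no findings.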
5.1.5 Errors To Be Detected by the Verifier to Protect the Embedded Code
Test No. Requirement
Test 6
The WdgMSupervisedEntityRef value of the main structure shall be a NULL pointer if and only if the number of SEs according to the EDF is zero.
Test 7
The EntityStatusLRef member of each SE must not be a NULL pointer.
Test 8
The EntityStatusGRef member of each SE must not be a NULL pointer.
Test 9
The WdgMAliveLRef member of each checkpoint shall be NULL_PTR if and only if the member WdgMAliveGRef in the same SE is NULL_PTR.
Test 10
The main WdgM_ConfigType structure shall have its DataGSRef member set to a non-NULL pointer.
Test 11
The main WdgM_ConfigType structure shall have its DataGRef member set to a non-NULL pointer.
Test 12
The main WdgM_ConfigType structure shall have its EntityGSRef member set to a non-NULL pointer.
Test 13
The main WdgM_ConfigType structure shall have its GlobalTransitionFlagsGS member set to NULL if and only if there are no global transitions.
Test 14
The value of WdgM_GlobalTransitionType->GlobalTransitionFlagId must match the position of the current element in the WdgM_GlobalTransitionType array.
Test 15
The EntityStatusLRef member of each SE must point to a unique variable.
Test 16
The EntityStatusGRef member of each SE must point to a unique variable.
Test 68
The CPs belonging to each SE must have IDs that form a zero-based list of increasing integers without a gap (see Error 1001).
Test 69
Each SE must have at least one CP (see Error 1016).
Test 70
There must be either a global transition or a local transition for every WdgMDeadlineSupervision element (see Error 1031).
Test 71
The ID of each SE must be unique (see Error 1062).
Note: Actually superseded by the handling of Error 1071. See below.
Test 72
Each SE must have an initial checkpoint (see Error 1064).
Test 73
There must be at least one callback function for the SEs or for the main structure if the flag WDGM_STATE_CHANGE_NOTIFICATION is set to STD_ON (see Error 1066).
Test 74
The number of SEs must not be zero (see Error 1090).
Test 75
The WdgM_LocalStateChangeCbk member of each SE must point to the callback function configured for that SE according to the EDF. Otherwise this member must be NULL_PTR (see Error 1066).
Test 76
The WdgM_GlobalStateChangeCbk member of the main structure must be NULL_PTR if no callback function was configured for signaling a global state change (see Error 1066).
Test 77
The callback functions assigned to SEs must have a unique name (see Error 1068).
Test 78
CPs defined as local end CPs must not have outgoing local transitions (see Error 1069).
Test 79
CPs defined as local initial CPs must not have incoming local transitions (see Error 1070).
Test 80
The SE IDs must form a zero-based list of increasing integers without a gap (see Error 1071).
Test 81
If the WdgMFailedSupervisionRefCycleTol of an SE is set to greater than zero, then there shall be an alive supervision counter associated to one of the CPs of that SE (see Error 1057).
Test 82
Each CP configured to be an SE initial CP must have CP ID = 0.
Test 83
The STD_OFF and STD_ON constants must be defined as zero (0) and one (1).
Test 84
The value for WdgMTicksPerSecond must be greater than zero.
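The entity, checkpoint and transition checks of Tests 58 to 61, 68, 69, 72, 74, 78 to 80 and 82, together with the Error 1122 rule from the error message list (a global transition must not connect checkpoints of the same entity), as an added Python example that is not TTTech's generator or verifier code. The SupervisedEntity, Checkpoint and Transition classes are assumptions that mirror the EDF element names used in the tests; the sample configuration is constructed to trigger several of the checks.

```python
"""Added example (not TTTech's generator or verifier code): the entity, checkpoint and
transition checks of Tests 58-61, 68, 69, 72, 74, 78-80 and 82, plus the Error 1122 rule."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
CpRef = Tuple[int, int]  # (Supervised Entity ID, Checkpoint ID)


@dataclass
class Finding:
    test: Optional[int]   # appendix test number, if the page lists one
    error: Optional[int]  # generator error code, if the page lists one
    message: str


@dataclass
class Checkpoint:
    cp_id: int
    name: str
    is_initial: bool = False        # local initial checkpoint
    is_local_end: bool = False      # local end checkpoint
    has_alive_counter: bool = False


@dataclass
class SupervisedEntity:
    se_id: int
    name: str
    checkpoints: List[Checkpoint] = field(default_factory=list)


@dataclass
class Transition:
    name: str
    src: CpRef
    dst: CpRef
    is_global: bool  # a global transition must connect CPs of different SEs


def zero_based_without_gaps(ids: List[int]) -> bool:
    """Tests 68 and 80: the IDs must be exactly 0, 1, ..., n-1 (in any order)."""
    return sorted(ids) == list(range(len(ids)))


def check_structure(entities: List[SupervisedEntity], transitions: List[Transition]) -> List[Finding]:
    out: List[Finding] = []
    if not entities:  # Test 74
        return [Finding(74, 1090, "No Supervised Entities found!")]
    if not zero_based_without_gaps([se.se_id for se in entities]):  # Test 80
        out.append(Finding(80, 1071, "The Supervised Entity IDs are not a zero-based list of integers without gaps."))
    by_id: Dict[int, SupervisedEntity] = {se.se_id: se for se in entities}
    for se in entities:
        if not se.checkpoints:  # Test 69
            out.append(Finding(69, 1016, f"Supervised Entity `{se.name}` has no checkpoint."))
            continue
        if not zero_based_without_gaps([cp.cp_id for cp in se.checkpoints]):  # Test 68
            out.append(Finding(68, 1001, f"Checkpoint IDs of `{se.name}` are not a zero-based list without gaps."))
        initials = [cp for cp in se.checkpoints if cp.is_initial]
        if not initials:  # Test 72
            out.append(Finding(72, 1064, f"Supervised Entity `{se.name}` has no initial checkpoint."))
        for cp in initials:
            if cp.cp_id != 0:  # Test 82
                out.append(Finding(82, None, f"initial checkpoint {se.name}/{cp.name} has CP ID {cp.cp_id}, expected 0"))
        if sum(cp.has_alive_counter for cp in se.checkpoints) > 1:  # Test 58
            out.append(Finding(58, 1086, f"Supervised Entity `{se.name}` contains more than one checkpoint having an alive counter"))

    def resolve(ref: CpRef) -> Optional[Checkpoint]:
        se = by_id.get(ref[0])
        return None if se is None else next((cp for cp in se.checkpoints if cp.cp_id == ref[1]), None)

    for t in transitions:
        src, dst = resolve(t.src), resolve(t.dst)
        if t.is_global:
            if t.src[0] not in by_id:  # Test 60
                out.append(Finding(60, 1094, f"Global Transition `{t.name}` has non-existing Entity `{t.src[0]}` as source."))
            if t.dst[0] not in by_id:  # Test 61
                out.append(Finding(61, 1095, f"Global Transition `{t.name}` has non-existing Entity `{t.dst[0]}` as destination."))
            if t.src[0] == t.dst[0]:  # Error 1122
                out.append(Finding(None, 1122, f"Global transition `{t.name}` connects checkpoints of the same entity."))
        for ref, cp in ((t.src, src), (t.dst, dst)):
            if ref[0] in by_id and cp is None:  # Test 59
                out.append(Finding(59, 1091, f"Transition `{t.name}` references non-existing checkpoint `{ref[1]}` in entity `{by_id[ref[0]].name}`."))
        if t.is_global or src is None or dst is None:
            continue
        if src.is_local_end:  # Test 78
            out.append(Finding(78, 1069, f"Local end checkpoint {by_id[t.src[0]].name}/{src.name} must not be the source of a local transition."))
        if dst.is_initial:  # Test 79
            out.append(Finding(79, 1070, f"Local init checkpoint {by_id[t.dst[0]].name}/{dst.name} must not be the destination of a local transition."))
    return out


# Constructed sample configuration with several deliberate violations (not from a real EDF).
ENTITIES = [
    SupervisedEntity(0, "Main", [Checkpoint(0, "Init", is_initial=True), Checkpoint(1, "Work", has_alive_counter=True),
                                 Checkpoint(2, "Done", is_local_end=True)]),
    SupervisedEntity(1, "Comm", [Checkpoint(0, "Rx", is_initial=True), Checkpoint(1, "Tx", has_alive_counter=True),
                                 Checkpoint(2, "Ack", has_alive_counter=True)]),   # two alive counters: Test 58
    SupervisedEntity(3, "Diag", [Checkpoint(1, "Start"), Checkpoint(2, "Stop")]),  # ID gap, CP gap, no initial CP
]
TRANSITIONS = [
    Transition("Main_0_1", (0, 0), (0, 1), is_global=False),   # valid local transition
    Transition("Main_2_1", (0, 2), (0, 1), is_global=False),   # leaves a local end CP: Test 78
    Transition("Main_1_0", (0, 1), (0, 0), is_global=False),   # enters the initial CP: Test 79
    Transition("Main_Comm", (0, 2), (1, 0), is_global=True),   # valid global transition
    Transition("Comm_self", (1, 1), (1, 2), is_global=True),   # same SE on both ends: Error 1122
    Transition("Main_Ghost", (0, 1), (7, 0), is_global=True),  # SE 7 does not exist: Test 61
]
```

Calling check_structure(ENTITIES, TRANSITIONS) returns eight findings, in the order the checks run: 1071, 1086, 1001, 1064, 1069, 1070, 1122 and 1095.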
6 Abbreviations
API: Application Programming Interface
ASIL: Automotive Safety Integrity Level
BswM: Basic Software Module
CP: Checkpoint
DEM: Diagnostic Event Manager
DET: Development Error Tracer
DVC: DaVinci Configurator Pro (by Vector Informatik GmbH)
ECU: Electronic Control Unit
EDF: ECU Description File
ISO: International Organization for Standardization
MCU: Microcontroller Unit
N/A: Not available
OS: Operating System
QM: Quality Managed Software (software development process)
RTE: Run-Time Environment
SCHM: Schedule Manager module (according to AUTOSAR 4.0 r1)
SE: Supervised Entity
SEID: Supervised Entity Identifier
SW-C, SWC: Software Component
S-Wdg: Safe Watchdog Driver (implementation by TTTech)
S-WdgIf: Safe Watchdog Interface (implementation by TTTech)
S-WdgM: Safe Watchdog Manager (implementation by TTTech)
WD: Watchdog
WdgM: AUTOSAR 4.0 r1 Watchdog Manager
7 Glossary
Alive Indications: An indication provided by a Supervised Entity Alive counter to signal its aliveness to the S-WdgM.
Alive Monitoring: A kind of S-WdgM monitoring (supervision) that checks if a Supervised Entity is executed sufficiently often and not too often.
Checkpoint: A point in the control flow of a supervised entity where the activity is reported to the S-WdgM.
Closed Graph: A closed graph is a directed graph where every Checkpoint is reachable, starting from the local initial Checkpoint.
Configuration Tool: A tool used for creating an S-WdgM configuration, e.g., DaVinci Configurator Pro.
Container: Refers to the AUTOSAR term "container". Represents a structure with different parameters.
Deadline Monitoring: Kind of S-WdgM monitoring (supervision) that checks if the execution time between two Checkpoints is lower or higher than the configured limits.
Destination Checkpoint: End point of a transition.
End Checkpoint: The last Checkpoint that is monitored for a Supervised Entity. After passing the End Checkpoint, the S-WdgM expects that the entity is not monitored. To start the monitoring again, the Initial Checkpoint must be passed first. A Supervised Entity can have zero or more End Checkpoints.
Error: Discrepancy between a computed, observed or measured value or condition, and the true, specified or theoretically correct value or condition.
Failure: Termination of the ability of an element to perform a function as required.
Fault: Abnormal condition that can cause an element or an item to fail.
Fault Detection Time: See S-WdgM Fault Detection Time.
Fault Reaction Time: The Fault Reaction Time is the S-WdgM Fault Reaction Time plus the S-Wdg Fault Reaction Time.
Global Monitoring Status: Status that summarizes the Local Monitoring Status of all supervised entities.
Global Transition: A global transition is a transition between two checkpoints in the logical program flow (i.e., source and destination checkpoint), where the checkpoints belong to different supervised entities.
Initial Checkpoint: The first Checkpoint that is monitored in the Supervised Entity. The monitoring of a Supervised Entity must start at this Checkpoint. A Supervised Entity has exactly one Initial Checkpoint.
Local Monitoring Status: Status that represents the current result of supervision of a single Supervised Entity.
Local Transition: A Local Transition is the transition between two checkpoints (i.e., source and destination checkpoint) in the logical program flow in the same Supervised Entity.
Program Flow Monitoring: Kind of S-WdgM monitoring (supervision) that checks if the inspected software is executed in a predefined sequence. This sequence is defined by the user and collected in the S-WdgM configuration.
S-WdgM Fault Detection Time: The time-span from the occurrence of a fault to the detection of the fault by the S-WdgM. The detection of a fault is indicated by a change of the state WDGM_LOCAL_STATE_OK or WDGM_GLOBAL_STATE_OK to a different state. It is called diagnostic test interval in [6], part 1.
S-WdgM Tick (Counter): The Tick Counter is used for deadline monitoring time measurement. Depending on the parameter WdgMTimebaseSource the Tick Counter is incremented by 1 for each supervision cycle or, for higher precision, with the API function WdgM_UpdateTickCounter() or with a hardware counter.
Safe State: The Safe State is the operating mode of an item without an unreasonable level of risk ([6], part 1).
Safe Watchdog Manager Stack: The software module consisting of Safe Watchdog Manager, Safe Watchdog Interface and Safe Watchdog Driver.
Safe Watchdog Manager (S-WdgM): The hardware-independent upper software layer of the Safe Watchdog Manager Stack.
Safe Watchdog Interface (S-WdgIf): The hardware-independent middle software layer of the Safe Watchdog Manager Stack.
Safe Watchdog Driver (S-Wdg): The hardware-dependent lowest layer of the Safe Watchdog Manager Stack. Controls the Watchdog device.
Source Checkpoint: Start point of a transition.
Supervised Entity: A software entity that is monitored by the S-WdgM. Each supervised entity has exactly one identifier. A supervised entity denotes a collection of checkpoints within a software component or basic software module. There may be zero, one or more supervised entities in a software component or basic software module. Each entity has a state that is based on the states reported from all its checkpoints. All checkpoints of one entity belong to the same memory context.
Supervision Cycle: The time period of the S-WdgM in which the cyclic supervision algorithm is performed.
Supervision Reference Cycle: The number of Supervision Cycles used as a reference by Alive, Deadline and Program Flow Supervision for periodic supervision. Every kind of supervision has its own reference cycle.
Timebase Tick: The S-WdgM measures the deadline of a Transition in Timebase Ticks. (In the context of this document also referred to as S-WdgM Tick.) Note: The Timebase Tick is provided either by the S-WdgM itself, or it can be provided by an external source.
Trigger Mode: The S-WdgM Trigger Mode is a set of Watchdog trigger times and Watchdog mode. One Trigger Mode is a group of the following three parameters: WdgMTriggerWindowStart, WdgMTriggerConditionValue, WdgMWatchdogMode. Each Watchdog device can have one or more Trigger Modes.
Watchdog Device: The Watchdog Device is the hardware part which represents the watchdog functionality. It can be an internal watchdog integrated on the MCU chip, or it can be an external watchdog device outside the MCU.
8 References
[1] AUTOSAR, Specification of Watchdog Manager. 080. V. 2.0.0. Rel. 4.0. Rev. 1.
[2] AUTOSAR, Specification of Watchdog Interface. 041. V. 2.3.0. Rel. 4.0. Rev. 1.
[3] AUTOSAR, Specification of Watchdog Driver. 039. V. 2.3.0. Rel. 4.0. Rev. 1.
[4] TTTech Automotive GmbH, Safe Watchdog Interface, User Manual. D-MSP-M-70-006.
[5] TTTech Automotive GmbH, Safe Watchdog Manager, Safety Manual. D-SAFEX-S-70-001.
[6] ISO 26262-2011, Road vehicles – Functional safety. International Standard. International Organization for Standardization (ISO), 2011.
[7] AUTOSAR, Specification of Watchdog Manager. 080. V. 1.2.2. Rel. 3.1. Rev. 1.
9 License Information
The S-WdgM Configuration Generator is copyright TTTech Automotive GmbH © 2011 – 2012. All rights reserved. The use of the software is subject to TTTech's Standard Software License Terms for Embedded Software and Software Tools provided together with the software. In case you don't have access to TTTech's Standard Software License Terms please contact office@tttech-automotive.com
The S-WdgM Configuration Generator was developed with the Python programming language (Copyright © 2001-2012 Python Software Foundation; All Rights Reserved) - for Python parts of the software see PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 in the LICENSE file provided with this software.
The S-WdgM Configuration Generator includes the lxml library (Copyright © 2004 Infrae. All rights reserved) - for the lxml library see the full license text in the LICENSE file provided with this software.
Index, Safe Watchdog Manager, Page 130

- A -
Abbreviations 122
Alive counter violation 27
Alive indications 26
Alive supervision 33
Aliveness 18
Aliveness parameters 19
Aliveness supervision 26
Aliveness violation 18
API description 73
    type definitions 73
Appl_Dem.h 12
Appl_Det.h 12
Appl_Mcu.h 12
Appl_Mcu_PerformReset 89
AUTOSAR 3.1 and 4.0 Compatibility 33

- C -
Checkpoint 9, 18
    destination checkpoint 21
    end checkpoint 21
    initial checkpoint 21
    local initial checkpoint 22
CheckpointID 78
Compiler.h 11
Compiler_Cfg 12
Configuration generation 102
    output files 107
    workflow 105

- D -
Deadline 15
Deadline monitoring 33
Deadline reference cycle 17
Deadline violation 17, 27
Default reset path 30
Dem_ReportErrorStatus() 12
Destination checkpoint 15
Det_ReportError() 12

- E -
End checkpoint 21
Entities, checkpoint, transitions 34
Error messages 108
    basic errors 108
    semantic errors 108

- F -
Fault detection time 27
Fault reaction time 27

- G -
Global data 97
Global memory 97
Global shared data 97
Global shared memory 97
Global state 33, 39, 40, 41, 42, 43, 44, 45
    WdgMExpiredSupervisionCycleTol 33
Global transitions 15, 22
    WdgMGlobalTransitionDestRef 22
    WdgMGlobalTransitionSourceRef 22
Glossary 124

- I -
Initial checkpoint 21
Integration 94
    deadline measurement 100
    initialization of the S-WdgM 94
    memory sections 95
    tick counter 100
    timing setup 97
Introduction 4
    architecture overview 5
    use cases 7

- L -
local end checkpoint 22
Local entity data 96
Local entity memory 96
Local reflexive transition 22
Local state 31
Local transition 15, 21

- M -
Maximum deadline
    WdgMDeadlineMax 15, 69
Maximum reaction time 29
MCU reset 30
MCU reset state 30
Mcu_PerformReset() 12
MemMap.h 12
Minimum deadline
    WdgMDeadlineMin 15, 69
Minimum reaction time 28

- N -
Node 9

- P -
PlatformTypes.h 12
Primary reset path 30
Program flow monitoring 33
Program flow reference cycle 14
Program flow violation 27
Program flow violations 14

- R -
Reference cycle 33
Reference cycle tolerance 33
Rte_Type.h 12
Rte_WdgM_Type.h 12

- S -
Safe state 27, 30
Safe Watchdog Manager 9
    alive counter options 65
    alive supervision 18
    API description 73
    basic functionality 13
    checkpoint options 65
    configuration parameters 38
    deadline monitoring 15
    deviations from AUTOSAR 4.0 r1 34
    ECU description configuration 72
    fault reaction time 27
    file structure 10
    general settings 49
    global deadline options 69
    global preprocessor settings 38
    global state 33
    global transition options 68
    global transitions 22
    local deadline options 69
    local entity state 31
    local transition options 67
    program flow supervision 13
    reset path 30
    safe state 30
    supervised entity 13
    supervised entity options 57
    supervision cycle 25
SchM_WdgM.h 12
Secondary reset path 30
SEID 78
Std_Types.h 11
Std_VersionInfoType 76
Supervised entity 6, 9, 13, 18
Supervision cycle 25
    main function 25
    WdgM_MainFunction() 25
    WdgMTriggerConditionValue 26, 77
    WdgMTriggerWindowStart 26, 77
Supervision reference cycle 31
S-WdgM 9, 122
    application level API functions 76
    callback functions 84
    expected interfaces 88
    system level API functions 84
    type definitions 73
S-WdgM supervision cycle 19, 25
S-WdgM Verifier 103

- T -
Tolerance value 31
Tolerances 36
Transition 9, 15
    global 15
    local 15
    local reflexive 22
    WdgMDeadlineStartRef 15, 70
    WdgMDeadlineStopRef 15, 70

- W -
Watchdog and Reset 36
WDGIF_MODE_OFF 40
WdgIf_Types.h 11
WdgIfDeviceRef 55
WdgInitialTimeout 99
WdgM.c 11
WdgM.h 11
WdgM_ActivateAliveSupervision(SEID) 91
WdgM_ActivateSupervisionEntity() 37, 47, 82
WdgM_Cbk_GptNotification() 93
WdgM_Cfg.h 11
WdgM_Cfg_Features.h 11, 33
WdgM_Checkpoint.c 11
WdgM_CheckpointIdType 74
WdgM_CheckpointReached() 13, 18, 78, 96
WdgM_ConfigType 73
WdgM_DeactivateAliveSupervision(SEID) 92
WdgM_DeactivateSupervisionEntity() 37, 47, 81
WdgM_DeInit() 37
WDGM_DEM_REPORT 38
WDGM_DEV_ERROR_DETECT 38
WDGM_E_CPID 78
WDGM_E_NO_INIT 78
WDGM_E_PARAM_SEID 78
WDGM_E_PARAM_STATE 78
WDGM_ENTITY_DEACTIVATION_ENABLED 47
WDGM_EXTERNAL_SOFTWARE_TICK 44
WDGM_FIRSTCYCLE_ALIVECOUNTER_RESET 48, 95
WdgM_GetAliveSupervisionStatus(SEID, *status) 91
WdgM_GetGlobalStatus() 79
WdgM_GetGlobalStatus(*status) 91
WdgM_GetLocalStatus() 79
WdgM_GetMode() 77
WdgM_GetMode(*Mode) 91
WdgM_GetVersionInfo() 92
WDGM_GLOBAL_STATE_STOPPED 43
WdgM_GlobalStatusType 75
WdgM_GssChangeCbk(status) 92
WDGM_IMMEDIATE_RESET 31, 39
WdgM_Init(&Config) 92
WdgM_Init() 95
WDGM_INTERNAL_HARDWARE_TICK 45
WDGM_INTERNAL_SOFTWARE_TICK 45
WdgM_IssChangeCbk(status) 92
WDGM_LOCAL_STATUS_DEACTIVATED 21, 82
WDGM_LOCAL_STATUS_FAILED 81
WDGM_LOCAL_STATUS_OK 81
WdgM_LocalStatusType 74
WdgM_MainFunction() 25, 27, 95, 97
WdgM_MainFunction_AliveSupervision() 93
WdgM_MemMap.h 11, 50, 96, 106
WdgM_ModeType 74
WdgM_OSMemMap.h 11, 50, 96, 106
WdgM_PBcfg.c 11
WdgM_PBcfg.h 11
WdgM_PerformReset() 80
WDGM_SECOND_RESET_PATH 30, 33, 45
WdgM_SetMode() 76
WdgM_SetMode(Mode) 90
WDGM_STATE_CHANGE_NOTIFICATION 47
WdgM_SupervisedEntityIdType 73
WDGM_TICK_OVERRUN_CORRECTION 46
WdgM_TimeBaseTickType 75
WdgM_UpdateAliveCounter(SEID) 91
WdgM_UpdateTickCounter() 99
WdgMAliveSupervisionCheckpointRef 67
WdgMAppTaskRef 64
WdgMCallerId 48
WdgMCheckpointId 65
WdgMConfig_Mode0 107
WdgMDeadlineMax 15, 69
WdgMDeadlineMin 15, 69
WdgMDeadlineReferenceCycle 18, 33, 59
WdgMDeadlineStartRef 15, 70
WdgMDeadlineStopRef 15, 70
WdgMDefensiveBehavior 41
WdgMDemReport 38
WdgMDemSupervisionReport 42
WdgMDevErrorDetect 37, 38
WdgMEnableEntityDeactivation 47, 61
WdgMEntityDeactivationEnabled 47
WdgMExpectedAliveIndications 19, 65
WdgMExpiredSupervisionCycleTol 33, 53
WdgMFailedDeadlineRefCycleTol 18, 33, 58
WdgMFailedProgramFlowRefCycleTol 14, 33, 59
WdgMFailedSupervisionRefCycleTol 33, 57
WdgMFirstCycleAliveCounterReset 18, 48
WdgMGlobalCheckpointFinalRef 53
WdgMGlobalCheckpointInitialRef 54
WdgMGlobalMemoryAppTaskRef 49
WdgMGlobalStateChangeCbk 49, 84
WdgMGlobalTransitionDestRef 22, 68
WdgMGlobalTransitionSourceRef 22, 69
WdgMImmediateReset 39
WdgMInitialTriggerModeId 50
WdgMLocalCheckpointFinalRef 63
WdgMLocalCheckpointInitialRef 64
WdgMLocalStateChangeCbk 63, 84
WdgMLocalStatusSupervisedEntityRef 61
WdgMLocalTransitionDestRef 21, 67
WdgMLocalTransitionSourceRef 21, 68
WdgMMaxMargin 19, 66
WdgMMinMargin 19, 66
WdgMModeID 50, 56
WdgMOffModeEnabled 40
WdgMProgramFlowReferenceCycle 14, 26, 33, 60
WdgMSecondResetPath 45
WdgMStateChangeNotification 47
WdgMSupervisedEntityId 61
WdgMSupervisedEntityInitialMode 58
WdgMSupervisionCycle 19, 52, 53, 99
WdgMSupervisionReferenceCycle 19, 33, 66
WdgMSupportedAutosarAPI 62, 90
WdgMTickOverrunCorrection 46
WdgMTicksPerSecond 51, 99
WdgMTimebaseSource 44
WdgMTriggerConditionValue 26, 56, 77, 99
WdgMTriggerModeId 51
WdgMTriggerWatchdogRef 57
WdgMTriggerWindowStart 26, 56, 77, 99
WdgMUseOsSuspendInterrupt 43
WdgMUseRte 42
WdgMVersionInfoApi 40
WdgMWatchdogMode 55, 77
WdgMWatchdogName 54
WdgWindowStart 99

- Z -
Zero alive indication 20
13 - WdgM Integration Manual
Integration Manual
For
WdgM
VERSION: 1
DATE: 01/15/16
Prepared By:
Software Group,
Nexteer Automotive,
Saginaw, MI, USA
Location: The official version of this document is stored in the Nexteer Configuration Management System.
Revision History
Sl. No. | Description | Author | Version | Date |
1 | Initial version | Lucas Wendling | 1.0 | 01/15/16 |
Table of Contents
1 Abbreviations And Acronyms 4
2 References 5
3 Dependencies 6
3.1 SWCs 6
3.2 Global Functions(Non RTE) to be provided to Integration Project 6
4 Configuration REQUIREMENTS 7
4.1 Build Time Config 7
4.2 Configuration Files to be provided by Integration Project 7
4.3 Da Vinci Parameter Configuration Changes 7
4.4 DaVinci Interrupt Configuration Changes 7
4.5 Manual Configuration Changes 7
5 Integration DATAFLOW REQUIREMENTS 8
5.1 Required Global Data Inputs 8
5.2 Required Global Data Outputs 8
5.3 Specific Include Path present 8
6 Runnable Scheduling 9
7 Memory Map REQUIREMENTS 10
7.1 Mapping 10
7.2 Usage 10
7.3 Non RTE NvM Blocks 10
7.4 RTE NvM Blocks 10
8 Compiler Settings 11
8.1 Preprocessor MACRO 11
8.2 Optimization Settings 11
9 Appendix 12
Abbreviations And Acronyms
References
This section lists the title and version of all documents referred to during the development of this document.
Dependencies
SWCs
Note: Referencing external components should be avoided in most cases. Only in unavoidable circumstances should external components be referenced, and the developer should track those references.
Global Functions(Non RTE) to be provided to Integration Project
API usage and scheduling of BSW components are expected to be captured at the project architecture level and are beyond the scope of this document. Third-party documentation can be referenced as needed.
NxtrWdgM_Init
NxtrWdgM_Init is a trusted function interface for WdgM_Init. It is currently needed because an include order issue prevents the OS from seeing the configuration structure passed into WdgM_Init, so WdgM_Init cannot be called directly as the trusted function. This function is only needed in a project if WdgM_Init is called from a non-trusted application task context (which is the typical scenario).
If this function is needed (that is, if WdgM_Init must be called from a non-trusted task context), the following needs to be done for integration:
1. Include NxtrWdgM.gpj as a subproject in the integration project gpj file.
2. Configure the OS with a trusted function call named "NxtrWdgM_Init". It has a void return and no passed parameters (void).
3. At the point in the startup sequence where WdgM_Init would be called, call the trusted function via "Call_NxtrWdgM_Init" instead.
If this function is not needed (WdgM_Init is already called from a trusted task context), the integrator can exclude NxtrWdgM.gpj from the integration project gpj file and call the WdgM_Init API directly.
Configuration REQUIREMENTS
Configuration of BSW components is expected to be captured at the project architecture level and is beyond the scope of this document. Third-party documentation can be referenced as needed.
Build Time Config
Configuration Files to be provided by Integration Project
N/A
Da Vinci Parameter Configuration Changes
DaVinci Interrupt Configuration Changes
Manual Configuration Changes
Integration DATAFLOW REQUIREMENTS
Required Global Data Outputs
Specific Include Path present
Yes
Runnable Scheduling
API usage and scheduling of BSW components are expected to be captured at the project architecture level and are beyond the scope of this document. Third-party documentation can be referenced as needed.
Init | Scheduling Requirements | Trigger |
NxtrWdgM_Init | See section 3.2 for details on if this function is required | |
Runnable | Scheduling Requirements | Trigger |
| | |
Memory Map REQUIREMENTS
Mapping
Memory Section | Contents | Notes |
| | |
| | |
* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.
Usage
NvM Blocks
Compiler Settings
Preprocessor MACRO
Optimization Settings
Appendix
<This section is for appendix>
14 - WdgM Peer Review Checklists
Overview
Summary Sheet
Synergy Project
Source Code
PolySpace
Integration Manual
Sheet 1: Summary Sheet
Rev 1.2 | 8-Jun-15 |
Peer Review Summary Sheet

Synergy Project Name: WdgM
Note (kzshz2): Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy. Rationale: Required for traceability. It will help to ensure this form is not attached to the wrong change request.
Revision / Baseline: WdgM_Vector_Ar4.0.3_03.03.03_1
Note (kzshz2): Intended Use: Identify which Synergy revision of this component is being reviewed. Rationale: Required for traceability. It will help to ensure this form is not attached to the wrong change request.
Change Owner: Lucas Wendling
Note (kzshz2): Intended Use: Identify the developer who made the change(s). Rationale: A change request may have more than one resolver; this will help identify who made what change. Change owner identification may be required by industry standards.
Work CR ID: EA4#3183
Modified File Types:
Note (kzshz2): Intended Use: Identify at a high level to the reviewers which areas of the component have been changed. Rationale: This is good information to have when ensuring appropriate reviews have been completed.

Review Checklist Summary:
Note (kzshz2): Intended Use: Identify who the reviewers were, what they reviewed, and whether the reviewed changes have been approved to release the code for testing. Comments here should be at a high level; the specific comments should be present on the specific review form sheet. Rationale: Since this form will be attached to the Change Request, it will confirm the approval and provide feedback in case of audits. ADD DR Level. Move reviewer and approval to individual checklist form.

Reviewed:
N/A | MDD |
N/A | Source Code |
N/A | PolySpace |
N/A | Integration Manual |
N/A | Davinci Files |

Comments: 3rd Party BSW component. Only reviewed 3rd party files for correctness to delivery and any Nexteer created source files and documentation.

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as part of the Group Review Board (Source Code, Integration Manual, and Davinci Files).
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.
Sheet 2: Synergy Project
Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items (Rationale is required for all answers of No):
Check Item | Answer | Comments |
New baseline version name from Summary Sheet follows naming convention | Yes | Follows convention created for BSW components |
Project contains necessary subprojects | N/A | |
Project contains the correct version of subprojects | N/A | |
Design subproject is correct version | N/A | |

General Notes / Comments:

Review Board:
Note (LN): Intended Use: Identify who the reviewers were and whether the reviewed changes have been approved. Rationale: Since this form will be attached to the Change Request, it will confirm the approval and provide feedback in case of audits.
Note (KMC): Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4.
Change Owner: Lucas Wendling
Review Date: 01/21/16
Lead Peer Reviewer: Jared Julien
Approved by Reviewer(s): Yes
Other Reviewer(s):
Sheet 3: Source Code
Rev 1.2 | 8-Jun-15 |
Peer Review Meeting Log (Source Code Review)

Source File Name: NxtrWdgM.c
Source File Revision: 1
Header File Name: NxtrWdgM.h
Header File Revision: 1
Note (kzshz2): Intended Use: Identify which version of the source file is being reviewed. Rationale: Required for traceability between source code and review. Auditors will likely require this.
MDD Name: N/A
Revision: N/A
FDD/SCIR/DSR/FDR/CM Name: N/A
Revision: N/A

Quality Check Items (Rationale is required for all answers of No):
Check Item | Answer | Comments |
Working EA4 Software Naming Convention followed for variable names | N/A | |
Working EA4 Software Naming Convention followed for constant names | N/A | |
Working EA4 Software Naming Convention followed for function names | Yes | |
Working EA4 Software Naming Convention followed for other names (component, memory mapping handles, typedefs, etc.) | Yes | |
All paths assign a value to outputs, ensuring all outputs are initialized prior to being written | N/A | |
Requirements Traceability tags in code match the requirements traceability in the FDD | N/A | |
All variables are declared at the function level. | N/A | |
Synergy version matches change history and Version Control version in file comment block | Yes | |
Change log contains detailed description of changes and Work CR number | Yes | |
Code accurately implements FDD (Document or Model) | N/A | |
Verified no Compiler Errors or Warnings | Yes | No sandbox available for BSW components. Test was done manually on an integration project. |
Component.h is included | Yes | |
All other includes are actually needed. (System includes only allowed in Nexteer library components) | Yes | |

Note (kzshz2) on "Synergy version matches change history": Intended Use: Indicate that the versioning was confirmed by the peer reviewer(s). Rationale: There have been many occasions where versions were not updated in files and as a result Unit Tests were referencing wrong versions. This often leads to the need to re-run batch tests.
Note (KMC) on "Verified no Compiler Errors or Warnings": Intended Use: To confirm no compiler errors or warnings exist for the code under review (warnings from contract header files may be ignored). Rationale: This is needed to ensure there will be no errors discovered at the time of integration. A Sandbox project should be used; QAC can find compiler errors but not warnings.

Software Design and Coding Standards followed: | Version: |
Check Item | Answer | Comments |
Code comments are clear, correct, and adequate and have been updated for the change: [N40] and all other rules in the same section as rule [N40], plus [N75], [N12], [N23], [N33], [N37], [N38], [N48], [N54], [N77], [N79], [N72] | Yes | |
Source file (.c and .h) comment blocks are per standards and contain correct information: [N41], [N42] | Yes | |
Function comment blocks are per standards and contain correct information: [N43] | Yes | |
Code formatting (indentation, placement of braces, etc.) is per standards: [N5], [N55], [N56], [N57], [N58], [N59] | Yes | |
Embedded constants used per standards; no "magic numbers": [N12] | N/A | |
Memory mapping for non-RTE code is per standard | Yes | |
All execution-order-dependent code can be recognized by the compiler: [N80] | N/A | |
All loops have termination conditions that ensure finite loop iterations: [N63] | N/A | |
All divides protect against divide by zero if needed: [N65] | N/A | |
All integer division and modulus operations handle negative numbers correctly: [N76] | N/A | |
All typecasting and fixed point arithmetic, including all use of fixed point macros and timer functions, is correct and has no possibility of unintended overflow or underflow: [N66] | N/A | |
All float-to-unsigned conversions ensure the float value is non-negative: [N67] | N/A | |
All conversions between signed and unsigned types handle msb==1 as intended: [N78] | N/A | |
All pointer dereferencing protects against null pointer if needed: [N70] | N/A | |
Component outputs are limited to the legal range defined in the FDD DataDict.m file: [N53] | N/A | |
All code is mapped with FDD (all FDD subfunctions and/or model blocks identified with code comments; all code corresponds to some FDD subfunction and/or model block): [N40] | N/A | |
Review did not identify violations of other coding standard rules | Yes | |
Anomaly or Design Work CR created for any FDD corrections needed | N/A | List Anomaly or CR numbers |

General Notes / Comments:

Review Board:
Note (LN): Intended Use: Identify who the reviewers were and whether the reviewed changes have been approved. Rationale: Since this form will be attached to the Change Request, it will confirm the approval and provide feedback in case of audits.
Note (KMC): Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4.
Change Owner: Lucas Wendling
Review Date: 01/21/16
Lead Peer Reviewer: Jared Julien
Approved by Reviewer(s): Yes
Other Reviewer(s):
Sheet 4: PolySpace
Rev 1.2 | 8-Jun-15 |
Peer Review Meeting Log (QAC/PolySpace Review)

Source File Name: NxtrWdgM.c
Source File Revision: 1
Source File Name:
Source File Revision:
Source File Name:
Source File Revision:

EA4 Static Analysis Compliance Guideline version: 01.01.00
Poly Space version: 2013B (template hint: eg. 2013b)
Polyspace sub project version: N/A (template hint: eg. TL108a_PolyspaceSuprt_1.0.0)
QAC version: N/A (template hint: eg 8.1.1-R)
QAC sub project version: N/A (template hint: eg. TL_100A_1.1.0)

Quality Check Items (Rationale is required for all answers of No):
Check Item | Answer | Comments |
Contract Folder's header files are appropriate and function prototypes match the latest component version | Yes | Copy of NxtrWdgM.h moved to contract folder to avoid analysis of 3rd party headers |
100% Compliance to the EA4 Static Analysis Compliance Guideline | Yes | |
Are previously added justification and deviation comments still appropriate | N/A | |
Do all MISRA deviation comments use approved deviation tags | Yes | |
Cyclomatic complexity and Static path count OK for all functions in the component per Design and Coding Standards rule [N47] | Yes | |

Note (kzshz2) on the contract folder item: Intended Use: Identify that the contract folder contains only the information required for this component. All other variables, constants, function prototypes, etc. should be removed. Rationale: This will help avoid unit testers having to consider objects not used. It will also avoid having other files required for QAC.
Note (Creager, Kathleen) on the complexity item: use Browse Function Metrics, STCYC and STPTH.

General Notes / Comments:

Review Board:
Note (LN): Intended Use: Identify who the reviewers were and whether the reviewed changes have been approved. Rationale: Since this form will be attached to the Change Request, it will confirm the approval and provide feedback in case of audits.
Note (KMC): Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4.
Change Owner: Lucas Wendling
Review Date: 01/21/16
Lead Peer Reviewer: Jared Julien
Approved by Reviewer(s): Yes
Other Reviewer(s):
Sheet 5: Integration Manual
Rev 1.2 | 8-Jun-15 |
Peer Review Meeting Log (Integration Manual Review)

Integration Manual Name: WdgM Integration Manual.doc
Note (kzshz2): Intended Use: Identify which file is being reviewed. Rationale: Required for traceability. It will help to ensure this sheet is not attached to the wrong design review form.
Integration Manual Revision: 1
Note (kzshz2): Intended Use: Identify which version of the integration manual has been reviewed. Rationale: Required for traceability between the MDD and review. Auditors will likely require this.

Quality Check Items (Rationale is required for all answers of No):
Check Item | Answer | Comments |
Synergy version matches header | Yes | |
Latest template used | Yes | |
Change log contains detailed description of changes | Yes | |
Changes Highlighted (for Integrator) | N/A | Initial Version |

General Notes / Comments:

Review Board:
Note (LN): Intended Use: Identify who the reviewers were and whether the reviewed changes have been approved. Rationale: Since this form will be attached to the Change Request, it will confirm the approval and provide feedback in case of audits.
Note (KMC): Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4.
Change Owner: Lucas Wendling
Review Date: 01/21/16
Lead Peer Reviewer: Jared Julien
Approved by Reviewer(s): Yes
Other Reviewer(s):