Sr. No.	Title	Version
1	FDD – CM107A GuardCfgAndDiagc	See Synergy subproject version
2	Software Naming Conventions	Process 04.02.00
3	Software Coding Standards	Process 04.02.00

Dependencies

SWCs

Module	Required Feature
AR202A MicroCtrlrSuprt	NxtrMcuSuprtLib functions and register definitions

Note : Referencing the external components should be avoided in most cases. Only in unavoidable circumstance external components should be referred. Developer should track the references.

Global Functions(Non RTE) to be provided to Integration Project

GuardCfgAndDiagcInit1 - Non-RTE function so that guard protection can be initialized and enabled before the RTE is started

IpgInin - To be configured as a trusted function because it needs to run in supervisor mode

GuardCfgAndDiagcInit3 - Non-RTE function so that guard startup test can be run before the RTE is started

Configuration REQUIREMeNTS

Build Time Config

Modules	Notes
None

Configuration Files to be provided by Integration Project

Da Vinci Parameter Configuration Changes

Parameter	Notes	SWC

DaVinci Interrupt Configuration Changes

ISR Name	VIM #	Priority Dependency	Notes

Manual Configuration Changes

Constant	Notes	SWC
None

Integration DATAFLOW REQUIREMENTS

Required Global Data Inputs

None

Required Global Data Outputs

None

Specific Include Path present

Yes

Runnable Scheduling

This section specifies the required runnable scheduling.

Init	Scheduling Requirements
GuardCfgAndDiagcInit1	Non-RTE Init, Called in Startup Sequence*	Function call in Startup Sequence
GuardCfgAndDiagcInit2	RTE	Once At Init (RTE)
GuardCfgAndDiagcInit3	Non-RTE Init, Called in Startup Sequence*	Function call in Startup Sequence

*Refer CM100A for the start up sequence

Runnable	Scheduling Requirements	Trigger

Memory Map REQUIREMENTS

Mapping

Memory Section	Contents	Notes
CDD_GuardCfgAndDiagc_START_SEC_CODE

* Each …START_SEC… constant is terminated by a …STOP_SEC… constant as specified in the AUTOSAR Memory Mapping requirements.

Usage

Feature	RAM	ROM

Table 1: ARM Cortex R4 Memory Usage

NvM Blocks

Compiler Settings

Preprocessor MACRO

None

Optimization Settings

None

Appendix

None

2 - GuardCfgAndDiagc Module Design Document

Module Design Document

For

GuardCfgAndDiagc

Mar 31 , 2016

Prepared For:

Software Engineering

Nexteer Automotive,

Saginaw, MI, USA

Prepared By:

Software Group,

Nexteer Automotive,

Saginaw, MI, USA
Change History

Description	Author	Version	Date
Initial Version	Avinash James	1.0	02/16/16
Updates for PBG Register Lock bits and Syncm inclusion	Avinash James	2.0	03/31/16

Table of Contents

1 Introduction 5

1.1 Purpose 5

1.2 Scope 5

2 GuardCfgAndDiagc & High-Level Description 6

3 Design details of software module 7

3.1 Graphical representation of GuardCfgAndDiagc 7

3.2 Data Flow Diagram 7

3.2.1 Component level DFD 7

3.2.2 Function level DFD 7

4 Constant Data Dictionary 8

4.1 Program (fixed) Constants 8

4.1.1 Embedded Constants 8

5 Software Component Implementation 9

5.1 Sub-Module Functions 9

5.1.1 Init: GuardCfgAndDiagcInit1 9

5.1.1.1 Design Rationale 9

5.1.1.2 Module Outputs 9

5.1.2 Init: GuardCfgAndDiagcInit2 9

5.1.2.1 Design Rationale 9

5.1.2.2 Module Outputs 9

5.1.3 Init: GuardCfgAndDiagcInit3 9

5.1.3.1 Design Rationale 9

5.1.3.2 Module Outputs 9

5.1.4 Per: None 9

5.2 Server Runables 9

5.3 Interrupt Functions 9

5.4 Module Internal (Local) Functions 10

5.4.1 ConfigureFilterN 10

5.4.1.1 Design Rationale 10

5.4.1.2 Processing 10

5.4.2 ChkForPBGErr 10

5.4.2.1 Design Rationale 10

5.4.2.2 Processing 10

5.4.3 ChkForECMErr 10

5.4.3.1 Design Rationale 10

5.4.3.2 Processing 11

5.4.4 Vrfy32BitPBGRegAcs 11

5.4.4.1 Design Rationale 11

5.4.4.2 Processing 11

5.4.5 Vrfy16BitPBGRegAcs 11

5.4.5.1 Design Rationale 11

5.4.5.2 Processing 11

5.4.6 Vrfy8BitPBGRegAcs 11

5.4.6.1 Design Rationale 11

5.4.6.2 Processing 11

5.5 GLOBAL Function/Macro Definitions 12

5.5.1 GLOBAL Function #1 12

5.5.1.1 Design Rationale 12

5.5.1.2 Processing 12

6 Known Limitations with Design 13

7 UNIT TEST CONSIDERATION 14

Appendix A Abbreviations and Acronyms 15

Appendix B Glossary 16

Appendix C References 17

Introduction

Purpose

Scope

The following definitions are used throughout this document:

Shall: indicates a mandatory requirement without exception in compliance.
Should: indicates a mandatory requirement; exceptions allowed only with documented justification.
May: indicates an optional action.

GuardCfgAndDiagc & High-Level Description

See FDD

Design details of software module

Graphical representation of GuardCfgAndDiagc

Data Flow Diagram

Component level DFD

See FDD

Function level DFD

See FDD

Constant Data Dictionary

Program (fixed) Constants

Embedded Constants

Local Constants

Constant Name	Resolution	Units	Value
PBGPROTNCMN_CNT_U32	1	uint32	0x0405FE1FU
PBGUSRMODENA_CNT_U32	1	uint32	0x02000000U
PBGUSRMODDI_CNT_U32	1	uint32	0x00000000U
PBGSPID321ENA_CNT_U32	1	uint32	0x000001C0U
PBGSPID31ENA_CNT_U32	1	uint32	0x00000140U
PBGSPID21ENA_CNT_U32	1	uint32	0x000000C0U
PBGSPID1ENA_CNT_U32	1	uint32	0x00000040U
PBGSETNOREADWRACS_CNT_U32	1	uint32	0x405FE5CU
NROF8BITREG_CNT_U08	1	uint8	((uint8)0x09)
NROF32BITREG_CNT_U08	1	uint8	((uint8)0x02)
READERRBIT_CNT_U32	1	uint32	((uint32)1U<<6U)
WRERRBIT_CNT_U32	1	uint32	((uint32)1U<<7U)
CFGERRBIT_CNT_U32	1	uint32	((uint32)1U<<8U)
PBGERRBIT_CNT_U32	1	uint32	((uint32)1U<<9U)
ECMERRBIT_CNT_U32	1	uint32	((uint32)1U<<10U)
REGTYPE8BIT_CNT_U32	1	uint32	((uint32)0U<<4U)
REGTYPE16BIT_CNT_U32	1	uint32	((uint32)1U<<4U)
REGTYPE32BIT_CNT_U32	1	uint32	((uint32)2U<<4U)
PBGSTRTUPTESTNOFAILR_CNT_U32	1	uint32	0x0U
PBGPROTNLOCKENA_CNT_U32	1	uint32	0x80000000U

Software Component Implementation

Sub-Module Functions

Init: GuardCfgAndDiagcInit1

Design Rationale

Non-RTE function for Guard configuration initialization of PEG, IPG, and PBG so that guard protection can be initialized and enabled before the RTE is started

Module Outputs

Configuration registers for PEG, IPG, and PBG

Init: GuardCfgAndDiagcInit2

Design Rationale

RTE Empty function for purposes of memory mapping

See FDD for more.

Module Outputs

None

Init: GuardCfgAndDiagcInit3

Design Rationale

Non-RTE function for Start Up Initialization test of PBG of Group 3A

See FDD for more.

Module Outputs

None

Per: None

Server Runables

None

Interrupt Functions

None

Module Internal (Local) Functions

ConfigureFilterN

Function Name	ConfigureFilterN	Type	Min	Max
Arguments Passed	PbgProtReg	volatile uint32*	0	0xFFFFFFFF
	Val	uint32	0	0xFFFFFFFF
	PbgStrtUpTestFailSts	Uint32 *	0	0xFFFFFFFF
Return Value	None

Design Rationale

This local function sets the value Val to the register address PbgProtReg passed as the arguments and verifies the write operation was successful. If not a diagnostic is set.

Processing

Figure 4.5.3 from SAN ver 1.20

ChkForPBGErr

Function Name	ChkForPBGErr	Type	Min	Max
Arguments Passed	PbgStrtUpTestFailSts	Uint32 *	0	0xFFFFFFFF

Return Value	None

Design Rationale

This local function checks PBG access violation error is captured. If not set diagnostic, clear the error and if the error doesn’t clear set diagnostic.

Processing

Figure 4.5.3 from SAN ver 1.20

ChkForECMErr

Function Name	ChkForECMErr	Type	Min	Max
Arguments Passed	PbgStrtUpTestFailSts	Uint32 *	0	0xFFFFFFFF

Return Value	None

Design Rationale

This local function checkscwhether ECM captures the error sets diagnostic message and clears the ECM errors after the check else set diagnostic.

Processing

Refer FDD 4.5.3 Implementation

Vrfy32BitPBGRegAcs

Function Name	Vrfy32BitPBGRegAcs	Type	Min	Max
Arguments Passed	PbgStrtUpTestFailSts	Uint32 *	0	0xFFFFFFFF

Return Value	None

Design Rationale

This is defined to reduce the path count and modularizes the check for the 32 bit Access registers alone.

Processing

Vrfy16BitPBGRegAcs

Function Name	Vrfy16BitPBGRegAcs	Type	Min	Max
Arguments Passed	PbgStrtUpTestFailSts	Uint32 *	0	0xFFFFFFFF

Return Value	None

Design Rationale

This is defined to reduce the path count and modularizes the check for the 16 bit Access registers alone.

Processing

Vrfy8BitPBGRegAcs

Function Name	Vrfy8BitPBGRegAcs	Type	Min	Max
Arguments Passed	PbgStrtUpTestFailSts	Uint32 *	0	0xFFFFFFFF

Return Value	None

Design Rationale

This is defined to reduce the path count and modularizes the check for the 8 bit Access registers alone.

Processing

GLOBAL Function/Macro Definitions

GLOBAL Function #1

Function Name	Type	Min	Max
Arguments Passed

Return Value

Design Rationale

Processing

Known Limitations with Design

None

UNIT TEST CONSIDERATION

None

Abbreviations and Acronyms

Abbreviation or Acronym	Description

Glossary

Note: Terms and definitions from the source “Nexteer Automotive” take precedence over all other definitions of the same term. Terms and definitions from the source “Nexteer Automotive” are formulated from multiple sources, including the following:

ISO 9000
ISO/IEC 12207
ISO/IEC 15504
Automotive SPICE® Process Reference Model (PRM)
Automotive SPICE® Process Assessment Model (PAM)
ISO/IEC 15288
ISO 26262
IEEE Standards
SWEBOK
PMBOK
Existing Nexteer Automotive documentation

Term	Definition	Source
MDD	Module Design Document
DFD	Data Flow Diagram

References

Ref. #	Title	Version
1	AUTOSAR Specification of Memory Mapping (Link:AUTOSAR_SWS_MemoryMapping.pdf)	v1.3.0 R4.0 Rev 2
2	MDD Guideline	EA4 01.00.01
3	Software Naming Conventions.doc	2.0
4	Software Design and Coding Standards.doc	2.1

3 - GuardCfgAndDiagc Peer Review Checklists

Overview

Summary Sheet
Synergy Project
Src-GuardCfgAndDiagcNonRte
PolySpace

Sheet 1: Summary Sheet

Rev 1.2

8-Jun-15

Peer Review Summary Sheet

Synergy Project Name:

kzshz2: Intended Use: Identify which component is being reviewed. This should be the Module Short Name from Synergy Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. CM107A_GuardCfgAndDiagc_Impl

Revision / Baseline:

kzshz2: Intended Use: Identify which Synergy revision of this component is being reviewed Rationale: Required for traceability. It will help to ensure this form is not attaced to the the wrong change request. CM107A_GuardCfgAndDiagc_Impl_3.0.0

Change Owner:

kzshz2: Intended Use: Identify the developer who made the change(s) Rationale: A change request may have more than one resolver, this will help identify who made what change. Change owner identification may be required by indusrty standards. Avinash James

Work CR ID:

EA4#4976

kzshz2: Intended Use: Intended to identify at a high level to the reviewers which areas of the component have been changed. Rationale: This will be good information to know when ensuring appropriate reviews have been completed. Modified File Types:

kzshz2: Intended Use: Identify who where the reviewers, what they reviewed, and if the reviewed changes have been approved to release the code for testing. Comments here should be at a highlevel, the specific comments should be present on the specific review form sheet. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. ADD DR Level Move reviewer and approval to individual checklist form Review Checklist Summary:

Reviewed:

N/A

MDD

Yes

Source Code

Yes

PolySpace

N/A

Integration Manual

N/A

Davinci Files

Comments:

General Guidelines:
- The reviews shall be performed over the portions of the component that were modified as a result of the Change Request.
- New components should include FDD Owner and Integrator as apart of the Group Review Board (Source Code, Integration Manual, and Davinci Files)
- Enter any rework required into the comment field and select No. When the rework is complete, review again using this same review sheet and select Yes. Add date and additional comment stating that the rework is completed.
- To review a component with multiple source code files use the "Add Source" button to create a Source code tab for each source file.
- .h file should be reviewed with the source file as part of the source file.

Sheet 2: Synergy Project

Peer Review Meeting Log (Component Synergy Project Review)

Quality Check Items:

Rationale is required for all answers of No

New baseline version name from Summary Sheet follows

Yes

Comments:

naming convention

Project contains necessary subprojects

Yes

Comments:

Project contains the correct version of subprojects

Yes

Comments:

Design subproject is correct version

Yes

Comments:

General Notes / Comments:

LN: Intended Use: Identify who were the reviewers and if the reviewed changes have been approved. Rationale: Since this Form will be attached to the Change Request it will confirm the approval and provides feedback in case of audits. KMC: Group Review Level removed in Rev 4.0 since the design review is not checked in until approved, so it would always be DR4. Review Board:

Change Owner:

Avinash James

Review Date :

04/05/16

Lead Peer Reviewer:

Selva Sengottaiyan

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 3: Src-GuardCfgAndDiagcNonRte

Rev 1.2

8-Jun-15

Peer Review Meeting Log (Source Code Review)

Source File Name:

CDD_GuardCfgAndDiagcNonRte.c

Source File Revision:

Header File Name:

CDD_GuardCfgAndDiagc.h

Header File Revision:

kzshz2: Intended Use: Identify which version of the source file is being review. Rationale: Required for traceability between source code and review. Auditors will likely require this. 1

MDD Name:

Revision:

FDD/SCIR/DSR/FDR/CM Name:

CM107A_GuardCfgAndDiagc_Design

Revision:

3.0.1

Quality Check Items:

Rationale is required for all answers of No

Working EA4 Software Naming Convention followed:

for variable names

N/A

Comments:

for constant names

N/A

Comments:

for function names

N/A

Comments:

for other names (component, memory

N/A

Comments:

mapping handles, typedefs, etc.)

All paths assign a value to outputs, ensuring

N/A

Comments:

No Outputs

all outputs are initialized prior to being written

Requirements Tracability tags in code match the requirements tracability in the FDD

N/A

Comments:

No requirements to trace

requirements tracability in the FDD

All variables are declared at the function level.

N/A

Comments:

No variables

Synergy version matches change history

kzshz2: Intended Use: Indicate that the the versioning was confirmed by the peer reviewer(s). Rationale: There have been many occassions where versions were not updated in files and as a result Unit Test were referencing wrong versions. This often time leads to the need to re-run of batch tests.

Yes

Comments:

and Version Control version in file comment block

Change log contains detailed description of changes

Yes

Comments:

and Work CR number

Code accurately implements FDD (Document or Model)

Yes

Comments:

Verified no Compiler Errors or Warnings

KMC: Intended Use: To confirm no compiler errors or warnings exist for the code under review (warnings from contract header files may be ignored). Rationale: This is needed to ensure there will be no errors discovered at the time of integration. A Sandox project should be used; QAC can find compiler errors but not warnings.

Yes

Comments:

Component.h is included

Yes

Comments:

All other includes are actually needed. (System includes

Yes

Comments:

only allowed in Nexteer library components)

Software Design and Coding Standards followed:

Version:2.1

Code comments are clear, correct, and adequate

Yes

Comments:

and have been updated for the change: [N40] and

all other rules in the same section as rule [N40],

plus [N75], [N12], [N23], [N33], [N37], [N38],

[N48], [N54], [N77], [N79], [N72]

Source file (.c and .h) comment blocks are per

Yes

Comments:

standards and contain correct information: [N41], [N42]

Function comment blocks are per standards and

Yes

Comments:

contain correct information: [N43]

Code formatting (indentation, placement of

Yes

Comments:

braces, etc.) is per standards: [N5], [N55], [N56],

[N57], [N58], [N59]

Embedded constants used per standards; no

Yes

Comments:

"magic numbers": [N12]

Memory mapping for non-RTE code

Yes

Comments:

is per standard

All execution-order-dependent code can be

Yes

Comments:

recognized by the compiler: [N80]

All loops have termination conditions that ensure

N/A

Comments:

finite loop iterations: [N63]

All divides protect against divide by zero

N/A

Comments:

if needed: [N65]

All integer division and modulus operations

N/A

Comments:

handle negative numbers correctly: [N76]

All typecasting and fixed point arithmetic,

N/A

Comments:

including all use of fixed point macros and

timer functions, is correct and has no possibility

of unintended overflow or underflow: [N66]

All float-to-unsiged conversions ensure the.

N/A

Comments:

float value is non-negative: [N67]

All conversions between signed and unsigned

N/A

Comments:

types handle msb==1 as intended: [N78]

All pointer dereferencing protects against

Yes

Comments:

null pointer if needed: [N70]

Component outputs are limited to the legal range

N/A

Comments:

No outputs

defined in the FDD DataDict.m file : [N53]

All code is mapped with FDD (all FDD

Yes

Comments:

subfunctions and/or model blocks identified

with code comments; all code corresponds to

some FDD subfunction and/or model block): [N40]

Review did not identify violations of other

Yes

Comments:

coding standard rules

Anomaly or Design Work CR created

N/A

Comments:

for any FDD corrections needed

General Notes / Comments:

Change Owner:

Avinash James

Review Date :

04/05/16

Lead Peer Reviewer:

Selva Sengottaiyan

Approved by Reviewer(s):

Yes

Other Reviewer(s):

Sheet 4: PolySpace

Rev 1.2

8-Jun-15

Peer Review Meeting Log (QAC/PolySpace Review)

Source File Name:

CDD_GuardCfgAndDiagcNonRte.c

Source File Revision:

Source File Name:

CDD_GuardCfgAndDiagc.c

Source File Revision:

Source File Name:

Source File Revision:

EA4 Static Analysis Compliance Guideline version:

01.01.00

Poly Space version:

Windows User: eg. 2013b 2013B

Polyspace sub project version:

Windows User: eg. TL108a_PolyspaceSuprt_1.0.0 NA

QAC version:

Windows User: eg 8.1.1-R 8.1.1-R

QAC sub project version:

Windows User: eg. TL_100A_1.1.0 1.2.0

Quality Check Items:

Rationale is required for all answers of No

Contract Folder's header files are appropriate and

kzshz2: Intended Use: Identify that the contract folder contains only the information required for this component. All other variables, constants, function prototypes, etc. should be removed. Rationale: This will help avoid unit testers having to considers object not used. It will also avoid having other files required for QAC.

Yes

Comments:

function prototypes match the latest component version

100% Compliance to the EA4 Static Analysis

Yes

Comments:

Compliance Guideline

fine

Are previously added justification and deviation

Yes

Comments:

comments still appropriate

Do all MISRA deviation comments use approved

Yes

Comments:

deviation tags

Cyclomatic complexity and Static path count OK

Creager, Kathleen: use Browse Function Metrics, STCYC and STPTH

Yes

Comments:

for all functions in the component per Design

and Coding Standards rule [N47]

General Notes / Comments:

Rule 21.1 Exception but validated to be fine

Change Owner:

Avinash James

Review Date :

04/05/16

Lead Peer Reviewer:

Selva Sengottaiyan

Approved by Reviewer(s):

Yes

Other Reviewer(s):