Explanation of Error Handling on Application Level, No.378, 2021-11
AUTOSAR R21-11記事一覧はこちら。
AUTOSAR 21-11,160文書読んだ。2022年5月中に全部読み。
AUTOSAR 21-11, 62文書読んだ。2022年5月中に半分到達予定。
AUTOSAR R21-11(0) 仕様ダウンロード一覧。単語帳。参考文献資料作成
用語(terms)
| Term | Description |
|---|---|
| dependability | The term dependability is defined as “the trustworthiness of a system such that reliance can justifiably be placed on the service it provides”. This means that a dependable system is one upon which the user (either human or non-human) can place its trust in that the services provided by the system are correct. The dependability of a system is characterized by a set of attributes, compromised by a set of impairments, and achieved and analyzed by a set of means. |
| Detection | The crucial first step in handling a fault is of course to become aware that it has occurred. Without this detection, no further activities can be performed. When it comes to detection, the original fault is often very hard to detect. What can be detected are the effects of the fault, that is, errors. These are detected by monitoring the state of the system. Errors can manifest in different ways. The main manifestations are 1. erroneous values in the system (data errors), 2. erroneous execution time (timing errors), 3. erroneous sequence or execution order (program flow errors). 4. erroneous access to system resources, such as memory Errors may propagate and generate consecutive faults which in turn may result in new errors, e.g., an erroneous data value is used as a pointer and causes a memory access violation, which may create an erroneous value in another data value if a value is written to the erroneous memory location. Most mechanisms used for detection of errors allows the system to perform some action to find out more regarding the source of the error (isolation) and to issue corrective or compensating actions (recovery). Ideally, detection is done before the error has propagated any further, thus making it possible to stop further propagation. However, in most cases additional recovery actions are needed, such as stopping the offending component or reconfiguring to alternate functionality. |
| Isolation | Once a fault (or error) has been successfully detected, damage assessment and damage control needs to be performed, i.e. there is a need for isolation. During isolation, efforts are made to find the root cause for the erroneous state in the system, and information (e.g. regarding the spread and cause of the error) is gathered for subsequent use during error recovery. It may not always be possible (or practical) to find the root cause of the erroneous state. Note that isolation in this document refers to isolating the source of the errors, such that recovery is possible. It does not refer to isolation of specific components of a system with the purpose of stopping errors from propagating. In a sense, the word identification may have been a better choice, but as the commonly used word in descriptions of the FDIR process is isolation we will use it here. |
| Recovery | When the isolation is complete, recovery actions will be initiated. These actions aim at transferring the system into a controlled state, which can be a completely recovered state where nominal service is provided, or a safe degraded state where a limited or no service is provided. The better the isolation results are, the better the recovery actions can perform. If recovery is not successful, a failure may occur, i.e., the system is in an uncontrolled state and its service is not defin |
英日
日本語は仮訳
T.B.D.
参考(reference)
[1] Software Component Template
AUTOSAR_TPS_SoftwareComponentTemplate
[2] Specification of RTE
AUTOSAR_SWS_RTE
[3] Specification of Operating System
AUTOSAR_SWS_OS
[4] Specification of Communication
AUTOSAR_SWS_COM
[5] Specification of Communication Manager
AUTOSAR_SWS_COMManager
[6] Specification of Diagnostic Communication Manager
AUTOSAR_SWS_DiagnosticCommunicationManager
[7] Specification of ECU State Manager
AUTOSAR_SWS_ECUStateManager
[8] Specification of Function Inhibition Manager
AUTOSAR_SWS_FunctionInhibitionManager
[9] Specification of Diagnostic Event Manager
AUTOSAR_SWS_DiagnosticEventManager
[10]Specification of Watchdog Manager
AUTOSAR_SWS_WatchdogManager
[11]Specification of NVRAM Manager
AUTOSAR_SWS_NVRAMManager
[12]Specification of CRC Routines
AUTOSAR_SWS_CRCLibrary
[13]Specification of Crypto Service Manager
AUTOSAR_SWS_CryptoServiceManager
[14]Specification of Basic Software Mode Manager
AUTOSAR_SWS_BSWModeManager
[15]General Requirements on Basic Software Modules
AUTOSAR_SRS_BSWGeneral
[16]Glossary, AUTOSAR_TR_Glossary
https://www.autosar.org/fileadmin/standards/foundation/21-11/AUTOSAR_TR_Glossary.pdf
[17]Layered Software Architecture
AUTOSAR_EXP_LayeredSoftwareArchitecture
[18]Specification of SW-C End-to-End Communication Protection Library
AUTOSAR_SWS_E2ELibrary
[19]Specification of Module Core Test Driver
AUTOSAR_SWS_CoreTest
[20]Specification of Flash Test
AUTOSAR_SWS_FlashTest
[21]Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, and Carl Landwehr, “Basic Concepts and Taxonomy of Dependable and Secure Computing”, IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, January-March, 2004
[22]Jim Gray, “Why Do Computers Stop and What Can We Do About It”, Technical
Report TR 85.5, Tandem, 1985.
[23]ISO 26262:2018 (all parts) - Road vehicles - Functional Safety
http://www.iso.org
[24]EASIS Deliverable D1.2-8, “Fault management framework
http://www.easis-online.org