Explanation of Error Handling on Application Level, AUTOSAR R22-11, CP, No.378
AUTOSARは、ISO、IEC、ITUと情報交換契約を結んでいません。
AUTOSAR文書には、ISO、IEC,ITU記述を全文引用することはできません。
WTO/TBT協定に基づき、国際的な調達は国際規格との差異を記述することにより文化依存しない仕様を目指します。
ISO、IEC、ITU文書を合わせて読むと技術内容は理解できます。
CAN、OSEK/VDX OS、DIAGは、ISO定義を先に確認しましょう。
OSEK COM、OSEK NMなどはISOの規定から基本的な部分で定義を変えています。
変更している部分を仕様等で明記するか、ISOを改定するとよいでしょう。
AUTOSARの参考文献欄の改定が進んでいません。
Glossary用語定義の網羅性が低いです。
本文を読む前に確認するとよいかもしれません。
本文を読んでから確認してもよいかもしれません。
AUTOSARが、2022年の版、R22-11公開しました。公開行事の模様は
AUTOSAR R22-11 Release Event 20221208
下記URL順次確認中です。
間違っていたら、いいね を押していただいて、コメント欄にご報告くださると幸いです。
編集リクエストが、構造的な変更をしている最中に、構造的な編集リクエストをしていただくと、
何をどう直したらいいかわからなくなってしまいます。自動修復ツールがつくれていません。ごめんなさい。
文書は検索してダウンロードすることができます。
クラウドサービスにありがちな、あるのにないかのような検索結果が出ることがあります。
要求/仕様(Requirement and Specification)
一覧
AUTOSAR R22-11 Classic Platform 一覧はこちら。
Classic Platform Release Overview, AUTOSAR R22-11, CP, No.0(2)
AUTOSAR R22-11 マラソン
Qiitaの記事の一覧は作成中です。
AUTOSAR R22-11 一覧(2)
Abstract Platformとの関係
Test, Error, Log and TraceをSW-C、BSWについて統合し、Adaptive Platformと共通化。
<この項は書きかけです。順次追記します。>
文書変更(Document Change)
• Editorial changes:
– Document converted from Word to LaTeX.
– Document structure adjusted to the standard.
用語(terms)
Term | Description |
---|---|
dependability | The term dependability is defined as “the trustworthiness of a system such that reliance can justifiably be placed on the service it provides”. This means that a dependable system is one upon which the user (either human or non-human) can place its trust in that the services provided by the system are correct. The dependability of a system is characterized by a set of attributes, compromised by a set of impairments, and achieved and analyzed by a set of means. |
Detection | The crucial first step in handling a fault is of course to become aware that it has occurred. Without this detection, no further activities can be performed. When it comes to detection, the original fault is often very hard to detect. What can be detected are the effects of the fault, that is, errors. These are detected by monitoring the state of the system. Errors can manifest in different ways. The main manifestations are 1. erroneous values in the system (data errors), 2. erroneous execution time (timing errors), 3. erroneous sequence or execution order (program flow errors). 4. erroneous access to system resources, such as memory Errors may propagate and generate consecutive faults which in turn may result in new errors, e.g., an erroneous data value is used as a pointer and causes a memory access violation, which may create an erroneous value in another data value if a value is written to the erroneous memory location. Most mechanisms used for detection of errors allows the system to perform some action to find out more regarding the source of the error (isolation) and to issue corrective or compensating actions (recovery). Ideally, detection is done before the error has propagated any further, thus making it possible to stop further propagation. However, in most cases additional recovery actions are needed, such as stopping the offending component or reconfiguring to alternate functionality. |
Isolation | Once a fault (or error) has been successfully detected, damage assessment and damage control needs to be performed, i.e. there is a need for isolation. During isolation, efforts are made to find the root cause for the erroneous state in the system, and information (e.g. regarding the spread and cause of the error) is gathered for subsequent use during error recovery. It may not always be possible (or practical) to find the root cause of the erroneous state. Note that isolation in this document refers to isolating the source of the errors, such that recovery is possible. It does not refer to isolation of specific components of a system with the purpose of stopping errors from propagating. In a sense, the word identification may have been a better choice, but as the commonly used word in descriptions of the FDIR process is isolation we will use it here. |
Recovery | When the isolation is complete, recovery actions will be initiated. These actions aim at transferring the system into a controlled state, which can be a completely recovered state where nominal service is provided, or a safe degraded state where a limited or no service is provided. The better the isolation results are, the better the recovery actions can perform. If recovery is not successful, a failure may occur, i.e., the system is in an uncontrolled state and its service is not defin |
英日
日本語は仮訳
T.B.D.
参考(reference)
[1] Software Component Template
AUTOSAR_TPS_SoftwareComponentTemplate
[2] Specification of RTE
AUTOSAR_SWS_RTE
[3] Specification of Operating System
AUTOSAR_SWS_OS
[4] Specification of Communication
AUTOSAR_SWS_COM
[5] Specification of Communication Manager
AUTOSAR_SWS_COMManager
[6] Specification of Diagnostic Communication Manager
AUTOSAR_SWS_DiagnosticCommunicationManager
[7] Specification of ECU State Manager
AUTOSAR_SWS_ECUStateManager
[8] Specification of Function Inhibition Manager
AUTOSAR_SWS_FunctionInhibitionManager
[9] Specification of Diagnostic Event Manager
AUTOSAR_SWS_DiagnosticEventManager
[10]Specification of Watchdog Manager
AUTOSAR_SWS_WatchdogManager
[11]Specification of NVRAM Manager
AUTOSAR_SWS_NVRAMManager
[12]Specification of CRC Routines
AUTOSAR_SWS_CRCLibrary
[13]Specification of Crypto Service Manager
AUTOSAR_SWS_CryptoServiceManager
[14]Specification of Basic Software Mode Manager
AUTOSAR_SWS_BSWModeManager
[15]General Requirements on Basic Software Modules
AUTOSAR_SRS_BSWGeneral
[16]Glossary, AUTOSAR_TR_Glossary
https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_TR_Glossary.pdf
[17]Layered Software Architecture
AUTOSAR_EXP_LayeredSoftwareArchitecture
[18]Specification of SW-C End-to-End Communication Protection Library
AUTOSAR_SWS_E2ELibrary
[19]Specification of Module Core Test Driver
AUTOSAR_SWS_CoreTest
[20]Specification of Flash Test
AUTOSAR_SWS_FlashTest
[21]Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, and Carl Landwehr, “Basic Concepts and Taxonomy of Dependable and Secure Computing”, IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, January-March, 2004
[22]Jim Gray, “Why Do Computers Stop and What Can We Do About It”, Technical
Report TR 85.5, Tandem, 1985.
[23]ISO 26262:2018 (all parts) - Road vehicles - Functional Safety
http://www.iso.org
[24]EASIS Deliverable D1.2-8, “Fault management framework
http://www.easis-online.org
関連文書(Related document)
2023年1月 記事数一覧
年末100記事を30点に仕上げる。
2023 書き初め
「はじめてのCAN/CANFD 」 ベクタージャパン <エンジニア夏休み企画>【読書感想文】
三方良し Udemy 車載LAN入門講座 CAN通信編
詳解 車載ネットワーク CAN, CAN FD, LIN, CXPI, Ethernetの仕組みと設計のために(1) 著者 <エンジニア夏休み企画 読書感想文>
詳解 車載ネットワーク CAN, CAN FD, LIN, CXPI, Ethernetの仕組みと設計のために(2)参考文献 <エンジニア夏休み企画>【読書感想文】
詳解 車載ネットワーク CAN、CAN FD、LIN、CXPI、Ethernetの仕組みと設計のために
AUTOSAR Abstract Platform User Group Weekly Report(1) 2022.1.8
AUTOSAR Abstract Platform User Group Weekly Report(2) 2022.1.15
202304 URL更新
Explanation of Error Handling on Application Level, AUTOSAR 378, R22-11, CP, 20230421
<この記事は個人の過去の経験に基づく個人の感想です。現在所属する組織、業務とは関係がありません。>
文書履歴(document history)
ver. 0.01 初稿 20230121
ver. 0.02 ありがとう追記 20230624
最後までおよみいただきありがとうございました。
いいね 💚、フォローをお願いします。
Thank you very much for reading to the last sentence.
Please press the like icon 💚 and follow me for your happy life.