Professional Documents
Culture Documents
TSR Q&A Clarification Confirmation
TSR Q&A Clarification Confirmation
1 General NA NA
2 General NA NA
Diagnostic Fault
14 13.7.3.6 PCO_SW_3913
Management
Diagnostic Fault
15 13.7.3.6 PCO_SW_3915
Management
17 General NA NA
SM Signal Processor
(SPU) - Software
18 13.2.3 PCO_SW_3564
Based Self Test
(SBST)
Diagnostic Fault
19 13.7.3.6 PCO_SW_3922
Management
Radar Signal
20 13.7.3.7 Processing and PCO_SW_3926
Detections
SM Signal Processor
(SPU) - Software
21 13.2.3 PCO_SW_3557
Based Self Test
(SBST)
SM Signal Processor
(SPU) - Software
22 13.2.3 PCO_SW_5325
Based Self Test
(SBST)
SM Signal Processor
(SPU) - Software
23 13.2.3 PCO_SW_3560
Based Self Test
(SBST)
Power Supply
24 13.1.1.2.4 PCO_SW_3377
Configuration
Fault Signaling
25 13.1.1.3.3.1 PCO_SW_3378
Protocol
SM Signal Processor
(SPU) - Software
33 13.2.3 PCO_SW_3561
Based Self Test
(SBST)
36 13.7.3.1 Power-up PCO_SW_4146
PCO_SW_3859
41 13.7.3.1 Power-up
PCO_SW_3861
SM Signal Processor
(SPU) - Software PCO_SW_3563,
42 13.2.3 Based Self Test PCO_SW_3564
(SBST)
Time domain
48 13.7.7.4 PCO_SW_3968
Time domain
49 13.7.7.4 PCO_SW_3970
Time domain
50 13.7.7.4 PCO_SW_3971
Time domain
51 13.7.7.4 PCO_SW_3973
SM Safety Processor
- DFLASH Error
56 13.1.7.1 PCO_SW_3431
Correction Code
(ECC)
SM Safety Processor
57 13.1.4.1 - CPU - CRC PCO_SW_3400
Instruction
SM Safety Processor
58 13.1.4.1 - CPU - CRC PCO_SW_3404
Instruction
SM Safety Processor PCO_SW_3483
60 13.1.16 - PMS
SM Safety Processor
- PMS - Die
61 13.1.16.4 PCO_SW_3484
Temperature
Monitoring
SM Safety Processor
- PMS - Die
62 13.1.16.4 PCO_SW_3486
Temperature
Monitoring
SM Safety Processor
- PMS - Die
63 13.1.16.4 PCO_SW_3487
Temperature
Monitoring
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
Generic
The Core SW shall verify the correct CPU Bus MPU configuration,
after initial SW initialization and every subsequent configuration
change.
Note:
The definition of what a correct MPU should be is defined
elsewhere (e.g. SW Design Document).
The Core SW shall verify the correct CPU Bus MPU configuration,
after initial SW initialization and every subsequent configuration
change.
Safety Manual Aurix v0.8:
ESM[SW]:CPU:BUS_MPU_INITCHECK
Note:
The definition of what a correct MPU should be is defined
elsewhere (e.g. SW Design Document).
If the Core SW determines that the DMA error violates the safety,
the Core SW shall trigger an alarm.
The Core SW shall detect SPB protocol errors and provide an error
handler to respond with an appropriate safe state.
On power up, the Core SW shall initialize all GPIO pins to a known
state.
On Power-up, the Core SW shall verify that the FPI related safety
mechanisms are functional.
The Core SW shall configure the SMU in Core and Standby mode
to provide 1) responses to all configured alarms, 2)HW
redundancy, and 3)BIST functionality for SMU.
Note:
The possible reactions are:
None - log fault only
Safe Comm - disable communication except for diagnostics
Safe Silent - disable all communication
Safe Silent FSP - disable all communication and enable FSP
Safe Reset - perform an application reset
Generic
Description:
The SPU0 configuration registers
shall be stored before the SPUx test and restored after the SPUx
test.
Rationale:
SW should not publish wrong/misleading information. For
example, if core sw is reporting incorrect detection information
based on mounting position.
The Core SW shall generate a fault for the errors reported by the
SBST.
NOTE:
The Core SW will provide an error handler to disposition errors
reported by SBST.
At power on or reset, if any alarms are configured for FSP safe off
reactions by the application SW, then the FSP0 error pin shall be
re-configured to be an open drain FSP configuration driven high.
On power-up, the Core SW shall test the error out pin by doing the
following:
Reading back the state of the error out pin and verifying its state.
Toggling the state of the pin and verifying that the CAN Tx is
enabled/disabled accordingly.
The Core SW shall control and monitor the temporal program flow
for Core, Feature and Application SW (e.g. deadline monitoring
and run time budget monitoring for software parts relevant for
functional safety).
Description:
The EMEM: address range: 0x99000000 .. 0x9903FFFF, size: 256
KBytes shall be stored before the SPUx test and restored after the
SPUx test.
The Core SW shall evaluate the following conditions in order to
prove the MCU startup sequence executed correctly:
• for all CPU and LMU SRAM used by the Application, check that
MCi_FAULTSTS.OPERR[3] matches the corresponding setting of
PROCONRAM RAMINSEL and LMUINSEL bitfields.
ESM[SW]:SYS:MCU_FW_CHECK
The Core SW shall partition all available memory in the sensor into
the following regions:
SAFE_DATA (ASIL B)
CORE_DATA (ASIL B)
AFT_DATA (QM or ASIL B)
SHARED_DATA (QM or ASIL B)
The Core SW shall define the memory map for the sensor
(including Core, Feature and Application SW).
This includes.
Number of sections
Naming conventions
Access rights for each section
The Core SW shall monitor the cycle time and execution budget of
each periodic OS Task.
The Core SW shall publish the run time measurements via the
interfaces available.
The Core SW shall raise a timing fault if a task or ISR misses its
time deadline.
The Core SW shall calculate CRC for the EMEM data and store the
CRC value with the EMEM data.
Once per DIAGNOSTIC_INTERVAL, the Core SW shall execute the
Software Based Self Test (SBST) of the SPUs.
Rationale
The SPU Software Based Self Test (SBST) detects random hardware
faults in a non-lockstep SPU. SBST should be executed cyclically, at
least once in a diagnostic test interval. SBST is a non-destructive
test designed to preserve the state of the SPU, therefore SBST can
be used cyclically during runtime. SBST is a measure against
permanent faults to support the single point fault metric.
NOTE:
SMC[SW]:RIF:INIT_ERROR_HANDLING
NOTE:
The DFLASH with its TECQED ECC algorithm protects perfectly
against bit or bit-line oriented failures. The ECC mechanism does
not protect against wordline oriented failures.
NOTE:
If a task is not to access peripherals, the task should be configured
with CPU privilege level user mode 0 access protection. Tasks
configured for user mode 0 cannot enable or disable interrupts.
The Core SW shall generate a fault if the temperature difference
between the Aurix DIE temperature and the core temperature is
greater than 3degC.
Note CPU2 is a non-lockstep core and does not require lock step
processing enabled.
On start-up, as part of Radar Frontend initialization, the Core SW
shall enable the TX Power monitoring of the Radar Frontend for all
available TX channels.
NOTE:
This test is enabled using the
AWR_MONITOR_TX[n]_POWER_CONF_SB API.
The values for n = 0,1,2
Question Question date Raised by
Is Safe Silent mode nothing but a Stand By mode?
Please provide reference doc if available. 6/13/2018 Aditya Math
Need information regarding the Error Out Pin and its Modes
6/14/2018 Aditya Math
Req: Check CPU bus MPU configuration is correct or not.
Ques: for this memory mapping architecture is needed and how
to check particular memory region is protected or not.
6/18/2018 Jagadish
6/18/2018 Jagadish
7/2/2018 Jagadish
7/12/2018 Sowjanya
Design documents and source code not found for FPI Module(SM
Safety Processor - FPI) 7/16/2018 Suresh Chilumuri
Design documents and source code not found for FPI Module(SM
Safety Processor - FPI) 7/16/2018 Suresh Chilumuri
1) 'Design documents and source code not found for "HW
redundancy" and also for standby mode in PCO_SW_3457
7/17/2018 Ashwin
NA
7/17/2018 Ashwin
NA
7/17/2018 Ashwin
7/19/2018 Ashwin
7/18/2018 Sowjanya
7/18/2018 Sowjanya
7/19/2018 Ashwin
7/18/2018 Sowjanya
7/18/2018 Sowjanya
Function Call for Error out pin config is not implemented at the
Start Up
7/6/2018 Aditya Math
Please provide CAN database which handles the error out pin
enable/disable
7/18/2018 Sowjanya
3rd point-- SCU_LCLCONx.Lsy is just defined no where called and
no function definition
7/25/2018 Jagadish
7/25/2018 Jagadish
ESM[SW]:EMEM:INIT_EMEM' is a changed to
'ESM[SW]:EMEM:READ_CONFIGURATION' in AURIX TC3xx Safety
Manual v0.9. 'ESM[SW]:EMEM:INIT_EMEM' has its own
discripton in 'AURIX TC3xx Safety Manual v0.8'. Since both are
separate requirements mentioned in doors but according to AURIX 7/12/2018 Vishal
TC3xx Safety Manual v0.9 both are same so what shall we
consider here?
8/1/2018 Sowjanya
7/6/2018 Jagadish
generic requirement
7/12/2018 jagadish
Code is not implemented for checking the difference between the
temperature values
C:\Sandbox\Checkpoints\Tricore\Cor
e_Library_20.10\SW\Common\Suppli
ed_SW\ILLD\iLLD_1_0_1_4_0_TC39B
\Src\BaseSw\iLLD\TC39B\Tricore\Sm HW redundancy is due to the 2 SMUs: Core & 8/14/2018
u\Smu Standby
C:\Sandbox\Checkpoints\Tricore\Cor
e_Library_20.10\SW\Core_SW\Diagn
ostic_Manager\source
(TestGuardian.c)
[SA] Is this status for the SPU SBST? The code is 8/29/2018
currently in collaborator review.
C:\Sandbox\Checkpoints\Tricore\Cor
e_Library_20.10\SW\Core_SW\Diagn
ostic_Manager\source
(TestGuardian.c)
C:\Sandbox\Checkpoints\Tricore\Cor
e_Library_20.10\SW\Core_SW\Diagn Please look at Test Guardian Code and design 7/30/2018
ostic_Manager\source document. Safe Silent = Safe CAN OFF
(TestGuardian.c)
No design documents and code [SA] SME marked requirement obsolete. 8/29/2018
No design documents and code [SA] SME marked requirement obsolete. 8/29/2018
No design documents and code [SA] This requirement is in TBC state. 8/29/2018
[SA] DTS and DTSC limits are set at -42 & 146 deg
C. If temperature exceeds these limits, SMU
alarm will be generated. Code is currently in 8/29/2018
review and expected to be checked in PTC by end
of this week.
ref: aurix 2.5.1 and Os_StartCores.c This should be marked redundant as it will be 7/30/2018
file covered in 4146.
ref: aurix 2.5.1 and Os_StartCores.c This should be marked obsolete. Lockstep is
enabled by Aurix Startup SW (aka its Firmware), 7/30/2018
file which is not our SW development responsibility.
File Neme:
AWR1xxx_Radar_Interface_Control.p
df
Answered by State Comment
Vijayalaxmi Closed NA
Vijayalaxmi Closed NA
Nagamani Closed NA
1)Core and Standby are they Core running and core stand
by mode?
2)How to achieve HW redundancy ?Need code and
Satyajit Open design implementation status?
Adhyapak Satyajit: There are two SMU's one is main(core) SMU,
stand by SMU. Need to check whether stand by SMU is
working fine when main SMU is faulty
Satyajit Closed NA
Adhyapak
Need to test for all faults with all events or testing few
Satyajit Closed faults are sufficient?
Adhyapak 9/5/2018 Viji : Requirement marked as Non-Functional.
Need to test for all asserts ws or testing few asserts are
Satyajit sufficient?
Closed
Adhyapak Nagamani: need to make it as non-functional requriment
9/5/2018 Viji : Requirement marked as Non-Functional.
Satyajit Closed NA
Adhyapak
Please confirm with Jack
Satyajit Closed 9/5/2018 Viji : Requirement in 'To Be Clarified' state.
Adhyapak Hence will not be verified.
Satyajit Closed NA
Adhyapak
Satyajit Closed NA
Adhyapak
Satyajit
Open
Adhyapak
Open NA
Satyajit Closed NA
Adhyapak
14
Requirement
If the indictated power supply mode configuration does not match the flag
settings (identified by PMSWSTAT.HWCFGEVR status flags), the system shall
transition to safe-silent.
On power-up, the Core SW shall test the error out pin by doing the
following:
Reading back the state of the error out pin and verifying its state.
Toggling the state of the pin and verifying that the CAN Tx is
enabled/disabled accordingly.
On power up, during initialization, the Core SW shall verify that the CPU
CRC instruction is functioning correctly using a known test data vector
NOTE:
If a task is not to access peripherals, the task should be configured with
CPU privilege level user mode 0 access protection. Tasks configured for
user mode 0 cannot enable or disable interrupts.
The Core SW shall control and monitor the functional program sequence
for safety-relevant software parts.
The Core SW shall control and monitor the temporal program flow for
Core, Feature and Application SW (e.g. deadline monitoring and run time
budget monitoring for software parts relevant for functional safety).
The Core SW shall verify that data transmission between the software
components on different cores/tasks is safe (i.e., Errors in data
transmission are detected) and in accordance with the ASIL classification
of the data being transmitted.
SAFE_DATA (ASIL B)
CORE_DATA (ASIL B)
AFT_DATA (QM or ASIL B)
SHARED_DATA (QM or ASIL B)
Note: Due to safety concerns, the application and feature teams have a
predefined memory allocation
The Core SW shall publish the run time measurements via the interfaces
available.
Question
Requirement is not implemented. The Start Up CSC should call the IfxPMS
Please provide CAN database which handles the error out pin
enable/disable
Please provide more information on the deadline monitoring and run time
budget monitoring.
[SA] Requirement in under SME review and bound to change. FYI, test
vector can be any data set for wich the CRC value is known.
[SA] Based on the new safety manual V0.9, the temperature difference is
9degC. Code is currently implemented and checked into PTC under
diag_temp_monitor.c