diff --git a/docs/features/frameworks/feo/requirements/feature_req.rst b/docs/features/frameworks/feo/requirements/feature_req.rst index eae28fba8fb..6e2aec0b9c4 100644 --- a/docs/features/frameworks/feo/requirements/feature_req.rst +++ b/docs/features/frameworks/feo/requirements/feature_req.rst @@ -174,7 +174,7 @@ Supervision :reqtype: Functional :security: NO :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data + :satisfies: stkh_req__dependability__safety_features_1, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data :status: valid The framework shall provide the functionality to enable the reporting of @@ -186,7 +186,7 @@ Supervision :reqtype: Functional :security: NO :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data + :satisfies: stkh_req__dependability__safety_features_1, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data :status: valid The framework shall provide the functionality to enable the reporting of @@ -198,7 +198,7 @@ Supervision :reqtype: Functional :security: NO :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data + :satisfies: stkh_req__dependability__safety_features_1, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data :status: valid The framework shall provide the functionality to enable the reporting of 
@@ -210,7 +210,7 @@ Supervision :reqtype: Functional :security: NO :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data + :satisfies: stkh_req__dependability__safety_features_1, stkh_req__app_architectures__support_time, stkh_req__app_architectures__support_data :status: valid The framework shall provide mechanisms to check after the computation of @@ -228,7 +228,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_4, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid If the primary process receives a termination signal, it shall call the shutdown @@ -242,7 +242,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_4, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid If not all secondary processes connect to the primary in time, the primary shall terminate itself. @@ -254,7 +254,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_4, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid If an error occurs during the execution of a startup function, the primary process shall abort calling 
@@ -268,7 +268,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_4, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid During initialization (i.e. in the startup function of an activity), activities shall check for resource allocation @@ -280,7 +280,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_1, stkh_req__dependability__safety_features_4, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid If a timeout occurs during startup, stepping or shutdown of an activity, the primary process shall shutdown all @@ -292,7 +292,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_4, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid If not all activities reach their initialized state within a certain period of time (startup timeout), 
@@ -304,7 +304,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_1, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid If an activity fails in the step function, the primary process shall call shutdown for all activities @@ -316,7 +316,7 @@ Error Handling for S-CORE v0.5 :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes + :satisfies: stkh_req__dependability__safety_features_4, stkh_req__dependability__availability, stkh_req__execution_model__processes :status: valid If an activity fails in the shutdown function, the primary process shall shutdown all remaining activities diff --git a/docs/features/lifecycle/index.rst b/docs/features/lifecycle/index.rst index c04727f8c3d..d31efc30233 100644 --- a/docs/features/lifecycle/index.rst +++ b/docs/features/lifecycle/index.rst @@ -87,7 +87,7 @@ The Lifecycle feature addresses the following stakeholder requirements: • :need:`stkh_req__functional_req__file_based`: Modular configuration file support allowing changes without rebuilding software, enabling flexible system setup and module management -• :need:`stkh_req__dependability__safety_features`: Implementation of monitoring safety mechanisms +• :need:`stkh_req__dependability__safety_features_1`: Implementation of monitoring safety mechanisms A second task of the lifecycle system is to supervise the aliveness of the processes, which are started and to initiate appropriate actions in case of a failure, which might result in many cases in a change of the operting mode. 
diff --git a/docs/features/lifecycle/requirements/index.rst b/docs/features/lifecycle/requirements/index.rst index 1bc38b5ec39..dafb06a0a8b 100644 --- a/docs/features/lifecycle/requirements/index.rst +++ b/docs/features/lifecycle/requirements/index.rst @@ -169,7 +169,7 @@ Launching Processes :reqtype: Functional :security: NO :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features + :satisfies: stkh_req__dependability__safety_features_4 :status: invalid The :term:`Launch Manager` shall provide support to be started with security @@ -214,7 +214,7 @@ Launching Processes :reqtype: Functional :security: NO :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features + :satisfies: stkh_req__dependability__safety_features_4 :status: invalid The :term:`Launch Manager` shall provide support for launching a process with a @@ -259,7 +259,7 @@ Launching Processes :reqtype: Functional :security: NO :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features + :satisfies: stkh_req__dependability__security_features :status: invalid The :term:`Launch Manager` shall provide support for launching process with diff --git a/docs/features/persistency/requirements/index.rst b/docs/features/persistency/requirements/index.rst index a60974d0420..179eb8f8f6e 100644 --- a/docs/features/persistency/requirements/index.rst +++ b/docs/features/persistency/requirements/index.rst @@ -459,7 +459,7 @@ Requirements :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features + :satisfies: stkh_req__dependability__safety_features_11 :status: valid The Persistency shall support the development mode. @@ -470,7 +470,7 @@ Requirements :reqtype: Functional :security: YES :safety: ASIL_B - :satisfies: stkh_req__dependability__safety_features + :satisfies: stkh_req__dependability__safety_features_11 :status: valid The Persistency shall support the production mode. 
diff --git a/docs/modules/os/operating_systems/docs/community/autosd.rst b/docs/modules/os/operating_systems/docs/community/autosd.rst index dd3697ffcb1..b7eeec3a9f8 100644 --- a/docs/modules/os/operating_systems/docs/community/autosd.rst +++ b/docs/modules/os/operating_systems/docs/community/autosd.rst @@ -17,7 +17,6 @@ :security: YES :safety: QM :status: valid - :implements: aou_req__platform__integration_assistance, aou_req__platform__os_integration_manual, aou_req__platform__bug_interface AutoSD ###### @@ -79,7 +78,7 @@ Sample usage: .. code:: bash export OCI_IMAGE=localhost/score:latest - export AIB_DISTRO=autosd10-sig + export AIB_DISTRO=autosd10-sig aib build-builder --distro ${AIB_DISTRO} aib build --target qemu --distro ${AIB_DISTRO} image.aib.yml ${OCI_IMAGE} @@ -97,7 +96,7 @@ You can then replace the usage of "aib" with "auto-image-builder.sh" (requires s .. code:: bash export OCI_IMAGE=localhost/score:latest - export AIB_DISTRO=autosd10-sig + export AIB_DISTRO=autosd10-sig # set the container storage to the local "_builder" directory to avoid permissions issues export AIB_LOCAL_CONTAINER_STORAGE=$PWD/_build/containers-storage @@ -139,16 +138,16 @@ Sample usage (MODULE.bazel file): module_name = "os_autosd", path = "/path/to/inc_os_autosd/" ) - + bazel_dep(name = "os_autosd", version = "1.0.0") - + # Configure AutoSD 9 GCC toolchain autosd_10_gcc = use_extension("@os_autosd//toolchain/autosd_10_gcc:extensions.bzl", "autosd_10_gcc_extension") autosd_10_gcc.configure( c_flags = ["-Wall", "-Wno-error=deprecated-declarations", "-Werror", "-fPIC"], cxx_flags = ["-Wall", "-Wno-error=deprecated-declarations", "-Werror", "-fPIC"], ) - + use_repo(autosd_10_gcc, "autosd_10_gcc_repo") register_toolchains("@autosd_10_gcc_repo//:gcc_toolchain_linux_x86_64") diff --git a/docs/requirements/platform_assumptions/index.rst b/docs/requirements/platform_assumptions/index.rst index 4eccadb97c9..51554d28adb 100644 --- a/docs/requirements/platform_assumptions/index.rst 
+++ b/docs/requirements/platform_assumptions/index.rst @@ -296,7 +296,7 @@ In this section assumptions are described which need to be fulfilled by the appl Note1: Reasons for not needing program flow monitoring could be an OS scheduler with timing and execution guarantees. Or that in case of non/late execution of the application the safety integrity of the system is not affected. - Note2: The SW-Platform supports this - see :need:`stkh_req__dependability__safety_features` "live, deadline, logical supervision" + Note2: The SW-Platform supports this - see :need:`stkh_req__dependability__safety_features_1` Assumptions on Safety System ---------------------------- @@ -310,9 +310,15 @@ In this section assumptions are described which need to be fulfilled by the syst :safety: ASIL_B :status: valid - If the system using the SW-platform has safety goals, the system shall provide state-of-the art hardware safety mechanisms. + If the system using the SW-platform has safety goals, the system shall provide state-of-the art hardware safety mechanisms, namely - Note1: A selection of hardware safety mechanisms is collected in :need:`stkh_req__dependability__safety_features` + - :need:`stkh_req__dependability__safety_features_3` + - :need:`stkh_req__dependability__safety_features_4` + - :need:`stkh_req__dependability__safety_features_5` + - :need:`stkh_req__dependability__safety_features_6` + - :need:`stkh_req__dependability__safety_features_7` + - :need:`stkh_req__dependability__safety_features_8` + - :need:`stkh_req__dependability__safety_features_10` Note2: These safety mechanisms are mostly OS/Hypervisor/HW specific, so the system integrator can only expect S-CORE support for the reference OS/Hypervisor/HW combination. 
@@ -325,7 +331,7 @@ In this section assumptions are described which need to be fulfilled by the syst If the system using the SW-platform has safety goals, the system shall provide an external health management element which is able to initiate a safe system state. - Note: This can be an "External Hardware Watchdog" + Note: This can be an "External Hardware Watchdog" and/or "Voltage Moditoring" (see :need:`stkh_req__dependability__safety_features_10`) .. aou_req:: Process Isolation :id: aou_req__platform__process_isolation @@ -346,7 +352,7 @@ In this section assumptions are described which need to be fulfilled by the syst If the system using the SW-platform has safety goals, the used os module shall offer the following safety related functions: - - configuration of HW safety mechanisms as in :need:`stkh_req__dependability__safety_features` + - configuration of HW safety mechanisms as in :need:`aou_req__platform__hardware_safety` - startup of OS - loading and starting of processes - management and restriction of process privileges diff --git a/docs/requirements/stakeholder/index.rst b/docs/requirements/stakeholder/index.rst index 52eebb53bec..26075a6921b 100644 --- a/docs/requirements/stakeholder/index.rst +++ b/docs/requirements/stakeholder/index.rst 
@@ -250,30 +250,149 @@ Dependability Note: This is part of 0.5 release and therefore can only support ASIL_B. Goal is ASIL_D. -.. stkh_req:: Safety features - :id: stkh_req__dependability__safety_features +.. stkh_req:: Health Management + :id: stkh_req__dependability__safety_features_1 :reqtype: Functional :security: YES :safety: ASIL_B - :rationale: There are state-of-the-art safety mechanisms to check HW and SW errors. These are expected to be supported either by the SW-platform alone or by using HW or OS provided safety features. + :rationale: Safety applications may have systematical errors which lead to violations in the control flow. :status: valid :tags: safety_mechanism :valid_from: v1.0.0 - The SW-platform shall support the following safety feature: + The SW-platform shall implement Health Management (alive, deadline, logical supervision) for time and event based taskchains - * Health Management (alive, deadline, logical supervision) for time and event based taskchains - * E2E Protection for communication - * Built-in hardware self-tests - * Safe reset paths - * IO MMU protecting DMA accesses - * Memory Management Unit - * Memory Protection Unit for caches - * ECC Memory - * Software Lockstep - * Power management integrated circuit (PMIC), external watchdog and voltage monitoring - * Safe switch from engineering to field mode and back +.. stkh_req:: E2E Protection + :id: stkh_req__dependability__safety_features_2 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: ECU external communication is using QM rated SW and HW which may currupt messages. + :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall implement E2E Protection for communication + +.. stkh_req:: HW Self-Test + :id: stkh_req__dependability__safety_features_3 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: The processing HW used by the SW platform may have errors affecting computing, data and control flow. 
+ :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall support Built-in hardware self-tests + + Note: Support means here that a functionality offered by external SW (e.g. an OS) or HW may need to be configured and used. + +.. stkh_req:: Safe Startup and Reset + :id: stkh_req__dependability__safety_features_4 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: During startup and shutdown specific errors may occurr (e.g. inintialization errors due to insufficient resources). + :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall implement Safe startup and reset paths + +.. stkh_req:: DMA Protection + :id: stkh_req__dependability__safety_features_5 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: DMA function usually grants also QM HW direct access to memory. + :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall support IO MMU protecting DMA accesses + + Note: Support means here that a functionality offered by external SW (e.g. an OS) or HW may need to be configured and used. + +.. stkh_req:: Memory Protection + :id: stkh_req__dependability__safety_features_6 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: ASIL SW components memory may be corrupted by QM SW components if those are located on the the same physical memory. + :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall support Memory Management Unit + + Note: Support means here that a functionality offered by external SW (e.g. an OS) or HW may need to be configured and used. + +.. stkh_req:: Cache Protection + :id: stkh_req__dependability__safety_features_7 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: ASIL SW components memory may be corrupted by QM SW components if those are located on the the same physical memory. 
+ :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall support Memory Protection Unit for caches + + Note: Support means here that a functionality offered by external SW (e.g. an OS) or HW may need to be configured and used. + +.. stkh_req:: Memory Error Correction + :id: stkh_req__dependability__safety_features_8 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: HW errors may occurr on the memory (e.g. bitflips caused by radiation) + :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall support ECC Memory + + Note: Support means here that a functionality offered by external SW (e.g. an OS) or HW may need to be configured and used. + +.. stkh_req:: SW Lockstep + :id: stkh_req__dependability__safety_features_9 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: Computing HW may suffer from systematic or random HW errors. + :status: valid + :tags: safety_mechanism + :valid_from: v2.0.0 + + The SW-platform shall implement Software Lockstep + +.. stkh_req:: External Supervision + :id: stkh_req__dependability__safety_features_10 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: The SW platform may run on malfunctioning HW (e.g. by undervoltage) which prevents from own error detection and recovery. + :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + + The SW-platform shall support Power management integrated circuit (PMIC), external watchdog and voltage monitoring + + Note: Support means here that a functionality offered by external SW (e.g. an OS) or HW may need to be configured and used. + +.. 
stkh_req:: Safe Mode Switch + :id: stkh_req__dependability__safety_features_11 + :reqtype: Functional + :security: YES + :safety: ASIL_B + :rationale: It is expected that the SW platform is used in systems in having engineering (development) modes and field (customer) modes, where engineering modes may allow functionality which is unsafe. + :status: valid + :tags: safety_mechanism + :valid_from: v1.0.0 + The SW-platform shall implement Safe switch from engineering to field mode and back .. stkh_req:: SW-platform error reaction :id: stkh_req__dependability__error_reaction @@ -356,7 +475,7 @@ Dependability Note1: Reasons for not needing program flow monitoring could be an OS scheduler with timing and execution guarantees. Or that the non/late execution of the application keeps the system in a safe state. - Note2: The SW-Platform supports this - see :need:`stkh_req__dependability__safety_features` "live, deadline, logical supervision" + Note2: The SW-Platform supports this - see :need:`stkh_req__dependability__safety_features_1` "live, deadline, logical supervision" .. stkh_req:: Availability @@ -1232,7 +1351,7 @@ Requirements Engineering Safety Mechanisms ----------------- -The following stakeholder requirements are assumed to be fulfilled by a safety mechanism due to complexity of the realizing +The following stakeholder requirements describe the assumed safety mechanisms which are needed due to complexity of the realizing SW element(s) or due to dependency on HW. This is confirmed during safety analysis of the derived feature requirements and architecture. .. needtable:: Expected Safety Mechanisms
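Review bot: in the hunk at @@ -169,7 of docs/features/lifecycle/requirements/index.rst, the requirement whose text reads "The :term:`Launch Manager` shall provide support to be started with security" is remapped to `stkh_req__dependability__safety_features_4` (Safe Startup and Reset), while the structurally identical Launch Manager hunk at @@ -259,7 is mapped to `stkh_req__dependability__security_features`. If the -169 requirement describes a security property, as its text suggests, it should link to the security stakeholder need too (or in addition), or the body should say why startup safety is the intended link; as it stands the two hunks treat the same kind of requirement differently.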
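Review bot: the hunk at @@ -259,7 in docs/features/lifecycle/requirements/index.rst points `:satisfies:` at `stkh_req__dependability__security_features`, an ID this patch neither defines nor touches anywhere else; confirm it exists in docs/requirements/stakeholder/index.rst, otherwise the needs build will report a dangling link. The same requirement still carries `:security: NO`, which contradicts satisfying a security stakeholder requirement; set `:security: YES` there or choose a safety need instead.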
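Review bot: the hunk at @@ -87,7 in docs/features/lifecycle/index.rst lists only `stkh_req__dependability__safety_features_1` as an addressed stakeholder requirement, but the lifecycle requirement hunks in this same patch map Launch Manager requirements to `stkh_req__dependability__safety_features_4` and `stkh_req__dependability__security_features`. Add those to the bullet list so the feature overview agrees with the requirement traceability. The unchanged context line just below ("change of the operting mode") also has "operting" for "operating"; worth fixing while the file is open.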
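Review bot: the hunk at @@ -17,7 in docs/modules/os/operating_systems/docs/community/autosd.rst deletes the line `:implements: aou_req__platform__integration_assistance, aou_req__platform__os_integration_manual, aou_req__platform__bug_interface` with no replacement, silently dropping the AutoSD module's links to the platform assumptions. Nothing else in the patch renames or removes those three aou_req IDs, so either keep the line or explain in the commit message why the links are being cut; any table built from `:implements:` will otherwise show AutoSD as implementing nothing.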
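Review bot: the hunk at @@ -139,16 in autosd.rst only strips trailing whitespace from three blank lines (as do the @@ -79 and @@ -97 hunks on the `export AIB_DISTRO=autosd10-sig` lines), which is fine, but the unchanged comment in its context, `# Configure AutoSD 9 GCC toolchain`, sits directly above `autosd_10_gcc = use_extension("@os_autosd//toolchain/autosd_10_gcc:extensions.bzl", "autosd_10_gcc_extension")`. Since the block is being touched anyway, correct the comment to AutoSD 10 so it matches the toolchain actually configured.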
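Review bot: in the hunk at @@ -310,9 of docs/requirements/platform_assumptions/index.rst, the new list under the hardware safety assumption names `safety_features_3` to `_8` and `_10` but skips `_9` (SW Lockstep) together with `_1`, `_2` and `_11`; that matches the split, where those four are "implement" requirements on the SW platform rather than HW mechanisms, but a short note saying so would stop the next reader from reading the gap in the numbering as an omission. Also, with `Note1:` deleted the surviving `Note2:` in this hunk has no partner and should become plain `Note:`.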
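Review bot: the hunk at @@ -325,7 in docs/requirements/platform_assumptions/index.rst introduces the typo "Voltage Moditoring"; it should read "Voltage Monitoring", matching the wording of `stkh_req__dependability__safety_features_10` that the same line links to.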
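Review bot: in the hunk at @@ -250,30 +250,149 of docs/requirements/stakeholder/index.rst, the last new directive, `.. stkh_req:: Safe Mode Switch`, has no blank line between `:valid_from: v1.0.0` and its body `The SW-platform shall implement Safe switch from engineering to field mode and back`; every other directive in the hunk has one, and without it docutils treats the sentence as part of the option block, so that need renders without content or raises an error. Further points in the same hunk: the rationale of `safety_features_7` (Cache Protection) is a verbatim copy of the one for `safety_features_6` and should talk about caches; typos in the new text: "currupt" (corrupt), "occurr" (occur, twice), "inintialization" (initialization), "the the same" (twice), "in systems in having" (in systems that have); and capitalisation of the feature names inside the requirement sentences is inconsistent ("Built-in hardware self-tests", "Safe startup and reset paths", "Memory Management Unit", "Safe switch"). Two design remarks: the numeric suffixes `_1` to `_11` carry no meaning, so a link such as `stkh_req__dependability__safety_features_4` is opaque at the point of use; IDs derived from the titles (for example `stkh_req__dependability__safe_startup_reset`) would be self-documenting and survive future insertions. And every split requirement inherits `:security: YES` from the old combined one; for E2E Protection the rationale only covers corruption by QM SW and HW, so if the flag is meant to say the mechanism also counters deliberate manipulation, the requirement should state that explicitly (that calls for an authenticated protocol, not a CRC and counter), otherwise the flag should be dropped on the purely safety-motivated ones.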