After reading this article you will learn :
- What is role of watchdog manager in watchdog stack of Autosar
- What is Supervised entity, supervision cycle, supervision functions and check points?
- How watchdog manager supervises the SW using Alive indication, Deadline monitoring and Logical supervision.
- Watchdog Manager Interfaces with SWC and how to use watchdog interfaces with SWC.
- Important Configuration Parameter of watchdog manager.
1. Introduction to Watchdog Manager:
Watchdog manager (WDGM) present at service layer of AUTOSAR stack as seen in fig.1.
Task of watchdog manager is to supervise software execution and if it finds error or flaw in execution of software, WDGM takes action on it. SWCs uses services provided by WDGM, using client server interface. SWC are client and WDGM is server.
|Fig.1 WDGM in AUTOSAR Layered Architecture|
2. Functionality of WDGM :
Functionality of WDGM is
- To supervise the SW and to supervise software, watchdog manager uses supervised entities.
- WDGM can change the mode of WDG driver (Slow, Fast or OFF).
- WDGM updates triggering condition in case supervision of SW is OK
- If global supervision status is not OK then resets ECU or do not set triggering condition, so that WDG driver will not trigger WDG and WDG will generate reset.
2.1 Supervision and Supervised Entity :
What is supervised entity ?
Supervised entities (SEs) nothing but a runnable within Software Component (SWC), BSW or CDD.
What WDGM supervises ?
WDGM supervises the supervised entities in SWCs and checks if :
1. Supervised entities (in Software) are getting executed periodically as per configuration e.g. if a runnable having frequency of 10ms so in 50ms runnable should have executed 5 times so watchdog manager monitors if SEs are getting executed number of times (e.g. 5) as per configuration
2. Flow of SE or sequence of execution of SEs are as per design (e.g. code is getting executed in correct sequence).
3. SEs are getting executed within expected time? (e.g. if runnable A should finish its execution in 5ms then WDG manager checks
What is Checkpoint ?
How WDGM get to know that supervised entity has been executed ?
Supervised entities uses checkpoint and when checkpoint (i.e. particular area or line in code may be start of runnable, end of runnable or in between some code line of runnable ) is reached while execution, supervised entities notifies to watchdog manager that this checkpoint is reached (i.e. it is executed).
Supervised entities uses port provided by WDGM to notify checkpoint reached, using client server mechanism as shown in fig.1. Function Provided by WDGM is
There can be multiple checkpoint in one runnable or single check point in one runnable that depends on the design and can be configurable.
Watchdog manager keeps track of check points reached indication and calculates status of supervision based on supervision function. Status of supervision is calculated in supervision cycle.
What is supervision cycle ?
Frequency at which watchdog manger supervises supervised entities . e.g. if supervision cycle is configured as 50ms then every 50ms watchdog manager supervises the supervised entities and checks the status of supervised entities as per configuration.
Putting it all together :
Refer fig.2 , which shows SWCs their runnable and supervised entities.
|Fig.2 SWC to WDGM connection|
In a system there are multiple runnable and among them if 2 are selected as supervised entities.
Supervision cycle of WDGM is configured to 50ms.
cyclicity of SE1 is 5ms and cyclicity of SE2 is 10ms.
Every 5ms SE1 and every 10ms SE2 will indicates checkpoint reached to WDGM i.e. indicates to WDG, particular line(or area) in code is reached.
Every 100ms WDGM will calculate the status of SEs based on checkpoints reported by SEs and supervision function, decides if status of SE is correct or incorrect.
WDGM calculates local supervision status based on status of supervision of each SE in system. Based on local supervision status WDGM calculates Global supervision status and decides SW execution is OK or not.
2.2 WDG Triggering :
WDGM is no longer responsible for triggering the WDG driver since AUTOSAR version 4, WDGM sets a flag in software to true or false i.e. sets triggering condition to TRUE or FALSE based on Global supervision status. WDGM uses function WdgIf_SetTriggerConditionto() update a flag.
WDG driver reads the flag i.e. triggering condition and based on triggering condition (if TRUE) triggers the watchdog to avoid reset.
3. Supervision Functions and working :
In above section you have learnt that WDGM supervises supervised entities by using supervision functions. WDGM performs this task in every supervision cycle and supervised entities reports their status by using checkpoint reached functionality (WdgM_CheckpointReached) to WDGM. WDGM calculates status of supervision based on supervision functions and these supervision functions are :
3.1 Alive indication :
To check if SEs are alive and getting executed number of times in one supervision cycle. This will help to monitor execution of SEs, helps to check if SE is getting executed too many time or getting executed less time. For alive indication 1 checkpoint in each SE will be required.
i.e. Alive supervision is check for cyclic timing constraint.
- In a system (refer above code snippet) there are multiple runnable.
- 3 runnable are selected as Supervised entitiesSE1 (5ms), SE2(10ms),SE3(20ms).
- At time of execution , SE will notify checkpoint reached to WDGM using RTE.
- In supervision cycle (WdgMSupervisionReferenceCycle)100ms WDGM will build the status of alive indications.
- WDGM will calculate number of alive indications reported by SEs
- We can add + and - (minimum tolerance :WdgmMinMargine and maximum tolerance :WdgmMaxMargine) tolerance to expected indications.
- WDGM will verify it against expected alive indications (WdgMExpectedAliveIndications) and calculates local supervision status of each SE
- Expected alive indications for SE1: 20+WdgmMaxMargine or 20-WdgmMinMargine
- Expected alive indications forSE2 : 10+WdgmMaxMargine or 10-WdgmMinMargine
- Expected alive indications forSE3 : 5+WdgmMaxMargine or 5-WdgmMinMargine
- If expected indications match then all SE are executing as per design.
- Else SE are not executing as per design
- Based on this WDGM will calculate status of SE's supervision as correct/incorrect.
3.2 Deadline monitoring :
To check if SEs (non cyclic) are finishing their execution in expected time. For this 2 checkpoints are required in SEs and WDGM calculates time of between two checkpoint to determine the execution time of SE. Execution time span can have minimum (WdgMDeadlineMin) and maximum deadline (WdgMDeadlineMax) for execution.
- A non cyclic supervised entity (InitDio) to be supervised using deadline monitoring.
- SE will finish execution within : WdgMDeadlineMin : 4ms and WdgMDeadlineMin :6ms
- SE will require minimum two checkpoints for deadline monitoring.
- WDGM will calculate time between 1st and last checkpoint.
- At Start of 1st checkpoint i.e. CP4 in above code snippet (WdgMDeadlineStartRef) WDGM will note the time stamp
- And at last checkpoint i.e. CP5 in above code snippet (WdgMDeadlineEndRef) WDGM will note the time stamp
- WDGM calculate time of execution of SE by calculating difference between last check point and first checkpoint.
- WDGM will verify calculated time against expected time i.e. it should be between W
- WDGM will calculate status of SE's supervision as correct/incorrect.
3.3 Logical supervision :
Logical Supervision checks if the code of Supervised Entities is executed in the correct sequence.
In Logical supervision n number of checkpoints used.
As you are aware while designing the code we are using flow charts, and based on flow charts we are writing the code. Now logical supervision will help to verify the flow chart i.e. logic written in code is as per design or not, hence it is called logical supervision.
As per the flow chart, we can decide the checkpoints. These checkpoints will form a graph
Refer below snippet, a code is given and as per logic checkpoints are added.
- WDGM checks if transition of checkpoints are as expected (i.e. as per logic designed).
- Expected Transitions : CP1-->CP2-->CP3-->CP5-->CP1
- Expected Transitions : CP1-->CP2-->CP4-->CP5-->CP1
- WDGM has Activity Flag for each graph, initialized to FALSE
- Activity flag helps to decide if checkpoint reported is 1st checkpoint or not.
- Supervised entities will notify checkpoint reached to WGM e.g. CP1 in fig.4
- WDGM will store current checkpoint and set Activity flag toTRUE
- When next checkpoint is reported (CP2) WDGM will store it and check with previous checkpoint (CP1). WDGM checks if this transition (CP1-->CP2) is valid or not if activity flag is TRUE.
- Similarly WDGM will check transition from CP2-->CP3 is valid or not
- WDGM checks the flow of execution.
- If CP1 is reported and then CP4 is reported, then this is not valid transition and WDGM will update status of SE's supervision as correct/incorrect.
From above discussion it is clear that WDGM calculates status of supervision of SE as correct/incorrect based on supervision function. Based on status of each supervision of SE (correct/incorrect), WDGM builds local status of supervision and based on local status WDGM calculates Global Status of supervision.
4. Important Configuration Parameters :
You want to configure WDGM, below are the some points you should always keep in mind to configure :
1. Define Supervised entities and Supervised entity IDs
2. Define Checkpoints of Supervised entities and checkpoint IDs
3. Select supervision Function to be used : Alive/Deadline/Logical. Configure values to below parameters as per supervision function selected
- Alive Supervision : WdgMExpectedAliveIndications
- Alive Supervision : WdgMMaxMargin
- Alive Supervision : WdgMMinMargin
- Alive Supervision : WdgMSupervisionReferenceCycle i.e. supervision cycle
- Alive Supervision : WdgMFailedAliveSupervisionRefCycleTol (accepted failed count of supervision of SE, used in local supervision status calculation)
- Deadline Supervision : WdgMDeadlineStartRef
- Deadline Supervision : WdgMDeadlineEndRef
- Deadline Supervision : WdgMDeadlineMin
- Deadline Supervision : WdgMDeadlineMax
- Deadline Supervision reference cycle i.e. supervision cycle
- Deadline Supervision : WdgMFailedDeadlineRefCycleTol
- Program Flow reference cycle i.e. supervision cycle
- Program Flow : WdgMFailedProgramflowRefCycleTol
4. Define WDGM Initial mode : Slow or Fast
5. Define WDGM Slow mode (1000ms) and Fast Mode(200ms) timings.
6. Define WdgMExpiredSupervisionCycleTol (accepted failure count of local supervision, used in Global supervision status calculation)
7. OS Application reference.