- "
28 | for (var i = 0; i < value.childs.length ; i++) {
29 | res = res + displayJson(value.childs[i])
30 | }
31 | res = res + "
9 |
18 |
19 |
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/Cluster_Display_Use_Case_v2/Item_Defintion/Papyrus_Model/Cluster_demo/resources/js/simpletreemenu.js:
--------------------------------------------------------------------------------
1 | /***********************************************
2 | * Dynamic Countdown script- � Dynamic Drive (http://www.dynamicdrive.com)
3 | * This notice MUST stay intact for legal use
4 | * Visit http://www.dynamicdrive.com/ for this script and 100s more.
5 | ***********************************************/
6 |
7 | var persisteduls=new Object()
8 | var ddtreemenu=new Object()
9 |
10 | //ddtreemenu.closefolder="icons/closed.gif" //set image path to "closed" folder image
11 | //ddtreemenu.openfolder="icons/open.gif" //set image path to "open" folder image
12 |
13 | //////////No need to edit beyond here///////////////////////////
14 |
15 | ddtreemenu.createTree=function(treeid, enablepersist, persistdays){
16 | var ultags=document.getElementById(treeid).getElementsByTagName("ul")
17 | if (typeof persisteduls[treeid]=="undefined")
18 | persisteduls[treeid]=(enablepersist==true && ddtreemenu.getCookie(treeid)!="")? ddtreemenu.getCookie(treeid).split(",") : ""
19 | for (var i=0; i
10 |
12 | My diagram-explorer tree.
11 |
13 |
16 |
17 | 
64 |
65 | ### Block Diagram nominal function
66 | Nominal function absent of safety mechanisms.
67 |
68 | 
69 |
70 | 
71 | 
72 |
73 |
74 | [todo] sanity check allocation to AGL cluster demo parts possible?
75 | ### Block Diagram Including Safety Checking
76 | Block diagram including safety mechanisms
77 |
78 | 
79 |
80 | Plantuml gets into more and more trouble here to find an acceptable diagram layout...
81 | -> papyrus, but it doesn't let me draw boxes like that
82 | [todo] reflect checker being in HW or SW
83 |
84 | [todo] assumption checking is triggered, hw checker provides an answer -> HW spec still under NDA.
85 |
86 | Plane storage as NUMA
87 | dedicated graphics memory allocation typically
88 | Region blocked for GPU memory
89 | dedicated memory hardware would be very expensive
90 | maybe chip level protection mechanisms (HW)
91 | All SOCs have there specialties, should typically be there.
92 |
93 | clarifying watchdog and Display can be HW / SW
94 | could be WD interface and Display interface
95 |
96 | potentially as subcomponents of our Safety Monitor block
97 |
98 |
99 | ### Block description
100 | [todo] Not accurate anymore, this needs to be aligned with the Papyrus model.
101 | * Telltale requester
102 | * ID: TT_requester
103 | * Description: Source of safety relevant telltale requests. Sends cyclically an E2E protected request indicating whether the telltale shall be displayed or not.
104 | * Display
105 | * ID: AE_Display
106 | * Displays the image data delivered through the HW Display interface.
107 | * The Display of the image data is provided with sufficient Safety Integrity level, see assumption
108 | * Backlight
109 | * ID: AE_Backlight
110 | * Illuminates the Display, Backlight off by means of kill line is used to transition the safe state.
111 | * Request handling/Display State arbitration
112 | * ID: AE_Request_handling
113 | * Function block receiving Telltale requests as well as non safety relevant Information to be displayed in the cluster display. Function block determines the state of the instruments to be rendered and sends that information to the Renderer.
114 | * QM Plane Rendering
115 | * ID: AE_Rendering
116 | * Rendering of the image, either by CPU rasterizer or GPU. Rendered Plane is stored in Plane storage.
117 | * Plane Storage
118 | * ID: AE_Plane_Storage
119 | * Storage for rendered Plane.
120 | * Configuration Data
121 | * ID: AE_Merge_Pipeline_Configuration_Data
122 | * Configuration data of the merger, things like alpha/color correction upscaling etc
123 | * Plane Blending
124 | * ID: AE_Plane_Blending
125 | * Plane blending in HW, image postprocessing, color correction etc
126 | * HW Display Interface
127 | * ID: AE_HW_Display_interface
128 | * Physical HW display interface
129 |
130 | ### Sequence diagrams nominal function during state normal Operation
131 | 
132 |
133 | [Todo] Reflect changes in the Block diagrams
134 | [Todo] Replace with Papyrus model sequence charts, these are no longer accurate!
135 |
136 | ### Sequece diagram including telltacle checking during normale Operation
137 | 
138 |
139 | [Todo] Reflect changes in the Block diagrams
140 | [Todo] Replace with Papyrus model sequence charts, these are no longer accurate!
141 |
142 |
143 | ## Safety Goals and Safe State
144 | No hara (hazard analysis and risc assessment) was performed for the system. Instead we assume the following safety goals as given:
145 | ### Safety Goal 1
146 |
147 | While a safety relevant telltale is requested, the system shall display the telltale to human perception within within 200ms
148 | * Info: Timing is debateable, could be relaxed if necessary, does not impact the safety concept (much)
149 | * Info: The safe state of the system cluster display is the black screen.
150 | * Info: "to human perception" means, the periods during which the system does not display the telltale are shorter, than what humans can discern (tbd ms)
151 | * Info: A telltale is considered requested, as soon as telltale request message is received
152 | * Info: The message delay between telltale requester and the system cluster display is out of scope and not considered in this safety concept
153 | * Info: We assume, that the telltale requester sends a request message cyclically and E2E protected, on missing or corrupted messages the cluster display assumes all safety telltales to be requested. [todo] debate, debouncing?
154 | ### Safety Goal 2
155 |
156 | tbd
157 |
158 | ### Safe State
159 | The system wide Safe state is defined as display backlight switched off / black screen.
160 |
161 | ## Interfaces
162 |
163 | ### Telltale request
164 | * The Telltale request is sent cyclically every 200 ms
165 | * The Telltale request contains the information which telltales to show
166 | * The Telltale request is E2E protected
167 |
168 | ### Watchdog petting
169 | * For now we assume a windows watchdog that has to be triggered every x ms
170 | * If necessary, we change the design to an intelligent watchdog, if we need more sophistication, such as control flow monitoring
171 | * If the watchdog is not triggered, it resets the µP and switches off the backlight
172 | * This can be extended to a more realistic design where a not displayed telltale does not directly causes the safe state, but rather switches the system to using a backup image generated by the CPU instead of by the relatively error prone HW graphics pipeline.
173 | * We can extend this to a more realistic design including a reset counter in the µP as opportunity to look into persistent storage
174 | ### Image out
175 | * The Image data is transferred through the HW Display Interface to the Display with a frequency of 60Hz
176 | * We assume the protocol to have E2E protection, and the Display to react to faulty image data by going black (-> Safe state)
177 |
178 | # Safety Concept
179 | ## Safety Goal 1
180 | ## Safety Goal 2
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 |
--------------------------------------------------------------------------------
/Initialy_discussed_system_scope/telltale.md:
--------------------------------------------------------------------------------
1 | # System definition
2 | The item telltale handles displaying safety relevant warning signs called "telltales" to the driver on the instrument cluster display, in case requested by other systems of the car.
3 |
4 | The requesting system is modelled as a generic controller connected via a bus i.e. CAN.
5 |
6 | Further inputs (involved systems) are the ignition and the battery. While the ignition is off, the display remains black.
7 |
8 | The connection to the Battery is necessary to safely deal with low charge levels that could cause erratic display function.
9 |
10 | Cyclic communication will be necessary, otherwise switch on/off commands can be missed.
11 |
12 | ## Inputs
13 | 1. Telltale request
14 | 1. Battery state
15 | 1. Ignition state
16 |
17 | ## Outputs
18 | None?
19 |
20 | ## Safe States
21 | The safe state of the system is defined by the screen switched off/black. The system is allowed to transition out of the safe state, after Ignition change.
22 |
23 | _[Further point to discuss, could also be allowed to recover if certain underlying transient faults are no more, i.e. corrupted communication between requester and cluster controller]_
24 |
25 | ## Schematic
26 | [add diagram from google doc](https://docs.google.com/document/d/1GQ9FwFEJz9hLjhK_xTEi2DVBmgU2DBnX/edit#heading=h.wcfczcs05qi2)
27 |
28 | ## Assumptions
29 | It is assumed that the HW of the cluster controller has to be systematically capable in the sense that it either performs correctly or switches itself off, which results in the display not receiving image data and the kill line being pulled down. This implies existence of a window watchdog to ensure there is no temporal misbehaviour.
30 |
31 | Besides the safety relevant telltale functionality, unrelated QM software runs on the cluster controller.
32 |
33 | It is assumed that the High level Safety requirements have ASIL B assigned, since that is the integrity level, typically required for instrument clusters in commercial vehicles.
34 |
35 | ## High level Safety requirements
36 | ### HLSR_1 ASIL B
37 | While the ignition is on and while Unfold Safety Goal
4 | 5 | * [ID_1502911625] [Information] Information: “while ” means that, if the telltale request persists/is repeated, the system has to continue to display the telltale. 6 | * [ID_1052985289] [Information] The 200 ms include the time needed for the request to reach the Cluster demo. This is considered in the frequency of the cyclic communication. 7 | * [ID_1780168904] [FSR] [ASIL B] The Telltale requester shall send a request cyclically controlling whether a telltale is needed to be shown or not. 8 | * [ID_736988533] [TSR] [ASIL B] The Telltale requester shall send the telltale request message every 200 ms 9 | * [ID_529767340] [TSR] [ASIL B] The Telltale request message shall contain a boolean "telltale_request" = 0 if the telltale is not requested and 1 if the telltale is requested 10 | * [ID_950923064] [TSR] [ASIL B] The Telltale request message shall be E2E protected with E2E Protocol xxx 11 | * [ID_1340201467] [Information] We don't specify this in all detail here, Message counter and CRC is needed 12 | * [ID_883554261] [FSR] [ASIL B] All inputs from outside the system, the cluster controller uses to determine whether a requested telltale is shown shall be E2E protected against data corruption out of order transmission and message loss 13 | * [ID_1807969240] [TSR] [ASIL B] The Cluster controller shall monitor messages from the Telltale requester 14 | * [ID_199781775] [TSR] [ASIL B] The Cluster controller shall check the telltale request message for E2E miss 15 | * [ID_1822634618] [Information] We don't specify this in all detail here, Message counter and CRC is needed 16 | * [ID_1213070481] [TSR] [ASIL B] If the cluster controller determines an E2E miss in the tell tale request message, the cluster controller shall transition the system into the safe state 17 | * [ID_1404407311] [TSR] [ASIL B] The Cluster controler shall check all additional inputs from outside the system, the Cluster controller needs to decide whether a requested telltale is displayed for E2E miss 18 | * [ID_114212614] [SW] [ASIL B] The Safety-Signal-Source shall check the additional inputs for E2E misses 19 | * [ID_1017729133] [Information] This refers not only to the telltale request messages from the telltale requester, but also all further inputs the safety-signal source needs to decide whether the requested telltale is displayed or not, e.g. input from a HW checker element, or Image data flowing back from the display 20 | * [ID_1264174165] [TSR] [ASIL B] If the cluster controller determines an E2E miss in an additional input needed for telltale verification, the cluster controller shall transition the system into the safe state 21 | * [ID_1488369061] [SW] [ASIL B] On E2E miss of any input to Safety-signal-source, Safety-signal-source shall request "Safe state" from the safety-app 22 | * [ID_1579674255] [FSR] [ASIL B] The Instrument cluster shall display the requested telltale or transition to the safe state 23 | * [ID_1284231708] [Information] We implement this by splitting into a QM path rendering the Display and a Safety path checking whether the requested telltale is shown or not 24 | * [ID_205232490] [TSR] [QM[B]] The Instrument Cluster shall render the cluster display image within 70ms of the instrument Cluster receiving the message 25 | * [ID_499334358] [SW] [QM[B]] The QT app shall render the image within 70ms of the cluster controller receiving the message 26 | * [ID_874940663] [TSR] [ASIL B] The Instrument Cluster shall determine, whether the requested telltale is displayed 27 | * [ID_994205752] [Information] Safety-signal source part of the control flow 28 | * [ID_745377459] [SW] [ASIL B] The safety-signal-source shall determine, whether the requested telltale is shown 29 | * [ID_1088404633] [SW] [ASIL B] If the requested telltale is not shown, the Safety-signal-source shall request "Safe state" from the safety app. 30 | * [ID_382560048] [SW] [QM[B]] The safety-signal source shall cyclically send the safety status message to the safety app 31 | * [ID_70275415] [SW] [ASIL B] Communication from the Safety signal source to the Safety App shall be E2E protected 32 | * [ID_1259502493] [Information] We don't specify this in all detail here, Message counter and CRC is needed 33 | * [ID_1639133793] [SW] [ASIL B] The results of the Safety signal source workload shall deterministically depend on the inputs 34 | * [ID_220738134] [Information] This implies freedom from spatial interference between the safety-signal-source / safety app and the rest of the (Operating) system, if taken at face value. The formulation is deliberate, the Architecture Workgroup is analysing all potential ways such interference could happen, we then revisit this requirement to refine it regarding safety mechanisms on the application level handling the determined interference scenarios, where possible to avoid putting undue burden on the kernel. 35 | * [ID_1937203672] [Information] Hardware faults are out of scope, see assumptions 36 | * [ID_991487171] [Information] Temporal interference is not relevant here, since the watchdog transitions the system into the safe state, if execution takes too long. 37 | * [ID_1791854442] [TSR] [ASIL B] If the requested telltale is not displayed, the instrument cluster shall transition the system to the safe state by not triggering the external watchdog 38 | * [ID_538932640] [Information] Safety App portion of the Control Flow 39 | * [ID_563434302] [SW] [ASIL B] The Safety App shall check the Communication from Safety Signal Source for E2E misses 40 | * [ID_1726916053] [SW] [ASIL B] The Safety App shall pet the external watchdog, if and only if the cyclic message from the safety signal source passes the E2E check and does not request "safe state" 41 | * [ID_971824356] [SW] [ASIL B] The results of the Safety-app workload shall deterministically depend on the inputs 42 | * [ID_1459030927] [Information] This implies freedom from spatial interference between the safety-signal-source / safety app and the rest of the (Operating) system, if taken at face value. The formulation is deliberate, the Architecture Workgroup is analysing all potential ways such interference could happen, we then revisit this requirement to refine it regarding safety mechanisms on the application level handling the determined interference scenarios, where possible to avoid putting undue burden on the kernel. 43 | * [ID_722885474] [Information] Hardware faults are out of scope, see assumptions 44 | * [ID_560329904] [Information] Temporal interference is not relevant here, since the watchdog transitions the system into the safe state, if execution takes too long. 45 | * [ID_998490846] [TSR] [ASIL B] If the watchdog is not triggered within 200ms, it shall transition the system to the safet state 46 | * [ID_1409122909] [Information] Watchdog part of the control flow 47 | * [ID_1337523371] [Information] Timing allocation considerations: 48 | The timings for rendering and telltale verification are not safety relevant, since the watchdog transitions to the system to the safe state, if the chain takes too long. 49 | * [ID_865269483] [Information] Signal sending including rendering by QT app: 100ms. We assume the time delay between the requester sending the message, and the cluster demo receiving it is less than 30ms, leaving 70ms for the rendering 50 | * [ID_1226012594] [Information] Display check inklusive WD trigger: 50ms 51 | * [ID_322365118] [Information] Watchdog logic inclusive backlight killing: 50ms 52 | * [ID_1266688002] [SW] [ASIL B] The watchdog shall disable the backlight of the Cluster Display within 50ms, if it is not triggered within 150ms. 53 | * [ID_922972509] [FSR] [ASIL B] The chain between Telltale request sent and display/safe state shall be less than 200ms. 54 | * [ID_1197920546] [Information] Timing allocation considerations: 55 | The timings for rendering and telltale verification are not safety relevant, since the watchdog transitions to the system to the safe state, if the chain takes too long. 56 | * [ID_1916288361] [Information] Signal sending including rendering by QT app: 100ms. We assume the time delay between the requester sending the message, and the cluster demo receiving it is less than 30ms, leaving 70ms for the rendering 57 | * [ID_980166321] [Information] Display check inklusive WD trigger: 50ms 58 | * [ID_450743490] [Information] Watchdog logic inclusive backlight killing: 50ms 59 | * [ID_190273872] [TSR] [ASIL B] The Telltale request message shall be sent every 200 ms 60 | * [ID_571758931] [TSR] [QM[B]] The Instrument Cluster shall render the cluster display image within 70ms of the instrument Cluster receiving the message 61 | * [ID_207710874] [SW] [QM[B]] The QT app shall render the image within 70ms of the cluster controller receiving the message 62 | * [ID_1787478473] [TSR] [QM[B]] Verification of telltale shown shall be performed within 50ms 63 | * [ID_1679094583] [TSR] [ASIL B] If the watchdog is not triggered within 200ms, it shall transition the system to the safet state 64 | * [ID_866134195] [Information] Watchdog part of the control flow 65 | * [ID_329269881] [Information] Timing allocation considerations: 66 | The timings for rendering and telltale verification are not safety relevant, since the watchdog transitions to the system to the safe state, if the chain takes too long. 67 | * [ID_678436710] [Information] Signal sending including rendering by QT app: 100ms. We assume the time delay between the requester sending the message, and the cluster demo receiving it is less than 30ms, leaving 70ms for the rendering 68 | * [ID_589807630] [Information] Display check inklusive WD trigger: 50ms 69 | * [ID_27256903] [Information] Watchdog logic inclusive backlight killing: 50ms 70 | * [ID_91008504] [SW] [ASIL B] The watchdog shall disable the backlight of the Cluster Display within 50ms, if it is not triggered within 150ms. 71 |
Unfold Safety Goal
75 | 76 | * [ID_575915779] [Information] We need to discuss this, this might not work with the frequency of 200ms we have in SZ1, it will if we relax it a little bit to around 120ms, see 77 | * [ID_1024133711] [FSR] [ASIL B] The Telltale requester shall send a request cyclically controlling whether a telltale is needed to be shown or not. 78 | * [ID_793329888] [TSR] [ASIL B] The Telltale requester shall send the telltale request message every 200 ms 79 | * [ID_1442215130] [TSR] [ASIL B] The Telltale request message shall contain a boolean "telltale_request" = 0 if the telltale is not requested and 1 if the telltale is requested 80 | * [ID_9487660] [TSR] [ASIL B] The Telltale request message shall be E2E protected with E2E Protocol xxx 81 | * [ID_83965615] [Information] We don't specify this in all detail here, Message counter and CRC is needed 82 | * [ID_1726434528] [FSR] [ASIL B] All inputs from outside the system, the cluster controller uses to determine whether a requested telltale is shown shall be E2E protected against data corruption out of order transmission and message loss 83 | * [ID_691030811] [TSR] [ASIL B] The Cluster controller shall monitor messages from the Telltale requester 84 | * [ID_1451767216] [TSR] [ASIL B] The Cluster controller shall check the telltale request message for E2E miss 85 | * [ID_324867201] [Information] We don't specify this in all detail here, Message counter and CRC is needed 86 | * [ID_29229427] [TSR] [ASIL B] If the cluster controller determines an E2E miss in the tell tale request message, the cluster controller shall transition the system into the safe state 87 | * [ID_1988413123] [TSR] [ASIL B] The Cluster controler shall check all additional inputs from outside the system, the Cluster controller needs to decide whether a requested telltale is displayed for E2E miss 88 | * [ID_571517104] [SW] [ASIL B] The Safety-Signal-Source shall check the additional inputs for E2E misses 89 | * [ID_224260376] [Information] This refers not only to the telltale request messages from the telltale requester, but also all further inputs the safety-signal source needs to decide whether the requested telltale is displayed or not, e.g. input from a HW checker element, or Image data flowing back from the display 90 | * [ID_1568256292] [TSR] [ASIL B] If the cluster controller determines an E2E miss in an additional input needed for telltale verification, the cluster controller shall transition the system into the safe state 91 | * [ID_1562874415] [SW] [ASIL B] On E2E miss of any input to Safety-signal-source, Safety-signal-source shall request "Safe state" from the safety-app 92 | * [ID_1967724661] [FSR] [ASIL B] The instrument cluster shall transition to the safe state within 50ms, if an unrequested telltale is displayed for more than 100 ms 93 | * [ID_464783880] [Information] We implement this by splitting into a QM path rendering the Display and a Safety path checking whether the requested telltale is shown or not 94 | * [ID_1234093641] [TSR] [QM[B]] The Instrument Cluster shall render the cluster display image within 70ms of the instrument Cluster receiving the message 95 | * [ID_1721681830] [SW] [QM[B]] The QT app shall render the image within 70ms of the cluster controller receiving the message 96 | * [ID_142142357] [TSR] [ASIL B] All Inputs the Cluster controller needs to decide whether a un requested telltale is displayed shall be E2E protected 97 | * [ID_1824391227] [TSR] [ASIL B] The Instrument Cluster shall determine, if a not requested telltale is displayed for more than 100ms 98 | * [ID_1623141656] [TSR] [ASIL B] If a unrequested telltale is shown for more than 100ms the instrument cluster shall transition the system to the safe state by not triggering the external watchdog 99 | * [ID_1771819379] [FSR] [ASIL B] The chain between Telltale request sent and display/safe state shall be less than 200ms. 100 | * [ID_1372264395] [Information] Timing allocation considerations: 101 | The timings for rendering and telltale verification are not safety relevant, since the watchdog transitions to the system to the safe state, if the chain takes too long. 102 | * [ID_851857056] [Information] Signal sending including rendering by QT app: 100ms. We assume the time delay between the requester sending the message, and the cluster demo receiving it is less than 30ms, leaving 70ms for the rendering 103 | * [ID_60352073] [Information] Display check inklusive WD trigger: 50ms 104 | * [ID_1148423018] [Information] Watchdog logic inclusive backlight killing: 50ms 105 | * [ID_1374235407] [TSR] [ASIL B] The Telltale request message shall be sent every 200 ms 106 | * [ID_66701131] [TSR] [QM[B]] The Instrument Cluster shall render the cluster display image within 70ms of the instrument Cluster receiving the message 107 | * [ID_139490740] [SW] [QM[B]] The QT app shall render the image within 70ms of the cluster controller receiving the message 108 | * [ID_1797976261] [TSR] [QM[B]] Verification of telltale shown shall be performed within 50ms 109 | * [ID_666005204] [TSR] [ASIL B] If the watchdog is not triggered within 200ms, it shall transition the system to the safet state 110 | * [ID_1120681616] [Information] Watchdog part of the control flow 111 | * [ID_150284297] [Information] Timing allocation considerations: 112 | The timings for rendering and telltale verification are not safety relevant, since the watchdog transitions to the system to the safe state, if the chain takes too long. 113 | * [ID_149104298] [Information] Signal sending including rendering by QT app: 100ms. We assume the time delay between the requester sending the message, and the cluster demo receiving it is less than 30ms, leaving 70ms for the rendering 114 | * [ID_530521654] [Information] Display check inklusive WD trigger: 50ms 115 | * [ID_1019504250] [Information] Watchdog logic inclusive backlight killing: 50ms 116 | * [ID_10230674] [SW] [ASIL B] The watchdog shall disable the backlight of the Cluster Display within 50ms, if it is not triggered within 150ms. 117 |