Sad 10033136 Po10cg
Sad 10033136 Po10cg
Sad 10033136 Po10cg
Document SAD_10033136_PO10CG
Revision 4.2
Status Approved
Date 22-July-2020
Prepared by:
Aravind Vazhathattil
Aptiv Advanced Safety & User Experience
It is not allowed to reproduce this document in any form without specific written permission by Aptiv Advanced Safety & User Experience.
Copyright © 2018 Aptiv Advanced Safety & User Experience. All rights reserved.
Software Architectural Design
10033136 SACID
This Software Architectural Design (SAD) document shall be reviewed and approved by the following:
Revision Record
Revision Revision Date Description / Reason for Revision Author
Number Status*
0.1 Draft 21-Mar-2019 First version of the SAD Dennis
0.2 Draft 23-Apr-2019 Updated static Architecture definition, Added Mcu details Aravind V
and dynamic architecture details
0.3 In Review 12-June-2019 Added section Memory Map , IoHwAb, Lin Aravind V
communication, Interrupts, Data consistency Mechanism
0.4 In Review 14-June-2019 Updated the review comments Aravind V
1.0 Approved 14-June-2019 Changed document status to approved and Updated Aravind V
Approval date
1.1 In Review 20 -Sept- 2019 Updated Project Information Aravind V
Updated Static Architecture Description
Updated Microcontroller Resource
Updated Overview
Added Software Block Diagram
Added non-volatile memory handling and UDS
diagnostic
Added VKMS, SOK and SysSup in CDD
Added Software Component Description (AVS, VAS,
PPE l LKPE , VALK , ISO)
Added Safety Mechanism
Added Security Concepts
Added software Update
Updated Task definition
Added Task Mapping
Updated Interrupts
Added Resource Consumption Estimates
Added AUTOSAR Configuration Tools.
1.2 In Review 24-Sept-2019 Updated the review comments Aravind V
2.0 Approved 24-Sept-2019 Changed document status to approved and Updated Aravind V
Approval date
10033136 SACID
3.0 Approved 24-February-2020 Changed document status to approved and Updated Aravind V
Approval date
3.1 In Review 18-May-2020 Added failsafe handling in Section 5.1 Aravind V
Removed empty chapter 6
10033136 SACID
10033136 SACID
Table of Contents
1 Scope and Project Information ...................................................................................................................... 7
1.1 Intended Audience ................................................................................................................................ 7
1.2 Project Information ................................................................................................................................ 7
2 Functional Description ................................................................................................................................... 8
2.1 Overview ............................................................................................................................................... 8
2.2 System Hardware Block Diagram ......................................................................................................... 8
2.3 Software Block Diagram ........................................................................................................................ 9
2.4 Variant Information for SACID System ............................................................................................... 10
2.5 Carry-over parts from other Projects ................................................................................................... 10
2.6 New concepts and Technologies ........................................................................................................ 10
3 Micro-controller Resources .......................................................................................................................... 11
3.1 MCU Description ................................................................................................................................. 11
3.2 Microcontroller peripherals .................................................................................................................. 11
3.2.1 PLL .................................................................................................................................................. 12
3.2.2 CAN- FD .......................................................................................................................................... 12
3.2.3 LIN ................................................................................................................................................... 12
3.2.4 ETHERNET ..................................................................................................................................... 13
3.2.5 SPI ................................................................................................................................................... 13
3.2.6 ADC ................................................................................................................................................. 13
3.2.7 Timer Modules (System Timer and GPT) ....................................................................................... 14
3.2.8 PWM ................................................................................................................................................ 14
3.2.9 Digital IOs ........................................................................................................................................ 14
3.2.10 Flash ............................................................................................................................................ 14
3.2.11 RAM ............................................................................................................................................ 15
3.3 Hardware fallback Strategy ................................................................................................................. 15
4 Static Architecture Description ..................................................................................................................... 16
4.1 Architecture Definition ......................................................................................................................... 16
4.1.1 Alternate Architecture Evaluation .................................................................................................... 16
4.1.2 Main software structure ................................................................................................................... 16
4.2 Software Safety Concept .................................................................................................................... 50
4.2.1 Self-Test .......................................................................................................................................... 50
4.2.2 Data Consistency Mechanism ......................................................................................................... 52
4.2.3 Safety measure for Communication ................................................................................................ 52
4.2.4 Memory Partition and Protection ..................................................................................................... 54
4.2.5 Program Flow Monitoring ................................................................................................................ 57
4.2.6 Alive Supervision ............................................................................................................................. 59
4.2.7 Timing Protection ............................................................................................................................ 59
4.2.8 Watchdog ........................................................................................................................................ 60
4.2.9 Error Management .......................................................................................................................... 61
4.3 Security Concepts ............................................................................................................................... 63
4.3.1 Hardware Security Module (HSM) .................................................................................................. 63
4.3.2 Secure Boot..................................................................................................................................... 64
4.3.3 Secured Communication with HCP5 ............................................................................................... 66
4.3.4 Secured PLC communication .......................................................................................................... 67
4.3.5 Vehicle Key Management System .................................................................................................. 68
4.3.6 Security Access to Diagnostic services........................................................................................... 69
4.3.7 Intrusion Detection System (IDSM) ................................................................................................. 70
4.3.8 JTAG Protection .............................................................................................................................. 71
4.4 Software Update ................................................................................................................................. 72
4.4.1 Development Phase ........................................................................................................................ 72
4.4.2 Bootloader ....................................................................................................................................... 72
4.4.3 Bootloader updater .......................................................................................................................... 73
10033136 SACID
4.4.4 Interaction between Application and Bootloader. ............................................................................ 73
4.4.5 HSM Updater (vHsmUpdater) ......................................................................................................... 73
4.4.6 Update Mechanism of logical blocks in Program (ROM) Memory .................................................. 74
4.4.7 Flash data security .......................................................................................................................... 75
4.5 System Behavior on the network ........................................................................................................ 75
4.5.1 CAN ................................................................................................................................................. 76
4.5.2 ETHERNET ..................................................................................................................................... 76
4.5.3 LIN ................................................................................................................................................... 76
4.6 System Interfaces ............................................................................................................................... 77
4.6.1 JTAG Interface ................................................................................................................................ 77
4.6.2 XCP ................................................................................................................................................. 77
5 Dynamic Architecture ................................................................................................................................... 78
5.1 ECU (SACID Hardware) States .......................................................................................................... 78
5.2 Data Flow ............................................................................................................................................ 84
5.3 Scheduler ............................................................................................................................................ 84
5.4 Task Definition:.................................................................................................................................... 85
5.4.1 Start-up Task ................................................................................................................................... 85
5.4.2 Idle Task(Background Task) ........................................................................................................... 85
5.4.3 Tasks Details ................................................................................................................................... 85
5.5 Task Mapping ...................................................................................................................................... 86
5.6 Interrupts ............................................................................................................................................. 87
5.7 OS Hook Functions ............................................................................................................................. 88
5.7.1 Error Hook ....................................................................................................................................... 88
5.7.2 Pre-Task Hook ................................................................................................................................ 89
5.7.3 Post-Task Hook ............................................................................................................................... 89
5.8 Resource Consumption Estimates for all Components ...................................................................... 90
5.8.1 Memory Estimate ............................................................................................................................ 90
5.8.2 CPU Load Estimation ...................................................................................................................... 90
5.8.3 CPU Load Measurement ................................................................................................................. 90
5.9 Variant Handling .................................................................................................................................. 91
5.10 Critical Functional Requirements ........................................................................................................ 92
5.10.1 Timing Requirements .................................................................................................................. 92
5.10.2 Security Requirement – Isolation ................................................................................................ 92
6 Memory Map ................................................................................................................................................ 94
6.1 Program(ROM) Memory ...................................................................................................................... 94
6.2 Data Memory ....................................................................................................................................... 94
6.3 RAM Memory ...................................................................................................................................... 94
6.4 Data storage ........................................................................................................................................ 95
6.5 Data buffer........................................................................................................................................... 96
7 Configuration and Build Process ................................................................................................................. 97
7.1 AUTOSAR Configuration Tools........................................................................................................... 97
7.2 Compiler and Linker ............................................................................................................................ 98
7.3 Build Environment ............................................................................................................................... 98
8 Standards and Reference Documents......................................................................................................... 98
9 Definitions and Acronyms ............................................................................................................................ 98
10033136 SACID
10033136 SACID
2 Functional Description
2.1 Overview
SACID (Smart Actuator Charger Interface Device) is a Vehicle to Grid (V2G) communication interface for
charging and discharging of electric vehicles. SACID act as a Power Line communication gateway between
HCP5 and Charging infrastructure. SACID support ISO15118 , CCS1 , CCS2 , CHAdeMO and China GB/T.
SACID communicate with HCP5 (central computer) via CAN-FD. Optionally there is an Ethernet .
➢ Microcontroller
o ST Chorus 4M SPC584C – Handle all communication devices, sensors and actuators
➢ Communication devices
• Ethernet Transceiver (TJA1101) connecting Microcontroller to Ethernet lines
CAN Transceiver TJA1042 for CHAdeMO CAN
• SBC with CAN and LIN Transceiver for CAN-FD and LIN communication.
➢ System Basic Chip (SBC)
• Infineon TLE9262QX
▪ Supply for the microcontroller
▪ High-speed CAN Transceiver supporting CAN-FD
Approved- Revision 4.2 Page 8 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
▪ Lin Transceiver
▪ SPI interface for control and monitor the SBC
➢ H Bridge DRV8703
➢ Power Line Communication
Qualcomm QCA7005 – Establish power line communication with charging infrastructure.
Microcontroller(SPC584C) communicate with QCA7005 via SPI protocol.
Master : Microcontroller(SPC584C) , Slave : QCA7005
10033136 SACID
• Detect and control the position of flap lock motor (connected via both electronically and LIN).
• Detect different type(CCS1/Type1 , CCS2/Type 2 , GB/T) of charging plug connected on the proximity
pin.
• Measure the Frequency , Duty cycle and Voltage on the control pilot line to determine the various IEC-
61851 states of the EVSE.
• Communicate with HCP5 via CAN Bus
• Establish ethernet communication to create communication for E-mobility and EE-Bus
Protocols(according to EEBus standard) to exchange data between EV and EVSE.
SACID is a first power line communication gateway project in APTIV.This is the first project where APTIV use
Vector Vehicle to Grid (V2G) solution. Hence most of the components of this project are newly developed.
Following is one of the component re-used from a previous project
1. System Supervision module (SysSup) - See section 4.1.2.3.10.9 for details about this module.
1. International Standards for Vehicle to Grid communication ISO15118 , CCS1 , CCS2 , CHAdeMO and
China GB/T
2. Vector Vehicle to Grid (V2G) solution - V2G solution provides the technology needed to establish the
communication with external charging infrastructure via Power Line Communication (PLC).
10033136 SACID
3 Micro-controller Resources
3.1 MCU Description
The Microcontroller used in SACID hardware is STM Chorus SPC584C74E5EEC.
Following are the available resources of SPC584C74E5EEC.
Timer STM 1 System Time , one 32 bit free running timer for the core.
LINFlexD 18
SPI 8
ADC 5
10033136 SACID
3.2.1 PLL
Internal system and peripheral clocks are generated from PLL.
Following table list the clock freequency shall be configured for different peripherals.
Peripherals Clock Reference Frequency
System clock PLL 120 Mhz
CAN 0 ClkRefPnt_XOSC 16 Mhz
CAN 1 ClkRefPnt_XOSC 16 Mhz
LIN 0 LIN_CLK0 40 Mhz
LIN 1 LIN_CLK0 80 Mhz
EMIOS 1 EMIOS_CLK 80 Mhz
SPI DSPI_CLK0 40 Mhz
HSM HSM_CLK 90 Mhz
3.2.2 CAN- FD
SACID communicate with HCP5 through CAN FD communication .CAN communication (Microcontroller
and CAN transceiver) is qualified CAN FD with 2Mbits/s transmission and payload longer than 8-bytes.
CAN Oscillator Frequency is 16Mhz
CAN bit timing: Arbitration Phase BTL (number of time units) 16
TSeg_1 1
TSeg_2 3
Sample point 81
SJW 1
Baud Rate Pre-scaler (BRP) 2
CAN bit timing: Data Phase BTL (number of time units) 8
TSeg_1 1
TSeg_2 1
Sample point 70
SJW 1
Baud Rate Pre-scaler (BRP) 1
Table 2 : CAN Bit timings
• SACID support wake up by CAN messages
• CAN network go to sleep if there are no NM messages from HCP5
• SACID is an active node in the CAN network and generate NM messages after it wake up
• SACID support the software update through CAN
3.2.3 LIN
The SACID is a LIN master. LIN0 and LIN1 are used. LIN is configured for 19.2Kbits/s transmission
Bit of sample timing tBFS 3.25 us
(LIN2.2) tEBS 22.7 us
tLBS 29.29 us
SACID connected to electric flap, PUSH buttons (ETSA) & LEDs through LIN nodes in few variants(see
section 2.4 for details of variants support LIN).
10033136 SACID
Each LIN line (LIN0 or LIN1) connected to single connector, like AC and DC respectively .
3.2.4 ETHERNET
SACID is also connected with ConMod(Wireless LAN) via Ethernet. SACID use 100BASE-T1 Ethernet
PHY.
3.2.5 SPI
Microcontroller shall use SPI to communicate with the following external peripherals.
1. System Basic Chip TLE9262BQXV33
2. PLC IC QCA7005
3. Motor control Chip DRV8703
SPI Device Baud rate Physical Unit Chip Select
TLE9262BQXV33 1MHz DSPI0 PCS1
QCA7005-AL33 8MHz DSPI1 PCS0
DRV8703-Q1 4MHz DSPI0 PCS7, PCS0, PCS0
3.2.6 ADC
SACID use 12 Bit ADC to convert voltage into ADC counts. Following components on SACID is connected
to ADC Inputs.
1. Temperature Sensor
2. Proximity Detection
3. CC1 and CC2 pins for GB/T.
4. LED
5. Pushbutton
6. Control Pilot
7. Battery
8. Connector Lock
10033136 SACID
3.2.7 Timer Modules (System Timer and GPT)
Following timers shall be used
Usage Timer Type Channel Resolution
OS time tick STM2 , 32 bit Timer Channel 0 1 tick –> 1ms
Time base for CPU Load Periodic Interrupt Channel 0 10000 ticks -> 1ms
measurement Timer
3.2.8 PWM
SACID shall use the following PWM configuration for LED and control Pilot.
Control Pilot
Direction Channel Duty Cycle Period
Input EMIOS_1_CH_03 0-100% 950-1050 Hz
LEDs
Direction Channel Duty Cycle Period
Output EMIOS_1_CH_22 0-100% 200 Hz
Output EMIOS_1_CH_26 0-100% 200 Hz
Output EMIOS_1_CH_20 0-100% 200 Hz
3.2.10 Flash
Following flash memory shall be used . See section 7 for more details of address range of each memory
region.
Usage Memory Total Size Life Cycle
10033136 SACID
3.2.11 RAM
Usage Memory Size
Data and bss section System RAM 256KB
Stack Local RAM 64KB
Data and bss section- HSM HSM RAM 32 KB
firmware 8KB – Standby RAM
Following are the possible options available if project falls in to the scare of Micro-controller resource due to
the additional features or components which are not planned .
1. Insufficient Computing Power
To increase the computing power following are the two options
- Use high clock frequency microcontroller from the same family - SPC58EC80 with clock speed of
180Mhz
Change needed in the software :
a. MCU(Clock and PLL) and OS configuration shall be updated.
- Increase the number of cores - Use dual core Micro-controller SPC58EC80 (Two z4 core @ 180Mhz)
Change needed in the software -
a. Dual core OS shall be purchased from Vector.
b. Identify component which can run independently on second core and move to the second core
2. Insufficient ROM or RAM
Use ST Microcontroller 4M series SPC58EC80 which has 4MB ROM and 512 KB RAM.
10033136 SACID
10033136 SACID
• HSM Firmware
HSM firmware is executed on the hardware security module of the microcontroller. HSM firmware
implement the required crypto algorithms .
Table below have the details of various components of SACID software and component responsible
CDDs
V2G Software Vector
PLCKS APTIV
VKMS Porsche
SOK Porsche
SysSup APTIV
Cdd_CpuLoadMonitor APTIV
Software Components (SWCs)
SFD Porsche
KS Porsche
TempSensor (ALST) APTIV
CPE (Control Pilot Evaluation) APTIV
AVS APTIV
VAS APTIV
PPE APTIV
LKPE APTIV
VALK APTIV
ISOND APTIV
LED APTIV
CCDC APTIV
CDOE APTIV
LKAE APTIV
10033136 SACID
4.1.2.1 Bootloader
The boot loader is a stand-alone program. It is compiled, linked, and downloaded to the ECU separately on
production line. The boot loader and Application SW never run simultaneously. The bootloader is responsible
for downloading software modules (like application software) to SACID memory areas (Flash ROM or
RAM).Bootloader is started first on a power-up of the SACID. Bootloader will verify the integrity of the application
software which is stored in the application memory areas. Once the integrity of application software is verified
bootloader will give the control to application software. The Bootloader is software product delivered by Vector
to APTIV where it is customized and adapted for SACID.
The area contains data specific for particular ECU and ECU variant, such as ECU serial number, hardware
variant identification, if necessary hardware calibration data. The data are flashed to Flash ROM only ones on
production line and cannot be modified after that.
10033136 SACID
SACID software is designed as per Autosar 4.2 / 4.3 Layered Architecture.
Below diagram graphically describe how the software is structured with software layers, modules and blocks as
per the AUTOSAR Architecture.
Note : Crypto modules are based on Autosar 4.3 . All other BSW module are based on Autosar 4.2.
• Application layer
The layer where all functional application components are located. The software architecture of application
layer is “component style” in opposite to “layered style” in Basic Software.
Normally all the application components do not communicate each other directly. All communication is
handled via RTE.
• Runtime Environment layer (RTE)
RTE is a layer providing communication services to the application software components.
• Basic Software layer
BSW is divided into Operating System (OS) and Services modules , ECU abstraction with I/O Hardware
Abstraction (IoHwAb) and Complex Device Drivers.
The OS and Services Layer is the highest layer of the BSW which applies also for its relevance for the
application software.
The ECU Abstraction Layer interfaces the drivers of the Microcontroller Abstraction Layer. It offers an API
for access to peripherals and devices regardless of their location and their connection to the
10033136 SACID
microcontroller. Especially I/O Abstraction (IoHwAb) provides standardized interfaces to access sensors
connected via analog and digital inputs and/or PWM outputs for control actuators.
Complex Device Drivers spans from the MCAL to the RTE. It provides the possibility to integrate special
purpose functionality, e.g. drivers for SBC , PLC IC (QCA7005) .
Autosar basic software provides the following needed for SACID software
➢ Communication (CAN , LIN and ETHERNET)
➢ Diagnostic
➢ Memory handling
➢ Watchdog handling
• Microcontroller Abstraction layer (MCAL)
The lowest layer of Basic Software. It contains internal drivers, which are software modules with direct
access to microcontroller and internal peripherals. It’s aim is to isolate higher layers from microcontroller
dependencies.
• Complex Device Driver
Apart from standard Autosar BSW modules and MCALs , there are some additional hardware dependent
modules like SBC , PLC IC (QCA 7005) are needed for SACID. These modules are implemented as Complex
Device driver. Autosar guidelines are followed for implementation of such modules.
• Microcontroller
this layer shall represent the hardware of the microcontroller
All Autosar BSW modules, RTE, OS, MCALs and Autosar configuring Tools are delivered by Third Party
Company. See Table 15 for details of Autosar BSW supplier.
Tool Name Supplier
Davinci Configurator and Developer Vector
EB tresos (tool used for the configuration of MCALs) ST Electronics
Table 6: Autosar Configuration Tools
Apart from standard Autosar BSW modules and MCALs , there are some additional modules are needed here
to satisfy the ECU requirements. These modules shall be implemented as either Complex Device driver or as
standard driver modules. Autosar guidelines shall be followed for implementation of such modules.
Following modules(Standard Software) are Provided by Porsche which shall be integrated
10033136 SACID
KS SWC 4.4.0
4.1.2.3.1 MCAL
Following MCAL modules shall be used in SACID software to have access to the ST Chorus SPC584C74E5
peripherals .
1. MCU
2. PORT
3. GPT
4. SPI
5. DIO
6. FLS
7. ADC
8. ICU
9. PWM
10. CAN
11. LIN
12. WDG
13. ETHERNET
Standard Autosar MCAL modules like Mcu, Gpt, Fls,Spi, Adc, Dio and Port are provided by ST Electronics.
MCAL configuration tool (EB tresos) is used for configuring these modules as per the requirement and the
hardware schematic.
MCU – Mcu module provides service for initialization of the core Mcu functionalities listed below
- Manage CPU clock and peripheral clock
- MCU mode handling
PORT – Microcontroller Port properties are managed by the port module. Following properties can be configured
using the port driver
- Port Pin direction
- Port Pin Initial value
- Port Pin Mode
- Port Pin alternate value
DIO - This module works on pins and ports which are configured by the PORT driver.
All services in DIO driver shall be synchronous (no buffering of request/value). DIO driver is used to read
or write GPIO values.
GPT - The GPT driver is part of the microcontroller abstraction layer (MCAL). It initializes and controls the
internal General Purpose Timer(s) (GPT) of the microcontroller.
GPT driver provides services and configuration parameters for starting and stopping hardware timers,
getting timer values, controlling time triggered interrupt notifications.
10033136 SACID
ADC - The ADC Driver initializes and controls the internal Analogue to Digital Converter Unit(s) of the
microcontroller.
ADC Module in the microcontroller provides both 10 bit and 12 bit resolution data conversion.
ADC Driver shall provide services to start and stop a conversion to enable and disable the trigger source
for a conversion.
PWM- The PWM driver provides functions for initialization and control of the microcontroller internal PWM stage
(pulse width modulation).
PWM module generates pulses with variable pulse width. It allows the selection of the duty cycle and
the signal period time.
FLS - Flash driver module is used for flash read , write and erase operation .Non-volatile data will be stored
and retrieved using the services provided by the Fls module.
CAN - CAN driver shall initialize the CAN controller peripheral and provide services for data transmission,
reception and bus off handling etc.
SPI - SPI driver shall initialize the SPI peripheral and provide services for data transmission and reception.
Microcontroller (ST Chorus) communicate with Power Line IC (Qualcomm QCA 7005), SBC(TLE9273)
via SPI protocol.
ICU – ICU Driver controls the input capture .In SACID there is an interrupt line connected to QCA7005 chip.
Ethernet driver for QCA7005 need an interrupt to be triggered when there in rising on this interrupt line. ICU
module shall be used for configuring this.
EcuM and BswM together implements the ECU mode management and application mode management.
BswM module main responsibility is to arbitrate mode request from application layer SW-Cs or other BSW
modules based on rules and perform action based on arbitration results.
Approved- Revision 4.2 Page 22 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
As these modules mainly handle the mode management , the asynchronous runnables of these modules are
scheduled at period of 10ms.
Runnable Period
EcuM_MainFunction 10ms
BswM_MainFunction 10ms
Table 7 : System stack Modules Asynchronous Runnables
CAN communication requirements in SACID is implemented using Autosar CAN communication modules.
Communication Stack in AUTOSAR is a set of modules like COM (Services Layer), PDU Router(Services Layer),
CanIf (ECU Abstraction Layer) , Can Bus Drivers (MCAL Layer) . In addition to this there are modules like Can
State Manager (CanSM) , Network Manager(Nm, CanNM) and Can Transport Protocol(CanTp) modules in the
communication stack
cmp CommunicationStack
ComM Nm
«fl ow»
«fl ow»
PduR
«fl ow»
«fl ow»
CanTp
«fl ow»
«fl ow»
CanIf
«fl ow»
«fl ow»
CanDriv er
10033136 SACID
Nm module acts as an adaptation layer between can network management (CanNm) and the ComM modules.
Network management (Nm) module also responsible to coordinate the synchronized sleep/shutdown of Ecus
connected to the communication bus.
CanNM module main purpose is to coordinate the transition between normal operation and bus sleep mode of
the CAN network.
AUTOSAR COM is a module between the RTE and the PDU Router. It is responsible for providing a Signal level
access to the application layer and a PDU level access to the lower layers independent of the protocol. It packs
the signals to a PDU at the transmitter and unpacks the received PDU to provide a signal level access to the
application at the receiver. COM is responsible for a signal/signal group level gateway. It maps a received
signal/signal group to a transmit signal/signal group to be gatewayed
PDU Router is a module responsible for routing the PDU to the respective Bus Specific Interface modules(CanIf).
PduR is also responsible for PDU level gateway. PduR module can also interact with Cdd modules .
CanIf module provides standardized interface for all upper layer which require CAN communication. These
includes the transmission and reception of messages and the state handling of controller as well.
CanTp module is mainly used to segment and reassemble CAN-IPDUs longer than 64 bytes (in the case of
CAN-FD) and handle the transmission with flow control in the case of segmented messages.
Most of the above modules does their functionality in Asynchronous manner. Hence each module have
runnables which needs to scheduled periodically.
The period of these runnables depends on message period , overall CPU load etc.
To have better balance of CPU load and to support messages with periodicity of 5ms or more , the main functions
shall be scheduled with a periodicity of 5ms.
Some of the state manager modules like ComM , CanSM shall be scheduled with period of 10ms. Because these
modules are not involved during transmission and reception hence scheduling these modules with period of 5ms
is not required.
Runnable Period
Com_MainFunctionRx 5ms
Com_MainFunctionTx 5ms
CanTp_MainFunction 5ms
CanSM_MainFunction 10ms
ComM_Mainfunction 10ms
Table 8 : CAN BSW Modules Asynchronous Runnables
10033136 SACID
CAN NM starts a transition to Repeat Message state only if the message is in the range of valid CAN-NM. NM-
Identifier in the Extended format (29-bit ID) 0x1B000000 - 0x1B0003FF
CAN Sleep:
Whenever there are no NM messages from other node for duration of 400ms , CAN communication from SACID
needs to be stopped(bus sleep) following proper network management state transitions.
TCP/IP based communication requirement in SACID software is implemented using Autosar Ethernet
modules.
SoAd module create an interface between an Autosar communication module like PduR and socket based
TcpIp stack. It will map I-PDU Ids to socket connections and vice versa.
TcpIp provides socket interface based on internet protocol (IPV4 and IPV6) on ethernet. Autosar TcpIp stack
support both TCP and UDP protocols.
EthIf module provides to upper layer(SoAd) an hardware independent access to ethernet controller.
As the ethernet communication have to handle data with a speed up to 100mbps , asynchronous runnables
have to be scheduled more frequently.
Currently the period of Asynchronous runnables of Ethernet modules are defined as below . This might need
some update later based on data load and CPU load.
Runnable Period
Eth_MainFunction 5ms
EthIf_MainFunctionRx 5ms
EthIf_MainFunctionTx 5ms
10033136 SACID
EthIf_MainFunctionState 5ms
TcpIp_Mainfunction 5ms
SoAd_Mainfunction 5ms
EthSM_MainFunction 5ms
Table 9 : Ethernet BSW Modules Asynchronous Runnables
ComM Nm
«fl ow»
«fl ow»
PduR
«fl ow»
«fl ow»
«fl ow»
LinDriv er
LinSM module control the communication status of Lin network . Also responsible for handling the schedule
change request.
LinNm module coordinate the transition between normal operation state and bus sleep mode of the network.
LinIf module execute the currently selected schedule for each LIN bus SACID ECU is connected. And also
responsible for switching schedule table when requested by the upper layer.LinIf support the behavior of a
master in the LIN 2.1 specification. Transport protocol (LinTp) is included in the LinIf module.
10033136 SACID
Most of the above modules does their functionality in Asynchronous manner. Hence each module have
runnables which needs to scheduled periodically.
The period of these runnables depends on schedule table , overall CPU load etc. To have better balance of CPU
load and to support schedule table 5ms or more , the main functions shall be scheduled with a periodicity of
5ms.
Runnable Period
LinIf_MainFunction 5ms
LinSM_MainFunction 5ms
Table 10 : LIN BSW Modules Asynchronous Runnables
Vector Microsar OS (Autosar OS) is used in SACID .And the MICROSAR OS used in SACID support only single
core. Autosar OS is based on OSEK specification with addition of more protection features. OSEK OS is an
event triggered operating system. This provides flexibility to design the system which support both polling and
event based scheduling.
Scalability class SC4
Conformance class BCC1 , ECC1
Microsar OS support all the scalability class. But in SACID OS is configured for BCC1 and ECC1.
Microsar OS used here support up to scalability class 4. As we need memory protection and timing protection
OS is configured to support the features according to scalability class 4 .There is no dynamic creation of task at
runtime and no dynamic memory management is supported in the operation system . All tasks are configured
during the compilation time.
OS module implements a specific stack concept. It’s possible to define different stacks and can be assigned to
tasks and ISRs. This enable each task and ISRs to have its own stack area.
4.1.2.3.6.1 Task
Application software runnables and asynchronous runnables of BSW are executed in task context. Based on the
execution requirement runnables are mapped to either basic task or extended task. All event-driven SWC
functions are assigned to extended and preemptive tasks. The Extended Tasks differ from the Basic Tasks by
being allowed using additional operating system services which may result in waiting state. Waiting state allows
the processor to be freed and reassigned to a lower priority task without the necessity to terminate the Extended
Task.
10033136 SACID
4.1.2.3.6.2 Interrupt
In SACID software all the peripheral interrupts are serviced after the OS initialization . Hence all the peripheral
interrupts are implemented as Category 2 interrupts. That means in this case OS is responsible for the interrupt
handling like stack allocation to interrupt , interrupt priority handling , nesting of interrupt , invocation of interrupt
service routine etc.
The Io Hardware Abstraction module provides decoding, filtering and data exchange services from MCAL to
RTE. The IoHAB has no direct access to the hardware. It provides a signal based interface to the upper software
layer. It performs static abstraction and inversion (if needed) of values according to their physical representation
at the inputs/outputs of the ECU hardware (compensation of static influences caused within the path between
ECU IO and Microcontroller pin, e.g. voltage divider, hardware inversion).
The IoHAB module handles MCAL modules such as DIO, PWM, ADC. Hence, the IoHAB is modularized into
different components which enable the handling of one group of IOs. It comprises of the following components.
1. IOHAB_Discrete
This sub-component handle all the discrete inputs and outputs.
Discrete inputs are classified as below in IO hardware Abstraction
a. Direct Inputs – Here the Port Pin is directly read
b. Buffered Inputs – Input values are read cyclically and debounced. The value provided to upper
layers is validated.
10033136 SACID
IOHWAB MCAL
IOHWAB
IOHWAB_Analog ADC
IOHWAB_Discrete Dio
IOHWAB_Pwm PWM
IoHWAB module have one init function and few runnables which is scheduled in OS task with period of 5ms.
Runnable Period
IoHwAb_AnalogIn 5ms
IoHwAb_DiscreteIn 5ms
IoHwAb_DiscreteOut 5ms
IoHwAb_PWMIn 5ms
10033136 SACID
Init() DIO
IOHWAB
SACID shall use 128KB internal data flash available in the Microcontroller for storage of data permanently.
Autosar Memory modules (NvM, MemIf, Fee and Fls) provides services to store data consistently in the data
flash. Data flash available in the Microcontroller ST584C is sector erasable. Hence a Eeprom emulation
mechanism in implemented in the Fee module there by provide more number of erase/program cycles than the
typical flash erase /program, cycle of 250K.
To support the emulation mechanism following configuration shall be done in the Fee module.
One Fee cluster group with two Fee clusters shall be configured
Each fee cluster shall have one sector of size 64KB
Each Fee logical block shall be mapped to the Fee Cluster group.
10033136 SACID
nonvolatile memory whenever there is change in the configuration. Compatible means that the structure and the
length of all blocks are the same. Within a block dummy signals or an area is used to have some margin for
keeping the block compatible for some time. But when a complete new block is added then the structure of the
NvRAM is incompatible. The same is valid when the length of one block changes. Then the complete structure
of the NvRAM is incompatible to the former one. During startup there is an algorithm which checks the
compatibility by comparing the Config ID and in case of non-compatibility then the default values will be loaded
instead of data from the data-flash. Each time during a software update configuration ID shall be change if there
is a layout change due to which previous written data cannot be used.
Default value - All blocks need to have default values configured. This is needed to copy the default values into
the RAM in case there is a problem detected.
10033136 SACID
4.1.2.3.9 UDS Diagnostic
Vector modules Diagnostic Communication manager(Dcm) and Diagnostic Event Manager (Dem) shall be used
for handling diagnostic services and fault management according to UDS standards. Diagnostic functionalities
according to each DIDs, Routines controls etc shall be implemented in a separate application component
(AptivDiagSwc).Dcm module shall interact with this component to invoke operations or fetch data according to
the UDS services requested. For security unlock DCM module shall interact with SFD module.
SCC module is implemented by Vector. Aptiv is responsible for the integration of this module.
SACID use PLC Technology (Power Line Communication) to communicate with the charging station .In this
system data stream is modulated onto power lines.
Vector Vehicle to Grid (V2G) solution provides the technology needed to establish the communication with
external charging infrastructure via PLC. And the V2G solution use Autosar Ethernet and Tcp/Ip stack for the
communication which provides socket communication over IP for TCP and UDP .Vector V2G modules are
implemented as CDD modules and Vector provides this modules as extension to their Autosar solution which
makes the integration possible with other standard Autosar modules.V2G support communication over internet
mechanism and protocols.
Vector V2G solution include Smart Charging Communication (SCC) module which support smart charging
functionalities according to the following standards.
1. ISO 15118
10033136 SACID
2. DIN SPEC 7021
SCC(Smart Charging Communication) – This module is responsible for smart charging communication
according to ISO15118 or DIN SPEC 70121.This module also support the following
AC : AC charging as well as the related Plug and Charge (PnC) and External Identification Means profiles.
DC : DC charging as well as the related Plug and Charge (PnC) and External Identification Means profiles.
ACD : Automatic charging Device
TLS module is implemented by Vector . APTIV is responsible for the integration of this module.
This module contains a transport layer security client .TLS module provide certificate base encryption for the
Power Line communication between SACID and the charging station .TLS support certificate validation using
Online Certificate validation using Certificate Status Protocol (OCSP) stapling V1. TLS use crypto services
provided by the Autosar CSM (Crypto Service manager) for checking the certificate and signature.
10033136 SACID
Exi module is implemented by Vector . APTIV is responsible for the integration of this module.
Efficient XML Interchange is used to interpret the XML documents and convert them to binary formats. This
makes processing and transmission of the files more efficient which economizes communication bandwidth.
SCC module use EXI services for encoding and decoding of XML files.
10033136 SACID
Exi Provided the encoding possibilities to generate schema conform EXI streams according to the
schemata name spaces listed below. Supported XML namespaces are:
- urn:iso:15118:2:2010:AppProtocol as specified by ISO 15118-2 and DIN 70121
- urn:din:70121:2012:MsgDef as specified in DIN 70121
- urn:iso:15118:2:2013:MsgDef as specified by ISO 15118-2 (first edition)
- http://www.w3.org/2000/09/xmldsig# as specified by ISO 15118-2
- urn:iso:15118:2:2016:MsgDef as specified by ISO 15118-2 (second edition)
XMLSec module is implemented by Vector. APTIV is responsible for the integration of this module.
XMLSec module is used to generate and validate XML signatures to EXI encoded data based on the W3C XML
security standard.
10033136 SACID
Figure 15 : XmlSecurity
Complex Device Drive PLC Communication (PLCKS) is responsible for carrying out the EVSE search process
using SLAC Process, as defined in ISO15118-3. It is also responsible for checking the Link Status of the on
board QCA7005 chip. The Status of the EVSE search process and Link Status is sent via CAN Communication
PLCKS module utilizes the callback APIs from QCA7005 Driver(EthTrcv CDD) provided by Vector to send
HomePlug GreenPhy compliant data packets to QCA7005 over the SPI.
PLCKS component has one periodic runnable which triggered every 10ms.
10033136 SACID
Dependency to Scheduler
Runnable Period
Plcks_Slac_SM 10 ms
Vehicle Key-Management System has two parts , VKMS core component and VKMS adapter component.
VKMS core component is CDD module provided by Porsche. VKMS adaptor component is an add-on
implementation in the Vector HSM firmware.
Sichere Onboard Kommunikation (SOK) is a CDD module provided by Porsche . SOK module provides
freshness value for the SecOC module.
SOK version 1.4.0 shall be used. See section 4.3.3 for more details of usage of SOK module in SACID.
4.1.2.3.10.8 NpmGen2
This CDD module is developed by Vector according to VW specification Knockout von Steuergeräten
Querschnittslastenheft LAH DUM.910.C.1.
APTIV shall integrate this CDD module delivered by Vector. This module will implements a mechanism to
avoid power consumption of the electronic control unit. This module monitor the bus activity and ECU activity .
Bus Knockout Monitoring
When communication is detected in any of configured bus this functionality is active and the configured Bus
Knockout timer will be active. When there is no bus activity and the timer expires , then Bus Knockout will be
triggered . When Bus Knockout is triggered , ECU reset will be triggered by calling the function
Appl_CddNpmGen2_BUS_Knock_out_PerformShutdown()
ECUKnockout Monitoring
When no communication is detected this functionality is active and the configured ECUKnockout timer will run.
Once the timer has expired , an ECU shutdown will be triggered by calling
Appl_CddNpmGen2_ECU_Knock_out_PerformShutdown()
10033136 SACID
4.1.2.3.10.9 System Supervision (SysSup)
SysSup(System Supervision) monitors the failures in the System. SysSUp module is implemented as Complex
Device Driver (CDD).
SysSup module capture the following error occur in the SACID ECU.
1. RAM ECC Error
2. Flash ECC Error
3. DataFlash ECC Error
4. Clock Failure
5. Charging Plug Error.
SysSup module trigger the ECU to ERROR state if any of this occur during the execution. If the state transition
to ERROR is due to ‘Charging Plug Error’ then SysSup module immediately trigger the ECU to enter into
SAFE state.In SAFE state all charging functionalities are deactivated and plugs are unlocked as safety
measure.
SysSup module shall have a periodic runnable which is executed in every 100ms to monitor the faults and
recover the ECU.
Runnable Period
SysSup_MainFunction 100ms
See section 4.2.2 for more details of fault handling by SysSup module.
CDD module Cdd_CpuLoadMonitor reads the measured CPU load values from RTM module. When tester
request the CPU load via DID , AppDiagSwc shall fetch the CPU load values from Cdd_CpuLoadMonitor.
10033136 SACID
4.1.2.3.11 Description of the Software components
4.1.2.3.11.1 SFD
SFD from Porsche shall be used for implementing the role based access control.
See section 4.1.13.9 and 4.3.6 for details of SFD.
The Temperature Sensor SWC (TempSensor) shall convert the ADC values measured by a temperature sensor
each at DC+, DC- and AC lines into temperature values.IoHwAb module provides the required interfaces to
read the ADC measurement values. Temperature sensor module shall not directly interact with ADC module.
TempSensor module shall also send the converted measured Adc value on CAN communication bus. It shall
use send receiver interface to send the signal values to the Com module.
10033136 SACID
The ControlPilotEvaluation module communicate with Com module via RTE to send the Voltage, Frequency and
Duty Cycle values on the CAN bus.
AVS
Approved- Revision 4.2 Page 40 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
AVS connector locking mechanism detect the status of actuator(plug) locks . AVS module interact with IoHwAb
module to read the actuator status in terms of ADC counts. These Adc counts are converted to resistance to
find the status of actuator . AVS also send the actuator(plug) lock status via CAN bus .
VAS
VAS get the actuator lock status from AVS(via send receiver interface) and the lock/unlock command from
HCP5 via CAN Bus.VAS module apply the lock/unlock command based on the actuator locks status from
VAS.VAS module interact with IoHwAb module to trigger the actuator(plug) lock /unlock command.
Dependency to Scheduler
Runnable Period
AVS_Connector_Locking_Mech_Runnable_Main 10ms
VAS_Locking_Mechanism_Control_Main 10ms
4.1.2.3.11.5 PPE
Proximity module check the presence of different type of plug system (CCS1/Type1 , CCS2/Type 2 , GB/T )
connected . This is done by analyzing the input from proximity pin. Proximity Detection module interact with
IoHwAb component to read the analog value at the proximity pin . And it interact with Com module (send -
receiver interface )to send the Plug detection status on CAN bus.
Approved- Revision 4.2 Page 41 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
Dependency to Scheduler
Runnable Period
PxoximityDetection_Runnable_Main 10ms
LKPE
LKPE module detect the status of flap . LKPE module interact with IoHwAb module to read the actuator(flap
motor ) status in terms of ADC counts. These Adc counts are converted to resistance to find the status of flap .
LKPE also send the flap status via CAN bus .
VALK
VALK get the actuator(flap) lock status from LKPE(via send receiver interface) and the flap lock/unlock
command from HCP via CAN Bus.VALK module apply the flap lock/unlock command based on the actuator
(flap) locks status from LKPE.VALK module interact with IoHwAb module to trigger the flap lock /unlock
command.
10033136 SACID
Dependency to Scheduler
Runnable Period
VALK_Control_Locking_Mech_Runnable_Main 10ms
LKPE_Control_Locking_Mech_Runnable_Main 10ms
4.1.2.3.11.7 ISOND
ISOND component receive the EVSE parameters from HCP5 via CAN, encode and send them to EVSE
through PLC communication established. ISOND module also control the state machine of the SCC module
and send the ISO messages accordingly. ISOND module shall implement the callbacks required by the SCC
modules. When this callbacks invoked ISOND shall provide the requested parameters received from HCP5.
10033136 SACID
4.1.2.3.11.8 LED
LED component shall be responsible for the display of search light and charging scenarios in LEDs.
LED component shall control four output PWM interface which are connected to the inlet LEDs.
LED component shall write to the output PWM interface based on the received scenario from HCP5.
LED SWC shall interact with IoHwAb for PWC control and interact with Com module (S/R interface) for receiving
the LED display scenario. See Chapter 3 more details of PWM channel configuration.
Dependency to Scheduler
Runnable Period
LED_Runnable_Main 10ms
4.1.2.3.11.9 CCDC
CCDC component shall be responsible for the detection of GBT DC connector based on standardized
resistance values with plugged and unplugged connector (GBT DC). CCDC module shall interact with IoHwAb
module to read the following analog input signal value based on the connector status.
1. Plug signal - analog
2. Wakeup counter
10033136 SACID
Based on the connector detection status , CCDC module shall update the following CAN signals transmitted to
HCP5 module.
Dependency to Scheduler
Runnable Period
CCDC_Runnable_Main 10ms
4.1.2.3.11.10 CDOE
CDOE component shall be responsible for the detection of CHAdeMo connector based on the state of
optoelectronic switch .CDOE module shall interact with the IOHwAb module to read the following Analog input
signals.
1. CSS1
2. CS
Base on the value of these Analog input signals , CDOE module shall update the following CAN signals
transmitted to the HCP5 module.
CAN Signal Direction
CDOE_Status Tx
CDOE_Fault_Status Tx
CDOE_WeckAnf Tx
Dependency to Scheduler
Runnable Period
CDOE_Runnable_Main 10ms
4.1.2.3.11.11 LKAE
LKAE component shall be responsible for the activation of electric flap connected via LIN. This component
shall be active only in software variants with flap connected via LIN. LKAE module receive the flap lock
activation commands from the HCP5 module via CAN communication. LKAE module receive the flap lock from
LKPE module.
Based on this input signal LKAE module shall update the LIN signals.
Following are the input signal received from HCP5 via CAN
10033136 SACID
Dependency to Scheduler
Runnable Period
LKAE_Runnable_Main 10ms
4.1.2.3.11.12 CDOKS
This module shall controls the communication for Chademo charging and evaluate the HW pins for the
charging sequence. CDOK module shall process the analog input signals CCS1 , CCS2 and CPP of the
CHAdEMO charging interface. This module also shall act as gateway between the CAN communication
between the CHAdEMO charging station and the HCP5.
Input signal from CDOE
CDOE Signal Direction
CDOE_Status Rx
10033136 SACID
CDOP_ProtokollVersionFzg Rx
CDOP_ZielLadespannungFzg Rx
CDOP_SollAnforderungFzg Rx
CDOP_FehlerHvBatUeberSpannungFzg Rx
CDOP_FehlerHvBatUnterSpannungFzg Rx
CDOP_FehlerHvBatIstStromDiffFzg Rx
CDOP_FehlerHvBatUeberTempFzg Rx
CDOP_FehlerHvBatIstSpannDiffFzg Rx
CDOP_LadebereitFzg Rx
CDOP_WaehlhebelPosFzg Rx
CDOP_FehlerFzg Rx
CDOP_HvBatIstLadezustandFzg Rx
CDOP_CDO_LsNachrichtSendenAnf Rx
CDOP_CDO_LadeerlaubnisFzg Rx
10033136 SACID
CDOKS_LsMsgEmpfangen Tx
CDOKS_Fehlerstatus Tx
Dependency to Scheduler
Runnable Period
CDOK_Runnable_Main 10ms
4.1.2.3.11.13 GBTSK
This module shall receive the messages which are coming from the GB charging station . The information in
the messages are put on the corresponding signal in CAN-FD communication to HCP5.
And this module also shall assign the signal which are coming from HCP5 module to corresponding Tx
messages to GB charging station.
Following are the input signal from charging station
GBT signals Direction
CHM: Ladesäule Handshake (Charger handshake) Rx
CRM: Erkennung Ladesäule (Charger recognization) Rx
CML: Maximale Leistung der Ladesäule (Charger’s Rx
maximum output capacity)
CRO: Ladebereitschaft der Ladesäule (Charger Rx
output readiness status)
CCS: Ladezustand der Ladesäule (Charger charging Rx
status)
CST: Ladeende der Ladesäule (Charger end-of- Rx
charge)
CSD: Statistik der Ladesäule (Charger statistical Rx
data)
CEM: Timeouterkennung der Ladesäule (Charger Rx
error message)
10033136 SACID
Dependency to Scheduler
Runnable Period
GBTSK_Runnable_Main 10ms
4.1.2.3.11.14 EEBUS_Logic
Data is exchanged according to EEBus standard on the Ethernet interface between SACID and ConMod .
EEBUS_Logic module shall map the data according to EEBUS standard to CAN FD signals(Tx/Rx signal
to/from HCP5).
10033136 SACID
(http://s03.delphiauto.net/17/ConnProj/10033136/Systems/Forms/AllItems.aspx?RootFolder=%2F17%2FConn
Proj%2F10033136%2FSystems%2F10%20Planning%2F30%20Software%20Plans)
4.2.1 Self-Test
According to the safety goals identified for SACID following features shall be implemented according the safety
level ASIL A.
1. Temperature sensor measurement
2. LED functionality
3. Plug motor lock/unlock feedback
4. Plug motor lock /unlock
5. Plug detection
6. Flap lock /unlock
7. Control Pilot detection.
A requirement of the ISO26262 is to detect the accumulation of latent defects. ST Microcontroller has built in
programmable hardware module called Self-Test Control Unit (STCU2), which provide self-test blocks.. STCU2
manage logic built in Self-Test (LBIST) and SRAM built in Self-Test (MBIST) blocks of the device. MBIST bock
shall be used to detect the fault in the RAM.
MBIST shall be implemented for each of the SRAM contained in the Microcontroller.
MBIST shall be configured to execute(offline mode) the test every time the MCU boots or gets destructive reset.
Offline MBIST test shall be configured using Device Configuration Format (DCF) record that automatically
configure the STCU2 to enable and run the MBIST at startup . DCF records are stored in the UTEST memory .
The DCF records provide an interface that can be used to initialize registers within the selected modules (DCF
clients) during system boot . The STCU2 registers are DCF clients. DCF clients are 32-bit wide hardware
registers inside a module that receive and store the data from a DCF record. This stored data is used to initialize
STCU2 registers and to configure the STCU2 for MBIST during startup. Configuration of the MBIST is loaded
to the STCU2 by the SSCM module during the PHASE 3 of the reset sequence.
STCU2 module will trigger a functional reset after MBIST. There shall not be MBIST test during functional reset.
10033136 SACID
10033136 SACID
4.2.1.2 Flash Array Integrity check
To check the integrity of the flash , SACID software shall enable Flash Array integrity check . This can be done
by putting the flash into user test mode. Flash Array integrity check is done before Operating system initialization
in the startup phase.
Flash Array Integrity Check (FAIC) reads data from selected flash blocks and calculates the MISR signature.
This calculated MISR signature will be compared by flash controller (in runtime) with MISR calculated during the
software build and it is included in the s-record file. If the MISR is identical, then the content of selected flash
blocks corresponds to content in s-record file and that there are no ECC errors (single bit or double bit ECC
errors).
During Flash Array integrity check no exception will be reported if double bit ECC errors are detected.
Flash Array integrity check shall be implemented in the SysSup module and it will be executed during startup
phase .
Concurrent accesses to shared data memory can cause data inconsistencies. We have system where several
code entities accessing the same data memory are running in different contexts. Due to this fact Autosar
Recommended Data Consistency Mechanism are considered in the Design of the system. In AUTOSAR
systems the RTE will take care that communication is not corrupted by data consistency problems.
Concept of Exclusive area and InterRunnableVariables are used where RTE guarantee the data consistency
for SW- C communication and execution circumstances. In the case of Basic Software Modules exclusive
areas handled by Basic Software Scheduler(SchM is integrated within RTE) is used.
Exclusive Areas are associated with RunnableEntitys .Focus of the Exclusive Area concept is to block potential
concurrent accesses to ensure data consistency. Exclusive Areas implement critical section. The RTE is
forced to guarantee data consistency when the Runnable Entity runs in an Exclusive Area. A Runnable Entity
can run inside one or several Exclusive Areas completely or can enter one or several Exclusive Areas during
their execution for one or several times.
If a critical section shall not be preempted by ISR , exclusive area shall disable the interrupts when enter into the
exclusive area and enable interrupts when exit from the exclusive area. This is done by using the OS functions
SuspendAllInterrupts() and ResumeAllInterrupts()
End to End protection mechanism shall be implemented to protect against corruption ,repetition , insertion ,
masking and reordering of messages when it is exchanged between SACID and HCP5 via CAN bus.
10033136 SACID
4.2.3.1.1 End-to-End Protection (E2E)
To meet the safety goal it’s important to ensure the integrity of data(safety signal) exchanged between the safety
components and HCP5 via CAN protocol.
All the safety signals exchanged between SACID and HCP5 shall be protected using EndtoEnd (E2E) protection.
Autosar E2E library and E2E Protection Wrapper shall be used to protect the safe data using E2E communication.
Checksum and alive counter are monitored for safe data exchange.
There are safety signals which shall be transmitted from SACD . Such signals shall be protected using E2E
protection mechanism.
E2E Library shall use Profile 2 and Profile 4.
10033136 SACID
Communication of safety signal between software components is handled by the safe RTE module (ASIL A
compliant).Safe RTE ensure that there is unintentional repeat , delay insert , mask , corrupt or lose of data
communicated between SWCs.
See the dataflow diagram in section 5.2 to see the safety signal between SW components/IoHwAb.
Safety signal communicated between SW components or to/from IoHwAb are marked in green line.
10033136 SACID
According to technical safety requirements (TSC [2]) , following components are identified to be ASIL A compliant
to support safety goals for the above mentioned features.
Based on the safety classification of SWCs , BSWs and MCALs , software architecture is configured for 2
partitions.
10033136 SACID
Task OS application
Core0_Init_Task OS_Application_Core0_QM
Core0_task_Swc_Init_QM OS_Application_Core0_QM
Core0_task_Swc_Init_ASIL OS_Application_Core0_ASIL
10033136 SACID
Core0_Task_BswEthernet_QM OS_Application_Core0_QM
Core0_Task_Bsw_PlcDriver_QM OS_Application_Core0_QM
Core0_Task_BswHighPrio_QM OS_Application_Core0_QM
Core0_Task_BswCrypto_QM OS_Application_Core0_QM
Core0_Task_V2G_QM OS_Application_Core0_QM
Core0_Task_Appl_HighPrio_ASIL OS_Application_Core0_ASIL
Core0_Task_Appl_HighPrio_QM OS_Application_Core0_QM
Core0_Task_Bsw_HighPrio_ASIL OS_Application_Core0_ASIL
Core0_Task_Bsw_LowPrio_QM OS_Application_Core0_QM
Core0_Task_Appl_LowPrio_QM OS_Application_Core0_QM
Core0_Task_Diag_LowPrio_QM OS_Application_Core0_QM
Core0_Task_SysSupervision_QM OS_Application_Core0_QM
Core0_Task_Idle OS_Application_Core0_QM
Table 14 : Task mapping to OS Application.
Region descriptors shall be configured for the following memory regions. This shall be done through the OS
configuration.
Region Access Rights
Trusted Non-Trusted
(Os_Application_Core0_ASIL) (OS_Application_Core0_QM)
Read Write Execute Read Write Execute
Core0_QM_noinit_ram x x x x
Core0_QM_ram_data x x x x
Core0_QM_ram_bss x x x x
Core0_ASIL_ram_data x x
Core0_ASIL_ram_bss x x
Core0_Rte_Ram_noncached x x x x
Core0_QM_code x x x x
Core0_ASIL_code x x
Table 15 : RAM / ROM MPU Regions with access rights.
OS reserves one memory region which is reprogrammed by the OS with each task switch. So any memory
access violation to the stack is captured by the MPU and reported .
Program flow monitoring shall be implemented in the SACID software to check the correct execution of software.
10033136 SACID
The focus of this concept is the detection of program flow errors, i.e. a divergence from the valid program
sequence. An incorrect program flow occurs if one or more program instructions are processed either in the
incorrect sequence, not in time or are not even processed at all.
Logical program flow monitoring shall implemented to detect data corruption , process crashes due to invalid
execution of program sequences.
Logical program flow monitoring shall be implemented for all Safety component(See Table 13) runnables.
Autosar WdgM module shall be used for implementing the Logical program flow monitoring .
Following Supervised Entity and check points shall be configured in the WdgM module for the program flow
monitoring .
Supervised Entity CheckPoints Checkpoint trigger location
SE_IohwAb CP1 Entry-> IoHwAb_MainFunction_AnalogIN_TaskThread
SE_IoHwAb CP2 Exit -> IoHwAb_MainFunction_AnalogIN_TaskThread
SE_IoHwAb CP3 Entry-> IoHwAb_MainFunction_DiscreteIN_TaskThread
SE_IoHwAb CP4 Exit -> IoHwAb_MainFunction_DiscreteIN_TaskThread
SE_IoHwAb CP5 Entry -> IoHwAb_MainFunction_DiscreteOUT_TaskThread
SE_IoHwAb CP6 Exit -> IoHwAb_MainFunction_DiscreteOUT_TaskThread
SE_IoHwAb CP7 Entry->IoHwAb_MainFunction_PWMIN_TaskThread
SE_IoHwAb CP8 Exit->IoHwAb_MainFunction_PWMIN_TaskThread
SE_LKPE CP9 Entry_LKPE_Control_Locking_Mech_Runnable_Main
SE_VALK CP10 Entry_VALK_Control_Locking_Mech_Runnable_Main
SE_AVS CP11 Entry_AVS_Connector_Locking_Mech_Runnable_Main
SE_VAS CP12 Entry_VAS_Locking_Mechanism_Main
SE_PP CP13 Entry->ProximityDetection_Runnable_Main
SE_CP CP14 Entry->ControlPilot_Runnable_Main
SE_ALST CP15 Entry-> TempSensor_Runnable_AC_Main
Table 16 : Supervised Entity checkpoints
An external graph as shown in the Figure 26 shall be configured in the WdgM module . And at each check point
of the Supervised entity WdgM_CheckpointReached shall be called to notify WdgM about the entry of checkpoint.
10033136 SACID
Timing protection shall be implemented for all the tasks configured in the OS module (see table 19 ). OS
module shall be configured to SC4 to enable the timing protection.
Approved- Revision 4.2 Page 59 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
Execution budget of each of task needs to be defined . This shall be done based on the analysis of maximum
execution time of task in worst case scenario.
4.2.8 Watchdog
SACID has external watchdog which is part of the System Basic Chip (TLE9262BQXV33).Watch dog manager
combines all Supervised Entity states from program flow monitoring(see section 4.2.5) and alive
supervision(4.2.6) to a global state . If the global state is WDGM_GLOBAL_STATUS_STOPPED then the WdgM
module shall set the trigger condition to “0 -> No trigger “ . When the trigger condition is “No trigger” , watch dog
driver shall not service the watchdog. This will result in the reset of Microcontroller.. As SACID is safety
relevant(ASIL A) external watchdog with window watchdog mechanism shall be used.
MCU is connected to SBC via SPI module.
Below table shows the SBC modes with respective watchdog modes
SBC Mode Watchdog mode Details
INIT Mode Start with Long open window When coming from SBC Init the watchdog timer is
always started with a long open window.
The long open window allows the microcontroller to
run its initialization sequences and then to trigger the
watchdog.
Normal Mode Watchdog is programmable Window watchdog is enabled
Stop mode Watchdog is fixed or OFF
Sleep mode Watchdog is OFF
Restart mode Watchdog is OFF
Table 17: SBC Watch Dog Modes
The watchdog must be triggered inside the open window. A correct watchdog service immediately results in
starting the next closed window. Should the trigger signal meet the closed window or should the watchdog
timer period elapse, then a watchdog reset is created by setting the reset output RO LOW. The SBC switches
to SBC Restart Mode.
10033136 SACID
A watch dog time period of (WD_TIMER) 200ms shall be configured. According to this open window for valid
watchdog trigger is as follows.
tWD = 200ms
So the valid watchdog trigger shall happen between 144ms to 240ms. Any watchdog trigger outside this time
window will cause an reset.
10033136 SACID
4.2.9.1 ECC error handling
MEMU unit collect and report the error events associated with ECC logic used on
• Local SRAM
• Peripheral System RAM
• FLASH
MEMU unit forward this faults to FCCU module.
To prevent the total failure in-case of ECC error during runtime, an ECC error handling mechanism shall be
implemented.
• In case of a non-correctable ram ecc error , SysSup module overwrites the invalid cell and performs a
reset.
• In case non-correctable flash ecc error , SysSup module performs a reset.
• In case of a non-correctable data flash ecc error , SysSup module recalculate the instruction address,
and the call Fls ECC handler to stop the read process via the FLS module.
SysSup module shall configure the CMU to detect any failure in the XOSC clock , System clock and monitor
the PLL to check any deviation in the clock which is locked.
CMU shall be programmed to report the failure to the FCCU module. SysSup module shall monitors the FCCU
module for any clock failure . If there is failure reported , then SysSup module shall perform reset to restore the
clocks.
Approved- Revision 4.2 Page 62 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
4.2.9.3 Register Supervision
Register Supervision shall be implemented in the System Supervision module to ensure that there is no
unintentional modification of the register values.
SysSup shall implement the function the following function
SysSup_RegisterSupervisionCheck Run every 50ms.
A predefine table with the values of registers of the peripherals Adc, Pwm,SIUL , SPI , CGM and SMPU shall
be created.
SYSSUP_RegisterSupervisionTable Store the register values of peripherals Adc,
Pwm,SIUL , SPI , CGM and SMPU
SysSup module shall periodically (50ms) read the values of registers and compare with the value in the
predefined table. If there is register manipulation detected then SysSup module shall try to recover this by
Performing Microcontroller reset.
10033136 SACID
SACID shall use AUTOSAR Crypto stack to access the cryptographic services .
Following modules are part of the Autosar crypto stack
CSM - Crypto Service Manager
• Provide Cryptographic services
• Configure cryptographic services and algorithm
CryIf - Crypto Interface
• Provide uniform interface for different crypto solutions.
CryDrv(HW) – Crypto Driver Hardware
• Enable Application software and FBL get access to security algorithms and functions provided by the
HSM module.
In order to reduce the startup time due secure boot , trusted boot method shall be used.
Trusted Boot
10033136 SACID
First stage is checked sequentially – no parallel execution
First checked entity triggers next check and directly starts subsequent entity
10033136 SACID
10033136 SACID
VKMS_IsTypeIdReady for each key. This check shall be done after each startup and each time when keys are
updated by VKMS.
V2G solution use TLS(Transport Layer Security) version 1.2 for secure communication between EVCC and
SECC. This allows to establish an authenticated and encrypted channel between the EVCC and the SECC.
TLS allows for unilateral or mutual authentication. For ISO unilateral authentication will be used, i.e the EVCC
authenticates the SECC. TLS based communication is established by EVCC by sending SECC Discovery
Protocol message along with parameter TLS enabled.
For SACID to request TLS based communication with EVSE, it shall get an indication from HCP5 whether to
use TLS or not. For transport layer security, EVCC authenticates SECC using SECC Certificate. This is being
achieved by SECC having a private key corresponding to SECC Certificate, and EVCC having V2G Root
Certificate and verifying the certificate chain from the V2G Root Certificate to the SECC Certificate.
10033136 SACID
ISOND
V2G CRYPTO
CSM
Smart Charging
Communication
CRYIF
TCP/IP
XML CryptoDrv
Security Transport Layer
Security
vHSM
The VKMS is used to manage and provide cryptographic key material for vehicles. To this end, individual keys
for each electronic control unit (ECU) are generated and then encrypted in a backend so that they can be
added to a vehicle's individual ECUs during production.
On the ECUs, VKMS software takes care of decrypting and storing the added key material and of providing
the right key for various applications(e g: SOK ) in the ECU.
10033136 SACID
ECU
CSM
DCM
VKMS Adapter
Component CRYIF
DEM
Crypto
HSM
VKMS adapter component is a CDD module provided by Porsche and the VKMS core component is part of the
Vector HSM firmware.
The VKMS core component is responsible for the persistence of the keys. For the purpose of a secure key
handling this component is implemented in the Hardware Security Module (HSM).SOK module use VKMS
service for fetching the key and also check the validity of the Key.
10033136 SACID
An attack on the SACID leads to security events which are reported by so-called security sensors . IDSM
module in SACID collect this security events (SEV).
IDSM module provide standardized interface for BSWs and application to report security events(SEV).Based
on the configured rules IDSM filters and aggregate the SEV to qualified onboard security events (QSEV). This
QSEV shall be send to send to HCP5 using SomeIp protocol.
The list of QSEV shall be discussed and confirmed with PAG.
• BSW Modules and Applications can act as security sensors and report SEV to the IdsM
• The IdsM passes QSEV to the PduR for transmission to the IdsR
10033136 SACID
In FauilureAnalysis state , debug interface can be enabled again by writing the JTAG password in the JTAG
password challenge register of JTAGC using the external debug tool. Debug interface will be enabled if this
password match with the password stored in the DCF record in UTEST memory area.
10033136 SACID
In order to move the Device Life cycle from In Field to Failure Analysis, the device need to pass first level of
security. It means the valid unlock certificate from APTIV’s PKI has to be provided to the ECU via diagnostic
service.
In order to generate the unique JTAG password per ECU, the KDF (Key Derivation Function) shall be used
according to the NIST 800-108. The Key Derivation Key will be generated in the APTIV's offline HSM (Key Broker
Server) using random number generator with 256 bits length according to VW Standard 80180-1. The Key
Derivation Key shall be securely stored in the APTIV's HSM (Key Broker Server).
4.4.2 Bootloader
During manufacturing and after series production software can be updated using bootloader.
SACID use bootloader supplied by Vector . SACID bootloader support software download over CAN-FD.
For the update process Porsche Standard tool PIDT send the software image to the SACID bootloader via
CAN-FD interface.
10033136 SACID
4.4.3 Bootloader updater
Bootloader updater is used for replacing the existing flash Bootloader(FBL) .Bootloader will be download just
like a normal application download and once started , replace the existing bootloader by the new version.
The picture below shows the overview of the bootloader update process.
Updater Updater
Application Bootloader Bootloader Application
V2.0 V2.0
When there is a Diagnostic request to Switch to Programming mode , application software shall write a pattern
in the no_init ram (Core0_QM_noinit_ram) before performing the reset . no-init ram is not cleared and
initialized during reset.
Update of HSM Firmware is done using Flash Bootloader and HsmUpdater (vHsmUpdater).
FBL receive the updated HSM firmware from software Flashing tool (e g: PIDT tool) and request the HSM
firmware for the verification. After successful verification FBL will write the updated HSM firmware and the header
to the Host code flash reserved . FBL initiate the update process by requesting HSMFirmware to start the
HsmUpdater. HsmUpdater then install the update in HsmCode flash.
10033136 SACID
Following logical blocks are defined in SACID . See chapter 7 for details of memory location of this logical
blocks.
1. Hardware Configuration Area
2. Bootloader
3. Application software and QCA firmware
4. HSM firmware
See table below for details of update mechanism of each of the above mentioned logical blocks.
Logical Block Update mechanism
Hardware Configuration Area Hardware Configuration Area is OneTime Programmable.
Hardware(ECU) specific values shall be written in this logical
block. And this values shall be written during manufacturing
process by Aptiv Manufacturing team.
Bootloader Bootloader updater can update the bootloader. See section
4.4.3 for details.
10033136 SACID
Application software and QCA firmware Application software and QCA firmware together builds a single
logical blocks and this can be updated via Bootloader.
It’s not possible to update the QCA firmware alone.
HSM firmware HSM firmware can be updated using Flash Bootloader and
HsmUpdater (vHsmUpdater from Vector)
See section 4.4.4 for details of HSMUpdate.
10033136 SACID
4.5.1 CAN
4.5.2 ETHERNET
10033136 SACID
LKL_Mechanik_blockiert_Lk1 Rx
LKL_Ist_Moment_Niedrig_Hoch Rx
LKL_ResponseError_XIX_LKL1s Rx
Table 26 : LIN External Intreface.
During development phase software flashing and debugging is done using JTAG debugger.
Debug access to both Host core and HSM core is supported via JTAG the interface. Debug access to SACID
ECU through JTAG interface is controlled by Device lifecycle.
4.6.2 XCP
XCP module is used for the measurement of SACID internal parameters. XCP protocol provide access to all
important internal variables , states and error messages of Basic software. This can be used for debugging the
software.
A2L files needed for XCPMaster are generated using Davinci Tools. Measurement tools like CANape or INCA
use this A2L files to read the ECU internal parameters
10033136 SACID
5 Dynamic Architecture
5.1 ECU (SACID Hardware) States
The picture below shows the different states of software and transitions of the states:
10033136 SACID
•STARTUP
Initialization of MCAL modules , SBC chip and Basic software modules are done in startup state. Self-test of
RAM is also executed in the startup state. SACID can enter into STARTUP state due to one of the following
wakeup reason.
1. KL_30 is connected
When KL_30(Battery voltage) is connected SBC will provide the 3.3V and 5V to the microcontroller. With
this Microcontroller will be powered ON and enter into the STARTUP state.
2. CAN FD Wakeup
3. Control Pilot Presence
4. Proximity Wakeup
5. Control Pilot duty cycle change
6. Push button activated
7. LIN Wakeup
8. CHAdeMO wakeup
9. GB/T Wakeup
•ACTIVE
SACID enter into ACTIVE after successful initialization and self test.In ACTIVE state following interfaces are
enabled based on the wakeup reason.
1. CAN interfaces
2. Control pilot's interface
3. CHAdeMO interface
4. PLC interface
5. Ethernet interface
6. China DC GB/T
SACID remains in ACTIVE state as long as one of the above interface is in use and network management
messages are received from HCP5.
•SLEEP
SACID enter into SLEEP state when none of the interfaces are in use and no network management messages
are received from HCP5. To meet the very low current consumption requirement the Hardware designed to use
the wake up concepts (including CAN, LIN and General Wake up pin) from SBC instead of micro-controller sleep
mode. SACID enter into sleep state by putting SBC to sleep state .In this mode , VCC1 regulator is OFF and not
supplying the microcontroller anymore. And in this mode CAN and LIN transceiver also enabled as wakeup
capable. These settings are done before SBC enter into sleep state. A wakeup event on one of the CAN or LIN
will return the SBC to normal mode and signal the wake source.
Approved- Revision 4.2 Page 79 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
•ERROR
SACID enter into ERROR state if there are error during execution of the software.
Following error can trigger SACID to enter into ERROR state.
1. RAM ECC Error
2. Flash ECC Error
3. PLL Clock Deviation (Fault Detected by CMU)
4. MCU Peripheral initialization Error
5. Under/Over voltage detection
There is a sub-state called SAFE is defined in the ERROR state to prevent charging functionality if there are
error detected from Plug Driver or Error detected in the DC temperature. In SAFE state all charging functionalities
are disabled. CAN communication with HCP and Diagnostic communication are enabled in the SAFE state.
10033136 SACID
SAFE STATE
To prevent a total failure in case of a faulty hardware , a concept of failsafe shall be implemented.
Following are the list of faults identified which can cause SACID to enter into error/safe state.
• Error in Self-Test
• Fault reported by FCCU
• Clock Error
• RAM/ROM ECC Error
• Memory Access violation detected by MPU
• CAN Communication Failure
• SPI Communication Failure
• Under/Lower Voltage
• On board high temperature
• Fault detected from Register Supervision
• OS Task Time Violation
• Program Flow Violation
• Execution Fault (Detected by Alive supervision)
• SBC Error
• Fault from CP,PP,TempSensor, PlugMotor,Flap motor, Chademo Pins and Gbt Pin
Two reset counters (Slow and fast) shall be implemented to count the number of reset occurs due to the above
faults. These counters shall be incremented at startup (after each reset). These counter are stored in no-init
RAM area to avoid the re-initialization during startup after reset.
Failsafe reset counter SLOW shall count the number of reset in a time duration of 1 minute. This failsafe
counter SLOW shall be decremented by 1 each 1 minute.
If the failsafe reset counter SLOW is higher than 10 , then software shall activate the failsafe mode.
10033136 SACID
Failsafe reset counter FAST shall count the number of reset in a time duration of 3 second. This failsafe
counter FAST shall be decremented by 1 each 3 seconds.
If the failsafe reset counter FAST is higher than 3, then software shall activate the failsafe mode.
In case of requested reset, these failsafe counters shall not be incremented.
There are two different type of fault handling based on the type of faults .
1. Microcontroller internal/HW faults and Security authenticity /integrity failure .
Following are the sequence of actions before enter into FAILSAFE state.
1. Set DTC corresponding to the error.
2. Notify to HCP5 via CAN
3. Try to do a recovery of fault by performing the Microcontroller reset.
2. Fault from CP,PP,TempSensor, PlugMotor,Flap motor, Chademo Pins and Gbt Pin and E2E/Secure
Communication Error
Following are the sequence of actions before enter into FAILSAFE state.
1. Set DTC
2. Notify to HCP5 via CAN
3. Stay in Active state
In this case SACID5 itself shall not change the operational state.
10033136 SACID
• CAN communication with HCP5 is enabled. But there will be no communication to HCP5 if the fault is
related to CAN or Microcontroller internal faults which affects CAN communication.
• Diagnostic Communication is enabled to read DTCs and DIDs.
• All charging communication are deactivated.
• Lock access to keys stored in the secured data flash if the entry to SAFE state is due to software integrity
and Authenticity failure.
A power on reset clear all the failsafe counters and software will exit from the SAFESTATE.
10033136 SACID
10033136 SACID
A startup task named Core0_Init_task shall be configured. This task shall get activate during the system startup
once the OS is initialized. This startup task is executed only once. Ecu state manager(EcuM) startup two phase
is executed in this task. In startup two phase Rte and scheduler are started which then activate the alarms and
remaining tasks.
An Idle task(Core0_Task_Idle) shall be configured for CPU load measurement. Runnable of RTM (Runtime
Measurement) module shall be executed in this task. This task shall be executed only when there are no other
task is in execution(only when CPU is idle).Hence this task has lowest priority and it is fully pre-emptible.
Table 19 : OS Tasks
10033136 SACID
10033136 SACID
Exi_MainFunction QM 5
Core0_Task_Appl_HighPrio_QM Plcks_Slac_SM QM 1
ISOND_Runnable_Main QM 2
VALK_Control_Locking_Mech_Runnable_Main QM 3
Core0_Task_Bsw_LowPrio_QM BswM_MainFunction QM 1
EcuM_MainFunction QM 2
ComM_MainFunction QM 3
CanSM_MainFunction QM 4
LinSM_MainFunction QM 5
EthSM_MainFunction QM 6
CanTp_Mainfunction QM 7
CanNM_MainFunction QM 8
Nm_MainFunction QM 9
Core0_Task_Appl_LowPrio_QM Led_Runnable_Main QM 1
AptivDiagSwc_Runnable_Main QM 2
Core0_Task_Diag_LowPrio_QM Dcm_MainFunction QM 1
Dem_MasterMainFunction QM 2
Dem_SatelliteMainFunction QM 3
Core0_Task_SysSupervision_QM SysSup_MainFunction QM 1
5.6 Interrupts
Following peripheral shall use interrupt mechanism for their respective functionality
10033136 SACID
All of the above interrupts are implemented as Category 2 interrupt. That means in this case OS is responsible
for the interrupt handling like stack allocation to interrupt , interrupt priority handling , nesting of interrupt ,
invocation of interrupt service routine etc.
Nesting is disabled for all the interrupts. Hence all the interrupt share the same stack memory.
A stack size of 2048Bytes shall be configured for the interrupts.
ErrorHook shall be used for capturing the error reported from the OS module and this shall be reported to System
Supervision module. And based on the criticality of the error SysSup module shall try to recover the from the
error .
Within the Error Hook function following errors shall be captured and reported to the SysSup module.
OS Error Code Error Description
E_OS_ACCESS Illegal Access
E_OS_CALLEVEL Invalid Calling Context
E_OS_ID Invalid OS Object ID
E_OS_LIMIT Maximum task activation reached
E_OS_NOFUNC OS Object is currently not in use
E_OS_RESOURCE Scheduling requested with already occupied resource
E_OS_STATE OS object is not in correct state to perform the
requested operation
E_OS_MISSINGEND Task terminate without a TerminateTask()
E_OS_STACKFAULT A stack fault is detected
E_OS_PROTECTION_MEMORY A memory access violation occurred
E_OS_PROTECTION_TIME A task /ISR exceeds its execution time budgets.
E_OS_PROTECTION_LOCKED A task/ISR blocks for too long
E_OS_PROTECTION_EXCEPTION A trap occurred
E_OS_INTERFERENCE_DEADLOCK Deadlock situation due to interference
E_OS_CORE Core not available
E_OS_PARAM_POINTER A null pointer was given as an argument
10033136 SACID
This hook is called by the operating system before execution of a new task.
This hook shall be used for the measurement of the task execution time using RunTime Measurement
(RTM) module.
PreTaskHook_ OS_Application_Core0_QM OS_Application_Core0_QM
PreTaskHook_ OS_Application_Core0_ASIL OS_Application_Core0_ASIL
Rtm_Start shall be called at the beginning of Pre-Task hook to start the measurement of task corresponding to
the measurement ID.
PreTaskHook_<OSApplication>()
{
TaskId = GetTaskID()
If(TaskId == ‘x’)
Rtm_Start (MeasurementID of Task ‘x’)
}
This hook is called by the operating system after executing the current task.
This hook shall be used for the measurement of task execution using RunTime Measurement
(RTM) module.
PostTaskHook_ OS_Application_Core0_QM OS_Application_Core0_QM
PostTaskHook_ OS_Application_Core0_ASIL OS_Application_Core0_ASIL
Rtm_Stop shall be called at the beginning of Post-Task hook to stop the measurement of task corresponding to
the measurement ID.
PostTaskHook_<OSApplication>()
{
TaskId = GetTaskID()
If(TaskId == ‘x’)
Rtm_Stop (MeasurementID of Task ‘x’)
}
10033136 SACID
Below is the memory estimation of various components used in the SACID software.
Run Time Measurement (RTM) module provided by Vector shall be used for measuring the CPU load of the
software
10033136 SACID
RTM module measure the following
1. Minimum CPU load
2. Maximum CPU Load
3. Average CPU Load
4. Current CPU Load
RTM module measure the CPU load by monitoring the total time spend in the idle task. An idle task shall be
created by configuring a preemptive task with lowest priority in OS.No other runnable or functions shall be
mapped to this task other than the runnable of RTM module Rtm_CpuLoadMeasurementFunction.
RTM module use Periodic Interrupt Timer (PIT) for the time base to measure the time in ticks.PIT shall be
configured with a resolution of 10000 ticks per 1ms.
CDD module Cdd_CpuLoadMonitor shall periodically read the CPU load values published by the RTM module.
There is DID available in the SACID to read the CPU load. When this DID is requested Diagnostic module shall
read the CPU load values from Cdd_CpuLoadMonitor.
During initialization of BSW modules , based on the variants right configuration can be selected using the
interface EcuM_DeterminePbConfiguration()
10033136 SACID
1. SACID software shall complete initialization and send functionally valid values on CAN bus within
200ms during startup.
2. SACID shall complete all the initialization needed for PLC (QCA firmware download and initialization)
and ready for PLC communication within 9s.
There shall be an isolation between SACID external and internal communication . This isolation must disallow
any software or protocol vulnerabilities to compromise SACID completely. It must disallow the attacker to
access the internal interfaces and must protect SACID from any buffer overflow or memory leakage.
There is currently only one Ethernet stack which is shared between vehicle external communication (V2G-
PLC) and vehicle internal communication. Hence it is not possible to create two separate memory partition for
modules involved in Vehicle external communication and vehicle internal communication.
This has been discussed with Porsche Cyber security team. Based on the detailed discussion with Porsche
and Vector , following solution is proposed and agreed .
The following additional protection measures shall be implemented in the SACID software
1. First Barrier
• Increase the confidence in freedom from interference between modules
Approved- Revision 4.2 Page 92 of 99
Copyright © 2019 Aptiv Advanced Safety & User Experience Confidential – Restricted Aptiv information. Do not disclose.
Software Architectural Design
10033136 SACID
a. Static Code Analysis
b. Disable unused functionality
• Enable SafeBSW option in the configuration of BSW modules (EthIf, TcpIp,SoAd,Eth,
Csm,Cryf,Crypto)
• Enable development error detection
• Implement mechanism similar to DET check in application
2. Second Barrier
• Prevent code execution from RAM to avoid successful code injection attacks. MPU module shall be
configured prevent code execution from RAM.
• Enable stack protection.
10033136 SACID
6 Memory Map
The memory map and memory budget for the SACID software is distributed as follows:
6.1 Program(ROM) Memory
See the attached excel sheet for more details on the memory map.
Memorymap_SACID
_SPC584C_3MBFlash_320KBRam.xlsx
10033136 SACID
Memory Type of data Size Trigger for read Trigger for Write Integrity
Location check
ROM One Time 224 Read during startup phase Written only once at the CRC is
programmable data bytes of the software and used plant calculated for
for the following. this set of
- VW FAZIT -Identify the variants data and
Identification String -Initialize the Ethernet written in the
communication data flash.
-HW Part Number -Initialize the PLC
communication.
-Spare part number Also read during
diagnostic session when
-HW version corresponding DIDs are
requested.
-MCU MAC address
Data Flash SACID coding 192 During startup phase data Diagnostic DIDs are CRC
parameters for bytes will be read and copied to available to write this
Application components RAM. parameters
Data Flash Dem Admin Data 10 During startup phase data Stored to data flash CRC
bytes will be read and copied to during sleep by
RAM(Buffer handled by NvM_WriteAll
the Dem module)
Data Flash - Dem Status 364 During startup phase data Stored to data flash CRC
- Dem Primary Entry bytes will be read and copied to during sleep only if
- Dem Secondary Entry RAM(Buffer handled by data is changed by
- Aging Data the Dem module) NvM_WriteAll
Data Flash Charging session ID 9 During startup phase During normal CRC
bytes (NvM_ReadAll) data will operation any change
be read and copied to is updated in the RAM
RAM variable variable
Scc_SessionIDNvm Scc_SessionIDNvm .
And the data in the
variable
Scc_SessionIDNvm
stored to the data flash
During sleep by
NvM_WriteAll
Table 23 : Persistent Data Storage
10033136 SACID
Following RAM buffers are available in the SACID which act as Mirror of data stored in the Data flash.
Dem Status During Initial cycle default data will be copied from ROM to RAM
Dem Primary Entry Buffer .
Dem Secondary Entry In the subsequent cycle during startup phase(NvM_ReadAll) data
Aging Data will be copied from Data flash to RAM buffer.
During clear DTC RAM buffer will be updated and stored to the
dataflash.
During sleep(NvM_WriteAll) RAM buffer is stored to the dafaflash
only if the content is changed.
Charging session ID During Initial cycle default data will be copied from ROM to RAM
Buffer .
In the subsequent cycle during startup phase(NvM_ReadAll) data
will be copied from Data flash to RAM buffer.
During sleep(NvM_WriteAll) RAM buffer is stored to the dafaflash
only if the content is changed. If there is a change in the value , that
will be notified by the vScc module.
10033136 SACID
10033136 SACID
The Aptiv use the standard Build Environment based on MTSA_MAK. The MTSA_MAK build system is based
on Gnu Make, which is a tool to maintain software rebuilding based on dependency analysis. Dependency
analysis is helpful to only recompile things which need to be recompiled after some files changed (MINIMUM
recompile), and to recompile all files needed to be recompiled (CONSISTENT recompile). Dependency is defined
in rules for input files through a "compilation step" onto output files (i.e. the result of the "compilation step"). That
dependency is maintained based on the time stamp of the input and output files. So whenever the output file
has an older modification time than one of the input files, the "compilation step" of the rule is triggered to update
the output files
Term Definition
ASIL Automotive Safety Integrity Level
AUTOSAR AUTomotive Open System ARchitecture
BSW Basic Software
CAN Controller Area Network
CDD Complex Device Driver
CPU Central Processing Unit
CCS Combine Charging System
CP Control Pilot
DIO Digital Input Output
ECC Error Correcting Code
EVCC Electric Vehicle Communication Controller
EVSE Electric Vehicle Supply Equipment
ECU Electronic Control Unit
EB Elektro Bit
10033136 SACID
Term Definition
FBL Flash Boot Loader
GSCP Global SPICE Compliant Process
GPT General Purpose Timer
HCP High Computing Platform
I/O Input / Output
IDSM Intrusion Detection System Manager
ISR Interrupt Service Routine
MCAL Microcontroller Abstraction Layer
MCU Micro-Controller Unit
LIN Local Interconnect Network
PWM Pulse Width Modulation
PLC Power Line Communication
QSEV Qualified Security Events
RTE Run Time Environment
SWC Software Component
SACID Smart Actuator Charger Interface Device
SECC Supply Equipment Communication Controller
SLAC Signal Level Attenuation Characterization
SysSup System Supervision
SEV Security Events
TLS Transport Layer Security