September 2016 | Property of Valeo. Duplication prohibited
Using the Benefits of Model-Based Design to Develop AUTOSAR Basic Software Modules
Mohamed Soliman & Amjad Elshenawy
MathWorks Automotive Conference 2016, Stuttgart, 21 September 2016
Agenda
1. Why use MBD for Developing AUTOSAR BSW Modules?
2. CAN State Manager (CanSM)
3. Challenges Encountered in Developing CanSM using MBD
4. Results of Our Experiment
AUTOSAR Embraces Complexity
[Bar chart: Number of Basic SW Modules per AUTOSAR release]
R1.0 (2005): 33
R2.0 (2006): 45
R2.1 (2006): 51
R3.0 (2007): 53
R3.1 (2008): 53
R3.2 (2011): 55
R4.0 (2011): 80
R4.1 (2014): 89
R4.2 (2015): 98
Growth: 1X to 3X
AUTOSAR Embraces Complexity
[Bar chart: Number of Requirements per AUTOSAR release]
R1.0 (2005): 2,525
R2.0 (2006): 5,311
R2.1 (2006): 6,006
R3.0 (2007): 8,626
R3.1 (2008): 8,928
R3.2 (2011): 9,811
R4.0 (2011): 19,569
R4.1 (2014): 27,357
R4.2 (2015): 31,759
Growth: 1X to 12X
Characteristics of AUTOSAR Basic Software Modules
Highly Configurable:
Pre-compile Configuration: enabling/disabling optional functionality.
Link-time Configuration: configuration of modules that are only available as object code (e.g. for IP protection).
Post-build Configuration: changing the configuration after building the code (at run time).
Characteristics of AUTOSAR Basic Software Modules
Standard Interfaces and Standard Types
[Figure: component diagram "cmp Com Context View". The Com module is linked to the modules Rte, ComM, PduR, BswM, EcuM, Dem and Det through the standard interfaces Com, Com_Cbk, Rte_Cbk, Com_IpduGroup, PduR_Com, Com_Init, Det_ReportError and Dem_ReportErrorStatus; the dependencies are stereotyped «use», «use optionally», «mandatory» and «optional».]
Motivations for using MBD for Developing AUTOSAR BSW Modules
In our case MBD is selected to provide the following benefits (the time / cost / quality triangle):
Shorter development time
Better re-usability and maintainability of the design / model
Improvement of the product quality
CAN State Manager
One of the basic software communication stack modules.
Responsible for managing the states of the CAN networks: No Communication, Silent Communication, Full Communication.
[Figure: AUTOSAR layered architecture with the Can State Manager highlighted. RTE; Communication Services (Communication Manager, Generic NM Interface, CanNm, Can Transport Protocol, PduR, Dbg, Dcm, IpduM, XCP, Can State Manager); Communication HW Abstraction (Can Interface, CanTrcv); Microcontroller Abstraction Layer (MCAL: Can Driver, CanTrcv, DIO Driver, SPI Handler Driver); Microcontroller.]
CAN State Manager: State Machine Complexity
[Figure: state machine CANSM_BSM. Pseudo-states PowerOn and PowerOff; states CANSM_BSM_S_NOT_INITIALIZED, CANSM_BSM_S_PRE_NOCOM, CANSM_BSM_S_NOCOM, CANSM_BSM_WUVALIDATION, CANSM_BSM_S_PRE_FULLCOM, CANSM_BSM_S_FULLCOM, CANSM_BSM_S_SILENTCOM, CANSM_BSM_S_SILENTCOM_BOR, CANSM_BSM_S_CHANGE_BAUDRATE. Exit points: To FULLCOM, REPEAT_MAX, CHANGE_BR, NO_COM, FULL_OR_SILENT_COM. Triggers: CanSM_Init, T_FULL_COM_MODE_REQUEST, T_SILENT_COM_MODE_REQUEST, T_NO_COM_MODE_REQUEST, T_BUS_OFF, T_REPEAT_MAX, T_START_WAKEUP_SOURCE, T_STOP_WAKEUP_SOURCE. Guards: G_FULL_COM_MODE_REQUESTED, G_SILENT_COM_MODE_REQUESTED. Effects: E_FULL_COM, E_PRE_NOCOM, E_NOCOM, E_FULL_TO_SILENT_COM, E_SILENT_TO_FULL_COM, E_BR_END_FULL_COM, E_BR_END_SILENT_COM.]
[Figure: sub-state machine CANSM_BSM_S_FULLCOM. States: S_RESTART_CC (do / DO_SET_CC_MODE_STARTED), CANSM_BSM_S_RESTART_CC_WAIT, S_TX_OFF, S_BUS_OFF_CHECK, S_NO_BUS_OFF, CANSM_BSM_S_TX_TIMEOUT_EXCEPTION. Exit points: CHANGE_BR, TxTimeout. Triggers: T_RESTART_CC_INDICATED, T_RESTART_CC_TIMEOUT, T_BUS_OFF, T_TX_TIMEOUT_EXCEPTION, T_CHANGE_BR_REQUEST. Guards: G_RESTART_CC_E_OK, G_TX_ON, G_BUS_OFF_PASSIVE. Effects: E_TX_OFF, E_TX_ON, E_BUS_OFF, E_BUS_OFF_PASSIVE, E_CHANGE_BR_BSWM_MODE.]
[Figure: sub-state machine CANSM_BSM_S_TX_TIMEOUT_EXCEPTION. Entry point S_TX_TIMEOUT_EXCEPTION_PROCEED, exit point TxTimeout. States: S_CC_STOPPED (do / DO_SET_CC_MODE_STOPPED()), S_CC_STOPPED_WAIT, S_CC_STARTED (do / DO_SET_CC_MODE_STARTED()), S_CC_STARTED_WAIT. Transitions: T_CC_STOPPED_INDICATED [G_CC_STOPPED_E_OK], T_CC_STOPPED_TIMEOUT, T_CC_STARTED_INDICATED [G_CC_STARTED_E_OK], T_CC_STARTED_TIMEOUT.]
CAN State Manager: Module Complexity
280 requirements.
26 configuration parameters.
18 provided interfaces.
Pre-compile Configuration
SWS_BSW_00029: If the BSW Module contains optional functionality, then this functionality shall be enabled (STD_ON) or disabled (STD_OFF) by a pre-compile time configuration parameter.
Using a "Variant Subsystem" to generate the pre-compile configuration.
Generating preprocessor conditionals from the variant model blocks.
Standard Interfaces
Example scenario: "Network status change upon Communication Manager module (ComM) request"
SRS_Can_01142: The CAN State Manager shall offer a network abstract API to the upper layer.
[Figure: sequence diagram between the modules ComM, Nm and CanSM. ComM requests COMM_FULL_COMMUNICATION with Std_ReturnType := CanSM_RequestComMode(NetworkHandle, ComM_Mode := COMM_FULL_COMMUNICATION); the call returns CanSM_RequestComMode(...) = E_OK, and a COMM_FULL_COMMUNICATION indication follows.]
Code Duplication
SWS_BSW_00127: The BSW Module implementation shall avoid duplication of code.
[Figure: the same controller start pattern is repeated in several sub-charts. In stm CANSM_BSM_S_TX_TIMEOUT_EXCEPTION (entry point S_TX_TIMEOUT_EXCEPTION_PROCEED, exit point TxTimeout) and in stm CANSM_BSM_WUVALIDATION (entry point WAIT_WUVALIDATION_LEAVE) the pair S_CC_STARTED (do / DO_SET_CC_MODE_STARTED) and S_CC_STARTED_WAIT, with transitions T_CC_STARTED_INDICATED [G_CC_STARTED_E_OK] and T_CC_STARTED_TIMEOUT, appears identically. The pair S_CC_STOPPED (do / DO_SET_CC_MODE_STOPPED) and S_CC_STOPPED_WAIT (T_CC_STOPPED_INDICATED [G_CC_STOPPED_E_OK], T_CC_STOPPED_TIMEOUT) and, in WUVALIDATION, S_TRCV_NORMAL (do / DO_SET_TRCV_MODE_NORMAL) and S_TRCV_NORMAL_WAIT (T_TRCV_NORMAL_INDICATED [G_TRCV_NORMAL_E_OK], T_TRCV_NORMAL_TIMEOUT) follow the same structure.]
Using a library of atomic sub-charts to avoid code duplication.
Compliance with MISRA C Rules
SWS_BSW_00115: If the BSW Module implementation is written in C language, then it shall conform to the MISRA C 2004 Standard.
Source complexity (cyclomatic complexity): the number of linearly independent paths should not exceed a certain limit.
Implicit and explicit type conversions (casting). Example: casting from integer to pointer is prohibited.
Parentheses "(" and ")" should be used to make the precedence of expressions explicit.
The final clause of a switch statement shall be the default clause.
Cyclomatic complexity is controlled by separating atomic parts into separate functions.
Further MISRA C examples shown: implicit and explicit type conversions (casting), parentheses level, and the final clause of a switch statement.
Non-Functional Requirements
Maintainability
Reusability
Reliability
Efficiency (execution time, memory consumption, ...)
Non-Functional Requirements
Execution time: switch-case vs. if-else
[Figure: two flowcharts. The if-else chain evaluates Exp #1, Exp #2, ..., Exp #n in sequence; a True result executes Statement #1, #2, ..., #n, a False result moves on to the next expression, and the Default Statement is reached only after all expressions are False. The switch-case evaluates the Expression once and branches directly to Case #1, Case #2, ..., Case #n and its Statement.]
Execution time optimization: code generation with switch-case instead of if-else.
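The points above (a pre-compile STD_ON/STD_OFF parameter, a switch statement that ends in a default clause, and the CanSM_RequestComMode API from the standard-interface scenario) brought together in one MISRA-style function, as an added example that is not Valeo's code or any AUTOSAR vendor's implementation: it covers only the NOCOM / SILENTCOM / FULLCOM states of CANSM_BSM, and the names CANSM_DEV_ERROR_DETECT and CANSM_NUM_NETWORKS are assumed configuration parameters.

```c
/* Added example, not Valeo's or any AUTOSAR vendor's code: the ComM ->
 * CanSM_RequestComMode -> E_OK scenario as MISRA-style C over the NOCOM /
 * SILENTCOM / FULLCOM states of CANSM_BSM (bus-off, wake-up validation and
 * baud-rate change omitted). CANSM_DEV_ERROR_DETECT / CANSM_NUM_NETWORKS are assumed. */
#include <stdint.h>
typedef uint8_t Std_ReturnType, NetworkHandleType, ComM_ModeType;
#define E_OK     ((Std_ReturnType)0U)
#define E_NOT_OK ((Std_ReturnType)1U)
#define STD_ON   1U
#define COMM_NO_COMMUNICATION     ((ComM_ModeType)0U)
#define COMM_SILENT_COMMUNICATION ((ComM_ModeType)1U)
#define COMM_FULL_COMMUNICATION   ((ComM_ModeType)2U)
/* Pre-compile configuration (SWS_BSW_00029): optional DET checks on or off */
#define CANSM_DEV_ERROR_DETECT STD_ON
#define CANSM_NUM_NETWORKS     2U
typedef enum { CANSM_BSM_S_NOT_INITIALIZED = 0, CANSM_BSM_S_NOCOM,
               CANSM_BSM_S_SILENTCOM, CANSM_BSM_S_FULLCOM } CanSM_BsmStateType;
static CanSM_BsmStateType CanSM_State[CANSM_NUM_NETWORKS]; /* zero-init = not initialised */
static uint8_t CanSM_DetErrors = 0U;  /* stand-in for Det_ReportError() */
void CanSM_Init(void)
{
    uint8_t i;
    for (i = 0U; i < CANSM_NUM_NETWORKS; i++) { CanSM_State[i] = CANSM_BSM_S_NOCOM; }
}

Std_ReturnType CanSM_RequestComMode(NetworkHandleType network, ComM_ModeType ComM_Mode)
{
    Std_ReturnType ret = E_NOT_OK;  /* single exit point (MISRA C 2004 rule 14.7) */
    uint8_t valid = 1U;
#if (CANSM_DEV_ERROR_DETECT == STD_ON)
    if ((network >= CANSM_NUM_NETWORKS) || (CanSM_State[network] == CANSM_BSM_S_NOT_INITIALIZED)) {
        CanSM_DetErrors++; valid = 0U;   /* bad handle, or CanSM_Init() not yet called */
    }
#endif
    if (valid == 1U) {
        switch (ComM_Mode) {  /* one switch rather than an if/else chain; default is the final clause */
        case COMM_FULL_COMMUNICATION:   /* T_FULL_COM_MODE_REQUEST from NOCOM or SILENTCOM */
            CanSM_State[network] = CANSM_BSM_S_FULLCOM; ret = E_OK; break;
        case COMM_SILENT_COMMUNICATION: /* T_SILENT_COM_MODE_REQUEST is only taken from FULLCOM */
            if (CanSM_State[network] == CANSM_BSM_S_FULLCOM) {
                CanSM_State[network] = CANSM_BSM_S_SILENTCOM; ret = E_OK;
            }
            break;
        case COMM_NO_COMMUNICATION:     /* T_NO_COM_MODE_REQUEST from any state */
            CanSM_State[network] = CANSM_BSM_S_NOCOM; ret = E_OK; break;
        default: break;                 /* unknown mode: rejected with E_NOT_OK */
        }
    }
    return ret;
}
```

With CANSM_DEV_ERROR_DETECT set to STD_OFF the whole handle and initialisation check is compiled out, which is exactly the pre-compile trade-off the variant subsystem generates.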
Smoke Testing
Smoke testing is non-exhaustive software testing that ascertains that the most crucial functions of a program work, without bothering with finer details.
Smoke testing is not a substitute for traditional testing mechanisms.
Attaching Microsoft Visual Studio to the MATLAB process.
Debugging in the model and in the manual code.
Results of the Provided Solution
Development time is about 18% less than for the other manually developed modules of similar size.
Bug-fixing time is about 34% shorter than for the other manually developed modules of similar size.
The number of issues found during the testing phase is about 30% less than for the other manually developed modules of similar size.