Reputation: 11
[Background]
AUTOSAR Wdg requires refreshing the hardware Wdg in ISR context (SWS_Wdg_00166); the purpose is just "minimum timing jitter" and "minimum latencies" for the window Wdg and compatibility with the old WdgM.
But my understanding is that the purpose of a window Wdg is to detect system clock jitter (example: CPU PLL), which is required by ISO 26262 Annex D (clock jitter).
The AUTOSAR Wdg strategy removes the concept of the "Wdg window" from the upper layer and encapsulates it in the hardware timer: as long as the WdgM is alive and Wdg_SetTriggerCondition is invoked within the Wdg timeout period, the Wdg driver refreshes the HW Wdg in the hardware timer ISR, so at WdgM level it is the same as the previous toggle Wdg.
[Question]
If the AUTOSAR standard is used to develop functional safety software, how should the above Wdg requirement be handled?
If it is obeyed, ISO 26262 is not satisfied.
If it is ignored, the AUTOSAR standard is not satisfied.
Who can give me some suggestions?
or
Is there any way to submit this to AUTOSAR?
Upvotes: 1
Views: 2483
Reputation:
I hardly understand your [Background] part, but if you look at BSW requirement SRS_Wdg_12019, it says
SRS_Wdg_12019: The watchdog driver shall provide a watchdog trigger routine.
and that is satisfied by SWS_Wdg_00166 amongst others. SWS_Wdg_00166 says
SWS_Wdg_00166: The routine servicing an internal watchdog shall be implemented as an interrupt routine driven by a hardware timer
Further reading reveals:
As already stated by SWS_Wdg_00162 and SWS_Wdg_00166, the time base for triggering the watchdog shall be provided by means of a hardware. This ensures minimum timing jitter.
These two requirements SWS_Wdg_00162 and SWS_Wdg_00166 also imply that servicing of the watchdog hardware is done directly from a timer ISR. This ensures minimum latencies.
ISO26262 compliance can be achieved not only with ASR features like Wdg, but you need a Window Watchdog for sure. I think you should urgently seek AUTOSAR and ISO26262 classes.
Upvotes: 0
Reputation: 181
First of all, make sure that your WdgM is designed and developed for your required ASIL level. (Your BSW vendor will provide you with this information.) If your system is ASIL-B, your WdgM has to fulfill ASIL-B requirements. The problem that you are mentioning (the WdgM triggers the Wdg cyclically, independent of the trigger timing from the SW-Cs) comes from the fact that the WdgM has to consider several SW-Cs and maybe also sequence monitoring etc. Mentioning the watchdog window should make it obvious that the WdgM cannot trigger the (external) watchdog every time any of the SW-Cs triggers the WdgM.
Upvotes: 0
Reputation: 2590
I am not entirely sure if I understand your question completely, but I think you're misunderstanding the purpose of the windowed watchdog.
WDG, configured via WDGM, ensures simple is-alive monitoring of your ECU. With some of the configuration options present (such as watchdog checkpoints), it can achieve simple program flow monitoring. The windowing of the watchdog is there just to make sure that you not only kick the watchdog but also observe some timing requirements. To take the simplest case, if you kick the watchdog only from one task and that is supposed to run every 5 ms, windowing can guarantee that the system will detect a failure if the task runs every 1 ms, or every 15 ms.
Autosar by itself is not necessarily sufficient to make software that is safe in the ISO 26262 meaning. You need to know what ASIL you're targeting, and then to design the system to achieve that level. Typically, you'd rely not just on ISO 26262 but also on a safety manual provided by the manufacturer of your hardware. That is likely to specify additional requirements you have to implement, completely independent of Autosar.
Upvotes: 1
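The following simulation is an added example and not code from the question, the answers or AUTOSAR. It models the two mechanisms discussed in this thread: the window watchdog described in the answer above (a 5 ms task whose kicks arrive every 1 ms or every 15 ms must trip the window) and the SWS_Wdg_00162/SWS_Wdg_00166 pattern quoted in the first answer, where the WdgM only re-arms a timeout via Wdg_SetTriggerCondition and the hardware is serviced from a timer ISR while that timeout is unexpired. The window edges (3 ms/10 ms), the ISR period (5 ms) and the trigger timeout (12 ms) are arbitrary constructed values, and the function names only loosely mirror the AUTOSAR API; time is advanced in 1 ms steps by the simulation loop rather than by real hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation (not AUTOSAR code): a window watchdog model and the
 * trigger-condition / timer-ISR servicing pattern. All constants are arbitrary
 * example values; function names only loosely mirror the AUTOSAR Wdg API. */

#define WINDOW_MIN_MS       3u   /* a refresh earlier than this is a fault       */
#define WINDOW_MAX_MS      10u   /* no refresh by this time is a fault           */
#define ISR_PERIOD_MS       5u   /* period of the hardware timer driving the ISR */
#define TRIGGER_TIMEOUT_MS 12u   /* timeout armed by each Wdg_SetTriggerCondition */

typedef struct {
    uint32_t since_refresh_ms;   /* time since the last accepted refresh       */
    bool     reset_asserted;     /* latched: the watchdog would reset the MCU  */
} HwWindowWdg;

/* One millisecond of hardware time: a missing refresh trips the late edge. */
static void hw_wdg_tick(HwWindowWdg *w)
{
    if (w->reset_asserted) return;
    w->since_refresh_ms++;
    if (w->since_refresh_ms > WINDOW_MAX_MS) w->reset_asserted = true;
}

/* A refresh is accepted only inside the window; too early also trips it. */
static void hw_wdg_refresh(HwWindowWdg *w)
{
    if (w->reset_asserted) return;
    if (w->since_refresh_ms < WINDOW_MIN_MS) { w->reset_asserted = true; return; }
    w->since_refresh_ms = 0u;
}

/* Case 1 (window watchdog answer): a task refreshes the hardware directly every
 * kick_period_ms; 0 means the task never runs. Returns true if a reset fired. */
bool direct_kick_causes_reset(uint32_t kick_period_ms, uint32_t total_ms)
{
    HwWindowWdg hw = { 0u, false };
    for (uint32_t t = 1u; t <= total_ms; t++) {
        hw_wdg_tick(&hw);
        if (kick_period_ms != 0u && t % kick_period_ms == 0u) hw_wdg_refresh(&hw);
    }
    return hw.reset_asserted;
}

/* Case 2 (SWS_Wdg_00162/00166 pattern): the WdgM only re-arms a timeout; the
 * hardware is serviced from the timer ISR while that timeout is unexpired. */
typedef struct {
    HwWindowWdg *hw;
    uint32_t     trigger_remaining_ms;   /* armed by Wdg_SetTriggerCondition */
    uint32_t     isr_elapsed_ms;         /* time since the last timer ISR     */
} WdgDriver;

static void Wdg_SetTriggerCondition(WdgDriver *d, uint16_t timeout_ms)
{
    d->trigger_remaining_ms = timeout_ms;   /* no hardware access here */
}

static void Wdg_TimerIsr(WdgDriver *d)
{
    if (d->trigger_remaining_ms >= ISR_PERIOD_MS) {
        d->trigger_remaining_ms -= ISR_PERIOD_MS;
        hw_wdg_refresh(d->hw);              /* paced by the timer, not by the WdgM */
    } else {
        d->trigger_remaining_ms = 0u;       /* expired: stop servicing, let it reset */
    }
}

/* The WdgM calls Wdg_SetTriggerCondition every wdgm_period_ms (0 = only once,
 * at startup). Returns true if the hardware reset fired within total_ms. */
bool autosar_trigger_causes_reset(uint32_t wdgm_period_ms, uint32_t total_ms)
{
    HwWindowWdg hw = { 0u, false };
    WdgDriver d = { &hw, 0u, 0u };
    Wdg_SetTriggerCondition(&d, TRIGGER_TIMEOUT_MS);
    for (uint32_t t = 1u; t <= total_ms; t++) {
        hw_wdg_tick(&hw);
        if (wdgm_period_ms != 0u && t % wdgm_period_ms == 0u)
            Wdg_SetTriggerCondition(&d, TRIGGER_TIMEOUT_MS);
        if (++d.isr_elapsed_ms >= ISR_PERIOD_MS) { d.isr_elapsed_ms = 0u; Wdg_TimerIsr(&d); }
    }
    return hw.reset_asserted;
}

int main(void)
{
    printf("direct  5 ms: reset=%d\n", direct_kick_causes_reset(5u, 100u));     /* 0 */
    printf("direct  1 ms: reset=%d\n", direct_kick_causes_reset(1u, 100u));     /* 1 */
    printf("direct 15 ms: reset=%d\n", direct_kick_causes_reset(15u, 100u));    /* 1 */
    printf("AUTOSAR 5 ms: reset=%d\n", autosar_trigger_causes_reset(5u, 100u)); /* 0 */
    printf("AUTOSAR 1 ms: reset=%d\n", autosar_trigger_causes_reset(1u, 100u)); /* 0 */
    printf("AUTOSAR stop: reset=%d\n", autosar_trigger_causes_reset(0u, 100u)); /* 1 */
    return 0;
}
```

In case 1 the window does exactly what the answer describes: a task kicking every 1 ms trips the early edge and one kicking every 15 ms trips the late edge, while 5 ms passes. In case 2 the ISR always refreshes on the 5 ms timer grid, so a WdgM that stops re-arming the timeout is still caught (the ISR stops servicing and the late edge fires), but a WdgM that re-arms too often is not seen by the hardware window at all, which is the behaviour the question points at: with this pattern, early-trigger detection has to come from the WdgM's own supervision rather than from the window edge.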