Specification of Update and Configuration Management
AUTOSAR AP R21-11

Document Title: Specification of Update and Configuration Management
Document Owner: AUTOSAR
Document Responsibility: AUTOSAR
Document Identification No: 888
Document Status: published
Part of AUTOSAR Standard: Adaptive Platform
Part of Standard Release: R21-11

Document Change History

Date: 2021-11-25; Release: R21-11; Changed by: AUTOSAR Release Management
• Renamed to SWS_UpdateAndConfigurationManagement
• UCM errors ordering
• Vehicle State Manager API detailing
• Classic Platform update specification for UCM Master

Date: 2020-11-30; Release: R20-11; Changed by: AUTOSAR Release Management
• Refactored UCM Master API
• Simplified UCM Master State Machine
• Detailed campaign history information

Date: 2019-11-28; Release: R19-11; Changed by: AUTOSAR Release Management
• Introduced UCM Master concept
• Software Package state machine updated for processing while streaming
• Reviewed UCM State Machine
• Added new security analysis appendix
• Changed Document Status from Final to published

Date: 2019-03-29; Release: 19-03; Changed by: AUTOSAR Release Management
• Updating Package Management state machine
• New requirements for robustness against reset
• Improving specification item atomicity
• Fixing errors in chapter Service Interfaces

Date: 2018-10-31; Release: 18-10; Changed by: AUTOSAR Release Management
• Updated interaction with other functional clusters like PER and EMO/SM
• Introduction of vehicle package distribution
• Extended and updated service interface

Date: 2018-03-29; Release: 18-03; Changed by: AUTOSAR Release Management
• Introduction of Software Package Management
• Introduction to securing update process

Date: 2017-10-27; Release: 17-10; Changed by: AUTOSAR Release Management
• Initial release

1 of 155 Document ID 888: AUTOSAR_SWS_UpdateAndConfigurationManagement


Disclaimer

This work (specification and/or software implementation) and the material contained in it, as released by AUTOSAR, is for the purpose of information only. AUTOSAR and the companies that have contributed to it shall not be liable for any use of the work.
The material contained in this work is protected by copyright and other types of intellectual property rights. The commercial exploitation of the material contained in this work requires a license to such intellectual property rights.
This work may be utilized or reproduced without any modification, in any form or by any means, for informational purposes only. For any other purpose, no part of the work may be utilized or reproduced, in any form or by any means, without permission in writing from the publisher.
The work has been developed for automotive applications only. It has neither been developed, nor tested for non-automotive applications.
The word AUTOSAR and the AUTOSAR logo are registered trademarks.


Table of Contents

1 Introduction and functional overview  8
2 Acronyms and abbreviations  9
3 Related documentation  11
3.1 Input documents & related standards and norms  11
3.2 Related specification  11
3.3 Further applicable specification  12
4 Constraints and assumptions  13
4.1 Known Limitations  13
4.2 Applicability to car domains  13
5 Dependencies to other functional clusters  14
5.1 Interfaces to Adaptive State Management  14
5.2 UCM service over ara::com  14
5.3 Interfaces to Adaptive Crypto Interface  14
5.4 Interfaces to Identity and Access Management  15
5.5 UCM use of Persistency library  15
6 Requirements Tracing  16
7 Functional specification  26
7.1 UCM  26
7.1.1 Software Cluster lifecycle  26
7.1.2 Technical Overview  27
7.1.2.1 Software Package Management  28
7.1.2.2 Runtime dependencies  32
7.1.2.3 Update scope and State Management  32
7.1.3 Transferring Software Packages  33
7.1.3.1 Error handling in TransferStart  36
7.1.3.2 Error handling in TransferData  36
7.1.3.3 Error handling in TransferExit  38
7.1.3.4 Error handling in DeleteTransfer  39
7.1.4 Processing of Software Packages from a stream  39
7.1.5 Processing Software Packages  40
7.1.5.1 Error handling during Processing Software Packages  41
7.1.5.2 Error handling for Cancel  43
7.1.5.3 Error handling for RevertProcessedSwPackages  44
7.1.5.4 Error handling for GetSwProcessProgress  44
7.1.6 Activation and Rollback  44
7.1.6.1 Activation  44
7.1.6.2 Rollback  46
7.1.6.3 Boot options  47
7.1.6.4 Finishing activation  47
7.1.7 Status Reporting  48
7.1.8 Robustness against reset  53
7.1.8.1 Boot monitoring  53
7.1.9 History  53
7.1.10 Version Reporting  54
7.1.11 Securing Software Updates  54
7.1.12 Functional cluster lifecycle  55
7.1.12.1 Shutdown behaviour  55
7.2 UCM Master  56
7.2.1 UCM Master Functional Cluster lifecycle  56
7.2.2 Technical Overview  56
7.2.3 UCM Master general behaviour  57
7.2.4 UCM identification  58
7.2.5 UCM Master Software Packages transfer or streaming  58
7.2.6 Adaptive Applications interacting with UCM Master  59
7.2.6.1 OTA Client  59
7.2.6.2 Vehicle Driver Interface  61
7.2.6.3 Vehicle State Manager  62
7.2.6.4 Flashing Adapter  63
7.2.7 Non Adaptive Platform update  65
7.2.7.1 D-PDU API implementation support  65
7.2.7.2 Not required D-PDU API concepts  66
7.2.7.3 Not required D-PDU API functions  66
7.2.7.4 Classic platform update with UCM Master and diagnostic tool  68
7.2.8 Status reporting  69
7.2.8.1 States  71
7.2.8.2 States Transitions  72
7.2.9 Campaign cancelling  74
7.2.10 Campaign Reporting  74
7.2.11 Content of Vehicle Package  75
7.2.12 Vehicle update security and confidentiality  77
8 API specification  78
9 Service Interfaces  79
9.1 Type definitions  79
9.1.1 UCMIdentifierType  79
9.1.2 TransferIdType  79
9.1.3 SwNameType  79
9.1.4 SwNameVectorType  80
9.1.5 StrongRevisionLabelString  80
9.1.6 SwNameVersionType  80
9.1.7 SwNameVersionVectorType  80
9.1.8 ByteVectorType  81
9.1.9 SwPackageStateType  81
9.1.10 SwPackageInfoType  81
9.1.11 SwPackageInfoVectorType  82
9.1.12 SwDescType  82
9.1.13 SwDescVectorType  83
9.1.14 SwPackageDescType  83
9.1.15 SwPackageDescVectorType  83
9.1.16 SwClusterStateType  84
9.1.17 SwClusterInfoType  84
9.1.18 SwClusterInfoVectorType  84
9.1.19 PackageManagementStatusType  85
9.1.20 ActionType  85
9.1.21 ResultType  85
9.1.22 GetHistoryType  86
9.1.23 GetHistoryVectorType  86
9.1.24 CampaignHistoryType  87
9.1.25 CampaignErrorType  87
9.1.26 CampaignFailureType  87
9.1.27 UCMStepErrorType  88
9.1.28 SoftwarePackageStepType  88
9.1.29 HistoryVectorType  88
9.1.30 CampaignStateType  89
9.1.31 TransferStateType  89
9.1.32 SafetyConditionType  90
9.1.33 SafetyConditionsVectorType  90
9.1.34 SafetyStatesType  90
9.1.35 SafetyStatesVectorType  91
9.2 Provided Service Interfaces  91
9.2.1 Package Management  91
9.2.2 Vehicle Package Management  98
9.2.3 Vehicle Driver Application Interface  104
9.2.4 Vehicle State Manager  108
9.3 Required Interface  109
9.3.1 State Management Update Request  109
9.4 Application Errors  109
9.4.1 Application Error Domain  109
9.4.1.1 UCMErrorDomain  109
10 Sequence diagrams  111
10.1 Update process  111
10.2 Data transmission  112
10.3 Package processing  113
10.4 Activation  114
10.5 Failing activation  115
10.6 UCM Master simplified vehicle update  116
A Mentioned Manifest Elements  117
B Interfaces to other Functional Clusters (informative)  125
B.1 Overview  125
B.2 Interfaces Tables  125
B.2.1 UCM update notification  125
C Packages distribution within vehicle detailed sequence examples  126
C.1 Collect information of present Software Clusters in vehicle  126
C.2 Action computation  126
C.2.1 Pull package from Backend into vehicle  127
C.2.2 Push package from backend into vehicle  127
C.3 Packages transfer from backend into targeted UCM  129
C.4 Package processing  130
C.5 Package activation  131
C.6 Package rollback  132
C.7 Campaign reporting  133
D Security Analysis of Installation and Update  134
D.1 Securing Software Package  134
D.2 Securing Calls to UCM  134
D.3 Suppressing Call to UCM  135
D.4 Resource Starvation  135
D.5 Zombie Sessions  135
E History of Constraints and Specification Items  137
E.1 Constraint and Specification Item History of this document according to AUTOSAR Release R19-11  137
E.1.1 Added Traceables in R19-11  137
E.1.2 Changed Traceables in R19-11  140
E.1.3 Deleted Traceables in R19-11  140
E.1.4 Added Constraints in R19-11  141
E.1.5 Changed Constraints in R19-11  141
E.1.6 Deleted Constraints in R19-11  141
E.2 Constraint and Specification Item History of this document according to AUTOSAR Release R20-11  141
E.2.1 Added Traceables in R20-11  141
E.2.2 Changed Traceables in R20-11  144
E.2.3 Deleted Traceables in R20-11  147
E.2.4 Added Constraints in R20-11  148
E.2.5 Changed Constraints in R20-11  148
E.2.6 Deleted Constraints in R20-11  148
E.3 Constraint and Specification Item History of this document according to AUTOSAR Release R21-11  149
E.3.1 Added Traceables in R21-11  149
E.3.2 Changed Traceables in R21-11  150
E.3.3 Deleted Traceables in R21-11  154
E.3.4 Added Constraints in R21-11  154
E.3.5 Changed Constraints in R21-11  154
E.3.6 Deleted Constraints in R21-11  155


1 Introduction and functional overview

This software specification contains the functional description and interfaces of the functional cluster Update and Configuration Management which belongs to the AUTOSAR Adaptive Platform Services. Update and Configuration Management has the responsibility of installing, updating and removing software on an AUTOSAR Adaptive Platform in a safe and secure way while not sacrificing the dynamic nature of the AUTOSAR Adaptive Platform.
The Update and Configuration Management functional cluster is responsible for:
• Version reporting of the software present in the AUTOSAR Adaptive Platform
• Receiving and buffering software updates
• Checking that enough resources are available to ensure a software update
• Performing software updates and providing log messages and progress information
• Validating the outcome of a software update
• Providing rollback functionality to restore a known functional state in case of failure
In addition to updating and changing software on the AUTOSAR Adaptive Platform, the Update and Configuration Management is also responsible for updates and changes to the AUTOSAR Adaptive Platform itself, including all functional clusters, the underlying POSIX OS and its kernel, with the responsibilities defined above.
In order to allow flexibility in how Update and Configuration Management is used, it will expose its functionality via ara::com service interfaces, not direct APIs. This ensures that the user of the functional cluster Update and Configuration Management does not have to be located on the same ECU.


2 Acronyms and abbreviations


The glossary below includes acronyms and abbreviations relevant to the UCM module that are not included in the [1, AUTOSAR glossary].

Abbreviation / Acronym: Description
DM: AUTOSAR Adaptive Diagnostic Management
UCM: Update and Configuration Management
UCM Master: UCM Master is distributing packages and coordinating an update campaign in a vehicle
Vehicle State Manager: see [1] AUTOSAR Glossary
Backend: Backend is a server hosting Software Packages
OTA Client: OTA Client is an Adaptive Application in communication with Backend Over The Air
Application Error: Errors returned by UCM
Boot options: Boot Manager Configuration
VCI: Vehicle Communication Interface
MVCI: Modular Vehicle Communication Interface
D-PDU API: Diagnostic Protocol Data Unit Application Programming Interface
RDF: Root Description File
MDF: Module Description File
integrity check: verification method proving there has not been any alteration of the artefact content

Some technical terms used in this document are already defined in the corresponding document mentioned in the table below. This avoids duplicate definitions of the technical terms and refers the reader to the correct document.

Term: Description
Adaptive Application: see [1] AUTOSAR Glossary
Application: see [1] AUTOSAR Glossary
AUTOSAR Adaptive Platform: see [1] AUTOSAR Glossary
AUTOSAR Classic Platform: see [1] AUTOSAR Glossary
Electronic Control Unit: see [1] AUTOSAR Glossary
Adaptive Platform Foundation: see [1] AUTOSAR Glossary
Adaptive Platform Services: see [1] AUTOSAR Glossary
Manifest: see [1] AUTOSAR Glossary
Executable: see [1] AUTOSAR Glossary
Functional Cluster: see [1] AUTOSAR Glossary
Machine: see [1] AUTOSAR Glossary
Service: see [1] AUTOSAR Glossary
Service Interface: see [1] AUTOSAR Glossary
Service Discovery: see [1] AUTOSAR Glossary
Execution Management: see [2] AUTOSAR Execution Management
MachineFG: see [2] AUTOSAR Execution Management
State Management: see [3] AUTOSAR State Management
Function Group: see [3] AUTOSAR State Management
Communication Management: see [4] AUTOSAR Communication Management
Software Cluster: see [1] AUTOSAR Glossary
Software Package: see [1] AUTOSAR Glossary
Vehicle Package: see [1] AUTOSAR Glossary

Table 2.1: Reference to Technical Terms


3 Related documentation

3.1 Input documents & related standards and norms

[1] Glossary
AUTOSAR_TR_Glossary
[2] Specification of Execution Management
AUTOSAR_SWS_ExecutionManagement
[3] Specification of State Management
AUTOSAR_SWS_StateManagement
[4] Specification of Communication Management
AUTOSAR_SWS_CommunicationManagement
[5] General Requirements specific to Adaptive Platform
AUTOSAR_RS_General
[6] Specification of Cryptography
AUTOSAR_SWS_Cryptography
[7] Specification of Identity and Access Management
AUTOSAR_SWS_IdentityAndAccessManagement
[8] Requirements on Update and Configuration Management
AUTOSAR_RS_UpdateAndConfigurationManagement
[9] Specification of Manifest
AUTOSAR_TPS_ManifestSpecification
[10] Explanation of Adaptive Platform Design
AUTOSAR_EXP_PlatformDesign
[11] Specification of Persistency
AUTOSAR_SWS_Persistency
[12] Specification of Platform Health Management
AUTOSAR_SWS_PlatformHealthManagement

3.2 Related specification


See chapter 3.1.


3.3 Further applicable specification


AUTOSAR provides a general specification [5] which is also applicable for UCM. The
specification RS General shall be considered as additional and required specification
for implementation of UCM.


4 Constraints and assumptions

4.1 Known Limitations


UCM is not responsible for initiating the update process. UCM realizes a service interface to achieve this operation. The user of this service interface is responsible for verifying that the vehicle is in an updatable state before executing a software update procedure on demand. It is also the responsibility of the user to communicate with other AUTOSAR Adaptive Platforms or AUTOSAR Classic Platforms within the vehicle.
The UCM receives a locally available software package for processing. The software package is usually downloaded from the OEM backend. The download of the software packages has to be done by another application, i.e. UCM does not manage the connection to the OEM backend. Prior to triggering their processing, the software packages have to be transferred to UCM by using the provided ara::com interface.
The UCM update process is designed to cover the use case of updates on a single AUTOSAR Adaptive Platform. UCM can update Adaptive Applications and the AUTOSAR Adaptive Platform itself, including all functional clusters and the underlying OS.
The UCM is not responsible for enforcing authentication and access control to the provided interfaces. The document currently does not provide any mechanism for confidentiality protection, nor measures against denial of service attacks. The assumption is that the platform preserves the integrity of parameters exchanged between UCM and its user.
The possibility to restart a specific application instead of rebooting the Machine depends on the kind of update and application; it is therefore implementation specific and is defined in the Software Package manifest.
UCM only supports updates of ara::com and UDS (ISO-14229) compliant ECUs. UCM does not control any action done by a diagnostic tool directly updating a Classic Platform. For instance, UCM cannot protect against downgrading of a Software Cluster in a Classic Platform by a diagnostic tool.

4.2 Applicability to car domains


No restrictions to applicability.


5 Dependencies to other functional clusters


The UCM functional cluster exposes services to client applications via the ara::com middleware.

Figure 5.1: UCM dependencies to other Functional Clusters. (Figure content: a Software Package is a signed container holding the SoftwareCluster with its Executables, Data and Manifests, together with the Software Package Manifest and an Authentication tag; UCM, accessed by a UCM Client, depends on Identity & Access Management, ara::com, Persistency, the Crypto API, State Management and POSIX.)

5.1 Interfaces to Adaptive State Management


UCM relies on State Management and its provided UpdateRequest Service Interface to perform the necessary Function Group state changes needed to activate the newly installed, updated or removed software.
Certain applications can conflict with the update process or the newly updated package, and they need to be stopped during the update process. This could be achieved by putting the machine into a safe Machine state, by activating a combination of suitable Function Groups and their states. It is the responsibility of the platform integrator to define this state or these Function Groups. The Adaptive Application accessing the UCM should make sure that the platform is switched to this state (using interfaces from State Management) before starting the update.

5.2 UCM service over ara::com


The UCM shall provide a service interface over ara::com using methods and fields.

5.3 Interfaces to Adaptive Crypto Interface


UCM uses Crypto Interface for AUTOSAR Adaptive Platform [6] to verify package
integrity and authenticity and to decrypt confidential update data.


5.4 Interfaces to Identity and Access Management


Identity and Access Management [7] controls the access of UCM Clients to the UCM service interface PackageManagement.

5.5 UCM use of Persistency library


UCM may use ara::per to store internal status information. This can e.g. be used to
recover after reboot.


6 Requirements Tracing
The following tables reference the requirements specified in [8] and links to the fulfill-
ment of these. Please note that if column “Satisfied by” is empty for a specific require-
ment this means that this requirement is not fulfilled by this document.
Requirement Description Satisfied by
[RS_EM_00014] Execution Management shall [SWS_UCM_00202]
support a Trusted Platform.
[RS_SM_00001] State Management shall [SWS_UCM_00242]
coordinate and control multiple
sets of Applications.
[RS_UCM_00001] UCM shall support installing new [SWS_UCM_00001]
software on AUTOSAR [SWS_UCM_00017]
Adaptive Platform [SWS_UCM_00073]
[SWS_UCM_00099]
[SWS_UCM_00131]
[SWS_UCM_00137]
[SWS_UCM_00165]
[SWS_UCM_00181]
[SWS_UCM_00182]
[SWS_UCM_00183]
[SWS_UCM_00240]
[SWS_UCM_00266]
[RS_UCM_00002] UCM shall support reporting [SWS_UCM_00004]
version information for an [SWS_UCM_00038]
AUTOSAR Adaptive [SWS_UCM_00039]
Platform [SWS_UCM_00040]
[SWS_UCM_00071]
[SWS_UCM_00077]
[SWS_UCM_00078]
[SWS_UCM_00079]
[SWS_UCM_00112]
[SWS_UCM_00130]
[SWS_UCM_00131]
[SWS_UCM_00174]
[SWS_UCM_00175]
[SWS_UCM_00176]
[SWS_UCM_00177]
[SWS_UCM_00181]
[SWS_UCM_00182]
[SWS_UCM_00183]
[SWS_UCM_00185]
[SWS_UCM_00186]
[SWS_UCM_00187]
[SWS_UCM_01114]
[SWS_UCM_01136]
[SWS_UCM_01137]
[SWS_UCM_01138]
[SWS_UCM_CONSTR_00001]
[SWS_UCM_CONSTR_00002]

16 of 155 Document ID 888: AUTOSAR_SWS_UpdateAndConfigurationManagement


Specification of Update and Configuration
Management
AUTOSAR AP R21-11

Requirement Description Satisfied by


[RS_UCM_00003] UCM shall support updating [SWS_UCM_00017]
installed software on Adaptive [SWS_UCM_00165]
Platform [SWS_UCM_00190]
[SWS_UCM_00257]
[RS_UCM_00004] UCM shall support uninstalling [SWS_UCM_00001]
software on AUTOSAR [SWS_UCM_00137]
Adaptive Platform [SWS_UCM_00165]
[SWS_UCM_00184]
[SWS_UCM_00266]
[SWS_UCM_00273]
[RS_UCM_00005] UCM shall make sure that [SWS_UCM_00001]
persistent data owned by [SWS_UCM_00137]
uninstalled software is deleted [SWS_UCM_00266]
[RS_UCM_00006] UCM shall verify Software [SWS_UCM_00028]
Package authenticity and [SWS_UCM_00038]
integrity using strong [SWS_UCM_00039]
cryptographic techniques [SWS_UCM_00040]
[SWS_UCM_00077]
[SWS_UCM_00078]
[SWS_UCM_00079]
[SWS_UCM_00136]
[SWS_UCM_00200]
[SWS_UCM_00209]
[RS_UCM_00007] UCM shall check that software [SWS_UCM_00026]
dependencies are fulfilled [SWS_UCM_00027]
[SWS_UCM_00120]
[SWS_UCM_00136]
[SWS_UCM_00161]
[SWS_UCM_00231]
[SWS_UCM_00260]
[RS_UCM_00008] UCM shall support a recovery [SWS_UCM_00005]
mechanism in case of failed [SWS_UCM_00024]
update process [SWS_UCM_00107]
[SWS_UCM_00110]
[SWS_UCM_00111]
[SWS_UCM_00126]
[SWS_UCM_00127]
[SWS_UCM_00131]
[SWS_UCM_00146]
[SWS_UCM_00155]
[SWS_UCM_00162]
[SWS_UCM_00163]
[SWS_UCM_00164]
[SWS_UCM_00181]
[SWS_UCM_00182]
[SWS_UCM_00183]
[SWS_UCM_00264]
[SWS_UCM_00282]

17 of 155 Document ID 888: AUTOSAR_SWS_UpdateAndConfigurationManagement


Specification of Update and Configuration
Management
AUTOSAR AP R21-11

Requirement Description Satisfied by


[RS_UCM_00010] UCM shall support reporting of [SWS_UCM_00038]
Software Packages [SWS_UCM_00039]
downloaded for AUTOSAR [SWS_UCM_00040]
Adaptive Platform [SWS_UCM_00069]
[SWS_UCM_00077]
[SWS_UCM_00078]
[SWS_UCM_00079]
[SWS_UCM_00131]
[SWS_UCM_00181]
[SWS_UCM_00182]
[SWS_UCM_00183]
[SWS_UCM_CONSTR_00001]
[SWS_UCM_CONSTR_00002]
[RS_UCM_00011] UCM shall support reporting software versions which have been installed and will be activated when new versions are activated
    Satisfied by: [SWS_UCM_00030], [SWS_UCM_00038], [SWS_UCM_00039], [SWS_UCM_00040], [SWS_UCM_00077], [SWS_UCM_00078], [SWS_UCM_00079], [SWS_UCM_00131], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00185], [SWS_UCM_00186], [SWS_UCM_00187], [SWS_UCM_00191], [SWS_UCM_00192], [SWS_UCM_00193], [SWS_UCM_00194], [SWS_UCM_00195], [SWS_UCM_00196], [SWS_UCM_00197], [SWS_UCM_00198], [SWS_UCM_00199], [SWS_UCM_00286], [SWS_UCM_00287], [SWS_UCM_CONSTR_00001], [SWS_UCM_CONSTR_00002]
[RS_UCM_00012] UCM shall check the consistency of transferred Software Package
    Satisfied by: [SWS_UCM_00029], [SWS_UCM_00038], [SWS_UCM_00039], [SWS_UCM_00040], [SWS_UCM_00077], [SWS_UCM_00078], [SWS_UCM_00079], [SWS_UCM_00104], [SWS_UCM_00136], [SWS_UCM_00207], [SWS_UCM_00209], [SWS_UCM_00213], [SWS_UCM_00267], [SWS_UCM_01306], [SWS_UCM_CONSTR_00012]
[RS_UCM_00013] UCM shall check that it has enough resources to receive, process and store the Software Package and associated data
    Satisfied by: [SWS_UCM_00007], [SWS_UCM_00008], [SWS_UCM_00010], [SWS_UCM_00087], [SWS_UCM_00088], [SWS_UCM_00092], [SWS_UCM_00098], [SWS_UCM_00136], [SWS_UCM_00140], [SWS_UCM_00145], [SWS_UCM_00206], [SWS_UCM_00217], [SWS_UCM_00243], [SWS_UCM_00275], [SWS_UCM_00276], [SWS_UCM_00283], [SWS_UCM_00289], [SWS_UCM_01011]
[RS_UCM_00014] UCM shall check that correct amount of data has been transferred for the Software Package
    Satisfied by: [SWS_UCM_00136], [SWS_UCM_00204], [SWS_UCM_00205], [SWS_UCM_00243]
[RS_UCM_00015] UCM shall remove all unneeded data after Software Package processing has finished
    Satisfied by: [SWS_UCM_00020], [SWS_UCM_00131], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00265], [SWS_UCM_00285]
[RS_UCM_00017] UCM shall support installing and updating the persistent data storage for an Adaptive Application
    Satisfied by: [SWS_UCM_00184], [SWS_UCM_00273]
[RS_UCM_00018] UCM shall announce when an application has been installed, updated or uninstalled
    Satisfied by: [SWS_UCM_00021], [SWS_UCM_00131], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00259]
[RS_UCM_00019] UCM shall support simultaneous transfers of multiple Software Packages
    Satisfied by: [SWS_UCM_00007], [SWS_UCM_00008], [SWS_UCM_00010], [SWS_UCM_00031], [SWS_UCM_00075], [SWS_UCM_00087], [SWS_UCM_00088], [SWS_UCM_00092], [SWS_UCM_00098], [SWS_UCM_00140], [SWS_UCM_00145], [SWS_UCM_00148], [SWS_UCM_00203], [SWS_UCM_00204], [SWS_UCM_00205], [SWS_UCM_00206], [SWS_UCM_00208], [SWS_UCM_00212], [SWS_UCM_00214], [SWS_UCM_00215], [SWS_UCM_00216], [SWS_UCM_00275], [SWS_UCM_00276], [SWS_UCM_00283]
[RS_UCM_00020] UCM shall support cancellation of an update or install operation
    Satisfied by: [SWS_UCM_00003], [SWS_UCM_00167], [SWS_UCM_00234], [SWS_UCM_00235], [SWS_UCM_00236], [SWS_UCM_00237], [SWS_UCM_00238], [SWS_UCM_00239], [SWS_UCM_00278], [SWS_UCM_00279], [SWS_UCM_01273], [SWS_UCM_01274]
[RS_UCM_00021] UCM shall support atomic activation of installed or updated Software Clusters
    Satisfied by: [SWS_UCM_00022], [SWS_UCM_00025], [SWS_UCM_00094], [SWS_UCM_00131], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00241], [SWS_UCM_00259], [SWS_UCM_00260], [SWS_UCM_00280]
[RS_UCM_00023] UCM shall provide an interface to read progress of the update
    Satisfied by: [SWS_UCM_00018], [SWS_UCM_00131], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00220]
[RS_UCM_00024] UCM shall provide an interface to read the state of UCM
    Satisfied by: [SWS_UCM_00019], [SWS_UCM_00044], [SWS_UCM_00080], [SWS_UCM_00081], [SWS_UCM_00083], [SWS_UCM_00084], [SWS_UCM_00085], [SWS_UCM_00086], [SWS_UCM_00131], [SWS_UCM_00147], [SWS_UCM_00149], [SWS_UCM_00150], [SWS_UCM_00151], [SWS_UCM_00152], [SWS_UCM_00153], [SWS_UCM_00154], [SWS_UCM_00166], [SWS_UCM_00168], [SWS_UCM_00169], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00258]
[RS_UCM_00025] UCM shall support receiving of Software Package data
    Satisfied by: [SWS_UCM_00007], [SWS_UCM_00008], [SWS_UCM_00010], [SWS_UCM_00031], [SWS_UCM_00032], [SWS_UCM_00087], [SWS_UCM_00088], [SWS_UCM_00092], [SWS_UCM_00098], [SWS_UCM_00131], [SWS_UCM_00140], [SWS_UCM_00145], [SWS_UCM_00165], [SWS_UCM_00166], [SWS_UCM_00167], [SWS_UCM_00168], [SWS_UCM_00169], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00217], [SWS_UCM_00219], [SWS_UCM_00243], [SWS_UCM_00272], [SWS_UCM_00275], [SWS_UCM_00276], [SWS_UCM_00283]
[RS_UCM_00026] UCM shall process installation of new Software Packages, updates and removal of existing Software Packages sequentially
    Satisfied by: [SWS_UCM_00017], [SWS_UCM_00044], [SWS_UCM_00122], [SWS_UCM_00184], [SWS_UCM_00218], [SWS_UCM_00219], [SWS_UCM_00240], [SWS_UCM_00257], [SWS_UCM_00258], [SWS_UCM_00261], [SWS_UCM_00262], [SWS_UCM_00263], [SWS_UCM_00265], [SWS_UCM_00273], [SWS_UCM_00277], [SWS_UCM_00281]
[RS_UCM_00027] UCM shall be able to safely recover from unexpected interruption.
    Satisfied by: [SWS_UCM_00157], [SWS_UCM_00158], [SWS_UCM_00270]
[RS_UCM_00028] UCM shall support updating Functional Clusters
    Satisfied by: [SWS_UCM_00100], [SWS_UCM_00245]
[RS_UCM_00029] UCM shall support updating the underlying Operating System
    Satisfied by: [SWS_UCM_00101], [SWS_UCM_00245]
[RS_UCM_00030] UCM shall be able to verify the updated software during activation
    Satisfied by: [SWS_UCM_00107], [SWS_UCM_00111], [SWS_UCM_00126], [SWS_UCM_00127], [SWS_UCM_00146], [SWS_UCM_00155], [SWS_UCM_00162], [SWS_UCM_00163], [SWS_UCM_00164], [SWS_UCM_00260], [SWS_UCM_00264]
[RS_UCM_00031] UCM shall prevent installation of arbitrary previous version of an Adaptive Application or the Adaptive Platform
    Satisfied by: [SWS_UCM_00103], [SWS_UCM_00190]
[RS_UCM_00032] UCM shall provide an interface to return UCM’s action history
    Satisfied by: [SWS_UCM_00115], [SWS_UCM_00131], [SWS_UCM_00132], [SWS_UCM_00133], [SWS_UCM_00134], [SWS_UCM_00135], [SWS_UCM_00160], [SWS_UCM_00181], [SWS_UCM_00182], [SWS_UCM_00183], [SWS_UCM_00271], [SWS_UCM_01177], [SWS_UCM_01178]
[RS_UCM_00033] UCM Master shall support reporting version information of a complete vehicle
    Satisfied by: [SWS_UCM_00268], [SWS_UCM_00269], [SWS_UCM_01101], [SWS_UCM_01103], [SWS_UCM_01120], [SWS_UCM_01135], [SWS_UCM_01218], [SWS_UCM_CONSTR_00013], [SWS_UCM_CONSTR_00014]
[RS_UCM_00034] UCM Master shall record all UCM Master’s action history
    Satisfied by: [SWS_UCM_00251], [SWS_UCM_00252], [SWS_UCM_00253], [SWS_UCM_00254], [SWS_UCM_00255], [SWS_UCM_00256], [SWS_UCM_01247], [SWS_UCM_01248], [SWS_UCM_01266], [SWS_UCM_01267], [SWS_UCM_01268], [SWS_UCM_01269]
[RS_UCM_00035] UCM Master shall coordinate software update in a vehicle across multiple Electronic Control Units
    Satisfied by: [SWS_UCM_00178], [SWS_UCM_00210], [SWS_UCM_01013], [SWS_UCM_01018], [SWS_UCM_01119], [SWS_UCM_01121], [SWS_UCM_01122], [SWS_UCM_01123], [SWS_UCM_01124], [SWS_UCM_01125], [SWS_UCM_01126], [SWS_UCM_01127], [SWS_UCM_01128], [SWS_UCM_01129], [SWS_UCM_01130], [SWS_UCM_01131], [SWS_UCM_01132], [SWS_UCM_01133], [SWS_UCM_01134], [SWS_UCM_01204], [SWS_UCM_01205], [SWS_UCM_01207], [SWS_UCM_01209], [SWS_UCM_01212], [SWS_UCM_01214], [SWS_UCM_01215], [SWS_UCM_01216], [SWS_UCM_01217], [SWS_UCM_01218], [SWS_UCM_01219], [SWS_UCM_01220], [SWS_UCM_01221], [SWS_UCM_01222], [SWS_UCM_01227], [SWS_UCM_01228], [SWS_UCM_01229], [SWS_UCM_01234], [SWS_UCM_01236], [SWS_UCM_01239], [SWS_UCM_01240], [SWS_UCM_01241], [SWS_UCM_01242], [SWS_UCM_01243], [SWS_UCM_01244], [SWS_UCM_01246], [SWS_UCM_01270], [SWS_UCM_01271], [SWS_UCM_01272], [SWS_UCM_01303], [SWS_UCM_01305], [SWS_UCM_CONSTR_00003], [SWS_UCM_CONSTR_00005], [SWS_UCM_CONSTR_00006], [SWS_UCM_CONSTR_00009], [SWS_UCM_CONSTR_00011], [SWS_UCM_CONSTR_00015]
[RS_UCM_00036] UCM Master shall use platform communication services for interacting with UCM subordinates
    Satisfied by: [SWS_UCM_00009], [SWS_UCM_00173], [SWS_UCM_01005], [SWS_UCM_01015], [SWS_UCM_01016]
[RS_UCM_00037] UCM Master shall ensure it is safe to perform any modification to the vehicle
    Satisfied by: [SWS_UCM_00179], [SWS_UCM_01109], [SWS_UCM_01110], [SWS_UCM_01117], [SWS_UCM_01222], [SWS_UCM_01228], [SWS_UCM_01229], [SWS_UCM_01234], [SWS_UCM_01240], [SWS_UCM_01244], [SWS_UCM_01246], [SWS_UCM_CONSTR_00003], [SWS_UCM_CONSTR_00004], [SWS_UCM_CONSTR_00005], [SWS_UCM_CONSTR_00006], [SWS_UCM_CONSTR_00007], [SWS_UCM_CONSTR_00008], [SWS_UCM_CONSTR_00009]
[RS_UCM_00038] UCM Master shall interact with driver
    Satisfied by: [SWS_UCM_00180], [SWS_UCM_01105], [SWS_UCM_01107], [SWS_UCM_01117], [SWS_UCM_01118], [SWS_UCM_01120], [SWS_UCM_01135], [SWS_UCM_01222], [SWS_UCM_01228], [SWS_UCM_01234]
[RS_UCM_00039] UCM Master shall prevent processing of compromised Vehicle Packages
    Satisfied by: [SWS_UCM_00200], [SWS_UCM_01221], [SWS_UCM_01301], [SWS_UCM_01302]
[RS_UCM_00042] UCM Master shall provide an interface to read the state of an update campaign
    Satisfied by: [SWS_UCM_01017], [SWS_UCM_01203], [SWS_UCM_01205], [SWS_UCM_01265]
[RS_UCM_00043] UCM Master shall orchestrate a software update campaign according to the Vehicle Package’s Manifest
    Satisfied by: [SWS_UCM_00179], [SWS_UCM_00180], [SWS_UCM_00210], [SWS_UCM_01003], [SWS_UCM_01014], [SWS_UCM_01015], [SWS_UCM_01016], [SWS_UCM_01201], [SWS_UCM_01207], [SWS_UCM_01209], [SWS_UCM_01212], [SWS_UCM_01228], [SWS_UCM_01301], [SWS_UCM_01302], [SWS_UCM_01303], [SWS_UCM_01305]
[RS_UCM_00044] UCM or UCM Master initialization
    Satisfied by: [SWS_UCM_00274], [SWS_UCM_01019]


7 Functional specification

7.1 UCM

7.1.1 Software Cluster lifecycle

Figure 7.1: State Machine for a Software Cluster (diagram residue, summarised: states Initial, ADDED, PRESENT, UPDATED, REMOVED and Final; ProcessSwPackage leads from Initial to ADDED and from PRESENT to UPDATED or REMOVED; Finish (from kActivated) leads from ADDED or UPDATED to PRESENT and from REMOVED to Final; Finish (from kRolledBack) and RevertProcessedSwPackages lead from UPDATED or REMOVED back to PRESENT and from ADDED to Final)

The state machine in Fig. 7.1 describes the life-cycle states of a Software Cluster. These states are reported with the GetSwClusterChangeInfo method.
[SWS_UCM_00191] Software Cluster life-cycle state kAdded ⌈A Software Cluster state shall be kAdded after the Software Cluster is successfully processed with a ProcessSwPackage method call on the AUTOSAR Adaptive Platform, if it was not previously present in the AUTOSAR Adaptive Platform and before activation is finished.⌉(RS_UCM_00011)
[SWS_UCM_00192] Software Cluster life-cycle state transition from kAdded to kPresent ⌈A Software Cluster state shall change from kAdded to kPresent after a successful activation of a newly added Software Cluster with a Finish method call.⌉(RS_UCM_00011)
[SWS_UCM_00195] Software Cluster life-cycle state kUpdated ⌈A Software Cluster state shall be kUpdated after a successful processing of the updated Software Cluster with a ProcessSwPackage method call and before activation is finished.⌉(RS_UCM_00011)
[SWS_UCM_00193] Software Cluster life-cycle state transition from kUpdated to kPresent ⌈A Software Cluster state shall change from kUpdated to kPresent after a successful activation of the updated Software Cluster with a Finish method call, or after reverting the Software Cluster update with a RevertProcessedSwPackages method call.⌉(RS_UCM_00011)


[SWS_UCM_00196] Software Cluster life-cycle state kRemoved ⌈A Software Cluster state shall be kRemoved after successful completion of the method ProcessSwPackage which involves the removal of the existing Software Cluster, and before activation is finished.⌉(RS_UCM_00011)
[SWS_UCM_00194] Software Cluster life-cycle state transition from kRemoved to kPresent in case of RevertProcessedSwPackages call ⌈A Software Cluster state shall change from kRemoved to kPresent after a successful call to the RevertProcessedSwPackages method in case the Software Cluster was previously requested to be removed by a ProcessSwPackage method call.⌉(RS_UCM_00011)
[SWS_UCM_00286]{DRAFT} Software Cluster life-cycle state transition from kRemoved to kPresent in case of Finish call ⌈A Software Cluster state shall change from kRemoved to kPresent after a successful call to the Finish method in case a Software Cluster being removed has to be rolled back after a failing activation.⌉(RS_UCM_00011)
[SWS_UCM_00197] End of Software Cluster life-cycle state from state kAdded in case of RevertProcessedSwPackages call ⌈A Software Cluster shall reach the end of its life-cycle from kAdded after a successful removal of a newly added Software Cluster with a RevertProcessedSwPackages method call in case the Software Cluster was previously requested to be added by a ProcessSwPackage method call.⌉(RS_UCM_00011)
[SWS_UCM_00287]{DRAFT} End of Software Cluster life-cycle state from state kAdded in case of Finish call ⌈A Software Cluster shall reach the end of its life-cycle from kAdded after a successful removal of a newly added Software Cluster with a Finish method call in case the newly added Software Cluster has to be rolled back after a failing activation.⌉(RS_UCM_00011)
[SWS_UCM_00198] End of Software Cluster life-cycle state from state kRemoved ⌈A Software Cluster shall reach the end of its life-cycle if it is successfully removed with a Finish method call and the Software Cluster is in state kRemoved.⌉(RS_UCM_00011)
[SWS_UCM_00199] Reporting of Software Cluster reaching end of life-cycle ⌈Any Software Cluster reaching the end of its life-cycle shall no longer be reported by UCM.⌉(RS_UCM_00011)
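The transitions of Fig. 7.1 and the items above can be written down as a small state table. The following C++ class is an added example for this specification, not code from AUTOSAR or from any UCM implementation: it keeps the life-cycle state per Software Cluster, drives it with ProcessSwPackage, RevertProcessedSwPackages and Finish (the latter parameterised by whether activation ended in kActivated or kRolledBack), and erases clusters that reach the end of their life-cycle so they are no longer reported. The enumerator kAbsent, the Action enumeration and the reading of GetSwClusterChangeInfo as "every reported cluster whose state is not kPresent" are assumptions of this example.

```cpp
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Life-cycle states of Fig. 7.1. kAbsent is a hypothetical marker for the
// diagram's Initial/Final pseudo-states: such a cluster is not reported at all.
enum class SwClusterState { kAbsent, kAdded, kPresent, kUpdated, kRemoved };

// What the processed Software Package does to the cluster (assumed names).
enum class Action { kInstall, kUpdate, kRemove };

// Outcome of the activation that precedes the Finish call.
enum class ActivationResult { kActivated, kRolledBack };

class SwClusterLifecycle {
 public:
  // Pre-seed clusters that are already installed (state kPresent).
  explicit SwClusterLifecycle(const std::vector<std::string>& installed = {}) {
    for (const auto& name : installed) clusters_[name] = SwClusterState::kPresent;
  }

  // ProcessSwPackage: [SWS_UCM_00191] / [SWS_UCM_00195] / [SWS_UCM_00196].
  void ProcessSwPackage(const std::string& name, Action action) {
    const SwClusterState cur = Get(name);
    switch (action) {
      case Action::kInstall:
        if (cur != SwClusterState::kAbsent) throw std::logic_error("kInstall needs an absent cluster");
        clusters_[name] = SwClusterState::kAdded;
        break;
      case Action::kUpdate:
        if (cur != SwClusterState::kPresent) throw std::logic_error("kUpdate needs a kPresent cluster");
        clusters_[name] = SwClusterState::kUpdated;
        break;
      case Action::kRemove:
        if (cur != SwClusterState::kPresent) throw std::logic_error("kRemove needs a kPresent cluster");
        clusters_[name] = SwClusterState::kRemoved;
        break;
    }
  }

  // RevertProcessedSwPackages: [SWS_UCM_00197] (kAdded ends), [SWS_UCM_00193]
  // and [SWS_UCM_00194] (kUpdated / kRemoved back to kPresent).
  void RevertProcessedSwPackages() { Settle(/*activated=*/false); }

  // Finish: from kActivated the change becomes permanent ([SWS_UCM_00192],
  // [SWS_UCM_00193], [SWS_UCM_00198]); from kRolledBack the outcome equals a
  // revert ([SWS_UCM_00287], [SWS_UCM_00193], [SWS_UCM_00286]).
  void Finish(ActivationResult result) { Settle(result == ActivationResult::kActivated); }

  // GetSwClusterChangeInfo is assumed here to list clusters whose change is
  // processed but not finished, i.e. every reported state except kPresent.
  std::vector<std::string> GetSwClusterChangeInfo() const {
    std::vector<std::string> changed;
    for (const auto& kv : clusters_)
      if (kv.second != SwClusterState::kPresent) changed.push_back(kv.first);
    return changed;
  }

  SwClusterState Get(const std::string& name) const {
    const auto it = clusters_.find(name);
    return it == clusters_.end() ? SwClusterState::kAbsent : it->second;
  }

 private:
  // Applies the end-of-activation transitions; clusters that reach the end of
  // their life-cycle are erased so they are no longer reported ([SWS_UCM_00199]).
  void Settle(bool activated) {
    for (auto it = clusters_.begin(); it != clusters_.end();) {
      const SwClusterState s = it->second;
      const bool ends = activated ? (s == SwClusterState::kRemoved) : (s == SwClusterState::kAdded);
      if (ends) { it = clusters_.erase(it); continue; }
      it->second = SwClusterState::kPresent;  // kAdded / kUpdated / kRemoved settle to kPresent
      ++it;
    }
  }
  std::map<std::string, SwClusterState> clusters_;
};

int main() {
  SwClusterLifecycle lc({"swc.Base"});               // constructed sample cluster names
  lc.ProcessSwPackage("swc.App", Action::kInstall);
  lc.ProcessSwPackage("swc.Base", Action::kUpdate);
  std::cout << "changed before Finish: " << lc.GetSwClusterChangeInfo().size() << '\n';
  lc.Finish(ActivationResult::kRolledBack);          // swc.App ends, swc.Base back to kPresent
  std::cout << "changed after rollback: " << lc.GetSwClusterChangeInfo().size() << '\n';
  return 0;
}
```

Settle is shared by RevertProcessedSwPackages and Finish(kRolledBack) because the items above give both the same result for every state; only Finish(kActivated) differs, in that kRemoved clusters end and kAdded clusters become kPresent.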

7.1.2 Technical Overview

One of the declared goals of the AUTOSAR Adaptive Platform is the ability to flexibly update the software and its configuration through over-the-air updates. During the life-cycle of an AUTOSAR Adaptive Platform, UCM is responsible for performing software modifications on the machine and for retaining the consistency of the whole system.


The UCM Functional Cluster provides a service interface that exposes its functionality to retrieve AUTOSAR Adaptive Platform software information and consistently execute software updates. Since ara::com is used, the client using the UCM service interface can be located on the same AUTOSAR Adaptive Platform, but remote clients are also possible.
The service interface has been primarily designed with the goal of making it possible to use standard diagnostic services for downloading and installing software updates for the AUTOSAR Adaptive Platform. However, the methods and fields in the service interface are designed in such a way that they can in principle be used by any Adaptive Application. UCM does not impose any specific protocol on how data is transferred to the AUTOSAR Adaptive Platform and how package processing is controlled. In particular, UCM does not expose diagnostic services.
As shown in Figure 7.2, whether the use case is an over-the-air update or a garage update done through diagnostics is not visible to the UCM. The UCM Client abstracts the use case from the UCM and forwards the data stream and sequence control commands to the UCM. Later in this document, the term UCM Client is used to describe an Adaptive Application that consumes UCM PackageManagement services through the UCM ara::com API. Diagnostic Application and UCM Master are two examples of such UCM Clients.

Figure 7.2: Architecture overview for diagnostic use case (diagram residue, summarised: within the Vehicle, the «device» Adaptive ECU runs the AUTOSAR Adaptive Application Layer with App A, App B, App ... and the UCM Client (Diagnostic Application / UCM Master) on top of the AUTOSAR Adaptive Platform Services + Foundation, which hold the UCM «ServiceProvider» and the Diagnostic Manager (DM) with its DoIP socket; an «optional» Server in the Cloud and an «optional» Diagnostic Client connect from outside the ECU. Diagram metadata: Name: Architecture simplified, Author: Waldemar Knorr, Version: 1.0, Created: 26/03/2018 11:19:35, Updated: 02/09/2021 14:18:39)

7.1.2.1 Software Package Management

The UCM update sequence consists of three different phases:
• Software Package transfer: A phase in which one or several Software Packages are transferred from the UCM’s Client Application to the internal buffer of the UCM. For further information see chapter 7.1.3.
• Software Package processing: A phase in which the UCM performs the operation (kInstall, kUpdate, kRemove) on the relevant SoftwareCluster. For further information see chapter 7.1.5.
• Activation: A phase in which the UCM checks the dependencies of the SoftwareClusters that have been involved in the operation, then activates them and finally checks that all the SoftwareClusters can be executed properly (via State Management) prior to finishing the update. For further information see chapter 7.1.6.

7.1.2.1.1 Software Package

[SWS_UCM_00122] Software Package utilization ⌈The unit for deployment that the UCM shall take as input is called Software Package, see [1]. Each Software Package shall address a single SoftwareCluster.⌉(RS_UCM_00026)
A SoftwareCluster can act in two roles:
• ‘Sub’-SoftwareCluster: a SoftwareCluster without diagnostic target address, containing processes, executables and further elements
• ‘Root’-SoftwareCluster: a SoftwareCluster with a diagnostic target address that may reference several other ‘Sub’-SoftwareClusters, which thus form a logical group.
A SoftwareCluster can be of the following categories, expressed by the attribute SoftwareCluster.category:
• APPLICATION_LAYER: the SoftwareCluster can be removed by UCM
• PLATFORM_CORE: the SoftwareCluster cannot be removed as it would break the system.
• PLATFORM: the SoftwareCluster is part of the platform software and can be removed
[SWS_UCM_00245]{DRAFT} Software Cluster category ⌈UCM shall not remove a SoftwareCluster that has category set to PLATFORM_CORE.⌉(RS_UCM_00028, RS_UCM_00029)
A Software Package has to be modelled as a so-called SoftwareCluster, which describes the content of a Software Package that is downloaded or uploaded to the AUTOSAR Adaptive Platform, see [9].
The term Software Package is used for the "physical", uploadable Software Package that is processed by UCM, whereas the term SoftwareCluster is used for the modeling element. In the model, the content of a SoftwareCluster is defined by references to all required model elements. The SoftwareCluster and the related model elements define the content of the manifest that is part of the Software Package. The Software Package format and the update scope are described in chapter "Content of a Software Package" as well as in [10].
[SWS_UCM_CONSTR_00012]{DRAFT} ⌈The SoftwareCluster aggregation of ArtifactChecksum shall not include the uri of this same SoftwareCluster manifest.⌉(RS_UCM_00012)
The uri attribute in ArtifactChecksum refers to the artifact contained in the SoftwareCluster.

7.1.2.1.2 Content of a Software Package

Each Software Package addresses a single SoftwareCluster and contains manifests, executables and further data (depending on the role of the SoftwareCluster), as in the example sketched in Figure 7.3.

Figure 7.3: Software Package content description (diagram residue, summarised: Software Package A is a signed container holding SoftwareCluster A, itself a signed container with Executables, Data, Manifests and the Software Cluster Manifest followed by an Authentication tag; the outer container adds the Software Package Manifest and its own Authentication tag)

A single Software Package is designed in a way that it could contain one or several executables of Adaptive Applications, kernel or firmware updates, or updated configuration and calibration data to be deployed on the AUTOSAR Adaptive Platform. An exemplary implementation of the adaptive workflow with Software Packages can be seen in chapter Methodology and Manifest in [10]. For more details on the Software Package class, refer to SoftwarePackage.
[SWS_UCM_00112] Software Cluster and version ⌈SoftwareCluster’s manifest shall include a name and a version following the description of StrongRevisionLabelString.⌉(RS_UCM_00002)
[SWS_UCM_CONSTR_00001] ⌈If any content (for instance an executable or persistent data) of an already installed SoftwareCluster is modified by an incoming Software Package, then the version number of the incoming SoftwareCluster indicated in the Software Package shall be higher than the version number of the already installed SoftwareCluster.⌉(RS_UCM_00002, RS_UCM_00010, RS_UCM_00011)
If the constraint is violated, an error will be raised according to [SWS_UCM_00103].
A higher version number is achieved by an increment of the MajorVersion, the MinorVersion, or the PatchVersion.
If there is a need to downgrade a failing SoftwareCluster (for instance, a malfunction in the field that was not detected at activation), it will therefore be necessary to repackage the same old SoftwareCluster that was working properly with a higher version number.
[SWS_UCM_00190] Reinstallation of older Software Cluster version than previously removed ⌈New Software Clusters getting installed shall be compared with the history of all installed Software Clusters to prevent installation of a Software Cluster with a lower or equal version than previously installed.⌉(RS_UCM_00003, RS_UCM_00031)
[SWS_UCM_00130] Software Cluster and version error ⌈If SoftwareCluster’s manifest does not contain any SoftwareCluster.version following the description of StrongRevisionLabelString, UCM shall raise the ApplicationError InvalidPackageManifest.⌉(RS_UCM_00002)
[SWS_UCM_CONSTR_00014]{DRAFT} Software Package and Software Cluster shortNames ⌈SoftwarePackage and the referenced SoftwareCluster shall share the same shortName in order to be able to compare their versions.⌉(RS_UCM_00033)
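The version rule of [SWS_UCM_CONSTR_00001], the anti-rollback history of [SWS_UCM_00190] and the manifest error of [SWS_UCM_00130] together make up the check a UCM runs before it accepts a package. The C++ below is an added example written for this page, not AUTOSAR code: it parses the version label into MajorVersion.MinorVersion.PatchVersion, compares the incoming version with every version ever recorded under the same shortName, and maps the outcomes to the two errors. It assumes the dotted numeric shape of a StrongRevisionLabelString with an optional "-" or "+" suffix that is ignored for ordering, and it names the [SWS_UCM_00103] error OldVersion, which is the UCM ApplicationError for this case but is not spelled out on this page.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// MajorVersion.MinorVersion.PatchVersion of a StrongRevisionLabelString.
struct Version {
  unsigned major = 0;
  unsigned minor = 0;
  unsigned patch = 0;
};

// Parses "MAJOR.MINOR.PATCH" with an optional "-pre" / "+build" suffix, the
// dotted shape assumed here for a StrongRevisionLabelString (the suffix takes
// no part in the ordering). Returns false for a missing or malformed label.
bool ParseStrongRevisionLabel(const std::string& label, Version& out) {
  unsigned parts[3] = {0, 0, 0};
  std::size_t pos = 0;
  for (int i = 0; i < 3; ++i) {
    const std::size_t start = pos;
    unsigned value = 0;
    while (pos < label.size() && label[pos] >= '0' && label[pos] <= '9') {
      value = value * 10 + static_cast<unsigned>(label[pos] - '0');
      ++pos;
    }
    if (pos == start) return false;                             // no digits at all
    if (pos - start > 1 && label[start] == '0') return false;  // leading zero is malformed
    parts[i] = value;
    if (i < 2) {
      if (pos >= label.size() || label[pos] != '.') return false;
      ++pos;
    }
  }
  if (pos != label.size() && label[pos] != '-' && label[pos] != '+') return false;
  out.major = parts[0];
  out.minor = parts[1];
  out.patch = parts[2];
  return true;
}

// True when a is strictly higher than b: an increment of Major, Minor or Patch.
bool IsHigher(const Version& a, const Version& b) {
  if (a.major != b.major) return a.major > b.major;
  if (a.minor != b.minor) return a.minor > b.minor;
  return a.patch > b.patch;
}

// InvalidPackageManifest is on the page ([SWS_UCM_00130]); OldVersion is the UCM
// ApplicationError this example uses for [SWS_UCM_00103] (not spelled out here).
enum class VersionCheck { kAccepted, kInvalidPackageManifest, kOldVersion };

class SwClusterVersionPolicy {
 public:
  // Checks the incoming manifest version against every version ever installed
  // under this shortName ([SWS_UCM_CONSTR_00001], [SWS_UCM_00190]); the history
  // is keyed by shortName because package and cluster share it ([SWS_UCM_CONSTR_00014]).
  VersionCheck Check(const std::string& shortName, const std::string& versionLabel) const {
    Version incoming;
    if (!ParseStrongRevisionLabel(versionLabel, incoming)) return VersionCheck::kInvalidPackageManifest;
    const auto it = history_.find(shortName);
    if (it != history_.end())
      for (const Version& seen : it->second)
        if (!IsHigher(incoming, seen)) return VersionCheck::kOldVersion;
    return VersionCheck::kAccepted;
  }

  // Records a successfully installed version. Removing the cluster later does
  // not erase the entry, so a re-install must still be higher than it.
  void RecordInstalled(const std::string& shortName, const std::string& versionLabel) {
    Version v;
    if (ParseStrongRevisionLabel(versionLabel, v)) history_[shortName].push_back(v);
  }

 private:
  std::map<std::string, std::vector<Version>> history_;
};

int main() {
  SwClusterVersionPolicy policy;
  policy.RecordInstalled("swc.Telematics", "1.4.2");   // constructed sample history
  std::cout << "1.4.2 again accepted? "
            << (policy.Check("swc.Telematics", "1.4.2") == VersionCheck::kAccepted) << '\n';
  std::cout << "1.5.0 accepted? "
            << (policy.Check("swc.Telematics", "1.5.0") == VersionCheck::kAccepted) << '\n';
  return 0;
}
```

The history must survive a removal of the cluster, which is why RecordInstalled only appends and nothing ever deletes from it; the downgrade path the text describes (repackaging a known-good old cluster under a higher version) passes this check because only the label is compared.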

7.1.2.1.3 Applications Persisted Data

Updating and rolling back of persisted data is handled completely by the application using persistency, without involvement of UCM. A detailed explanation can be found in the Persistency Specification [11]. An exception here is the removal of persistent data after a SoftwareCluster is removed.
[SWS_UCM_00184]{DRAFT} Persistent data clean-up after Software Cluster removal ⌈UCM shall remove persistent data of a removed SoftwareCluster by aggregating the information given in the application manifest, namely PersistencyKeyValueStorage.uri and PersistencyFileStorage.uri, in order to leave the AUTOSAR Adaptive Platform and the file system clean.⌉(RS_UCM_00026, RS_UCM_00017, RS_UCM_00004)
For more details, please refer to [SWS_PER_00397] in the Persistency Specification [11].
[SWS_UCM_00273]{DRAFT} Persistent data clean-up after Software Cluster update that removes a process ⌈UCM shall remove persistent data of a removed process by aggregating the information given in the execution manifest, namely PersistencyKeyValueStorage.uri and PersistencyFileStorage.uri, in order to leave the AUTOSAR Adaptive Platform and the file system clean.⌉(RS_UCM_00026, RS_UCM_00017, RS_UCM_00004)
Persistent data can include administrative and backup data.
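The two clean-up items differ only in which processes' uris are collected: all of them when the SoftwareCluster goes ([SWS_UCM_00184]), only those of processes that the update dropped ([SWS_UCM_00273]). The C++ below is an added example for this page, not AUTOSAR or Persistency code. It models the relevant manifest fields as plain structs with constructed sample content, aggregates the uris, and hands them to a caller-supplied deleter because the mapping from a persistency uri to a file system location is deployment-specific. Keeping a uri that a surviving process still declares is a defensive choice of this example; the page does not say whether storages can be shared.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// The parts of a process's execution manifest that matter for clean-up.
struct ProcessManifest {
  std::string name;
  std::vector<std::string> keyValueStorageUris;  // PersistencyKeyValueStorage.uri
  std::vector<std::string> fileStorageUris;      // PersistencyFileStorage.uri
};

struct SwClusterManifest {
  std::string shortName;
  std::vector<ProcessManifest> processes;
};

// Aggregates every persistency uri declared by the given processes.
std::set<std::string> PersistencyUrisOf(const std::vector<ProcessManifest>& processes) {
  std::set<std::string> uris;
  for (const auto& p : processes) {
    uris.insert(p.keyValueStorageUris.begin(), p.keyValueStorageUris.end());
    uris.insert(p.fileStorageUris.begin(), p.fileStorageUris.end());
  }
  return uris;
}

// [SWS_UCM_00184]: the whole SoftwareCluster is removed, so all of its uris go.
std::set<std::string> UrisToCleanAfterRemoval(const SwClusterManifest& removed) {
  return PersistencyUrisOf(removed.processes);
}

// [SWS_UCM_00273]: an update drops some processes; clean only their uris, and
// (defensive assumption of this example) keep any uri a surviving process still declares.
std::set<std::string> UrisToCleanAfterUpdate(const SwClusterManifest& before,
                                             const SwClusterManifest& after) {
  std::set<std::string> survivingNames;
  for (const auto& p : after.processes) survivingNames.insert(p.name);
  std::vector<ProcessManifest> dropped;
  for (const auto& p : before.processes)
    if (survivingNames.count(p.name) == 0) dropped.push_back(p);
  const std::set<std::string> candidates = PersistencyUrisOf(dropped);
  const std::set<std::string> stillUsed = PersistencyUrisOf(after.processes);
  std::set<std::string> result;
  for (const auto& uri : candidates)
    if (stillUsed.count(uri) == 0) result.insert(uri);
  return result;
}

// Hands each uri to the deployment-specific deleter; returns how many were handed over.
template <class Deleter>
std::size_t CleanUp(const std::set<std::string>& uris, Deleter deleteUri) {
  std::size_t n = 0;
  for (const auto& uri : uris) { deleteUri(uri); ++n; }
  return n;
}

// Constructed sample manifests (hypothetical names, not from any real deployment).
SwClusterManifest SampleBefore() {
  return {"swc.Infotainment",
          {{"Radio", {"kvs://infotainment/radio"}, {"fs://infotainment/radio/presets"}},
           {"Navi", {"kvs://infotainment/navi"}, {"fs://infotainment/maps"}}}};
}
SwClusterManifest SampleAfter() {   // Navi dropped, Media added, maps storage reused by Media
  return {"swc.Infotainment",
          {{"Radio", {"kvs://infotainment/radio"}, {"fs://infotainment/radio/presets"}},
           {"Media", {"kvs://infotainment/media"}, {"fs://infotainment/maps"}}}};
}

int main() {
  const std::set<std::string> uris = UrisToCleanAfterUpdate(SampleBefore(), SampleAfter());
  CleanUp(uris, [](const std::string& uri) { std::cout << "removing " << uri << '\n'; });
  return 0;
}
```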

7.1.2.2 Runtime dependencies

Processes within a SoftwareCluster can have functional dependencies toward other SoftwareClusters.
Dependencies are described in the SoftwareCluster metamodel, see [9].
[SWS_UCM_00120]{DRAFT} Runtime dependencies check ⌈UCM shall check runtime dependencies before the activation of the new software version. This action is done in the context of Activate.⌉(RS_UCM_00007)
The rationale is that if UCM has to process several Software Packages, execution dependencies may not be fulfilled at all times while the Software Packages are being processed, but they must be fulfilled before the changes can be activated.

7.1.2.3 Update scope and State Management

A Software Package processed by UCM can contain Adaptive Applications, updates to the AUTOSAR Adaptive Platform itself or to the underlying OS. The update type depends on the content of the Software Package.
[SWS_UCM_00099]{DRAFT} Update of Adaptive Application ⌈UCM shall be able to update Adaptive Applications.⌉(RS_UCM_00001)
[SWS_UCM_00100]{DRAFT} Update of Functional Clusters ⌈UCM shall be able to update all Functional Clusters, including UCM itself.⌉(RS_UCM_00028)
[SWS_UCM_00101]{DRAFT} Update of Host ⌈UCM shall be able to update the underlying OS hosting the AUTOSAR Adaptive Platform.⌉(RS_UCM_00029)
The definition of an updatable state with respect to the system setup is the OEM’s responsibility. Based on the system setup and the application, the system might need to be switched into a predefined state: to free resources to speed up the update, to block normal usage of software which might cause interruptions to the update process, and to block the use of functionality which might be interrupted by the update sequence.
[SWS_UCM_00257]{DRAFT} Update session ⌈To confirm the system is in an updatable state, UCM shall start an update session by calling the State Management UpdateRequest Service Interface RequestUpdateSession method after its dependency check triggered by the Activate method call.⌉(RS_UCM_00026, RS_UCM_00003)
[SWS_UCM_00258]{DRAFT} Update session rejected ⌈If the State Management UpdateRequest Service Interface RequestUpdateSession method call raises error kRejected, UCM shall transition from kActivating to kReady state and the Activate method call shall return ApplicationError UpdateSessionRejected.⌉(RS_UCM_00026, RS_UCM_00024)
If the update session could be recurrently rejected, it is up to the implementer to cache the dependency check result in order to avoid unnecessary computation and compute it only once.
During the update session, only the minimum set of applications required for the update process should be executed. This way the system is more robust, more resources are free and the user is blocked from using applications whose failure could pose a safety risk to the user.
Updates of some components require a Machine reset to be performed. These components should be configured to be part of Function Group MachineFG, as the update sequence of Function Group MachineFG includes a Machine reset. Execution Management, State Management, Communication Management and UCM itself are good examples which probably require a Machine reset to activate the update. Other such components could be applications involved in the update sequence or applications involved in safety monitoring. Further details on Function Group MachineFG can be found in State Management.
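The sequence inside Activate described by [SWS_UCM_00120], [SWS_UCM_00257] and [SWS_UCM_00258], including the cached dependency check the text suggests for recurrent rejections, is shown in the following C++ example. It is added here and is not AUTOSAR or any UCM implementation's code: the State Management UpdateRequest service is reduced to a virtual interface whose RequestUpdateSession returns false to model kRejected, the dependency model is a list of shortNames each cluster needs, and the enumerator MissingDependencies is the UCM ApplicationError this example uses for a failed dependency check, which the page does not name. Only the three Package Management states the page names for this step are modelled.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// UCM Package Management states that the page names for this step.
enum class PackageManagementState { kReady, kActivating, kActivated };

// UpdateSessionRejected is on the page ([SWS_UCM_00258]); MissingDependencies is
// the UCM ApplicationError used here for a failed dependency check (not on the page).
enum class ActivateResult { kOk, kMissingDependencies, kUpdateSessionRejected };

// Stand-in for the State Management UpdateRequest service interface; a real UCM
// reaches it through ara::com. Returning false models the kRejected error.
struct UpdateRequestService {
  virtual ~UpdateRequestService() = default;
  virtual bool RequestUpdateSession() = 0;
};

// Simplified dependency information of one SoftwareCluster (assumed shape of [9]).
struct SwClusterModel {
  std::string shortName;
  std::vector<std::string> dependsOn;  // shortNames that must be present after activation
};

class UcmActivation {
 public:
  explicit UcmActivation(UpdateRequestService& stateManagement) : sm_(stateManagement) {}

  // The clusters that will be present once the processed packages are activated:
  // present ones plus added/updated ones, minus the removed ones.
  void SetTargetSystem(const std::vector<SwClusterModel>& clusters) {
    target_ = clusters;
    dependencyResultCached_ = false;
  }

  // Activate: [SWS_UCM_00120] dependency check, then [SWS_UCM_00257] update
  // session; on rejection [SWS_UCM_00258] returns to kReady with the error.
  ActivateResult Activate() {
    state_ = PackageManagementState::kActivating;
    if (!dependencyResultCached_) {   // computed once, as the page suggests
      missing_ = ComputeMissingDependencies();
      dependencyResultCached_ = true;
      ++dependencyCheckRuns_;
    }
    if (!missing_.empty()) {
      state_ = PackageManagementState::kReady;
      return ActivateResult::kMissingDependencies;
    }
    if (!sm_.RequestUpdateSession()) {
      state_ = PackageManagementState::kReady;
      return ActivateResult::kUpdateSessionRejected;
    }
    state_ = PackageManagementState::kActivated;  // the switch-over itself is outside this example
    return ActivateResult::kOk;
  }

  PackageManagementState State() const { return state_; }
  const std::vector<std::string>& MissingDependencies() const { return missing_; }
  unsigned DependencyCheckRuns() const { return dependencyCheckRuns_; }

 private:
  // "A -> B" for every dependency B of cluster A that is not in the target system.
  std::vector<std::string> ComputeMissingDependencies() const {
    std::set<std::string> available;
    for (const auto& c : target_) available.insert(c.shortName);
    std::vector<std::string> missing;
    for (const auto& c : target_)
      for (const auto& dep : c.dependsOn)
        if (available.count(dep) == 0) missing.push_back(c.shortName + " -> " + dep);
    return missing;
  }

  UpdateRequestService& sm_;
  std::vector<SwClusterModel> target_;
  std::vector<std::string> missing_;
  bool dependencyResultCached_ = false;
  unsigned dependencyCheckRuns_ = 0;
  PackageManagementState state_ = PackageManagementState::kReady;
};

// Constructed State Management double: rejects the first N session requests.
struct RejectingStateManagement : UpdateRequestService {
  explicit RejectingStateManagement(unsigned rejections) : left(rejections) {}
  bool RequestUpdateSession() override {
    if (left > 0) { --left; return false; }
    return true;
  }
  unsigned left;
};

int main() {
  RejectingStateManagement sm(1);
  UcmActivation ucm(sm);
  const std::vector<SwClusterModel> target = {{"swc.Base",{}}, {"swc.App", {"swc.Base"}}};  // constructed
  ucm.SetTargetSystem(target);
  std::cout << "first Activate ok? " << (ucm.Activate() == ActivateResult::kOk) << '\n';   // rejected
  std::cout << "second Activate ok? " << (ucm.Activate() == ActivateResult::kOk) << '\n';  // accepted
  return 0;
}
```

The cache is invalidated whenever the target system changes, so a new ProcessSwPackage after a rejection triggers a fresh dependency check while a plain retry of Activate does not.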

7.1.3 Transferring Software Packages

To speed up the overall data transmission time, the package transfer is decoupled from the processing and activation process. This section describes requirements for the initiation of a data transfer, the data transmission and the ending of the data transmission.
Each Software Package gets its own state as soon as it is being transferred to UCM. The state machine in Fig. 7.4 specifies the lifecycle of a Software Package that is transferred to and processed by UCM. During this lifecycle, a Software Package is uniquely identified with an id that UCM provides to the client.
The UCM has the possibility to keep the Software Package in the kTransferred state in case the update failed and to retry later: transferring a Software Package can be costly, and if it is authenticated there may be no reason to delete it when the update has not been successfully finished.

Figure 7.4: State Machine representing Software Packages lifecycle (diagram residue, summarised: states Initial, kTransferring, kTransferred, kProcessing, kProcessingStream, kProcessed and Final; TransferStart leads from Initial to kTransferring, TransferData loops in kTransferring, and TransferExit with guard [TransferCompleted] leads to kTransferred; ProcessSwPackage leads from kTransferred to kProcessing, or from kTransferring to kProcessingStream where TransferData and TransferExit continue, and [ProcessSwPackageDone] leads to kProcessed; Cancel with guard [TransferNotCompleted], DeleteTransfer, RevertProcessedSwPackages, ProcessedSwPackageCancelled and Finish lead towards Final, where the decision "Stored transfer blocks?" returns to kTransferred when [transfer blocks stored] and ends in Final when [transfer blocks not stored])

[SWS_UCM_00007] Data transfer at any time ⌈UCM shall provide support to transfer Software Packages at any time when UCM is running. Transferring is decoupled from the UCM Package Management states.⌉(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
[SWS_UCM_00272]{DRAFT} Transfer block size ⌈TransferStart shall return the BlockSize parameter to indicate the maximum block size allowed to be transferred in one TransferData method call.⌉(RS_UCM_00025)
The block size should be aligned with the flashing capability of the target, for instance the flashing capability of a Classic Platform ECU.


[SWS_UCM_00088] Preparation of data transfer ⌈Data transfer shall be prepared with the method TransferStart. In the preparation step the number of bytes to be transferred is provided by the client and UCM assigns an id for the Software Package to be transferred.⌉(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
While a Software Package is being transferred, if UCM receives a subsequent TransferStart call targeting another Software Package, UCM should make sure that the sum of the sizes of both Software Packages (the one being transferred and the one requested to be transferred) does not exceed the size of the UCM buffer. Otherwise, TransferStart should raise the ApplicationError InsufficientMemory and the newly requested transmission should be rejected as described above.
[SWS_UCM_00008] Executing the data transfer ⌈After preparation of the data transfer, the block-wise transmission of the Software Package shall be supported by the method TransferData.⌉(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
[SWS_UCM_00145] Sequential order of data transfer ⌈The method TransferData shall support the parameter blockCounter that shall start with 0x01 and be incremented by one for each subsequent block.⌉(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
[SWS_UCM_00010] End of data transfer ⌈After transmission of a Software Package is completed, the transmission can be finished with method TransferExit.⌉(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
[SWS_UCM_00028]{DRAFT} Software Package Authentication ⌈UCM shall check authentication of the Software Package or the transferred block before processing it.⌉(RS_UCM_00006)
A Software Package contains authentication and integrity tags, which are used during the transfer sequence to authenticate the content of the Software Package.
[SWS_UCM_00075] Multiple data transfers in parallel ⌈Handling of multiple data transfers in parallel shall be supported by UCM.⌉(RS_UCM_00019)
If UCM provides enough buffering resources for Software Packages, several packages could be transferred (in parallel) before they are processed one after the other.
The processing (i.e. unpacking and actually applying changes to the AUTOSAR Adaptive Platform) of Software Packages, described by the state kProcessing, is further detailed in Sect. 7.1.5.
[SWS_UCM_00021] Deleting transferred Software Packages ⌈UCM shall provide a method DeleteTransfer that shall delete the targeted Software Package and free the resources reserved to store that Software Package.⌉(RS_UCM_00018)
[SWS_UCM_00069] Report information on Software Packages ⌈UCM shall provide a method GetSwPackages of the service interface PackageManagement to provide the Software Packages’ identifiers, names, versions, states, consecutive bytes received and consecutive blocks received.⌉(RS_UCM_00010)


If a Software Package is in the kTransferring state, it is not possible to get versions or names, as the manifest could be incomplete or inaccessible; therefore the method GetSwPackages should return empty values except for TransferID, ConsecutiveBytesReceived and ConsecutiveBlocksReceived in this particular state.
[SWS_UCM_00216] Validity of TransferId ⌈The TransferId of a Software Package shall be invalidated for further use when it reaches the final lifecycle state.⌉(RS_UCM_00019)

7.1.3.1 Error handling in TransferStart

TransferStart allocates resources for the client transfer.
[SWS_UCM_00140] UCM insufficient memory ⌈The TransferStart method shall raise the ApplicationError InsufficientMemory if the UCM buffer has not enough resources to store the corresponding Software Package.⌉(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)

7.1.3.2 Error handling in TransferData

TransferData executes the following checks. It is recommended to follow the
specified order.
[SWS_UCM_00275]{DRAFT} TransferData error handling order ⌈TransferData
method shall check the following error conditions and return the respective error
code.
1. [SWS_UCM_00208]
2. [SWS_UCM_00203]
3. [SWS_UCM_00204]
4. [SWS_UCM_00243]
5. [SWS_UCM_00205]
6. [SWS_UCM_00206]
7. [SWS_UCM_00289]
8. [SWS_UCM_00207]
9. [SWS_UCM_00098]
10. [SWS_UCM_00209]
11. [SWS_UCM_00103]
⌋(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)

[SWS_UCM_00208] TransferData OperationNotPermitted ⌈Calling TransferData
after calling TransferExit for a specific TransferId shall raise the error
ApplicationError OperationNotPermitted.⌋(RS_UCM_00019)
[SWS_UCM_00203] TransferData InvalidTransferId ⌈TransferData shall raise the
error ApplicationError InvalidTransferId in case an invalid TransferId (an ID
that was not initiated by TransferStart or that was marked invalid by DeleteTransfer
or RevertProcessedSwPackages) is sent by the client.⌋(RS_UCM_00019)
[SWS_UCM_00204] TransferData IncorrectBlock ⌈TransferData shall raise
ApplicationError IncorrectBlock upon receipt of a block counter value that was
already successfully transmitted to UCM before (a repeated block) or upon receipt of
any other unexpected block counter value.⌋(RS_UCM_00014, RS_UCM_00019)
[SWS_UCM_00243] Too big block size received by UCM ⌈In the case the received
block size with TransferData exceeds the block size returned by TransferStart
for the same TransferId, UCM shall raise the ApplicationError
IncorrectBlockSize.⌋(RS_UCM_00013, RS_UCM_00014, RS_UCM_00025)
[SWS_UCM_00205] TransferData IncorrectSize ⌈In case the transferred Software
Package size exceeds the size provided in TransferStart, TransferData shall raise
ApplicationError IncorrectSize.⌋(RS_UCM_00014, RS_UCM_00019)
[SWS_UCM_00206] TransferData InsufficientMemory ⌈TransferData shall raise
the error ApplicationError InsufficientMemory if the resources to store the
Software Package ceased to exist during the transfer operation.⌋(RS_UCM_00013,
RS_UCM_00019)
[SWS_UCM_00289]{DRAFT} TransferData TransferFailed ⌈TransferData
shall raise the error ApplicationError TransferFailed if UCM cannot persist
the transferred block.⌋(RS_UCM_00013)
[SWS_UCM_00207]{DRAFT} TransferData BlockInconsistent ⌈TransferData
shall raise the error ApplicationError BlockInconsistent in case the consistency
check of the transferred block fails.⌋(RS_UCM_00012)
[SWS_UCM_00098]{DRAFT} Software Package Authentication failure ⌈UCM
shall raise the ApplicationError AuthenticationFailed, if the Software
Package authentication check fails.⌋(RS_UCM_00013, RS_UCM_00019,
RS_UCM_00025)
This error can be raised when the TransferData, TransferExit and
ProcessSwPackage methods are called. When the AuthenticationFailed error is
raised, it is up to the client to decide whether DeleteTransfer will be called or not.
The behaviour may vary depending on the life cycle phase, i.e. R&D phase or
in-the-field phase.
TransferData checks the package version format in accordance with
[SWS_UCM_00161] (IncompatiblePackageVersion).

[SWS_UCM_00209]{DRAFT} TransferData PackageInconsistent ⌈TransferData
shall raise the error ApplicationError PackageInconsistent in case the
Software Package integrity check fails.⌋(RS_UCM_00006, RS_UCM_00012)
TransferData checks whether the Software Cluster version being updated is older
than the one currently present in the Machine in accordance with [SWS_UCM_00103]
(OldVersion).

7.1.3.3 Error handling in TransferExit

[SWS_UCM_00276]{DRAFT} TransferExit error handling order ⌈TransferExit
method shall check the following error conditions and return the respective error
code.
1. [SWS_UCM_00148]
2. [SWS_UCM_00212]
3. [SWS_UCM_00087]
4. [SWS_UCM_00098]
5. [SWS_UCM_00092]
6. [SWS_UCM_00161]
7. [SWS_UCM_00213]
8. [SWS_UCM_00103]
⌋(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
[SWS_UCM_00148] Transfer sequence order ⌈Calling TransferExit without calling
TransferData at least once, or after TransferExit has already been called for a
specific TransferID, shall raise the ApplicationError OperationNotPermitted.⌋
(RS_UCM_00019)
[SWS_UCM_00212] TransferExit InvalidTransferId ⌈TransferExit shall raise the
error ApplicationError InvalidTransferId in case an invalid TransferId is sent
by the client.⌋(RS_UCM_00019)
[SWS_UCM_00087] Insufficient amount of data transferred ⌈During TransferExit
UCM shall check if all blocks of the Software Package have been transferred
according to the size parameter of TransferStart. If not, UCM shall return
ApplicationError InsufficientData.⌋(RS_UCM_00013, RS_UCM_00019,
RS_UCM_00025)
TransferExit checks authentication in accordance with [SWS_UCM_00098]
(AuthenticationFailed).
[SWS_UCM_00092] Software Package integrity ⌈During TransferExit UCM shall
raise the ApplicationError PackageInconsistent if the Software Package
integrity check fails. This Software Package integrity check may be realized by
the UCM via a Software Package Checksum check or via other mechanisms.⌋
(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
TransferExit checks the package version format in accordance with
[SWS_UCM_00161] (IncompatiblePackageVersion).
[SWS_UCM_00213] TransferExit InvalidPackageManifest ⌈TransferExit
shall raise the error ApplicationError InvalidPackageManifest upon receipt
of an invalid manifest.⌋(RS_UCM_00012)
TransferExit checks whether the Software Cluster version being updated is older
than the one currently present in the Machine in accordance with [SWS_UCM_00103]
(OldVersion).

7.1.3.4 Error handling in DeleteTransfer

[SWS_UCM_00283]{DRAFT} DeleteTransfer error handling order ⌈DeleteTransfer
method shall check the following error conditions and return the respective
error code.
1. [SWS_UCM_00214]
2. [SWS_UCM_00215]
⌋(RS_UCM_00013, RS_UCM_00019, RS_UCM_00025)
DeleteTransfer checks if the supplied parameter TransferId is valid.
[SWS_UCM_00214] DeleteTransfer InvalidTransferId ⌈DeleteTransfer shall
raise the error ApplicationError InvalidTransferId in case an invalid
TransferId is sent by the client.⌋(RS_UCM_00019)
[SWS_UCM_00215] DeleteTransfer OperationNotPermitted ⌈Calling DeleteTransfer
while the targeted Software Package is being processed, either by regular
processing or by processing from a stream, shall raise the error
ApplicationError OperationNotPermitted.⌋(RS_UCM_00019)
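The transfer sequence of 7.1.3 and its error ordering, as an added example that is not part of this specification or of any UCM implementation (C++): TransferStart reserves buffer space, TransferData applies the first five checks of [SWS_UCM_00275], TransferExit applies the first four checks of [SWS_UCM_00276], and a failed authentication tag discards the package as [SWS_UCM_00200] requires. The package format (payload followed by an 8-byte big-endian FNV-1a tag as a stand-in for the real authentication tag), the fixed 64-byte buffer, the constant 8-byte block size and all class and function names are assumptions of the example, not names from the specification.

```cpp
// Added example, not AUTOSAR or vendor UCM code: a minimal model of the
// transfer sequence performing the TransferData / TransferExit checks in the
// order of [SWS_UCM_00275] and [SWS_UCM_00276]. Assumptions: the package ends
// in an 8-byte big-endian FNV-1a tag over the payload (stand-in for the real
// authentication tag), TransferStart reserves the announced size from a fixed
// buffer, and the block size TransferStart reports is a constant 8 bytes.
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

enum class UcmError { kNone, kOperationNotPermitted, kInvalidTransferId, kIncorrectBlock,
                      kIncorrectBlockSize, kIncorrectSize, kInsufficientMemory,
                      kInsufficientData, kAuthenticationFailed };

// Stand-in tag function; a real UCM verifies a signature with a provisioned key.
static uint64_t Fnv1a(const uint8_t* p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; ++i) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

// Assumed package layout: payload || 8-byte big-endian tag over the payload.
std::vector<uint8_t> BuildPackage(const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> pkg(payload);
    uint64_t tag = Fnv1a(payload.data(), payload.size());
    for (int i = 7; i >= 0; --i) pkg.push_back(static_cast<uint8_t>(tag >> (8 * i)));
    return pkg;
}

// Bytes [a, b) of a package, i.e. one block as the client sends it.
std::vector<uint8_t> Slice(const std::vector<uint8_t>& v, size_t a, size_t b) {
    return std::vector<uint8_t>(v.begin() + a, v.begin() + b);
}

struct Transfer {
    uint64_t expectedSize;      // size announced at TransferStart
    uint32_t nextBlock = 1;     // block counter the client must send next
    bool exited = false;        // TransferExit already accepted
    std::vector<uint8_t> data;  // consecutive bytes received so far
};

class PackageManagement {
public:
    static constexpr uint32_t kBlockSize = 8;
    explicit PackageManagement(uint64_t bufferBytes) : free_(bufferBytes) {}
    // [SWS_UCM_00140]: reserve storage up front or fail with InsufficientMemory.
    UcmError TransferStart(uint64_t size, uint32_t& id) {
        if (size > free_) return UcmError::kInsufficientMemory;
        free_ -= size;
        id = nextId_++;
        transfers_.emplace(id, Transfer{size});
        return UcmError::kNone;
    }
    // Checks 1-5 of [SWS_UCM_00275]; the storage-backend errors are not modelled.
    UcmError TransferData(uint32_t id, const std::vector<uint8_t>& block, uint32_t counter) {
        auto it = transfers_.find(id);
        if (it != transfers_.end() && it->second.exited) return UcmError::kOperationNotPermitted;  // 00208
        if (it == transfers_.end()) return UcmError::kInvalidTransferId;                         // 00203
        Transfer& t = it->second;
        if (counter != t.nextBlock) return UcmError::kIncorrectBlock;                            // 00204
        if (block.size() > kBlockSize) return UcmError::kIncorrectBlockSize;                     // 00243
        if (t.data.size() + block.size() > t.expectedSize) return UcmError::kIncorrectSize;      // 00205
        t.data.insert(t.data.end(), block.begin(), block.end());
        ++t.nextBlock;
        return UcmError::kNone;
    }
    // Checks 1-4 of [SWS_UCM_00276]; a failed tag check also discards the package
    // and frees its storage ([SWS_UCM_00200]), so its TransferId becomes invalid.
    UcmError TransferExit(uint32_t id) {
        auto it = transfers_.find(id);
        if (it != transfers_.end() && (it->second.exited || it->second.data.empty())) return UcmError::kOperationNotPermitted;  // 00148
        if (it == transfers_.end()) return UcmError::kInvalidTransferId;                         // 00212
        Transfer& t = it->second;
        if (t.data.size() < t.expectedSize) return UcmError::kInsufficientData;                  // 00087
        size_t n = t.data.size() < 8 ? 0 : t.data.size() - 8;  // payload length
        uint64_t claimed = 0;
        for (size_t i = n; i < t.data.size(); ++i) claimed = (claimed << 8) | t.data[i];
        if (t.data.size() < 8 || claimed != Fnv1a(t.data.data(), n)) {                           // 00098
            DeleteTransfer(id);
            return UcmError::kAuthenticationFailed;
        }
        t.exited = true;
        return UcmError::kNone;
    }
    // [SWS_UCM_00021] / [SWS_UCM_00214]: release the storage reserved at TransferStart.
    UcmError DeleteTransfer(uint32_t id) {
        auto it = transfers_.find(id);
        if (it == transfers_.end()) return UcmError::kInvalidTransferId;
        free_ += it->second.expectedSize;
        transfers_.erase(it);
        return UcmError::kNone;
    }
    uint64_t FreeBytes() const { return free_; }
private:
    uint64_t free_;
    uint32_t nextId_ = 1;
    std::map<uint32_t, Transfer> transfers_;
};
```

Two things the ordering makes visible to a client: a repeated block counter is answered with IncorrectBlock before any size check is made, and a single flipped byte is only detected at TransferExit as AuthenticationFailed. Because the package is discarded at that point, a client that retries TransferData on the same TransferId receives InvalidTransferId rather than OperationNotPermitted, which is the signal that a fresh TransferStart is required.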

7.1.4 Processing of Software Packages from a stream

It is also possible to process a Software Package while the transfer is still ongoing.
The following requirements apply for this use case.
[SWS_UCM_00165] Processing from stream ⌈The UCM may support calling
ProcessSwPackage directly from stream without waiting to receive the Software
Package completely.⌋(RS_UCM_00001, RS_UCM_00003, RS_UCM_00004,
RS_UCM_00025)

[SWS_UCM_00166] Processing from stream state ⌈If UCM supports processing
from stream and is in state kIdle or kReady, the method ProcessSwPackage for a
Software Package in state kTransferring shall set this Software Package to
state kProcessingStream.⌋(RS_UCM_00024, RS_UCM_00025)
[SWS_UCM_00167]{DRAFT} Cancelling streamed packages ⌈All temporary and
processed data of a Software Package in state kProcessingStream shall be
removed if Cancel is called.⌋(RS_UCM_00020, RS_UCM_00025)
[SWS_UCM_00168] Transferring while processing from stream ⌈Software
Package state shall remain in kProcessingStream when TransferData is
called.⌋(RS_UCM_00024, RS_UCM_00025)
[SWS_UCM_00169] Finishing transfer while processing from stream ⌈Software
Package state shall be set to kProcessed when TransferExit is called and the
Software Package is completely processed.⌋(RS_UCM_00024, RS_UCM_00025)
[SWS_UCM_00200]{DRAFT} Failing authentication ⌈UCM shall delete the Software
Package and its related data processed by the ProcessSwPackage call if
authentication fails at the TransferExit or ProcessSwPackage call.⌋(RS_UCM_00039,
RS_UCM_00006)

7.1.5 Processing Software Packages

In contrast to package transmission, only one Software Package can be processed
at the same time to ensure consistency of the system. In the following, a software
or package processing can involve any combination of an installation, update or
removal of applications, configuration data, calibration data or manifests. It is up to
the vendor-specific metadata inside a Software Package to describe the tasks UCM
has to perform for its processing. For a removal, this might involve metadata
describing which data needs to be deleted. Nevertheless, the communication sequence
between the triggering application of the software modification and UCM is the same
in any case. For an update of an existing application, the Software Package can
contain only partial data, e.g. just an updated version of the execution manifest.
Any UCM Client needs to confirm that UCM is in the kIdle CurrentStatus state
before starting any update (process/activate).
[SWS_UCM_00001] Starting the package processing ⌈UCM shall provide a method
ProcessSwPackage to process a transferred Software Package. The id
corresponding to the Software Package shall be provided as parameter of this
method.⌋(RS_UCM_00001, RS_UCM_00004, RS_UCM_00005)
[SWS_UCM_00137] Processing several update Software Packages ⌈UCM shall
support processing of several Software Packages, not in parallel, by calling
method ProcessSwPackage several times in sequence.⌋(RS_UCM_00001,
RS_UCM_00004, RS_UCM_00005)
During package processing, the progress is provided.

[SWS_UCM_00018] Providing Progress Information ⌈UCM shall provide a method
GetSwProcessProgress to query the progress of executing the ProcessSwPackage
method call for the provided TransferId. Parameter progress shall be set to a value
representing the progress between 0% and 100% (0x00 ... 0x64).⌋(RS_UCM_00023)
[SWS_UCM_00003] Cancelling the package processing ⌈UCM shall provide a
method Cancel to cancel the running package processing. UCM shall then abort the
current package processing task, undo any changes and free any reserved resources.⌋
(RS_UCM_00020)
[SWS_UCM_00024] Revert all processed Software Packages ⌈UCM shall provide
a method RevertProcessedSwPackages to revert all changes done with
ProcessSwPackage.⌋(RS_UCM_00008)
The main difference between a RevertProcessedSwPackages and a Rollback is
that the former can only be performed before the successful activation of the targeted
Software Package(s) while the latter can only be performed after such activation.
Depending on the capabilities of UCM and of the updated target, RevertPro-
cessedSwPackages is used to revert all the changes that have been applied by
ProcessSwPackage. Cancel is also used to revert the changes of the Software
Package for which processing started by ProcessSwPackage method call and iden-
tified by TransferId. For example, if an application with large resource files is updated
“in place” (i.e. in the same partition) then it might not be feasible to revert the update. In
this case, to perform a rollback the triggering application could download a Software
Package to restore a stable version of the application.

7.1.5.1 Error handling during Processing Software Packages

[SWS_UCM_00277]{DRAFT} ProcessSwPackage error handling order
⌈ProcessSwPackage method shall check the following error conditions and return the
respective error code.
1. [SWS_UCM_00219]
2. [SWS_UCM_00017]
3. [SWS_UCM_00218]
4. [SWS_UCM_00098]
5. [SWS_UCM_00161]
6. [SWS_UCM_00029]
7. [SWS_UCM_00285]
8. [SWS_UCM_00231]
9. [SWS_UCM_00217]
10. [SWS_UCM_00267]
11. [SWS_UCM_00104]
12. [SWS_UCM_00103]
13. [SWS_UCM_00150]
⌋(RS_UCM_00026)
[SWS_UCM_00219] ProcessSwPackage OperationNotPermitted ⌈ProcessSwPackage
shall raise the error ApplicationError OperationNotPermitted in case the
processing of the specified Software Package is already done, in case the action of
the processed Software Package is the update or removal of a non-existing
Software Cluster, or in case streaming is not possible.⌋(RS_UCM_00025,
RS_UCM_00026)
[SWS_UCM_00017] Sequential Software Package Processing ⌈Once method
ProcessSwPackage has been called by a client, further calls to the same method
shall be rejected with ApplicationError ServiceBusy as long as CurrentStatus
remains kProcessing, i.e. until the running processing has completed.⌋(RS_UCM_00001,
RS_UCM_00003, RS_UCM_00026)
[SWS_UCM_00218] ProcessSwPackage InvalidTransferId ⌈ProcessSwPackage
shall raise the error ApplicationError InvalidTransferId in case an invalid
TransferId is sent by the client.⌋(RS_UCM_00026)
ProcessSwPackage checks authentication in accordance with [SWS_UCM_00098]
(AuthenticationFailed).
[SWS_UCM_00161] Check Software Package version compatibility against UCM
version ⌈At ProcessSwPackage, TransferData or TransferExit calls, UCM shall raise
ApplicationError IncompatiblePackageVersion if the version for the Software
Package transferred or to be processed, expressed by the minimumSupportedUcmVersion
attribute, is higher than the current version of UCM.⌋(RS_UCM_00007)
The Software Package is generated by tooling that includes a packager whose
version may not match the UCM version, which can lead to manifest interpretation
issues, for instance.
[SWS_UCM_00029] Consistency Check of Manifest ⌈UCM shall validate the content
of the manifest against the schema defined for the meta-data (e.g. for a missing
parameter or for a parameter value out of range) and shall raise the
ApplicationError InvalidPackageManifest if it finds discrepancies there.⌋
(RS_UCM_00012)
[SWS_UCM_00285]{DRAFT} Removing or updating a Software Cluster not
existing in the Machine ⌈If a Software Package's action is to remove or update
a Software Cluster that is not existing in the Machine, UCM shall raise
ApplicationError SoftwareClusterMissing when ProcessSwPackage is called.⌋
(RS_UCM_00015)

[SWS_UCM_00231]{DRAFT} ProcessSwPackage IncompatibleDelta
⌈ProcessSwPackage shall raise the error ApplicationError IncompatibleDelta
if the delta package dependency is not satisfied at processing.⌋(RS_UCM_00007)
[SWS_UCM_00217]{DRAFT} ProcessSwPackage InsufficientMemory
⌈ProcessSwPackage method shall raise the ApplicationError InsufficientMemory
if the UCM buffer has not enough resources to process the corresponding Software
Package.⌋(RS_UCM_00013, RS_UCM_00025)
[SWS_UCM_00267]{DRAFT} Error when checksum is not recognised at processing
time ⌈If the checksum attribute of ArtifactChecksum or the CryptoProvider is not
recognised, UCM shall raise the ApplicationError InvalidChecksumDescription.⌋
(RS_UCM_00012)
[SWS_UCM_00104] Integrity Check of processed Package ⌈UCM shall raise the
ApplicationError ProcessedSoftwarePackageInconsistent if the integrity check
of the processed Software Packages fails.⌋(RS_UCM_00012)
This check is realized by the UCM to verify that it did not corrupt any files during
the processing. The integrity check is vendor specific and may be realized by the
UCM by checking the payload Checksum or by any other mechanism.
ProcessSwPackage checks whether the Software Cluster version being updated is
older than the one currently present in the Machine in accordance with
[SWS_UCM_00103] (OldVersion).
[SWS_UCM_00150] Cancellation of a Software Package processing
⌈ProcessSwPackage method shall raise the ApplicationError
ProcessSwPackageCancelled if the Cancel method has been called during the
processing of a Software Package.⌋(RS_UCM_00024)

7.1.5.2 Error handling for Cancel

[SWS_UCM_00278]{DRAFT} Cancel error handling order ⌈Cancel method shall
check the following error conditions and return the respective error code.
1. [SWS_UCM_00234]
2. [SWS_UCM_00235]
⌋(RS_UCM_00020)
[SWS_UCM_00234] Cancel OperationNotPermitted ⌈Cancel shall raise the error
ApplicationError OperationNotPermitted in case the targeted Software
Package processing has not yet started or has already finished.⌋(RS_UCM_00020)
[SWS_UCM_00235] Cancel InvalidTransferId ⌈Cancel shall raise the error
ApplicationError InvalidTransferId in case an invalid TransferId is sent by the
client.⌋(RS_UCM_00020)

7.1.5.3 Error handling for RevertProcessedSwPackages

[SWS_UCM_00279]{DRAFT} RevertProcessedSwPackages error handling order
⌈RevertProcessedSwPackages method shall check the following error conditions
and return the respective error code.
1. [SWS_UCM_00237]
2. [SWS_UCM_00236]
⌋(RS_UCM_00020)
[SWS_UCM_00237] RevertProcessedSwPackages OperationNotPermitted
⌈RevertProcessedSwPackages method call shall raise the error ApplicationError
OperationNotPermitted in case the processed Software Packages have been
successfully activated, or if it is called in states other than kReady (Software
Package(s) have finished being processed) or kProcessing.⌋(RS_UCM_00020)
[SWS_UCM_00236]{DRAFT} RevertProcessedSwPackages NotAbleToRevertPackages
⌈RevertProcessedSwPackages shall raise the error ApplicationError
NotAbleToRevertPackages in case reverting of the processed Software Packages
has failed.⌋(RS_UCM_00020)

7.1.5.4 Error handling for GetSwProcessProgress

[SWS_UCM_00220] GetSwProcessProgress InvalidTransferId
⌈GetSwProcessProgress shall raise the error ApplicationError InvalidTransferId
in case an invalid TransferId is sent by the client.⌋(RS_UCM_00023)

7.1.6 Activation and Rollback

UCM should notify the activation or rollback of Software Packages to other
Functional Clusters of the AUTOSAR Adaptive Platform. A vendor-specific
solution dictates to which modules this information is made available, in which
form, and whether this is done directly when the change is made or when the change
is executed.

7.1.6.1 Activation

The SoftwareCluster state kPresent does not express whether a SoftwareCluster
is currently executed or not. Refer to chapter 7.1.1 Software Cluster Lifecycle for
more details about the kPresent state and to sequence diagram 10.4 for more details
about activation.

[SWS_UCM_00107] Activated state ⌈UCM state kActivated shall express that the
new versions of the updated SoftwareClusters have been verified.⌋(RS_UCM_00008,
RS_UCM_00030)
The state management [3] on the level of execution is handled by the UCM’s client
controlling the update process.
UCM has to be able to update several SoftwareClusters for an update campaign.
However, these SoftwareClusters could have dependencies not satisfied if updates
are processed and activated one by one. Therefore, UCM splits the activation action
from the general package processing.
[SWS_UCM_00027] Delta Package activation ⌈The applicable version of the
SoftwareCluster on which to apply the delta shall be included in the related
SoftwarePackage's deltaPackageApplicableVersion attribute.⌋(RS_UCM_00007)
[SWS_UCM_00025] Activation of SoftwareClusters ⌈UCM shall offer method
Activate to enable execution of any pending changes from the previously processed
Software Packages.⌋(RS_UCM_00021)
After Activate, the new set of SoftwareClusters can be started. Activation covers
all the processed Software Packages for all the clients.
[SWS_UCM_00022] Shared Activation of Software Packages ⌈UCM shall activate
all the processed Software Packages when Activate is called.⌋(RS_UCM_00021)
The activation method could lead to a full system reset. When a Software Package
updates the underlying OS, the AUTOSAR Adaptive Platform or any Adaptive
Application configured to be part of the Function Group MachineFG, the execution
of the updated software occurs through a system reset, triggered by calling the State
Management UpdateRequest Service Interface ResetMachine method. The meta-data
of the Software Package defines the activation method.
In principle, it is possible to activate multiple versions of the same SoftwareCluster
in one activation step. This could be useful, for example, with delta package updates,
but does not apply to firmware updates. The specification does not prohibit creating
this kind of chained update. The decision to use chained updates should be based on
safety aspects and on the applicability of the underlying update technology: whether
the update is for a Classic or an Adaptive Platform, whether a file system is involved,
and whether the platform used even supports it.

7.1.6.1.1 Error handling for Activate

[SWS_UCM_00281]{DRAFT} Activate error handling order ⌈Activate method
shall check the following error conditions and return the respective error code.
1. [SWS_UCM_00241]
2. [SWS_UCM_00026]
3. [SWS_UCM_00258]
4. [SWS_UCM_00242]
5. [SWS_UCM_00280]
⌋(RS_UCM_00026)
[SWS_UCM_00241] Activate OperationNotPermitted ⌈Activate shall raise the error
ApplicationError OperationNotPermitted in case the UCM state is not
kReady.⌋(RS_UCM_00021)
[SWS_UCM_00026] Dependency Check ⌈At activation (i.e. after Activate method
is called), UCM shall perform a dependency check to ensure that all the Software
Packages having dependencies toward each other have been processed successfully,
otherwise return ApplicationError MissingDependencies.⌋(RS_UCM_00007)
If Activate method cannot establish an Update Session with State Management,
it returns UpdateSessionRejected, see [SWS_UCM_00258].
[SWS_UCM_00242] Activate PreActivationFailed ⌈Activate shall raise the error
ApplicationError PreActivationFailed in case of an activation state transition
failure on the State Management side.⌋(RS_SM_00001)
[SWS_UCM_00280]{DRAFT} Activate VerificationFailed ⌈Activate shall raise
the error ApplicationError VerificationFailed in case of a verification failure
returned by State Management.⌋(RS_UCM_00021)

7.1.6.2 Rollback

[SWS_UCM_00005] Rollback to the software prior to Finish the update process
⌈UCM shall provide a method Rollback to recover from an activation that went wrong.⌋
(RS_UCM_00008)
Rollback can be called when A/B partitions are used or when UCM uses some other
solution to maintain backups of updated or removed Software Packages.
[SWS_UCM_00110] Rolling-back the software update ⌈At kRollingBack state,
UCM shall disable the changes done by the software update by calling the State
Management UpdateRequest Service Interface PrepareRollback method for each
Function Group of the processed Software Cluster in the update session. Then
UCM shall call the State Management UpdateRequest Service Interface ResetMachine
method if any Software Cluster requires a machine reboot to be rolled
back.⌋(RS_UCM_00008)

7.1.6.2.1 Error handling for Rollback

[SWS_UCM_00282]{DRAFT} Rollback error handling order ⌈Rollback method
shall check the following error conditions and return the respective error code.
1. [SWS_UCM_00239]
2. [SWS_UCM_00238]
⌋(RS_UCM_00008)
[SWS_UCM_00239] Rollback OperationNotPermitted ⌈Rollback shall raise the
error ApplicationError OperationNotPermitted in case the UCM current state is
not kActivated nor kVerifying.⌋(RS_UCM_00020)
[SWS_UCM_00238]{DRAFT} Rollback NotAbleToRollback ⌈Rollback shall raise
the error ApplicationError NotAbleToRollback in case a failure has occurred
during Rollback.⌋(RS_UCM_00020)

7.1.6.3 Boot options

During the update process the executed software is switched from the original
software to the updated software and, in case of rollback, from the updated software
back to the original version. Which version of the software is executed depends on
the UCM state and is managed by the UCM. In the case of a platform or OS update the
switch between software versions occurs through a system reset and, depending on
the system design, Execution Management [2] might be started before UCM. In this
case there cannot be a direct interface between UCM and Execution Management [2]
to define which versions of the software would be executed. Instead this is controlled
through persistent controls, which are referred to as Boot options in this document.
[SWS_UCM_00094] Management of executable software ⌈UCM shall manage which
version of software is available for the Execution Management [2] to launch.⌋
(RS_UCM_00021)
During the kActivating state, UCM modifies the Boot options so that in the next
restart for the updated software the new versions will be executed. In the kRolling-
Back state, UCM modifies the Boot options so that in the next restart of the updated
software the original versions will be executed.

7.1.6.4 Finishing activation

[SWS_UCM_00020] Finishing the packages activation ⌈UCM shall provide a method
Finish to commit all the changes and clean up all temporary data of the processed
Software Packages.⌋(RS_UCM_00015)

UCM should also remove Software Packages, logs or any older versions of changed
software to save storage space. It is up to the implementer whether to remove the
Software Packages.
[SWS_UCM_00259] Ending the update session ⌈UCM shall call the State Management
UpdateRequest Service Interface StopUpdateSession method when UCM is
exiting the kCleaningUp state.⌋(RS_UCM_00021, RS_UCM_00018)
[SWS_UCM_00240] Finish OperationNotPermitted ⌈Finish shall raise the error
ApplicationError OperationNotPermitted in case there are no activated nor
rolled-back Software Packages pending finalization (i.e. UCM state is not
kActivated nor kRolledBack).⌋(RS_UCM_00001, RS_UCM_00026)
For UCM to be able to free all unneeded resources while processing the Finish re-
quest, it is up to the vendor and platform specific implementation to make sure that
obsolete versions of changed SoftwareClusters aren’t executed anymore.

7.1.7 Status Reporting

Once Software Packages are transferred to UCM, they are ready to be processed
to finally apply changes to the AUTOSAR Adaptive Platform. In contrast to the
transmission, the processing and activation tasks have to happen in a strict sequential
order.
To give an overview of the update sequence, the global state of UCM is described in
this section. The details of the processing and activation phases and the methods are
specified in Sections 7.1.5 and 7.1.6.
The global state of UCM can be queried using the field CurrentStatus. The state
machine for CurrentStatus is shown in Fig. 7.5. This diagram does not include
behaviour after a reset. Examples of how UCM and its CurrentStatus field behave,
including reset management, can be found in chapter 10 Sequence Diagram.
[SWS_UCM_00019] Status Field of Package Management ⌈The global state of UCM
shall be provided using the field CurrentStatus.⌋(RS_UCM_00024)

Figure 7.5: State Machine for the package processing using service interface: Package-
Management

UCM supported method calls for each value of field CurrentStatus are shown in Fig.
7.5.
[SWS_UCM_00086]{OBSOLETE} Unsupported method calls ⌈Unsupported
method calls shall raise the ApplicationError OperationNotPermitted.⌋
(RS_UCM_00024)
[SWS_UCM_00080] Idle state of Package Management ⌈kIdle shall be the default
state.⌋(RS_UCM_00024)
[SWS_UCM_00149] Return to the Idle state from Processing state ⌈kIdle state
shall be set when ProcessSwPackage returns with error code
ProcessSwPackageCancelled and if no other Software Packages were previously
processed during this processing operation.⌋(RS_UCM_00024)
[SWS_UCM_00151] Entering the Ready state of Package Management after a
Cancel call ⌈If ProcessSwPackage has been cancelled, it shall return error code
ProcessSwPackageCancelled and set state to kReady only if at least one other
Software Package was previously processed during this processing operation.⌋
(RS_UCM_00024)

[SWS_UCM_00081] Processing state of Package Management ⌈kProcessing
state shall be set only if ProcessSwPackage has been called. This shall only be
possible if CurrentStatus is reported as kIdle or kReady.⌋(RS_UCM_00024)
[SWS_UCM_00266]{DRAFT} OperationNotPermitted error and UCM state ⌈UCM
shall return ApplicationError OperationNotPermitted if ProcessSwPackage
is called by a client with UCM at a CurrentStatus state different than kIdle,
kProcessing or kReady.⌋(RS_UCM_00001, RS_UCM_00004, RS_UCM_00005)
[SWS_UCM_00083] Entering the Ready state of Package Management after a
successful processing operation ⌈kReady state shall be set after a Software
Package processing has been completed successfully.⌋(RS_UCM_00024)
[SWS_UCM_00265]{DRAFT} State transition due to ProcessSwPackage error ⌈If
ProcessSwPackage raises an ApplicationError other than
ProcessSwPackageCancelled, it shall transition from kProcessing to kIdle if no
other Software Packages were previously processed during this processing
operation, or to kReady if at least one other Software Package was previously
processed before the failed processing operation, and shall perform clean-up
actions.⌋(RS_UCM_00015, RS_UCM_00026)
Clean-up actions could be similar to the cancel call by for instance deleting files, folders
or artefacts of the processed Software Cluster.
[SWS_UCM_00152] Entering the Ready state of Package Management after a
missing dependency ⌈kReady state shall be set when Activate fails due to an
ApplicationError MissingDependencies.⌋(RS_UCM_00024)
[SWS_UCM_00084] Entering the kActivating state of Package Management
⌈kActivating shall be set when Activate is called. This triggers the dependency
check and returns ApplicationError MissingDependencies if this check fails.⌋
(RS_UCM_00024)
[SWS_UCM_00153] Action in kActivating state of Package Management ⌈When
kActivating is set and after the State Management UpdateRequest Service
Interface RequestUpdateSession method call by UCM, the UCM shall call the State
Management UpdateRequest Service Interface PrepareUpdate method for the
concerned Software Cluster including a list of all Function Groups belonging
to that Software Cluster.⌋(RS_UCM_00024)
[SWS_UCM_00260]{DRAFT} PrepareUpdate, VerifyUpdate and PrepareRollback
orders ⌈UCM shall compute the order of the State Management UpdateRequest
Service Interface PrepareUpdate, VerifyUpdate and PrepareRollback method
calls from the dependency model included in the Software Cluster manifests.⌋
(RS_UCM_00007, RS_UCM_00021, RS_UCM_00030)
[SWS_UCM_00261] PrepareUpdate, VerifyUpdate and PrepareRollback
synchronous calls ⌈Calls to the State Management UpdateRequest Service Interface
PrepareUpdate, VerifyUpdate and PrepareRollback methods shall not be
concurrent.⌋(RS_UCM_00026)
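One way to derive those call orders, as an added example that is not part of this specification or of any UCM implementation (C++): the dependency model is reduced to a cluster name plus the names it depends on, PrepareUpdate and VerifyUpdate follow a topological order of the clusters processed in the session, PrepareRollback uses the reverse order, and a dependency that is neither processed in the session nor already present in the Machine is reported as missing, which is what [SWS_UCM_00026] turns into ApplicationError MissingDependencies. The manifest representation, the treatment of clusters already present in the Machine and the separate reporting of a dependency cycle are assumptions of the example.

```cpp
// Added example, not AUTOSAR or vendor UCM code: deriving the order of the
// State Management PrepareUpdate / VerifyUpdate calls from the dependency model
// of the processed Software Clusters, the reverse order for PrepareRollback
// ([SWS_UCM_00260]), and the MissingDependencies check of [SWS_UCM_00026].
// Assumptions: a manifest is reduced to a cluster name plus the names it depends
// on; a dependency on a cluster already present in the Machine and untouched by
// this session counts as satisfied; a dependency cycle is reported separately.
#include <map>
#include <set>
#include <string>
#include <vector>

struct ClusterManifest {
    std::string name;
    std::vector<std::string> dependsOn;  // clusters that must be prepared before this one
};

struct ActivationPlan {
    bool missingDependencies = false;       // -> ApplicationError MissingDependencies
    bool cycle = false;                     // no valid order exists
    std::vector<std::string> missing;       // unsatisfied dependency names
    std::vector<std::string> prepareOrder;  // PrepareUpdate / VerifyUpdate order
    std::vector<std::string> rollbackOrder; // PrepareRollback order (the reverse)
};

ActivationPlan PlanActivation(const std::vector<ClusterManifest>& processed,
                              const std::set<std::string>& presentInMachine) {
    ActivationPlan plan;
    std::set<std::string> inSession;
    for (const auto& c : processed) inSession.insert(c.name);

    // Dependency graph restricted to the clusters of this update session.
    std::map<std::string, int> indegree;
    std::map<std::string, std::vector<std::string>> dependents;
    for (const auto& c : processed) {
        indegree.emplace(c.name, 0);  // make sure every cluster is a node
        for (const auto& d : c.dependsOn) {
            if (inSession.count(d)) { ++indegree[c.name]; dependents[d].push_back(c.name); }
            else if (!presentInMachine.count(d)) plan.missing.push_back(d);
        }
    }
    if (!plan.missing.empty()) { plan.missingDependencies = true; return plan; }

    // Kahn's algorithm; std::map iteration keeps the result deterministic.
    std::vector<std::string> ready;
    for (const auto& kv : indegree) if (kv.second == 0) ready.push_back(kv.first);
    while (!ready.empty()) {
        std::string n = ready.front();
        ready.erase(ready.begin());
        plan.prepareOrder.push_back(n);
        for (const auto& m : dependents[n]) if (--indegree[m] == 0) ready.push_back(m);
    }
    if (plan.prepareOrder.size() != indegree.size()) {  // some node never reached 0
        plan.cycle = true;
        plan.prepareOrder.clear();
        return plan;
    }
    plan.rollbackOrder.assign(plan.prepareOrder.rbegin(), plan.prepareOrder.rend());
    return plan;
}
```

Issuing the PrepareUpdate, VerifyUpdate and PrepareRollback calls one cluster at a time in these orders is also what keeps them non-concurrent as [SWS_UCM_00261] requires; the missing list is what a client sees behind MissingDependencies and tells it which package still has to be transferred and processed before Activate can be retried.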

[SWS_UCM_00262]{DRAFT} Update preparation rejected ⌈If any one of the State Management UpdateRequest Service Interface PrepareUpdate method calls returns error kRejected too many times or for too long (implementation specific thresholds), UCM shall transition from kActivating to kReady state.⌋(RS_UCM_00026)
[SWS_UCM_00263] Update preparation failure ⌈If any one of the State Management UpdateRequest Service Interface PrepareUpdate method calls returns error kPrepareFailed, UCM shall transition from kActivating to kReady state.⌋(RS_UCM_00026)
[SWS_UCM_00154]{DRAFT} Entering the Verifying state of Package Management ⌈kVerifying shall be set when the dependency check has been performed successfully (all dependencies are satisfied) and the preparation of the Software Clusters by the State Management has been successfully performed.⌋(RS_UCM_00024)
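The kActivating preparation step above, as an added C++ example (not code from the AUTOSAR specification or any UCM implementation): it derives the PrepareUpdate call order from a constructed dependency model (SWS_UCM_00260), issues the calls one at a time (SWS_UCM_00261) and applies the kRejected retry threshold and kPrepareFailed handling of SWS_UCM_00262 and SWS_UCM_00263. The enum names, the dependency model and the count-only threshold (the "too long" time threshold is not modelled) are assumptions.

```cpp
#include <cstddef>
#include <functional>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical mirror of the State Management UpdateRequest results named in the text.
enum class PrepareResult { kSuccess, kRejected, kPrepareFailed };

// Hypothetical subset of the PackageManagement CurrentStatus values named in the text.
enum class CurrentStatus { kReady, kActivating, kVerifying };

// Constructed dependency model: Software Cluster name -> clusters it depends on.
using DependencyModel = std::map<std::string, std::vector<std::string>>;

// Orders the clusters so that every dependency precedes the clusters depending on it
// (SWS_UCM_00260). Returns an empty order when the model contains a cycle.
std::vector<std::string> PrepareOrder(const DependencyModel& model) {
  std::vector<std::string> order;
  std::set<std::string> done;
  std::set<std::string> visiting;
  bool cyclic = false;
  std::function<void(const std::string&)> visit = [&](const std::string& cluster) {
    if (cyclic || done.count(cluster)) return;
    if (visiting.count(cluster)) {  // reached again while still on the stack
      cyclic = true;
      return;
    }
    visiting.insert(cluster);
    auto it = model.find(cluster);
    if (it != model.end()) {
      for (const auto& dependency : it->second) visit(dependency);
    }
    visiting.erase(cluster);
    done.insert(cluster);
    order.push_back(cluster);
  };
  for (const auto& entry : model) visit(entry.first);
  return cyclic ? std::vector<std::string>{} : order;
}

// Result of the kActivating phase: the status UCM ends in and the clusters prepared.
struct PrepareOutcome {
  CurrentStatus status;
  std::vector<std::string> prepared;
};

// Drives the PrepareUpdate calls one after another (never concurrently, SWS_UCM_00261).
// A kRejected answer is retried up to maxRejects times per cluster; exceeding that
// threshold (SWS_UCM_00262) or a kPrepareFailed answer (SWS_UCM_00263) returns UCM to
// kReady. When every cluster is prepared, UCM moves on to kVerifying (SWS_UCM_00154).
PrepareOutcome RunPrepareUpdate(
    const DependencyModel& model,
    const std::function<PrepareResult(const std::string&)>& prepareUpdate,
    std::size_t maxRejects) {
  PrepareOutcome out{CurrentStatus::kActivating, {}};
  std::vector<std::string> order = PrepareOrder(model);
  if (order.empty() && !model.empty()) {  // cyclic model: no valid call order exists
    out.status = CurrentStatus::kReady;
    return out;
  }
  for (const auto& cluster : order) {
    std::size_t rejects = 0;
    while (true) {
      PrepareResult result = prepareUpdate(cluster);
      if (result == PrepareResult::kSuccess) {
        out.prepared.push_back(cluster);
        break;
      }
      if (result == PrepareResult::kPrepareFailed || ++rejects > maxRejects) {
        out.status = CurrentStatus::kReady;
        return out;
      }
    }
  }
  out.status = CurrentStatus::kVerifying;
  return out;
}
```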
The machine would most likely be restarted in case an A/B partition is used. In case the A/B partition is not used, all affected Function Groups or the platform could be restarted. Immediately after the processed Software Package has been restarted, a system check has to be performed in order to make sure the machine is able to start up as expected. With this check it is verified that other safety relevant software like Functional Cluster Platform Health Manager [12] is running and the user can be protected from any issues caused by the update after the update has finished.
An update would most likely require the manifests to be reparsed after performing the atomic activation of the Software Clusters (switching A/B partition, changing symlinks, etc.) if a machine reset is not needed.
[SWS_UCM_00085]{DRAFT} Entering the kActivated state of Package Management ⌈kActivated state shall be set when the machine or all impacted Function Groups (the ones related to the processed Software Package) have been successfully restarted and verified, as indicated by the successful return of the State Management UpdateRequest Service Interface VerifyUpdate method calls.⌋(RS_UCM_00024)
The kVerifying state gives the client controlling the update process a chance to perform verification tests by calling the State Management UpdateRequest Service Interface [SWS_SM_91017] VerifyUpdate method, though functionality in the verify state can be limited. The client can also coordinate the results over several AUTOSAR Adaptive Platforms and still perform a Rollback if verification indicates the need for it.
If the system check is successful, the client can decide either to Rollback the current active processing so that the previous working software gets started, or to perform Finish so that the changes of the processed software become permanent. By calling Finish a clean-up is initiated and, in case of A/B partition, a swap between the partitions happens and the newly inactive partition becomes a copy of the newly active partition. In case Finish succeeds (including the clean-up), the CurrentStatus changes to kIdle.
For Rollback the updated software needs to be deactivated and possibly reactivated from the original version, e.g. for a self-update of UCM. For this reason Rollback is also performed through two states, similarly to activation. Calling Rollback sets UCM into the kRollingBack state, where the original software version is made executable and where the original software is activated by the State Management. This is started by calling the State Management UpdateRequest Service Interface [SWS_SM_91017] PrepareRollback method for each Software Cluster. On success, UCM goes to the kRollingBack state. In this state all the changes introduced during the update process have been deactivated and can be cleaned up by calling Finish.
[SWS_UCM_00126] Entering the kRollingBack state after a Rollback call ⌈The state kRollingBack shall be set when Rollback is called.⌋(RS_UCM_00008, RS_UCM_00030)
[SWS_UCM_00155]{DRAFT} Entering the kRollingBack state after a failure in the kVerifying state ⌈The state kRollingBack shall be set if any of the State Management UpdateRequest Service Interface VerifyUpdate method calls returns the result kVerifyFailed.⌋(RS_UCM_00008, RS_UCM_00030)
[SWS_UCM_00264]{DRAFT} Update verification rejected ⌈If any one of the State Management UpdateRequest Service Interface VerifyUpdate method calls returns error kRejected too many times or for too long (implementation specific thresholds), UCM shall transition to kRollingBack state.⌋(RS_UCM_00030, RS_UCM_00008)
[SWS_UCM_00111]{DRAFT} Entering the kRollingBack state ⌈The state kRollingBack shall be set after all calls to State Management UpdateRequest Service Interface PrepareRollback have returned successfully.⌋(RS_UCM_00008, RS_UCM_00030)
[SWS_UCM_00146] Entering the Cleaning-up state after a Finish call ⌈The state kCleaningUp shall be set when Finish is called and the UCM starts to perform cleanup actions.⌋(RS_UCM_00008, RS_UCM_00030)
[SWS_UCM_00162] Entering the Cleaning-up state after a RevertProcessedSwPackages call ⌈The state kCleaningUp shall be set when RevertProcessedSwPackages is called in kProcessing or kReady states and the UCM starts to perform cleanup actions.⌋(RS_UCM_00008, RS_UCM_00030)
[SWS_UCM_00163] Action in Cleaning-up state ⌈When kCleaningUp state is set, the UCM shall clean up all data of the processed packages that are not needed anymore.⌋(RS_UCM_00008, RS_UCM_00030)
[SWS_UCM_00164] Cleaning up of Software Packages ⌈In kCleaningUp state, the UCM may remove (from the UCM buffer for instance) the "physical" Software Package (e.g. zip file) that was used to transport the SoftwareCluster to the UCM.⌋(RS_UCM_00008, RS_UCM_00030)
[SWS_UCM_00127] Finishing update sequence ⌈kIdle shall be set when Finish is called and the clean-up has been successfully performed. This finishes the update sequence and the next sequence can be started.⌋(RS_UCM_00008, RS_UCM_00030)


[SWS_UCM_00147] Return to the Idle state from Cleaning-up state ⌈kIdle state shall be set when the Clean-up operation has been completed successfully.⌋(RS_UCM_00024)

7.1.8 Robustness against reset

Failure during over-the-air updates could lead to a corrupted or inconsistent software configuration, and further updates might be blocked. For this reason UCM needs to be robust against interruptions like power downs.
[SWS_UCM_00157] Detection of reset ⌈At start-up, UCM shall identify whether an uncontrolled reset occurred.⌋(RS_UCM_00027)
The way for UCM to detect an uncontrolled reset is project specific. UCM could use hardware platform specific registers to detect a soft/hard reset, or it could access the PHM Functional Cluster to detect an uncontrolled reset. UCM could also check that the CurrentStatus persistent field is not kIdle or kVerifying.
[SWS_UCM_00158] Cleanup of interrupted actions ⌈After an uncontrolled reset, UCM shall check non-volatile memory integrity, recover processed artifacts in case they are corrupted and resume interrupted actions in order to return the system into a state from where UCM can continue serving its Clients.⌋(RS_UCM_00027)
[SWS_UCM_00270]{DRAFT} UCM internal state persistency ⌈UCM shall persist the CurrentStatus state field to be able to resume an on-going update after an intended or unintended reboot.⌋(RS_UCM_00027)

7.1.8.1 Boot monitoring

Activation failure during OS and platform self-updates can lead to a state in which the system is not able to reach a point where UCM and the client are able to function as expected, and is thus not able to execute the rollback. For these cases the system should include a component which is responsible for monitoring that the OS and platform start up correctly. In case of failure, the Boot monitoring component should trigger a reset or modify the boot options to trigger a rollback.

7.1.9 History

[SWS_UCM_00115] History ⌈GetHistory method shall retrieve all actions that have been performed by UCM within a specific time window input parameter.⌋(RS_UCM_00032)


In the case the UCM Client requests a rollback after a successful activation (the CurrentStatus field having transitioned to kActivated), the GetHistory method will later return GetHistoryType with subelement Resolution of type ResultType equal to kActivatedAndRolledBack.
[SWS_UCM_00160] Processing results records ⌈UCM shall save activation time and activation result of processed Software Packages in the history.⌋(RS_UCM_00032)
[SWS_UCM_00271]{DRAFT} Keeping history of failure error code ⌈UCM shall keep in GetHistoryType subelement FailureError the last failure error code as described in [SWS_UCM_00136]. If no error occurred, the stored value shall be 0.⌋(RS_UCM_00032)

7.1.10 Version Reporting

[SWS_UCM_00004] Report software information ⌈UCM shall provide a method GetSwClusterInfo of the interface service PackageManagement to provide the identifiers and versions of the SoftwareClusters that are in state kPresent.⌋(RS_UCM_00002)
[SWS_UCM_00030] Report changes ⌈UCM shall provide a method GetSwClusterChangeInfo of the interface service PackageManagement to provide the identifiers and versions of the SoftwareClusters that are in state kAdded, kUpdated or kRemoved.⌋(RS_UCM_00011)
[SWS_UCM_00185] Provide SoftwareCluster general information ⌈UCM shall provide a method GetSwClusterDescription to return the version, type approval, license and release notes of the SoftwareClusters that are in state kPresent.⌋(RS_UCM_00002, RS_UCM_00011)

7.1.11 Securing Software Updates

UCM provides its service interface using ara::com. There is no authentication of the client in UCM’s update sequence.
For authentication of the Software Package, refer to chapter 7.1.3.
[SWS_UCM_00103]{DRAFT} Update to older Software Cluster version than currently present ⌈In order to prevent an attacker from installing an old Software Cluster version having known security flaws, UCM shall prohibit its processing. In case of such an attempt, UCM TransferExit or TransferData shall raise the ApplicationError OldVersion, keep this attempt within the history and delete the old Software Package.⌋(RS_UCM_00031)


[SWS_UCM_CONSTR_00002]{DRAFT} UCM confidential information handling ⌈The PackageManagement interface shall only be mapped via ara::com to a secure endpoint using a secure communication channel providing confidentiality protection.⌋(RS_UCM_00002, RS_UCM_00010, RS_UCM_00011)
The GetSwClusterInfo, GetSwClusterChangeInfo, GetHistory, GetSwClusterDescription and GetSwPackages methods use data that could identify the vehicle user and therefore should be protected for confidentiality.
[SWS_UCM_00202]{DRAFT} Trusted Platform compliance ⌈UCM shall ensure that after provisioning updates, all the necessary changes to maintain the Trusted Platform are carried out.⌋(RS_EM_00014)
The authentication tag of the Trusted Platform corresponding to the updated/removed/added executable files should also be updated/removed/added. See also Chapter 7.10 of the Execution Management [2] for details on the Trusted Platform.

7.1.12 Functional cluster lifecycle

[SWS_UCM_00274]{DRAFT} UCM initialization ⌈UCM shall offer its services only after its internal initialization has been completed, after switching to Running state.⌋(RS_UCM_00044)
This requirement prevents calling the UCM subordinate API while internal initialization is on-going. The concrete initialization tasks are implementation specific.

7.1.12.1 Shutdown behaviour

There are no requirements on the shutdown behaviour of the UCM functional cluster.


7.2 UCM Master

7.2.1 UCM Master Functional Cluster lifecycle

[SWS_UCM_01205]{DRAFT} UCM Master internal state persistency ⌈UCM Master shall persist its state to be able to resume an on-going update campaign after an intended or unintended reboot.⌋(RS_UCM_00035, RS_UCM_00042)
[SWS_UCM_01019]{DRAFT} UCM Master initialization ⌈UCM Master shall offer its services only after its internal initialization has been completed, after switching to Running state.⌋(RS_UCM_00044)
This requirement prevents calling the UCM Master API while internal initialization is on-going. The concrete initialization tasks are implementation specific.

7.2.2 Technical Overview

The objective of UCM Master is to provide a standard Adaptive AUTOSAR solution to safely and securely update a complete vehicle Over The Air or by a Diagnostic Tester.
UCM Master receives packages from a Backend or Diagnostic tool, parses and interprets the Vehicle Package, transfers or streams Software Packages to suitable targets (UCM subordinate or Diagnostic Application) and orchestrates the processing, activations and eventual rollbacks. All these actions make up what is called a campaign, which UCM Master is coordinating. The UCMs of the machines in the same network as a UCM Master, candidate targets of a campaign, are referred to as UCM subordinates.

Figure 7.6: Example of UCM Master architecture overview within a vehicle


The UCM Master could be considered as a set of add-on features that could enrich any UCM instance. Therefore, like the UCM APIs, the UCM Master APIs are part of the Adaptive Platform Services. UCM and UCM Master have separate service instances.
The OTA Client establishes a communication between Backend and UCM Master so that they can exchange information on the installed Software Clusters in the vehicle and the Software Clusters available in the Backend. This communication could be triggered by OTA Client with a scheduler and UCM Master to request the updates in case of newly available Software Clusters (pull case), or by Backend to push, for instance, an important security update to a fleet of vehicles (push case). The computation to find new Software Cluster versions and the resolution of dependencies between Software Clusters can be done either at UCM Master or at Backend.
The Vehicle Driver interface Adaptive Application is required if it is needed during an update campaign to interact with the vehicle’s human driver through, for instance, a Human-Machine Interface. Download of packages from a Backend could have various financial costs for the driver depending on the communication type, so consent from the driver could be suitable.
The Vehicle State Manager Adaptive Application is required if it is needed during an update campaign to control the vehicle state for safety purposes. For instance, it could be required for safety to have a standing-still vehicle, a shut-off engine, closed doors, etc. before starting a UCM activation or during its processing.

7.2.3 UCM Master general behaviour

The UCM Master acts as a client of the service interface offered by the UCM subordinates, already specified in UCM. However, the UCM Master also offers three different service interfaces to OTA Client, Vehicle Driver interface and Vehicle State Manager respectively. UCM Master aggregates the UCM subordinates’ states and can report its status field to a Backend through its OTA Client.
A UCM Master receives a Vehicle Package and transfers or streams Software Package(s) to the UCM subordinates for an AUTOSAR Adaptive Platform Software Cluster update. A Vehicle Package contains instructions for orchestrating updates between ECUs. The UCM Master provides information about ECUs in the vehicle, installed software and update campaign resolution.
[SWS_UCM_01003] UCM Master checks states of UCM subordinates ⌈A UCM Master shall check that its UCM subordinates are all in the kIdle CurrentStatus state before starting a campaign.⌋(RS_UCM_00043)
UCM Master should for instance make sure that there are no ongoing diagnostic updates before starting an update campaign, by checking that the reported state(s) of the UCM subordinate(s) are idle.


7.2.4 UCM identification

For UCM Master to distribute Software Packages to other UCM subordinates, UCM Master has to identify the UCM subordinates in the vehicle. This identification could be at boot or later, but at least before any communication with Backend is engaged. Each UCM has a unique identifier in the Vehicle Package UcmModuleInstantiation, called identifier, to help UCM Master transfer packages to the targeted UCMs. To get such an identifier, UCM Master will first perform a service discovery through ara::com to get all UCM service instances available. Then UCM Master will call the GetId method on each UCM subordinate, which returns its corresponding UcmModuleInstantiation identifier.
[SWS_UCM_00009]{DRAFT} UCM exposing its identifier ⌈UCM shall provide a method GetId returning its UcmModuleInstantiation identifier.⌋(RS_UCM_00036)
If an ECU hosting a UCM subordinate is replaced physically, it will register its services to the registry at boot up and UCM Master will be able to communicate with the UCM subordinate(s).
[SWS_UCM_01005] UCM Master is discovering UCMs in vehicle ⌈UCM Master shall continuously look for UCM service instances (use of StartFindService() call).⌋(RS_UCM_00036)
If a UCM Master is failing, another inactive UCM Master could be used or activated by OTA Client.
The default (at boot) Master/Subordinate hierarchy or priority could optionally be overwritten for each campaign based on the Vehicle Package content, on the condition that OTA Client can properly parse Vehicle Packages.

7.2.5 UCM Master Software Packages transfer or streaming

UCM Master has generally the same transfer API as UCM in order to simplify implementation and reuse code as much as possible (it could be a shared library between UCM and UCM Master).
It is necessary to distinguish the Vehicle Package (UCM Master specific) transfer from the Software Packages transfer.
[SWS_UCM_01011] TransferVehiclePackage InsufficientMemory ⌈TransferVehiclePackage method shall raise the ApplicationError InsufficientMemory if the UCM buffer has not enough resources to process the corresponding Vehicle Package.⌋(RS_UCM_00013)
[SWS_UCM_01018]{DRAFT} TransferVehiclePackage BusyWithCampaign ⌈TransferVehiclePackage method shall return the ApplicationError BusyWithCampaign if the UCM Client wants to start a new campaign while a campaign is already started and active.⌋(RS_UCM_00035)


[SWS_UCM_01014] Packages transferring sequence ⌈TransferStart method shall raise the ApplicationError UnexpectedPackage if the Software Package name parameter was not a value of the RequestedPackage field.⌋(RS_UCM_00043)
[SWS_UCM_01013] Too big block size received by UCM Master ⌈In the case the received block size with TransferData exceeds the block size returned by TransferStart or TransferVehiclePackage for the same TransferId, UCM Master shall raise the ApplicationError IncorrectBlockSize.⌋(RS_UCM_00035)
[SWS_UCM_01015] Invalid Vehicle Package manifest ⌈TransferExit shall raise the ApplicationError InvalidPackageManifest when a Vehicle Package manifest is not compliant with the AUTOSAR schema.⌋(RS_UCM_00036, RS_UCM_00043)
[SWS_UCM_01016] Invalid Package Manifest ⌈UCM Master shall raise the ApplicationError InvalidPackageManifest in case a manifest file is not compliant with the AUTOSAR schema.⌋(RS_UCM_00036, RS_UCM_00043)
[SWS_UCM_01017] RequestedPackage field ⌈UCM Master shall provide the field RequestedPackage containing the requested Software Package name and version as defined in the update campaign. Changing this field is a notification for the OTA Client to start the transfer of the requested Software Package.⌋(RS_UCM_00042)
OTA Client does not know what Software Packages should be transferred in a given campaign contained in a Vehicle Package. OTA Client can learn what Software Package is expected to be transferred by subscribing to UCM Master’s RequestedPackage field. The version is added to support campaigns which need an update path for a Software Package requiring an intermediate update to a transitional version. In this case the version parameter makes it unambiguous which package version shall be transferred, as both have the same name assigned.
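The transfer sequence of chapter 7.2.5, as an added C++ model (not code from the AUTOSAR specification or any UCM Master implementation): it applies the BusyWithCampaign, InsufficientMemory, UnexpectedPackage and IncorrectBlockSize checks of SWS_UCM_01018, SWS_UCM_01011, SWS_UCM_01014 and SWS_UCM_01013 and advances the RequestedPackage field at TransferExit as SWS_UCM_01017 describes. The class layout, the buffer and block sizes, and the kInvalidTransferId name used for an unknown TransferId are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical subset of the ApplicationError values named in the text; kInvalidTransferId
// is an assumed name for an unknown TransferId, not taken from this page.
enum class ApplicationError {
  kNone, kInsufficientMemory, kBusyWithCampaign, kUnexpectedPackage,
  kIncorrectBlockSize, kInvalidTransferId
};

// Content of the RequestedPackage field: name and version (SWS_UCM_01017).
struct RequestedPackage {
  std::string name;
  std::string version;
};

// Constructed model of the UCM Master transfer bookkeeping; real buffer management,
// streaming and manifest parsing are out of scope here.
class UcmMasterTransfer {
 public:
  UcmMasterTransfer(std::size_t bufferBytes, std::size_t blockSize)
      : bufferBytes_(bufferBytes), blockSize_(blockSize) {}

  // TransferVehiclePackage opens a campaign. `campaign` is the ordered list of Software
  // Packages the (constructed) Vehicle Package asks for; the TransferId is returned via `id`.
  ApplicationError TransferVehiclePackage(std::size_t vehiclePackageBytes,
                                          const std::vector<RequestedPackage>& campaign,
                                          std::uint32_t& id) {
    if (campaignActive_) return ApplicationError::kBusyWithCampaign;  // SWS_UCM_01018
    if (vehiclePackageBytes > bufferBytes_) {
      return ApplicationError::kInsufficientMemory;                    // SWS_UCM_01011
    }
    campaignActive_ = true;
    campaign_ = campaign;
    next_ = 0;
    vehicleId_ = id = NewTransfer();
    return ApplicationError::kNone;
  }

  // TransferStart: only the package currently announced in RequestedPackage may be
  // started; anything else is rejected with UnexpectedPackage (SWS_UCM_01014).
  ApplicationError TransferStart(const std::string& name, std::uint32_t& id) {
    if (!campaignActive_ || next_ >= campaign_.size() || name != campaign_[next_].name) {
      return ApplicationError::kUnexpectedPackage;
    }
    id = NewTransfer();
    return ApplicationError::kNone;
  }

  // TransferData: a block larger than the size negotiated for this TransferId is rejected
  // (SWS_UCM_01013); the payload itself is not modelled.
  ApplicationError TransferData(std::uint32_t id, std::size_t blockBytes) {
    auto it = open_.find(id);
    if (it == open_.end()) return ApplicationError::kInvalidTransferId;
    if (blockBytes > it->second) return ApplicationError::kIncorrectBlockSize;
    return ApplicationError::kNone;
  }

  // TransferExit closes the transfer. Finishing a Software Package moves RequestedPackage
  // to the next one; that field change is the OTA Client's cue to transfer it (SWS_UCM_01017).
  ApplicationError TransferExit(std::uint32_t id) {
    if (open_.erase(id) == 0) return ApplicationError::kInvalidTransferId;
    if (id != vehicleId_ && next_ < campaign_.size()) ++next_;
    return ApplicationError::kNone;
  }

  // Current value of the RequestedPackage field; empty once all packages were transferred.
  RequestedPackage Requested() const {
    return next_ < campaign_.size() ? campaign_[next_] : RequestedPackage{};
  }

  bool CampaignActive() const { return campaignActive_; }
  std::size_t BlockSize() const { return blockSize_; }

 private:
  std::uint32_t NewTransfer() {
    std::uint32_t id = ++lastId_;
    open_[id] = blockSize_;  // block size returned to the client for this TransferId
    return id;
  }

  std::size_t bufferBytes_;
  std::size_t blockSize_;
  bool campaignActive_ = false;
  std::vector<RequestedPackage> campaign_;
  std::size_t next_ = 0;
  std::uint32_t vehicleId_ = 0;
  std::uint32_t lastId_ = 0;
  std::map<std::uint32_t, std::size_t> open_;  // TransferId -> negotiated block size
};
```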

7.2.6 Adaptive Applications interacting with UCM Master

In order to have interoperability between several vendors’ platforms, Adaptive Applications interacting with UCM Master via ara::com, like OTA Client, Vehicle State Manager or Vehicle Driver Interface, have their APIs specified. However, their detailed behaviours are out of scope for this specification document.

7.2.6.1 OTA Client

OTA Client is an Adaptive Application that sets up the communication channel between Backend and UCM Master. The communication between Backend and OTA Client is abstracted, and details like the protocol are out of scope for this specification document. OTA Client should make sure Backend is providing the right information and packages to the vehicle by identifying the vehicle, for instance by sending the VIN to Backend.
OTA Client uses the UCM Master as a service provider via ara::com. Since transferring Vehicle Packages and Software Packages from Backend to UCM Master is OTA Client’s responsibility, OTA Client should be able to accommodate any proprietary communication protocol used between OTA Client and Backend and convert it into the ara::com transport protocol. OTA Client should support UCM Master Software Packages transfer or streaming as specified in chapter 7.2.5; it should then provide at least the following functionality:
• Comply with the requirements of chapter 7.1.3 in the context of package transfer between OTA Client and UCM Master.
• OTA Client should subscribe to UCM Master’s RequestedPackage field to know what Software Package is expected to be transferred
• OTA Client should subscribe to UCM Master’s TransferState field to know the campaign state
• OTA Client should subscribe to UCM Master’s SafetyState field to make sure the vehicle is in a safe state before transferring Packages
• OTA Client could support multiple data transfers in parallel, as specified in [SWS_UCM_00075]
In addition, OTA Client could support the ability to pause or resume the package transfer for the current campaign to prioritize the transfer of the packages from a different campaign. The ability of OTA Client to pause or resume the package transfer might be helpful in the case there is a need to cancel an ongoing campaign at kTransferring state to allow a higher priority campaign to be performed.
Only one UCM Master has to be used by OTA Clients per network domain. As UCM Master is distributing Software Packages and coordinating UCM subordinates, OTA Clients in the same network domain have to make sure there are no already on-going campaigns when starting a new campaign with a TransferVehiclePackage method call, by checking UCM Master’s state with the TransferState field, in order to avoid any interference and guarantee the success of an update campaign.
[SWS_UCM_01101] Provide information of installed Software Clusters in vehicle ⌈UCM Master shall provide a method GetSwClusterInfo to return information of all Software Clusters present in the vehicle.⌋(RS_UCM_00033)
UCM Master can aggregate Software Cluster information from several UCMs within a vehicle and return the result to a Backend, which can compute whether there is any new Software Cluster available and decide to send a Vehicle Package to UCM Master through OTA Client. It is up to OTA Client to make sure the synchronisation of the versions of Software Packages present in Backend and Software Clusters in the vehicles, using GetSwClusterInfo or SwPackageInventory, is recent enough before starting a campaign with a TransferVehiclePackage call.


[SWS_UCM_01103] Inform Backend of needed Software Packages for an update ⌈On SwPackageInventory call, UCM Master shall compare the supplied list of available Software Packages in the Backend for the vehicle to its own internal information of present Software Clusters in the vehicle and return the list of Software Packages selected for update.⌋(RS_UCM_00033)
The OTA Client uses this returned Software Packages list to request the selected packages from the Backend. As required by constraint [SWS_UCM_CONSTR_00014], each Software Cluster corresponds to one Software Package and shares the same shortName.
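One constructed version comparison serving both the OldVersion rejection of SWS_UCM_00103 (chapter 7.1.11) and the SwPackageInventory selection just above, as an added C++ example that is not code from the AUTOSAR specification or any UCM implementation. The dotted-numeric Version parser, the history record layout (FailureError 0 meaning no error, as in SWS_UCM_00271) and the selection policy (newer than the present cluster, or not present at all) are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical subset of the ApplicationError values named in the text.
enum class ApplicationError : std::uint32_t { kNone = 0, kOldVersion = 1 };

// Constructed dotted-numeric version ("2.1.0"), compared component by component with
// missing trailing components treated as 0, so "1.4" equals "1.4.0".
struct Version {
  std::vector<unsigned> parts;

  static Version Parse(const std::string& text) {
    Version v;
    unsigned current = 0;
    bool inNumber = false;
    for (char c : text) {
      if (c >= '0' && c <= '9') {
        current = current * 10 + static_cast<unsigned>(c - '0');
        inNumber = true;
      } else if (c == '.') {
        v.parts.push_back(current);
        current = 0;
        inNumber = false;
      }
    }
    if (inNumber || v.parts.empty()) v.parts.push_back(current);
    return v;
  }
};

bool operator<(const Version& a, const Version& b) {
  std::size_t n = std::max(a.parts.size(), b.parts.size());
  for (std::size_t i = 0; i < n; ++i) {
    unsigned x = i < a.parts.size() ? a.parts[i] : 0;
    unsigned y = i < b.parts.size() ? b.parts[i] : 0;
    if (x != y) return x < y;
  }
  return false;
}

// Constructed history record; FailureError 0 means no error (SWS_UCM_00271).
struct HistoryEntry {
  std::string cluster;
  std::string version;
  std::uint32_t failureError;
};

// Constructed view of the Software Clusters in state kPresent plus the UCM history.
class SoftwareClusterRegistry {
 public:
  void AddPresent(const std::string& name, const std::string& version) {
    present_[name] = Version::Parse(version);
  }

  // Check applied at TransferExit/TransferData: a package carrying a version older than the
  // present cluster is rejected with OldVersion and the attempt is recorded (SWS_UCM_00103).
  // Deleting the rejected package from the buffer is left to the caller.
  ApplicationError CheckIncoming(const std::string& name, const std::string& version) {
    auto it = present_.find(name);
    if (it != present_.end() && Version::Parse(version) < it->second) {
      history_.push_back({name, version,
                          static_cast<std::uint32_t>(ApplicationError::kOldVersion)});
      return ApplicationError::kOldVersion;
    }
    return ApplicationError::kNone;
  }

  // SwPackageInventory (SWS_UCM_01103): compares the Backend's available packages
  // (shortName -> version) with the present clusters. Selection policy is constructed for
  // this example: selected when newer than the present cluster or not present at all.
  std::vector<std::string> SwPackageInventory(
      const std::map<std::string, std::string>& backend) const {
    std::vector<std::string> selected;
    for (const auto& entry : backend) {
      auto it = present_.find(entry.first);
      if (it == present_.end() || it->second < Version::Parse(entry.second)) {
        selected.push_back(entry.first);
      }
    }
    return selected;
  }

  const std::vector<HistoryEntry>& History() const { return history_; }

 private:
  std::map<std::string, Version> present_;
  std::vector<HistoryEntry> history_;
};
```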
[SWS_UCM_01119] Report information of Software Packages ⌈UCM Master shall provide a method GetSwPackages to return the identifiers, names, versions, Consecutive Bytes Received, Consecutive Blocks Received and states of Software Packages.⌋(RS_UCM_00035)

7.2.6.2 Vehicle Driver Interface

A Vehicle Driver Interface could be required by legal constraints or communication cost considerations. To support mandatory safety and security critical updates, driver interaction can be used for:
• Requesting transfer, processing or activation permission from the vehicle driver
• Notifying the vehicle driver of safety and security measures he has to apply to the vehicle in order to proceed to the next step of the update campaign
[SWS_UCM_01105] Interaction of UCM Master with Vehicle Driver ⌈UCM Master shall provide a method DriverApproval in order to receive the confirmation of the vehicle driver’s approval.⌋(RS_UCM_00038)
The Vehicle Driver Interface Adaptive Application could adapt its notification content related to safety by subscribing to the UCM Master’s SafetyConditions field.
[SWS_UCM_01117]{DRAFT} UCM Master SafetyState field ⌈UCM Master shall provide to the vehicle driver interface the SafetyConditions field.⌋(RS_UCM_00038, RS_UCM_00037)
UCM Master can notify the vehicle driver with the SafetyState field if the vehicle safety is breached during the update, by for instance popping up a message.
[SWS_UCM_01118] UCM Master waiting for vehicle driver approval ⌈In the case approval from the driver is requested as configured in VehiclePackage, UCM Master shall wait for the DriverApproval method with parameter Approval=True before transitioning state from kVehiclePackageTransferring to kSoftwarePackage_Transferring, kSoftwarePackage_Transferring to kProcessing or kProcessing to kActivating.⌋(RS_UCM_00038)


[SWS_UCM_CONSTR_00003] Exclusive use of Vehicle Driver Interface ⌈Software Integrator shall ensure that only one Adaptive Application is using the UCM Master’s Vehicle Driver Interface.⌋(RS_UCM_00035, RS_UCM_00037)
For example, the integrator may restrict the access to the Vehicle Driver Interface of UCM Master by configuring the Identity and Access Management functional cluster accordingly.
[SWS_UCM_01107]{DRAFT} UCM Master provides progress information to Vehicle Driver ⌈UCM Master shall provide to the Vehicle Driver Interface Adaptive Application the methods GetSwTransferProgress and GetSwProcessProgress in order for UCM Master to report the progress of the update campaign’s transfer and processing, respectively.⌋(RS_UCM_00038)
[SWS_UCM_CONSTR_00004] Unsupported safety by Vehicle driver interface ⌈In the case the SafetyConditions field is not supported by the Vehicle driver interface, it shall call the method DriverApproval with parameter SafetyStates including at least one SafetyStates=’NotSupported’.⌋(RS_UCM_00037)
[SWS_UCM_01120] Provide Software Packages general information ⌈UCM Master shall provide a method GetSwPackageDescription to return the description of each Software Package that is part of the current campaign and that is contained in the Vehicle Package.⌋(RS_UCM_00033, RS_UCM_00038)
[SWS_UCM_01135]{DRAFT} Get Software Clusters descriptions from a vehicle ⌈At GetSwClusterDescription method call via the VehicleDriverApplication interface, UCM Master shall return the Software Clusters descriptions aggregated from the UCM Subordinates or Flashing Adapters.⌋(RS_UCM_00033, RS_UCM_00038)

7.2.6.3 Vehicle State Manager

Vehicle State Manager is collecting states from the several vehicle ECUs and informs UCM Master when the safety state, computed based on the safety policy referred to in the Vehicle Package, is changing. If the safety policy is not met, the UCM Master can for instance decide to:
• Inform the vehicle driver that the safety conditions are not met to continue the update
• Postpone, pause or cancel the update until the policy is met
[SWS_UCM_01109]{DRAFT} UCM Master provides a safety interface ⌈UCM Master shall provide a field SafetyConditions for which values are available in VehiclePackage.⌋(RS_UCM_00037)
[SWS_UCM_01110]{DRAFT} UCM Master SafetyState method ⌈UCM Master shall provide a method SafetyState to get informed of vehicle state changes.⌋(RS_UCM_00037)


[SWS_UCM_CONSTR_00005]{DRAFT} Safety state change ⌈Vehicle State Manager Adaptive Application shall call the SafetyState method provided by UCM Master when the safety state is changing.⌋(RS_UCM_00035, RS_UCM_00037)
[SWS_UCM_CONSTR_00009]{DRAFT} Safety condition change ⌈Vehicle State Manager Adaptive Application shall call the SafetyState method provided by UCM Master when the field SafetyConditions is changing.⌋(RS_UCM_00035, RS_UCM_00037)
[SWS_UCM_CONSTR_00015]{DRAFT} Trigger on kVehicleChecking state ⌈On transition to kVehicleChecking state, Vehicle State Manager shall first perform checks to assess the post-activation state of the vehicle.⌋(RS_UCM_00035)
Vehicle State Manager could be responsible for performing post-activation checks, interfacing with an application performing such checks, and confirming that the backend is still reachable and further updates are still possible.
[SWS_UCM_01272]{DRAFT} VehicleCheck call not permitted ⌈UCM Master shall return ApplicationError OperationNotPermitted if the VehicleCheck method is called in another UCM Master state than kVehicleChecking.⌋(RS_UCM_00035)
[SWS_UCM_CONSTR_00006]{DRAFT} Exclusive use of Vehicle State Manager ⌈System Integrator shall ensure that Vehicle State Manager is the exclusive user of the SafetyState method.⌋(RS_UCM_00035, RS_UCM_00037)
For example, the integrator may restrict the access to Vehicle State Manager by configuring the Identity and Access Management functional cluster accordingly.
[SWS_UCM_CONSTR_00007]{DRAFT} Unsupported safety conditions by Vehicle State Manager ⌈In the case the requested SafetyConditions field is not supported by Vehicle State Manager, it shall call the SafetyState method with parameter SafetyStates including at least one SafetyStates=’NotSupported’.⌋(RS_UCM_00037)
[SWS_UCM_CONSTR_00008]{DRAFT} Switching vehicle into update mode ⌈Vehicle State Manager shall switch the vehicle’s state and its ECUs into the right update mode in order to avoid any timeout issues during the update.⌋(RS_UCM_00037)
This vehicle state change could be triggered based on the UCM Master State Machine.

7.2.6.4 Flashing Adapter

Flashing Adapter is an application that is used in the case UCM Master is updating an AUTOSAR Classic Platform or any platform that can be flashed using diagnostics. It contains OEM specific diagnostic sequences and communicates via ara::com with the UCM Master and the AUTOSAR Adaptive Platform, and uses an implementation of the diagnostic protocol data unit application programming interface (D-PDU API) to communicate with Classic ECUs over the Vehicle Bus.


The data transfer from Flashing Adapter to the target ECU via diagnostic communication can be interrupted if communication on a higher priority protocol occurs, e.g. OBD services. In that case the Flashing Adapter can use a project specific strategy to detect the interruption, retry the transfer from the beginning, and decide whether or not to notify the client about the transfer interruption.
[SWS_UCM_CONSTR_00011]{DRAFT} Flashing Adapter provided interface ⌈Flashing Adapter shall provide the same ara::com service interface as UCM ([SWS_UCM_00131]).⌋(RS_UCM_00035)

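The interruption handling described above, as an added example that is not code from the specification or from any Flashing Adapter product: a bounded retry of a block-wise diagnostic transfer that restarts from the first block whenever the link reports pre-emption by a higher priority protocol, and records whether the client should be notified. The `BlockSender` link abstraction, the `simulateFlash` bus model and its 64-byte blocks are constructed for the example; the "notify on any interruption" policy stands in for the project specific strategy the text leaves open.

```cpp
// Added example (not AUTOSAR code): bounded retry of a diagnostic transfer
// that restarts from the beginning when a higher priority protocol interrupts it.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

using Block = std::vector<std::uint8_t>;
// Hypothetical link: sends one block, returns false when the transfer was
// pre-empted (e.g. by an OBD request) and has to be abandoned.
using BlockSender = std::function<bool(std::size_t index, const Block& block)>;

struct FlashOutcome {
    bool success = false;
    unsigned attempts = 0;      // transfers started, including a successful one
    bool notifyClient = false;  // project policy: report that an interruption happened
};

FlashOutcome flashWithRetry(const std::vector<Block>& image, const BlockSender& send,
                            unsigned maxAttempts, bool notifyOnInterruption) {
    FlashOutcome out;
    while (out.attempts < maxAttempts) {
        ++out.attempts;
        bool interrupted = false;
        for (std::size_t i = 0; i < image.size() && !interrupted; ++i)
            interrupted = !send(i, image[i]);
        if (!interrupted) {
            out.success = true;
            return out;
        }
        out.notifyClient = out.notifyClient || notifyOnInterruption;
        // As the text describes, a retry restarts the transfer from block 0.
    }
    return out;
}

// Constructed bus model: the first `interruptions` attempts are pre-empted at
// block `failAt`; later attempts go through untouched.
FlashOutcome simulateFlash(unsigned interruptions, std::size_t failAt, unsigned maxAttempts) {
    std::vector<Block> image(4, Block(64, 0xFF));  // four constructed 64-byte blocks
    unsigned attempt = 0;
    BlockSender send = [&](std::size_t index, const Block&) {
        if (index == 0) ++attempt;
        return !(attempt <= interruptions && index == failAt);
    };
    return flashWithRetry(image, send, maxAttempts, /*notifyOnInterruption=*/true);
}
```

A single interruption costs one extra attempt and flags the client; a link that is pre-empted on every attempt exhausts `maxAttempts` and reports failure without ever claiming success.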

7.2.7 Non Adaptive Platform update

[SWS_UCM_01121]{DRAFT} Adaptive Platform interface provided for Flashing Adapter ⌈The interface provided by the AUTOSAR Adaptive Platform in order to update a non AUTOSAR Platform should comply with ISO 22900-2:2017 (D-PDU API), but as this standard's coverage is wide, it is allowed to implement the reduced API that is needed to update, for instance, an AUTOSAR Classic Platform.⌋(RS_UCM_00035)
The implementation of the D-PDU API processes binary data from the Flashing Adapter and does all of the required session, transport and network layer handling to send and receive the data on the physical vehicle bus with respect to the underlying protocols. The reason for using ISO 22900-2:2017 is to ensure that the specific Flashing Adapter from any vehicle or tool manufacturer can operate on a common software interface and can easily exchange MVCI (Modular Vehicle Communication Interface) protocol module implementations.
In case the ECU targeted by an update does not have the capability to switch between current and new Software Cluster, the vehicle package campaign should foresee downloading not only the new version but also the currently installed version of the Software Cluster to be updated, in order to make a rollback from the new version to the old version of the Software Cluster possible. The location to store the current Software Package could be the Flashing Adapter, but ultimately it has to be available to Flashing Adapter in order to flash it in case of a rollback.

7.2.7.1 D-PDU API implementation support

[SWS_UCM_01122]{DRAFT} Supported physical layers by D-PDU API implementation ⌈ISO_11898_2_DWCAN (Dual Wire CAN), ISO_11898_3_DWFTCAN (Dual Wire CAN Fault Tolerant), SAE_J2411_SWCAN (Single Wire CAN) and IEEE_802_3 (Ethernet) physical layers shall be supported if their respective physical vehicle bus is available inside the ECU; all other physical layers present in D-PDU API are optional.⌋(RS_UCM_00035)
[SWS_UCM_01123]{DRAFT} Supported application layers by D-PDU API implementation ⌈ISO_15765_3 (Unified diagnostic services, UDS on CAN, ISO withdrawn UDS), ISO_14229_3 (Unified diagnostic services on CAN implementation, UDSonCAN) and ISO_14229_5 (Unified diagnostic services on Internet Protocol implementation, UDSonIP) application layers shall be supported if their respective application layer is available inside the ECU; all other application layers present in D-PDU API are optional.⌋(RS_UCM_00035)
[SWS_UCM_01124]{DRAFT} Supported protocols by D-PDU API implementation ⌈ISO UDS on CAN with Application layer ISO_15765_3, ISO UDS on CAN with Application layer ISO_14229_3 (UDSonCAN) and ISO UDS on DoIP with Application layer ISO_14229_5 (UDSonIP) protocols shall be supported; all other protocols are optional.⌋(RS_UCM_00035)


These protocols are present in 'Table B.2 - Standard protocol combination list' of ISO 22900-2:2017(E).

7.2.7.2 Not required D-PDU API concepts

Dynamic Link Libraries for the Windows operating system are not required. The Windows installation process of ISO 22900-2:2017(E) chapter 8.7.2 is not applicable to the AUTOSAR Adaptive Platform, which uses a POSIX Operating System.
[SWS_UCM_01125]{DRAFT} Separation of D-PDU API-Software with the MVCI protocol module firmware ⌈A D-PDU API implementation may be split at OSI-Layer 4 into a D-PDU API implementation on OSI-Layer 5 (usually in the PC itself) and the VCI-Module on OSI-Layers 3 and 4 (usually the VCI itself).⌋(RS_UCM_00035)
[SWS_UCM_01126]{DRAFT} Root description file (RDF) ⌈Within an AUTOSAR Adaptive Platform, only one D-PDU API implementation is required for UCM, therefore the D-PDU API implementation may not use the D-PDU API root description file (RDF).⌋(RS_UCM_00035)
The only instance of the D-PDU API within a Software Cluster can be statically linked with the Flashing Adapter.
[SWS_UCM_01127]{DRAFT} Module Description File (MDF) ⌈The D-PDU API implementation should not implement a protocol description file.⌋(RS_UCM_00035)
The supported protocol module types are fixed in the UCM use case.
[SWS_UCM_01128]{DRAFT} Symbolic names and IDs ⌈The Flashing Adapter may operate the D-PDU API without using symbolic names and IDs during runtime. If the use case excludes frequent changes to the MDFs, a simple Flashing Adapter may even hardcode (e.g. in a header file) all necessary IDs and operate the D-PDU API without symbolic names.⌋(RS_UCM_00035)
[SWS_UCM_01129]{DRAFT} SAE J2534-1 and RP 1210a compatibility ⌈D-PDU API implementation may not be compatible to SAE J2534-1 and RP 1210a.⌋(RS_UCM_00035)
The Adaptive Platform does not need any migration path.
[SWS_UCM_01130]{DRAFT} ComPrimitives in RawMode ⌈D-PDU API implementation may not implement the IOCTL filter data structure.⌋(RS_UCM_00035)

7.2.7.3 Not required D-PDU API functions

PDULockResource() and PDUUnlockResource() are used to lock and unlock exclusive access to a ComLogicalLink in case of parallel usage of the D-PDU API implementation by multiple applications on the same physical communication link. Flashing of a Classic ECU always requires some exclusive access, and this should be handled in the AUTOSAR Adaptive Platform itself.
[SWS_UCM_01131]{DRAFT} PDUIoCtl(PDU_IOCTL_RESET) ⌈The parameter PDU_IOCTL_RESET may not be implemented in the D-PDU API implementation, so the call of PDUIoCtl(PDU_IOCTL_RESET) shall return the error code PDU_ERR_ID_NOT_SUPPORTED.⌋(RS_UCM_00035)
[SWS_UCM_01132]{DRAFT} PDUIoCtl(PDU_IOCTL_START_MSG_FILTER), PDUIoCtl(PDU_IOCTL_CLEAR_MSG_FILTER), PDUIoCtl(PDU_IOCTL_STOP_MSG_FILTER) ⌈The call of PDUIoCtl() with the parameters PDU_IOCTL_START_MSG_FILTER, PDU_IOCTL_CLEAR_MSG_FILTER and PDU_IOCTL_STOP_MSG_FILTER shall return the error code PDU_ERR_ID_NOT_SUPPORTED.⌋(RS_UCM_00035)
The parameters PDU_IOCTL_START_MSG_FILTER, PDU_IOCTL_CLEAR_MSG_FILTER and PDU_IOCTL_STOP_MSG_FILTER are intended for the PassThru-Mode of ComPrimitives, and therefore an implementation is not required for the Flashing Adapter.
[SWS_UCM_01133]{DRAFT} PDUIoCtl(PDU_IOCTL_SEND_BREAK) ⌈The IOCTL command PDU_IOCTL_SEND_BREAK shall return PDU_ERR_ID_NOT_SUPPORTED.⌋(RS_UCM_00035)
The IOCTL command PDU_IOCTL_SEND_BREAK is used to send a break signal on the ComLogicalLink. A break signal can only be sent on certain physical layers (e.g. SAE J1850 VPW physical links and UART physical links) which are not supported by UCM.
[SWS_UCM_01134]{DRAFT} Not used D-PDU API function return codes ⌈The return codes PDU_ERR_CABLE_UNKNOWN, PDU_ERR_RSC_LOCKED, PDU_ERR_RSC_NOT_LOCKED, PDU_ERR_API_SW_OUT_OF_DATE and PDU_ERR_MODULE_FW_OUT_OF_DATE may not be implemented in the D-PDU API of the AUTOSAR Adaptive Platform.⌋(RS_UCM_00035)
There is no cable attached to the ECU, and therefore the cable detection return code PDU_ERR_CABLE_UNKNOWN cannot occur.
Locking is not required for the Flashing Adapter, therefore the PDU_ERR_RSC_LOCKED and PDU_ERR_RSC_NOT_LOCKED return codes cannot occur.
No separation of the D-PDU API-Software from the MVCI protocol module firmware is required in the AUTOSAR Adaptive Platform, so the PDU_ERR_API_SW_OUT_OF_DATE and PDU_ERR_MODULE_FW_OUT_OF_DATE return codes cannot occur.


7.2.7.4 Classic platform update with UCM Master and diagnostic tool

Figure 7.7: Classic platform update with UCM Master and diagnostic tool (diagram: a garage tester reaches the Adaptive AUTOSAR Machine over DoIP on vehicle Ethernet or CAN/DoCAN; inside the Machine, Diagnostic Manager, a Diagnostic application acting like an OTA Client, UCM Master, Vehicle State Manager, Driver Interface and Flashing Adapter; Flashing Adapter uses ISO 22900-2 (D-PDU API) with VCI modules for UDS on CAN and UDS on DoIP to reach Classic AUTOSAR and non-AUTOSAR ECUs)

The Diagnostic Manager connects the Diagnostic tool to the Adaptive Platform. The diagnostic application acts like an OTA Client and uses the UCM Master services to push Vehicle Packages and Software Packages.


7.2.8 Status reporting

UCM Master supports a mechanism to provide the state of an update campaign, typically to OTA Client, Vehicle Driver Application and Vehicle State Manager.

Figure 7.8: Campaign State Machine (CampaignState field) (state diagram: IDLE; SYNCING (do / ComputeUpdates), entered on SwPackageInventory() or GetSwClusterInfo() and left on [SyncingDone]; composite state TRANSFERRING holding VEHICLEPACKAGE_TRANSFERRING (do / VehiclePackageReceiving, entered on transferVehiclePackage()) and SOFTWAREPACKAGE_TRANSFERRING (do / DistributeSoftwarePackages), with driver approval steps where [Driver Approval needed] sets ApprovalRequired and DriverApproval(True) clears it; composite state UPDATING holding PROCESSING (do / ProcessingSoftwarePackages), ACTIVATING (do / UCM.Activate()) and VEHICLE_CHECKING (do / VehicleSanityCheck); CANCELLING (do / Cancelling), entered on cancelCampaign(), NonRecoverableFailure, ActivationFailure or VehicleChecksFailed, and left on [All CurrentStatus==Idle]; transferExit() failures with InvalidPackageManifest, LackResources or FailedDependency abort the campaign back to IDLE)

Figure 7.9: Campaign State Machine for OTA Client (TransferState field) (state diagram: IDLE; SYNCING (do / ComputeUpdates), entered on SwPackageInventory() or GetSwClusterInfo() and left on [SyncingDone]; TRANSFERRING, entered on transferVehiclePackage() (campaign start) and left on transfer finished (update start) or campaign aborted; UPDATING, left on campaign successful or campaign failed; CANCELLING (do / Cancelling), left on [All CurrentStatus==Idle])

Diagrams 7.8 and 7.9 do not include the behaviour after reset (see [SWS_UCM_01205] for more details).
[SWS_UCM_01201] Sequential orchestration of campaigns ⌈UCM Master shall orchestrate at most a single campaign at any one time.⌋(RS_UCM_00043)
[SWS_UCM_01265] TransferState field ⌈UCM Master shall provide the state of a campaign over the TransferState field of the UCM Master's VehiclePackageManagement service interface.⌋(RS_UCM_00042)
[SWS_UCM_01203] CampaignState field ⌈UCM Master shall provide the state of a campaign over the CampaignState field of the UCM Master VehicleDriverApplication Service Interface.⌋(RS_UCM_00042) There is an overview of the campaign state machine in Fig. 7.8 detailing UCM Master campaign states and transitions.


7.2.8.1 States

[SWS_UCM_01204] Initial state ⌈UCM Master shall have kIdle as default state.⌋(RS_UCM_00035)
[SWS_UCM_01207] Trigger on kSoftwarePackage_Transferring state ⌈On transition to kSoftwarePackage_Transferring state, and if all UCM subordinates part of the campaign are in kIdle state, UCM Master shall start or resume transferring (TransferStart and TransferData, as well as TransferExit if no streaming is required) the software packages to the UCM subordinates according to the campaign orchestration.⌋(RS_UCM_00035, RS_UCM_00043)
[SWS_UCM_01209] Trigger on kProcessing state ⌈On transition to kProcessing state, UCM Master shall call ProcessSwPackage method on UCM subordinates to start or resume processing the software packages ready for processing according to the campaign orchestration.⌋(RS_UCM_00035, RS_UCM_00043)
[SWS_UCM_00210] Transferring of software packages on kProcessing state ⌈If UCM Master is in kProcessing state, UCM Master shall transfer Software Packages to the UCM subordinates according to the campaign orchestration.⌋(RS_UCM_00035, RS_UCM_00043)
[SWS_UCM_01212] Trigger on kActivating state ⌈On transition to kActivating state, UCM Master shall ask UCM subordinates to activate the software with Activate method call according to the campaign orchestration.⌋(RS_UCM_00035, RS_UCM_00043)
[SWS_UCM_01214]{DRAFT} Final action on kVehicleChecking state ⌈If UCM Master is in kVehicleChecking state and receives the method VehicleCheck call with parameter VehicleCheckResolution=True, UCM Master shall secondly commit (Finish) the software on all UCM subordinates part of the campaign.⌋(RS_UCM_00035)
[SWS_UCM_01215]{DRAFT} Trigger on kCancelling state ⌈On transition to kCancelling state, UCM Master shall first roll back (Rollback) the software on all UCM subordinates part of the campaign.⌋(RS_UCM_00035)
[SWS_UCM_01216]{DRAFT} Final action on kCancelling state ⌈If UCM Master is in kCancelling state and the rollback of software on all UCM subordinates is successful (successful Rollback and transition from kRollingBack to kRolledBack), UCM Master shall secondly commit (Finish) the software on all UCM subordinates part of the campaign.⌋(RS_UCM_00035)
[SWS_UCM_01217] Monitoring of UCM subordinates ⌈UCM Master shall subscribe to the CurrentStatus field in order to follow the current campaign from the state of the UCM Subordinates.⌋(RS_UCM_00035)


7.2.8.2 States Transitions

[SWS_UCM_01218] Transition from kIdle state to kSyncing state ⌈If UCM Master is in kIdle state, UCM Master shall enter the kSyncing state on a request to GetSwClusterInfo or SwPackageInventory.⌋(RS_UCM_00035, RS_UCM_00033)
[SWS_UCM_01219] Transition from kSyncing state to kIdle state ⌈If UCM Master is in kSyncing state, UCM Master shall enter the kIdle state on completion of GetSwClusterInfo or SwPackageInventory.⌋(RS_UCM_00035)
[SWS_UCM_01220] Transition from kIdle state to kVehiclePackageTransferring state ⌈If UCM Master is in kIdle state, UCM Master shall enter the kVehiclePackageTransferring state on successful completion of TransferVehiclePackage.⌋(RS_UCM_00035)
[SWS_UCM_01221]{DRAFT} Transition from kVehiclePackageTransferring state to kIdle state ⌈If UCM Master is in kVehiclePackageTransferring state, UCM Master shall enter the kIdle state on unsuccessful completion of TransferExit (Vehicle Package), or successful completion of DeleteTransfer (Vehicle Package), or a non recoverable error of TransferData.⌋(RS_UCM_00035, RS_UCM_00039)
[SWS_UCM_01222] Transition from kVehiclePackageTransferring state to kSoftwarePackage_Transferring state ⌈If UCM Master is in kVehiclePackageTransferring state, UCM Master shall enter the kSoftwarePackage_Transferring state on successful completion of TransferExit (Vehicle Package).⌋(RS_UCM_00035, RS_UCM_00037, RS_UCM_00038)
[SWS_UCM_01227] Transition from kSoftwarePackage_Transferring state to kIdle state ⌈If UCM Master is in kSoftwarePackage_Transferring state, UCM Master shall enter the kIdle state on successful cancellation request (CancelCampaign) or if there is a non recoverable transfer failure from one of the UCM subordinates.⌋(RS_UCM_00035)
[SWS_UCM_01228] Transition from kSoftwarePackage_Transferring state to kProcessing state ⌈When UCM Master is in kSoftwarePackage_Transferring state, if all Software Packages are ready for processing (all Software Packages from all UCM subordinates are at state kTransferred) or at least one Software Package started being processed by a ProcessSwPackage call to one UCM subordinate according to the campaign orchestration, UCM Master shall enter the kProcessing state.⌋(RS_UCM_00035, RS_UCM_00037, RS_UCM_00038, RS_UCM_00043)
[SWS_UCM_01229]{DRAFT} SafetyConditions while processing stream ⌈In case there is a transition from kSoftwarePackage_Transferring state to kProcessing state, the SafetyConditions for kProcessing state shall apply even though there are Software Packages still transferring.⌋(RS_UCM_00035, RS_UCM_00037)


It is the integrator's responsibility to make sure that, in this use case, the safety conditions for Processing also cover the safety approach of transferring.
[SWS_UCM_01234]{DRAFT} Transition from kProcessing state to kActivating state ⌈If UCM Master is in kProcessing state and all software packages of the campaign have been successfully processed (successful ProcessSwPackage) and all UCM subordinates part of the campaign are in the kReady state, UCM Master shall enter the kActivating state.⌋(RS_UCM_00035, RS_UCM_00037, RS_UCM_00038)
[SWS_UCM_01236]{DRAFT} Transition from kProcessing state to kCancelling state ⌈If UCM Master is in kProcessing state, UCM Master shall enter the kCancelling state on successful cancellation request (CancelCampaign) or in case of a non recoverable processing failure of one of the UCM subordinates.⌋(RS_UCM_00035)
[SWS_UCM_01239]{DRAFT} Transition from kActivating state to kCancelling state ⌈If UCM Master is in kActivating state, UCM Master shall enter the kCancelling state if any UCM subordinate part of the campaign unsuccessfully completed activation (unsuccessful Activate and transition from kVerifying to kRollingBack).⌋(RS_UCM_00035)
[SWS_UCM_01240] Transition from kActivating state to kVehicleChecking state ⌈If UCM Master is in kActivating state, UCM Master shall enter the kVehicleChecking state if all UCM subordinates part of the campaign successfully completed activation (successful Activate and transition from kVerifying to kActivated).⌋(RS_UCM_00035, RS_UCM_00037)
[SWS_UCM_01241]{DRAFT} Transition from kVehicleChecking state to kCancelling state ⌈If UCM Master is in kVehicleChecking state and receives the method VehicleCheck call with parameter VehicleCheckResolution=False, UCM Master shall enter the kCancelling state.⌋(RS_UCM_00035)
[SWS_UCM_01242] Transition from kVehicleChecking state to kIdle state ⌈If UCM Master is in kVehicleChecking state and all UCM subordinates part of the campaign transitioned from kCleaningUp to kIdle, UCM Master shall enter the kIdle state.⌋(RS_UCM_00035)
[SWS_UCM_01243] Transition from kCancelling state to kIdle state ⌈If UCM Master is in kCancelling state and all UCM subordinates part of the campaign transitioned from kCleaningUp to kIdle, UCM Master shall enter the kIdle state.⌋(RS_UCM_00035)
[SWS_UCM_01246]{DRAFT} Unreachable UCM during update campaign ⌈In case a UCM is not reachable by UCM Master during an update campaign (from kTransferring or kUpdating), UCM Master shall cancel and go back to kIdle.⌋(RS_UCM_00035, RS_UCM_00037)


7.2.9 Campaign cancelling

The CancelCampaign method could be used at a garage to unlock a blocked update. Details of the actions taken by UCM Master, like cleaning up the several UCMs, changing AUTOSAR Adaptive Platform states, etc., are implementation specific.
In case an update campaign was cancelled, a new update campaign could reuse the already transferred Software Packages. UCM Master could list transferred Software Packages by calling the UCM subordinates with GetSwPackages.
[SWS_UCM_01244]{DRAFT} Cancellation of an update campaign shall be possible ⌈UCM Master shall provide method CancelCampaign to any of its clients to cancel from kTransferring or kUpdating states (from TransferState field).⌋(RS_UCM_00035, RS_UCM_00037)
[SWS_UCM_01270]{DRAFT} New campaign disabling ⌈UCM Master shall remain in kIdle when a CancelCampaign method has been called with DisableCampaign parameter set.⌋(RS_UCM_00035)
[SWS_UCM_01271]{DRAFT} New campaign enabling ⌈UCM Master shall provide a method AllowCampaign to any of its clients to allow new campaigns again after a CancelCampaign method was called with DisableCampaign parameter set.⌋(RS_UCM_00035)
[SWS_UCM_01273]{DRAFT} CancelCampaign CancelFailed error ⌈CancelCampaign shall raise the error ApplicationError CancelFailed in case cancelling of a campaign fails.⌋(RS_UCM_00020)
[SWS_UCM_01274]{DRAFT} CancelCampaign OperationNotPermitted error ⌈CancelCampaign shall raise the error ApplicationError OperationNotPermitted in case the UCM Master state is kIdle, kSyncing or kCancelling.⌋(RS_UCM_00020)

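The campaign state machine of 7.2.8 and the cancellation rules of 7.2.9, as an added example that is not code from the specification or from any UCM implementation: a `UcmMaster` model whose methods refuse calls in states where the requirements say they are not permitted ([SWS_UCM_01272], [SWS_UCM_01274]) and whose guarded transitions follow 7.2.8.2. The `SubordinateView` struct summarising what the subordinates report, the `onSubordinateUpdate` and `activationResult` entry points, and the handling of a disabled campaign as a refused `TransferVehiclePackage` are assumptions made for the example; the requirement ids in the comments point at the rule each branch models.

```cpp
// Added example (not AUTOSAR code): model of the UCM Master campaign state
// machine with state-dependent method refusals.
#include <cstdint>
#include <optional>

enum class CampaignState : std::uint8_t {
    kIdle, kSyncing, kVehiclePackageTransferring, kSoftwarePackage_Transferring,
    kProcessing, kActivating, kVehicleChecking, kCancelling
};
// Coarser view published to the OTA Client (TransferState field, Fig. 7.9).
enum class TransferState : std::uint8_t { kIdle, kSyncing, kTransferring, kUpdating, kCancelling };
enum class UcmError : std::uint8_t { kOperationNotPermitted };

// Assumed summary of what the subordinates' CurrentStatus fields report.
struct SubordinateView {
    bool allPackagesTransferred;  // every Software Package at kTransferred
    bool allPackagesProcessed;    // every Software Package at kProcessed
    bool allSubordinatesReady;    // every subordinate in kReady
    bool allSubordinatesIdle;     // every subordinate back in kIdle after kCleaningUp
};

class UcmMaster {
public:
    CampaignState state() const { return state_; }
    bool campaignsDisabled() const { return disabled_; }

    TransferState transferState() const {
        switch (state_) {
            case CampaignState::kIdle: return TransferState::kIdle;
            case CampaignState::kSyncing: return TransferState::kSyncing;
            case CampaignState::kVehiclePackageTransferring:
            case CampaignState::kSoftwarePackage_Transferring: return TransferState::kTransferring;
            case CampaignState::kCancelling: return TransferState::kCancelling;
            default: return TransferState::kUpdating;  // kProcessing, kActivating, kVehicleChecking
        }
    }

    // [SWS_UCM_01220]: a successful TransferVehiclePackage starts a campaign.
    // Assumption: while campaigns are disabled ([SWS_UCM_01270]) the request is refused.
    std::optional<UcmError> transferVehiclePackage() {
        if (state_ != CampaignState::kIdle || disabled_) return UcmError::kOperationNotPermitted;
        state_ = CampaignState::kVehiclePackageTransferring;
        return std::nullopt;
    }

    // [SWS_UCM_01221], [SWS_UCM_01222]: TransferExit of the Vehicle Package.
    void vehiclePackageTransferExit(bool authenticatedAndValid) {
        if (state_ != CampaignState::kVehiclePackageTransferring) return;
        state_ = authenticatedAndValid ? CampaignState::kSoftwarePackage_Transferring
                                       : CampaignState::kIdle;
    }

    // Guarded transitions driven by the subordinates' reported state.
    void onSubordinateUpdate(const SubordinateView& v, bool firstProcessingStarted) {
        switch (state_) {
            case CampaignState::kSoftwarePackage_Transferring:  // [SWS_UCM_01228]
                if (v.allPackagesTransferred || firstProcessingStarted) state_ = CampaignState::kProcessing;
                break;
            case CampaignState::kProcessing:                    // [SWS_UCM_01234]
                if (v.allPackagesProcessed && v.allSubordinatesReady) state_ = CampaignState::kActivating;
                break;
            case CampaignState::kVehicleChecking:               // [SWS_UCM_01242]
            case CampaignState::kCancelling:                    // [SWS_UCM_01243]
                if (v.allSubordinatesIdle) state_ = CampaignState::kIdle;
                break;
            default: break;
        }
    }

    // [SWS_UCM_01239], [SWS_UCM_01240]: outcome of Activate on all subordinates.
    void activationResult(bool allActivated) {
        if (state_ != CampaignState::kActivating) return;
        state_ = allActivated ? CampaignState::kVehicleChecking : CampaignState::kCancelling;
    }

    // [SWS_UCM_01272]: refused outside kVehicleChecking. A true resolution leads
    // to Finish ([SWS_UCM_01214]); false starts the rollback path ([SWS_UCM_01241]).
    std::optional<UcmError> vehicleCheck(bool resolution) {
        if (state_ != CampaignState::kVehicleChecking) return UcmError::kOperationNotPermitted;
        if (!resolution) state_ = CampaignState::kCancelling;
        return std::nullopt;
    }

    // [SWS_UCM_01244], [SWS_UCM_01274], [SWS_UCM_01227], [SWS_UCM_01236], [SWS_UCM_01270]
    std::optional<UcmError> cancelCampaign(bool disableCampaign) {
        switch (state_) {
            case CampaignState::kIdle:
            case CampaignState::kSyncing:
            case CampaignState::kCancelling:
                return UcmError::kOperationNotPermitted;
            case CampaignState::kVehiclePackageTransferring:
            case CampaignState::kSoftwarePackage_Transferring:
                state_ = CampaignState::kIdle;        // nothing processed yet, no rollback needed
                break;
            default:
                state_ = CampaignState::kCancelling;  // Rollback, then Finish, on all subordinates
                break;
        }
        disabled_ = disabled_ || disableCampaign;
        return std::nullopt;
    }
    void allowCampaign() { disabled_ = false; }  // [SWS_UCM_01271]

private:
    CampaignState state_ = CampaignState::kIdle;  // [SWS_UCM_01204]
    bool disabled_ = false;
};
```

The permission checks come before any state change, so a misdirected `VehicleCheck` or `CancelCampaign` from an unprivileged client cannot move a campaign forward or abort a rollback already in progress; the exclusive-caller constraint of [SWS_UCM_CONSTR_00006] still belongs in Identity and Access Management, not here.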
7.2.10 Campaign Reporting

After a campaign is finished (the Finish method has been sent to all UCM subordinates), UCM Master should report the status of the vehicle to the Backend server, for instance with updated information on the Software Clusters present in the vehicle.
[SWS_UCM_01247] Method to read History Report ⌈UCM Master shall provide a method GetCampaignHistory to retrieve all actions that have been performed by UCM Master when exiting state kUpdating within a specific time window.⌋(RS_UCM_00034)
[SWS_UCM_01248] Content of History Report ⌈UCM Master shall save activation time and activation result of processed Vehicle Packages in the history.⌋(RS_UCM_00034)


[SWS_UCM_01266]{DRAFT} Subordinate Not Available On The Network ⌈UCM Master shall record persistently the error SubordinateNotAvailableOnTheNetwork in case one of the UCM subordinates involved in the current campaign stops offering its service interface, and later report it with GetCampaignHistory.⌋(RS_UCM_00034)
[SWS_UCM_01267]{DRAFT} Vehicle State Manager Communication Error ⌈UCM Master shall record persistently the error VehicleStateManagerCommunicationError in case the communication with Vehicle State Manager is not possible, and later report it with GetCampaignHistory.⌋(RS_UCM_00034)
[SWS_UCM_01268]{DRAFT} Vehicle Driver Interface Communication Error ⌈UCM Master shall record persistently the error VehicleDriverInterfaceCommunicationError in case the communication with Vehicle Driver Interface is no longer possible, and later report it with GetCampaignHistory.⌋(RS_UCM_00034)
[SWS_UCM_01269]{DRAFT} Campaign cancellation history ⌈If CancelCampaign method is called, UCM Master shall record persistently this event to later report it with GetCampaignHistory.⌋(RS_UCM_00034)

7.2.11 Content of Vehicle Package

Figure 7.10: Vehicle package overview (diagram: the Vehicle Package is a signed container holding the Vehicle Package manifest with its OEM authentication tag and the Software Package manifests A and B, each with its own authentication tag; each Software Package A and B is a signed container holding the Software Cluster (executables, data, manifests) as a signed container plus its Software Package manifest and authentication tag)

A Vehicle Package is typically assembled by an OEM Backend. A Vehicle Package has to be modelled as a so-called VehiclePackage which describes the content of the Vehicle Package. It contains a collection of Software Package Manifests extracted from Backend packages stored in the Backend database. These Software Packages have to be modelled as a so-called SoftwarePackage which describes the content of the Software Package. A Vehicle Package contains only one Vehicle Package Manifest.
It is possible that within an update campaign several Machines or ECUs need to be updated/installed/removed by groups. Some Software Clusters could require a reboot of the Machine or ECU, some just a restart of an Adaptive Application, and some nothing at all (waiting passively for the next reboot) to get activated. To optimize a campaign or fulfil dependencies, it could be required to activate Software Clusters one after the other or several at once. To support all possible campaigns, the Vehicle Package includes a model describing this coordination. It also contains a way to identify the several involved UCMs for package distribution within the vehicle, and potentially to overwrite the default UCM Master for this specific campaign.
For information purposes, the information that must be contained in the Vehicle Package manifest is described below:
• Repository: uri, repository or diagnostic address, for history, tracking and security purposes
• Vehicle description: vehicle description
• Vehicle Driver notifications: it might be needed to ask the vehicle driver whether UCM Master can start transferring Software Packages, processing them and activating them, but also to inform the driver of the necessary safety requirements if applicable.
• Safety policy: safety policy index to be used as argument to subscribe a field to the vehicle safety manager. With this field, UCM Master will be informed at any time of the campaign whether vehicle safety is met or not.
• UCM Master identifiers list: defines backup UCM Masters
• Campaign orchestration: you can refer to [9] for more details. This campaign model allows grouping the activation of several UCMs and grouping Software Package processing and transferring.
[SWS_UCM_01301]{DRAFT} Vehicle Package authentication ⌈Vehicle Package shall be authenticated by UCM Master before any transfer of Software Packages.⌋(RS_UCM_00039, RS_UCM_00043)
[SWS_UCM_01302]{DRAFT} Vehicle Package authentication failure ⌈In case Vehicle Package authentication fails at TransferExit call, UCM Master shall raise the ApplicationError AuthenticationFailed.⌋(RS_UCM_00039, RS_UCM_00043)
[SWS_UCM_01303]{DRAFT} Dependencies between Software Packages ⌈UCM Master shall check dependencies based on Vehicle Package Manifests and Software Packages Manifests before a transfer of Software Packages.⌋(RS_UCM_00035, RS_UCM_00043)
[SWS_UCM_01305]{DRAFT} Vehicle Package format ⌈Vehicle Package shall contain Vehicle Package manifest and Software Packages manifests in ARXML format.⌋(RS_UCM_00035, RS_UCM_00043)
[SWS_UCM_01306]{DRAFT} TransferExit Invalid package manifest ⌈TransferExit shall raise the error ApplicationError InvalidPackageManifest upon receipt of an invalid manifest.⌋(RS_UCM_00012)

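The order of checks at TransferExit of a Vehicle Package that [SWS_UCM_01301] to [SWS_UCM_01306] impose, as an added example that is not code from the specification or from any UCM implementation: authenticate the package first, then validate each Software Package manifest, then check dependencies against what is installed and what ships in the same campaign, and only then allow Software Package transfers. The flat `SoftwarePackageManifest`/`Dependency` structs stand in for the ARXML manifests, the integer `version` stands in for StrongRevisionLabelString, and `kExpectedTag` is a constructed constant in place of the crypto stack's verification of the OEM authentication tag; the sample campaign and installed inventory are constructed.

```cpp
// Added example (not AUTOSAR code): check order at TransferExit of a Vehicle
// Package: authentication, then manifest validity, then dependencies.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

enum class TransferExitResult { kOk, kAuthenticationFailed, kInvalidPackageManifest, kFailedDependency };

// Constructed, simplified stand-ins for the ARXML manifests of [SWS_UCM_01305].
struct Dependency { std::string name; unsigned minVersion; };
struct SoftwarePackageManifest {
    std::string name;     // SwNameType
    unsigned version;     // stands in for StrongRevisionLabelString
    std::vector<Dependency> dependencies;
};
struct VehiclePackage {
    std::vector<SoftwarePackageManifest> packages;
    std::vector<std::uint8_t> oemAuthenticationTag;  // tag over the manifest (Fig. 7.10)
};

// Constant-time comparison so a tag mismatch does not leak where the bytes differ.
bool tagsEqual(const std::vector<std::uint8_t>& a, const std::vector<std::uint8_t>& b) {
    if (a.size() != b.size()) return false;
    std::uint8_t diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i) diff |= static_cast<std::uint8_t>(a[i] ^ b[i]);
    return diff == 0;
}

// Constructed stand-in: a real UCM Master obtains the expected tag from the
// crypto stack verifying the OEM key, not from a constant.
const std::vector<std::uint8_t> kExpectedTag = {0xA5, 0x5A, 0x01, 0x02};

bool manifestValid(const SoftwarePackageManifest& m) { return !m.name.empty() && m.version > 0; }

// installed: name and version of the Software Clusters already on the vehicle.
TransferExitResult vehiclePackageTransferExit(const VehiclePackage& vp,
                                              const std::map<std::string, unsigned>& installed) {
    if (!tagsEqual(vp.oemAuthenticationTag, kExpectedTag))
        return TransferExitResult::kAuthenticationFailed;  // [SWS_UCM_01302], before anything else
    std::map<std::string, unsigned> available = installed;
    for (const auto& m : vp.packages) {
        if (!manifestValid(m)) return TransferExitResult::kInvalidPackageManifest;  // [SWS_UCM_01306]
        available[m.name] = m.version;  // packages of this campaign may satisfy each other
    }
    for (const auto& m : vp.packages)
        for (const auto& d : m.dependencies) {
            auto it = available.find(d.name);
            if (it == available.end() || it->second < d.minVersion)
                return TransferExitResult::kFailedDependency;  // [SWS_UCM_01303]
        }
    return TransferExitResult::kOk;  // Software Package transfers may start
}

// Constructed sample campaign: ClusterA 1->2 needs ClusterB >= 3, which ships alongside.
VehiclePackage sampleVehiclePackage() {
    VehiclePackage vp;
    vp.packages.push_back({"ClusterA", 2, {{"ClusterB", 3}}});
    vp.packages.push_back({"ClusterB", 3, {}});
    vp.oemAuthenticationTag = kExpectedTag;
    return vp;
}
std::map<std::string, unsigned> sampleInstalled() { return {{"ClusterA", 1}, {"ClusterB", 2}}; }
```

Because authentication is evaluated first, an unauthenticated package never reaches the manifest parser or the dependency resolver, which keeps those code paths from being driven by untrusted input.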

7.2.12 Vehicle update security and confidentiality

The methods GetSwClusterInfo, SwPackageInventory and GetHistory could use private or confidential information.
[SWS_UCM_CONSTR_00013]{DRAFT} Confidential information protection ⌈The VehiclePackageManagement and VehicleDriverApplication interfaces shall only be called over a secure communication channel providing confidentiality protection.⌋(RS_UCM_00033)
The GetSwClusterInfo, SwPackageInventory, GetCampaignHistory, GetSwClusterChangeInfo, GetHistory, GetSwClusterDescription and GetSwPackages methods use data that could identify the vehicle user and should therefore be protected for confidentiality.


8 API specification
There are no APIs defined in this release.


9 Service Interfaces

9.1 Type definitions

This chapter lists all types provided by the UCM.

9.1.1 UCMIdentifierType

[SWS_UCM_00173]{DRAFT} ⌈
Name: UCMIdentifierType
Kind: STRING
Derived from: -
Description: UCM Module Instantiation Identifier.
⌋(RS_UCM_00036)

9.1.2 TransferIdType

[SWS_UCM_00031]{DRAFT} ⌈
Name: TransferIdType
Kind: ARRAY
Array size: 16
Subelements: uint8_t
Derived from: -
Description: Represents a handle identifier used to reference a particular transfer request.
⌋(RS_UCM_00019, RS_UCM_00025)

9.1.3 SwNameType

[SWS_UCM_00071]{DRAFT} ⌈
Name: SwNameType
Kind: STRING
Derived from: -
Description: SoftwareCluster or SoftwarePackage shortName attribute inherited from Referrable meta class.
⌋(RS_UCM_00002)


9.1.4 SwNameVectorType

[SWS_UCM_00174]{DRAFT} ⌈
Name: SwNameVectorType
Kind: VECTOR
Subelements: SwNameType
Derived from: -
Description: Represents a dynamic size array of Software Cluster names.
⌋(RS_UCM_00002)

9.1.5 StrongRevisionLabelString

[SWS_UCM_00175]{DRAFT} ⌈
Name: StrongRevisionLabelString
Kind: STRING
Derived from: -
Description: Primitive type representing SoftwareCluster (SoftwarePackage) version.
⌋(RS_UCM_00002)

9.1.6 SwNameVersionType

[SWS_UCM_00176]{DRAFT} ⌈
Name: SwNameVersionType
Kind: STRUCTURE
Subelements: Name (SwNameType), Version (StrongRevisionLabelString)
Derived from: -
Description: Represents the information of a Software Package (Software Cluster) name and version.
⌋(RS_UCM_00002)

9.1.7 SwNameVersionVectorType

[SWS_UCM_00177]{DRAFT} ⌈
Name: SwNameVersionVectorType
Kind: VECTOR
Subelements: SwNameVersionType
Derived from: -
Description: Represents a dynamic size array of Software Name and Version.
⌋(RS_UCM_00002)

9.1.8 ByteVectorType

[SWS_UCM_00032]{DRAFT} d
Name ByteVectorType
Kind VECTOR
Subelements uint8_t
Derived from -
Description Byte vector representing raw data.

c(RS_UCM_00025)

9.1.9 SwPackageStateType

[SWS_UCM_00038]{DRAFT} d
Name SwPackageStateType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the state of a Software Package on the Platform.
Range / Symbol Limit Description
kTransferring 0x00 Software package is being transferred, i.e. not completely received.
kTransferred 0x01 Software package is completely transferred and ready to be processed.
kProcessing 0x02 Software package is currently being processed.
kProcessed 0x03 Software package processing finished.
kProcessingStream 0x04 Software package is being processed from a stream.

c(RS_UCM_00002, RS_UCM_00006, RS_UCM_00010, RS_UCM_00011, RS_UCM_00012)

9.1.10 SwPackageInfoType

[SWS_UCM_00039]{DRAFT} d


Name SwPackageInfoType
Kind STRUCTURE
Subelements Name SwNameType
Version StrongRevisionLabelString
TransferID TransferIdType
ConsecutiveBytesReceived uint64_t
ConsecutiveBlocksReceived uint64_t
State SwPackageStateType
Derived from -
Description Represents the information of a Software Package.

c(RS_UCM_00002, RS_UCM_00006, RS_UCM_00010, RS_UCM_00011, RS_UCM_00012)

9.1.11 SwPackageInfoVectorType

[SWS_UCM_00040]{DRAFT} d
Name SwPackageInfoVectorType
Kind VECTOR
Subelements SwPackageInfoType
Derived from -
Description Represents a dynamic size array of Software Packages

c(RS_UCM_00002, RS_UCM_00006, RS_UCM_00010, RS_UCM_00011, RS_UCM_00012)

9.1.12 SwDescType

[SWS_UCM_00186]{DRAFT} d
Name SwDescType
Kind STRUCTURE
Subelements Name SwNameType
Version StrongRevisionLabelString
TypeApproval string
License string
ReleaseNotes string
Size uint64_t
Derived from -
Description Contains general information related to a SoftwareCluster that can be used by the Vehicle Driver Application or Human Interface.


c(RS_UCM_00002, RS_UCM_00011)

9.1.13 SwDescVectorType

[SWS_UCM_00187]{DRAFT} d
Name SwDescVectorType
Kind VECTOR
Subelements SwDescType
Derived from -
Description Represents a dynamic size array of SoftwareCluster description

c(RS_UCM_00002, RS_UCM_00011)

9.1.14 SwPackageDescType

[SWS_UCM_00268]{DRAFT} d
Name SwPackageDescType
Kind STRUCTURE
Subelements SwDesc SwDescType
PackageAction ActionType
Duration uint32_t
Derived from -
Description Contains general information related to a SoftwarePackage that can be used by the Human Interface.

c(RS_UCM_00033)

9.1.15 SwPackageDescVectorType

[SWS_UCM_00269]{DRAFT} d
Name SwPackageDescVectorType
Kind VECTOR
Subelements SwPackageDescType
Derived from -
Description Represents a dynamic size array of SwPackageDescType.

c(RS_UCM_00033)


9.1.16 SwClusterStateType

[SWS_UCM_00077]{DRAFT} d
Name SwClusterStateType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the state of a SoftwareCluster on the adaptive platform.
Range / Symbol Limit Description
kPresent 0x00 State of a SoftwareCluster that is installed on the adaptive platform and whose installation has finished.
kAdded 0x01 State of a SoftwareCluster that has been newly installed.
kUpdated 0x02 State of a SoftwareCluster that has been updated.
kRemoved 0x03 State of a SoftwareCluster that has been removed.

c(RS_UCM_00002, RS_UCM_00006, RS_UCM_00010, RS_UCM_00011, RS_UCM_00012)

9.1.17 SwClusterInfoType

[SWS_UCM_00078]{DRAFT} d
Name SwClusterInfoType
Kind STRUCTURE
Subelements Name SwNameType
Version StrongRevisionLabelString
State SwClusterStateType
Derived from -
Description Represents the information of a SoftwareCluster.

c(RS_UCM_00002, RS_UCM_00006, RS_UCM_00010, RS_UCM_00011, RS_UCM_00012)

9.1.18 SwClusterInfoVectorType

[SWS_UCM_00079]{DRAFT} d
Name SwClusterInfoVectorType
Kind VECTOR
Subelements SwClusterInfoType
Derived from -
Description Represents a dynamic size array of SoftwareClusters

c(RS_UCM_00002, RS_UCM_00006, RS_UCM_00010, RS_UCM_00011, RS_UCM_00012)


9.1.19 PackageManagementStatusType

[SWS_UCM_00044]{DRAFT} d
Name PackageManagementStatusType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the state of UCM.
Range / Symbol Limit Description
kIdle 0x00 UCM is ready to start processing if Software Packages are present.
kReady 0x01 UCM has processed one or several packages and waits for additional packages, activation or reversion of the processed packages.
kProcessing 0x02 UCM is currently in the middle of processing a Software Package, i.e. a client has called ProcessSwPackage.
kActivating 0x03 UCM is performing the dependency check and preparing the activation of the processed Software Packages.
kActivated 0x04 Software changes introduced with the processed Software Packages have been activated and are executed.
kRollingBack 0x05 UCM is reverting changes introduced with the processed packages.
kRolledBack 0x06 Software changes introduced with the processed Software Packages have been deactivated and the original software is executed.
kCleaningUp 0x07 UCM is making sure that the system is in a clean state.
kVerifying 0x08 UCM (via State Management) is checking that the processed packages have been properly restarted.

c(RS_UCM_00024, RS_UCM_00026)

9.1.20 ActionType

[SWS_UCM_00132]{DRAFT} d
Name ActionType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the UCM action.
Range / Symbol Limit Description
kUpdate 0x00 Update of a SoftwareCluster.
kInstall 0x01 Installation of a new SoftwareCluster.
kRemove 0x02 Removal of a SoftwareCluster.

c(RS_UCM_00032)

9.1.21 ResultType

[SWS_UCM_00133]{DRAFT} d


Name ResultType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the result of UCM action.
Range / Symbol Limit Description
kActivated 0x00 Activation was successful.
kActivatedAndRolledBack 0x01 Activation was successful but the changes were rolled back by UCM's client.
kVerificationFailed 0x02 UCM’s action failed.

c(RS_UCM_00032)

9.1.22 GetHistoryType

[SWS_UCM_00134]{DRAFT} d
Name GetHistoryType
Kind STRUCTURE
Subelements Time uint64_t
Name SwNameType
Version StrongRevisionLabelString
Action ActionType
Resolution ResultType
FailureError uint64_t
Derived from -
Description Time refers to the activation time of the SoftwareCluster, i.e. the time at which UCM resolved the action, expressed in milliseconds since 01.01.1970 00:00:00 (UTC).

c(RS_UCM_00032)

9.1.23 GetHistoryVectorType

[SWS_UCM_00135]{DRAFT} d
Name GetHistoryVectorType
Kind VECTOR
Subelements GetHistoryType
Derived from -
Description Represents a list of UCM actions

c(RS_UCM_00032)


9.1.24 CampaignHistoryType

[SWS_UCM_00251]{DRAFT} d
Name CampaignHistoryType
Kind STRUCTURE
Subelements CampaignError CampaignErrorType
HistoryVector HistoryVectorType
Derived from -
Description Campaign history

c(RS_UCM_00034)

9.1.25 CampaignErrorType

[SWS_UCM_00252]{DRAFT} d
Name CampaignErrorType
Kind STRUCTURE
Subelements CampaignFailure CampaignFailureType
UCMStepError UCMStepErrorType
Derived from -
Description Campaign Error

c(RS_UCM_00034)

9.1.26 CampaignFailureType

[SWS_UCM_00256]{DRAFT} d
Name CampaignFailureType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Campaign failure
Range / Symbol Limit Description
kUCMError 0x01 UCM error
kInvalidVehiclePackageManifest 0x02 Vehicle Package manifest is invalid
kSubordinateNotAvailableOnTheNetwork 0x03 UCM subordinate not reachable
kVehicleStateManagerCommunicationError 0x04 Communication error with Vehicle State Manager
kVehicleDriverInterfaceCommunicationError 0x05 Communication error with Vehicle Driver Interface
kCampaignCancelled 0x06 Campaign was cancelled

c(RS_UCM_00034)

9.1.27 UCMStepErrorType

[SWS_UCM_00253]{DRAFT} d
Name UCMStepErrorType
Kind STRUCTURE
Subelements id UCMIdentifierType
SoftwarePackageStep SoftwarePackageStepType
ReturnedError uint8_t
Derived from -
Description UCM Error

c(RS_UCM_00034)

9.1.28 SoftwarePackageStepType

[SWS_UCM_00255]{DRAFT} d
Name SoftwarePackageStepType
Kind TYPE_REFERENCE
Derived from uint8_t
Description UCM Software Package step at which error occurred
Range / Symbol Limit Description
kTransfer 0x00 Software Package transfer
kProcess 0x01 Software Package processing
kPreActivate 0x02 Software Cluster pre activation
kVerify 0x03 Software Cluster verification

c(RS_UCM_00034)

9.1.29 HistoryVectorType

[SWS_UCM_00254]{DRAFT} d


Name HistoryVectorType
Kind STRUCTURE
Subelements id UCMIdentifierType
HistoryVector GetHistoryVectorType
Derived from -
Description History of an UCM

c(RS_UCM_00034)

9.1.30 CampaignStateType

[SWS_UCM_01177]{DRAFT} d
Name CampaignStateType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the status of Campaign.
Range / Symbol Limit Description
kIdle 0x00 UCM Master is ready to start a software update campaign.
kSyncing 0x01 UCM Master is providing the list of installed SWCLs (GetSwClusterInfo) or computing the list of SWCLs to install (SwPackageInventory).
kVehiclePackageTransferring 0x02 A Vehicle Package is being transferred to UCM Master.
kSoftwarePackage_Transferring 0x03 UCM Master is transferring Software Packages to the UCM subordinates.
kProcessing 0x04 The processing of Software Packages on UCM subordinates is ongoing. The transferring of Software Packages may still occur.
kActivating 0x05 The activation of SWCLs on UCM subordinates is ongoing.
kVehicleChecking 0x06 UCM Master is performing post-activation checks (OEM specific).
kCancelling 0x07 UCM Master is rolling back the activated SWCLs on the UCM subordinates.

c(RS_UCM_00032)

9.1.31 TransferStateType

[SWS_UCM_01178]{DRAFT} d
Name TransferStateType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the state of an update from OTA Client perspective.
Range / Symbol Limit Description
kIdle 0x00 UCM Master is ready to start a software update campaign.
kTransferring 0x01 Vehicle or Software Packages are being transferred.
kUpdating 0x02 Software Clusters are being updated in the vehicle.
kCancelling 0x03 An error occurred, campaign is being cancelled, reverting changes.

c(RS_UCM_00032)

9.1.32 SafetyConditionType

[SWS_UCM_01114]{DRAFT} d
Name SafetyConditionType
Kind STRING
Derived from -
Description The type of the Safety Conditions.

c(RS_UCM_00002)

9.1.33 SafetyConditionsVectorType

[SWS_UCM_01136]{DRAFT} d
Name SafetyConditionsVectorType
Kind VECTOR
Subelements SafetyConditionType
Derived from -
Description Represents a dynamic size array of Safety Conditions.

c(RS_UCM_00002)

9.1.34 SafetyStatesType

[SWS_UCM_01138]{DRAFT} d
Name SafetyStatesType
Kind TYPE_REFERENCE
Derived from uint8_t
Description Represents the vehicle safety state.
Range / Symbol Limit Description
Safe 0x00 Safe Safety State.
NotSafe 0x01 Not safe Safety State.
NotSupported 0x02 Unsupported Safety State.

c(RS_UCM_00002)

9.1.35 SafetyStatesVectorType

[SWS_UCM_01137]{DRAFT} d
Name SafetyStatesVectorType
Kind VECTOR
Subelements SafetyStatesType
Derived from -
Description Represents a dynamic size array of Safety States.

c(RS_UCM_00002)

9.2 Provided Service Interfaces

9.2.1 Package Management

This chapter lists all provided service interfaces of the UCM.


Port
[SWS_UCM_00073]{DRAFT} d
Name PackageManagement
Kind ProvidedPort Interface PackageManagement
Description
Variation

c(RS_UCM_00001)
Service Interface
[SWS_UCM_00131]{DRAFT} d
Name PackageManagement
NameSpace ara::ucm


Field CurrentStatus
Description The current status of UCM.
Type PackageManagementStatusType
HasGetter true
HasNotifier true
HasSetter false

Method Activate
Description This method activates the processed components.
FireAndForget false
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error MissingDependencies: Activate cannot be performed because of missing dependencies.
Application Error UpdateSessionRejected: Start of an update session was rejected by State Management.
Application Error PreActivationFailed: Error during the preActivation step.
Application Error VerificationFailed: State Management returned a verification failure.

Method Cancel
Description This method aborts an ongoing processing of a Software Package.
FireAndForget false
Parameter id
Description The Transfer ID.
Type TransferIdType
Variation

Direction IN
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error InvalidTransferId: The Transfer ID is invalid.

Method DeleteTransfer
Description Delete a transferred Software Package.
FireAndForget false
Parameter id
Description Transfer ID of the currently running request.
Type TransferIdType
Variation

Direction IN
Application Error InvalidTransferId: The Transfer ID is invalid.
Application Error OperationNotPermitted: The operation is not supported in the current context.


Method Finish
Description This method finishes the processing for the current set of processed Software Packages. It does a
cleanup of all data of the processing including the sources of the Software Packages.
FireAndForget false
Application Error OperationNotPermitted: The operation is not supported in the current context.

Method GetHistory
Description Getter method to retrieve all actions that have been performed by UCM.
FireAndForget false
Parameter timestampGE
Description Earliest timestamp (inclusive)
Type uint64_t
Variation

Direction IN
Parameter timestampLT
Description Latest timestamp (exclusive)
Type uint64_t
Variation

Direction IN
Parameter history
Description The history of all actions that have been performed by UCM.
Type GetHistoryVectorType
Variation

Direction OUT

Method GetId
Description Get the UCM Instance Identifier.
FireAndForget false
Parameter id
Description UCM Module Instantiation Identifier.
Type UCMIdentifierType
Variation

Direction OUT

Method GetSwClusterChangeInfo
Description This method returns a list of pending changes to the set of SoftwareClusters on the adaptive platform. The returned list includes all SoftwareClusters that are to be added, updated or removed. The list of changes is extended in the course of processing Software Packages.
FireAndForget false
Parameter SwInfo
Description List of SoftwareClusters that are in state kAdded,kUpdated or kRemoved.
Type SwClusterInfoVectorType
Variation

Direction OUT

Method GetSwClusterDescription
Description This method returns the general information of the SoftwareClusters present in the platform.
FireAndForget false
Parameter SwCluster
Description List of SoftwareClusters present in the platform.
Type SwDescVectorType
Variation

Direction OUT

Method GetSwClusterInfo
Description This method returns a list of SoftwareClusters that are in state kPresent.
FireAndForget false
Parameter SwInfo
Description List of installed SoftwareClusters that are in state kPresent.
Type SwClusterInfoVectorType
Variation

Direction OUT

Method GetSwPackages
Description This method returns the Software Packages that are available in UCM.
FireAndForget false
Parameter Packages
Description List of Software Packages.
Type SwPackageInfoVectorType
Variation

Direction OUT

Method GetSwProcessProgress
Description Get the progress (0 - 100%) of the currently processed Software Package.
FireAndForget false
Parameter id
Description The Transfer ID of the Software Package.
Type TransferIdType
Variation

Direction IN
Parameter progress
Description The progress of the current package processing (0% - 100%): 0x00 ... 0x64, or 0xFF for "No information available".
Type uint8_t
Variation

Direction OUT
Application Error InvalidTransferId: The Transfer ID is invalid.

Method ProcessSwPackage
Description Process a previously transferred Software Package.
FireAndForget false
Parameter id
Description The Transfer ID of the Software Package which should be processed.
Type TransferIdType
Variation

Direction IN
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error ServiceBusy: Another processing is already ongoing and therefore the current processing request has to be rejected.
Application Error InvalidTransferId: The Transfer ID is invalid.
Application Error AuthenticationFailed: Package authentication failed.
Application Error IncompatiblePackageVersion: The version of the Software or Vehicle Package to be processed is not compatible with the current version of UCM or UCM Master.
Application Error InvalidPackageManifest: Package manifest could not be read.
Application Error SoftwareClusterMissing: The SoftwareCluster is not present in the Machine.
Application Error IncompatibleDelta: Delta package dependency check failed.
Application Error InsufficientMemory: Insufficient memory to perform the operation.
Application Error ProcessedSoftwarePackageInconsistent: The processed Software Package integrity check has failed.
Application Error OldVersion: Software Package version is too old.
Application Error ProcessSwPackageCancelled: The processing operation has been interrupted by a Cancel() call.

Method RevertProcessedSwPackages
Description Revert the changes done by processing (ProcessSwPackage) of one or several software packages.
FireAndForget false
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error NotAbleToRevertPackages: RevertProcessedSwPackages failed.

Method Rollback
Description Rollback the system to the state before the packages were processed.
FireAndForget false
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error NotAbleToRollback: Rollback failed.

Method TransferData
Description Block-wise transfer of a Software Package to UCM.
FireAndForget false
Parameter id
Description Transfer ID.
Type TransferIdType
Variation

Direction IN
Parameter data
Description Data block of the Software Package.
Type ByteVectorType
Variation

Direction IN
Parameter blockCounter
Description Block counter value of the current block.
Type uint64_t
Variation

Direction IN
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error InvalidTransferId: The Transfer ID is invalid.
Application Error IncorrectBlock: The same block number is received twice.
Application Error IncorrectBlockSize: The size of the block exceeds the block size provided by TransferStart or TransferVehiclePackage.
Application Error IncorrectSize: The size of the Software or Vehicle Package exceeds the size provided in TransferStart.
Application Error InsufficientMemory: Insufficient memory to perform the operation.
Application Error TransferFailed: UCM cannot persist the transferred block.
Application Error BlockInconsistent: Consistency check for the transferred block failed.
Application Error AuthenticationFailed: Package authentication failed.
Application Error InvalidPackageManifest: Package manifest could not be read.
Application Error IncompatiblePackageVersion: The version of the Software or Vehicle Package to be processed is not compatible with the current version of UCM or UCM Master.
Application Error PackageInconsistent: Package integrity check failed.
Application Error OldVersion: Software Package version is too old.

Method TransferExit
Description Finish the transfer of a Software Package to UCM.
FireAndForget false
Parameter id
Description Transfer ID of the currently running request.
Type TransferIdType
Variation

Direction IN
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error InvalidTransferId: The Transfer ID is invalid.
Application Error InsufficientData: TransferExit has been called but the total transferred data size does not match the expected data size provided with the TransferStart call.
Application Error AuthenticationFailed: Package authentication failed.
Application Error PackageInconsistent: Package integrity check failed.
Application Error IncompatiblePackageVersion: The version of the Software or Vehicle Package to be processed is not compatible with the current version of UCM or UCM Master.
Application Error InvalidPackageManifest: Package manifest could not be read.
Application Error MissingDependencies: Activate cannot be performed because of missing dependencies.
Application Error OldVersion: Software Package version is too old.

Method TransferStart
Description Start the transfer of a Software Package after having received a Vehicle Package. The size of the
Software Package to be transferred to UCM must be provided. UCM will generate a Transfer ID for
subsequent calls to TransferData, TransferExit, ProcessSwPackage, DeleteTransfer.
FireAndForget false
Parameter size
Description Size (in bytes) of the Software Package to be transferred.
Type uint64_t
Variation

Direction IN
Parameter id
Description Return TransferId.
Type TransferIdType
Variation

Direction OUT
Parameter BlockSize
Description Size of the blocks to be received with TransferData method.
Type uint32_t
Variation

Direction OUT
Application Error InsufficientMemory: Insufficient memory to perform the operation.

c(RS_UCM_00001, RS_UCM_00002, RS_UCM_00008, RS_UCM_00010, RS_UCM_00011, RS_UCM_00015, RS_UCM_00018, RS_UCM_00021, RS_UCM_00023, RS_UCM_00024, RS_UCM_00025, RS_UCM_00032)
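The transfer and processing sequence specified by TransferStart, TransferData, TransferExit, ProcessSwPackage, Activate and GetHistory above, as a reference model added here for illustration (it is not AUTOSAR code and not an ara::ucm implementation). It shows the receiving-side checks a UCM has to make so that a client cannot replay a block, exceed the announced BlockSize or the size declared in TransferStart, finish a transfer with missing or altered data, or drive a package through the SwPackageStateType states out of order, and it shows the half-open [timestampGE, timestampLT) filtering of GetHistory. Assumed for the example and not taken from the specification: a fixed BlockSize of 1024, SHA-256 over the assembled package as a stand-in for the integrity check behind PackageInconsistent (where the expected digest comes from is outside this page), a TransferStart that takes that digest as a second argument, and a constructed byte string in place of a real Software Package.

```python
import hashlib
import os
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List

# SwPackageStateType, values as in the table above (kProcessingStream is not modelled)
SwPackageState = IntEnum("SwPackageState", ["kTransferring", "kTransferred", "kProcessing", "kProcessed"], start=0)


class UcmError(Exception):
    """str(e) is the ApplicationError name from the PackageManagement interface."""


@dataclass
class Transfer:
    expected_size: int                # size passed to TransferStart
    expected_digest: bytes            # assumption: SHA-256 stands in for the package integrity check
    blocks: Dict[int, bytes] = field(default_factory=dict)   # blockCounter -> block
    state: SwPackageState = SwPackageState.kTransferring


class PackageManagementModel:
    BLOCK_SIZE = 1024                 # BlockSize returned by TransferStart (assumed value)

    def __init__(self) -> None:
        self.transfers: Dict[bytes, Transfer] = {}
        self.history: List[dict] = []   # GetHistoryType entries, appended by Activate

    def TransferStart(self, size: int, expected_digest: bytes):
        tid = os.urandom(16)          # TransferIdType: 16-byte handle another client cannot guess
        self.transfers[tid] = Transfer(size, expected_digest)
        return tid, self.BLOCK_SIZE

    def _transfer(self, tid: bytes) -> Transfer:
        if tid not in self.transfers:
            raise UcmError("InvalidTransferId")
        return self.transfers[tid]

    def TransferData(self, tid: bytes, data: bytes, blockCounter: int) -> None:
        t = self._transfer(tid)
        if t.state is not SwPackageState.kTransferring:
            raise UcmError("OperationNotPermitted")
        if blockCounter in t.blocks:
            raise UcmError("IncorrectBlock")        # same block number received twice
        if len(data) > self.BLOCK_SIZE:
            raise UcmError("IncorrectBlockSize")    # larger than the announced BlockSize
        if sum(map(len, t.blocks.values())) + len(data) > t.expected_size:
            raise UcmError("IncorrectSize")         # would exceed the size given to TransferStart
        t.blocks[blockCounter] = bytes(data)

    def TransferExit(self, tid: bytes) -> None:
        t = self._transfer(tid)
        payload = b"".join(t.blocks[n] for n in sorted(t.blocks))
        if len(payload) != t.expected_size:
            raise UcmError("InsufficientData")      # total received differs from the declared size
        if hashlib.sha256(payload).digest() != t.expected_digest:
            raise UcmError("PackageInconsistent")   # integrity check over the whole package
        t.state = SwPackageState.kTransferred

    def ProcessSwPackage(self, tid: bytes) -> None:
        t = self._transfer(tid)
        if t.state is not SwPackageState.kTransferred:
            raise UcmError("OperationNotPermitted")
        t.state = SwPackageState.kProcessing        # unpacking/verification of the contents is elided
        t.state = SwPackageState.kProcessed

    def Activate(self, name: str, version: str, now_ms: int) -> None:
        if not any(t.state is SwPackageState.kProcessed for t in self.transfers.values()):
            raise UcmError("OperationNotPermitted")
        self.history.append({"Time": now_ms, "Name": name, "Version": version,
                             "Action": "kUpdate", "Resolution": "kActivated", "FailureError": 0})

    def GetHistory(self, timestampGE: int, timestampLT: int) -> List[dict]:
        return [h for h in self.history if timestampGE <= h["Time"] < timestampLT]   # [GE, LT)


def expect_error(call, *args) -> str:
    """Returns the ApplicationError name a call raises, or '' if it succeeds."""
    try:
        call(*args)
        return ""
    except UcmError as e:
        return str(e)


def run_transfer_demo() -> dict:
    pkg = b"constructed sample package " * 100      # 2700 bytes, not a real Software Package
    ucm = PackageManagementModel()
    tid, bs = ucm.TransferStart(len(pkg), hashlib.sha256(pkg).digest())
    for n, off in enumerate(range(0, len(pkg), bs), start=1):
        ucm.TransferData(tid, pkg[off:off + bs], n)
    errors = [expect_error(ucm.TransferData, *args) for args in (
        (tid, pkg[:bs], 1),                         # duplicate blockCounter
        (tid, b"x" * (bs + 1), 99),                 # block longer than BlockSize
        (tid, b"x", 99),                            # one byte past the declared size
        (bytes(16), b"x", 1))]                      # handle UCM never issued
    ucm.TransferExit(tid)
    ucm.ProcessSwPackage(tid)
    ucm.Activate("SwclA", "1.0.0", now_ms=1_700_000_000_000)
    return {"errors": errors, "state": ucm.transfers[tid].state,
            "in_range": len(ucm.GetHistory(1_700_000_000_000, 1_700_000_000_001)),
            "before": len(ucm.GetHistory(1_699_999_999_000, 1_700_000_000_000))}
```

run_transfer_demo() returns the error names raised by the four bad TransferData calls together with the final package state and the two GetHistory counts. The handle from TransferStart is 16 random bytes because TransferIdType is an opaque 16-byte array; a predictable or sequential handle would let one client cancel, delete or process another client's transfer.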

9.2.2 Vehicle Package Management

This chapter lists all provided service interfaces of the UCM Master to OTA Client
Adaptive Application.
Port
[SWS_UCM_00178]{DRAFT} d
Name VehiclePackageManagement
Kind ProvidedPort Interface VehiclePackageManagement
Description
Variation

c(RS_UCM_00035)
Service Interface
[SWS_UCM_00181]{DRAFT} d


Name VehiclePackageManagement
NameSpace ara::ucm

Field TransferState
Description The current status of Campaign from an OTA Client perspective.
Type TransferStateType
HasGetter true
HasNotifier true
HasSetter false

Field RequestedPackage
Description Software Package to be transferred to UCM Master.
Type SwNameVersionType
HasGetter true
HasNotifier true
HasSetter false

Field SafetyConditions
Description Safety conditions from the Vehicle Package computed by the Vehicle State Manager Adaptive
Application.
Type SafetyConditionsVectorType
HasGetter true
HasNotifier true
HasSetter false

Field SafetyState
Description Vehicle state computed by the Vehicle State Manager Adaptive Application.
Type SafetyStatesVectorType
HasGetter true
HasNotifier true
HasSetter false

Method CancelCampaign
Description This method aborts an ongoing campaign processing of a Vehicle Package.
FireAndForget false
Parameter DisableCampaign
Description To forbid new campaign
Type bool
Variation

Direction IN
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error CancelFailed: Cancel failed.

Method AllowCampaign
Description To allow a new campaign to start
FireAndForget false

Method DeleteTransfer
Description Delete a transferred Software or Vehicle Package.
FireAndForget false
Parameter id
Description Transfer ID of the currently running request.
Type TransferIdType
Variation

Direction IN
Application Error InvalidTransferId: The Transfer ID is invalid.
Application Error OperationNotPermitted: The operation is not supported in the current context.

Method GetCampaignHistory
Description Getter method to retrieve all actions that have been performed by UCM Master.
FireAndForget false
Parameter timestampGE
Description Earliest timestamp (inclusive)
Type uint64_t
Variation

Direction IN
Parameter timestampLT
Description Latest timestamp (exclusive)
Type uint64_t
Variation

Direction IN
Parameter CampaignHistory
Description The history of all actions that have been performed by UCM Master.
Type CampaignHistoryType
Variation

Direction OUT

Method GetSwClusterInfo
Description This method returns a list of SoftwareClusters that are in state kPresent.
FireAndForget false
Parameter SwInfo
Description List of installed SoftwareClusters that are in state kPresent.
Type SwClusterInfoVectorType
Variation

Direction OUT

Method GetSwPackages
Description This method returns the Software Packages that are part of current campaign handled by UCM Master.
FireAndForget false
Parameter Packages
Description List of Software Packages.
Type SwPackageInfoVectorType
Variation

Direction OUT

Method SwPackageInventory
Description
FireAndForget false
Parameter AvailableSoftwarePackages
Description List of available Software Packages in Backend corresponding to VIN.
Type SwNameVersionVectorType
Variation

Direction IN
Parameter RequiredSoftwarePackages
Description List of Software Packages to be sent to UCM Master.
Type SwNameVersionVectorType
Variation

Direction OUT

Method TransferData
Description Block-wise transfer of a Software or Vehicle Package to UCM Master.
FireAndForget false
Parameter id
Description Transfer ID.
Type TransferIdType
Variation

Direction IN
Parameter data
Description Data block of the Software or Vehicle Package.
Type ByteVectorType
Variation

Direction IN
Parameter blockCounter
Description Block counter value of the current block.
Type uint64_t
Variation

Direction IN
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error InvalidTransferId: The Transfer ID is invalid.
Application Error IncorrectBlock: The same block number is received twice.
Application Error IncorrectBlockSize: The size of the block exceeds the block size provided by TransferStart or TransferVehiclePackage.
Application Error IncorrectSize: The size of the Software or Vehicle Package exceeds the size provided in TransferStart.
Application Error InsufficientMemory: Insufficient memory to perform the operation.
Application Error TransferFailed: UCM cannot persist the transferred block.
Application Error BlockInconsistent: Consistency check for the transferred block failed.
Application Error AuthenticationFailed: Package authentication failed.
Application Error InvalidPackageManifest: Package manifest could not be read.
Application Error IncompatiblePackageVersion: The version of the Software or Vehicle Package to be processed is not compatible with the current version of UCM or UCM Master.
Application Error PackageInconsistent: Package integrity check failed.
Application Error OldVersion: Software Package version is too old.

Method TransferExit
Description Finish the transfer of a Software or Vehicle Package to UCM Master.
FireAndForget false
Parameter id
Description Transfer ID of the currently running request.
Type TransferIdType
Variation

Direction IN
Application Error OperationNotPermitted: The operation is not supported in the current context.
Application Error InvalidTransferId: The Transfer ID is invalid.
Application Error InsufficientData: TransferExit has been called but the total transferred data size does not match the expected data size provided with the TransferStart call.
Application Error AuthenticationFailed: Package authentication failed.
Application Error PackageInconsistent: Package integrity check failed.
Application Error IncompatiblePackageVersion: The version of the Software or Vehicle Package to be processed is not compatible with the current version of UCM or UCM Master.
Application Error InvalidPackageManifest: Package manifest could not be read.
Application Error MissingDependencies: Activate cannot be performed because of missing dependencies.
Application Error OldVersion: Software Package version is too old.

Method TransferStart
Description Start the transfer of a Software Package. The name of the Software Package to be transferred to UCM
Master must be provided. UCM Master will generate a Transfer ID for subsequent calls to TransferData,
TransferExit, DeleteTransfer. Size of Software Package to be used to transfer to UCM subordinate is
available in the Vehicle Package and its contained Software Package Manifests.
FireAndForget false
Parameter SoftwarePackageName
Description Software Package Short Name of the Software Package to be transferred.
Type SwNameType
Variation

Direction IN
Parameter id
Description Return TransferId.
Type TransferIdType
Variation

Direction OUT
Parameter BlockSize
Description Size of the blocks to be received with TransferData method.
Type uint32_t
Variation

Direction OUT
Application Error UnexpectedPackage: The Software Package name does not correspond to the RequestedPackage field value.
Application Error InsufficientMemory: Insufficient memory to perform the operation.

Method TransferVehiclePackage
Description Start the transfer of a Vehicle Package. The size of the Vehicle Package to be transferred to UCM Master
must be provided. UCM Master will generate a Transfer ID for subsequent calls to TransferData, Transfer
Exit, ProcessSwPackage, DeleteTransfer. This call starts a new campaign.
FireAndForget false
Parameter size
Description Size (in bytes) of the Vehicle Package to be transferred.
Type uint64_t
Variation

Direction IN
Parameter id
Description Return TransferId.
Type TransferIdType
Variation

Direction OUT
Parameter BlockSize
Description Size of the blocks to be received with TransferData method.
Type uint32_t
Variation

Direction OUT
Application Errors NewCampaignDisabled New campaigns are disabled, calling AllowCampaign will enable new campaigns.
Application Errors InsufficientMemory Insufficient memory to perform operation.

c(RS_UCM_00001, RS_UCM_00002, RS_UCM_00008, RS_UCM_00010, RS_UCM_00011, RS_UCM_00015, RS_UCM_00018, RS_UCM_00021, RS_UCM_00023, RS_UCM_00024, RS_UCM_00025, RS_UCM_00032)

9.2.3 Vehicle Driver Application Interface

This chapter lists all provided service interfaces of the UCM Master to the Vehicle
Driver Adaptive Application.
Port
[SWS_UCM_00180]{DRAFT} d
Name VehicleDriverApplication
Kind ProvidedPort Interface VehicleDriverApplication
Description
Variation

c(RS_UCM_00038, RS_UCM_00043)
Service Interface
[SWS_UCM_00182]{DRAFT} d

Name VehicleDriverApplication
NameSpace ara::ucm

Field ApprovalRequired
Description Flag to inform Adaptive Application if approval from Vehicle Driver is required at current state based on
Vehicle Package Manifest.
Type bool
HasGetter true
HasNotifier true
HasSetter false

Field CampaignState
Description The current status of Campaign.
Type CampaignStateType
HasGetter true
HasNotifier true
HasSetter false

Field SafetyConditions
Description Safety conditions from the Vehicle Package computed by the Vehicle State Manager Adaptive
Application.
Type SafetyConditionsVectorType
HasGetter true
HasNotifier true
HasSetter false

Field SafetyState
Description Vehicle state computed by the Vehicle State Manager Adaptive Application.
Type SafetyStatesVectorType
HasGetter true
HasNotifier true
HasSetter false

Method CancelCampaign
Description This method aborts an ongoing campaign processing of a Vehicle Package.
FireAndForget false
Parameter DisableCampaign
Description To forbid new campaign
Type bool
Variation

Direction IN
Application Errors OperationNotPermitted The operation is not supported in the current context.
Application Errors CancelFailed Cancel failed.

Method AllowCampaign
Description To allow a new campaign to start
FireAndForget false

Method DriverApproval
Description Called by Adaptive Application to inform UCM Master of the driver’s notification resolution (approve or
reject)
FireAndForget false
Parameter Approval
Description Driver’s notification resolution
Type bool
Variation

Direction IN
Parameter SafetyStates
Description Safety states acknowledged by the Vehicle Driver Application
Type SafetyStatesVectorType
Variation

Direction IN

Method GetCampaignHistory
Description Getter method to retrieve all actions that have been performed by UCM Master.
FireAndForget false
Parameter timestampGE
Description Earliest timestamp (inclusive)
Type uint64_t
Variation

Direction IN
Parameter timestampLT
Description Latest timestamp (exclusive)
Type uint64_t
Variation

Direction IN
Parameter history
Description The history of all actions that have been performed by UCM Master.
Type CampaignHistoryType
Variation

Direction OUT

Method GetSwClusterDescription
Description This method returns the general information of the Software Clusters present in the Adaptive Platform.
FireAndForget false
Parameter SoftwareClusterDescriptions
Description List of SoftwareClusters general information
Type SwDescVectorType
Variation

Direction OUT

Method GetSwPackageDescription
Description This method returns the general information of the Software Packages that are part of current campaign
handled by UCM Master.
FireAndForget false
Parameter Packages
Description List of Software Packages.
Type SwPackageDescVectorType
Variation

Direction OUT

Method GetSwProcessProgress
Description Get the progress (0 - 100%) of the package currently being processed.
FireAndForget false
Parameter progress
Description The progress of the current package processing (0% - 100%): 0x00 ... 0x64, or 0xFF for "No information available".
Type uint8_t
Variation

Direction OUT

Method GetSwTransferProgress
Description Get the progress (0 - 100%) of the package currently being transferred.
FireAndForget false
Parameter progress
Description The progress of the current package transfer (0% - 100%): 0x00 ... 0x64, or 0xFF for "No information available".
Type uint8_t
Variation

Direction OUT

c(RS_UCM_00001, RS_UCM_00002, RS_UCM_00008, RS_UCM_00010, RS_UCM_00011, RS_UCM_00015, RS_UCM_00018, RS_UCM_00021, RS_UCM_00023, RS_UCM_00024, RS_UCM_00025, RS_UCM_00032)

9.2.4 Vehicle State Manager

This chapter lists all provided service interfaces of the UCM Master to the Vehicle
State Manager Adaptive Application.
Port
[SWS_UCM_00179]{DRAFT} d
Name VehicleStateManager
Kind ProvidedPort Interface VehicleStateManager
Description
Variation

c(RS_UCM_00037, RS_UCM_00043)
Service Interface
[SWS_UCM_00183]{DRAFT} d
Name VehicleStateManager
NameSpace ara::ucm

Field SafetyConditions
Description Safety conditions from the Vehicle Package to be computed by the Vehicle State Manager Adaptive
Application.
Type SafetyConditionsVectorType
HasGetter true
HasNotifier true
HasSetter false

Method SafetyState
Description Method called by Vehicle State Manager Adaptive Application when safety state is changed
FireAndForget false
Parameter SafetyStates
Description Safety states computed by the Vehicle State Manager Adaptive Application from the SafetyConditions.
Type SafetyStatesVectorType
Variation

Direction IN

Method VehicleCheck
Description Method for Vehicle State Manager to inform UCM Master of vehicle check resolution
FireAndForget false
Parameter VehicleCheckResolution
Description Vehicle check resolution. True if check succeeded.
Type bool
Variation

Direction IN

c(RS_UCM_00001, RS_UCM_00002, RS_UCM_00008, RS_UCM_00010, RS_UCM_00011, RS_UCM_00015, RS_UCM_00018, RS_UCM_00021, RS_UCM_00023, RS_UCM_00024, RS_UCM_00025, RS_UCM_00032)

9.3 Required Interface

9.3.1 State Management Update Request

UCM requires the UpdateRequest Service Interface [SWS_SM_91017] provided by State Management.
Port
[SWS_UCM_00288]{DRAFT} d
Name UpdateRequest
Kind RequiredPort Interface UpdateRequest
Description The UpdateRequest interface is intended to be used by UCM to interact with StateManagement to
perform updates, installation and removal of SoftwareClusters.
Variation

c()

9.4 Application Errors

9.4.1 Application Error Domain

9.4.1.1 UCMErrorDomain

This section lists all application errors of the UCM.


[SWS_UCM_00136]{DRAFT} d
Name Code Description
AuthenticationFailed 8 Package authentication failed.
BlockInconsistent 25 Consistency check for transferred block failed.
BusyWithCampaign 34 Campaign has already started.
CancelFailed 16 Cancel failed.
IncompatibleDelta 29 Delta package dependency check failed.
IncompatiblePackageVersion 24 The version of the Software or Vehicle Package to be processed is not compatible with the current version of UCM or UCM Master.
IncorrectBlock 2 The same block number is received twice.
IncorrectBlockSize 30 The size of the block exceeds the provided block size from TransferStart or TransferVehiclePackage.
IncorrectSize 3 The size of the Software or Vehicle Package exceeds the provided size in TransferStart.
InsufficientData 6 TransferExit has been called but total transferred data size does not match expected data size provided with TransferStart call.
InsufficientMemory 1 Insufficient memory to perform operation.
InvalidChecksumDescription 35 Checksum attribute not recognised.
InvalidPackageManifest 13 Package manifest could not be read.
InvalidTransferId 4 The Transfer ID is invalid.
MissingDependencies 21 Activate cannot be performed because of missing dependencies.
NewCampaignDisabled 31 New campaigns are disabled, calling AllowCampaign will enable new campaigns.
NotAbleToRevertPackages 15 RevertProcessedSwPackages failed.
NotAbleToRollback 18 Rollback failed.
OldVersion 9 Software Package version is too old.
OperationNotPermitted 5 The operation is not supported in the current context.
PackageInconsistent 7 Package integrity check failed.
PreActivationFailed 19 Error during preActivation step.
ProcessSwPackageCancelled 22 The processing operation has been interrupted by a Cancel() call.
ProcessedSoftwarePackageInconsistent 23 The processed Software Package integrity check has failed.
ServiceBusy 12 Another processing is already ongoing and therefore the current processing request has to be rejected.
SoftwareClusterMissing 37 The Software Cluster is not present in the Machine.
TransferFailed 38 UCM cannot persist transferred block.
UnexpectedPackage 32 The Software Package name does not correspond to the RequestedPackage field value.
UpdateSessionRejected 33 Start of an update session was rejected by State Management.
VerificationFailed 36 State Management returned verification failure.

c(RS_UCM_00006, RS_UCM_00007, RS_UCM_00012, RS_UCM_00013, RS_UCM_00014)

10 Sequence diagrams
The following sequence charts are simplified examples and have no normative meaning. The relevant definitions are in chapter 7 only.

10.1 Update process

sd Update (sequence diagram rendered as text): the Diagnostic Application (OEM specific) drives UCM («ServiceProvider») through three referenced sub-sequences, in this order:
  ref Data transmission (10.2)
  ref Processing (10.3)
  ref Activation (10.4)

Figure 10.1: Sequence diagram showing the update process

10.2 Data transmission

Participants: Diagnostic Application (OEM specific) and UCM («ServiceProvider»).

loop for each Software Package:
  Diagnostic Application -> UCM: TransferStart(PackageSize) -> returns TransferId, BlockSize
  loop for each segment of the Software Package:
    Diagnostic Application -> UCM: TransferData(TransferId, ByteVectorType, blockCounter)
    UCM: storeData(byteVector) -> returns TransferDataReturnType
  Diagnostic Application -> UCM: TransferExit(TransferId)
  UCM: checkTransferredPackage() -> returns TransferExitReturnType

Figure 10.2: Sequence diagram showing the data transmission
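The receiver side of the exchange in Figure 10.2, combined with the IncorrectBlock, IncorrectBlockSize, IncorrectSize, InsufficientData, InvalidTransferId, OperationNotPermitted and InsufficientMemory entries of [SWS_UCM_00136], as an added C++ example that is not part of the AUTOSAR specification or of any UCM implementation. Every check runs before a byte is persisted, so a replayed block, an oversized block, or a package that overshoots the size declared in TransferStart is refused rather than stored. The class name TransferReceiver, the storage capacity, the numeric value 0 for success, and the rule that block counters start at 1 and increase by one are assumptions of this example; the ara::ucm types are replaced by plain standard-library types.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Error codes copied from the UCMErrorDomain table [SWS_UCM_00136]; 0 = success (assumed).
enum class UcmError : int {
    kOk = 0,
    kInsufficientMemory = 1,
    kIncorrectBlock = 2,
    kIncorrectSize = 3,
    kInvalidTransferId = 4,
    kOperationNotPermitted = 5,
    kInsufficientData = 6,
    kIncorrectBlockSize = 30,
};

using ByteVector = std::vector<std::uint8_t>;
using TransferId = std::uint64_t;

// Per-transfer bookkeeping; block counters are assumed to start at 1 and increase by one.
struct Transfer {
    Transfer(std::uint64_t size, std::uint32_t block) : expected_size(size), block_size(block) {}
    std::uint64_t expected_size;
    std::uint32_t block_size;
    std::uint64_t received = 0;
    std::uint64_t next_block = 1;
    bool exited = false;
    ByteVector data;
};

class TransferReceiver {
public:
    // block_size: the BlockSize UCM returns from TransferStart; capacity: bytes UCM can still
    // persist (a constructed figure standing in for real storage accounting).
    TransferReceiver(std::uint32_t block_size, std::uint64_t capacity)
        : block_size_(block_size), capacity_(capacity) {}

    // TransferStart(size) -> id, BlockSize. Packages that cannot be stored are refused up front.
    UcmError TransferStart(std::uint64_t size, TransferId& id, std::uint32_t& block_size) {
        if (size > capacity_) return UcmError::kInsufficientMemory;
        id = next_id_++;
        block_size = block_size_;
        transfers_.emplace(id, Transfer(size, block_size_));
        capacity_ -= size;
        return UcmError::kOk;
    }

    // TransferData(id, block, blockCounter). All checks happen before any byte is stored.
    UcmError TransferData(TransferId id, const ByteVector& block, std::uint64_t counter) {
        auto it = transfers_.find(id);
        if (it == transfers_.end()) return UcmError::kInvalidTransferId;
        Transfer& t = it->second;
        if (t.exited) return UcmError::kOperationNotPermitted;
        if (block.size() > t.block_size) return UcmError::kIncorrectBlockSize;
        // The table defines IncorrectBlock for a duplicated counter; this example also uses it
        // for out-of-order counters so that a replayed or skipped block is never persisted.
        if (counter != t.next_block) return UcmError::kIncorrectBlock;
        if (t.received + block.size() > t.expected_size) return UcmError::kIncorrectSize;
        t.data.insert(t.data.end(), block.begin(), block.end());
        t.received += block.size();
        ++t.next_block;
        return UcmError::kOk;
    }

    // TransferExit(id). Only a transfer whose byte count matches TransferStart can be closed;
    // the authentication and integrity checks of the real UCM would follow at this point.
    UcmError TransferExit(TransferId id) {
        auto it = transfers_.find(id);
        if (it == transfers_.end()) return UcmError::kInvalidTransferId;
        Transfer& t = it->second;
        if (t.exited) return UcmError::kOperationNotPermitted;
        if (t.received != t.expected_size) return UcmError::kInsufficientData;
        t.exited = true;
        return UcmError::kOk;
    }

    // Bytes received so far for a transfer (0 for an unknown id).
    std::uint64_t Received(TransferId id) const {
        auto it = transfers_.find(id);
        return it == transfers_.end() ? 0 : it->second.received;
    }

private:
    std::uint32_t block_size_;
    std::uint64_t capacity_;
    TransferId next_id_ = 1;
    std::map<TransferId, Transfer> transfers_;
};

int main() {
    TransferReceiver ucm(4, 64);
    TransferId id = 0;
    std::uint32_t block = 0;
    ucm.TransferStart(6, id, block);
    ucm.TransferData(id, ByteVector{1, 2, 3, 4}, 1);
    ucm.TransferData(id, ByteVector{5, 6}, 2);
    std::printf("transfer %llu: exit=%d received=%llu\n", (unsigned long long)id,
                (int)ucm.TransferExit(id), (unsigned long long)ucm.Received(id));
    return 0;
}
```

The order of the checks matters: the block-size and counter checks come before the cumulative-size check, so a sender cannot learn how much of the declared size is left by probing with oversized or out-of-order blocks, and a transfer that failed TransferExit with InsufficientData stays open so the missing blocks can still be delivered.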

10.3 Package processing


Participants: Diagnostic Application (OEM specific) and UCM («ServiceProvider»).

Diagnostic Application -> UCM: Subscribe(CurrentStatus)
UCM -> Diagnostic Application: CurrentStatus = IDLE
opt:
  Diagnostic Application -> UCM: GetSwPackages() -> returns SwPackageInfoVectorType
loop for each TransferId:
  Diagnostic Application -> UCM: ProcessSwPackage(TransferId)
  UCM -> Diagnostic Application: CurrentStatus = PROCESSING
  opt continuously:
    Diagnostic Application -> UCM: GetSwProcessProgress(TransferId) -> returns progress (uint8)
  UCM -> Diagnostic Application: ProcessSwPackageReturnType
  UCM -> Diagnostic Application: CurrentStatus = READY

Figure 10.3: Sequence diagram showing the package processing

10.4 Activation

Participants: UCM Master, UCM sub 1, SM (State Management), EM (Execution Management), Application, Persistency. Notes from the diagram are given in parentheses.

UCM Master -> UCM sub 1: Activate()   (UCM sub 1: Ready -> Activating)
UCM sub 1: DependencyCheck()
UCM sub 1 -> SM: StartUpdateSession() -> ReadyForUpdate
loop for each SoftwareCluster:
  UCM sub 1 -> SM: PrepareUpdate(vector<FunctionGroup>)
  SM -> EM: SetState(Off)
  EM -> Application: SIGTERM()
  Application: ara::core::Deinitialize()   (should be the last call)
  Persistency: Close storages & Free resources()
  Application -> EM: exit status
  SM -> UCM sub 1: Prepared
UCM sub 1 -> UCM Master: Activate success   (UCM sub 1: Verifying)
UCM sub 1: Symlinks or A/B switch()   (Machine reset is optional and defined in the SWP Manifest)
alt ReparseManifest:
  [Reset] UCM sub 1: ResetMachine()
  [No Reset] UCM sub 1: ReparseManifests()   (Reparsing is implementation specific. UCM might have to interact with other Functional Clusters to make sure the Verify step will not fail. If no positive response is returned from those FCs, it should be reason for UCM to trigger a rollback.)
loop for each SoftwareCluster:
  UCM sub 1 -> SM: VerifyUpdate(vector<FunctionGroup>)
  SM -> EM: SetState(Verify)
  EM: Spawn process()
  Application -> Persistency: UpdatePersistency()
  Persistency: Data backup(); Install and/or update persistent data()   (persistency manifest installed or updated with the application)
  SM -> UCM sub 1: Verified
UCM Master -> UCM sub 1: Finish()   (UCM sub 1: Activated -> Cleaning-up; UCM sub 1 waits for the other UCM subs to get activated, coordinated by UCM Master with Finish())
UCM sub 1 -> SM: StopUpdateSession()
SM -> EM: SetState(Normal)
Application: OpenXXX()
Persistency: CleanUp backup data()

Figure 10.4: Sequence diagram showing the activation process

10.5 Failing activation

Participants as in Figure 10.4. The preparation phase is the same; the verification step fails and UCM sub 1 rolls back.

UCM Master -> UCM sub 1: Activate()   (UCM sub 1: Ready -> Activating)
UCM sub 1: DependencyCheck()
UCM sub 1 -> SM: StartUpdateSession() -> ReadyForUpdate
loop for each SoftwareCluster:
  UCM sub 1 -> SM: PrepareUpdate(vector<FunctionGroup>)
  EM -> Application: SIGTERM()
  Application: ara::core::Deinitialize()   (should be the last call)
  Persistency: Close storages & Free resources()
  SM -> UCM sub 1: Prepared
UCM sub 1 -> UCM Master: Activate success   (UCM sub 1: Verifying)
UCM sub 1: Symlinks or A/B switch()
alt Machine Reset:
  [Reset] UCM sub 1: ResetMachine()
  [No Reset] UCM sub 1: ReparseManifests()
loop for each SoftwareCluster:
  UCM sub 1 -> SM: VerifyUpdate(vector<FunctionGroup>)
  SM -> EM: FG = Verify()
  Application -> Persistency: UpdatePersistency()
  Persistency: Data backup(); Install and/or update persistent data() -> Failed
  SM -> UCM sub 1: Failed
UCM sub 1: RollingBack
loop for each SoftwareCluster:
  UCM sub 1 -> SM: PrepareRollBack(vector<FunctionGroup>)
UCM sub 1: Symlinks or A/B switch()
alt Machine Reset:
  [Reset] UCM sub 1: ResetMachine()
  [No Reset] UCM sub 1: ReparseManifest()   (Persistency manifest is rolled back along with the application)
UCM Master -> UCM sub 1: Finish()   (UCM sub 1: RolledBack -> CleaningUp)
UCM sub 1 -> SM: StopUpdateSession()
SM -> EM: Normal()
Application: OpenXXX()
Persistency: Check version and replace failing persistent data by backup()

Figure 10.5: Sequence diagram showing an activation failing

10.6 UCM Master simplified vehicle update

Participants: OTA Client, Driver Interface, Vehicle State Manager, UCM Master, UCM sub 1. Initially CampaignState = IDLE.

OTA Client -> UCM Master: Syncing()   (TransferState: SYNCING -> IDLE)
OTA Client -> UCM Master: TransferVehiclePackage()   (TransferState = TRANSFERRING; CampaignState = VEHICLEPACKAGE_TRANSFERRING)
OTA Client -> UCM Master: TransferExit()
UCM Master -> Vehicle State Manager: SafetyConditions (field notification)
Vehicle State Manager -> UCM Master: SafetyState(SafetyStatesVector)
UCM Master -> Driver Interface: ApprovalRequired, SafetyConditions (field notifications)
Driver Interface -> UCM Master: DriverApproval(Approval, SafetyStates)
UCM Master: DriverOK and VehicleSafe()
UCM Master: CampaignState = SOFTWAREPACKAGE_TRANSFERRING; RequestedPackage = SWPName
OTA Client -> UCM Master: TransferStart(), TransferData(), TransferExit()   (each call is forwarded by UCM Master to UCM sub 1)
UCM Master, Vehicle State Manager, Driver Interface: SafetyConditions, SafetyState(SafetyStatesVector), ApprovalRequired, DriverApproval(Approval, SafetyStates), DriverOK and VehicleSafe()   (repeated as above)
UCM Master: CampaignState = PROCESSING; TransferState = UPDATING
UCM Master -> UCM sub 1: ProcessSwPackage()
UCM sub 1: Processing() -> CurrentStatus = READY
UCM Master, Vehicle State Manager, Driver Interface: SafetyConditions, SafetyState(SafetyStatesVector), ApprovalRequired, DriverApproval(Approval, SafetyStates), DriverOK and VehicleSafe()   (repeated as above)
UCM Master: CampaignState = ACTIVATING
UCM Master -> UCM sub 1: Activate()   (dependency check and Verifying(); UCM sub 1: CurrentStatus = ACTIVATED | ROLLINGBACK)
UCM Master: CampaignState = VEHICLE_CHECKING; clean-up and vehicle checks()
UCM Master -> UCM sub 1: Finish()   (TransferState = IDLE)
OTA Client -> UCM Master: GetCampaignHistory()

Figure 10.6: Sequence diagram showing vehicle update
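The "DriverOK and VehicleSafe" gate that Figure 10.6 repeats before each campaign phase, as an added C++ example that is not part of the AUTOSAR specification or of any UCM Master implementation. It models the VehicleDriverApplication (9.2.3) and VehicleStateManager (9.2.4) interfaces with plain standard-library types and shows why the check belongs in UCM Master: the driver application can only read ApprovalRequired, SafetyConditions and SafetyState (HasSetter false), so its approval is evidence that UCM Master evaluates, not a command it obeys. The class name UcmMasterCampaign, the Advance() step, the constructed condition names, the use of OperationNotPermitted when the gate is not passed, and the rule that an approval only counts for exactly the safety states currently reported by the Vehicle State Manager are assumptions of this example.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// CampaignStateType values as they appear in Figure 10.6.
enum class CampaignState {
    kIdle, kVehiclePackageTransferring, kSoftwarePackageTransferring,
    kProcessing, kActivating, kVehicleChecking
};

// Codes from the UCMErrorDomain table [SWS_UCM_00136]; 0 = success (assumed).
enum class UcmError : int {
    kOk = 0, kOperationNotPermitted = 5, kNewCampaignDisabled = 31, kBusyWithCampaign = 34
};

// One entry of SafetyStatesVectorType: a named condition and whether it holds (assumed layout).
struct SafetyStateEntry {
    std::string condition;
    bool satisfied;
};
using SafetyStates = std::vector<SafetyStateEntry>;

class UcmMasterCampaign {
public:
    // A real UCM Master reads the safety conditions from the Vehicle Package; here they are constructed.
    UcmMasterCampaign(std::vector<std::string> safety_conditions, bool approval_required)
        : conditions_(std::move(safety_conditions)), approval_required_(approval_required) {}

    CampaignState State() const { return state_; }
    // Field ApprovalRequired: only meaningful while a campaign is running.
    bool ApprovalRequired() const { return approval_required_ && state_ != CampaignState::kIdle; }

    // OTA Client: TransferVehiclePackage() starts a new campaign.
    UcmError TransferVehiclePackage() {
        if (!campaigns_allowed_) return UcmError::kNewCampaignDisabled;
        if (state_ != CampaignState::kIdle) return UcmError::kBusyWithCampaign;
        state_ = CampaignState::kVehiclePackageTransferring;
        ResetGate();
        return UcmError::kOk;
    }

    // Vehicle State Manager: SafetyState(SafetyStates).
    void SafetyState(const SafetyStates& states) { current_states_ = states; }

    // Vehicle Driver Application: DriverApproval(Approval, SafetyStates acknowledged by the driver).
    void DriverApproval(bool approval, const SafetyStates& acknowledged) {
        driver_approved_ = approval;
        acknowledged_states_ = acknowledged;
    }

    // "DriverOK and VehicleSafe": every condition must hold in the state reported by the Vehicle
    // State Manager and, when approval is required, the driver must have approved exactly that state.
    bool DriverOkAndVehicleSafe() const {
        for (const std::string& c : conditions_) {
            auto it = std::find_if(current_states_.begin(), current_states_.end(),
                                   [&c](const SafetyStateEntry& s) { return s.condition == c; });
            if (it == current_states_.end() || !it->satisfied) return false;
        }
        if (!ApprovalRequired()) return true;
        return driver_approved_ && SameStates(acknowledged_states_, current_states_);
    }

    // Enter the next phase of Figure 10.6; the approval is consumed, so each phase needs a fresh one.
    UcmError Advance() {
        if (state_ == CampaignState::kIdle || !DriverOkAndVehicleSafe())
            return UcmError::kOperationNotPermitted;
        state_ = Next(state_);
        ResetGate();
        return UcmError::kOk;
    }

    // Vehicle Driver Application: CancelCampaign(DisableCampaign) and AllowCampaign().
    UcmError CancelCampaign(bool disable_campaign) {
        if (state_ == CampaignState::kIdle) return UcmError::kOperationNotPermitted;
        state_ = CampaignState::kIdle;
        ResetGate();
        if (disable_campaign) campaigns_allowed_ = false;
        return UcmError::kOk;
    }
    void AllowCampaign() { campaigns_allowed_ = true; }

private:
    static CampaignState Next(CampaignState s) {
        switch (s) {
            case CampaignState::kVehiclePackageTransferring: return CampaignState::kSoftwarePackageTransferring;
            case CampaignState::kSoftwarePackageTransferring: return CampaignState::kProcessing;
            case CampaignState::kProcessing: return CampaignState::kActivating;
            case CampaignState::kActivating: return CampaignState::kVehicleChecking;
            default: return CampaignState::kIdle;  // VEHICLE_CHECKING -> Finish() -> IDLE
        }
    }
    static bool SameStates(const SafetyStates& a, const SafetyStates& b) {
        return a.size() == b.size() &&
               std::equal(a.begin(), a.end(), b.begin(),
                          [](const SafetyStateEntry& x, const SafetyStateEntry& y) {
                              return x.condition == y.condition && x.satisfied == y.satisfied;
                          });
    }
    void ResetGate() { driver_approved_ = false; acknowledged_states_.clear(); }

    std::vector<std::string> conditions_;
    bool approval_required_;
    bool campaigns_allowed_ = true;
    CampaignState state_ = CampaignState::kIdle;
    SafetyStates current_states_;
    SafetyStates acknowledged_states_;
    bool driver_approved_ = false;
};

int main() {
    UcmMasterCampaign master({"vehicle_parked", "ignition_off"}, true);
    master.TransferVehiclePackage();
    const SafetyStates safe = {{"vehicle_parked", true}, {"ignition_off", true}};
    master.SafetyState(safe);
    master.DriverApproval(true, safe);
    std::printf("advance=%d state=%d\n", (int)master.Advance(), (int)master.State());
    return 0;
}
```

Two properties are worth keeping when adapting this: an approval given while the vehicle was unsafe does not become valid when the Vehicle State Manager later reports a safe state (the driver has to approve the state that actually applies), and a single approval never carries over into the next phase, which is what the repeated gate in Figure 10.6 expresses.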

A Mentioned Manifest Elements


For the sake of completeness, this chapter contains a set of class tables representing
meta-classes mentioned in the context of this document but which are not contained
directly in the scope of describing specific meta-model semantics.
Chapter is generated.
Class ArtifactChecksum
Package M2::AUTOSARTemplates::AdaptivePlatform::SoftwareDistribution
Note This meta-class provides the ability to associate a checksum with a given artifact identified by its URI.
Tags:atp.Status=draft
Base ARObject, Identifiable, MultilanguageReferrable, Referrable
Attribute Type Mult. Kind Note
checksumValue String 0..1 attr This attributes carries the serialized checksum of the
corresponding artifact.
Tags:atp.Status=draft
uri UriString 0..1 attr This attribute represents the URI of the artifact on which
the checksum shall be computed.
Stereotypes: atpIdentityContributor
Tags:atp.Status=draft

Table A.1: ArtifactChecksum

Class Identifiable (abstract)


Package M2::AUTOSARTemplates::GenericStructure::GeneralTemplateClasses::Identifiable
Note Instances of this class can be referred to by their identifier (within the namespace borders). In addition to
this, Identifiables are objects which contribute significantly to the overall structure of an AUTOSAR
description. In particular, Identifiables might contain Identifiables.
Base ARObject, MultilanguageReferrable, Referrable
Subclasses ARPackage, AbstractDoIpLogicAddressProps, AbstractEvent, AbstractImplementationDataTypeElement,
AbstractSecurityEventFilter , AbstractSecurityIdsmInstanceFilter , AbstractServiceInstance, Abstract
SignalBasedToISignalTriggeringMapping, AdaptiveModuleInstantiation, AdaptiveSwcInternalBehavior,
ApApplicationEndpoint, ApplicationEndpoint, ApplicationError, ArtifactChecksum, AtpBlueprint, Atp
Blueprintable, AtpClassifier , AtpFeature, AutosarOperationArgumentInstance, AutosarVariableInstance,
BuildActionEntity , BuildActionEnvironment, Chapter, CheckpointTransition, ClassContentConditional,
ClientIdDefinition, ClientServerOperation, Code, CollectableElement, ComManagementMapping, Comm
ConnectorPort, CommunicationConnector , CommunicationController , Compiler, ConsistencyNeeds,
ConsumedEventGroup, CouplingPort, CouplingPortStructuralElement, CryptoCertificate, CryptoKeySlot,
CryptoProvider, CryptoServiceMapping, DataPrototypeGroup, DataTransformation, DdsDomainRange,
DependencyOnArtifact, DeterministicClientResourceNeeds, DiagEventDebounceAlgorithm, Diagnostic
ConnectedIndicator, DiagnosticDataElement, DiagnosticDebounceAlgorithmProps, DiagnosticFunction
InhibitSource, DiagnosticRoutineSubfunction, DltApplication, DltArgument, DltMessage, DoIpInterface,
DoIpLogicAddress, DoIpRoutingActivation, E2EProfileConfiguration, End2EndEventProtectionProps,
End2EndMethodProtectionProps, EndToEndProtection, EthernetWakeupSleepOnDatalineConfig, Event
Handler, EventMapping, ExclusiveArea, ExecutableEntity , ExecutionTime, FMAttributeDef, FMFeature
MapAssertion, FMFeatureMapCondition, FMFeatureMapElement, FMFeatureRelation, FMFeature
Restriction, FMFeatureSelection, FieldMapping, FireAndForgetMapping, FlexrayArTpNode, FlexrayTp
PduPool, FrameTriggering, GeneralParameter, GlobalSupervision, GlobalTimeGateway, GlobalTime
Master , GlobalTimeSlave, HealthChannel, HeapUsage, HwAttributeDef, HwAttributeLiteralDef, HwPin,
HwPinGroup, IPSecRule, IPv6ExtHeaderFilterList, ISignalToIPduMapping, ISignalTriggering, Ident
Caption, InternalTriggeringPoint, Keyword, LifeCycleState, Linker, MacMulticastGroup, McDataInstance,
MemorySection, MethodMapping, ModeDeclaration, ModeDeclarationMapping, ModeSwitchPoint,
NetworkEndpoint, NmCluster , NmNode, PackageableElement, ParameterAccess, PduActivationRouting
Group, PduToFrameMapping, PduTriggering, PerInstanceMemory, PersistencyDeploymentElement,
PersistencyInterfaceElement, PhmSupervision, PhysicalChannel, PortGroup, PortInterfaceMapping,
PossibleErrorReaction, ProcessToMachineMapping, Processor, ProcessorCore, PskIdentityToKeySlot
Mapping, RecoveryNotification, ResourceConsumption, ResourceGroup, RootSwClusterDesign
ComponentPrototype, RootSwComponentPrototype, RootSwCompositionPrototype, RptComponent, Rpt
Container, RptExecutableEntity, RptExecutableEntityEvent, RptExecutionContext, RptProfile, RptService
Point, RunnableEntityGroup, SdgAttribute, SdgClass, SecOcJobMapping, SecOcJobRequirement,
SecureCommunicationAuthenticationProps, SecureCommunicationDeployment, SecureCommunication
FreshnessProps, SecurityEventContextProps, ServiceEventDeployment, ServiceFieldDeployment,
ServiceInterfaceElementSecureComConfig, ServiceMethodDeployment, ServiceNeeds, SignalService
TranslationEventProps, SignalServiceTranslationProps, SocketAddress, SoftwarePackageStep, Someip
EventGroup, SomeipProvidedEventGroup, SomeipTpChannel, SpecElementReference, StackUsage,
StaticSocketConnection, StructuredReq, SupervisionCheckpoint, SupervisionMode, SupervisionMode
Condition, SwGenericAxisParamType, SwServiceArg, SwcServiceDependency, SystemMapping,
SystemMemoryUsage, TimeBaseResource, TimingCondition, TimingConstraint, TimingDescription,
TimingExtensionResource, TimingModeInstance, TlsCryptoCipherSuite, TlsCryptoCipherSuiteProps, Tls
JobMapping, Topic1, TpAddress, TraceableTable, TraceableText, TracedFailure, TransformationProps,
TransformationTechnology, Trigger, UcmDescription, UcmStep, VariableAccess, VariationPointProxy,
VehicleRolloutStep, ViewMap, VlanConfig, WaitPoint
Attribute Type Mult. Kind Note
adminData AdminData 0..1 aggr This represents the administrative data for the identifiable
object.
Stereotypes: atpSplitable
Tags:
atp.Splitkey=adminData
xml.sequenceOffset=-40
annotation Annotation * aggr Possibility to provide additional notes while defining a
model element (e.g. the ECU Configuration Parameter
Values). These are not intended as documentation but
are mere design notes.
Tags:xml.sequenceOffset=-25
category CategoryString 0..1 attr The category is a keyword that specializes the semantics
of the Identifiable. It affects the expected existence of
attributes and the applicability of constraints.
Tags:xml.sequenceOffset=-50
desc MultiLanguageOverview 0..1 aggr This represents a general but brief (one paragraph)
Paragraph description what the object in question is about. It is only
one paragraph! Desc is intended to be collected into
overview tables. This property helps a human reader to
identify the object in question.
More elaborate documentation, (in particular how the
object is built or used) should go to "introduction".
Tags:xml.sequenceOffset=-60
introduction DocumentationBlock 0..1 aggr This represents more information about how the object in
question is built or is used. Therefore it is a
DocumentationBlock.
Tags:xml.sequenceOffset=-30
uuid String 0..1 attr The purpose of this attribute is to provide a globally
unique identifier for an instance of a meta-class. The
values of this attribute should be globally unique strings
prefixed by the type of identifier. For example, to include a
DCE UUID as defined by The Open Group, the UUID
would be preceded by "DCE:". The values of this attribute
may be used to support merging of different AUTOSAR
models. The form of the UUID (Universally Unique
Identifier) is taken from a standard defined by the Open
Group (was Open Software Foundation). This standard is
widely used, including by Microsoft for COM (GUIDs) and
by many companies for DCE, which is based on CORBA.
The method for generating these 128-bit IDs is published
in the standard and the effectiveness and uniqueness of
the IDs is not in practice disputed. If the id namespace is
omitted, DCE is assumed. An example is
"DCE:2fac1234-31f8-11b4-a222-08002b34c003". The
uuid attribute has no semantic meaning for an AUTOSAR
model and there is no requirement for AUTOSAR tools to
manage the timestamp.
Tags:xml.attribute=true

Table A.2: Identifiable

Class Referrable (abstract)


Package M2::AUTOSARTemplates::GenericStructure::GeneralTemplateClasses::Identifiable
Note Instances of this class can be referred to by their identifier (while adhering to namespace borders).
Base ARObject
Subclasses AtpDefinition, BswDistinguishedPartition, BswModuleCallPoint, BswModuleClientServerEntry, Bsw
VariableAccess, CouplingPortTrafficClassAssignment, CppImplementationDataTypeContextTarget,
DiagnosticEnvModeElement, EthernetPriorityRegeneration, ExclusiveAreaNestingOrder, HwDescription
Entity , ImplementationProps, ModeTransition, MultilanguageReferrable, NmNetworkHandle, Pnc
MappingIdent, SingleLanguageReferrable, SoConIPduIdentifier, SocketConnectionBundle, Someip
RequiredEventGroup, TimeSyncServerConfiguration, TpConnectionIdent
Attribute Type Mult. Kind Note
shortName Identifier 1 attr This specifies an identifying shortName for the object. It
needs to be unique within its context and is intended for
humans but even more for technical reference.
Stereotypes: atpIdentityContributor
Tags:
xml.enforceMinMultiplicity=true
xml.sequenceOffset=-100
shortName ShortNameFragment * aggr This specifies how the Referrable.shortName is
Fragment composed of several shortNameFragments.
Tags:xml.sequenceOffset=-90

Table A.3: Referrable

Class SoftwareCluster
Package M2::AUTOSARTemplates::AdaptivePlatform::SoftwareDistribution
Note This meta-class represents the ability to define an uploadable software-package, i.e. the SoftwareCluster
shall contain all software and configuration for a given purpose.
Tags:
atp.Status=draft
atp.recommendedPackage=SoftwareClusters
Base ARElement, ARObject, CollectableElement, Identifiable, MultilanguageReferrable, Packageable
Element, Referrable
Attribute Type Mult. Kind Note
artifactChecksum ArtifactChecksum * aggr This aggregation carries the checksums for artifacts contained in the enclosing SoftwareCluster.
  Stereotypes: atpSplitable
  Tags: atp.Splitkey=artifactChecksum.shortName, artifactChecksum.uri; atp.Status=draft
claimedFunctionGroup ModeDeclarationGroupPrototype * ref Each SoftwareCluster can reserve the usage of a given functionGroup such that no other SoftwareCluster is allowed to use it.
  Tags: atp.Status=draft
conflictsTo SoftwareClusterDependencyFormula 0..1 aggr This aggregation handles conflicts. If it yields true then the SoftwareCluster shall not be installed.
  Stereotypes: atpSplitable
  Tags: atp.Splitkey=conflictsTo; atp.Status=draft
containedARElement ARElement * ref This reference represents the collection of model elements that cannot derive from UploadablePackageElement and that contribute to the completeness of the definition of the SoftwareCluster.
  Stereotypes: atpSplitable
  Tags: atp.Splitkey=containedARElement; atp.Status=draft
containedFibexElement FibexElement * ref This allows for referencing FibexElements that need to be considered in the context of a SoftwareCluster.
  Tags: atp.Status=draft
containedPackageElement UploadablePackageElement * ref This reference identifies model elements that are required to complete the manifest content.
  Stereotypes: atpSplitable
  Tags: atp.Splitkey=containedPackageElement; atp.Status=draft
containedProcess Process * ref This reference represents the processes contained in the enclosing SoftwareCluster.
  Tags: atp.Status=draft
dependsOn SoftwareClusterDependencyFormula 0..1 aggr This aggregation can be taken to identify a dependency for the enclosing SoftwareCluster.
  Stereotypes: atpSplitable
  Tags: atp.Splitkey=dependsOn; atp.Status=draft
design SoftwareClusterDesign * ref This reference represents the identification of all SoftwareClusterDesigns applicable for the enclosing SoftwareCluster.
  Stereotypes: atpUriDef
  Tags: atp.Status=draft
diagnosticExtract DiagnosticContributionSet 0..1 ref This reference represents the definition of the diagnostic extract applicable to the referencing SoftwareCluster.
  Tags: atp.Status=draft
diagnosticProps SoftwareClusterDiagnosticProps 0..1 aggr This aggregation represents the diagnostic-related configuration of a SoftwareCluster.
  Tags: atp.Status=draft
license Documentation * ref This attribute allows for the inclusion of the full text of a license of the enclosing SoftwareCluster. In many cases open source licenses require the inclusion of the full license text to any software that is released under the respective license.
  Tags: atp.Status=draft
moduleInstantiation AdaptiveModuleInstantiation * ref This reference identifies AdaptiveModuleInstantiations that need to be included with the SoftwareCluster in order to establish infrastructure required for the installation of the SoftwareCluster.
  Stereotypes: atpSplitable
  Tags: atp.Splitkey=moduleInstantiation; atp.Status=draft
releaseNotes Documentation 0..1 ref This attribute allows for the explanation of changes since the previous version. The list of changes might require the creation of multiple paragraphs of text.
  Tags: atp.Status=draft
typeApproval String 0..1 attr This attribute carries the homologation information that may be specific for a given country.
  Tags: atp.Status=draft
vendorId PositiveInteger 1 attr Vendor ID of this Implementation according to the AUTOSAR vendor list.
  Tags: atp.Status=draft
vendorSignatureCertificate CryptoServiceCertificate 1 ref This reference identifies the certificate that represents the vendor’s signature.
  Tags: atp.Status=draft
version StrongRevisionLabelString 1 attr This attribute can be used to describe a version information for the enclosing SoftwareCluster.
  Tags: atp.Status=draft

Table A.4: SoftwareCluster

Class SoftwarePackage
Package M2::AUTOSARTemplates::AdaptivePlatform::SoftwareDistribution
Note This meta-class represents the ability to formalize the content of a software package.
Tags:
atp.Status=draft
atp.recommendedPackage=SoftwarePackages
Base ARElement, ARObject, CollectableElement, Identifiable, MultilanguageReferrable, Packageable
Element, Referrable
Attribute Type Mult. Kind Note
actionType SoftwarePackageActionTypeEnum 1 attr This attribute defines the action to be taken in the step of processing the enclosing SoftwarePackage.
  Tags: atp.Status=draft
activationAction SoftwarePackageActivationActionEnum 0..1 attr This attribute governs the action to be taken after the installation of the SoftwareCluster completed.
  Tags: atp.Status=draft
compressedSoftwarePackageSize PositiveInteger 1 attr This size represents the size of the compressed Software Package.
  Tags: atp.Status=draft
deltaPackageApplicableVersion StrongRevisionLabelString 0..1 attr This attribute identifies the version of the included SoftwareCluster for which the enclosing SoftwarePackage can be used as a delta update.
  Tags: atp.Status=draft
estimatedDurationOfOperation TimeValue 0..1 attr This attribute provides an estimation about how long the operation of the SoftwarePackage is going to take.
  Tags: atp.Status=draft
minimumSupportedUcmVersion RevisionLabelString 1 attr This attribute identifies the minimum supported version of the UCM for this SoftwarePackage.
  Tags: atp.Status=draft
packagerId PositiveInteger 1 attr This attribute identifies the Id of the organization that provides the packager generating the SoftwarePackage.
  Tags: atp.Status=draft
packagerSignatureCertificate CryptoServiceCertificate 1 ref This reference identifies the certificate that represents the packager’s signature.
  Tags: atp.Status=draft
purposeOfUpdate Documentation 0..1 ref The referenced Documentation is supposed to provide a description of the purpose of the update.
  Tags: atp.Status=draft
softwareCluster SoftwareCluster 1 ref This reference identifies the SoftwareCluster that belongs to the SoftwarePackage. The nature of this relation is actually more like an aggregation than a reference. But the relation is still modelled as a reference because two ARElements cannot aggregate each other.
  Tags: atp.Status=draft
uncompressedSoftwareClusterSize PositiveInteger 1 attr This attribute gives an indication about the storage that has to be available on the target.
  Tags: atp.Status=draft

Table A.5: SoftwarePackage

Primitive StrongRevisionLabelString
Package M2::AUTOSARTemplates::GenericStructure::GeneralTemplateClasses::PrimitiveTypes
Note This primitive represents a revision label which identifies an object under version control. It represents a pattern which requires three integer numbers separated by a dot, representing from left to right MajorVersion, MinorVersion and PatchVersion, plus additional labels for pre-release version and build metadata. Legal patterns are for example: 1.0.0-alpha+001, 1.0.0+20130313144700, 1.0.0-beta+exp.sha.5114f85
Tags:
atp.Status=draft
xml.xsd.customType=STRONG-REVISION-LABEL-STRING
xml.xsd.pattern=(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-((0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?
xml.xsd.type=string

Table A.6: StrongRevisionLabelString

Class UcmModuleInstantiation
Package M2::AUTOSARTemplates::AdaptivePlatform::PlatformModuleDeployment::Ucm
Note This meta-class represents the ability to define a UCM instantiation.
Tags: atp.Status=draft
Base ARObject, AdaptiveModuleInstantiation, Identifiable, MultilanguageReferrable, NonOsModuleInstantiation, Referrable
(All attributes below are tagged atp.Status=draft.)

Attribute | Type | Mult. | Kind | Note
identifier | String | 1 | attr | This represents the identification of a UCM.
maxNumberOfParallelTransfers | PositiveInteger | 0..1 | attr | This attribute supports the configuration of the maximum number of parallel transfers that the Ucm on the enclosing Machine is allowed to create.
ucmSoftwareVersion | StrongRevisionLabelString | 0..1 | attr | This attribute defines the software version of the UCM on this platform. Note that the definition of the ucmSoftwareVersion is required if the ability of the SoftwarePackage to require a minimum version of the UCM is utilized.

Table A.7: UcmModuleInstantiation

Class VehiclePackage
Package M2::AUTOSARTemplates::AdaptivePlatform::SoftwareDistribution
Note This meta-class represents the ability to define a vehicle package for executing an update campaign.
Tags: atp.Status=draft; atp.recommendedPackage=VehiclePackages
Base ARElement, ARObject, CollectableElement, Identifiable, MultilanguageReferrable, PackageableElement, Referrable
(All attributes below are tagged atp.Status=draft.)

Attribute | Type | Mult. | Kind | Note
driverNotification | VehicleDriverNotification | * | aggr | This aggregation provides the ability to configure the necessary driver notifications.
estimatedDurationOfCampaign | TimeValue | 0..1 | attr | This attribute provides an estimation of how long the campaign based on the VehiclePackage is going to take.
maximumSupportedUcmMasterVersion | RevisionLabelString | 0..1 | attr | This attribute identifies the maximum supported version of the UCM Master for this VehiclePackage.
minimumSupportedUcmMasterVersion | RevisionLabelString | 0..1 | attr | This attribute identifies the minimum supported version of the UCM Master for this VehiclePackage.
packagerSignatureCertificate | CryptoServiceCertificate | 1 | ref | This reference identifies the certificate that represents the packager's signature.
repository | UriString | 0..1 | attr | This attribute identifies the repository where the VehiclePackage is stored.
rolloutQualification (ordered) | VehicleRolloutStep | * | aggr | This represents the rollout qualification.
ucm | UcmDescription | * | aggr | This aggregation represents the UcmDescriptions to be considered in the context of the VehiclePackage.
ucmMasterFallback (ordered) | UcmDescription | * | ref | This reference lists the fallback order of Ucms that can take over the master role if the master goes down.
vehicleDescription | Documentation | 0..1 | ref | This reference identifies the vehicle description.

Table A.8: VehiclePackage

B Interfaces to other Functional Clusters (informative)

B.1 Overview
AUTOSAR decided not to standardize interfaces that are used exclusively between Functional Clusters (on platform level only), in order to allow efficient implementations, which might depend, for example, on the Operating System used.
This chapter provides informative guidelines on how the interaction between Functional Clusters looks, by clustering the relevant requirements of this document. In addition, the standardized public interfaces that are accessible by user-space applications (see chapter 8) can also be used for interaction between Functional Clusters.
The goal is to provide a clear understanding of Functional Cluster boundaries and interaction without specifying syntactical details. This ensures compatibility between documents specifying different Functional Clusters and supports parallel implementation of different Functional Clusters. Details of the interfaces are up to the platform provider.

B.2 Interfaces Tables

B.2.1 UCM update notification

UCM shall notify the other Functional Clusters that changes have been made to the software. This enables the other Functional Clusters to check whether the updated manifests contain changes relevant to them. This can be done through the field CurrentStatus provided by the UCM service.

C Packages distribution within vehicle: detailed sequence examples

C.1 Collect information of present Software Clusters in vehicle


On a regular basis, UCM Master and UCMs can collect information about the Software Clusters present on the other AUTOSAR Adaptive Platforms of the vehicle, to be used later when communicating with the Backend in order to determine whether new actions (update, remove, install) are required.
Figure C.1: Collect information of Software Clusters present in vehicle from several AUTOSAR Adaptive Platforms
(Sequence diagram "1. Determine installed SWCL in vehicle", reproduced as a message list. Lifelines: Diagnostic tool, UCM master on Adaptive platform A, UCM slave 1 on Adaptive platform B.)
  1. GetSwClusterInfo()
  2. returns SwClusterInfoVector

C.2 Action computation


In order to find out whether a new update is available from the Backend, or whether a Software Cluster needs to be installed or removed, the vehicle and the Backend have to share their current status, and either the Backend or the vehicle has to compute which UCM Master actions are needed.
The Backend also has the possibility to push a package into the vehicle once communication is established, for instance for security reasons.
A communication attempt between the Backend and UCM Master can be triggered on the driver's request or by a scheduler.

C.2.1 Pull package from Backend into vehicle

Case where the vehicle computes the difference between the Software Cluster versions present in the vehicle and those available in the Backend.
Figure C.2: Pull package from backend
(Sequence diagram "2.1 Pull package from backend", reproduced as a message list. Lifelines: OTA Client on Adaptive Platform A, UCM master on Adaptive Platform B, UCM sub 1 and UCM sub 2 on Adaptive Platform C. Diagram note: the OTA Client could regularly, on a scheduler or a diagnostic trigger, establish a connection with the Backend and update all Software Clusters installed in the vehicle.)
  1. opt (optional): GetSwClusterInfo() to UCM sub 1 and to UCM sub 2, each returning SwClusterInfoVector; MergeSwClusterInfoVectors(); TransferState = IDLE.
  2. SwPackageInventory(SwNameVersionVector): once the connection with the OTA Client is set up, the Backend sends its inventory based on the VIN already communicated by the OTA Client.
  3. ComputeUpdates(), returning SwNameVersionVector: UCM Master computes which SWCLs should be updated. TransferState = IDLE.
  4. TransferVehiclePackage(Size); TransferState = Transferring; returns transferId.
  5. loop (Backend sends Vehicle Package): transferData(transferId, block, blockCounter), returning transferDataReturn.
  6. transferExit(transferId); ComputeDependencies(); returns transferExitReturn.

C.2.2 Push package from backend into vehicle

Case where the Backend computes the difference between the Software Cluster versions present in the vehicle and those available in the Backend.

Figure C.3: Push package from backend
(Sequence diagram "2.2 pushed package from backend", reproduced as a message list. Lifelines: OTA Client, UCM master, UCM sub 1, UCM sub 2.)
  1. TransferState = IDLE.
  2. GetSwClusterInfo(): the Backend requests the Software Clusters installed in the vehicle.
  3. opt (optional): GetSwClusterInfo() to UCM sub 1 and to UCM sub 2, each returning SwClusterInfoVector; MergeSwClusterInfoVectors(); returns SwClusterInfoVector.
  4. BackendComputeUpdatesAndDependencies().
  5. transferVehiclePackage(Size); TransferState = Transferring; returns transferId.
  6. loop (Backend sends Vehicle Package): transferData(transferId, block, blockCounter), returning transferDataReturn.
  7. transferExit(transferId), returning transferExitReturn; ComputeDependencies().

C.3 Packages transfer from backend into targeted UCM


Figure C.4: Stream package blocks from backend into targeted UCM
(Sequence diagram "3 Distribute Software packages to UCM slaves", reproduced as a message list. Lifelines: OTA Client and Driver Interface on Adaptive Platform A, UCM master and Vehicle State Manager on Adaptive Platform B, UCM sub 1 and UCM sub 2 on Adaptive Platform C.)
  1. TransferState = IDLE. TransferVehiclePackage(Size); CampaignState = VehiclePackage_Transferring; TransferState = Transferring; returns transferId.
  2. loop (transfer blocks): transferData(transferId, block, blockCounter), returning transferDataReturn. transferExit(transferId), returning transferExitReturn.
  3. TemporaryStoreVehiclePackageManifest(); ManifestAuthentication(Signature); ParseSWCLPackageManifests(), yielding ((UCM Slave1 Id, SWCLPackageBSize), (UCM slave2 Id, SWCLPackageBSize)); CampaignState = VehiclePackage_Transferring.
  4. opt (Vehicle Safety condition): subscribe(SafetyConditions); SafetyState(SafetyStatesVector).
  5. opt (Driver notification): ApprovalRequired == True; CampaignState = VehiclePackage_Transferring; subscribe(SafetyConditions); GetSwClusterDescription() to each UCM, each returning SwDescVectorType; GetSwPackagesDescription(); Get Metadata from Vehicle Package Manifest(), returning SwDescVectorType; WaitApproval(); DriverApproval(Approval, SafetyStates).
  6. CampaignState = SoftwarePackage_Transferring.
  7. par (Transfers), package A: RequestedPackage == SWCLPackageAName; SafetyState = True; TransferStart(SWCLPackageAName), forwarded as TransferStart(SWCLPackageASize) (diagram note: "Counter argument for efficient resume"); checkAvailableMemory(); returns transferId1 / transferId. loop (Streaming of package A; diagram note: if upgrade, check InstalledVersion < NewVersion): transferData(transferId1, block, BlockCounter), forwarded to UCM sub 1; PackageAuthentication(PackageSignature); transferDataReturn. transferExit(transferId1), forwarded; ConsistencyCheck(Checksum); transferExitReturn. opt (Progress check): GetSwTransferProgress(), returning Progress.
  8. par (Transfers), package B: RequestedPackage == SWCLPackageBName; TransferStart(SWCLPackageBName), forwarded as TransferStart(SWCLPackageBSize); CheckAvailableMemory(); returns transferId2. loop (Streaming of package B): transferData(transferId2, Block, BlockCounter), forwarded to UCM sub 2; transferDataReturn. transferExit(transferId2), forwarded; PackageAuthentication(PackageSignature); CheckVersion(Version, PreviousVersion); transferExitReturn.
  9. TransferState = Updating; CampaignState = Processing.

C.4 Package processing


Figure C.5: Packages processing by UCMs
(Sequence diagram "4 Software packages processing", reproduced as a message list. Lifelines: Driver Interface, UCM master, Vehicle State Manager, UCM sub 1, UCM sub 2.)
  1. CampaignState = SoftwarePackage_Transferring. Subscribe(CurrentStatus), returning CurrentStatus = ready.
  2. ParseVehiclePackageManifest(), yielding CampaignOrchestration and Dependencies; CheckVehicleSWCLDependencies(VehiclePackageDependencies).
  3. opt (Vehicle driver notification for processing): CampaignState = SoftwarePackage_Transferring; ApprovalRequired == True; WaitApproval(); DriverApproval(True, SafetyStates); GetSwProcessProgress(), returning Progress.
  4. opt (Vehicle safety state): subscribe(SafetyConditions); SafetyState(SafetyStatesVector), returning SafetyStatesVector; Wait for Safe conditions(); SafetyState(SafetyStatesVector), returning SafetyStatesVector.
  5. CampaignState = Processing.
  6. par (Processes packages), UCM sub 1: opt (Check on-going processing): GetSwPackages(), returning SwClusterInfoVectorType. ProcessSwPackage(transferId1), returning ProcessSwPackageReturnType; on the UCM: PackageIntegrityCheck(); ParseActionFromManifest(); ManifestConsistencyCheck(); CheckSWCLAvailableMemory(SWCLPayloadSize); ProcessSwPackageReturn. loop (Until Progress = 100): GetProcessProgress(transferId1), returning ProcessingStatusType, until progress = 100.
  7. par (Processes packages), UCM sub 2: opt (Check on-going processing): GetSwPackages(SwInfoName2), returning SwClusterInfoVectorType. ProcessSwPackage(transferId2), returning ProcessSwPackageReturnType; on the UCM: PackageIntegrityCheck(); CheckSWCLAvailableMemory(SWCLPayloadSize); ManifestConsistencyCheck(); ParseActionFromManifest(). loop (Until Progress = 100): GetProcessProgress(transferId2), returning ProcessingStatusType, until progress = 100.
  8. CampaignState = Activating.

C.5 Package activation


Figure C.6: Packages activation by UCMs
(Sequence diagram "5 Software packages activation", reproduced as a message list. Lifelines: Driver Interface, UCM master, Vehicle State Manager, UCM sub 1, UCM sub 2.)
  1. CampaignState = Processing. opt (Optional Action): CampaignState = kProcessing; ApprovalRequired = True; WaitApproval(); DriverApproval(True, SafetyStates).
  2. opt (Check Vehicle Safety conditions before/during activation): subscribe(SafetyConditions); SafeToUpdate = True.
  3. par (Activations could be performed in parallel): CampaignState = kActivating.
     Partition activation (UCM sub 1): Subscribe(CurrentStatus), returning READY; Activate(ActivationMethod); CurrentStatus = kActivating; DefineActivationMethod(Manifest or ActionMethod); CheckPackageDependencies(SWCLDependencies), returning 0; CurrentStatus = kVerifying; VehicleState; swapPartitionAndSyncThem(); CurrentStatus = kActivated.
     Sw restart activation (UCM sub 2): Subscribe(CurrentStatus), returning READY; Activate(ActivationMethod); CurrentStatus = kActivating; DefineActivationMethod(Manifest or ActionMethod); CheckPackageDependencies(SWCLDependencies), returning 0; CurrentStatus = kVerifying; stopOldSWCLIfNeeded(); startNewSWCLIfNeeded(); CurrentStatus = kActivated.
  4. CampaignState = Vehicle_Checking; VehicleChecks().
  5. Finish() to each UCM; each reports CurrentStatus = kCleaningUp and then CurrentStatus = kIdle. CampaignState = kIdle.

C.6 Package rollback


Figure C.7: Packages rollback by UCMs
(Sequence diagram "5.1 Software clusters rollback", reproduced as a message list. Lifelines: OTA Client, Vehicle State Manager, Driver Interface, UCM master, UCM sub 1.)
  1. CampaignState = kActivating. Subscribe(CurrentStatus), returning READY. Activate(CampaignOrchestration); CurrentStatus = kActivating; DefineActivationMethod(Manifest or ActionMethod); CheckPackageDependencies(SWCLDependencies); CurrentStatus = kVerifying.
  2. alt [UCM verify failing]: CurrentStatus = kRollingBack.
     alt [VSM aggregated verify failing]: VehicleCheck(False); RollBack(); CampaignState = kCancelling; TransferState = kCancelling.
  3. CurrentStatus = kRolledBack. Finish(); CurrentStatus = kCleaningUp; CampaignState = kIdle; TransferState = kIdle.

C.7 Campaign reporting


Figure C.8: Campaign reporting to backend
(Sequence diagram "6 Campaign reporting", reproduced as a message list. Lifelines: OTA Client, Driver Interface, UCM master, UCM sub 1, UCM sub 2.)
  1. CampaignState = IDLE.
  2. par (Checking UCM slaves states), for each UCM sub: opt (Check UCM state): Subscribe(CurrentStatus), returning IDLE; GetHistory(timeStampGE, timeStampLT), returning GetHistoryReturnType.
  3. CampaignAggregation(); CampaignJudgement().
  4. opt (Optional Action): GetCampaignHistory(timeFrom, timeTo), returning CampaignHistoryType (the diagram shows two such calls).

D Security Analysis of Installation and Update


This chapter presents a summary of the security analysis of UCM. Some of the threats could not be addressed by specifying AUTOSAR requirements; the main reason for not specifying countermeasures is to allow vendors to decide flexibly on the solution that fits their setup. Here we aim to raise awareness and provide advice on the selected topics:

D.1 Securing Software Package


UCM is responsible for applying the changes to the platform and applications contained in the Software Packages it receives. Therefore, the integrity and authenticity of Software Packages are critical to protecting system integrity. It shall be ensured that Software Packages are neither illegitimately altered nor issued by unauthorized parties. This can be achieved by applying cryptographic techniques such as digital signatures. The period during which a Software Package resides in UCM before being activated shall not be neglected: it provides a window of opportunity for an attacker to tamper with the Software Package after the authentication performed at TransferExit.
Information disclosure is another security threat category that might be applicable to Software Packages. Packages that contain sensitive information, such as intellectual property or cryptographic keys, require confidentiality protection in addition to integrity and authenticity when being persisted or transmitted over a communication channel.
Another aspect of protecting Software Update Packages is their freshness. An attacker may try to manipulate the system by downgrading the software via replaying an authentic but older Software Update Package. In this regard, the platform shall ensure that only newer packages (i.e. packages that contain a newer version of the installed SWCL) can be installed.
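As an added example (not part of the AUTOSAR specification or of any UCM implementation), the following Python code applies the xml.xsd.pattern of StrongRevisionLabelString from Table A.6 and implements the two version comparisons the text relies on: the compatibility check of a Software Package's minimumSupportedUcmVersion against the UCM's ucmSoftwareVersion (Tables A.5 and A.7, [SWS_UCM_00161]) and the freshness check above, which rejects any package whose SoftwareCluster version is not strictly newer than the installed one. The class and function names are illustrative; parsing minimumSupportedUcmVersion with the strong pattern is an assumption, since the table types it as the plain RevisionLabelString. Build metadata is ignored for precedence, as in Semantic Versioning.

```python
"""Strong revision labels: validation against the XSD pattern of Table A.6,
Semantic-Versioning precedence, and the two version checks the specification
relies on (minimumSupportedUcmVersion vs. ucmSoftwareVersion, and rejection
of downgrades). Added example, not AUTOSAR code; names are illustrative."""
import re
from functools import total_ordering
from typing import List, Optional, Tuple

# xml.xsd.pattern of StrongRevisionLabelString (Table A.6), anchored so the
# whole string must match. Groups: 1-3 core, 5 pre-release, 10 build metadata.
STRONG_REVISION_LABEL = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(-((0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(\.(0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$"
)


@total_ordering
class RevisionLabel:
    """A parsed label ordered by Semantic-Versioning precedence."""

    def __init__(self, text: str) -> None:
        m = STRONG_REVISION_LABEL.match(text)
        if m is None:
            raise ValueError(f"not a StrongRevisionLabelString: {text!r}")
        self.text = text
        self.core: Tuple[int, int, int] = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        self.prerelease: List[str] = m.group(5).split(".") if m.group(5) else []
        self.build: Optional[str] = m.group(10)  # ignored for precedence

    def _key(self):
        # Numeric identifiers sort before alphanumeric ones and compare as
        # integers; a release sorts after every pre-release of the same core.
        idents = tuple(
            (0, int(p), "") if p.isdigit() else (1, 0, p) for p in self.prerelease
        )
        return (self.core, 0 if self.prerelease else 1, idents)

    def __eq__(self, other: object) -> bool:
        return isinstance(other, RevisionLabel) and self._key() == other._key()

    def __lt__(self, other: "RevisionLabel") -> bool:
        return self._key() < other._key()

    def __repr__(self) -> str:
        return f"RevisionLabel({self.text!r})"


def ucm_supports_package(ucm_software_version: str, minimum_supported_ucm_version: str) -> bool:
    """Compatibility check ([SWS_UCM_00161]): the package's minimum UCM version
    must not exceed the version of the UCM that is asked to process it."""
    return RevisionLabel(minimum_supported_ucm_version) <= RevisionLabel(ucm_software_version)


def is_downgrade(installed_version: str, package_version: str) -> bool:
    """Freshness check from D.1: anything not strictly newer than the installed
    Software Cluster is treated as a replay/downgrade attempt."""
    return RevisionLabel(package_version) <= RevisionLabel(installed_version)


def admission_errors(installed_version: Optional[str], package_version: str,
                     minimum_supported_ucm_version: str, ucm_software_version: str) -> List[str]:
    """Return every reason the package must be refused; empty means admissible."""
    errors: List[str] = []
    try:
        if not ucm_supports_package(ucm_software_version, minimum_supported_ucm_version):
            errors.append("minimumSupportedUcmVersion exceeds ucmSoftwareVersion")
        # installed_version is None for a fresh install, where no downgrade is possible
        if installed_version is not None and is_downgrade(installed_version, package_version):
            errors.append("package version is not newer than the installed version")
    except ValueError as exc:
        errors.append(str(exc))
    return errors


if __name__ == "__main__":
    print(sorted(RevisionLabel(v) for v in ["1.0.0", "1.0.0-alpha.1", "1.0.0-beta", "1.0.0-alpha"]))
    print(admission_errors("2.1.0", "2.0.9", "3.3.0", "3.2.0"))
```

Equal versions are refused by is_downgrade on purpose: re-installing an authentic package of the currently installed version is exactly the replay the paragraph describes, so "newer" is read as strictly greater.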

D.2 Securing Calls to UCM


UCM provides a very critical functionality in the platform, as it allows applications and platform components to be modified. It is therefore critical to prevent unauthorized access to UCM, meaning that only legitimate callers should be allowed to reach the UCM service interface. This is primarily enforced in the communication layer, supported by Identity and Access Management. Additionally, the calls to the UCM interface shall be protected against alteration, e.g. changing API arguments. When the service and the client reside on the same machine, security relies on the integrity of the operating system and the platform. If the service and the client run on different machines, secure communication that assures the authenticity and integrity of the communication is additionally required.
Moreover, some API methods of the UCM interface return sensitive information about the platform. This subset (GetSwClusterInfo, GetSwClusterChangeInfo, GetHistory, GetSwPackages) shall be protected against information disclosure and should only be reachable over a channel that provides confidentiality.
A similar reasoning applies to securing the communication between UCM Master and its clients. Regarding protection against information disclosure, GetSwClusterInfo, SwPackageInventory and GetHistory of UCM Master shall only be called over confidential channels.

D.3 Suppressing Call to UCM


Multiple scenarios can be envisioned in which an attacker aims at suppressing calls to UCM. The attack could block the calls to UCM or the responses from it. In both cases the caller of the service may assume that UCM is not responding and retry its request, which leads to undesired overhead on the system. For such scenarios it is recommended that both UCM and the UCM client consider reporting security events when the same calls are repeatedly received at UCM, or when calls repeatedly fail on the caller side. This information could then be picked up by Intrusion Detection Systems or Anomaly Detection Systems.
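The detection recommended above, as an added example that is not part of the specification: it replays constructed log lines (the key=value format, the observer sides, the thresholds and the event names are all assumptions made for illustration) and raises one security event when the same request is seen at UCM, and one when the same request keeps failing at the caller, a threshold number of times within a sliding window.

```python
"""Security events for suppressed or repeated UCM calls (D.3). Added example,
not AUTOSAR code: the log format, the field names and the thresholds are
assumptions made for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample log (not captured from a real system). 'side=ucm' lines
# are requests as received by UCM; 'side=client' lines are the outcome of the
# same request as observed by the caller.
SAMPLE_LOG = """\
2021-11-25T10:00:00Z side=ucm caller=ota_client method=TransferStart arg=SWCL_A
2021-11-25T10:00:00Z side=client caller=ota_client method=TransferStart arg=SWCL_A result=timeout
2021-11-25T10:00:05Z side=ucm caller=ota_client method=TransferStart arg=SWCL_A
2021-11-25T10:00:05Z side=client caller=ota_client method=TransferStart arg=SWCL_A result=timeout
2021-11-25T10:00:10Z side=ucm caller=ota_client method=TransferStart arg=SWCL_A
2021-11-25T10:00:10Z side=client caller=ota_client method=TransferStart arg=SWCL_A result=timeout
2021-11-25T10:00:15Z side=ucm caller=ota_client method=TransferStart arg=SWCL_A
2021-11-25T10:00:15Z side=client caller=ota_client method=TransferStart arg=SWCL_A result=timeout
2021-11-25T10:02:00Z side=ucm caller=diag_tool method=GetSwClusterInfo arg=-
2021-11-25T10:02:00Z side=client caller=diag_tool method=GetSwClusterInfo arg=- result=ok
2021-11-25T10:30:00Z side=ucm caller=ota_client method=TransferStart arg=SWCL_A
2021-11-25T10:30:00Z side=client caller=ota_client method=TransferStart arg=SWCL_A result=ok
"""

Key = Tuple[str, str, str, str]  # (kind, caller, method, arg)


class RepeatedCallDetector:
    """Raises one event each time a key is seen `threshold` times inside `window`."""

    def __init__(self, window: timedelta, threshold: int) -> None:
        self.window = window
        self.threshold = threshold
        self._recent: Dict[Key, Deque[datetime]] = defaultdict(deque)
        self.events: List[dict] = []

    def observe(self, ts: datetime, key: Key) -> None:
        q = self._recent[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop observations outside the window
            q.popleft()
        if len(q) == self.threshold:           # fire once, when the threshold is reached
            kind, caller, method, arg = key
            self.events.append({"time": ts, "kind": kind, "caller": caller,
                                "method": method, "arg": arg, "count": len(q)})


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines: Iterable[str], window_s: int = 60, threshold: int = 3) -> List[dict]:
    """Run both detections over the log and return the security events raised."""
    det = RepeatedCallDetector(timedelta(seconds=window_s), threshold)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        who = (rec["caller"], rec["method"], rec.get("arg", "-"))
        if rec["side"] == "ucm":
            # UCM side: the same request arriving again and again
            det.observe(rec["ts"], ("repeated_request_at_ucm",) + who)
        elif rec["side"] == "client" and rec.get("result") != "ok":
            # caller side: the same request repeatedly failing or timing out
            det.observe(rec["ts"], ("repeated_failure_at_caller",) + who)
    return det.events


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG.splitlines()):
        print(ev)
```

On the constructed log, the burst of four TransferStart retries within 15 seconds produces exactly one event of each kind at the third repetition, while the single diagnostic call and the later successful retry half an hour later produce none.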

D.4 Resource Starvation


According to the current specification, the resources available for transferring a Software Package are only checked when TransferStart is called, but not reserved. This means that while the transfer is ongoing, the system storage can be exhausted by other processes using the same storage media. This scenario also applies to UCM Master when receiving data from its client. A similar case is possible for the processing of a Software Package, as the resources are only checked at the beginning but not reserved. A solution could be to reserve the necessary resources for the Software Package transfer or processing from the beginning, to prevent attacks aiming at such scenarios.
At the same time, reserving resources might give the attacker an opportunity in other scenarios. The specification allows transferring multiple Software Packages in parallel. Consequently, a misbehaving or compromised client can open an unlimited number of transfer sessions, causing UCM to run out of resources. To cope with this scenario, a threshold for the number of parallel transfer sessions can be defined (the maxNumberOfParallelTransfers attribute of UcmModuleInstantiation in Table A.7 is the configuration hook for this).

D.5 Zombie Sessions


The AUTOSAR specification does not enforce any expiry time for established transfer sessions. As a result, the resources held by an ongoing session will not be released no matter how long it takes. At the same time, in certain cases it may take a long time for larger Software Packages to be transferred to UCM or UCM Master, especially when they are received on-the-fly from external sources with weak connectivity. Nevertheless, a timeout may be considered for such transfers, to prevent attackers from mounting denial-of-service attacks by long-term allocation of resources.
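An added example (not AUTOSAR or vendor code) of session bookkeeping that addresses the three points above together: storage is reserved at TransferStart rather than only checked (D.4), the number of open sessions is capped in the spirit of maxNumberOfParallelTransfers from Table A.7 (D.4), sessions that never reach TransferExit expire after a timeout (D.5), and the digest recorded when the package was authenticated at TransferExit is re-checked when the package is processed, so tampering in the window described in D.1 is detected. The class, method and error names are illustrative, and the digital signature check is stood in for by an HMAC over the package bytes with a constructed key; a real UCM would verify the signature against the packagerSignatureCertificate.

```python
"""Transfer-session bookkeeping for the D.1 tamper window, D.4 resource
starvation and D.5 zombie sessions. Added example, not AUTOSAR or vendor
code: names are illustrative and the signature check is stood in for by an
HMAC with a constructed key."""
import hashlib
import hmac
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PACKAGER_KEY = b"constructed-demo-key"   # stands in for the packager's certificate


def sign(payload: bytes) -> bytes:
    """Stand-in for the packager's digital signature over a Software Package."""
    return hmac.new(PACKAGER_KEY, payload, hashlib.sha256).digest()


class TransferError(Exception):
    pass


@dataclass
class Session:
    transfer_id: int
    size: int                      # bytes announced (and reserved) at TransferStart
    opened_at: float
    chunks: List[bytes] = field(default_factory=list)
    received: int = 0
    authenticated_digest: Optional[bytes] = None   # set at a successful TransferExit


class TransferManager:
    def __init__(self, storage_bytes: int, max_parallel_transfers: int, session_timeout_s: float) -> None:
        self.free = storage_bytes                   # storage not promised to any session
        self.max_parallel = max_parallel_transfers  # cf. maxNumberOfParallelTransfers
        self.timeout = session_timeout_s
        self.sessions: Dict[int, Session] = {}
        self._ids = itertools.count(1)

    def _expire(self, now: float) -> None:
        # D.5: a session that has not reached TransferExit within the timeout
        # is dropped and its reservation returned.
        for tid in [t for t, s in self.sessions.items()
                    if s.authenticated_digest is None and now - s.opened_at > self.timeout]:
            self.abort(tid)

    def _session(self, tid: int, now: float) -> Session:
        self._expire(now)
        if tid not in self.sessions:
            raise TransferError("unknown or expired transfer id")
        return self.sessions[tid]

    def abort(self, tid: int) -> None:
        self.free += self.sessions.pop(tid).size

    def transfer_start(self, size: int, now: float) -> int:
        self._expire(now)
        if len(self.sessions) >= self.max_parallel:   # D.4: cap parallel sessions
            raise TransferError("too many parallel transfers")
        if size > self.free:
            raise TransferError("insufficient memory")
        self.free -= size                              # D.4: reserve, not just check
        tid = next(self._ids)
        self.sessions[tid] = Session(tid, size, now)
        return tid

    def transfer_data(self, tid: int, block: bytes, now: float) -> None:
        s = self._session(tid, now)
        if s.received + len(block) > s.size:
            raise TransferError("block exceeds the announced package size")
        s.chunks.append(block)
        s.received += len(block)

    def transfer_exit(self, tid: int, signature: bytes, now: float) -> bytes:
        """Authenticate the complete package and remember its digest."""
        s = self._session(tid, now)
        payload = b"".join(s.chunks)
        if not hmac.compare_digest(sign(payload), signature):
            self.abort(tid)
            raise TransferError("package authentication failed")
        s.authenticated_digest = hashlib.sha256(payload).digest()
        return s.authenticated_digest

    def process_sw_package(self, tid: int, stored_payload: bytes, now: float) -> bool:
        """D.1: re-check, at processing time, the bytes read back from storage
        against the digest recorded when they were authenticated."""
        s = self._session(tid, now)
        if s.authenticated_digest is None:
            raise TransferError("package was never authenticated")
        if not hmac.compare_digest(hashlib.sha256(stored_payload).digest(), s.authenticated_digest):
            self.abort(tid)
            raise TransferError("package modified after authentication")
        return True


if __name__ == "__main__":
    mgr = TransferManager(storage_bytes=100, max_parallel_transfers=2, session_timeout_s=30)
    tid = mgr.transfer_start(60, now=0)
    mgr.transfer_data(tid, b"a" * 60, now=1)
    mgr.transfer_exit(tid, sign(b"a" * 60), now=2)
    print("processing ok:", mgr.process_sw_package(tid, b"a" * 60, now=3))
```

The timeout deliberately applies only to sessions that have not yet passed TransferExit: once a package is authenticated it is waiting for processing or activation, which is a campaign decision rather than a transfer that can stall, and dropping it would turn the D.5 countermeasure into a new way to cancel an update.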

E History of Constraints and Specification Items


Please note that the lists in this chapter also include constraints and specification items
that have been removed from the specification in a later version. These constraints and
specification items do not appear as hyperlinks in the document.

E.1 Constraint and Specification Item History of this document according to AUTOSAR Release R19-11

E.1.1 Added Traceables in R19-11

Number Heading
[SWS_UCM_00009] UCM exposing its identifier
[SWS_UCM_00105] UCM confidential information handling
[SWS_UCM_00161] Check Software Package version compatibility against UCM version
[SWS_UCM_00162] Entering the Cleaning-up state after a RevertProcessedSwPackages call
[SWS_UCM_00163] Action in Cleaning-up state
[SWS_UCM_00164] Cleaning up of Software Packages
[SWS_UCM_00165] Processing from stream
[SWS_UCM_00166] Processing from stream state
[SWS_UCM_00167] Cancelling streamed packages
[SWS_UCM_00168] Transferring while processing from stream
[SWS_UCM_00169] Finishing transfer while processing from stream
[SWS_UCM_00170] Log message retrieving
[SWS_UCM_00171] Log level changing
[SWS_UCM_00172] Log messages removing
[SWS_UCM_00173] UCMIdentifierType table
[SWS_UCM_00174] SwNameVectorType table
[SWS_UCM_00175] StrongRevisionLabelString table
[SWS_UCM_00176] SwNameVersionType table
[SWS_UCM_00177] SwNameVersionVectorType table
[SWS_UCM_00178] ProvidedPort VehiclePackageManagement
[SWS_UCM_00179] RequiredPort VehicleStateManager
[SWS_UCM_00180] RequiredPort VehicleDriverApplication
[SWS_UCM_00181] ProvidedInterface VehiclePackageManagement
[SWS_UCM_00182] RequiredInterface VehicleDriverApplication
[SWS_UCM_00183] RequiredInterface VehicleStateManager
[SWS_UCM_00210] Transferring of software packages on kProcessApproving or kProcessing state
[SWS_UCM_01001] UCM Master processes Vehicle Package
[SWS_UCM_01002] UCM Master shall provide UCM services
[SWS_UCM_01003] UCM Master checks states of UCM subordinates
[SWS_UCM_01004] Only one UCM Master shall be active per network domain
[SWS_UCM_01005] UCM Master is discovering UCMs in vehicle
[SWS_UCM_01006] Vehicle Package transfer to UCM Master
[SWS_UCM_01007] Start transfer of a Vehicle Package or Software Package to UCM Master
[SWS_UCM_01008] Transfer data of a Vehicle Package to UCM Master
[SWS_UCM_01009] Exit the transfer of a Vehicle Package to UCM Master
[SWS_UCM_01010] Delete a Vehicle Package transferred to UCM Master
[SWS_UCM_01101] Provide information of installed Software Clusters in vehicle
[SWS_UCM_01102] Get information of available Software Clusters in Backend
[SWS_UCM_01103] Inform Backend of needed Software Clusters for an update
[SWS_UCM_01105] Interaction of UCM Master with Vehicle Driver
[SWS_UCM_01106] Exclusive use of Vehicle Driver Interface
[SWS_UCM_01107] UCM Master provides progress information to Vehicle Driver
[SWS_UCM_01108] Unsupported safety policy by Vehicle driver interface
[SWS_UCM_01109] Vehicle State Manager shall provide to UCM Master a safety state
[SWS_UCM_01110] UCM Master shall be able to set the safety policy to be computed by Vehicle State Manager
[SWS_UCM_01111] Exclusive use of Vehicle State Manager
[SWS_UCM_01112] Unsupported safety policy by Vehicle State Manager
[SWS_UCM_01113] Switching vehicle into update mode
[SWS_UCM_01114] SafetyPolicyType table
[SWS_UCM_01115] VehicleStateManagerErrorDomain
[SWS_UCM_01116] VehicleDriverApplicationErrorDomain
[SWS_UCM_01177] CampaignStateType table
[SWS_UCM_01201] Sequential orchestration of campaigns
[SWS_UCM_01203] CampaignState field
[SWS_UCM_01204] Initial state
[SWS_UCM_01205] UCM Master internal state persistency
[SWS_UCM_01206] Trigger on kTransferApproving state
[SWS_UCM_01207] Trigger on kTransferring state
[SWS_UCM_01208] Trigger on kProcessApproving state
[SWS_UCM_01209] Trigger on kProcessing state
[SWS_UCM_01211] Trigger on kActivateApproving state
[SWS_UCM_01212] Trigger on kActivating state
[SWS_UCM_01213] Trigger on kVehicleChecking state
[SWS_UCM_01214] Final action on kVehicleChecking state
[SWS_UCM_01215] Trigger on kRollingBack state
[SWS_UCM_01216] Final action on kRollingBack state
[SWS_UCM_01217] Monitoring of UCM subordinates
[SWS_UCM_01218] Transition from kIdle state to kSyncing state
[SWS_UCM_01219] Transition from kSyncing state to kIdle state
[SWS_UCM_01220] Transition from kIdle state to kVehiclePackageTransferring state
[SWS_UCM_01221] Transition from kVehiclePackageTransferring state to kIdle state
[SWS_UCM_01222] Transition from kVehiclePackageTransferring state to kTransferring state
[SWS_UCM_01223] Transition from kVehiclePackageTransferring state to kTransferApproving state
[SWS_UCM_01224] Transition from kTransferApproving state to kTransferring state
[SWS_UCM_01225] Transition from kTransferApproving state to kIdle state
[SWS_UCM_01226] Transition from kTransferring state to kTransferApproving state
[SWS_UCM_01227] Transition from kTransferring state to kIdle state
[SWS_UCM_01228] Transition from kTransferring state to kProcessing state
[SWS_UCM_01229] SafetyPolicy while processing stream
[SWS_UCM_01230] Transition from kTransferring state to kProcessApproving state
[SWS_UCM_01231] Transition from kProcessApproving state to kProcessing state
[SWS_UCM_01232] Transition from kProcessApproving state to kIdle state
[SWS_UCM_01233] Transition from kProcessing state to kProcessApproving state
[SWS_UCM_01234] Transition from kProcessing state to kActivating state
[SWS_UCM_01235] Transition from kProcessing state to kActivateApproving state
[SWS_UCM_01236] Transition from kProcessing state to kIdle state
[SWS_UCM_01237] Transition from kActivateApproving state to kActivating state
[SWS_UCM_01238] Transition from kActivateApproving state to kIdle state
[SWS_UCM_01239] Transition from kActivating state to kRollingBack state
[SWS_UCM_01240] Transition from kActivating state to kVehicleChecking state
[SWS_UCM_01241] Transition from kVehicleChecking state to kRollingBack state
[SWS_UCM_01242] Transition from kVehicleChecking state to kIdle state
[SWS_UCM_01243] Transition from kRollingBack state to kIdle state
[SWS_UCM_01244] Cancellation of an update campaign shall be possible
[SWS_UCM_01245] Cancellation during activation shall be possible
[SWS_UCM_01246] Unreachable UCM during update campaign
[SWS_UCM_01247] Method to read History Report
[SWS_UCM_01248] Content of History Report
[SWS_UCM_01301] Vehicle Package authentication
[SWS_UCM_01302] Vehicle Package authentication failure
[SWS_UCM_01303] Dependencies between Software Packages
[SWS_UCM_01304] Confidential information protection
[SWS_UCM_CONSTR_00001]
Table E.1: Added Traceables in R19-11

E.1.2 Changed Traceables in R19-11

Number Heading
[SWS_UCM_00003] Cancelling the package processing
[SWS_UCM_00017] Sequential Software Package Processing
[SWS_UCM_00018] Providing Progress Information
[SWS_UCM_00027] Delta Package activation
[SWS_UCM_00071] SwNameType table
[SWS_UCM_00081] Processing state of Package Management
[SWS_UCM_00082] Exit from Processing state of Package Management
[SWS_UCM_00102] Update state
[SWS_UCM_00103] Update to older Software Cluster version than currently present
[SWS_UCM_00104] Consistency Check of processed Package
[SWS_UCM_00111] Entering the Rolled-back state
[SWS_UCM_00112] Software Cluster and version
[SWS_UCM_00126] Entering the RollingBack state after a Rollback call
[SWS_UCM_00130] Software Cluster and version error
[SWS_UCM_00146] Entering the Cleaning-up state after a Finish call
[SWS_UCM_00149] Return to the Idle state from Processing state
[SWS_UCM_00151] Entering the Ready state of Package Management after a Cancel call
[SWS_UCM_00155] Entering the RollingBack state after a failure in the Verifying state
Table E.2: Changed Traceables in R19-11

E.1.3 Deleted Traceables in R19-11

Number Heading
[SWS_UCM_00012] Log message retrieving
[SWS_UCM_00114] ActivateOptionType table
[SWS_UCM_00144] Log error
Table E.3: Deleted Traceables in R19-11

E.1.4 Added Constraints in R19-11

none

E.1.5 Changed Constraints in R19-11

none

E.1.6 Deleted Constraints in R19-11

none

E.2 Constraint and Specification Item History of this document according to AUTOSAR Release R20-11

E.2.1 Added Traceables in R20-11

Number Heading
[SWS_UCM_00184] Persistent data clean-up after Software Cluster removal
[SWS_UCM_00185] Provide Software Cluster general information
[SWS_UCM_00186]
[SWS_UCM_00187]
[SWS_UCM_00190] Reinstallation of older Software Cluster version than previously removed
[SWS_UCM_00191] Software Cluster life-cycle state kAdded
[SWS_UCM_00192] Software Cluster life-cycle state transition from kAdded to kPresent
[SWS_UCM_00193] Software Cluster life-cycle state transition from kUpdated to kPresent
[SWS_UCM_00194] Software Cluster life-cycle state transition from kRemoved to kPresent
[SWS_UCM_00195] Software Cluster life-cycle state kUpdated
[SWS_UCM_00196] Software Cluster life-cycle state kRemoved
[SWS_UCM_00197] End of Software Cluster life-cycle state from state kAdded
[SWS_UCM_00198] End of Software Cluster life-cycle state from state kRemoved
[SWS_UCM_00199] Reporting of Software Cluster reaching end of life-cycle
[SWS_UCM_00200] Failing authentication
[SWS_UCM_00201] Delta Package dependency error
[SWS_UCM_00202] Trusted Platform compliance
[SWS_UCM_00203] TransferData InvalidTransferId
[SWS_UCM_00204] TransferData IncorrectBlock
[SWS_UCM_00205] TransferData IncorrectSize
[SWS_UCM_00206] TransferData InsufficientMemory
[SWS_UCM_00207] TransferData BlockInconsistent
[SWS_UCM_00208] TransferData OperationNotPermitted
[SWS_UCM_00209] TransferData PackageInconsistent
[SWS_UCM_00211] TransferData TransferInterrupted
[SWS_UCM_00212] TransferExit InvalidTransferId
[SWS_UCM_00213] TransferExit InvalidPackageManifest
[SWS_UCM_00214] DeleteTransfer InvalidTransferId
[SWS_UCM_00215] DeleteTransfer OperationNotPermitted
[SWS_UCM_00216] Validity of TransferId
[SWS_UCM_00217] ProcessSwPackage InsufficientMemory
[SWS_UCM_00218] ProcessSwPackage InvalidTransferId
[SWS_UCM_00219] ProcessSwPackage OperationNotPermitted
[SWS_UCM_00220] GetSwProcessProgress InvalidTransferId
[SWS_UCM_00230] ProcessSwPackage AuthenticationFailed
[SWS_UCM_00231] ProcessSwPackage IncompatibleDelta
[SWS_UCM_00232] ProcessSwPackage
[SWS_UCM_00233] Cancel Operation CancelFailed
[SWS_UCM_00234] Cancel OperationNotPermitted
[SWS_UCM_00235] Cancel InvalidTransferId
[SWS_UCM_00236] RevertProcessedSwPackages NotAbleToRevertPackages
[SWS_UCM_00237] RevertProcessedSwPackages OperationNotPermitted
[SWS_UCM_00238] Rollback NotAbleToRollback
[SWS_UCM_00239] Rollback OperationNotPermitted
[SWS_UCM_00240] Finish OperationNotPermitted
[SWS_UCM_00241] Activate OperationNotPermitted
[SWS_UCM_00242] Activate PreActivationFailed
[SWS_UCM_00243] Too big block size received by UCM
[SWS_UCM_00245] Software Cluster category
[SWS_UCM_00250] TransferData AuthenticationFailed
[SWS_UCM_00251]
[SWS_UCM_00252]
[SWS_UCM_00253]
[SWS_UCM_00254]
[SWS_UCM_00255]
[SWS_UCM_00256]
[SWS_UCM_00257] Update session
[SWS_UCM_00258] Update session rejected
[SWS_UCM_00259] Ending the update session
[SWS_UCM_00260] PrepareUpdate, VerifyUpdate and PrepareRollback orders
[SWS_UCM_00261] PrepareUpdate, VerifyUpdate and PrepareRollback synchronous calls
[SWS_UCM_00262] Update preparation rejected
[SWS_UCM_00263] Update preparation failure
[SWS_UCM_00264] Update verification rejected
[SWS_UCM_01011] TransferVehiclePackage InsufficientMemory
[SWS_UCM_01012] TransferVehiclePackage InsufficientComputationPower
[SWS_UCM_01013] Too big block size received by UCM Master
[SWS_UCM_01014] Packages transferring sequence
[SWS_UCM_01015] Invalid Vehicle Package manifest
[SWS_UCM_01016] Invalid Package Manifest
[SWS_UCM_01017] RequestedPackage field
[SWS_UCM_01117] UCM Master SafetyState field
[SWS_UCM_01118] UCM Master waiting for vehicle driver approval
[SWS_UCM_01119] Report information of Software Packages
[SWS_UCM_01120] Provide Software Packages general information
[SWS_UCM_01121] Adaptive Platform interface provided for Flashing Adapter
[SWS_UCM_01122] Supported physical layers by D-PDU API implementation
[SWS_UCM_01123] Supported application layers by D-PDU API implementation
[SWS_UCM_01124] Supported protocols by D-PDU API implementation
[SWS_UCM_01125] Separation of D-PDU API-Software with the MVCI protocol module firmware
[SWS_UCM_01126] Root description file (RDF)
[SWS_UCM_01127] Module Description File (MDF)
[SWS_UCM_01128] Symbolic names and IDs
[SWS_UCM_01129] SAE J2534-1 and RP 1210a compatibility
[SWS_UCM_01130] ComPrimitives in RawMode
[SWS_UCM_01131] PDUIoCtl(PDU_IOCTL_RESET)
[SWS_UCM_01132] PDUIoCtl(PDU_IOCTL_START_MSG_FILTER), PDUIoCtl(PDU_IOCTL_CLEAR_MSG_FILTER), PDUIoCtl(PDU_IOCTL_STOP_MSG_FILTER)
[SWS_UCM_01133] PDUIoCtl(PDU_IOCTL_SEND_BREAK)
[SWS_UCM_01134] Not used D-PDU API function return codes
[SWS_UCM_01178]
[SWS_UCM_01265] TransferState field
[SWS_UCM_01266] Subordinate Not Available On The Network
[SWS_UCM_01267] Vehicle State Manager Communication Error
[SWS_UCM_01268] Vehicle Driver Interface Communication Error
[SWS_UCM_01269] Campaign cancellation history
[SWS_UCM_01270] New campaign disabling
[SWS_UCM_01271] New campaign enabling
[SWS_UCM_01305] Vehicle Package format
[SWS_UCM_01306] TransferExit Invalid package manifest
[SWS_UCM_CONSTR_00002] UCM confidential information handling
[SWS_UCM_CONSTR_00003] Exclusive use of Vehicle Driver Interface
[SWS_UCM_CONSTR_00004] Unsupported safety policy by Vehicle driver interface
[SWS_UCM_CONSTR_00005] Safety state change
[SWS_UCM_CONSTR_00006] Exclusive use of Vehicle State Manager
[SWS_UCM_CONSTR_00007] Unsupported safety policy by Vehicle State Manager
[SWS_UCM_CONSTR_00008] Switching vehicle into update mode
[SWS_UCM_CONSTR_00009] Safety policy change
[SWS_UCM_CONSTR_00010] UCM Client update sequence
[SWS_UCM_CONSTR_00011] Flashing Adapter provided interface
Table E.4: Added Traceables in R20-11

E.2.2 Changed Traceables in R20-11

Number Heading
[SWS_UCM_00018] Providing Progress Information
[SWS_UCM_00020] Finishing the packages activation
[SWS_UCM_00025] Activation of SoftwareClusters
[SWS_UCM_00026] Dependency Check
[SWS_UCM_00027] Delta Package activation
[SWS_UCM_00028] Software Package Authentication
[SWS_UCM_00029] Consistency Check of Manifest
[SWS_UCM_00031]
[SWS_UCM_00032]
[SWS_UCM_00038]
[SWS_UCM_00039]
[SWS_UCM_00040]
[SWS_UCM_00044]
[SWS_UCM_00069] Report information on Software Packages
[SWS_UCM_00071]
[SWS_UCM_00073]
[SWS_UCM_00077]
[SWS_UCM_00078]
[SWS_UCM_00079]
[SWS_UCM_00084] Entering the kActivating state of Package Management
[SWS_UCM_00085] Entering the kActivated state of Package Management
[SWS_UCM_00088] Preparation of data transfer
[SWS_UCM_00092] Software Package integrity
[SWS_UCM_00098] Software Package Authentication failure
[SWS_UCM_00107] Activated state
[SWS_UCM_00110] Rolling-back the software update
[SWS_UCM_00111] Entering the kRolled-Back state
[SWS_UCM_00112] Software Cluster and version
[SWS_UCM_00115] History
[SWS_UCM_00126] Entering the kRolling-Back state after a Rollback call
[SWS_UCM_00130] Software Cluster and version error
[SWS_UCM_00131]
[SWS_UCM_00132]
[SWS_UCM_00133]
[SWS_UCM_00134]
[SWS_UCM_00135]
[SWS_UCM_00136]
[SWS_UCM_00137] Processing several update Software Packages
[SWS_UCM_00145] Sequential order of data transfer
[SWS_UCM_00147] Return to the Idle state from Cleaning-up state
[SWS_UCM_00148] Transfer sequence order
[SWS_UCM_00149] Return to the Idle state from Processing state
[SWS_UCM_00151] Entering the Ready state of Package Management after a Cancel call
[SWS_UCM_00153] Action in kActivating state of Package Management
[SWS_UCM_00154] Entering the Verifying state of Package Management
[SWS_UCM_00155] Entering the kRolling-Back state after a failure in the kVerifying state
[SWS_UCM_00158] Cleanup of interrupted actions
[SWS_UCM_00162] Entering the Cleaning-up state after a RevertProcessedSwPackages call
[SWS_UCM_00165] Processing from stream
[SWS_UCM_00166] Processing from stream state
[SWS_UCM_00167] Cancelling streamed packages
[SWS_UCM_00168] Transferring while processing from stream
[SWS_UCM_00169] Finishing transfer while processing from stream
[SWS_UCM_00173]
[SWS_UCM_00174]
[SWS_UCM_00175]
[SWS_UCM_00176]
[SWS_UCM_00177]
[SWS_UCM_00178]
[SWS_UCM_00179]
[SWS_UCM_00180]
[SWS_UCM_00181]
[SWS_UCM_00182]
[SWS_UCM_00183]
[SWS_UCM_00210] Transferring of software packages on kProcessing state
[SWS_UCM_01003] UCM Master checks states of UCM subordinates
[SWS_UCM_01006] Start transfer of a Vehicle Package to UCM Master
[SWS_UCM_01007] Start transfer of a Software Package to UCM Master
[SWS_UCM_01008] Transfer data of a Vehicle Package or Software Package to UCM Master
[SWS_UCM_01009] Exit the transfer of a Vehicle Package or Software Package to UCM Master
[SWS_UCM_01010] Delete a Vehicle Package transferred to UCM Master
[SWS_UCM_01101] Provide information of installed Software Clusters in vehicle
[SWS_UCM_01102] Get information of available Software Clusters in Backend
[SWS_UCM_01103] Inform Backend of needed Software Clusters for an update
[SWS_UCM_01105] Interaction of UCM Master with Vehicle Driver
[SWS_UCM_01107] UCM Master provides progress information to Vehicle Driver
[SWS_UCM_01109] UCM Master provides a safety policy interface
[SWS_UCM_01110] UCM Master SafetyState method
[SWS_UCM_01114]
[SWS_UCM_01177]
[SWS_UCM_01203] CampaignState field
[SWS_UCM_01207] Trigger on kSoftwarePackage_Transferring state
[SWS_UCM_01221] Transition from kVehiclePackageTransferring state to kIdle state
[SWS_UCM_01222] Transition from kVehiclePackageTransferring state to kSoftwarePackage_Transferring state
[SWS_UCM_01227] Transition from kSoftwarePackage_Transferring state to kIdle state
[SWS_UCM_01228] Transition from kSoftwarePackage_Transferring state to kProcessing state
[SWS_UCM_01229] SafetyPolicy while processing stream
[SWS_UCM_01234] Transition from kProcessing state to kActivating state
[SWS_UCM_01236] Transition from kProcessing state to kIdle state
[SWS_UCM_01239] Transition from kActivating state to kCancelling state
[SWS_UCM_01240] Transition from kActivating state to kVehicleChecking state
[SWS_UCM_01244] Cancellation of an update campaign shall be possible
[SWS_UCM_01245] Cancellation during activation shall be possible
[SWS_UCM_01246] Unreachable UCM during update campaign
[SWS_UCM_01247] Method to read History Report
[SWS_UCM_01302] Vehicle Package authentication failure
[SWS_UCM_01304] Confidential information protection
[SWS_UCM_CONSTR_00001]
Table E.5: Changed Traceables in R20-11

E.2.3 Deleted Traceables in R20-11

Number Heading
[SWS_UCM_00011] Updating persisted data
[SWS_UCM_00041] LogLevelType table
[SWS_UCM_00042] LogEntryType table
[SWS_UCM_00043] LogVectorType table
[SWS_UCM_00082] Exit from Processing state of Package Management
[SWS_UCM_00091] Successful data transfer
[SWS_UCM_00096] Entering the Rolled-back state
[SWS_UCM_00102] Update state
[SWS_UCM_00105] UCM confidential information handling
[SWS_UCM_00108] Execution of the update software
[SWS_UCM_00113] Rollback of persisted data
[SWS_UCM_00124] Verify State
[SWS_UCM_00128]
[SWS_UCM_00141] UCM insufficient memory for parallel data transfer
[SWS_UCM_00142] Prevent software from blocking the Rollback operation
[SWS_UCM_00143] Log level setting
[SWS_UCM_00156] Procurement of Checksum
[SWS_UCM_00170] Log message retrieving
[SWS_UCM_00171] Log level changing
[SWS_UCM_00172] Log messages removing
[SWS_UCM_01002] UCM Master shall provide UCM services
[SWS_UCM_01106] Exclusive use of Vehicle Driver Interface
[SWS_UCM_01108] Unsupported safety policy by Vehicle driver interface
[SWS_UCM_01111] Exclusive use of Vehicle State Manager
[SWS_UCM_01112] Unsupported safety policy by Vehicle State Manager
[SWS_UCM_01113] Switching vehicle into update mode
[SWS_UCM_01115] VehicleStateManagerErrorDomain
[SWS_UCM_01116] VehicleDriverApplicationErrorDomain
[SWS_UCM_01206] Trigger on kTransferApproving state
[SWS_UCM_01208] Trigger on kProcessApproving state
[SWS_UCM_01211] Trigger on kActivateApproving state
[SWS_UCM_01223] Transition from kVehiclePackageTransferring state to kTransferApproving state
[SWS_UCM_01224] Transition from kTransferApproving state to kTransferring state
[SWS_UCM_01225] Transition from kTransferApproving state to kIdle state
[SWS_UCM_01226] Transition from kTransferring state to kTransferApproving state
[SWS_UCM_01230] Transition from kTransferring state to kProcessApproving state
[SWS_UCM_01231] Transition from kProcessApproving state to kProcessing state
[SWS_UCM_01232] Transition from kProcessApproving state to kIdle state
[SWS_UCM_01233] Transition from kProcessing state to kProcessApproving state
[SWS_UCM_01235] Transition from kProcessing state to kActivateApproving state
[SWS_UCM_01237] Transition from kActivateApproving state to kActivating state
[SWS_UCM_01238] Transition from kActivateApproving state to kIdle state
Table E.6: Deleted Traceables in R20-11

E.2.4 Added Constraints in R20-11

none

E.2.5 Changed Constraints in R20-11

none

E.2.6 Deleted Constraints in R20-11

none

E.3 Constraint and Specification Item History of this document according to AUTOSAR Release R21-11

E.3.1 Added Traceables in R21-11

Number Heading
[SWS_UCM_00265] state transition due to ProcessSwPackage error
[SWS_UCM_00266] OperationNotPermitted error and UCM state
[SWS_UCM_00267] Error when checksum is not recognised at processing time
[SWS_UCM_00268]
[SWS_UCM_00269]
[SWS_UCM_00270] UCM internal state persistency
[SWS_UCM_00271] Keeping history of failure error code
[SWS_UCM_00272] Transfer block size
[SWS_UCM_00273] Persistent data clean-up after Software Cluster update that removes a process
[SWS_UCM_00274] UCM initialization
[SWS_UCM_00275] TransferData error handling order
[SWS_UCM_00276] TransferExit error handling order
[SWS_UCM_00277] ProcessSwPackage error handling order
[SWS_UCM_00278] Cancel error handling order
[SWS_UCM_00279] RevertProcessedSwPackages error handling order
[SWS_UCM_00280] Activate VerificationFailed
[SWS_UCM_00281] Activate error handling order
[SWS_UCM_00282] Rollback error handling order
[SWS_UCM_00283] DeleteTransfer error handling order
[SWS_UCM_00285] Removing or updating a Software Cluster not existing in the Machine
[SWS_UCM_00286] Software Cluster life-cycle state transition from kRemoved to kPresent in case of Finish call
[SWS_UCM_00287] End of Software Cluster life-cycle state from state kAdded in case of Finish call
[SWS_UCM_00288]
[SWS_UCM_00289] TransferData TransferFailed
[SWS_UCM_01018] TransferVehiclePackage BusyWithCampaign
[SWS_UCM_01019] UCM Master initialization
[SWS_UCM_01135] Get Software Clusters descriptions from a vehicle
[SWS_UCM_01136]
[SWS_UCM_01137]
[SWS_UCM_01138]
[SWS_UCM_01272] VehicleCheck call not permitted
[SWS_UCM_01273] CancelCampaign CancelFailed error
[SWS_UCM_01274] CancelCampaign OperationNotPermitted error
[SWS_UCM_CONSTR_00012]
[SWS_UCM_CONSTR_00013] Confidential information protection
[SWS_UCM_CONSTR_00014] Software Package and Software Cluster shortNames
[SWS_UCM_CONSTR_00015] Trigger on kVehicleChecking state
Table E.7: Added Traceables in R21-11

E.3.2 Changed Traceables in R21-11

Number Heading
[SWS_UCM_00004] Report software information
[SWS_UCM_00009] UCM exposing its identifier
[SWS_UCM_00017] Sequential Software Package Processing
[SWS_UCM_00020] Finishing the packages activation
[SWS_UCM_00030] Report changes
[SWS_UCM_00039]
[SWS_UCM_00044]
[SWS_UCM_00078]
[SWS_UCM_00080] Idle state of Package Management
[SWS_UCM_00081] Processing state of Package Management
[SWS_UCM_00083] Entering the Ready state of Package Management after a successful processing operation
[SWS_UCM_00084] Entering the kActivating state of Package Management
[SWS_UCM_00085] Entering the kActivated state of Package Management
[SWS_UCM_00092] Software Package integrity
[SWS_UCM_00103] Update to older Software Cluster version than currently present
[SWS_UCM_00104] Integrity Check of processed Package
[SWS_UCM_00107] Activated state
[SWS_UCM_00110] Rolling-back the software update
[SWS_UCM_00111] Entering the kRollingBack state
[SWS_UCM_00115] History
[SWS_UCM_00126] Entering the kRollingBack state after a Rollback call
[SWS_UCM_00127] Finishing update sequence
[SWS_UCM_00130] Software Cluster and version error
[SWS_UCM_00131]
[SWS_UCM_00133]
[SWS_UCM_00134]
[SWS_UCM_00136]
[SWS_UCM_00146] Entering the Cleaning-up state after a Finish call
[SWS_UCM_00147] Return to the Idle state from Cleaning-up state
[SWS_UCM_00149] Return to the Idle state from Processing state
[SWS_UCM_00151] Entering the Ready state of Package Management after a Cancel call
[SWS_UCM_00152] Entering the Ready state of Package Management after a missing dependency
[SWS_UCM_00153] Action in kActivating state of Package Management
[SWS_UCM_00154] Entering the Verifying state of Package Management
[SWS_UCM_00155] Entering the kRolling-Back state after a failure in the kVerifying state
[SWS_UCM_00162] Entering the Cleaning-up state after a RevertProcessedSwPackages call
[SWS_UCM_00163] Action in Cleaning-up state
[SWS_UCM_00164] Cleaning up of Software Packages
[SWS_UCM_00166] Processing from stream state
[SWS_UCM_00167] Cancelling streamed packages
[SWS_UCM_00168] Transferring while processing from stream
[SWS_UCM_00169] Finishing transfer while processing from stream
[SWS_UCM_00176]
[SWS_UCM_00181]
[SWS_UCM_00182]
[SWS_UCM_00183]
[SWS_UCM_00185] Provide SoftwareCluster general information
[SWS_UCM_00186]
[SWS_UCM_00190] Reinstallation of older Software Cluster version than previously removed
[SWS_UCM_00191] Software Cluster life-cycle state kAdded
[SWS_UCM_00192] Software Cluster life-cycle state transition from kAdded to kPresent
[SWS_UCM_00193] Software Cluster life-cycle state transition from kUpdated to kPresent
[SWS_UCM_00194] Software Cluster life-cycle state transition from kRemoved to kPresent in case of RevertProcessedSwPackages call
[SWS_UCM_00195] Software Cluster life-cycle state kUpdated
[SWS_UCM_00196] Software Cluster life-cycle state kRemoved
[SWS_UCM_00197] End of Software Cluster life-cycle state from state kAdded in case of RevertProcessedSwPackages call
[SWS_UCM_00198] End of Software Cluster life-cycle state from state kRemoved
[SWS_UCM_00200] Failing authentication
[SWS_UCM_00209] TransferData PackageInconsistent
[SWS_UCM_00210] Transferring of software packages on kProcessing state
[SWS_UCM_00213] TransferExit InvalidPackageManifest
[SWS_UCM_00214] DeleteTransfer InvalidTransferId
[SWS_UCM_00215] DeleteTransfer OperationNotPermitted
[SWS_UCM_00220] GetSwProcessProgress InvalidTransferId
[SWS_UCM_00237] RevertProcessedSwPackages OperationNotPermitted
[SWS_UCM_00239] Rollback OperationNotPermitted
[SWS_UCM_00240] Finish OperationNotPermitted
[SWS_UCM_00241] Activate OperationNotPermitted
[SWS_UCM_00242] Activate PreActivationFailed
[SWS_UCM_00243] Too big block size received by UCM
[SWS_UCM_00251]
[SWS_UCM_00252]
[SWS_UCM_00253]
[SWS_UCM_00254]
[SWS_UCM_00255]
[SWS_UCM_00257] Update session
[SWS_UCM_00258] Update session rejected
[SWS_UCM_00259] Ending the update session
[SWS_UCM_00260] PrepareUpdate, VerifyUpdate and PrepareRollback orders
[SWS_UCM_00261] PrepareUpdate, VerifyUpdate and PrepareRollback synchronous calls
[SWS_UCM_00262] Update preparation rejected
[SWS_UCM_00263] Update preparation failure
[SWS_UCM_00264] Update verification rejected
[SWS_UCM_01003] UCM Master checks states of UCM subordinates
[SWS_UCM_01011] TransferVehiclePackage InsufficientMemory
[SWS_UCM_01015] Invalid Vehicle Package manifest
[SWS_UCM_01016] Invalid Package Manifest
[SWS_UCM_01103] Inform Backend of needed Software Packages for an update
[SWS_UCM_01109] UCM Master provides a safety interface
[SWS_UCM_01114]
[SWS_UCM_01117] UCM Master SafetyState field
[SWS_UCM_01118] UCM Master waiting for vehicle driver approval
[SWS_UCM_01132] PDUIoCtl(PDU_IOCTL_START_MSG_FILTER), PDUIoCtl(PDU_IOCTL_CLEAR_MSG_FILTER), PDUIoCtl(PDU_IOCTL_STOP_MSG_FILTER)
[SWS_UCM_01203] CampaignState field
[SWS_UCM_01204] Initial state
[SWS_UCM_01207] Trigger on kSoftwarePackage_Transferring state
[SWS_UCM_01209] Trigger on kProcessing state
[SWS_UCM_01212] Trigger on kActivating state
[SWS_UCM_01214] Final action on kVehicleChecking state
[SWS_UCM_01215] Trigger on kCancelling state
[SWS_UCM_01216] Final action on kCancelling state
[SWS_UCM_01217] Monitoring of UCM subordinates
[SWS_UCM_01218] Transition from kIdle state to kSyncing state
[SWS_UCM_01219] Transition from kSyncing state to kIdle state
[SWS_UCM_01220] Transition from kIdle state to kVehiclePackageTransferring state
[SWS_UCM_01221] Transition from kVehiclePackageTransferring state to kIdle state
[SWS_UCM_01222] Transition from kVehiclePackageTransferring state to kSoftwarePackage_Transferring state
[SWS_UCM_01227] Transition from kSoftwarePackage_Transferring state to kIdle state
[SWS_UCM_01228] Transition from kSoftwarePackage_Transferring state to kProcessing state
[SWS_UCM_01229] SafetyConditions while processing stream
[SWS_UCM_01234] Transition from kProcessing state to kActivating state
[SWS_UCM_01236] Transition from kProcessing state to kCancelling state
[SWS_UCM_01239] Transition from kActivating state to kCancelling state
[SWS_UCM_01240] Transition from kActivating state to kVehicleChecking state
[SWS_UCM_01241] Transition from kVehicleChecking state to kCancelling state
[SWS_UCM_01242] Transition from kVehicleChecking state to kIdle state
[SWS_UCM_01243] Transition from kCancelling state to kIdle state
[SWS_UCM_01244] Cancellation of an update campaign shall be possible
[SWS_UCM_01246] Unreachable UCM during update campaign
[SWS_UCM_01247] Method to read History Report
[SWS_UCM_01265] TransferState field
[SWS_UCM_01270] New campaign disabling
[SWS_UCM_CONSTR_00002] UCM confidential information handling
[SWS_UCM_CONSTR_00004] Unsupported safety by Vehicle driver interface
[SWS_UCM_CONSTR_00005] Safety state change
[SWS_UCM_CONSTR_00006] Exclusive use of Vehicle State Manager
[SWS_UCM_CONSTR_00007] Unsupported safety conditions by Vehicle State Manager
[SWS_UCM_CONSTR_00008] Switching vehicle into update mode
[SWS_UCM_CONSTR_00009] Safety condition change
Table E.8: Changed Traceables in R21-11

E.3.3 Deleted Traceables in R21-11

Number Heading
[SWS_UCM_00093] Transfer sequence
[SWS_UCM_00201] Delta Package dependency error
[SWS_UCM_00211] TransferData TransferInterrupted
[SWS_UCM_00230] ProcessSwPackage AuthenticationFailed
[SWS_UCM_00232] ProcessSwPackage
[SWS_UCM_00233] Cancel Operation CancelFailed
[SWS_UCM_00250] TransferData AuthenticationFailed
[SWS_UCM_01001] UCM Master processes Vehicle Package
[SWS_UCM_01004] Only one UCM Master shall be active per network domain
[SWS_UCM_01006] Start transfer of a Vehicle Package to UCM Master
[SWS_UCM_01007] Start transfer of a Software Package to UCM Master
[SWS_UCM_01008] Transfer data of a Vehicle Package or Software Package to UCM Master
[SWS_UCM_01009] Exit the transfer of a Vehicle Package or Software Package to UCM Master
[SWS_UCM_01010] Delete a Vehicle Package transferred to UCM Master
[SWS_UCM_01012] TransferVehiclePackage InsufficientComputationPower
[SWS_UCM_01102] Get information of available Software Clusters in Backend
[SWS_UCM_01213] Trigger on kVehicleChecking state
[SWS_UCM_01245] Cancellation during activation shall be possible
[SWS_UCM_01304] Confidential information protection
[SWS_UCM_CONSTR_00010] UCM Client update sequence
Table E.9: Deleted Traceables in R21-11

E.3.4 Added Constraints in R21-11

none

E.3.5 Changed Constraints in R21-11

none

E.3.6 Deleted Constraints in R21-11

none
