AUTOSAR RS Safety

The document outlines safety requirements for the AUTOSAR Adaptive and Classic Platforms, focusing on functional and technical safety requirements derived from safety goals and hazards. It specifies guidelines for reading the document, conventions for requirement identifiers, and includes top-level safety requirements aimed at ensuring correct operation and communication within automotive applications. The document is part of the AUTOSAR standard release R20-11 and is intended solely for automotive applications, with no ASIL ratings assigned to the requirements.

Uploaded by

VivekHarshaN A
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
41 views27 pages

AUTOSAR RS Safety

The document outlines safety requirements for the AUTOSAR Adaptive and Classic Platforms, focusing on functional and technical safety requirements derived from safety goals and hazards. It specifies guidelines for reading the document, conventions for requirement identifiers, and includes top-level safety requirements aimed at ensuring correct operation and communication within automotive applications. The document is part of the AUTOSAR standard release R20-11 and is intended solely for automotive applications, with no ASIL ratings assigned to the requirements.

Uploaded by

VivekHarshaN A
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 27

Safety Requirements for AUTOSAR Adaptive Platform and AUTOSAR Classic Platform
AUTOSAR FO R20-11

Document Title: Safety Requirements for AUTOSAR Adaptive Platform and AUTOSAR Classic Platform
Document Owner: AUTOSAR
Document Responsibility: AUTOSAR
Document Identification No: 986
Document Status: published
Part of AUTOSAR Standard: Foundation
Part of Standard Release: R20-11

Document Change History

Date: 2020-11-30
Release: R20-11
Changed by: AUTOSAR Release Management
Description:
• Initial release
• Functional safety requirements for the AUTOSAR Adaptive Platform
• Technical safety requirements for PHM, EM, SM, OS, PER, CM and UCM

1 of 27 Document ID 986: AUTOSAR_RS_Safety


Disclaimer

This work (specification and/or software implementation) and the material contained in it, as released by AUTOSAR, is for the purpose of information only. AUTOSAR and the companies that have contributed to it shall not be liable for any use of the work.

The material contained in this work is protected by copyright and other types of intellectual property rights. The commercial exploitation of the material contained in this work requires a license to such intellectual property rights.

This work may be utilized or reproduced without any modification, in any form or by any means, for informational purposes only. For any other purpose, no part of the work may be utilized or reproduced, in any form or by any means, without permission in writing from the publisher.

The work has been developed for automotive applications only. It has neither been developed, nor tested for non-automotive applications.

The word AUTOSAR and the AUTOSAR logo are registered trademarks.



Table of Contents

1 Scope of Document 4
2 How to Read This Document 4
  2.1 Requirements Guidelines 4
  2.2 Conventions used 5
    2.2.1 Requirement Identifier Coding 5
3 Acronyms and abbreviations 7
4 Requirements Specification 7
  4.1 Top Level Safety Requirements and Safety Goals 7
  4.2 Functional Safety Requirements 9
  4.3 Technical Safety Requirements 14
    4.3.1 AUTOSAR Adaptive Platform 14
      4.3.1.1 Functional Cluster: Platform Health Management (PHM) 14
      4.3.1.2 Functional Cluster: Execution Management (EM) 17
      4.3.1.3 Functional Cluster: State Management (SM) 18
      4.3.1.4 Operating System (OS) 19
      4.3.1.5 Functional Cluster: Persistency (PER) 20
      4.3.1.6 Functional Cluster: Communication Management (CM) 21
      4.3.1.7 Functional Cluster: Update and Configuration Management (UCM) 23
5 Requirements Tracing 24
6 References 26



1 Scope of Document

This document specifies safety requirements on the AUTOSAR Platform, the AUTOSAR Adaptive Platform in particular. It elaborates the high level safety requirements written in RS_Main and makes use of the intended functionality described in the EXP_PlatformDesign document. The functional safety requirements are derived from the safety goals and hazards mentioned in EXP_SafetyOverview. Technical safety requirements towards the AUTOSAR functional clusters and safety relevant applications are derived from the functional safety requirements.

The AUTOSAR Classic Platform is not in scope.

No ASIL Ratings

Since the AUTOSAR consortium, and especially the AUTOSAR Adaptive Platform Working Groups, only provide an architecture definition, descriptions of the functional blocks and a proof of concept implementation, it is not possible to assign an ASIL rating to any requirement in this scope as described in ISO 26262 [1].

2 How to Read This Document


This document contains functional safety requirements which are generic and do not mention specific solutions/components of AUTOSAR. The technical safety requirements are then derived from the functional safety requirements and mention the specific responsibilities of AUTOSAR components. Each requirement has its unique identifier starting with the prefix "RS_SAF_" (for "Safety Requirement").

2.1 Requirements Guidelines

The representation of requirements in AUTOSAR documents follows the table specified in [TPS_STDT_00078], see Standardization Template [2], chapter Support for Traceability.

The verbal forms for the expression of obligation specified in [TPS_STDT_00053] shall be used to indicate requirements, see Standardization Template [2], chapter Support for Traceability.


2.2 Conventions used


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as follows, based on [3].

Note that the requirement level of the document in which they are used modifies the force of these words.

• MUST: This word, or the adjective "LEGALLY REQUIRED", means that the definition is an absolute requirement of the specification due to legal issues.
• MUST NOT: This phrase, or the phrase "MUST NOT", means that the definition is an absolute prohibition of the specification due to legal issues.
• SHALL: This phrase, or the adjective "REQUIRED", means that the definition is an absolute requirement of the specification.
• SHALL NOT: This phrase means that the definition is an absolute prohibition of the specification.
• SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
• SHOULD NOT: This phrase, or the phrase "NOT RECOMMENDED", means that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.
• MAY: This word, or the adjective "OPTIONAL", means that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item.

An implementation which does not include a particular option SHALL be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option SHALL be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides).

2.2.1 Requirement Identifier Coding

The unique identifier for safety requirements shall consist of

• a document identifier
• an identifier to distinguish functional safety requirements and technical safety requirements
• an identifier to identify a target component (either a Functional Cluster in the AUTOSAR Adaptive Platform or a Basic Software Component in the AUTOSAR Classic Platform)
• a requirement number

The coding pattern used in this requirements specification is RS_SAF_<Z><YY><XX>, where Z is a single digit number, describing whether the requirement is a

• 0: safety goal or top level safety requirement, where YY is reserved and XX is a double digit number
• 1: functional safety requirement for the AUTOSAR Adaptive Platform, where YY is reserved and XX is a double digit number
• 2: technical safety requirement for the AUTOSAR Adaptive Platform, where YY is a double digit number, describing whether the requirement addresses
    00: reserved
    11: Platform Health Management (PHM)
    12: Execution Management (EM)
    13: State Management (SM)
    14: Operating System (OS)
    15: Persistency (PER)
    16: Communication Management (CM)
    17: Update and Configuration Management (UCM)
  and XX is a double digit number
• 3-9: reserved for future use, e.g. technical safety requirement for the AUTOSAR Classic Platform
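The identifier scheme above can be checked mechanically, which is useful when validating trace links in a requirements tool. The following C++ parser is an added example written for this page, not AUTOSAR code: the type and function names are assumptions, the field rules (Z in 0..2, YY fixed to 00 for Z = 0 and 1, YY assigned only for 11..17 when Z = 2) come from section 2.2.1, and DerivesFrom encodes the derivation order of chapter 4 (functional requirements derive from top level ones, technical requirements from functional ones).

```cpp
#include <cstdio>
#include <string>

// Decoded form of an RS_SAF_<Z><YY><XX> identifier (constructed type for this
// example, not an AUTOSAR type).
struct SafetyReqId {
    int z;               // 0: safety goal / top level, 1: functional (AP), 2: technical (AP)
    int yy;              // target component code; reserved (00) for Z = 0 and Z = 1
    int xx;              // two-digit requirement number
    const char* target;  // functional cluster name for Z = 2, "" otherwise
};

// YY codes assigned in section 2.2.1 for technical safety requirements (Z = 2).
// 00 is reserved and every other value is unassigned in this release.
const char* TargetForYY(int yy) {
    switch (yy) {
        case 11: return "Platform Health Management (PHM)";
        case 12: return "Execution Management (EM)";
        case 13: return "State Management (SM)";
        case 14: return "Operating System (OS)";
        case 15: return "Persistency (PER)";
        case 16: return "Communication Management (CM)";
        case 17: return "Update and Configuration Management (UCM)";
        default: return nullptr;
    }
}

// Parses "RS_SAF_ZYYXX" into *out. Returns false for anything that is not a
// well-formed identifier whose fields the document actually assigns.
bool ParseSafetyReqId(const std::string& id, SafetyReqId* out) {
    static const std::string kPrefix = "RS_SAF_";
    if (id.size() != kPrefix.size() + 5 || id.compare(0, kPrefix.size(), kPrefix) != 0) {
        return false;
    }
    const std::string digits = id.substr(kPrefix.size());
    for (char c : digits) {
        if (c < '0' || c > '9') return false;
    }
    SafetyReqId r;
    r.z = digits[0] - '0';
    r.yy = (digits[1] - '0') * 10 + (digits[2] - '0');
    r.xx = (digits[3] - '0') * 10 + (digits[4] - '0');
    r.target = "";
    if (r.z >= 3) return false;        // 3-9 are reserved for future use
    if (r.z <= 1) {
        if (r.yy != 0) return false;   // YY is reserved (00) for Z = 0 and Z = 1
    } else {
        const char* target = TargetForYY(r.yy);
        if (target == nullptr) return false;
        r.target = target;
    }
    *out = r;
    return true;
}

// Level (Z) of a valid identifier, or -1 if it does not parse.
int LevelOf(const std::string& id) {
    SafetyReqId r;
    return ParseSafetyReqId(id, &r) ? r.z : -1;
}

// Functional cluster addressed by a valid technical requirement, "" otherwise.
std::string TargetOf(const std::string& id) {
    SafetyReqId r;
    return ParseSafetyReqId(id, &r) ? std::string(r.target) : std::string();
}

// Chapter 4 derives functional requirements (Z = 1) from top level ones (Z = 0)
// and technical requirements (Z = 2) from functional ones. Returns true when
// `child` may legitimately trace to `parent` under that scheme.
bool DerivesFrom(const std::string& child, const std::string& parent) {
    SafetyReqId c, p;
    if (!ParseSafetyReqId(child, &c) || !ParseSafetyReqId(parent, &p)) return false;
    return c.z >= 1 && p.z == c.z - 1;
}

int main() {
    const char* samples[] = {"RS_SAF_00001", "RS_SAF_10031", "RS_SAF_21104", "RS_SAF_20001"};
    for (const char* s : samples) {
        SafetyReqId r;
        if (ParseSafetyReqId(s, &r)) {
            std::printf("%s: Z=%d YY=%02d XX=%02d %s\n", s, r.z, r.yy, r.xx, r.target);
        } else {
            std::printf("%s: not a valid identifier\n", s);
        }
    }
    return 0;
}
```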


3 Acronyms and abbreviations


The glossary below includes acronyms and abbreviations relevant to RS_Safety that
are not included in the AUTOSAR Glossary [4].
Abbreviation / Acronym: Description:
PHM Platform Health Management
EM Execution Management
SM State Management
OS Operating System
PER Persistency
CM Communication Management
UCM Update and Configuration Management
S2S Signal to Service
SG Safety Goal

Table 3.1: Acronyms and Abbreviations

4 Requirements Specification
This chapter contains top level safety requirements (safety goals) for AUTOSAR in
4.1. Functional safety requirements in 4.2 are derived from these safety goals. The
sub-chapter 4.3 contains technical safety requirements which are derived from the
functional safety requirements.

4.1 Top Level Safety Requirements and Safety Goals


[RS_SAF_00001]{DRAFT} AUTOSAR shall ensure correct computation, execution and execution order of multiple applications with mixed criticality. ⌈

Type: draft
Description: AUTOSAR shall ensure correct computation, execution and execution order of multiple applications with mixed criticality.
Rationale: To ensure freedom from interference with respect to timing [1] and data processing.
AppliesTo: AP
Supporting Material: ISO 26262 [1]

⌋(RS_Main_00010, RS_Main_00011, RS_Main_00012, RS_Main_00030)


[RS_SAF_00002]{DRAFT} AUTOSAR shall ensure correct configuration during the entire life cycle of the platform. ⌈

Type: draft
Description: AUTOSAR shall ensure correct configuration during the entire life cycle of the platform.
Rationale: AUTOSAR needs to provide measures and mechanisms to keep the configuration consistent throughout the whole life-cycle of the item.
AppliesTo: AP
Supporting Material: ISO 26262 [1]

⌋(RS_Main_00010, RS_Main_00011, RS_Main_00012, RS_Main_00030)


[RS_SAF_00003]{DRAFT} AUTOSAR shall ensure correct update and upgrade of multiple platform and non-platform applications with mixed criticality. ⌈

Type: draft
Description: AUTOSAR shall ensure correct update and upgrade of multiple platform and non-platform applications with mixed criticality.
Rationale: AUTOSAR supports updatability during the life cycle and therefore the platform is responsible for ensuring that these updates are performed correctly and safely.
AppliesTo: AP
Supporting Material: ISO 26262 [1]

⌋(RS_Main_00010, RS_Main_00011, RS_Main_00012, RS_Main_00030, RS_Main_00150)
[RS_SAF_00004]{DRAFT} AUTOSAR shall ensure correct exchange (transmission and reception) of information. ⌈

Type: draft
Description: AUTOSAR shall ensure correct exchange (transmission and reception) of information.
Rationale: In a vehicle several ECUs with several software components are interrelating with each other to fulfill a goal or functionality. AUTOSAR provides standardized interfaces and mechanisms to achieve safe communication between these components. Safe communication with elements outside of the vehicle is also in scope.
AppliesTo: AP
Supporting Material: ISO 26262 [1]

⌋(RS_Main_00010, RS_Main_00011, RS_Main_00012, RS_Main_00030)


[RS_SAF_00005]{DRAFT} AUTOSAR shall detect faults and failures while processing data, communicating with other systems or system elements. ⌈

Type: draft
Description: AUTOSAR shall detect faults and failures while processing data, communicating with other systems or system elements.
Rationale: Mechanisms to detect faults and failures are required to achieve higher safety ratings and increase product quality. A list of potential failures is described in EXP_SafetyOverview [5] and ISO 26262 [1]. Incorrect specification or configuration is a potential source of failure.
AppliesTo: AP
Supporting Material: ISO 26262 [1]

⌋(RS_Main_00010)

4.2 Functional Safety Requirements


[RS_SAF_10001]{DRAFT} The AUTOSAR Adaptive Platform shall provide safe initialization of hardware and software components. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide safe initialization of hardware and software components.
Rationale: Safe initialization of the underlying hardware, the AUTOSAR Adaptive Platform functional clusters and services, and the application software is required to ensure intended functionality.
Use Case: AP-UC-02
AppliesTo: AP
Dependencies: EM, SM, UCM, PHM
Supporting Material: –

⌋(RS_SAF_00001, RS_SAF_00002)
[RS_SAF_10002]{DRAFT} The AUTOSAR Adaptive Platform shall provide safe verification mechanisms of platform functional-clusters, applications, services and their respective configuration data. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide safe verification mechanisms of platform functional-clusters, applications, services and their respective configuration data.
Rationale: Due to random hardware failures in the memory unit, the data integrity is required to be verified to ensure that no loss of data has occurred over time during operation, stand-by or powered off, and that the data has not been tampered with. Note: Not with respect to cybersecurity.
Use Case: AP-UC-02, AP-UC-06
AppliesTo: AP
Dependencies: EM, UCM, PER
Supporting Material: –

⌋(RS_SAF_00002, RS_SAF_00003)
[RS_SAF_10005]{DRAFT} The AUTOSAR Adaptive Platform shall provide safe shutdown and termination of applications and services. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide safe shutdown and termination of applications and services.
Rationale: Before termination of applications and services and/or shut-down of the AUTOSAR Adaptive Platform or the whole ECU, the dependent applications have to be terminated properly in the right order to prevent conflicts, failures or unexpected behavior. This ensures safe degradation, fault evacuation and fault containment.
Use Case: [AP-UC-01], [AP-UC-06]
AppliesTo: AP
Dependencies: EM, SM, PHM, UCM, OS
Supporting Material: –

⌋(RS_SAF_00001, RS_SAF_00003)
[RS_SAF_10006]{DRAFT} The AUTOSAR Adaptive Platform shall provide safe transition of states in an application/service life cycle. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide safe transition of states in an application/service life cycle.
Rationale: The AUTOSAR Adaptive Platform is responsible for managing and monitoring the internal states of the application.
Use Case: [AP-UC-01], [AP-UC-06]
AppliesTo: AP
Dependencies: EM, SM, PHM
Supporting Material: –

⌋(RS_SAF_00001)
[RS_SAF_10008]{DRAFT} The AUTOSAR Adaptive Platform shall provide safe resource management for the AUTOSAR Adaptive Platform functional-clusters, applications and services. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide safe resource management for the AUTOSAR Adaptive Platform functional-clusters, applications and services.
Rationale: The functional clusters, applications and services of the AUTOSAR Adaptive Platform shall be ensured adequate resources and availability of those resources in the expected time with sufficient freedom from interference. No unexpected or unhandled exception shall prevent or delay access to a required and properly managed and authorized resource. Resources are, among others, CPU, runtime, memory consumption, network bandwidth, peripherals (like ADC, DAC, Timer) ...
Use Case: [AP-UC-01]
AppliesTo: AP
Dependencies: EM, OS
Supporting Material: –

⌋(RS_SAF_00001, RS_SAF_00002, RS_SAF_00004)


[RS_SAF_10014]{DRAFT} The AUTOSAR Adaptive Platform shall provide an interface for an application or service to allow safe communication. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide an interface for an application or service to allow safe communication.
Rationale: In a vehicle several ECUs with several software components are interrelating with each other to fulfill a goal or functionality. The AUTOSAR Adaptive Platform provides standardized interfaces and mechanisms to achieve safe communication between these components. Safe communication with elements outside of the vehicle is also in scope.
Use Case: [AP-UC-03], [AP-UC-04], [AP-UC-05]
AppliesTo: AP
Dependencies: CM[E2E]
Supporting Material: –

⌋(RS_SAF_00004)


[RS_SAF_10027]{DRAFT} The AUTOSAR Adaptive Platform shall prevent loss of a valid configuration. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall prevent loss of a valid configuration.
Rationale: The AUTOSAR Adaptive Platform should provide mechanisms to switch back to the latest working configuration.
Use Case: [AP-UC-02], [AP-UC-06]
AppliesTo: AP
Dependencies: UCM
Supporting Material: –

⌋(RS_SAF_00002)
[RS_SAF_10028]{DRAFT} The AUTOSAR Adaptive Platform shall provide dependable scheduling of AUTOSAR Adaptive Platform functional-clusters, applications and services. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide dependable scheduling of AUTOSAR Adaptive Platform functional-clusters, applications and services.
Rationale: Dependable scheduling is required to ensure the proper time-allocation for all the available functional-clusters, applications and services.
Use Case: [AP-UC-01]
AppliesTo: AP
Dependencies: EM, OS
Supporting Material: –

⌋(RS_SAF_00001, RS_SAF_00002)
[RS_SAF_10030]{DRAFT} The AUTOSAR Adaptive Platform shall provide safe program execution. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall provide safe program execution.
Rationale: The AUTOSAR Adaptive Platform shall offer flow monitoring mechanisms to detect and ensure that the intended program flow of functional-clusters and services, as well as of user-applications and user-services, is not violated.
Use Case: [AP-UC-01]
AppliesTo: AP
Dependencies: EM, SM, OS, PHM
Supporting Material: –

⌋(RS_SAF_00001)
[RS_SAF_10031]{DRAFT} The AUTOSAR Adaptive Platform shall detect the program execution time violation. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall detect the program execution time violation.
Rationale: All the timing constraints of the functional-clusters, applications and services need to be supervised and monitored.
Use Case: [AP-UC-01], [AP-UC-06]
AppliesTo: AP
Dependencies: EM, SM, OS, PHM
Supporting Material: –

⌋(RS_SAF_00001)
[RS_SAF_10037]{DRAFT} The AUTOSAR Adaptive Platform shall prevent unintended alteration of data. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall prevent unintended alteration of data.
Rationale: Due to random hardware failures in the memory unit, the data integrity is required to be verified to ensure that no alteration to data has occurred over time during operation, stand-by or powered off, and that the data has not been tampered with. To achieve freedom from interference, the access to data needs to be managed and protected. Note: Not with respect to cybersecurity.
Use Case: [AP-UC-06]
AppliesTo: AP
Dependencies: PER, PHM
Supporting Material: –

⌋(RS_SAF_00002, RS_SAF_00003, RS_SAF_00004)


[RS_SAF_10038]{DRAFT} The AUTOSAR Adaptive Platform shall ensure that the safety relevant software is updated/upgraded in a state that cannot cause a hazardous situation. ⌈

Type: draft
Description: The AUTOSAR Adaptive Platform shall ensure that the safety relevant software is updated/upgraded in a state that cannot cause a hazardous situation.
Rationale: The update of a safety critical application should be done when the car is stationary and at a safe location, e.g. a parking garage.
Use Case: [AP-UC-02]
AppliesTo: AP
Dependencies: UCM, SM
Supporting Material: –

⌋(RS_SAF_00003)

4.3 Technical Safety Requirements

4.3.1 AUTOSAR Adaptive Platform

4.3.1.1 Functional Cluster: Platform Health Management (PHM)

[RS_SAF_21101]{DRAFT} Platform Health Management shall inherit at least the highest safety integrity level from any Process that is running on the platform. ⌈

Type: draft
Description: Platform Health Management shall inherit at least the highest safety integrity level from any Process that is running on the platform.
Rationale: Platform Health Management is responsible for ensuring part of the safe execution of safety relevant processes/applications; it should therefore be developed with at least the highest ASIL of the processes/applications that are being executed.
Use Case: ASIL C, ASIL B and QM applications are running on the Adaptive Platform. PHM shall supervise the ASIL C and ASIL B applications, therefore PHM shall be implemented with ASIL C.
AppliesTo: AP
Dependencies: PHM
Supporting Material: –

⌋(RS_SAF_10002, RS_SAF_10030, RS_SAF_10031)


[RS_SAF_21102]{DRAFT} Platform Health Management shall supervise the State Management and trigger a watchdog reset in case it fails. ⌈

Type: draft
Description: Platform Health Management shall ensure that the State Management is functioning, and trigger a watchdog reset in case it fails.
Rationale: Since State Management is a fundamental functional cluster of Adaptive AUTOSAR, if it fails then Platform Health Management (which controls the watchdog) shall trigger a reset, which is the only reasonable option.
Use Case: SM is managing a safety critical application. Supervision of SM fails and this is detected by PHM. PHM shall trigger a watchdog reset.
AppliesTo: AP
Dependencies: PHM, SM
Supporting Material: –

⌋(RS_SAF_10006, RS_SAF_10030, RS_SAF_10005)


[RS_SAF_21103]{DRAFT} Platform Health Management shall supervise the Execution Management and trigger a watchdog reset in case it fails. ⌈

Type: draft
Description: Platform Health Management shall ensure that the Execution Management is functioning, and trigger a watchdog reset in case it fails.
Rationale: Since Execution Management is a fundamental functional cluster of Adaptive AUTOSAR, if it fails then Platform Health Management (which controls the watchdog) shall trigger a reset, which is the only reasonable option.
Use Case: EM is managing safety critical applications. Supervision of EM fails and this is detected by PHM. PHM shall trigger a watchdog reset.
AppliesTo: AP
Dependencies: PHM, EM
Supporting Material: –

⌋(RS_SAF_10006, RS_SAF_10030, RS_SAF_10005)


[RS_SAF_21104]{DRAFT} Platform Health Management shall monitor the aliveness of safety relevant applications and services. ⌈

Type: draft
Description: Platform Health Management shall monitor the execution frequency of safety relevant applications and services.
Rationale: Alive Supervision is one of the mechanisms of Platform Health Management by which it monitors safety relevant processes/applications.
Use Case: A safety critical application with alive supervision gets stuck at some point in time during execution. PHM detects that the supervised application is not alive.
AppliesTo: AP
Dependencies: PHM
Supporting Material: –

⌋(RS_SAF_10031)
[RS_SAF_21105]{DRAFT} Platform Health Management shall monitor the control flow of safety relevant applications and services. ⌈

Type: draft
Description: Platform Health Management shall monitor the control flow of safety relevant applications and services.
Rationale: Logical Supervision is one of the mechanisms of Platform Health Management by which it monitors safety relevant processes/applications.
Use Case: A safety critical application is developed to follow a specific control flow and is suddenly not behaving as intended. PHM detects the control flow violation.
AppliesTo: AP
Dependencies: PHM
Supporting Material: –

⌋(RS_SAF_10005, RS_SAF_10006, RS_SAF_10030)


[RS_SAF_21106]{DRAFT} Platform Health Management shall monitor that the duration between the checkpoints of safety relevant applications and services is within the minimum and maximum configured time limits. ⌈

Type: draft
Description: Platform Health Management shall monitor that the duration between the checkpoints of safety relevant applications and services is within the minimum and maximum configured time limits.
Rationale: Deadline Supervision is one of the mechanisms of Platform Health Management by which it monitors safety relevant processes/applications.
Use Case: A safety critical application is developed to reach specific checkpoints in a defined time window and is suddenly not behaving as intended. PHM detects the violation.
AppliesTo: AP
Dependencies: PHM
Supporting Material: –

⌋(RS_SAF_10031)
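The three PHM mechanisms of RS_SAF_21104, RS_SAF_21105 and RS_SAF_21106 (alive, logical and deadline supervision) and their use cases, modelled in one added C++ example. This is illustration code written for this page, not the AUTOSAR PHM API: the class, the checkpoint ids, the 10 ms control cycle, the 100 ms reference cycle and the limits are constructed assumptions, and each scenario function replays one of the use cases above against the supervisor.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <utility>

// Constructed checkpoints of a supervised process: each control cycle is
// expected to pass CP_START -> CP_COMPUTE -> CP_OUTPUT and then start again.
enum Checkpoint { CP_START = 1, CP_COMPUTE = 2, CP_OUTPUT = 3 };

enum class SupervisionStatus { kOk, kFailed };

struct DeadlineLimits { std::uint32_t min_ms; std::uint32_t max_ms; };
struct AliveLimits { std::uint32_t min_count; std::uint32_t max_count; };

// Supervises one process with the three mechanisms of RS_SAF_21104..21106.
class CheckpointSupervisor {
 public:
    // Logical supervision (RS_SAF_21105): only configured transitions are legal.
    void AllowTransition(int from, int to) { allowed_.insert(std::make_pair(from, to)); }
    // Deadline supervision (RS_SAF_21106): transition duration must be in [min, max].
    void SetDeadline(int from, int to, DeadlineLimits l) { deadlines_[std::make_pair(from, to)] = l; }
    // Alive supervision (RS_SAF_21104): checkpoint must be seen min..max times per cycle.
    void SetAlive(int cp, AliveLimits l) { alive_[cp] = l; }

    // Called by the supervised process whenever it passes a checkpoint.
    SupervisionStatus ReportCheckpoint(int cp, std::uint32_t now_ms) {
        if (status_ == SupervisionStatus::kFailed) return status_;  // failures are sticky
        if (have_last_) {
            const std::pair<int, int> edge = std::make_pair(last_cp_, cp);
            if (allowed_.count(edge) == 0) status_ = SupervisionStatus::kFailed;  // control flow violation
            const auto d = deadlines_.find(edge);
            if (d != deadlines_.end()) {
                const std::uint32_t elapsed = now_ms - last_ms_;
                if (elapsed < d->second.min_ms || elapsed > d->second.max_ms) {
                    status_ = SupervisionStatus::kFailed;  // transition too fast or too slow
                }
            }
        }
        ++count_[cp];
        last_cp_ = cp; last_ms_ = now_ms; have_last_ = true;
        return status_;
    }

    // Called by PHM at the end of each reference cycle.
    SupervisionStatus EndOfReferenceCycle() {
        for (const auto& kv : alive_) {
            const std::uint32_t seen = count_[kv.first];
            if (seen < kv.second.min_count || seen > kv.second.max_count) {
                status_ = SupervisionStatus::kFailed;  // stuck, or running far too often
            }
        }
        count_.clear();
        return status_;
    }

 private:
    std::set<std::pair<int, int>> allowed_;
    std::map<std::pair<int, int>, DeadlineLimits> deadlines_;
    std::map<int, AliveLimits> alive_;
    std::map<int, std::uint32_t> count_;
    int last_cp_ = 0; std::uint32_t last_ms_ = 0; bool have_last_ = false;
    SupervisionStatus status_ = SupervisionStatus::kOk;
};

// Constructed configuration: 10 ms control cycle, 100 ms reference cycle.
CheckpointSupervisor MakeSupervisor() {
    CheckpointSupervisor s;
    s.AllowTransition(CP_START, CP_COMPUTE);
    s.AllowTransition(CP_COMPUTE, CP_OUTPUT);
    s.AllowTransition(CP_OUTPUT, CP_START);
    s.SetDeadline(CP_COMPUTE, CP_OUTPUT, DeadlineLimits{1, 5});
    s.SetAlive(CP_START, AliveLimits{9, 11});  // about 10 control cycles per 100 ms
    return s;
}

// RS_SAF_21104 use case: the process runs `cycles` nominal control cycles inside
// one reference cycle. 10 cycles is healthy; 3 means it got stuck.
SupervisionStatus ScenarioAlive(std::uint32_t cycles) {
    CheckpointSupervisor s = MakeSupervisor();
    for (std::uint32_t i = 0; i < cycles; ++i) {
        const std::uint32_t t = i * 10;
        s.ReportCheckpoint(CP_START, t);
        s.ReportCheckpoint(CP_COMPUTE, t + 2);
        s.ReportCheckpoint(CP_OUTPUT, t + 5);
    }
    return s.EndOfReferenceCycle();
}

// RS_SAF_21105 use case: CP_OUTPUT is reached without passing CP_COMPUTE.
SupervisionStatus ScenarioControlFlowViolation() {
    CheckpointSupervisor s = MakeSupervisor();
    s.ReportCheckpoint(CP_START, 0);
    return s.ReportCheckpoint(CP_OUTPUT, 5);  // START -> OUTPUT is not an allowed edge
}

// RS_SAF_21106 use case: CP_COMPUTE -> CP_OUTPUT takes 8 ms, the limit is 5 ms.
SupervisionStatus ScenarioDeadlineViolation() {
    CheckpointSupervisor s = MakeSupervisor();
    s.ReportCheckpoint(CP_START, 0);
    s.ReportCheckpoint(CP_COMPUTE, 2);
    return s.ReportCheckpoint(CP_OUTPUT, 10);
}
```

In the platform these failures would be reported by PHM to State Management (RS_SAF_21107), which coordinates the recovery action.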


[RS_SAF_21107]{DRAFT} Platform Health Management shall notify State Management in case an AUTOSAR Adaptive Platform functional cluster, application or service other than Execution Management and State Management fails. ⌈

Type: draft
Description: Platform Health Management shall notify State Management in case an AUTOSAR Adaptive Platform functional cluster, application or service other than Execution Management and State Management fails.
Rationale: Since the recovery actions are coordinated in SM, the failures shall be reported to SM, except if SM or EM themselves fail.
Use Case: PHM supervises a safety critical application. This application fails. PHM detects the issue and reports to SM.
AppliesTo: AP
Dependencies: PHM, SM
Supporting Material: –

⌋(RS_SAF_10005, RS_SAF_10006)

4.3.1.2 Functional Cluster: Execution Management (EM)

[RS_SAF_21201]{DRAFT} Execution Management shall inherit at least the highest safety integrity level from any process that is running on the platform. ⌈

Type: draft
Description: Execution Management shall inherit at least the highest safety integrity level from any process that is running on the platform.
Rationale: EM manages process instantiation and termination of all the processes and therefore needs to be developed and executed according to the same safety standards as the highest rated safety application managed by EM in the system.
Use Case: ASIL C, ASIL B and QM applications are running on the Adaptive Platform. EM shall execute the ASIL C, ASIL B and QM applications, therefore EM shall be implemented with ASIL C.
AppliesTo: AP
Dependencies: EM
Supporting Material: –

⌋(RS_SAF_10001)
[RS_SAF_21202]{DRAFT} Execution Management shall support fully deterministic execution (time determinism and data determinism) so that higher ASIL levels can be achieved even when using parallel processing. ⌈

Type: draft
Description: Execution Management shall support fully deterministic execution (time determinism and data determinism) so that higher ASIL levels can be achieved even when using parallel processing.
Rationale: According to ISO 26262-6 Table 3, one principle of software architectural design is restricted use of interrupts to achieve determinism, which is highly recommended to achieve ASIL D.
Use Case: Two instances of the same application of the same ASIL can be executed for decomposition to reach the higher ASIL level (with some additional measures).
AppliesTo: AP
Dependencies: EM
Supporting Material: –

⌋(RS_SAF_10028, RS_SAF_10030, RS_SAF_10031, RS_SAF_10005)

4.3.1.3 Functional Cluster: State Management (SM)

[RS_SAF_21301]{DRAFT} State Management shall inherit at least the highest safety integrity level from any Process that is managed by it. ⌈

Type: draft
Description: State Management shall inherit at least the highest safety integrity level from any Process that is managed by it.
Rationale: SM manages state changes and recovery actions of all the processes and therefore needs to be developed and executed according to the same safety standards as the highest rated safety application managed by SM in the system.
Use Case: ASIL C, ASIL B and QM applications are running on the Adaptive Platform. SM shall manage the ASIL C, ASIL B and QM applications, therefore SM shall be implemented with ASIL C.
AppliesTo: AP
Dependencies: SM
Supporting Material: –

⌋(RS_SAF_10001)
[RS_SAF_21302]{DRAFT} State Management shall coordinate recovery actions. ⌈

Type: draft
Description: State Management shall coordinate recovery actions.
Rationale: State Management is a central functional cluster to which Platform Health Management reports supervision failures, and State Management decides which recovery action (e.g. functional group state change, notification to a safe application or even ECU reset) should be triggered.
Use Case: PHM supervises a safety critical application. This application fails. PHM detects the issue and reports to SM. SM coordinates the error recovery actions.
AppliesTo: AP
Dependencies: SM, PHM
Supporting Material: –

⌋(RS_SAF_10005, RS_SAF_10006)

4.3.1.4 Operating System (OS)

[RS_SAF_21401]{DRAFT} The OS shall support a mechanism that prevents starvation of applications or processes on the basis of CPU usage (within the limits of available resources).

Type: draft
Description: The OS shall support a mechanism that prevents starvation of applications or processes on the basis of CPU usage (within the limits of available resources).
Rationale: To achieve freedom from interference it is necessary to prevent processes from being adversely affected by other processes that consume excessive resources.
Use Case: A QM application and an ASIL B application are executed on the same core. The OS ensures the defined amount of execution time for the safety-relevant application.
AppliesTo: AP
Dependencies: OS
Supporting Material: –

(RS_SAF_10008, RS_SAF_10028, RS_SAF_10031)


[RS_SAF_21402]{DRAFT} The OS shall support resource reservation for memory in the interval [min,max]. If max is not specified it shall be considered as unlimited.


Type: draft
Description: The OS shall support resource reservation for memory in the interval [min,max]. If max is not specified it shall be considered as unlimited.
Rationale: To achieve freedom from interference it is necessary to prevent processes from adversely affecting other processes through consumption of excessive resources. To this end, OS mechanisms to configure minimum guarantees on available memory are necessary. Optionally a maximum can be configured; if it is not specified, the process can consume all memory that is not otherwise reserved.
Use Case: A QM application and an ASIL application are executed on the same machine. The OS ensures that every application only gets the defined amount of memory allocated.
AppliesTo: AP
Dependencies: OS
Supporting Material: –

(RS_SAF_10008)

[RS_SAF_21403]{DRAFT} Operating System shall ensure that only allowed memory accesses are made.

Type: draft
Description: Operating System shall ensure that only allowed memory accesses are made.
Rationale: To achieve freedom from interference it is necessary to prevent processes from adversely affecting other processes. Access to private memory which is reserved for a process shall be protected against disallowed accesses from other processes.
Use Case: A QM application and an ASIL application are executed on the same machine. The OS prevents the QM application from changing the memory assigned to the safety critical application.
AppliesTo: AP
Dependencies: OS
Supporting Material: –

(RS_SAF_10008)

4.3.1.5 Functional Cluster: Persistency (PER)

[RS_SAF_21501]{DRAFT} Persistency shall add integrity information to the persistent data if such a mechanism does not already exist in the operating system.


Type: draft
Description: Persistency shall add integrity information to the persistent data if such a mechanism does not already exist in the operating system.
Rationale: To be able to detect data corruption (violating data integrity), integrity information such as a CRC needs to be added when storing data. If an underlying mechanism already exists which provides such functionality with the required integrity, e.g. within the OS, then this takes away AUTOSAR's responsibility.
Use Case: A safety critical application requests to store data to a persistent storage. Persistency adds data integrity information and stores the data.
AppliesTo: AP
Dependencies: PER
Supporting Material: –

(RS_SAF_10037)

[RS_SAF_21502]{DRAFT} Persistency shall check the integrity of persistent data when reading it if this is not already done by the operating system.

Type: draft
Description: Persistency shall check the integrity of persistent data when reading it if this is not already done by the operating system.
Rationale: Without an integrity check during read, a corrupted piece of data being read can be wrongly treated as correct. If an underlying mechanism already exists which provides such functionality with the required integrity, e.g. within the OS, then this takes away AUTOSAR's responsibility.
Use Case: A safety critical application requests data from a persistent storage. Persistency reads the requested data and checks the integrity information.
AppliesTo: AP
Dependencies: PER
Supporting Material: –

(RS_SAF_10037)
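The store path of [RS_SAF_21501] and the read path of [RS_SAF_21502] in one piece, as an added C++ example that is not AUTOSAR Persistency code: the stored record is the payload followed by a CRC-32 trailer, and the read path hands data back only when the recomputed CRC matches, rejecting corrupted and truncated records alike. The record layout, the CRC-32 parameters and the function names are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Added example, not AUTOSAR Persistency code: record = payload followed by a CRC-32 trailer.
namespace per_example {

// Bitwise CRC-32 (reflected polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF), no table.
inline uint32_t crc32(const uint8_t* d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; ++i) {
        c ^= d[i];
        for (int k = 0; k < 8; ++k) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

// Store path ([RS_SAF_21501]): append the CRC of the payload as a little-endian trailer.
inline std::vector<uint8_t> protect(const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> rec = payload;
    const uint32_t crc = crc32(payload.data(), payload.size());
    for (int i = 0; i < 4; ++i) rec.push_back(static_cast<uint8_t>(crc >> (8 * i)));
    return rec;
}

// Read path ([RS_SAF_21502]): recompute and compare; return the payload only when it is intact.
inline std::optional<std::vector<uint8_t>> verify(const std::vector<uint8_t>& rec) {
    if (rec.size() < 4) return std::nullopt;                  // truncated: no complete trailer
    const size_t n = rec.size() - 4;
    uint32_t stored = 0;
    for (int i = 0; i < 4; ++i) stored |= static_cast<uint32_t>(rec[n + i]) << (8 * i);
    if (crc32(rec.data(), n) != stored) return std::nullopt;  // corrupted: never hand it out
    return std::vector<uint8_t>(rec.begin(), rec.begin() + static_cast<std::ptrdiff_t>(n));
}

// Constructed scenario: an intact record round-trips, a single flipped bit is rejected on read.
inline bool demo_detects_bit_flip() {
    const std::vector<uint8_t> payload = {'o', 'd', 'o', 0x12, 0x34};
    std::vector<uint8_t> rec = protect(payload);
    const auto intact = verify(rec);
    if (!intact || *intact != payload) return false;
    rec[2] ^= 0x40;                                            // simulate storage corruption
    return !verify(rec).has_value();
}

}  // namespace per_example
```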

4.3.1.6 Functional Cluster: Communication Management (CM)

[RS_SAF_21601]{DRAFT} Communication Management shall provide mechanisms for detection of errors during the exchange of information among software components, by considering all faults listed in the ISO standard (ISO 26262:6-2018 D.2.4).


Type: draft
Description: Communication Management shall provide mechanisms for detection of errors during the exchange of information among software components, by considering all faults listed in the ISO standard (ISO 26262:6-2018 D.2.4).
Rationale: This requirement is created initially to fulfill the goal of AUTOSAR in supporting the development of safety-related systems by offering safety measures and mechanisms. As users may build project-specific applications, it is only possible for AUTOSAR to provide the safe exchange of information. ISO 26262 is mentioned and is to be followed, as it is the international standard for functional safety of automotive E/E systems.
Use Case: Two ASIL rated applications on different control devices shall exchange information through a component (HW or SW) with a lower rated ASIL. Communication Management shall support safety mechanisms like a counter, a checksum and a timestamp to allow the ASIL applications or the CM implementations to detect and ensure that the information has been transmitted correctly, in time and in order.
AppliesTo: AP
Dependencies: CM[E2E]
Supporting Material: –

(RS_SAF_10014, RS_SAF_10037)
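The counter, checksum and timestamp triple from the use case above, as an added C++ example that is not AUTOSAR's E2E library: the sender builds a frame [counter][timestamp][payload][CRC-8] and the receiver maps each field to the fault it catches (CRC mismatch for corruption, counter for repetition and loss or reordering, timestamp age for late delivery). The frame layout, the CRC parameters and the 50 ms age limit are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not AUTOSAR's E2E library: frame = [counter][timestamp LE32][payload][CRC-8].
namespace e2e_example {

// CRC-8, polynomial 0x1D, init 0xFF, final XOR 0xFF (a constructed choice for this example).
inline uint8_t crc8(const uint8_t* d, size_t n) {
    uint8_t c = 0xFF;
    for (size_t i = 0; i < n; ++i) {
        c ^= d[i];
        for (int k = 0; k < 8; ++k)
            c = static_cast<uint8_t>((c & 0x80) ? ((c << 1) ^ 0x1D) : (c << 1));
    }
    return static_cast<uint8_t>(c ^ 0xFF);
}

enum class Status { Ok, WrongCrc, Repeated, WrongSequence, TooLate };

// Sender side: the CRC covers counter, timestamp and payload, so altering any of them is caught.
struct Sender {
    uint8_t counter = 0;
    std::vector<uint8_t> protect(const std::vector<uint8_t>& payload, uint32_t now_ms) {
        std::vector<uint8_t> f;
        f.push_back(counter++);                                   // wraps at 255 by design
        for (int i = 0; i < 4; ++i) f.push_back(static_cast<uint8_t>(now_ms >> (8 * i)));
        f.insert(f.end(), payload.begin(), payload.end());
        f.push_back(crc8(f.data(), f.size()));
        return f;
    }
};

// Receiver side: correct (CRC), in order (counter), in time (timestamp age).
struct Receiver {
    uint32_t max_age_ms = 50;   // data older than this is "not in time"
    bool have_prev = false;
    uint8_t prev_counter = 0;
    Status check(const std::vector<uint8_t>& f, uint32_t now_ms) {
        if (f.size() < 6 || crc8(f.data(), f.size() - 1) != f.back()) return Status::WrongCrc;
        const uint8_t counter = f[0];
        uint32_t ts = 0;
        for (int i = 0; i < 4; ++i) ts |= static_cast<uint32_t>(f[1 + i]) << (8 * i);
        Status st = Status::Ok;
        if (have_prev && counter == prev_counter) st = Status::Repeated;                    // replayed frame
        else if (have_prev && counter != static_cast<uint8_t>(prev_counter + 1)) st = Status::WrongSequence;  // lost or reordered
        have_prev = true;
        prev_counter = counter;   // resynchronise on every CRC-valid frame
        if (st == Status::Ok && now_ms - ts > max_age_ms) st = Status::TooLate;   // unsigned: future stamps fail too
        return st;
    }
};

}  // namespace e2e_example
```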
[RS_SAF_21602]{DRAFT} Communication Management shall, based on individual safety concepts, allow integrators to select and configure the set of safety mechanisms to detect communication faults.

Type: draft
Description: Communication Management shall, based on individual safety concepts, allow integrators to select and configure the set of safety mechanisms to detect communication faults.
Rationale: The AUTOSAR Platform is designed to be used in various applications. It is possible that for specific applications, a particular type of fault will not occur. Therefore, it is reasonable to have the configurability such that integrators may freely select the set of mechanisms to be deployed.
Use Case: A high-level design change or new information requires a different communication protection mechanism. An integrator can select the proper protection by changing the Manifest. Communication Management uses the changed descriptor after a system update.
AppliesTo: AP
Dependencies: CM[E2E]
Supporting Material: –

(RS_SAF_10014, RS_SAF_10037)


4.3.1.7 Functional Cluster: Update and Configuration Management (UCM)

[RS_SAF_21701]{DRAFT} Update and Configuration Management (UCM) shall orchestrate the recovery to a safe operating mode in case of failed update process of a safety relevant software.

Type: draft
Description: Update and Configuration Management (UCM) shall orchestrate the recovery to a safe operating mode in case of failed update process of a safety relevant software.
Rationale: A failed update of a safety relevant software can cause a hazardous situation; to avoid such a situation, Update and Configuration Management shall ensure that the system stays in a safe operating mode.
Use Case: A system update has been performed and the new configuration is not stable and crashes. The system shall transition to a safe operating mode because the safety integrity is not ensured any more.
AppliesTo: AP
Dependencies: UCM
Supporting Material: –

(RS_SAF_10038)

[RS_SAF_21702]{DRAFT} In case of software update/install of a safety relevant software, Update and Configuration Management shall verify the update/installation by checking the integrity of the updated or newly installed software.

Type: draft
Description: In case of software update/install of a safety relevant software, Update and Configuration Management shall verify the update/installation by checking the integrity of the updated or newly installed software.
Rationale: Update and Configuration Management shall ensure that the updated safety relevant software is installed correctly.
Use Case: A system update is going to be performed. The update package contains several modules. Update and Configuration Management shall check that the information within the update package is extracted and stored properly.
AppliesTo: AP
Dependencies: UCM
Supporting Material: –

(RS_SAF_10001, RS_SAF_10002, RS_SAF_10005, RS_SAF_10006, RS_SAF_10008, RS_SAF_10028)

[RS_SAF_21703]{DRAFT} If the verification of the update/installation of a safety relevant software fails, Update and Configuration Management shall ensure that a transition from non-hazardous state to a potentially hazardous state is not made unless the safety feature is available.


Type: draft
Description: If the verification of the update/installation of a safety relevant software fails, Update and Configuration Management shall ensure that a transition from non-hazardous state to a potentially hazardous state is not made unless the safety feature is available.
Rationale: The safety feature whose update failed shall either be available as it was, or a retry should be made which eventually results in the updated safety feature. Unless this happens, the function group state which ensures that a hazardous situation cannot occur shall not be changed.
Use Case: –
AppliesTo: AP
Dependencies: UCM
Supporting Material: –

(RS_SAF_10038)

[RS_SAF_21704]{DRAFT} Update and Configuration Management shall verify the integrity of the new configuration and ensure that a well known configuration can be used in case the verification fails.

Type: draft
Description: Update and Configuration Management shall verify the integrity of the new configuration and ensure that a well known configuration can be used in case the verification fails.
Rationale: During transmission of a new configuration, errors may occur and the integrity check may fail. To allow operation to continue, Update and Configuration Management shall provide a mechanism to roll back or load another known and consistent configuration which is considered safe.
Use Case: –
AppliesTo: AP
Dependencies: UCM
Supporting Material: –

(RS_SAF_10027)

5 Requirements Tracing
The following table references the requirements specified in [6] and links to the fulfillment of these.
Columns: Feature, Description, Satisfied by.


[RS_Main_00010] AUTOSAR shall support the development of safety related systems
  Satisfied by: [RS_SAF_00001], [RS_SAF_00002], [RS_SAF_00003], [RS_SAF_00004], [RS_SAF_00005]
[RS_Main_00011] AUTOSAR shall support the development of reliable systems
  Satisfied by: [RS_SAF_00001], [RS_SAF_00002], [RS_SAF_00003], [RS_SAF_00004]
[RS_Main_00012] AUTOSAR shall provide a software platform to support the development of highly available systems
  Satisfied by: [RS_SAF_00001], [RS_SAF_00002], [RS_SAF_00003], [RS_SAF_00004]
[RS_Main_00030] AUTOSAR shall support development processes for safety related systems
  Satisfied by: [RS_SAF_00001], [RS_SAF_00002], [RS_SAF_00003], [RS_SAF_00004]
[RS_Main_00150] AUTOSAR shall support the deployment and reallocation of AUTOSAR Application Software
  Satisfied by: [RS_SAF_00003]
[RS_SAF_00001] AUTOSAR shall ensure correct computation, execution and execution order of multiple applications with mixed criticality.
  Satisfied by: [RS_SAF_10001], [RS_SAF_10005], [RS_SAF_10008], [RS_SAF_10028], [RS_SAF_10030], [RS_SAF_10031]
[RS_SAF_00002] AUTOSAR shall ensure correct configuration during the entire life cycle of the platform.
  Satisfied by: [RS_SAF_10001], [RS_SAF_10002], [RS_SAF_10008], [RS_SAF_10027], [RS_SAF_10028], [RS_SAF_10037]
[RS_SAF_00003] AUTOSAR shall ensure correct update and upgrade of multiple platform and non-platform applications with mixed criticality.
  Satisfied by: [RS_SAF_10002], [RS_SAF_10005], [RS_SAF_10037], [RS_SAF_10038]
[RS_SAF_00004] AUTOSAR shall ensure correct exchange (transmission and reception) of information.
  Satisfied by: [RS_SAF_10008], [RS_SAF_10014], [RS_SAF_10037]
[RS_SAF_10001] The AUTOSAR Adaptive Platform shall provide safe initialization of hardware and software components.
  Satisfied by: [RS_SAF_21201], [RS_SAF_21301], [RS_SAF_21702]
[RS_SAF_10002] The AUTOSAR Adaptive Platform shall provide safe verification mechanisms of platform functional-clusters, applications, services and their respective configuration data.
  Satisfied by: [RS_SAF_21101], [RS_SAF_21702]
[RS_SAF_10005] The AUTOSAR Adaptive Platform shall provide safe shutdown and termination of application and services.
  Satisfied by: [RS_SAF_21102], [RS_SAF_21103], [RS_SAF_21105], [RS_SAF_21107], [RS_SAF_21202], [RS_SAF_21302], [RS_SAF_21702]


[RS_SAF_10006] The AUTOSAR Adaptive Platform shall provide safe transition of states in an application/service life cycle.
  Satisfied by: [RS_SAF_21102], [RS_SAF_21103], [RS_SAF_21105], [RS_SAF_21107], [RS_SAF_21302], [RS_SAF_21702]
[RS_SAF_10008] The AUTOSAR Adaptive Platform shall provide safe resource management for the AUTOSAR Adaptive Platform functional-clusters, applications and services.
  Satisfied by: [RS_SAF_21401], [RS_SAF_21402], [RS_SAF_21403], [RS_SAF_21702]
[RS_SAF_10014] The AUTOSAR Adaptive Platform shall provide an interface for an application or service to allow safe communication.
  Satisfied by: [RS_SAF_21601], [RS_SAF_21602]
[RS_SAF_10027] The AUTOSAR Adaptive Platform shall prevent loss of a valid configuration.
  Satisfied by: [RS_SAF_21704]
[RS_SAF_10028] The AUTOSAR Adaptive Platform shall provide dependable scheduling of AUTOSAR Adaptive Platform functional-clusters, applications and services.
  Satisfied by: [RS_SAF_21202], [RS_SAF_21401], [RS_SAF_21702]
[RS_SAF_10030] The AUTOSAR Adaptive Platform shall provide safe program execution.
  Satisfied by: [RS_SAF_21101], [RS_SAF_21102], [RS_SAF_21103], [RS_SAF_21105], [RS_SAF_21202]
[RS_SAF_10031] The AUTOSAR Adaptive Platform shall detect the program execution time violation.
  Satisfied by: [RS_SAF_21101], [RS_SAF_21104], [RS_SAF_21106], [RS_SAF_21202], [RS_SAF_21401]
[RS_SAF_10037] The AUTOSAR Adaptive Platform shall prevent unintended alteration of data.
  Satisfied by: [RS_SAF_21501], [RS_SAF_21502], [RS_SAF_21601], [RS_SAF_21602]
[RS_SAF_10038] The AUTOSAR Adaptive Platform shall ensure that the safety relevant software is updated/upgraded in a state that cannot cause a hazardous situation.
  Satisfied by: [RS_SAF_21701], [RS_SAF_21703]

6 References

[1] ISO 26262:2018 (all parts) – Road vehicles – Functional Safety
    http://www.iso.org
[2] System Template
    AUTOSAR_TPS_SystemTemplate
[3] Key words for use in RFCs to Indicate Requirement Levels
    http://www.ietf.org/rfc/rfc2119.txt
[4] Glossary
    AUTOSAR_TR_Glossary


[5] Explanation of Safety Overview
    AUTOSAR_EXP_SafetyOverview
[6] Main Requirements
    AUTOSAR_RS_Main
