AUTOSAR AP RS ExecutionManagement


Requirements on Execution Management

AUTOSAR AP R23-11

Document Title: Requirements on Execution Management
Document Owner: AUTOSAR
Document Responsibility: AUTOSAR
Document Identification No: 720

Document Status: published

Part of AUTOSAR Standard: Adaptive Platform
Part of Standard Release: R23-11

Document Change History


Date | Release | Changed by | Description

2023-11-23 | R23-11 | AUTOSAR Release Management
• Requirements for deterministic execution are set to obsolete
• The right to create child processes can be configured by integrator
• Added support for standardized trace points

2022-11-24 | R22-11 | AUTOSAR Release Management
• Added: RS_EM_00151
• Changed uptraces to RS_SAF requirements

2021-11-25 | R21-11 | AUTOSAR Release Management
• Added: RS_EM_00015

2020-11-30 | R20-11 | AUTOSAR Release Management
• Added: RS_EM_00150

2019-11-28 | R19-11 | AUTOSAR Release Management
• Updated: RS_EM_00009 and RS_EM_00103
• Changed Document Status from Final to published

2019-03-29 | 19-03 | AUTOSAR Release Management
• Updated: RS_EM_00008 and RS_EM_00010

2018-10-31 | 18-10 | AUTOSAR Release Management
• Removed: RS_EM_00003, RS_EM_00004, RS_EM_00110 and RS_EM_00111.

2018-03-29 | 18-03 | AUTOSAR Release Management
• Added: [RS_EM_00014].
• Removed: RS_EM_00006, RS_EM_00007 and RS_EM_00012
• Minor changes and document clean up

2017-10-27 | 17-10 | AUTOSAR Release Management
• Minor changes, document clean up

2017-03-31 | 17-03 | AUTOSAR Release Management
• Initial release

1 of 32 Document ID 720: AUTOSAR_AP_RS_ExecutionManagement


Disclaimer

This work (specification and/or software implementation) and the material contained in
it, as released by AUTOSAR, is for the purpose of information only. AUTOSAR and the
companies that have contributed to it shall not be liable for any use of the work.
The material contained in this work is protected by copyright and other types of intel-
lectual property rights. The commercial exploitation of the material contained in this
work requires a license to such intellectual property rights.
This work may be utilized or reproduced without any modification, in any form or by
any means, for informational purposes only. For any other purpose, no part of the work
may be utilized or reproduced, in any form or by any means, without permission in
writing from the publisher.
The work has been developed for automotive applications only. It has neither been
developed, nor tested for non-automotive applications.
The word AUTOSAR and the AUTOSAR logo are registered trademarks.


Contents
1 Scope of this document 6

2 Conventions to be used 7
2.1 Requirements Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.1 Requirements quality . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.2 Requirements identification . . . . . . . . . . . . . . . . . . . . 7
2.1.3 Requirements status . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Acronyms and abbreviations 9

4 Requirements Specification 11
4.1 Functional Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 Functional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2.1 Startup and Shutdown of Applications . . . . . . . . . . . . . . 12
4.2.2 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2.3 State Management . . . . . . . . . . . . . . . . . . . . . . . . 18
4.2.4 Error Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2.5 Support for Diagnostics . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Non-Functional Requirements . . . . . . . . . . . . . . . . . . . . . . . . 20
5 Requirements Tracing 21
5.1 Not applicable requirements . . . . . . . . . . . . . . . . . . . . . . . . . 22
6 References 23

7 History of Constraints and Specification Items 24


7.1 Constraint and Specification Item History of this document according
to AUTOSAR Release 17-03 . . . . . . . . . . . . . . . . . . . . . . . . . 24
7.1.1 Added Requirements in 17-03 . . . . . . . . . . . . . . . . . . 24
7.1.2 Changed Requirements in 17-03 . . . . . . . . . . . . . . . . . 25
7.1.3 Deleted Requirements in 17-03 . . . . . . . . . . . . . . . . . . 25
7.2 Constraint and Specification Item History of this document according
to AUTOSAR Release 17-10 . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.2.1 Added Requirements in 17-10 . . . . . . . . . . . . . . . . . . 25
7.2.2 Changed Requirements in 17-10 . . . . . . . . . . . . . . . . . 25
7.2.3 Deleted Requirements in 17-10 . . . . . . . . . . . . . . . . . . 26
7.3 Constraint and Specification Item History of this document according
to AUTOSAR Release 18-03 . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.3.1 Added Requirements in 18-03 . . . . . . . . . . . . . . . . . . 26
7.3.2 Changed Requirements in 18-03 . . . . . . . . . . . . . . . . . 26
7.3.3 Deleted Requirements in 18-03 . . . . . . . . . . . . . . . . . . 26
7.4 Constraint and Specification Item History of this document according
to AUTOSAR Release 18-10 . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.4.1 Added Requirements in 18-10 . . . . . . . . . . . . . . . . . . 27
7.4.2 Changed Requirements in 18-10 . . . . . . . . . . . . . . . . . 27

7.4.3 Deleted Requirements in 18-10 . . . . . . . . . . . . . . . . . . 28


7.5 Constraint and Specification Item History of this document according
to AUTOSAR Release 19-03 . . . . . . . . . . . . . . . . . . . . . . . . . 28
7.5.1 Added Requirements in 19-03 . . . . . . . . . . . . . . . . . . 28
7.5.2 Changed Requirements in 19-03 . . . . . . . . . . . . . . . . . 28
7.5.3 Deleted Requirements in 19-03 . . . . . . . . . . . . . . . . . . 28
7.6 Constraint and Specification Item History of this document according
to AUTOSAR Release R19-11 . . . . . . . . . . . . . . . . . . . . . . . . 28
7.6.1 Added Requirements in 19-11 . . . . . . . . . . . . . . . . . . 28
7.6.2 Changed Requirements in 19-11 . . . . . . . . . . . . . . . . . 29
7.6.3 Deleted Requirements in 19-11 . . . . . . . . . . . . . . . . . . 29
7.7 Constraint and Specification Item History of this document according
to AUTOSAR Release R20-11 . . . . . . . . . . . . . . . . . . . . . . . . 29
7.7.1 Added Requirements in R20-11 . . . . . . . . . . . . . . . . . 29
7.7.2 Changed Requirements in R20-11 . . . . . . . . . . . . . . . . 29
7.7.3 Deleted Requirements in R20-11 . . . . . . . . . . . . . . . . . 29
7.8 Constraint and Specification Item History of this document according
to AUTOSAR Release R21-11 . . . . . . . . . . . . . . . . . . . . . . . . 30
7.8.1 Added Requirements in R21-11 . . . . . . . . . . . . . . . . . 30
7.8.2 Changed Requirements in R21-11 . . . . . . . . . . . . . . . . 30
7.8.3 Deleted Requirements in R21-11 . . . . . . . . . . . . . . . . . 30
7.9 Constraint and Specification Item History of this document according
to AUTOSAR Release R22-11 . . . . . . . . . . . . . . . . . . . . . . . . 30
7.9.1 Added Requirements in R22-11 . . . . . . . . . . . . . . . . . 30
7.9.2 Changed Requirements in R22-11 . . . . . . . . . . . . . . . . 30
7.9.3 Deleted Requirements in R22-11 . . . . . . . . . . . . . . . . . 31
7.10 Constraint and Specification Item History of this document according
to AUTOSAR Release R23-11 . . . . . . . . . . . . . . . . . . . . . . . . 31
7.10.1 Added Requirements in R23-11 . . . . . . . . . . . . . . . . . 31
7.10.2 Changed Requirements in R23-11 . . . . . . . . . . . . . . . . 31
7.10.3 Deleted Requirements in R23-11 . . . . . . . . . . . . . . . . . 32


1 Scope of this document


This document specifies requirements of the AUTOSAR Adaptive Platform on the Execution Management. The motivation is to provide a standardized way to start, stop and police applications platform wide.


2 Conventions to be used
The representation of requirements in AUTOSAR documents follows the table spec-
ified in [TPS_STDT_00078], see Standardization Template [1], chapter Support for
Traceability.
The verbal forms for the expression of obligation specified in [TPS_STDT_00053] shall
be used to indicate requirements, see Standardization Template [1], chapter Support
for Traceability.

2.1 Requirements Guidelines

2.1.1 Requirements quality

2.1.2 Requirements identification

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as follows.
Note that the requirement level of the document in which they are used modifies the force of these words.
• MUST: This word, or the adjective "LEGALLY REQUIRED", means that the definition is an absolute requirement of the specification due to legal issues.
• MUST NOT: This phrase, or the phrase "MUST NOT", means that the definition is an absolute prohibition of the specification due to legal issues.
• SHALL: This phrase, or the adjective "REQUIRED", means that the definition is an absolute requirement of the specification.
• SHALL NOT: This phrase means that the definition is an absolute prohibition of the specification.
• SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
• SHOULD NOT: This phrase, or the phrase "NOT RECOMMENDED", means that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.
• MAY: This word, or the adjective "OPTIONAL", means that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item.
An implementation, which does not include a particular option, SHALL be prepared to interoperate with another implementation, which does include the option, though perhaps with reduced functionality. In the same vein an implementation, which does include a particular option, SHALL be prepared to interoperate with another implementation, which does not include the option (except, of course, for the feature the option provides.)

2.1.3 Requirements status

The following requirements are described within this document but not otherwise considered in this release:
• [RS_EM_00111] – Identification of Processes
The functionality described above is subject to modification and will be considered for inclusion in a future release of this document.


3 Acronyms and abbreviations


All technical terms used throughout this document – except the ones listed here – can
be found in the official [2] AUTOSAR Glossary or [3] TPS Manifest Specification.
Term: Description

process: A process refers to the OS concept of a running process. Attention: process is not equal to Modelled Process (see below). Hence each Modelled Process has at some time a related (OS) process but a process may not always have a related Modelled Process.

Modelled Process: A Modelled Process is an instance of an Executable to be executed on a Machine.

Execution Dependency: Dependencies between Executable instances can be configured to define a sequence for starting and terminating them.

Execution Management: The element of the AUTOSAR Adaptive Platform responsible for the ordered startup and shutdown of the AUTOSAR Adaptive Platform and Adaptive Applications.

State Management: The element defining modes of operation for AUTOSAR Adaptive Platform. It allows flexible definition of functions which are active on the platform at any given time.

Identity and Access Management (IAM): An Adaptive Platform Service within the AUTOSAR Adaptive Platform.

Function Group: A Function Group is a set of coherent Modelled Processes, which need to be controlled consistently. Depending on the state of the Function Group, processes (related to the Modelled Processes) are started or terminated. Processes can belong to more than one Function Group State (but to exactly one Function Group). "MachineFG" is a Function Group with a predefined name, which is mainly used to control Machine lifecycle and processes of platform level Applications. Other Function Groups are general purpose tools used (for example) to control processes of user level Applications.

Function Group State: The element of State Management that characterizes the current status of a set of (functionally coherent) user-level Applications. The set of Function Groups and their Function Group States is machine specific and is configured in the Machine Manifest.

Machine State: A state of Function Group "MachineFG" with some predefined states (Startup/Shutdown/Restart). This term can refer to the current state ("The Machine State is ..."), to a specific state ("In Machine State Startup ..."), or to a set of states ("In Machine States Startup or Shutdown ...").

Time Determinism: The results of a calculation are guaranteed to be available before a given deadline.

Data Determinism: The results of a calculation only depend on the input data and are reproducible, assuming a given initial internal state.

Full Determinism: Combination of Time and Data Determinism.

Communication Management: A Functional Cluster within the Adaptive Platform Foundation.

Execution Manifest: Manifest file to configure execution of an Adaptive Application. An Execution Manifest is created at integration time and deployed onto a Machine together with the Executable to which it is attached. It supports the integration of the Executable code and describes the configuration properties (startup parameters, resource group assignment etc.) of each process, i.e. started instance of that Executable.

Machine Manifest: Manifest file to configure a Machine. The Machine Manifest holds all configuration information which cannot be assigned to a specific Executable or process.

Operating System: Software responsible for managing processes on a Machine and for providing an interface to hardware resources.

ResourceGroup: Configuration element to enable restrictions on resource use by Adaptive Applications running in the group.

ExecutionClient: Adaptive Application interface to Execution Management.

DeterministicClient: Adaptive Application interface to Execution Management to support control of the process-internal cycle, a deterministic worker pool, activation time stamps and random numbers.

Platform Health Management: A Functional Cluster within the Adaptive Platform Foundation.

Process State: Lifecycle state of a Modelled Process.

Service Instance Manifest: Manifest file to configure Service usage of an Adaptive Application.

Trusted Platform: An execution platform supporting a continuous chain of trust from boot through to application, supporting authentication (that all code executed is from the claimed source) and integrity validation (that prevents tampered code/data from being executed).

Table 3.1: Technical Terms

The following technical terms used throughout this document are defined in the official
[2] AUTOSAR Glossary or [3] TPS Manifest Specification – they are repeated here for
tracing purposes.
Term: Description
Adaptive Application see [2] AUTOSAR Glossary
Application see [2] AUTOSAR Glossary
AUTOSAR Adaptive Platform see [2] AUTOSAR Glossary
Adaptive Platform Foundation see [2] AUTOSAR Glossary
Manifest see [2] AUTOSAR Glossary
Executable see [2] AUTOSAR Glossary
Functional Cluster see [2] AUTOSAR Glossary
Adaptive Platform Service see [2] AUTOSAR Glossary
Machine see [2] AUTOSAR Glossary
Service see [2] AUTOSAR Glossary
Service Interface see [2] AUTOSAR Glossary
Service Discovery see [2] AUTOSAR Glossary

Table 3.2: Glossary-defined Technical Terms


4 Requirements Specification

4.1 Functional Overview


The AUTOSAR Adaptive Platform provides services to influence the lifecycle of Applications based on configuration. This document therefore includes requirements that determine the facilities provided by Execution Management to affect the machine-wide startup, shutdown and restart of an Application based on configuration.
Execution Management is responsible for all aspects of platform lifecycle management and application lifecycle management, including:
• Machine startup and shutdown.
– Execution Management is the initial ("boot") process of the operating system.
• Required process hierarchy of started services, e.g., init and its child process.
– after booting. The boot process in this case corresponds to machine init process.
• Provision of process isolation with each instance of an Executable managed as a single process.
• Startup and shutdown of Applications.
– Loading Executable based on a defined Execution Dependency.
– Specific requirements until starting an Executable main function (i.e. entry point)
• Privileges and use of access control
– description and semantics of access control in manifest files
• State management
– Conditions for the execution of Applications
EM, PHM and SM are the main safety relevant functional clusters of the AUTOSAR Adaptive Platform. Consequently, their development may require certain processes to be followed - as recommended in ISO26262. A safety argumentation for the AUTOSAR Adaptive Platform, describing functional safety measures and use-cases is provided through Explanation of Safety Overview [4].


4.2 Functional Requirements


This section describes all requirements driving the work to define Execution Management functionality.

4.2.1 Startup and Shutdown of Applications

[RS_EM_00002]{DRAFT} Execution Management shall set-up one process for the execution of each Modelled Process. ⌈
Description: For each instance of an Executable, Execution Management shall allocate one POSIX process. Furthermore process specific properties (like priority, scheduling policy and access rights) shall be assigned based on the Execution Manifest.
Rationale: Isolation of Executable instances from each other.
Dependencies: –
Use Case: Safety and security related Applications require isolation.
Supporting Material: –
⌋(RS_Main_00010, RS_Main_00049, RS_Main_00080, RS_Main_00320, RS_Main_00150, RS_Main_00420, RS_SAF_10037)
[RS_EM_00014]{DRAFT} Execution Management shall support a Trusted Platform. ⌈
Description: Execution Management shall ensure that integrity and authenticity are checked for all Executables and their corresponding Execution Management meta-data (i.e. processed Machine and Execution Manifests), and shall only allow starting Executables that passed validation check.
Rationale: Execution Management takes over the responsibility from Operating System and/or boot loader for AUTOSAR Adaptive Platform startup and hence for keeping the platform trusted. Execution Management is the only AUTOSAR Adaptive Platform entity allowed to start Executables and therefore responsible for the continuation of trust for the AUTOSAR Adaptive Platform.
Dependencies: –
Use Case: Verify the integrity and authenticity of software deployed on AUTOSAR Adaptive Platform.
Supporting Material: –
⌋(RS_Main_00170, RS_Main_00514, RS_Main_00180)


[RS_EM_00015]{DRAFT} Execution Management shall support integrity and authenticity monitoring. ⌈
Description: Execution Management shall support configurable integrity and authenticity monitoring for all Executables and their corresponding Execution Management meta-data (i.e. processed Machine and Execution Manifests).
Rationale: Execution Management takes over the responsibility from Operating System and/or boot loader for AUTOSAR Adaptive Platform startup and hence for keeping the platform trusted. Execution Management is the only AUTOSAR Adaptive Platform entity allowed to start Executables and therefore responsible for the continuation of trust for the AUTOSAR Adaptive Platform. However unsigned SW (or incorrectly signed SW) may at times be used and to allow this, Execution Management should optionally support execution. However the presence of such deployments should be noted.
Dependencies: –
Use Case: Support deployment of prototype (unsigned) software during system development.
Supporting Material: –
⌋(RS_Main_00170, RS_Main_00514, RS_Main_00180)
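The start-time gate that [RS_EM_00014] and [RS_EM_00015] describe can be made concrete as a small policy object: the manifest's authenticity is checked first, the Executable's digest is then compared with the digest the manifest declares, and an integrator flag decides whether an unsigned (prototype) deployment may run at all, in which case it is recorded rather than silently accepted. The following is an added example written for this page, not AUTOSAR or vendor code. It assumes a constructed JSON manifest carrying an `executable_sha256` field, and it stands in for a platform signature with an HMAC under a constructed integrator key; a real Trusted Platform would verify an asymmetric signature chained to the boot-time root of trust, which the Python standard library cannot do on its own.

```python
"""Start-time integrity and authenticity gate (illustration of RS_EM_00014/00015).

Added example, not AUTOSAR code. Constructed assumptions: the Execution Manifest
is JSON naming the SHA-256 of its Executable; manifest authenticity is shown by
an HMAC-SHA256 tag under INTEGRATOR_KEY (a stand-in for a real signature);
`allow_unsigned` is the integrator's switch for prototype deployments.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed key for this example only; a real platform keeps verification
# material in hardware-backed storage and uses public-key signatures.
INTEGRATOR_KEY = b"constructed-integrator-key-for-example-only"


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class StartGate:
    allow_unsigned: bool = False
    # RS_EM_00015: the presence of unsigned deployments "should be noted".
    unsigned_deployments: List[str] = field(default_factory=list)

    def check(self, name: str, manifest: bytes, tag: Optional[bytes], executable: bytes) -> Decision:
        """Decide whether `executable` may be started under `manifest`."""
        if tag is None:
            # No authenticity evidence: only a configured prototype deployment
            # may proceed, and it is recorded for later inspection.
            if not self.allow_unsigned:
                return Decision(False, "manifest unsigned and unsigned deployments disabled")
            self.unsigned_deployments.append(name)
            if not self._digest_matches(manifest, executable):
                return Decision(False, "executable digest does not match manifest")
            return Decision(True, "unsigned prototype deployment recorded")

        expected = hmac.new(INTEGRATOR_KEY, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            # Manifest meta-data is itself part of the trusted set (RS_EM_00014).
            return Decision(False, "manifest authenticity check failed")
        if not self._digest_matches(manifest, executable):
            return Decision(False, "executable digest does not match manifest")
        return Decision(True, "manifest authentic, executable integrity verified")

    @staticmethod
    def _digest_matches(manifest: bytes, executable: bytes) -> bool:
        declared = json.loads(manifest)["executable_sha256"]
        actual = hashlib.sha256(executable).hexdigest()
        return hmac.compare_digest(declared, actual)


def build_manifest(executable: bytes) -> bytes:
    """Integration-time step: constructed manifest with only the field used here."""
    return json.dumps({"executable_sha256": hashlib.sha256(executable).hexdigest()}).encode()


def sign_manifest(manifest: bytes) -> bytes:
    """Integration-time step, included so the example runs stand-alone."""
    return hmac.new(INTEGRATOR_KEY, manifest, hashlib.sha256).digest()


def demo() -> dict:
    """Run the gate over constructed deployments and return each outcome."""
    exe = b"\x7fELF constructed executable image"
    manifest = build_manifest(exe)
    tag = sign_manifest(manifest)
    strict = StartGate(allow_unsigned=False)
    lenient = StartGate(allow_unsigned=True)
    return {
        "good": strict.check("app_a", manifest, tag, exe).allowed,
        "tampered_exe": strict.check("app_b", manifest, tag, exe + b"\x90").allowed,
        "tampered_manifest": strict.check("app_c", manifest + b" ", tag, exe).allowed,
        "unsigned_strict": strict.check("proto", manifest, None, exe).allowed,
        "unsigned_lenient": lenient.check("proto", manifest, None, exe).allowed,
        "recorded": list(lenient.unsigned_deployments),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two details carry the security weight: the manifest tag is verified before the manifest is parsed for anything, so a forged manifest cannot steer the integrity check; and the unsigned path still checks the Executable against its own manifest, so a prototype deployment that is merely corrupted is refused rather than treated as an accepted exception.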


[RS_EM_00005]{DRAFT} Execution Management shall support the configuration of OS resource budgets for process and groups of processes. ⌈
Description: Based on the Execution Manifest, Execution Management shall allocate OS resources to the process. The allocation shall be possible for single process and groups of processes.
Rationale: Real-time guarantees shall be defined
Dependencies: –
Use Case: Like cgroups (based on containers which contain one or more processes) and ulimit.
Supporting Material: –
⌋(RS_Main_00002, RS_Main_00010, RS_Main_00106, RS_Main_00340, RS_Main_00150, RS_SAF_10008)
[RS_EM_00008]{DRAFT} Execution Management shall support the binding of all threads of a given process to a specified set of processor cores. ⌈
Description: Execution Management shall allow the binding of threads to specific set of processor cores based on configuration in the Execution Manifest. The binding granularity shall be at process level.
Rationale: Mechanism to influence load balancing, reaction times, and latencies.
Dependencies: –
Use Case: A process can be assigned to designated cores to limit thread migration between cores available on the Machine.
Supporting Material: –
⌋(RS_Main_00010, RS_Main_00050, RS_Main_00106, RS_Main_00320, RS_Main_00501, RS_Main_00150, RS_SAF_10008)
[RS_EM_00009]{DRAFT} Execution Management shall control the right to create child processes for each process it starts. ⌈
Description: Execution Management is responsible for starting child processes and shall prevent such child processes from directly starting other processes, unless configured otherwise.
Rationale: Execution Management needs full control of starting applications to ensure required isolation of temporal and spatial properties. However, existing software may require rights to create child processes and it can be unpractical to modify it for use with AUTOSAR Adaptive Platform. For this reason, Execution Management allows selected processes to create child processes, but this must be configured by integrator and is not a right that is granted by default.
Dependencies: –
Use Case: Segregation between applications with different safety and/or security properties.
Supporting Material: –
⌋(RS_Main_00010, RS_Main_00011, RS_Main_00049, RS_Main_00150, RS_SAF_10001, RS_SAF_10008)
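[RS_EM_00002], [RS_EM_00005], [RS_EM_00008] and [RS_EM_00009] together describe what has to happen between fork() and exec() of a Modelled Process: one POSIX process per instance, scheduling properties and access rights from the Execution Manifest, a resource budget, a core set, and no right to create child processes unless the integrator grants it. The following added example (written for this page, not AUTOSAR or vendor code) shows one way to apply those properties in the child on Linux. The `ProcessManifest` record, the sample values and the placeholder paths are constructed; the real Execution Manifest is an ARXML model with far more fields. The child-process restriction is expressed with `RLIMIT_NPROC`, one of the `ulimit`-style controls the requirement's use case mentions.

```python
"""Per-process set-up from an Execution Manifest (illustration of RS_EM_00002,
RS_EM_00005, RS_EM_00008, RS_EM_00009). Added example, not AUTOSAR code.

Assumptions: Linux (sched_setaffinity, RLIMIT_NPROC); ProcessManifest is a
constructed subset of the real Execution Manifest; paths and ids in the samples
are placeholders. Everything is applied in the child between fork() and execv(),
so the application never runs with the manager's identity, cores or budgets.
"""
import os
import resource
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class ProcessManifest:
    name: str
    executable: str               # path of the Executable (placeholder in samples)
    uid: int                      # access rights: identity the process runs as
    gid: int
    cores: str                    # RS_EM_00008 core set, e.g. "0,2-3"
    sched_policy: int             # os.SCHED_OTHER, os.SCHED_FIFO, ...
    priority: int
    max_memory_bytes: int         # RS_EM_00005 resource budget
    allow_child_processes: bool = False   # RS_EM_00009: not granted by default


def parse_core_set(spec: str) -> Set[int]:
    """Expand "0,2-3" into {0, 2, 3}; a garbled or empty list is a config error."""
    cores: Set[int] = set()
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad core range {part!r}")
            cores.update(range(lo, hi + 1))
        elif part:
            cores.add(int(part))
    if not cores:
        raise ValueError("manifest names no cores")
    return cores


def plan_rlimits(m: ProcessManifest) -> Dict[int, Tuple[int, int]]:
    """Translate manifest budgets into setrlimit() arguments (pure, testable)."""
    limits = {resource.RLIMIT_AS: (m.max_memory_bytes, m.max_memory_bytes)}
    if not m.allow_child_processes:
        # RLIMIT_NPROC counts the processes of the real uid; with a hard limit
        # of 0 every fork() attempted by this process fails with EAGAIN.
        limits[resource.RLIMIT_NPROC] = (0, 0)
    return limits


def apply_manifest(m: ProcessManifest) -> None:
    """Child-side set-up before execv(). Order matters: privileged steps first,
    then the irreversible identity change, then the budgets."""
    os.sched_setaffinity(0, parse_core_set(m.cores))
    # Real-time policies need CAP_SYS_NICE, so this runs while still privileged.
    os.sched_setscheduler(0, m.sched_policy, os.sched_param(m.priority))
    os.setgid(m.gid)
    os.setuid(m.uid)
    # Lowering one's own limits needs no privilege, and RLIMIT_NPROC is not
    # enforced against root anyway, so the budgets go on after the uid change.
    for res, (soft, hard) in plan_rlimits(m).items():
        resource.setrlimit(res, (soft, hard))


def launch(m: ProcessManifest) -> int:
    """RS_EM_00002: exactly one POSIX process per Modelled Process."""
    pid = os.fork()
    if pid == 0:
        try:
            apply_manifest(m)
            os.execv(m.executable, [m.executable])
        finally:
            # A half-configured child must never continue running manager code.
            os._exit(127)
    return pid


# Constructed samples; paths and ids are placeholders, not a real deployment.
SAMPLE = ProcessManifest("app_a", "/opt/app_a/bin/app_a", 1001, 1001, "0,2-3",
                         os.SCHED_OTHER, 0, 256 * 1024 * 1024)
SAMPLE_WITH_CHILDREN = ProcessManifest("legacy_b", "/opt/legacy_b/bin/legacy_b", 1002, 1002,
                                       "1", os.SCHED_OTHER, 0, 64 * 1024 * 1024,
                                       allow_child_processes=True)
```

The pure helpers (`parse_core_set`, `plan_rlimits`) can be unit-tested without forking, which is also where a manifest validation step belongs: a descending core range or an empty core list is rejected at integration time rather than discovered as a failed `sched_setaffinity` in the child.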
[RS_EM_00010] Execution Management shall support multiple instances of Executables. ⌈
Description: It shall be possible to start more than one Modelled Process from a single Executable. Instance specific information is described in Modelled Process startup configuration.
Rationale: Avoid code duplication.
Dependencies: –
Use Case: Redundancy of an Executable by parallel execution of two instances.
Supporting Material: –
⌋(RS_Main_00002, RS_Main_00049, RS_Main_00106, RS_Main_00501)


[RS_EM_00011] Execution Management shall support self-initiated graceful shutdown of processes. ⌈
Description: Execution Management shall support self-initiated graceful shutdown of processes.
Rationale: Self-initiated graceful shutdown enables a process to free allocated dedicated resources and inform other interacting entities about its shutdown (e.g. de-registering a service) to create a consistent state within the Machine/vehicle. Self-initiated process shutdown is, by definition, only initiated by the process itself.
Dependencies: –
Use Case: The process of an Executable instance is finished and shuts down itself.
Supporting Material: –
⌋(RS_Main_00002, RS_Main_00049)
[RS_EM_00100] Execution Management shall support the ordered startup and shutdown of processes. ⌈
Description: Execution Management shall support the ordered startup and shutdown of Executable instances.
Rationale: Ensure that startup and shutdown dependencies between Executable instances are respected, if an execution dependency is specified in the Execution Manifest of an Executable instance. If no execution dependency is specified between Executable instances, they can be started and stopped in an arbitrary order.
Dependencies: –
Use Case: An Executable needs a specific functional cluster to be up and running before it can be started.
Supporting Material: –
⌋(RS_Main_00002, RS_Main_00049, RS_Main_00340, RS_Main_00460)

4.2.2 Execution

[RS_EM_00050]{DRAFT} Execution Management shall perform Machine-wide coordination of processes. ⌈
Description: Execution Management shall provide an API for a process to register its activities for being able to coordinate their execution.
Rationale: Coordinated scheduling of activities across Executables.
Dependencies: –
Use Case: Usage of computation resources within the running processes shall be managed in the Machine to ensure that activities can be coordinated across processes. Registration enables Execution Management to form the necessary Machine-wide view for the coordination.
Supporting Material: –
⌋(RS_Main_00460, RS_SAF_10008)
[RS_EM_00051]{DRAFT} Execution Management shall provide APIs to the process for configuring external trigger conditions for its activities. ⌈
Description: Execution Management shall provide an API for configuring the trigger conditions of registered activities.
Rationale: Execution Management shall have the information when to schedule the activities.
Dependencies: –
Use Case: Execution on data receipt, sequencing of activity execution.
Supporting Material: –
⌋(RS_Main_00050, RS_Main_00060)
[RS_EM_00052]{DRAFT} Execution Management shall provide APIs to the process for configuring cyclic triggering of its activities. ⌈
Description: Execution Management shall provide an API for configuring the cyclic triggering of registered activities.
Rationale: Execution Management shall have the information when to schedule the activities.
Dependencies: –
Use Case: Cyclic execution of activities
Supporting Material: –
⌋(RS_Main_00050, RS_Main_00340)
[RS_EM_00053]{OBSOLETE} Execution Management shall provide APIs to the process to support deterministic redundant execution of processes. ⌈
Description: Execution Management shall provide APIs to support deterministic redundant execution of processes.
Rationale: High ASIL systems require safety mechanism like software lockstep to be implemented on non-automotive grade microprocessors. The redundant execution shall guarantee deterministic, i.e. reproducible results.
Dependencies: –
Use Case: Redundant execution of activities to implement software lockstep
Supporting Material: –
⌋(RS_Main_00010, RS_Main_00501, RS_SAF_10028)


[RS_EM_00113]{DRAFT} Execution Management shall support time-triggered execution. ⌈
Description: Execution Management shall facilitate time-triggered periodic execution.
Rationale: Algorithms in processes can be time-triggered. The OS needs to provide mechanisms to allow the time-triggered execution of applications. The triggers need to contain at least external timers, but are not limited to.
Dependencies: –
Use Case: Redundant execution of activities to implement software lockstep
Supporting Material: –
⌋(RS_Main_00010, RS_Main_00501, RS_SAF_10028)


[RS_EM_00111]{DRAFT} Execution Management shall assist identification of processes during Machine runtime. ⌈
Description: Adaptive Applications shall be identifiable, for example by Identity and Access Management, during runtime so that access restrictions can be enforced. Execution Management spawns runtime processes based on Execution Manifest. Execution Management is qualified to assist AUTOSAR Adaptive Platform software, such as Identity and Access Management, by providing information about the link between runtime representation and Modelled Process.
Rationale: Adaptive Applications shall be identifiable by Identity and Access Management on the basis of their runtime representation as spawned by Execution Management.
Dependencies: –
Use Case: App A requests access on Service Interface. Identity and Access Management is able to retrieve runtime information of App A, e.g. POSIX pid or cryptographic token. Execution Management assists Identity and Access Management by resolving this runtime information to the Adaptive Application.
Supporting Material: –
⌋(RS_Main_00170, RS_Main_00514, RS_Main_00420)


[RS_EM_00152]{DRAFT} Execution Management shall support standardized trace points throughout the state transitions. ⌈
Description: Execution Management shall support standardized trace points throughout the state transitions.
Rationale: Providing standardized trace points in a Functional Cluster allows comparison of timing in different implementations upon state changes, such as upon application process creation, initialization, and termination.
Dependencies: ara::log
Use Case: Tracing and timing analysis of different Applications and Functional Clusters behavior.
Supporting Material: –
⌋(RS_Main_01026)

4.2.3 State Management

[RS_EM_00101]{DRAFT} Execution Management shall support State Management functionality. ⌈
Description: Execution Management shall provide an interface to State Management to request a change in Function Group State.
Rationale: To support the starting and stopping of processes based on declared Function Group State dependencies, Execution Management provides an interface to request Function Group State (including Machine State) changes by the State Management functional cluster. In response to state change requests, Execution Management ensures that only the required set of Application processes are running in any given operation conditions and therefore platform resources are saved for relevant processes.
Dependencies: –
Use Case: Provide a mechanism to define modes of operation of the Machine.
Supporting Material: –
⌋(RS_Main_00460)


[RS_EM_00103] Execution Management shall support process lifecycle management. ⌈

Description: The lifecycle of a process consists of its initialization, running and terminating (shutdown) phases. As well as supporting transitions between these phases of the process lifecycle, Execution Management should ensure that phases of processes, e.g. startup and shutdown, can be coordinated between groups of processes which shall run in the same Machine State or Function Group State. Coordination and tracking of lifecycle phases enables Execution Management to ensure that an Executable's processes are fully established and running before other processes which depend on their functionality can be started.
Rationale: Coordination and tracking of lifecycle phases enables Execution Management to ensure that Executable processes are fully established and running before other executable processes which depend on their functionality can be started.
Dependencies: –
Use Case: –
Supporting Material: –

⌋(RS_Main_00049, RS_Main_00050, RS_Main_00106, RS_Main_00460)

4.2.4 Error Handling

[RS_EM_00150]{DRAFT} Error Handling. ⌈

Description: Execution Management shall support error handling, including unrecoverable errors.
Rationale: Execution Management may face conditions under which it has no mechanism to recover the system. These situations are typically expected to result from a misconfigured system, and therefore a suitable response might be to halt startup so that the misconfiguration can be resolved.
Dependencies: –
Use Case: Execution Management cannot start PHM or State Management, and hence the platform as a whole cannot be started. It is not possible to recover from this situation, hence Execution Management must halt startup.
Supporting Material: –

⌋(RS_Main_00011)
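The behaviour described in the IAM use case above (resolving a pid to an Adaptive Application), in RS_EM_00101 (starting the process set for a requested Function Group State), RS_EM_00103 (dependency-ordered startup and shutdown) and RS_EM_00150 (halting startup when an essential process cannot be started), as a small C++ model added here for illustration; it is not AUTOSAR or vendor code, and all names (Process, ExecutionManager, RequestState, ResolvePid, the Function Group State names and the pid range) are constructed assumptions.

```cpp
// Added illustration, not AUTOSAR or vendor code: a minimal model of the
// Execution Management behaviour in RS_EM_00101, RS_EM_00103 and RS_EM_00150
// and of the IAM use case (pid -> Adaptive Application). All names hypothetical.
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>
enum class Phase { Idle, Running, Terminated };
struct Process {
    std::string name;
    std::set<std::string> fgStates;  // Function Group States it shall run in
    std::vector<std::string> deps;   // processes that must be Running first
    bool essential = false;          // e.g. State Management, PHM (RS_EM_00150)
    bool launchFails = false;        // constructed: simulates a failed exec()
};
struct StartupHalted : std::runtime_error { using std::runtime_error::runtime_error; };
class ExecutionManager {
public:
    void Add(const Process& p) { procs_[p.name] = p; phase_[p.name] = Phase::Idle; }
    // RS_EM_00101/00103: State Management requests a Function Group State; EM starts
    // its processes in dependency order, stops the others, returns the start order.
    std::vector<std::string> RequestState(const std::string& fg) {
        std::vector<std::string> order;
        for (bool progress = true; progress;) {
            progress = false;
            for (auto& kv : procs_) {
                const Process& p = kv.second;
                if (!p.fgStates.count(fg) || phase_[p.name] == Phase::Running) continue;
                bool ready = true;
                for (auto& d : p.deps) ready = ready && phase_[d] == Phase::Running;
                if (ready && Launch(p)) { order.push_back(p.name); progress = true; }
            }
        }
        for (auto& kv : procs_) {
            const Process& p = kv.second;
            if (!p.fgStates.count(fg) && phase_[p.name] == Phase::Running) {
                phase_[p.name] = Phase::Terminated;   // not needed in the new state
                pidOf_.erase(p.name);
            }
            // RS_EM_00150: an essential process that is not up is unrecoverable -> halt.
            if (p.fgStates.count(fg) && p.essential && phase_[p.name] != Phase::Running)
                throw StartupHalted("cannot start " + p.name + ": halting startup");
        }
        return order;
    }
    // IAM use case: resolve a caller's POSIX pid to the Adaptive Application.
    std::string ResolvePid(int pid) const {
        for (auto& kv : pidOf_) if (kv.second == pid) return kv.first;
        return "";                                // unknown: not started by EM
    }
    Phase PhaseOf(const std::string& n) const { return phase_.at(n); }
private:
    bool Launch(const Process& p) {               // real EM: fork/exec the Executable
        if (p.launchFails) return false;
        pidOf_[p.name] = nextPid_++;
        phase_[p.name] = Phase::Running;
        return true;
    }
    std::map<std::string, Process> procs_;
    std::map<std::string, Phase> phase_;
    std::map<std::string, int> pidOf_;            // constructed pids, from 1000 upward
    int nextPid_ = 1000;
};
```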

4.2.5 Support for Diagnostics

Support for Diagnostics is handled by State Management and therefore the requirements are replaced by the ones from [5].


4.3 Non-Functional Requirements

[RS_EM_00151]{DRAFT} Execution Management shall be implemented at least according to the highest safety integrity level of any process that is supported on the platform. ⌈

Description: Execution Management shall be implemented at least according to the highest safety integrity level of any process that is supported on the platform.
Rationale: Execution Management manages the instantiation and termination of all processes and therefore needs to be developed and executed according to the same safety standards as the highest-rated safety application it manages in the system.
Use Case: ASIL C, ASIL B and QM Applications are running on the AUTOSAR Adaptive Platform. Execution Management shall execute the ASIL C, ASIL B and QM applications; therefore Execution Management shall be implemented according to ASIL C.
AppliesTo: AP
Dependencies: EM
Supporting Material: –

⌋(RS_SAF_10001)


5 Requirements Tracing

The following tables reference the requirements specified in [6] and link to the fulfillment of these.
Please note that if the column “Satisfied by” is empty for a specific requirement, this means that this requirement is not fulfilled by this document. Likewise, an entry of [RS_EM_NA] indicates that the source requirement has been evaluated as “not applicable” to Execution Management.

Requirement | Description | Satisfied by
[RS_Main_00002] | AUTOSAR shall provide a software platform for high performance computing platforms | [RS_EM_00005] [RS_EM_00010] [RS_EM_00011] [RS_EM_00100]
[RS_Main_00010] | Safety Mechanisms | [RS_EM_00002] [RS_EM_00005] [RS_EM_00008] [RS_EM_00009] [RS_EM_00053] [RS_EM_00113]
[RS_Main_00011] | Mechanisms for Reliable Systems | [RS_EM_00009] [RS_EM_00150]
[RS_Main_00049] | AUTOSAR shall provide an Execution Management for running multiple applications | [RS_EM_00002] [RS_EM_00009] [RS_EM_00010] [RS_EM_00011] [RS_EM_00100] [RS_EM_00103]
[RS_Main_00050] | AUTOSAR shall provide an Execution Framework towards applications to implement concurrent application internal control flows | [RS_EM_00008] [RS_EM_00051] [RS_EM_00052] [RS_EM_00103]
[RS_Main_00060] | Standardized Application Communication Interface | [RS_EM_00051]
[RS_Main_00080] | Formal Description Language | [RS_EM_00002]
[RS_Main_00106] | AUTOSAR shall provide the possibility to extend the software with new SWCs without recompiling the platform foundation | [RS_EM_00005] [RS_EM_00008] [RS_EM_00010] [RS_EM_00103]
[RS_Main_00150] | AUTOSAR shall support the deployment and reallocation of AUTOSAR Application Software | [RS_EM_00002] [RS_EM_00005] [RS_EM_00008] [RS_EM_00009]
[RS_Main_00170] | AUTOSAR shall provide secure access to ECU data and services | [RS_EM_00014] [RS_EM_00015] [RS_EM_00111]
[RS_Main_00180] | Intellectual Property Protection | [RS_EM_00014] [RS_EM_00015]
[RS_Main_00320] | AUTOSAR shall provide formats to specify system development | [RS_EM_00002] [RS_EM_00008]
[RS_Main_00340] | AUTOSAR shall support the continuous timing requirement analysis | [RS_EM_00005] [RS_EM_00052] [RS_EM_00100]
[RS_Main_00420] | AUTOSAR shall use established software standards and consolidate de-facto standards for basic software functionality | [RS_EM_00002] [RS_EM_00111]
[RS_Main_00460] | AUTOSAR shall standardize methods to organize mode management on Application, ECU and System level | [RS_EM_00050] [RS_EM_00100] [RS_EM_00101] [RS_EM_00103]
[RS_Main_00501] | AUTOSAR shall support redundancy concepts | [RS_EM_00008] [RS_EM_00010] [RS_EM_00053] [RS_EM_00113]
[RS_Main_00514] | System Security Support | [RS_EM_00014] [RS_EM_00015] [RS_EM_00111]
[RS_Main_01026] | AUTOSAR shall support tracing and profiling on the target and onboard | [RS_EM_00152]
[RS_SAF_10001] | AUTOSAR shall provide mechanisms to support safe initialization of software components. | [RS_EM_00009] [RS_EM_00151]
[RS_SAF_10008] | AUTOSAR shall provide mechanisms to support safe resource management for the AUTOSAR Adaptive Platform functional-clusters, applications and services and AUTOSAR Classic Platform basic software modules and software components. | [RS_EM_00005] [RS_EM_00008] [RS_EM_00009] [RS_EM_00050]
[RS_SAF_10028] | AUTOSAR shall provide mechanisms to support dependable scheduling of AUTOSAR Adaptive Platform functional-clusters, applications and services and AUTOSAR Classic Platform basic software modules and software components. | [RS_EM_00053] [RS_EM_00113]
[RS_SAF_10037] | AUTOSAR shall provide mechanisms to prevent unintended alteration of data. | [RS_EM_00002]
Table 5.1: Requirements Tracing

5.1 Not applicable requirements

[RS_EM_NA]{DRAFT} ⌈These requirements are not applicable as they are not within the scope of this release.⌋(RS_Main_01025, RS_Main_00650, RS_Main_00026, RS_Main_00030, RS_Main_00190, RS_Main_00230, RS_Main_00250, RS_Main_00260, RS_Main_00261, RS_Main_00270, RS_Main_00280, RS_Main_00285, RS_Main_00300, RS_Main_00301, RS_Main_00310, RS_Main_00350, RS_Main_00360, RS_Main_00410, RS_Main_00440, RS_Main_00445, RS_Main_00490, RS_Main_00491, RS_Main_00500, RS_Main_00503, RS_Main_00507, RS_Main_00510, RS_Main_00511, RS_Main_00512, RS_Main_00653, RS_Main_01001, RS_Main_01002, RS_Main_01003, RS_Main_01004, RS_Main_01005, RS_Main_01007, RS_Main_01008)


6 References

[1] Standardization Template, AUTOSAR_FO_TPS_StandardizationTemplate
[2] Glossary, AUTOSAR_FO_TR_Glossary
[3] Specification of Manifest, AUTOSAR_AP_TPS_ManifestSpecification
[4] Explanation of Safety Overview, AUTOSAR_FO_EXP_SafetyOverview
[5] Requirements of State Management, AUTOSAR_AP_RS_StateManagement
[6] Main Requirements, AUTOSAR_FO_RS_Main


7 History of Constraints and Specification Items

Please note that the lists in this chapter also include constraints and specification items that have been removed from the specification in a later version. These constraints and specification items do not appear as hyperlinks in the document.

7.1 Constraint and Specification Item History of this document according to AUTOSAR Release 17-03

7.1.1 Added Requirements in 17-03

Number Heading
[RS_EM_00001] The Execution Management shall load Executables
[RS_EM_00002] The Execution Management shall set-up one process for the execution of each Executable instance
[RS_EM_00003] The Execution Management shall support the checking of the integrity of Executables at startup of Executable
[RS_EM_00004] The Execution Management shall support the authentication and authorization of Executables at startup of Executable
[RS_EM_00005] The Execution Management shall support the configuration of OS resource budgets for Executable and groups of Executables
[RS_EM_00006] The Execution Management shall support the analysis of available and required OS resource budgets for Executables and groups of Executables during installation and run-time
[RS_EM_00007] The Execution Management shall support the allocation of dedicated resources for the Executable (e.g. GPU)
[RS_EM_00008] The Execution Management shall support the binding of Executable threads to a specified set of processor cores.
[RS_EM_00009] Only Execution Management shall start Executables
[RS_EM_00010] The Execution Management shall support multiple instantiation of Executables
[RS_EM_00011] Execution Management shall support self-initiated graceful shutdown of Executable instances
[RS_EM_00012] Application Manifest shall support unambiguous identification of Executable instances
[RS_EM_00013] Execution Management shall support configurable recovery actions
[RS_EM_00100] The Execution Management shall support the ordered startup and shutdown of Executables
[RS_EM_00050] The Execution Management shall do a system-wide coordination of activities.
[RS_EM_00051] The Execution Management shall provide functions to the Executable for configuring external trigger conditions for its activities
[RS_EM_00052] The Execution Management shall provide functions to the Executable for configuring cyclic triggering of its activities
[RS_EM_00101] The Execution Management shall provide Machine State Management functionality
[RS_EM_00103] Execution Management shall support application lifecycle management
Table 7.1: Added Requirements in 17-03

7.1.2 Changed Requirements in 17-03

none

7.1.3 Deleted Requirements in 17-03

none

7.2 Constraint and Specification Item History of this document according to AUTOSAR Release 17-10

7.2.1 Added Requirements in 17-10

Number Heading
[RS_EM_00053] The Execution Management shall provide functions to support redundant execution of Executables
[RS_EM_00110] Execution Management shall support diagnostic reset cause
Table 7.2: Added Requirements in 17-10

7.2.2 Changed Requirements in 17-10

none


7.2.3 Deleted Requirements in 17-10

Number Heading
[RS_EM_00001] The Execution Management shall load Executables
[RS_EM_00103] Execution Management shall support application lifecycle management
Table 7.3: Deleted Requirements in 17-10

7.3 Constraint and Specification Item History of this document according to AUTOSAR Release 18-03

7.3.1 Added Requirements in 18-03

Number Heading
[RS_EM_00151] Execution Management shall be implemented at least according to the highest safety integrity level of any process that is supported on the platform.
Table 7.4: Added Requirements in 18-03

7.3.2 Changed Requirements in 18-03

Number Heading
[RS_EM_00009] Only Execution Management shall start Executables
[RS_EM_00101] The Execution Management shall provide Machine State Management functionality
[RS_EM_00103] Execution Management shall support application lifecycle management
[RS_EM_00110] Execution Management shall support diagnostic reset cause
Table 7.5: Changed Requirements in 18-03

7.3.3 Deleted Requirements in 18-03

Number Heading
[RS_EM_00006] The Execution Management shall support the analysis of available and required OS resource budgets for Executables and groups of Executables during installation and run-time
[RS_EM_00007] The Execution Management shall support the allocation of dedicated resources for the Executable (e.g. GPU)
[RS_EM_00012] Application Manifest shall support unambiguous identification of Executable instances
Table 7.6: Deleted Requirements in 18-03

7.4 Constraint and Specification Item History of this document according to AUTOSAR Release 18-10

7.4.1 Added Requirements in 18-10

Number Heading
[RS_EM_00014] Execution Management shall support a Trusted Platform
[RS_EM_00111] Execution Management shall assist identification of Processes during Machine runtime
Table 7.7: Added Requirements in 18-10

7.4.2 Changed Requirements in 18-10

Number Heading
[RS_EM_00002] The Execution Management shall set-up one process for the execution of each Executable instance
[RS_EM_00005] The Execution Management shall support the configuration of OS resource budgets for Executable and groups of Executables
[RS_EM_00011] Execution Management shall support self-initiated graceful shutdown of Executable instances
[RS_EM_00013] Execution Management shall support configurable recovery actions
[RS_EM_00101] The Execution Management shall provide Machine State Management functionality
Table 7.8: Changed Requirements in 18-10


7.4.3 Deleted Requirements in 18-10

Number Heading
[RS_EM_00003] The Execution Management shall support the checking of the integrity of Executables at startup of Executable
[RS_EM_00004] The Execution Management shall support the authentication and authorization of Executables at startup of Executable
Table 7.9: Deleted Requirements in 18-10

7.5 Constraint and Specification Item History of this document according to AUTOSAR Release 19-03

7.5.1 Added Requirements in 19-03

none

7.5.2 Changed Requirements in 19-03

Number Heading
[RS_EM_00008] The Execution Management shall support the binding of Executable threads to a specified set of processor cores.
Table 7.10: Changed Requirements in 19-03

7.5.3 Deleted Requirements in 19-03

none

7.6 Constraint and Specification Item History of this document according to AUTOSAR Release R19-11

7.6.1 Added Requirements in 19-11

none


7.6.2 Changed Requirements in 19-11

Number Heading
[RS_EM_00009] Only Execution Management shall start Executables
Table 7.11: Changed Requirements in 19-11

7.6.3 Deleted Requirements in 19-11

none

7.7 Constraint and Specification Item History of this document according to AUTOSAR Release R20-11

7.7.1 Added Requirements in R20-11

Number Heading
[RS_EM_00113] Execution Management shall support time-triggered execution
[RS_EM_00150] Error Handling
Table 7.12: Added Requirements in R20-11

7.7.2 Changed Requirements in R20-11

none

7.7.3 Deleted Requirements in R20-11

Number Heading
[RS_EM_00013] Execution Management shall support configurable recovery actions
Table 7.13: Deleted Requirements in R20-11


7.8 Constraint and Specification Item History of this document according to AUTOSAR Release R21-11

7.8.1 Added Requirements in R21-11

Number Heading
[RS_EM_00015] Execution Management shall support integrity and authenticity monitoring
Table 7.14: Added Requirements in R21-11

7.8.2 Changed Requirements in R21-11

none

7.8.3 Deleted Requirements in R21-11

none

7.9 Constraint and Specification Item History of this document according to AUTOSAR Release R22-11

7.9.1 Added Requirements in R22-11

Number Heading
[RS_EM_00151] Execution Management shall be implemented at least according to the highest safety integrity level of any process that is supported on the platform.
Table 7.15: Added Requirements in R22-11

7.9.2 Changed Requirements in R22-11

Number Heading
[RS_EM_00002] Execution Management shall set-up one process for the execution of each Modelled Process.
[RS_EM_00005] Execution Management shall support the configuration of OS resource budgets for process and groups of processes.
[RS_EM_00008] Execution Management shall support the binding of all threads of a given process to a specified set of processor cores.
[RS_EM_00009] Execution Management shall ensure it is the sole entity starting processes.
[RS_EM_00050] Execution Management shall perform Machine-wide coordination of processes.
[RS_EM_00053] Execution Management shall provide APIs to the process to support deterministic redundant execution of processes.
[RS_EM_00103] Execution Management shall support process lifecycle management.
[RS_EM_00113] Execution Management shall support time-triggered execution.
[RS_EM_NA]
Table 7.16: Changed Requirements in R22-11

7.9.3 Deleted Requirements in R22-11

none

7.10 Constraint and Specification Item History of this document according to AUTOSAR Release R23-11

7.10.1 Added Requirements in R23-11

Number Heading
[RS_EM_00152] Execution Management shall support standardized trace points throughout the state transitions.
Table 7.17: Added Requirements in R23-11

7.10.2 Changed Requirements in R23-11

Number Heading
[RS_EM_00008] Execution Management shall support the binding of all threads of a given process to a specified set of processor cores.
[RS_EM_00009] Execution Management shall control the right to create child processes for each process it starts.
[RS_EM_00053] Execution Management shall provide APIs to the process to support deterministic redundant execution of processes.
[RS_EM_00151] Execution Management shall be implemented at least according to the highest safety integrity level of any process that is supported on the platform.
Table 7.18: Changed Requirements in R23-11

7.10.3 Deleted Requirements in R23-11

none
