FEO error handling spec. limited to V0.5, comp. requ. adapted

ref: none

Change-Id: I1b487bd87b3d7ab8e1feb2cac0fd228f552c73c8

Author: armin-acn

docs/features/frameworks/feo/index.rst

@@ -438,10 +438,12 @@ w.r.t impact of computation load and latency.
 .. |example_task_chain_3_threads_dynamic| image:: _assets/example_task_chain_3_threads_dynamic.png
 
 
-Error Handling
-==============
+Error Handling for S-CORE v0.5
+==============================
 
-Possible error cases during the different FEO life cycle states shall be handled as follows.
+Possible error cases during the different FEO life cycle states shall be handled as follows. For now, the
+descriptions are focussed on the intended implementation for S-CORE v0.5. Potential adaptations for
+S-CORE v1.0 have been noted down, but shall be considered as drafts only.
 
 * Independent of state
     - If the primary process dies, the external lifecycle management shall kill all dependent processes.
@@ -450,31 +452,36 @@ Possible error cases during the different FEO life cycle states shall be handled
       terminate itself.
 
 * State: Lifecycle Manager creates all processes (primary & secondaries)
-    - If one or more processes cannot be created, the problem will be handled directly by the Lifecycle Manager
-      (e.g. system restart / retry)
-    - If not all secondaries connect to the primary in time, the primary shall report an error to the
-      lifecycle/health management. The startup functions shall not be triggered.
+    - If not all secondaries connect to the primary in time,
+        - S-CORE v0.5: the primary will terminate itself. The startup functions shall not be triggered.
+        - S-CORE v1.0: the primary will not terminate, but report an error to the lifecycle/health management.
+          The startup functions shall not be triggered.
 
 * State: Lifecycle Manager has created all processes (primary & secondaries), all secondaries have connected to the primary
-    - If an error occurs during the execution of a startup function, the primary process shall abort calling
-      startup functions, report the issue to health management and terminate itself. For all of the activities
-      whose startup functions have already been called successfully, the corresponding shutdown functions shall be
-      executed in arbitrary sequence.
+    - If an error occurs during the execution of a startup function,
+        - S-CORE v0.5: the primary process shall abort calling startup functions
+          and terminate itself. For all of the activities whose startup functions have already been called successfully,
+          the corresponding shutdown functions shall be executed in arbitrary sequence.
+        - S-CORE v1.0: in addition, the primary process shall report the issue to health management.
     - During initialization (i.e. in the startup function of an activity), activities shall check for resource allocation
       and report an error to the executor in case of failure.
-    - If a timeout occurs during startup, stepping or shutdown of an activity, the issue shall be reported to
-      health-management. The primary process shall shutdown all successfully started activities in arbitrary sequence
-      and terminate itself.
+    - If a timeout occurs during startup, stepping or shutdown of an activity,
+        - S-CORE v0.5: the primary process shall shutdown all successfully started activities in arbitrary sequence
+          and terminate itself.
+        - S-CORE v1.0: In addition, the primary process shall report the issue to health management.
     - If not all activities reach their initialized state within a certain period of time (startup timeout),
-      the issue shall be reported to health-management. The primary process shall shutdown all successfully
-      started activities in arbitrary sequence and terminate itself.
+        - S-CORE v0.5: the primary process shall shutdown all successfully
+          started activities in arbitrary sequence and terminate itself.
+        - S-CORE v1.0: In addition, the primary process shall report the issue to health management.
 
 * State: Lifecycle Manager has created all processes  (primary & secondaries), all secondaries have connected to the primary, all activities have been started up successfully
-    - If an activity fails in the step function, a logical waypoint error shall be reported to health management.
-      The primary process shall call shutdown for all activities in arbitrary sequence and terminate itself.
+    - If an activity fails in the step function,
+        - S-CORE v0.5: the primary process shall call shutdown for all activities in arbitrary sequence and terminate itself.
+        - S-CORE v1.0: In addition, a logical waypoint error shall be reported to health management.
     - If activities do not meet their intermediate (time/memory/cpu-) budgets the issue shall be detected and handled
       outside of FEO. (Resource supervision and quotas will be defined in a separate feature request, if needed.)
 
 * State: Shutdown of activities
-    - If an activity fails in the shutdown function, a logical waypoint error shall be reported to health management.
-      The primary process shall shutdown all remaining activities and terminate itself.
+    - If an activity fails in the shutdown function,
+        - S-CORE v0.5: the primary process shall shutdown all remaining activities and terminate itself.
+        - S-CORE v1.0: In addition, a logical waypoint error shall be reported to health management.

docs/features/frameworks/feo/modules/feo/feo/docs/requirements/component_requirements.rst

@@ -264,3 +264,105 @@ Component Requirements: feo
     This can be done e.g. via evaluation of floating point exceptions,
     checking of hardware registers or status information of the
     software platform.
+
+Error Handling for S-CORE v0.5
+==============================
+
+.. comp_req:: Response to termination request
+    :id: comp_req__feo__response_term_request
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__response_term_request
+    :status: valid
+
+    If the primary process receives a termination signal, it shall call the shutdown
+    function of all remaining activities in arbitrary sequence and terminate itself.
+
+    If a secondary process receives a termination signal, it shall terminate itself.
+
+
+.. comp_req:: Secondary connection timeout
+    :id: comp_req__feo__secondary_conn_timeout
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__secondary_conn_timeout
+    :status: valid
+
+    If not all secondary processes connect to the primary in time, the primary shall terminate itself.
+    The startup functions shall not be triggered.
+
+
+.. comp_req:: Activity startup error
+    :id: comp_req__feo__act_startup_error
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__act_startup_error
+    :status: valid
+
+    If an error occurs during the execution of a startup function, the primary process shall abort calling
+    startup functions and terminate itself. For all of the activities
+    whose startup functions have already been called successfully, the corresponding shutdown functions shall be
+    executed in arbitrary sequence.
+
+
+.. comp_req:: Activity resource allocation error
+    :id: comp_req__feo__act_alloc_error
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__act_alloc_error
+    :status: valid
+
+    During initialization (i.e. in the startup function of an activity), activities shall check for resource allocation
+    and report an error to the executor in case of failure.
+
+
+.. comp_req:: Activity timeout
+    :id: comp_req__feo__act_timeout
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__act_timeout
+    :status: valid
+
+    If a timeout occurs during startup, stepping or shutdown of an activity, the primary process shall shutdown all
+    successfully started activities in arbitrary sequence and terminate itself.
+
+
+.. comp_req:: Startup timeout
+    :id: comp_req__feo__startup_timeout
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__startup_timeout
+    :status: valid
+
+    If not all activities reach their initialized state within a certain period of time (startup timeout),
+    the primary process shall shutdown all successfully started activities in arbitrary sequence and terminate itself.
+
+
+.. comp_req:: Activity stepping error
+    :id: comp_req__feo__act_stepping_error
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__act_stepping_error
+    :status: valid
+
+    If an activity fails in the step function, the primary process shall call shutdown for all activities
+    in arbitrary sequence and terminate itself.
+
+
+.. comp_req:: Activity shutdown error
+    :id: comp_req__feo__act_shutdown_error
+    :reqtype: Functional
+    :security: YES
+    :safety: ASIL_B
+    :satisfies: feat_req__feo__act_shutdown_error
+    :status: valid
+
+    If an activity fails in the shutdown function, the primary process shall shutdown all remaining activities
+    in arbitrary sequence and terminate itself.

docs/features/frameworks/feo/requirements/index.rst

@@ -213,8 +213,8 @@ Supervision
     software platform.
 
 
-Error Handling
-==============
+Error Handling for S-CORE v0.5
+==============================
 
 .. feat_req:: Response to termination request
     :id: feat_req__feo__response_term_request
@@ -224,10 +224,10 @@ Error Handling
     :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes
     :status: valid
 
-    If the primary process receives a termination signal from the Lifecycle Manager, it shall call the shutdown
+    If the primary process receives a termination signal, it shall call the shutdown
     function of all remaining activities in arbitrary sequence and terminate itself.
 
-    If a secondary process receives a termination signal from the Lifecycle Manager, it shall terminate itself.
+    If a secondary process receives a termination signal, it shall terminate itself.
 
 
 .. feat_req:: Secondary connection timeout
@@ -238,8 +238,8 @@ Error Handling
     :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes
     :status: valid
 
-    If not all secondary processes connect to the primary in time, the primary shall report an error to the
-    lifecycle/health management. The startup functions shall not be triggered.
+    If not all secondary processes connect to the primary in time, the primary shall terminate itself.
+    The startup functions shall not be triggered.
 
 
 .. feat_req:: Activity startup error
@@ -251,7 +251,7 @@ Error Handling
     :status: valid
 
     If an error occurs during the execution of a startup function, the primary process shall abort calling
-    startup functions, report the issue to health management and terminate itself. For all of the activities
+    startup functions and terminate itself. For all of the activities
     whose startup functions have already been called successfully, the corresponding shutdown functions shall be
     executed in arbitrary sequence.
 
@@ -276,9 +276,8 @@ Error Handling
     :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes
     :status: valid
 
-    If a timeout occurs during startup, stepping or shutdown of an activity, the issue shall be reported to
-    health-management. The primary process shall shutdown all successfully started activities in arbitrary sequence
-    and terminate itself.
+    If a timeout occurs during startup, stepping or shutdown of an activity, the primary process shall shutdown all
+    successfully started activities in arbitrary sequence and terminate itself.
 
 
 .. feat_req:: Startup timeout
@@ -290,8 +289,7 @@ Error Handling
     :status: valid
 
     If not all activities reach their initialized state within a certain period of time (startup timeout),
-    the issue shall be reported to health-management. The primary process shall shutdown all successfully
-    started activities in arbitrary sequence and terminate itself.
+    the primary process shall shutdown all successfully started activities in arbitrary sequence and terminate itself.
 
 
 .. feat_req:: Activity stepping error
@@ -302,8 +300,8 @@ Error Handling
     :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes
     :status: valid
 
-    If an activity fails in the step function, a logical waypoint error shall be reported to health management.
-    The primary process shall call shutdown for all activities in arbitrary sequence and terminate itself.
+    If an activity fails in the step function, the primary process shall call shutdown for all activities
+    in arbitrary sequence and terminate itself.
 
 
 .. feat_req:: Activity shutdown error
@@ -314,5 +312,5 @@ Error Handling
     :satisfies: stkh_req__dependability__safety_features, stkh_req__dependability__availability, stkh_req__execution_model__processes
     :status: valid
 
-    If an activity fails in the shutdown function, a logical waypoint error shall be reported to health management.
-    The primary process shall shutdown all remaining activities and terminate itself.
+    If an activity fails in the shutdown function, the primary process shall shutdown all remaining activities
+    in arbitrary sequence and terminate itself.