Experiences with CANoe-based Fault Injection for AUTOSAR

Similar documents
Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

The Safe State: Design Patterns and Degradation Mechanisms for Fail- Operational Systems

FlexRay and Automotive Networking Future

AUTOSAR stands for AUTomotive Open Systems ARchitecture. Partnership of automotive Car Manufacturers and their Suppliers

VT System Smart HIL Testing

10 th AUTOSAR Open Conference

Model Based Development and Code Generation for Automotive Embedded Systems. April 26, 2017 Dr. Gergely Pintér, Dr. Máté Kovács thyssenkrupp Steering

In-Vehicle Global Synchronization

ISO meets AUTOSAR - First Lessons Learned Dr. Günther Heling

A specification proposed by JASPAR has been adopted for AUTOSAR.

AUTOSAR proofs to be THE automotive software platform for intelligent mobility

Advanced Driver Assistance: Modular Image Sensor Concept

Agenda. > AUTOSAR Overview. AUTOSAR Solution. AUTOSAR on the way

Software Architecture. Definition of Software Architecture. The importance of software architecture. Contents of a good architectural model

Automotive Networks Are New Busses and Gateways the Answer or Just Another Challenge? ESWEEK Panel Oct. 3, 2007

MATLAB Expo Simulation Based Automotive Communication Design using MATLAB- SimEvent. Sudhakaran M Anand H General Motors

Flexray Protocol in Automotive Network Communications

Taking the Right Turn with Safe and Modular Solutions for the Automotive Industry

CANoe.Ethernet. Product Information

Create, Embed, Empower. Crevavi Technologies Company profile

Benefits of Collecting Code Coverage Metrics during HIL/ECU Testing

Application. Diagnosing the dashboard by the CANcheck software. Introduction

The House Intelligent Switch Control Network based On CAN bus

Model-Based Design of Automotive RT Applications

Schedule Integration for Time-Triggered Systems

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Arccore AB 2017, all rights reserved. Accelerating innovation

Real and Virtual Development with SystemDesk

Virtual Hardware ECU How to Significantly Increase Your Testing Throughput!

Additional Slides (informative)

MATLAB Expo 2014 Verkehrszeichenerkennung in Fahrerassistenzsystemen Continental

Product Information Embedded Operating Systems

Tools for CAN based networking. On the street, in the air, in the orbit

AUTOSAR Software Design with PREEvision

Virtualization of Heterogeneous Electronic Control Units Testing and Validating Car2X Communication

The Power to Log. Powerful Solution for Vehicle Testing and Validation of Automobile Networks

Comparison of In-Vehicle Communication Protocols for Critical Applications

Aula Mercedes Benz : Table of Contents THEORY (20 HOURS) 1.- BASIC INTRODUCTION TO VEHICLE TELEMATICS IN-VEHICLE NETWORKS - 30 MINS

An Encapsulated Communication System for Integrated Architectures

SIMPLIFYING COMPLEX EMBEDDED DEVELOPMENT PROCESSES WITH MBEDDR

The CANoe.Ethernet Solution

INSTRUMENT CLUSTER 2.0

Autonomous Driving From Fail-Safe to Fail-Operational Systems

EXPERIENCES FROM MODEL BASED DEVELOPMENT OF DRIVE-BY-WIRE CONTROL SYSTEMS

ID 025C: An Introduction to the OSEK Operating System

Dr. Andreas Both / Zhang Enqin Automotive Runtime Software

In Vehicle Networking : a Survey and Look Forward

Distributed System Control with FlexRay Nodes in Commercial Vehicles

정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석

In March 2007, over 200 developers met in Stuttgart for the. control algorithms that have become increasingly faster are

Connected Vehicle Safety Pilot Overview and Infrastructure Readiness

Vehicle Safety Communications Project Final Overview

How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

FlexRay International Workshop. Protocol Overview

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

SPC5 MCAL overview. ZHANG Livia

Robustness Testing of AUTOSAR Software Components. Master of Science Thesis Computer Systems and Networks Programme VICTOR JANSSON JERRY LINDAHL

Functional Safety Architectural Challenges for Autonomous Drive

LabVIEW FPGA in Hardware-in-the-Loop Simulation Applications

Automotive Security An Overview of Standardization in AUTOSAR

Ethernet TSN as Enabling Technology for ADAS and Automated Driving Systems

AUTOSAR Overview and Classic Platform

Dedicated Short Range Communication: What, Why and How?

Experimental Security Analysis of a Modern Automobile

Designing a software framework for automated driving. Dr.-Ing. Sebastian Ohl, 2017 October 12 th

Field buses (part 2): time triggered protocols

In-Vehicle Networking freescale.com/automotive

AUTOSAR design flow. Yoon-Jin Kim Application Engineer. July mentor.com/automotive

Exercise 3-5. Multiple Push Buttons EXERCISE OBJECTIVE DISCUSSION

Cooperative Vehicles Opportunity and Challenges

Architecture concepts in Body Control Modules

Verification, Validation, and Test with Model-Based Design

Open, Scalable Real-Time Solutions

Increasing Design Confidence Model and Code Verification

rcube2: Advanced Rapid Prototyping Electronic Control Unit

AUTOMATIC FUNCTIONALITY ASSIGNMENT TO AUTOSAR MULTICORE DISTRIBUTED ARCHITECTURES

A Reliable Gateway for In-vehicle Networks

In-Vehicle Network Architecture for the Next-Generation Vehicles SAE TECHNICAL PAPER SERIES

KSAR Support. for. ST s SPC5 32-bit Automotive MCUs

Hardware-In-Loop Test Setup Automation

Interaction between AUTOSAR and non-autosar Systems on top of a Hypervisor

Operating Systems, Concurrency and Time. real-time communication and CAN. Johan Lukkien

Safety and Security for Automotive using Microkernel Technology

Software implemented fault injection for AUTOSAR based systems

Communication Networks for the Next-Generation Vehicles

Adaptive AUTOSAR: Infrastructure Software for Advanced Driver Assistance. Chris Thibeault June 7, 2016

Development and verification of software component level fault injection for safety-critical automotive Ethernet control system

Automotive ECU Design with Functional Safety for Electro-Mechanical Actuator Systems

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Isolation of Cores. Reduce costs of mixed-critical systems by using a divide-and-conquer startegy on core level

Verification and Test with Model-Based Design

STMicroelectronics Automotive MCU Technical Day 意法半导体汽车微控制器技术日 2017 年 ST 汽车 MCU 技术日 2017 年 6 月 6 日, 上海 2017 年 6 月 8 日, 深圳 2017 年 6 月 13 日, 北京

FlexRay The Hardware View

Application_Database.docx

CAN FD - Flexible Tools for Flexible Data Rates

Subsystem Hazard Analysis (SSHA)

Adaptive AUTOSAR. Ready for Next Generation ECUs V

Goals and prospects of embedded electronic automotive systems

Institutionen för datavetenskap Department of Computer and Information Science

Controller area network

Transcription:

Experiences with CANoe-based Fault Injection for AUTOSAR Patrick E. Lanigan, Priya Narasimhan Electrical & Computer Engineering Carnegie Mellon University Thomas E. Fuhrman Research & Development General Motors Company 1

WHAT TO EXPECT A brief overview of automotive systems / tools AUTOSAR FlexRay Vector CANoe A description of a proof-of-concept softwareimplemented fault-injection framework An example application of the framework A qualitative discussion of the what worked well, as well as what did not work so well. 2

WHAT NOT TO EXPECT A dependability evaluation of the... AUTOSAR specification AUTOSAR implementation FlexRay protocol demo application A discussion of specific fault-models A coverage assessment A quantitative analysis 3

ROADMAP Introduction Overview of automotive systems Motivation Goals Fault-injection framework Runtime evaluation Conclusion 4

AUTOMOTIVE SYSTEMS What is an automotive system? Many mechanical, hydraulic and electrical (incl. hardware and software) components interact to perform vehicle functions Operates in a dynamic environment (other vehicles, pedestrians, animals, etc) Our focus is on the embedded computing architecture Electronic Control Units (ECUs) and software Distributed, serial communication (e.g. CAN, FlexRay) Sensors and actuators 5

BACKGROUND: AUTOSAR Electronics account for significant and increasing proportion of innovation as well as cost. Application Layer AUTOSAR Runtime Environment (RTE) Services Layer ECU Abstraction Layer Microcontroller Abstraction Layer Microcontroller Complex Drivers Source: AUTOSAR Layered Software Architecture, Document ID 053, p. 13. http://www.autosar.org/download/r4.0/autosar_exp_layeredsoftwarearchitecture.pdf Standard software-architecture for automotive applications Encourage reuse of software Reduce development costs Layered architecture Basic Software (BSW) layers provide hardware abstractions Application layer implements high-level functionality Runtime Environment (RTE) layer enables information exchange 6

BACKGROUND: FLEXRAY High-speed, synchronous serial communication protocol Communication schedule is divided into equal-length time slots and executed periodically Slots are statically assigned to nodes Support for dual channels (up to 10 mbps each) FlexRay nodes are synchronized to a global time-base slot counter channel A 1 2 3 channel A frame ID 1 frame ID 2 t channel B frame ID 1 1 2 3 slot counter channel B static slot 1 static slot 2 static slot 3 static segment containing gnumberofstaticslots static slots Source: FlexRay Consortium, FlexRay Protocol Specification, V2.1, p 102 http://www.flexray.com 7

AUTOMOTIVE SYSTEMS (CONT.) An increasing amount of control and autonomy is being delegated to embedded computing architectures. Adaptive cruise control Forward collision warning Curve speed control Side blind zone alert Lane keeping / lane centering control Cross traffic collision avoidance 8

MOTIVATION FOR OUR FRAMEWORK AUTOSAR is likely to be a key enabler of functional safety systems Fault-injection plays an important role in the dependability analysis of such systems Highly recommended by upcoming ISO 26262 standard Hardware-based fault injection requires specialized equipment (e.g., TTX Disturbance node) Availability, cost, complexity can limit applicability Cannot accurately target specific software modules How far can we go with existing software tools (e.g., Vector CANoe)? 9

BACKGROUND: VECTOR CANOE CANoe is a simulation and evaluation environment for automotive applications Supports a variety of bus protocols (e.g., FlexRay) The behavior of simulated nodes can be defined in multiple ways External DLL using CANoe programming interface CAPL scripting language Provides graphical and text-based output windows Source: Vector Product Catalog, p. 32 10

THE -ILITIES 11

THE -ILITIES Functionality (1) Exercise error handling (2) Runtime configuration (3) Runtime visualization 11

THE -ILITIES Functionality (1) Exercise error handling (2) Runtime configuration (3) Runtime visualization Controllability Repeatable scenarios with respect to time, location and duration. 11

THE -ILITIES Functionality (1) Exercise error handling (2) Runtime configuration (3) Runtime visualization Controllability Repeatable scenarios with respect to time, location and duration. Observability Distinguish masked faults from faults with no effect. 11

THE -ILITIES Functionality (1) Exercise error handling (2) Runtime configuration (3) Runtime visualization Controllability Repeatable scenarios with respect to time, location and duration. Observability Distinguish masked faults from faults with no effect. Portability Minimize changes required to existing codebase(s). 11

THE -ILITIES Functionality (1) Exercise error handling (2) Runtime configuration (3) Runtime visualization Controllability Repeatable scenarios with respect to time, location and duration. Observability Distinguish masked faults from faults with no effect. Portability Minimize changes required to existing codebase(s). Flexibility Support a wide range of scenarios, faults and errors. 11

THE -ILITIES Functionality (1) Exercise error handling (2) Runtime configuration (3) Runtime visualization Controllability Repeatable scenarios with respect to time, location and duration. Observability Distinguish masked faults from faults with no effect. Portability Minimize changes required to existing codebase(s). Flexibility Support a wide range of scenarios, faults and errors. Avoid Probe Effects Fault-injection process should not produce unintended side effects. 11

ROADMAP Introduction Fault-injection framework Architecture Fault-injection hook locations Example use of fault-injection hooks Runtime evaluation Conclusion 12

FAULT-INJECTION STRATEGY Hooks are inserted into AUTOSAR functions Manipulation hooks modify function arguments Suppression hooks cause functions to return error codes Fault-injection scenarios are defined by six parameters Manipula(on parameters Suppression parameters Loca;on Argument Mask Offset Opera;on Ac;ve 13

FAULT-INJECTION FRAMEWORK CANoe Node 1 Node 2 Node 3 Node 4 14

FAULT-INJECTION FRAMEWORK CANoe Node 1 Node 2 Node 3 Node 4 14

FAULT-INJECTION FRAMEWORK CANoe Node 1 Node 2 AUTOSAR library Node 3 Node 4 14

FAULT-INJECTION FRAMEWORK CANoe Node 1 Node 2 AUTOSAR library CAPL script Node 3 Node 4 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 AUTOSAR library CAPL script Node 3 Node 4 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Node 3 Node 4 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Fault-injection hook implementations Node 3 Node 4 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Fault-injection hook implementations Node 3 Node 4 CAPL extensions 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Fault-injection hook implementations Node 3 Node 4 CAPL extensions 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Fault-injection hook implementations Node 3 Node 4 CAPL extensions 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Fault-injection hook implementations Node 3 Node 4 CAPL extensions 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Fault-injection hook implementations Node 3 Node 4 CAPL extensions 14

FAULT-INJECTION FRAMEWORK CANoe Fault-injection library Node 1 Node 2 Fault-injection parameters AUTOSAR library CAPL script Fault-injection hook implementations Node 3 Node 4 CAPL extensions 14

HOOK LOCATIONS IN AUTOSAR Application layer AUTOSAR Runtime Environment (RTE) Services Layer ECU Abstraction Layer Complex Drivers Microcontroller Abstraction Layer Microcontroller (ECU) 15

HOOK LOCATIONS IN AUTOSAR Application layer AUTOSAR Runtime Environment (RTE) Services Layer ECU Abstraction Layer Complex Drivers Microcontroller Abstraction Layer Microcontroller (ECU) 15

HOOK LOCATIONS IN AUTOSAR Application layer AUTOSAR Runtime Environment (RTE) System Services Memory Services Communication Services ECU Abstraction Layer Complex Drivers Microcontroller Drivers Memory Drivers Communication Drivers I/O Drivers Microcontroller (ECU) 15

HOOK LOCATIONS IN AUTOSAR Application layer AUTOSAR Runtime Environment (RTE) System Services Memory Services Communication Services ECU Abstraction Layer Complex Drivers WdgM Microcontroller Drivers Memory Drivers Communication Drivers I/O Drivers Microcontroller (ECU) 15

HOOK LOCATIONS IN AUTOSAR Application layer AUTOSAR Runtime Environment (RTE) System Services Memory Services Communication Services ECU Abstraction Layer Complex Drivers WdgM Com Microcontroller Drivers Memory Drivers Communication Drivers I/O Drivers Microcontroller (ECU) 15

HOOK LOCATIONS IN AUTOSAR Application layer AUTOSAR Runtime Environment (RTE) System Services Memory Services Communication Services ECU Abstraction Layer Complex Drivers WdgM Com Microcontroller Drivers Memory Drivers Communication Drivers I/O Drivers Fr Microcontroller (ECU) 15

EXAMPLE HOOK USAGE Pass target arguments by reference for manipulation inside the hook. Arguments are only modified if the current location is active. SWIFI_Hook_Fr_Tx(&channel, &slotid, &basecycle, &cyclerep, &framestatus, (uint16 *)&Fr_LSduLength, (uint8 *)Fr_LSduPtr); CANoeAPI_SendFlexRayMessage(Fr_CtrlIdx, channel, slotid, basecycle, cyclerep, framestatus, Fr_LSduLength, Fr_LSduPtr); If the suppression hook is active, immediately return an error code. if (SWIFI_Suppress_Fr_Tx()) { return E_NOT_OK; } 16

EXAMPLE HOOK IMPLEMENTATIONS Modifiable arguments (id, buffer) are passed by reference, while non-modifiable arguments (blength) provide additional context. EXPORT_C int SWIFI_Hook_Com_Write(uint16 *id, uint16 blength, uint8 *buffer) { if ((gfi_location == SWIFI_LOC_COM_WRITE) && (gfi_operation!= SWIFI_OP_NONE)) { switch(gfi_argument) { case SWIFI_ARG_PAYLOAD: apply_mask(buffer, blength, gfi_mask, gfi_offset, gfi_operation); return 1; case SWIFI_ARG_SLOTID: apply_mask((uint8 *)id, sizeof(uint16), gfi_mask, gfi_offset, gfi_operation); return 1; default: return 0; } } } return 0; Suppression hooks return a boolean value that indicates whether or not the instrumented function should abort. EXPORT_C int SWIFI_Suppress_Com_Write() { return (gfi_location == SWIFI_LOC_COM_WRITE) && gfi_suppress; } 17

ROADMAP Introduction Fault-injection framework Runtime evaluation Configuration interface Demo application Example scenarios and fault manifestations Conclusion 18

CONFIGURING A FAULT-INJECTION SCENARIO 19

CONFIGURING A FAULT-INJECTION SCENARIO Select how the mask is applied to the argument. 19

CONFIGURING A FAULT-INJECTION SCENARIO Select how the mask is applied to the argument. Activate a suppression hook. 19

CONFIGURING A FAULT-INJECTION SCENARIO Select how the mask is applied to the argument. Select the target argument. Activate a suppression hook. 19

CONFIGURING A FAULT-INJECTION SCENARIO Select how the mask is applied to the argument. Select the target argument. Activate a suppression hook. Define the mask......and offset. 19

CONFIGURING A FAULT-INJECTION SCENARIO Select how the mask is applied to the argument. Select the target argument. Activate a suppression hook. Select the target location. Define the mask......and offset. 19

CONFIGURING A FAULT-INJECTION SCENARIO Select how the mask is applied to the argument. Select the target argument. Activate a suppression hook. Select the target location. Define the mask......and offset. 19

DEMO APPLICATION The framework was applied to a by-wire application Sensing ECU reads throttle and brake inputs Front and rear ECUs calculate wheel speed independently Front ECU is the target of fault injection Originally developed as a simple CANoe demonstration No fault-tolerance mechanisms No application-level error handling FlexRay Front Wheel Speed ECU (AUTOSAR) Sensor ECU (CAPL) CAN Can / FlexRay Gateway (CAPL) Rear Wheel Speed ECU (CAPL) 20

EXAMPLE FAULT-INJECTION SCENARIOS 21

EXAMPLE FAULT-INJECTION SCENARIOS No active faults. 21

EXAMPLE FAULT-INJECTION SCENARIOS No active faults. Front & rear wheel speed changes equally with application of throttle. 21

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) 22

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) Suppression hook is active. 22

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) FlexRay frame reception function is the target. Suppression hook is active. 22

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) FlexRay frame reception function is the target. Suppression hook is active. Front wheel speed no longer responds to changes in throttle application. 22

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) 23

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) Suppression hook is active. 23

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) Com signal reception function is the target. Suppression hook is active. 23

EXAMPLE FAULT-INJECTION SCENARIOS (CONT.) Com signal reception function is the target. Suppression hook is active. Front wheel speed drops immediately and no longer responds to changes in throttle application. 23

ROADMAP Introduction Fault-injection framework Runtime evaluation Conclusion Lessons learned Summary Questions 24

THE -ILITIES (LESSONS LEARNED REMIX) 25

THE -ILITIES (LESSONS LEARNED REMIX) Functionality Excercise AUTOSAR fault-handling mechanisms Observe application-level manifestations 25

THE -ILITIES (LESSONS LEARNED REMIX) Functionality Portability Excercise AUTOSAR fault-handling mechanisms Observe application-level manifestations Fault-injection logic is modularized away from application code Requires no changes to existing configuration files or autogenerated code 25

THE -ILITIES (LESSONS LEARNED REMIX) Functionality Portability Controllability Excercise AUTOSAR fault-handling mechanisms Observe application-level manifestations Fault-injection logic is modularized away from application code Requires no changes to existing configuration files or autogenerated code Good control of fault location by layer, component, function, data structure X Manual control makes duration and time of faults very difficult to control 25

THE -ILITIES (LESSONS LEARNED REMIX) Functionality Portability Controllability Excercise AUTOSAR fault-handling mechanisms Observe application-level manifestations Fault-injection logic is modularized away from application code Requires no changes to existing configuration files or autogenerated code Good control of fault location by layer, component, function, data structure X Manual control makes duration and time of faults very difficult to control Observability X Observability is limited to application-level behavior 25

THE -ILITIES (LESSONS LEARNED REMIX) Functionality Portability Controllability Excercise AUTOSAR fault-handling mechanisms Observe application-level manifestations Fault-injection logic is modularized away from application code Requires no changes to existing configuration files or autogenerated code Good control of fault location by layer, component, function, data structure X Manual control makes duration and time of faults very difficult to control Observability X Observability is limited to application-level behavior Flexibility X Protocol-level errors cannot be injected directly because the simulated communication controller is not accessible from software 25

THE -ILITIES (LESSONS LEARNED REMIX) Functionality Portability Controllability Excercise AUTOSAR fault-handling mechanisms Observe application-level manifestations Fault-injection logic is modularized away from application code Requires no changes to existing configuration files or autogenerated code Good control of fault location by layer, component, function, data structure X Manual control makes duration and time of faults very difficult to control Observability X Observability is limited to application-level behavior Flexibility X Protocol-level errors cannot be injected directly because the simulated communication controller is not accessible from software Avoid Probe Effects X Certain faults cannot be isolated to simulated nodes (e.g., memory-access faults crash the entire simulation) 25

THE -ILITIES (LESSONS LEARNED REMIX) Controllability Good control of fault location by layer, component, function, data structure X Manual control makes duration and time of faults very difficult to control Observability X Observability is limited to application-level behavior Implementation limitations Flexibility X Protocol-level errors cannot be injected directly because the simulated communication controller is not accessible from software Avoid Probe Effects X Certain faults cannot be isolated to simulated nodes (e.g., memory-access faults crash the entire simulation) 25

THE -ILITIES (LESSONS LEARNED REMIX) Controllability Good control of fault location by layer, component, function, data structure X Manual control makes duration and time of faults very difficult to control Observability X Observability is limited to application-level behavior Environment limitations Implementation limitations Flexibility X Protocol-level errors cannot be injected directly because the simulated communication controller is not accessible from software Avoid Probe Effects X Certain faults cannot be isolated to simulated nodes (e.g., memory-access faults crash the entire simulation) 25

SUMMARY CANoe is a suitable environment for fault-injection, provided that the faults injected fall within the level of abstraction provided by the simulation. This proof-of-concept framework shows promise for rapid-prototyping of new applications. A combination of techniques are likely required for a robust analysis. 26

QUESTIONS? Patrick E. Lanigan planigan@ece.cmu.edu 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback