From 8a38187272bbf06577d2164ac2b3cc64a3a21eeb Mon Sep 17 00:00:00 2001 From: "Negm Adham (ETAS-ECM/ESY3)" Date: Wed, 1 Apr 2026 18:13:55 +0200 Subject: [PATCH 1/3] Update Safety Analysis Template --- .../features/feature_name/safety_analysis/dfa.rst | 1 + .../features/feature_name/safety_analysis/fmea.rst | 2 ++ .../module_name/component_name/docs/safety_analysis/dfa.rst | 1 + .../module_name/component_name/docs/safety_analysis/fmea.rst | 2 ++ .../folder_templates/platform/docs/safety_mgt/platform_dfa.rst | 1 + 5 files changed, 7 insertions(+) diff --git a/process/folder_templates/features/feature_name/safety_analysis/dfa.rst b/process/folder_templates/features/feature_name/safety_analysis/dfa.rst index ba1afa5222..51ebe66c2c 100644 --- a/process/folder_templates/features/feature_name/safety_analysis/dfa.rst +++ b/process/folder_templates/features/feature_name/safety_analysis/dfa.rst @@ -44,6 +44,7 @@ Dependent Failure Initiators :id: feat_saf_dfa____ :failure_id: :failure_effect: "description of failure effect of the failure initiator on the element" + :safety_relevant: :mitigated_by: :mitigation_issue: :sufficient: diff --git a/process/folder_templates/features/feature_name/safety_analysis/fmea.rst b/process/folder_templates/features/feature_name/safety_analysis/fmea.rst index 89a6a5ec14..9b29adc7cb 100644 --- a/process/folder_templates/features/feature_name/safety_analysis/fmea.rst +++ b/process/folder_templates/features/feature_name/safety_analysis/fmea.rst @@ -45,6 +45,8 @@ Failure Mode List :id: feat_saf_fmea____ :fault_id: :failure_effect: "description of failure effect of the fault model on the element" + :failure_root_cause: "description of the root cause of the failure" + :safety_relevant: :mitigated_by: :mitigation_issue: :sufficient: 
diff --git a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst index 62c8f48019..bfdbe8a5b6 100644 --- a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst +++ b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst @@ -44,6 +44,7 @@ Dependent Failure Initiators :id: comp_saf_dfa____ :failure_id: :failure_effect: "description of failure effect of the failure initiator on the element" + :safety_relevant: :mitigated_by: :mitigation_issue: :sufficient: diff --git a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst index fcb6f65ed6..c2550af272 100644 --- a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst +++ b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst @@ -44,6 +44,8 @@ Failure Mode List :id: comp_saf_fmea____ :fault_id: :failure_effect: "description of failure effect of the fault model on the element" + :failure_root_cause: "description of the root cause of the failure" + :safety_relevant: :mitigated_by: :mitigation_issue: :sufficient: diff --git a/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst b/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst index 2dafac8c92..aa81abd970 100644 --- a/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst +++ b/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst @@ -40,6 +40,7 @@ Dependent Failure Initiators :id: plat_saf_DFA__Platform__ :failure_id: :failure_effect: "description of failure effect of the failure initiator on the element" + :safety_relevant: :mitigated_by: :mitigation_issue: :sufficient: 
From 221d12cc3c0104e63390910a9bd03d8095d10e77 Mon Sep 17 00:00:00 2001
From: "Negm Adham (ETAS-ECM/ESY3)"
Date: Thu, 2 Apr 2026 10:38:56 +0200
Subject: [PATCH 2/3] create new needs element for FMEA fault models

---
 process/conf.py | 26 +++
 .../guidance/fault_models_guideline.rst | 204 ++++++++++++------
 2 files changed, 162 insertions(+), 68 deletions(-)

diff --git a/process/conf.py b/process/conf.py
index db45e680f0..7642da70f4 100644
--- a/process/conf.py
+++ b/process/conf.py
@@ -34,3 +34,29 @@
 
 # :need:`{title}` is used in the needs templates to display the title of the need
 needs_role_need_template = "{title}"
+
+
+def setup(app):
+    # Register the FMEA Fault Model need type.
+    # This type is used for fault models listed in the FMEA fault models guideline
+    # so they can be linked to from FMEA analyses instead of using plain IDs.
+    fmea_fault_model_type = {
+        "directive": "fmea_fault_model",
+        "title": "FMEA Fault Model",
+        "prefix": "fmea_fault_model__",
+        "tags": [],
+        "parts": 2,
+        "mandatory_options": {
+            "id": "^fmea_fault_model__[0-9a-z_]+$",
+            "status": "^(valid|draft)$",
+            "element": "^.*$",
+            "importance": "^(High|Medium|Low)$",
+        },
+        "optional_options": {},
+        "mandatory_links": {},
+        "optional_links": {},
+    }
+    app.config.needs_types.append(fmea_fault_model_type)
+    for opt in ("element", "importance"):
+        if opt not in app.config.needs_extra_options:
+            app.config.needs_extra_options.append(opt)
diff --git a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst
index 34f7d9d59c..ffe43e5010 100644
--- a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst
+++ b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst
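Review bot: The `element` pattern `"^.*$"` in `mandatory_options` matches the empty string, so if the project's metamodel check enforces mandatory options through these regexes, an `:element:` left blank still passes; `"^.+$"` (or a closed list, as already done for `importance`) would actually enforce presence. `setup()` also has no docstring; I would add `"""Sphinx extension hook: register the project-specific safety-analysis need types."""` directly under the `def` and keep the existing comments for the per-type details. The `opt not in app.config.needs_extra_options` guard only recognises string entries — if an extra option is declared elsewhere in dict form (`{"name": "element", ...}`), the loop would register a duplicate; the rest of conf.py is not visible here, so I cannot confirm which form the project uses. The hunk contains the whole of `setup`.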
@@ -29,71 +29,139 @@ FMEA Fault Models Fault Models for sequence diagrams - .. list-table:: Fault Models for sequence diagrams - :header-rows: 1 - :widths: 15,15,45,15 - - * - Element - - ID - - Failure Mode - - Importance (can be used for prioritization) - * - message - - MF_01_01 - - message is not received (is a subset/more precise description of MF_01_05) - - High - * - message - - MF_01_02 - - message received too late (only relevant if delay is a realistic fault) - - Medium - * - message - - MF_01_03 - - message received too early (usually not a problem) - - Low - * - message - - MF_01_04 - - message not received correctly by all recipients (different messages or messages partly lost). Only relevant if the same message goes to multiple recipients. - - High - * - message - - MF_01_05 - - message is corrupted - - High - * - message - - MF_01_06 - - message is not sent - - High - * - message - - MF_01_07 - - message is unintended sent - - High - * - duration/time constraint - - CO_01_01 - - minimum constraint boundary is violated - - Medium - * - duration/time constraint - - CO_01_02 - - maximum constraint boundary is violated - - High - * - execution - - EX_01_01 - - Process calculates wrong result(s) (is a subset/more precise description of MF_01_05 or MF_01_04). This failure mode is related to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size / complexity of the feature. - - High - * - execution - - EX_01_02 - - processing too slow (only relevant if timing is considered) - - Medium - * - execution - - EX_01_03 - - processing too fast (only relevant if timing is considered) - - Medium - * - execution - - EX_01_04 - - loss of execution - - High - * - execution - - EX_01_05 - - processing changes to arbitrary process - - Medium - * - execution - - EX_01_06 - - processing is not complete (infinite loop) - - High +------------------------------------ + +.. 
fmea_fault_model:: message is not received + :id: fmea_fault_model__mf_01_01 + :status: valid + :element: message + :importance: High + :hide: + + Is a subset/more precise description of :need:`fmea_fault_model__mf_01_05`. + +.. fmea_fault_model:: message received too late + :id: fmea_fault_model__mf_01_02 + :status: valid + :element: message + :importance: Medium + :hide: + + Only relevant if delay is a realistic fault. + +.. fmea_fault_model:: message received too early + :id: fmea_fault_model__mf_01_03 + :status: valid + :element: message + :importance: Low + :hide: + + Usually not a problem. + +.. fmea_fault_model:: message not received correctly by all recipients + :id: fmea_fault_model__mf_01_04 + :status: valid + :element: message + :importance: High + :hide: + + Different messages or messages partly lost. Only relevant if the same message goes to multiple recipients. + +.. fmea_fault_model:: message is corrupted + :id: fmea_fault_model__mf_01_05 + :status: valid + :element: message + :importance: High + :hide: + +.. fmea_fault_model:: message is not sent + :id: fmea_fault_model__mf_01_06 + :status: valid + :element: message + :importance: High + :hide: + +.. fmea_fault_model:: message is unintended sent + :id: fmea_fault_model__mf_01_07 + :status: valid + :element: message + :importance: High + :hide: + +.. fmea_fault_model:: minimum constraint boundary is violated + :id: fmea_fault_model__co_01_01 + :status: valid + :element: duration/time constraint + :importance: Medium + :hide: + +.. fmea_fault_model:: maximum constraint boundary is violated + :id: fmea_fault_model__co_01_02 + :status: valid + :element: duration/time constraint + :importance: High + :hide: + +.. fmea_fault_model:: process calculates wrong results + :id: fmea_fault_model__ex_01_01 + :status: valid + :element: execution + :importance: High + :hide: + + Is a subset/more precise description of :need:`fmea_fault_model__mf_01_05` or + :need:`fmea_fault_model__mf_01_04`. 
This failure mode is relevant to the analysis + if e.g. internal safety mechanisms are required (level 2 function, plausibility + check of the output, …) because of the size/complexity of the feature. + +.. fmea_fault_model:: processing too slow + :id: fmea_fault_model__ex_01_02 + :status: valid + :element: execution + :importance: Medium + :hide: + + Only relevant if timing is considered. + +.. fmea_fault_model:: processing too fast + :id: fmea_fault_model__ex_01_03 + :status: valid + :element: execution + :importance: Medium + :hide: + + Only relevant if timing is considered. + +.. fmea_fault_model:: loss of execution + :id: fmea_fault_model__ex_01_04 + :status: valid + :element: execution + :importance: High + :hide: + +.. fmea_fault_model:: processing changes to arbitrary process + :id: fmea_fault_model__ex_01_05 + :status: valid + :element: execution + :importance: Medium + :hide: + +.. fmea_fault_model:: processing is not complete + :id: fmea_fault_model__ex_01_06 + :status: valid + :element: execution + :importance: High + :hide: + + Infinite loop. + +.. needtable:: + :style: table + :columns: element;id;title;importance + :colwidths: 15,20,50,15 + + results = [] + + for need in needs.filter_types(["fmea_fault_model"]): + if need['is_external'] == False: + results.append(need) From b4354a7a7ea12d003587727c587033b65b2dd019 Mon Sep 17 00:00:00 2001 From: "Negm Adham (ETAS-ECM/ESY3)" Date: Wed, 8 Apr 2026 17:08:54 +0200 Subject: [PATCH 3/3] extend needs elements for safety analysis --- process/conf.py | 41 +- .../guidance/dfa_failure_initiators.rst | 496 ++++++++++++------ .../guidance/fault_models_guideline.rst | 50 +- 3 files changed, 411 insertions(+), 176 deletions(-) diff --git a/process/conf.py b/process/conf.py index 7642da70f4..f5e1239c35 100644 --- a/process/conf.py +++ b/process/conf.py 
@@ -50,13 +50,48 @@ def setup(app):
             "id": "^fmea_fault_model__[0-9a-z_]+$",
             "status": "^(valid|draft)$",
             "element": "^.*$",
+            "failure_mode": "^.*$",
             "importance": "^(High|Medium|Low)$",
         },
-        "optional_options": {},
+        "optional_options": {
+            # parent_need (singular) is auto-computed by sphinx-needs from the
+            # parent_needs link and is not a user-specified option.
+            "parent_need": "^fmea_fault_model__[0-9a-z_]+$",
+        },
         "mandatory_links": {},
-        "optional_links": {},
+        "optional_links": {
+            # parent_needs is auto-populated by sphinx-needs when a need is
+            # nested inside another need's content block.
+            "parent_needs": "^fmea_fault_model__[0-9a-z_]+$",
+        },
     }
     app.config.needs_types.append(fmea_fault_model_type)
-    for opt in ("element", "importance"):
+    for opt in ("element", "failure_mode", "importance"):
         if opt not in app.config.needs_extra_options:
             app.config.needs_extra_options.append(opt)
+
+    # Register the DFA Failure Initiator need type.
+    # This type is used for failure initiators listed in the DFA failure initiators
+    # guideline so they can be linked to from DFA analyses instead of using plain IDs.
+    dfa_failure_initiator_type = {
+        "directive": "dfa_failure_initiator",
+        "title": "DFA Failure Initiator",
+        "prefix": "dfa_failure_initiator__",
+        "tags": [],
+        "parts": 2,
+        "mandatory_options": {
+            "id": "^dfa_failure_initiator__[0-9a-z_]+$",
+            "status": "^(valid|draft)$",
+            "element": "^.*$",
+            "failure_mode": "^.*$",
+            "importance": "^(High|Medium|Low)$",
+        },
+        "optional_options": {
+            "parent_need": "^dfa_failure_initiator__[0-9a-z_]+$",
+        },
+        "mandatory_links": {},
+        "optional_links": {
+            "parent_needs": "^dfa_failure_initiator__[0-9a-z_]+$",
+        },
+    }
+    app.config.needs_types.append(dfa_failure_initiator_type)
diff --git a/process/process_areas/safety_analysis/guidance/dfa_failure_initiators.rst b/process/process_areas/safety_analysis/guidance/dfa_failure_initiators.rst
index dc724eb72a..7199d7149d 100644
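Review bot: The new `dfa_failure_initiator_type` dict repeats the `fmea_fault_model_type` schema key for key, differing only in directive, title and prefix, so the two will drift the first time a pattern is tightened on one and not the other. I would build both from one helper, which also lets the `"^.*$"` patterns on `element` and `failure_mode` become `"^.+$"` so a blank value no longer satisfies a mandatory option — assuming the project's metamodel check applies these regexes, which conf.py alone does not show. The comment states `parent_need` is auto-computed and not user-specified, yet the key is still added to `optional_options`; the comment should say why it is listed (so the checker accepts the auto-populated field) rather than only that users do not set it. Note that the free-form `failure_mode` pattern is what allows the guideline files in this series to embed IDs such as `fmea_fault_model__mf_01_05` as plain text in the option instead of a validated `:need:` link, so cross-reference breakage there will no longer be reported by sphinx-needs. The enclosing `setup(app)` starts before this hunk.

```python
def _safety_analysis_need_type(directive: str, title: str) -> dict:
    """Return the needs_types entry shared by the FMEA and DFA catalogue types.

    The id/parent patterns are derived from the directive so both types stay
    in lock-step; ``^.+$`` rejects blank values for mandatory options.
    """
    prefix = f"{directive}__"
    ref = f"^{prefix}[0-9a-z_]+$"
    return {
        "directive": directive,
        "title": title,
        "prefix": prefix,
        "tags": [],
        "parts": 2,
        "mandatory_options": {
            "id": ref,
            "status": "^(valid|draft)$",
            "element": "^.+$",
            "failure_mode": "^.+$",
            "importance": "^(High|Medium|Low)$",
        },
        # parent_need / parent_needs are auto-populated by sphinx-needs for needs
        # nested in another need's content; listed so the checker accepts them.
        "optional_options": {"parent_need": ref},
        "mandatory_links": {},
        "optional_links": {"parent_needs": ref},
    }


def setup(app):
    # … unchanged: explanatory comments …
    for need_type in (
        _safety_analysis_need_type("fmea_fault_model", "FMEA Fault Model"),
        _safety_analysis_need_type("dfa_failure_initiator", "DFA Failure Initiator"),
    ):
        app.config.needs_types.append(need_type)
    # … unchanged: needs_extra_options registration loop …
```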
--- a/process/process_areas/safety_analysis/guidance/dfa_failure_initiators.rst
+++ b/process/process_areas/safety_analysis/guidance/dfa_failure_initiators.rst
@@ -34,168 +34,342 @@ In order to identify all cascading and common cause failures, which may initiate use the following framework of dependent failure initiators to check your completeness of the analysis. DFA failure initiators -====================== +---------------------- -2.1 Shared resources +Shared resources +~~~~~~~~~~~~~~~~ .. note:: Shared libraries are only than to be considered as a shared resource if the feature and the related safety mechanisms are using this specific library. If the library is not used by the feature or the related safety mechanisms, it is not a shared resource. -.. list-table:: DFA shared resources (used for Platform DFA) - :header-rows: 1 - :widths: 10,50,10 - - * - ID - - Violation cause shared resources - - Importance (can be used for prioritization) - * - SR_01_01 - - Reused software components - - Medium - * - SR_01_02 - - Libraries - - Medium - * - SR_01_04 - - Basic software - - Medium - * - SR_01_05 - - Operating system including scheduler - - Medium - * - SR_01_06 - - Any service stack, e.g. communication stack - - Medium - * - SR_01_07 - - Configuration data - - Medium - * - SR_01_09 - - Execution time - - Medium - * - SR_01_10 - - Allocated memory - - Medium - - -| 2.2 Communication between the two elements: -| Receiving function is affected by information that is false, lost, sent multiple times, or in the wrong order etc. from the sender. - -.. 
list-table:: DFA communication between elements - :header-rows: 1 - :widths: 10,50,10 - - * - ID - - Violation cause communication between elements - - Importance (can be used for prioritization) - * - CO_01_01 - - Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow) - - Medium - * - CO_01_02 - - Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information - - Medium - * - CO_01_03 - - Insertion / sequence of information - - Medium - * - CO_01_04 - - Corruption of information, inconsistent data - - Medium - * - CO_01_05 - - Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same information - - Medium - * - CO_01_06 - - Information from a sender received by only a subset of the receivers - - Medium - * - CO_01_07 - - Blocking access to a communication channel - - Medium - -| 2.3 Shared information inputs -| Same information input used by multiple functions. - -.. list-table:: DFA shared information inputs - :header-rows: 1 - :widths: 10,50,10 - - * - ID - - Violation cause shared information inputs - - Importance (can be used for prioritization) - * - SI_01_02 - - Configuration data - - Medium - * - SI_01_03 - - Constants, or variables, being global to the two software functions - - Medium - * - SI_01_04 - - Basic software passes data (read from hardware register and converted into logical information) to two applications software functions - - Medium - * - SI_01_05 - - Data / function parameter arguments / messages delivered by software function to more than one other function - - Medium - -| 2.4 Unintended impact -| Unintended impacts to function due to various failures. - -.. 
list-table:: DFA unintended impact - :header-rows: 1 - :widths: 10,50,10 - - * - ID - - Violation cause unintended impact - - Importance (can be used for prioritization) - * - UI_01_01 - - Memory miss-allocation and leaks - - Medium - * - UI_01_02 - - Read/Write access to memory allocated to another software element - - Medium - * - UI_01_03 - - Stack/Buffer under-/overflow - - Medium - * - UI_01_04 - - Deadlocks - - Medium - * - UI_01_05 - - Livelocks - - Medium - * - UI_01_06 - - Blocking of execution - - Medium - * - UI_01_07 - - Incorrect allocation of execution time - - Medium - * - UI_01_08 - - Incorrect execution flow - - Medium - * - UI_01_09 - - Incorrect synchronization between software elements - - Medium - * - UI_01_10 - - CPU time depletion - - Medium - * - UI_01_11 - - Memory depletion - - Medium - * - UI_01_12 - - Other HW unavailability - - Medium - -| Development failure initiators -| Section is **only applicable if a divers SW development is needed** due to decomposition. - -:note: Section shall be applied only once to analyse all dependencies of the features. Results shall be checked during of the analysis of new features if this is applicable to the feature. - -.. list-table:: DFA development failure initiators (Platform DFA) - :header-rows: 1 - :widths: 10,50,10 - - * - ID - - Violation cause development failure initiators - - Importance (can be used for prioritization) - * - SC_01_02 - - Same development approaches (e.g. IDE, programming and/or modelling language) - - Medium - * - SC_01_03 - - Same personal - - Medium - * - SC_01_04 - - Same social-cultural context (even if different personnel). Only applicable if diverse development is needed. - - Medium - * - SC_01_05 - - Development fault (e.g. human error, insufficient qualification, insufficient methods). Only applicable if diverse development is needed. - - Medium +.. 
dfa_failure_initiator:: Reused software components + :id: dfa_failure_initiator__sr_01_01 + :status: valid + :element: shared resource + :failure_mode: Reused software components + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Libraries + :id: dfa_failure_initiator__sr_01_02 + :status: valid + :element: shared resource + :failure_mode: Libraries + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Basic software + :id: dfa_failure_initiator__sr_01_04 + :status: valid + :element: shared resource + :failure_mode: Basic software + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Operating system including scheduler + :id: dfa_failure_initiator__sr_01_05 + :status: valid + :element: shared resource + :failure_mode: Operating system including scheduler + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Any service stack, e.g. communication stack + :id: dfa_failure_initiator__sr_01_06 + :status: valid + :element: shared resource + :failure_mode: Any service stack, e.g. communication stack + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Configuration data + :id: dfa_failure_initiator__sr_01_07 + :status: valid + :element: shared resource + :failure_mode: Configuration data + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Execution time + :id: dfa_failure_initiator__sr_01_09 + :status: valid + :element: shared resource + :failure_mode: Execution time + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Allocated memory + :id: dfa_failure_initiator__sr_01_10 + :status: valid + :element: shared resource + :failure_mode: Allocated memory + :importance: Medium + :hide: + +.. 
needtable:: + :style: table + :columns: id;failure_mode;importance + :colwidths: 20,60,20 + :filter: type == "dfa_failure_initiator" and element == "shared resource" and is_external == False + + +Communication between elements +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Receiving function is affected by information that is false, lost, sent multiple times, or in the wrong order etc. from the sender. + +.. dfa_failure_initiator:: Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow) + :id: dfa_failure_initiator__co_01_01 + :status: valid + :element: communication + :failure_mode: Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow) + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information + :id: dfa_failure_initiator__co_01_02 + :status: valid + :element: communication + :failure_mode: Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Insertion / sequence of information + :id: dfa_failure_initiator__co_01_03 + :status: valid + :element: communication + :failure_mode: Insertion / sequence of information + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Corruption of information, inconsistent data + :id: dfa_failure_initiator__co_01_04 + :status: valid + :element: communication + :failure_mode: Corruption of information, inconsistent data + :importance: Medium + :hide: + +.. 
dfa_failure_initiator:: Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same information + :id: dfa_failure_initiator__co_01_05 + :status: valid + :element: communication + :failure_mode: Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same information + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Information from a sender received by only a subset of the receivers + :id: dfa_failure_initiator__co_01_06 + :status: valid + :element: communication + :failure_mode: Information from a sender received by only a subset of the receivers + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Blocking access to a communication channel + :id: dfa_failure_initiator__co_01_07 + :status: valid + :element: communication + :failure_mode: Blocking access to a communication channel + :importance: Medium + :hide: + +.. needtable:: + :style: table + :columns: id;failure_mode;importance + :colwidths: 20,60,20 + :filter: type == "dfa_failure_initiator" and element == "communication" and is_external == False + +Shared information inputs +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Same information input used by multiple functions. + +.. dfa_failure_initiator:: Configuration data + :id: dfa_failure_initiator__si_01_02 + :status: valid + :element: shared information input + :failure_mode: Configuration data + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Constants, or variables, being global to the two software functions + :id: dfa_failure_initiator__si_01_03 + :status: valid + :element: shared information input + :failure_mode: Constants, or variables, being global to the two software functions + :importance: Medium + :hide: + +.. 
dfa_failure_initiator:: Basic software passes data (read from hardware register and converted into logical information) to two applications software functions + :id: dfa_failure_initiator__si_01_04 + :status: valid + :element: shared information input + :failure_mode: Basic software passes data (read from hardware register and converted into logical information) to two applications software functions + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Data / function parameter arguments / messages delivered by software function to more than one other function + :id: dfa_failure_initiator__si_01_05 + :status: valid + :element: shared information input + :failure_mode: Data / function parameter arguments / messages delivered by software function to more than one other function + :importance: Medium + :hide: + +.. needtable:: + :style: table + :columns: id;failure_mode;importance + :colwidths: 20,60,20 + :filter: type == "dfa_failure_initiator" and element == "shared information input" and is_external == False + +Unintended impact +~~~~~~~~~~~~~~~~~ + +Unintended impacts to function due to various failures. + +.. dfa_failure_initiator:: Memory miss-allocation and leaks + :id: dfa_failure_initiator__ui_01_01 + :status: valid + :element: unintended impact + :failure_mode: Memory miss-allocation and leaks + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Read/Write access to memory allocated to another software element + :id: dfa_failure_initiator__ui_01_02 + :status: valid + :element: unintended impact + :failure_mode: Read/Write access to memory allocated to another software element + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Stack/Buffer under-/overflow + :id: dfa_failure_initiator__ui_01_03 + :status: valid + :element: unintended impact + :failure_mode: Stack/Buffer under-/overflow + :importance: Medium + :hide: + +.. 
dfa_failure_initiator:: Deadlocks + :id: dfa_failure_initiator__ui_01_04 + :status: valid + :element: unintended impact + :failure_mode: Deadlocks + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Livelocks + :id: dfa_failure_initiator__ui_01_05 + :status: valid + :element: unintended impact + :failure_mode: Livelocks + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Blocking of execution + :id: dfa_failure_initiator__ui_01_06 + :status: valid + :element: unintended impact + :failure_mode: Blocking of execution + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Incorrect allocation of execution time + :id: dfa_failure_initiator__ui_01_07 + :status: valid + :element: unintended impact + :failure_mode: Incorrect allocation of execution time + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Incorrect execution flow + :id: dfa_failure_initiator__ui_01_08 + :status: valid + :element: unintended impact + :failure_mode: Incorrect execution flow + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Incorrect synchronization between software elements + :id: dfa_failure_initiator__ui_01_09 + :status: valid + :element: unintended impact + :failure_mode: Incorrect synchronization between software elements + :importance: Medium + :hide: + +.. dfa_failure_initiator:: CPU time depletion + :id: dfa_failure_initiator__ui_01_10 + :status: valid + :element: unintended impact + :failure_mode: CPU time depletion + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Memory depletion + :id: dfa_failure_initiator__ui_01_11 + :status: valid + :element: unintended impact + :failure_mode: Memory depletion + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Other HW unavailability + :id: dfa_failure_initiator__ui_01_12 + :status: valid + :element: unintended impact + :failure_mode: Other HW unavailability + :importance: Medium + :hide: + +.. 
needtable:: + :style: table + :columns: id;failure_mode;importance + :colwidths: 20,60,20 + :filter: type == "dfa_failure_initiator" and element == "unintended impact" and is_external == False + +Development failure initiators +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Section is **only applicable if a divers SW development is needed** due to decomposition. + +.. note:: Section shall be applied only once to analyse all dependencies of the features. Results shall be checked during of the analysis of new features if this is applicable to the feature. + +.. dfa_failure_initiator:: Same development approaches (e.g. IDE, programming and/or modelling language) + :id: dfa_failure_initiator__sc_01_02 + :status: valid + :element: development + :failure_mode: Same development approaches (e.g. IDE, programming and/or modelling language) + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Same personal + :id: dfa_failure_initiator__sc_01_03 + :status: valid + :element: development + :failure_mode: Same personal + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Same social-cultural context (even if different personnel). Only applicable if diverse development is needed. + :id: dfa_failure_initiator__sc_01_04 + :status: valid + :element: development + :failure_mode: Same social-cultural context (even if different personnel). Only applicable if diverse development is needed. + :importance: Medium + :hide: + +.. dfa_failure_initiator:: Development fault (e.g. human error, insufficient qualification, insufficient methods). Only applicable if diverse development is needed. + :id: dfa_failure_initiator__sc_01_05 + :status: valid + :element: development + :failure_mode: Development fault (e.g. human error, insufficient qualification, insufficient methods). Only applicable if diverse development is needed. + :importance: Medium + :hide: + +.. 
needtable:: + :style: table + :columns: id;failure_mode;importance + :colwidths: 20,60,20 + :filter: type == "dfa_failure_initiator" and element == "development" and is_external == False diff --git a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst index ffe43e5010..7ea126e63c 100644 --- a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst +++ b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst 
@@ -35,42 +35,53 @@ Fault Models for sequence diagrams :id: fmea_fault_model__mf_01_01 :status: valid :element: message + :failure_mode: message is not received,Is a subset/more precise description of fmea_fault_model__mf_01_05. :importance: High :hide: - Is a subset/more precise description of :need:`fmea_fault_model__mf_01_05`. + + .. fmea_fault_model:: message received too late :id: fmea_fault_model__mf_01_02 :status: valid :element: message + :failure_mode: message received too late ,Only relevant if delay is a realistic fault :importance: Medium :hide: - Only relevant if delay is a realistic fault. + + + .. fmea_fault_model:: message received too early :id: fmea_fault_model__mf_01_03 :status: valid :element: message + :failure_mode: message received too early,Usually not a problem :importance: Low :hide: - Usually not a problem. + + + .. fmea_fault_model:: message not received correctly by all recipients :id: fmea_fault_model__mf_01_04 :status: valid :element: message + :failure_mode: message not received correctly by all recipients,Different messages or messages partly lost. Only relevant if the same message goes to multiple recipients. :importance: High :hide: - Different messages or messages partly lost. Only relevant if the same message goes to multiple recipients. + + .. fmea_fault_model:: message is corrupted :id: fmea_fault_model__mf_01_05 :status: valid :element: message + :failure_mode: message is corrupted :importance: High :hide: @@ -78,6 +89,7 @@ Fault Models for sequence diagrams :id: fmea_fault_model__mf_01_06 :status: valid :element: message + :failure_mode: message is not sent :importance: High :hide: @@ -85,6 +97,7 @@ Fault Models for sequence diagrams :id: fmea_fault_model__mf_01_07 :status: valid :element: message + :failure_mode: message is unintended sent :importance: High :hide: 
@@ -92,6 +105,7 @@ Fault Models for sequence diagrams :id: fmea_fault_model__co_01_01 :status: valid :element: duration/time constraint + :failure_mode: minimum constraint boundary is violated :importance: Medium :hide: @@ -99,6 +113,7 @@ Fault Models for sequence diagrams :id: fmea_fault_model__co_01_02 :status: valid :element: duration/time constraint + :failure_mode: maximum constraint boundary is violated :importance: High :hide: @@ -106,36 +121,43 @@ Fault Models for sequence diagrams :id: fmea_fault_model__ex_01_01 :status: valid :element: execution + :failure_mode: process calculates wrong results, Is a subset/more precise description of fmea_fault_model__mf_01_05 or fmea_fault_model__mf_01_04. This failure mode is relevant to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size/complexity of the feature. :importance: High :hide: - Is a subset/more precise description of :need:`fmea_fault_model__mf_01_05` or - :need:`fmea_fault_model__mf_01_04`. This failure mode is relevant to the analysis - if e.g. internal safety mechanisms are required (level 2 function, plausibility - check of the output, …) because of the size/complexity of the feature. + + + .. fmea_fault_model:: processing too slow :id: fmea_fault_model__ex_01_02 :status: valid :element: execution + :failure_mode: processing too slow,Only relevant if timing is considered :importance: Medium :hide: - Only relevant if timing is considered. + + + .. fmea_fault_model:: processing too fast :id: fmea_fault_model__ex_01_03 :status: valid :element: execution + :failure_mode: processing too fast,Only relevant if timing is considered :importance: Medium :hide: - Only relevant if timing is considered. + + + .. fmea_fault_model:: loss of execution :id: fmea_fault_model__ex_01_04 :status: valid :element: execution + :failure_mode: loss of execution :importance: High :hide: 
@@ -143,6 +165,7 @@ Fault Models for sequence diagrams :id: fmea_fault_model__ex_01_05 :status: valid :element: execution + :failure_mode: processing changes to arbitrary process :importance: Medium :hide: @@ -150,15 +173,18 @@ Fault Models for sequence diagrams :id: fmea_fault_model__ex_01_06 :status: valid :element: execution + :failure_mode: processing is not complete :importance: High :hide: Infinite loop. + + .. needtable:: :style: table - :columns: element;id;title;importance - :colwidths: 15,20,50,15 + :columns: element;id;failure_mode;importance + :colwidths: 10,15,35,10 results = []