From 4eef32d51d149ae4cfb6558b8b20d75ce6afa6cb Mon Sep 17 00:00:00 2001
From: "Negm Adham (ETAS-ECM/ESY3)"
Date: Wed, 1 Apr 2026 18:13:55 +0200
Subject: [PATCH 1/3] Update Safety Analysis Template
---
 .../features/feature_name/safety_analysis/dfa.rst | 1 +
 .../features/feature_name/safety_analysis/fmea.rst | 2 ++
 .../module_name/component_name/docs/safety_analysis/dfa.rst | 1 +
 .../module_name/component_name/docs/safety_analysis/fmea.rst | 2 ++
 .../folder_templates/platform/docs/safety_mgt/platform_dfa.rst | 1 +
 5 files changed, 7 insertions(+)
diff --git a/process/folder_templates/features/feature_name/safety_analysis/dfa.rst b/process/folder_templates/features/feature_name/safety_analysis/dfa.rst
index 5dbd87ec21..125dcaa57d 100644
--- a/process/folder_templates/features/feature_name/safety_analysis/dfa.rst
+++ b/process/folder_templates/features/feature_name/safety_analysis/dfa.rst
@@ -193,6 +193,7 @@ For all identified applicable failure initiators, the DFA is performed in the fo
 :id: feat_saf_dfa____
 :failure_id:
 :failure_effect: "description of failure effect of the failure initiator on the element"
+ :safety_relevant:
 :mitigated_by:
 :mitigation_issue:
 :sufficient:
diff --git a/process/folder_templates/features/feature_name/safety_analysis/fmea.rst b/process/folder_templates/features/feature_name/safety_analysis/fmea.rst
index 4a298e035f..1d875115ca 100644
--- a/process/folder_templates/features/feature_name/safety_analysis/fmea.rst
+++ b/process/folder_templates/features/feature_name/safety_analysis/fmea.rst
@@ -122,6 +122,8 @@ For all identified applicable failure initiators, the FMEA is performed in the f
 :id: feat_saf_fmea____
 :fault_id:
 :failure_effect: "description of failure effect of the fault model on the element"
+ :failure_root_cause: "description of the root cause of the failure"
+ :safety_relevant:
 :mitigated_by:
 :mitigation_issue:
 :sufficient:
diff --git a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst
index 98a1b4e033..7af0a48cd0 100644
--- a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst
+++ b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/dfa.rst
@@ -193,6 +193,7 @@ For all identified applicable failure initiators, the DFA is performed in the fo
 :id: comp_saf_dfa____
 :failure_id:
 :failure_effect: "description of failure effect of the failure initiator on the element"
+ :safety_relevant:
 :mitigated_by:
 :mitigation_issue:
 :sufficient:
diff --git a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst
index 728d701951..11b429e10d 100644
--- a/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst
+++ b/process/folder_templates/modules/module_name/component_name/docs/safety_analysis/fmea.rst
@@ -121,6 +121,8 @@ For all identified applicable failure initiators, the FMEA is performed in the f
 :id: comp_saf_fmea____
 :fault_id:
 :failure_effect: "description of failure effect of the fault model on the element"
+ :failure_root_cause: "description of the root cause of the failure"
+ :safety_relevant:
 :mitigated_by:
 :mitigation_issue:
 :sufficient:
diff --git a/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst b/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst
index 917328cce3..4592c6ed72 100644
--- a/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst
+++ b/process/folder_templates/platform/docs/safety_mgt/platform_dfa.rst
@@ -263,6 +263,7 @@ For all identified applicable failure initiators, the DFA is performed in the fo
 :id: plat_saf_DFA__Platform__
 :failure_id:
 :failure_effect: "description of failure effect of the failure initiator on the element"
+ :safety_relevant:
 :mitigated_by:
 :mitigation_issue:
 :sufficient:
From 015106a773258081d003b3be8a8287e2d19d7e53 Mon Sep 17 00:00:00 2001
From: "Negm Adham (ETAS-ECM/ESY3)"
Date: Thu, 30 Apr 2026 15:08:42 +0200
Subject: [PATCH 2/3] Update Safety Analysis Process requirement
---
 .../guidance/safety_analysis_process_reqs.rst | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/process/process_areas/safety_analysis/guidance/safety_analysis_process_reqs.rst b/process/process_areas/safety_analysis/guidance/safety_analysis_process_reqs.rst
index b683a79fda..40b594465e 100644
--- a/process/process_areas/safety_analysis/guidance/safety_analysis_process_reqs.rst
+++ b/process/process_areas/safety_analysis/guidance/safety_analysis_process_reqs.rst
@@ -121,6 +121,24 @@ Process Safety Analysis Attributes Every Safety Analysis shall have a short description of the failure effect (e.g. failure lead to an unintended actuation of the analysed element) +.. gd_req:: Safety Analysis attribute: safety relevant + :id: gd_req__saf_attr_safety_relevant + :status: valid + :tags: done_automation, attribute, optional + :satisfies: wf__analyse_platform_featarch, wf__analyse_featarch, wf__analyse_comparch + :complies: std_req__iso26262__analysis_742 + + Each Safety Analysis may indicate whether the analysed failure is safety relevant. The value shall be either or . + +.. gd_req:: FMEA attribute: failure root cause + :id: gd_req__saf_attr_failure_root_cause + :status: valid + :tags: done_automation, attribute, optional + :satisfies: wf__analyse_featarch, wf__analyse_comparch + :complies: std_req__iso26262__analysis_742 + + Each FMEA may provide a short description of the root cause of the failure. + .. _process_requirements_safety_analysis_linkage: Safety Analysis Linkage From 38b72187e3a338f06b2f03d91cff92d211a76fde Mon Sep 17 00:00:00 2001 From: "Negm Adham (ETAS-ECM/ESY3)" Date: Thu, 30 Apr 2026 15:26:38 +0200 Subject: [PATCH 3/3] Update Safety Analysis Guideline --- .../safety_analysis/guidance/safety_analysis_guideline.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst b/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst index 6b8280d17c..ea3ed268cc 100644 --- a/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst +++ b/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst 
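Review bot: The permitted values for the new `safety_relevant` attribute are missing from the requirement text — `The value shall be either or .` names no values — so the `done_automation` check this requirement is tagged with has nothing concrete to enforce; if the values were only stripped by rendering this is a non-issue, but if the source reads this way it should become e.g. `The value shall be either ``yes`` or ``no``.` The attribute is also tagged `optional` without stating what an absent value means; because this field decides whether a failure is in scope for the safety argument, the requirement should spell out the default (e.g. an absent attribute is treated as safety relevant) so that an omitted field cannot silently take a failure out of scope. The blank lines of this hunk appear collapsed in this view, so its context may be incomplete.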
@@ -50,6 +50,8 @@ The attributes of the template are described in :ref:`process_requirements_safet
 #. Replace the placeholders in the "id" attribute with the name of the feature or component and a short description of the element so that it can be easily identified.
 #. Document the fault ID from the fault model :need:`gd_guidl__fault_models` that applies to the element in the "fault_id" attribute.
 #. Describe the failure effect of the fault model on the element in the "failure_effect" attribute. Use the failure mode description and enlarge the if it's applicable to the considered element.
+#. Document the root cause of the failure in the "failure_root_cause" attribute.
+#. Indicate whether the analysed failure is safety relevant using the "safety_relevant" attribute ( or ).
 #. Document the safety mitigation. This can be a detection, prevention or mitigation of the fault. If only testability is defined as mitigation measure, complexity requirements shall be allocated to the feature/component.
 #. If there is no mitigation or existing mitigation is not sufficient a mitigation issue has to be created in the Issue Tracking system and linked in the "mitigation_issue" attribute.
 #. The analysis is finished, if for each identified fault a sufficient mitigation exists.
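Review bot: The new step tells the analyst to classify the failure with `safety_relevant`, but the guideline never says what a negative classification means for the steps that follow — the completion criterion on the last line (`The analysis is finished, if for each identified fault a sufficient mitigation exists.`) still applies to every fault, so it is unclear whether a failure marked not safety relevant still needs `mitigated_by`/`sufficient` filled in or is excluded from that criterion. Since this attribute effectively works as a scope-out switch, I would add one sentence to the new step, e.g. `A failure marked as not safety relevant shall be justified in the "failure_effect" attribute and the classification is subject to safety review; it does not by itself satisfy the "sufficient" criterion.` (or whichever rule the process intends), and state the same in the DFA step. The permitted values in `( or )` also appear empty here; if that is not a rendering artifact, spell them out.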
@@ -79,6 +81,7 @@ The attributes of the template are described in :ref:`process_requirements_safet
 #. Replace the placeholders in the "id" attribute with the name of the feature or component and a short description of the element so that it can be easily identified.
 #. Document the failure ID from the failure initiator :need:`gd_guidl__dfa_failure_initiators` that applies to the element in the "failure_id" attribute.
 #. Describe the failure effect of the failure initiator on the element in the "failure_effect" attribute. Use the violation cause description and enlarge the if it's applicable to the considered element.
+#. Indicate whether the analysed failure is safety relevant using the "safety_relevant" attribute ( or ).
 #. Document the safety mitigation. This can be a detection, prevention or mitigation of the fault. If only testability is defined as mitigation measure, complexity requirements shall be allocated to the feature/component.
 #. If there is no mitigation or the mitigation is not sufficient a mitigation issue has to be created in the Issue Tracking system and linked in the "mitigation_issue" attribute.
 #. The analysis is finished, if for each identified fault a sufficient mitigation exists.
@@ -107,6 +110,8 @@ find possible failures. Therefore we need a mitigation.
 :id: feat_saf_fmea__mab__comp1_call_nreceived
 :fault_id: MF_01_01
 :failure_effect: Message is not received. This leads to a unavailability of a safety related functionality of the feature.
+ :failure_root_cause: The message is lost due to a communication error.
+ :safety_relevant: yes
 :mitigated_by: aou_req__mab__call_not_received
 :mitigation_issue:
 :sufficient: yes
@@ -132,6 +137,7 @@ In the static view of the example could be seen that component 1 uses component
 :id: feat_saf_dfa__mab__data_corruption
 :failure_id: CO_01_02
 :failure_effect: Data or message corruption will lead to a corruption of the data or message that could violate a safety functionality.
+ :safety_relevant: yes
 :mitigated_by: feat_req__mab_integritiy_check
 :mitigation_issue:
 :sufficient: yes
@@ -171,6 +177,7 @@ Additionally in the static view we see Component 4 is a library used by Componen
 :id: comp_saf_dfa__component4__allocated_memory
 :failure_id: SR_01_10
 :failure_effect: Component 4 is using allocated memory of Component 3
+ :safety_relevant: yes
 :mitigated_by: comp_req__memory_management
 :mitigation_issue:
 :sufficient: yes