From 6abeef1fa1de06c94bb2d518af26e01e07f9a212 Mon Sep 17 00:00:00 2001 From: pandaedo Date: Mon, 2 Feb 2026 12:32:30 +0100 Subject: [PATCH 1/2] fix typos --- .../architecture_design/guidance/architecture_guideline.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/process/process_areas/architecture_design/guidance/architecture_guideline.rst b/process/process_areas/architecture_design/guidance/architecture_guideline.rst index ac5e8db511..c698da8b75 100644 --- a/process/process_areas/architecture_design/guidance/architecture_guideline.rst +++ b/process/process_areas/architecture_design/guidance/architecture_guideline.rst @@ -226,8 +226,8 @@ for the static architecture a UML component diagram is expected (and supported b Dynamic architecture -------------------- The :need:`doc_concept__arch_process` shows the usage of UML sequence diagrams to describe dynamic -behaviour. This is also the expected default diagram. Alternatively, state machine diagrams can be used -to describe stateful behaviour. Other types like the activity diagram are not encouraged to use, +behavior. This is also the expected default diagram. Alternatively, state machine diagrams can be used +to describe stateful behavior. Other types like the activity diagram are not encouraged to use, if an activity diagram is used instead of a sequence diagram, this has to be argued as part of the architecture description. From d0841f562531d9afc755f329778fe38b220d376b Mon Sep 17 00:00:00 2001 From: pandaedo Date: Wed, 25 Feb 2026 11:33:04 +0100 Subject: [PATCH 2/2] include audit findings --- .../safety_mgt/module_safety_analysis_fdr.rst | 99 +++++++++---------- .../platform_safety_analysis_fdr.rst | 99 +++++++++---------- .../guidance/fault_models_guideline.rst | 2 +- .../guidance/safety_analysis_guideline.rst | 4 +- 4 files changed, 101 insertions(+), 103 deletions(-) 
diff --git a/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst b/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst index 499aff2254..9a6905a9c9 100644 --- a/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst +++ b/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst 
@@ -49,53 +49,52 @@ Please note that the "passed" column must contain "yes" or "no" for each checkli .. list-table:: Safety Analysis Checklist :header-rows: 1 - :widths: 10,30,30,15,8,8 - - * - Review ID - - Acceptance Criteria - - Guidance - - Passed - - Remarks - - Issue link - * - REQ_01_01 - - Is / are the attribute sufficient set correctly? - - The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. - - The mitigations are sufficient. - - - - - * - REQ_01_02 - - Are the templates for DFA and/or FMEA used? - - See :ref:`dfa_templates` / :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` - - Templates are used to generate the DFA and/or FMEA. - - - - - * - REQ_01_03 - - Were the failure initiators / fault models applied? - - See :need:`gd_guidl__dfa_failure_initiators` / :need:`gd_guidl__fault_models` - - The applicable items of the failure initiators / fault models are used to ensure a structured analysis. For all not applicable items an argument shall be given in the content of the document. - - - - - * - REQ_01_04 - - Are the failure effects clearly and completely described? - - Use the generic failure effect descriptions and enlarge the description if it's applicable to the considered element. - - The effects of the failure are described completely. The effect can be recognized easily. - - - - - * - REQ_01_06 - - Is the attribute "mitigated by" linked correct? - - Check if the correct failure effect is linked via "mitigated by". - - The "mitigated by" link is correct. - - - - - * - REQ_01_07 - - Is the sufficiency of the "mitigated by" (prevention, detection or mitigation) clearly described or easily recognizable? - - The sufficiency of the "mitigated by" is described in the content of the document. It can be recognized easily. 
- - The "mitigated by" shows clearly that a fault / failure can be mitigated by the linked requirement by prevention, detection or mitigation. It shall be described in the content. - - - - - * - REQ_01_08 - - Is the overall result of the Safety Analysis described in the report? - - It shall be shown in the report if the Safety Analyses are finished and if all artifacts are "valid" and "sufficient". - - The results of the Safety Analyses are described in the report. The report is available :need:`wp__verification_platform_ver_report`. - - - - + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Are the failure initiators :need:`[[title]] ` / fault models :need:`[[title]] ` applied? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are measures defined to resolute the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] ` + - + + * - 4 + - Is the result of the safety analysis indicate if the safety requirements are complied? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 5 + - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 6 + - Are the mitigations effective and implemented? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 7 + - Are the templates for DFA and/or FMEA used? See :ref:`dfa_templates` / :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] `, :need:`[[title]] ` + - 
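Review bot: the unchanged context line at the top of this hunk still says the "passed" column must contain "yes" or "no", but the new table has no "passed" column; the header is now "Compliant to ISO 26262?" and the cells carry "[YES | NO ]", so that note must be updated together with the table. The reference cells use `:need:`[[title]] `` with a space before the closing backtick; reStructuredText requires the end-string of interpreted text to be immediately preceded by non-whitespace, so these will not be recognized as roles and will render as literal text. Either remove the trailing space or, if these are deliberate fill-in placeholders, say so in the text above the table. Wording in the new rows: row 1 repeats "potential identified ... that has been identified" and should read "causes a violation"; rows 3 and 5 use "resolute" where "resolve" is meant; row 4 should read "Does the result of the safety analysis indicate whether the safety requirements are complied with?". Finally, the removed criteria REQ_01_04, REQ_01_06 and REQ_01_07 (completeness of the failure effect description, correctness and sufficiency of the "mitigated by" link) have no counterpart in the new list; please confirm that dropping them is intended rather than a side effect of replacing the table.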
diff --git a/process/folder_templates/platform/safety_planning/platform_safety_analysis_fdr.rst b/process/folder_templates/platform/safety_planning/platform_safety_analysis_fdr.rst index d97625d8da..c314cdb3ae 100644 --- a/process/folder_templates/platform/safety_planning/platform_safety_analysis_fdr.rst +++ b/process/folder_templates/platform/safety_planning/platform_safety_analysis_fdr.rst 
@@ -47,53 +47,52 @@ Please note that it is mandatory to fill in the "passed" column with "yes" or "n .. list-table:: Safety Analysis Checklist :header-rows: 1 - :widths: 10,30,30,15,8,8 - - * - Review ID - - Acceptance Criteria - - Guidance - - Passed - - Remarks - - Issue link - * - REQ_01_01 - - Is / are the attribute sufficient set correctly? - - The mitigations shall have a direct influence ont the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. - - The mitigations are sufficient. - - - - - * - REQ_01_02 - - Are the templates for DFA and/or FMEA used? - - See :ref:`dfa_templates` / :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` - - Templates are used to generate the DFA or / and FMEA. - - - - - * - REQ_01_03 - - Were the failure initiators / fault models applied? - - See :need:`gd_guidl__dfa_failure_initiators` / :need:`gd_guidl__fault_models` - - The applicable items of the failure initiators / fault models are used to ensure a structured analysis. For all not applicable items an argument shall be given in the content of the document. - - - - - * - REQ_01_04 - - Are the failure effects clearly and completely described? - - Use the generic failure effect descriptions and enlarge the description if it's applicable to the considered element. - - The effects of the failure is described completely. The effect can be recognized easily. - - - - - * - REQ_01_06 - - Is the attribute "mitigated by" linked correct? - - Check if the correct failure effect is linked via "mitigated by". - - The "mitigated by" link is correct. - - - - - * - REQ_01_07 - - Is the sufficiency of the "mitigated by" (prevention, detection or mitigation) described or can it be recognized easily? - - The sufficiency of the "mitigated by" is described in the content of the document. It can be recognized easily. 
- - The "mitigated by" shows clearly that a fault / failure can be mitigated by the linked requirement by prevention, detection or mitigation. It shall be described in the contend. - - - - - * - REQ_01_08 - - Is the overall result of the Safety Analysis described in the report? - - It shall be shown in the report if the Safety Analysis are finished and if all artifacts are "valid" and "sufficient". - - The results of the Safety Analysis are described in the report. The report is available :need:`wp__verification_platform_ver_report`. - - - - + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Are the failure initiators :need:`[[title]] ` / fault models :need:`[[title]] ` applied? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are measures defined to resolute the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] ` + - + + * - 4 + - Is the result of the safety analysis indicate if the safety requirements are complied? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 5 + - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 6 + - Are the mitigations effective and implemented? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 7 + - Are the templates for DFA and/or FMEA used? See :ref:`dfa_templates` / :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] `, :need:`[[title]] ` + - 
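Review bot: this table is a verbatim copy of the one added to module_safety_analysis_fdr.rst in the same patch and carries the same defects: the context line above it still refers to filling in the "passed" column that no longer exists, the `:need:`[[title]] `` references have a trailing space before the closing backtick and will not parse as roles, and rows 1, 3, 4 and 5 have the same grammar slips ("cause" for "causes", "resolute" for "resolve", "Is the result ... indicate if ... complied"). Since the module and platform checklists are meant to stay identical, consider keeping the list in one included fragment so a fix lands in both places; otherwise apply the same corrections here.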
diff --git a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst index 88ba4ae5a2..34f7d9d59c 100644 --- a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst +++ b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst @@ -75,7 +75,7 @@ Fault Models for sequence diagrams - High * - execution - EX_01_01 - - Process calculates wrong result(s) (is a subset/more precise description of MF_01_05 or MF_01_04) + - Process calculates wrong result(s) (is a subset/more precise description of MF_01_05 or MF_01_04). This failure mode is related to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size / complexity of the feature. - High * - execution - EX_01_02 diff --git a/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst b/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst index f854bd32a4..a38e08ee97 100644 --- a/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst +++ b/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst 
@@ -50,7 +50,7 @@ The attributes of the template are described in :ref:`process_requirements_safet #. Replace the placeholders in the "id" attribute with the name of the feature or component and a short description of the element so that it can be easily identified. #. Document the fault ID from the fault model :need:`gd_guidl__fault_models` that applies to the element in the "fault_id" attribute. #. Describe the failure effect of the fault model on the element in the "failure_effect" attribute. Use the failure mode description and enlarge the if it's applicable to the considered element. -#. Document the safety mitigation. This can be a detection, prevention or mitigation of the fault. +#. Document the safety mitigation. This can be a detection, prevention or mitigation of the fault. If only testability is defined as mitigation measure, complexity requirements shall be allocated to the feature/component. #. If there is no mitigation or existing mitigation is not sufficient a mitigation issue has to be created in the Issue Tracking system and linked in the "mitigation_issue" attribute. #. The analysis is finished, if for each identified fault a sufficient mitigation exists. #. Unless the attribute sufficient is yes, mitigation and argument attribute can be still empty. 
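Review bot: the added sentence introduces "complexity requirements" without saying what they are or where they are specified, while the neighbouring steps link their terms (e.g. :need:`gd_guidl__fault_models`); add a reference to the requirement or guideline that defines complexity requirements and name the attribute in which the allocation is recorded. "Testability" is also not one of the three kinds of mitigation listed in the preceding sentence (detection, prevention, mitigation), so state how a testability-only mitigation is expected to be expressed in the "mitigation" attribute. Unrelated to the change but visible in the context lines: step 3 reads "enlarge the if it's applicable", which is missing "description".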
@@ -79,7 +79,7 @@ The attributes of the template are described in :ref:`process_requirements_safet #. Replace the placeholders in the "id" attribute with the name of the feature or component and a short description of the element so that it can be easily identified. #. Document the failure ID from the failure initiator :need:`gd_guidl__dfa_failure_initiators` that applies to the element in the "failure_id" attribute. #. Describe the failure effect of the failure initiator on the element in the "failure_effect" attribute. Use the violation cause description and enlarge the if it's applicable to the considered element. -#. Document the safety mitigation. This can be a detection, prevention or mitigation of the fault. +#. Document the safety mitigation. This can be a detection, prevention or mitigation of the fault. If only testability is defined as mitigation measure, complexity requirements shall be allocated to the feature/component. #. If there is no mitigation or the mitigation is not sufficient a mitigation issue has to be created in the Issue Tracking system and linked in the "mitigation_issue" attribute. #. The analysis is finished, if for each identified fault a sufficient mitigation exists. #. Unless the attribute sufficient is yes, mitigation and argument attribute can be still empty.
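Review bot: in this DFA hunk (line 79) the added clause "If only testability is defined as mitigation measure, complexity requirements shall be allocated to the feature/component" needs the same grounding as elsewhere in these steps: a reference to where complexity requirements are defined and the attribute that records the allocation. The modified step also still says "mitigation of the fault", whereas this section works with failure initiators and the steps above use "failure_id" and "failure_effect"; "of the failure" would be consistent. The unchanged context line "enlarge the if it's applicable" is missing "description" as well.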
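Review bot: in the fault_models_guideline.rst hunk (row EX_01_01), the appended sentence "This failure mode is related to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size / complexity of the feature." is hard to parse as guidance; suggest "Use this failure mode to assess whether internal safety mechanisms (e.g. a level 2 function or a plausibility check of the output) are required because of the size or complexity of the feature." The bare "…" inside the parenthesis should be spelled out or dropped, and if "level 2 function" is a defined term in this process, link its definition.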