diff --git a/docs/index.rst b/docs/index.rst index 8417fd620e..7949987b44 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -89,7 +89,7 @@ Project structure and processes .. grid-item-card:: Platform Management Plan (PMP) - ^^^ + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Read about our project and organization structure in the :ref:`Project Handbook `. And learn how we deal with :ref:`Platform Safety Plan ` or care about :ref:`Software Verification Plan `. @@ -105,10 +105,12 @@ Project structure and processes requirements/index modules/index contribute/index + release/index Releases Tools PMP + safety/index Eclipse design_decisions/index diff --git a/docs/platform_management_plan/index.rst b/docs/platform_management_plan/index.rst index b75d3fdbc9..1f3e0aa00b 100644 --- a/docs/platform_management_plan/index.rst +++ b/docs/platform_management_plan/index.rst @@ -50,3 +50,4 @@ Platform Management Plan role_assignment/platform_safety_manager role_assignment/platform_security_manager role_assignment/platform_quality_manager + diff --git a/docs/platform_management_plan/safety_management.rst b/docs/platform_management_plan/safety_management.rst index 9b5c35ecdc..41979d26b8 100644 --- a/docs/platform_management_plan/safety_management.rst +++ b/docs/platform_management_plan/safety_management.rst @@ -377,8 +377,8 @@ Functional Safety/Security Management SW Platform Work Products * - :need:`wp__verification_platform_ver_report` - :ndf:`copy('status', need_id='wf__verification_platform_ver_report')` - - - - + - :need:`doc__platform_verification_report` + - draft * - :need:`wp__requirements_stkh` - :ndf:`copy('status', need_id='wf__req_stkh_req')` 
@@ -429,18 +429,18 @@ Functional Safety Specific SW Platform Work Products * - :need:`wp__fdr_reports` (platform Safety Plan) - :ndf:`copy('status', need_id='wf__p_formal_rv')` - - - - + - :need:`doc__platform_safety_plan_fdr` + - draft * - :need:`wp__fdr_reports` (platform Safety Package) - :ndf:`copy('status', need_id='wf__p_formal_rv')` - - - - + - :need:`doc__platform_safety_package_fdr` + - draft * - :need:`wp__fdr_reports` (feature's Safety Analyses & DFA) - :ndf:`copy('status', need_id='wf__p_formal_rv')` - - - - + - :need:`doc__platform_safety_analysis_fdr` + - draft * - :need:`wp__audit_report` - performed by external experts @@ -449,13 +449,13 @@ Functional Safety Specific SW Platform Work Products * - :need:`wp__platform_dfa` - :ndf:`copy('status', need_id='wf__analyse_platform_featarch')` - - - - + - :need:`doc__platform_dfa` + - draft * - :need:`wp__platform_safety_manual` - :ndf:`copy('status', need_id='wf__cr_mt_safety_manual')` - - - - + - :need:`doc__platform_safety_manual` + - draft * - :need:`wp__safety_tailoring` (generic) - :ndf:`copy('status', need_id='wf__def_app_process_description')` diff --git a/docs/release/index.rst b/docs/release/index.rst new file mode 100644 index 0000000000..4dfff31c60 --- /dev/null +++ b/docs/release/index.rst 
@@ -0,0 +1,25 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +.. + +Release documentation +===================== + +Release specific documentation for Platform is listed here + +.. toctree:: + :maxdepth: 1 + + platform_ver_report.rst diff --git a/docs/release/platform_ver_report.rst b/docs/release/platform_ver_report.rst new file mode 100644 index 0000000000..d226f7ee09 --- /dev/null +++ b/docs/release/platform_ver_report.rst 
@@ -0,0 +1,59 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Platform Verification Report +============================ + +.. document:: Platform Verification Report + :id: doc__platform_verification_report + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__verification_platform_ver_report + :tags: + + + +**** + + **1. Verification Coverage** + + **1.1. on Requirements** + - Lists of stakeholder and feature requirements tested by which test case, passed/failed/not_run and completeness verdict + (this shall be generated by tools and accompanied by progress charts to be usable also for project steering) + - For external component Assumptions of Use: coverage by platform safety manual + - This is split in a list of QM requirements tested and a separate list of tests for ASIL rated requirements. + - List of stakeholder requirements (ASIL rated) linked to inspection checklist and verdict (derived from PR export) + + **1.2. on Architecture** + - List of feature architecture tags tested by which test case, passed/failed and completeness verdict + (this shall be generated by tools and accompanied by progress charts to be usable also for project steering) + - This is split in a list of QM features tested and a separate list of tests for ASIL rated features. 
+ - List of feature architecture tags (ASIL rated) linked to inspection checklist and verdict (derived from PR export) + + - The lists may also contain other verification methods + + **2. Safety Analyses Report** + - List of the performed Platform and Feature Safety Analyses, pass/fail with open mitigations + + **3. Test results** + - Test result per test case with status passed/failed/not_run for :need:`wp__verification_platform_int_test` and :need:`wp__verification_feat_int_test` + + **4. Test logs** + - Test log per test case with status passed/failed/not_run for :need:`wp__verification_platform_int_test` and :need:`wp__verification_feat_int_test` + with status passed/failed/not_run + + **Note1: The verification report is valid for the platform version tagged together with the report** + + **Note2: All the above lists are generated automatically** diff --git a/docs/safety/fdr_reports_safety_analyses_DFA.rst b/docs/safety/fdr_reports_safety_analyses_DFA.rst new file mode 100644 index 0000000000..4889206c42 --- /dev/null +++ b/docs/safety/fdr_reports_safety_analyses_DFA.rst 
@@ -0,0 +1,91 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Safety Analysis Formal Review Report +==================================== + +.. document:: Safety Analysis Formal Review Report + :id: doc__platform_safety_analysis_fdr + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__fdr_reports + :tags: + + +**Purpose** +The purpose of this Safety Analysis (DFA and FMEA) checklist template is to collect the topics to be checked during verification of the Platform Safety Analysis & DFA. + +**Conduct** +As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: + +- reviewer: + +**Checklist** + +Please note that it is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additional to add in the remarks why it is passed or not passed. In case of "no" an issue link to the issue tracking system has to be added in the last column. See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Safety Analysis Checklist + :header-rows: 1 + :widths: 10,30,30,15,8,8 + + * - Review ID + - Acceptance Criteria + - Guidance + - Passed + - Remarks + - Issue link + * - REQ_01_01 + - Is / are the attribute sufficient set correctly? 
+ - The mitigations shall have a direct influence ont the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. + - The mitigations are sufficient. + - + - + * - REQ_01_02 + - Are the templates for DFA and/or FMEA used? + - See :need:`doc__platform_dfa` + - Templates are used to generate the DFA or / and FMEA. + - + - + * - REQ_01_03 + - Were the failure initiators / fault models applied? + - See :need:`gd_guidl__dfa_failure_initiators` / :need:`gd_guidl__fault_models` + - The applicable items of the failure initiators / fault models are used to ensure a structured analysis. For all not applicable items an argument shall be given in the content of the document. + - + - + * - REQ_01_04 + - Are the failure effects clearly and completely described? + - Use the generic failure effect descriptions and enlarge the description if it's applicable to the considered element. + - The effects of the failure is described completely. The effect can be recognized easily. + - + - + * - REQ_01_06 + - Is the attribute "mitigated by" linked correct? + - Check if the correct failure effect is linked via "mitigated by". + - The "mitigated by" link is correct. + - + - + * - REQ_01_07 + - Is the sufficiency of the "mitigated by" (prevention, detection or mitigation) described or can it be recognized easily? + - The sufficiency of the "mitigated by" is described in the content of the document. It can be recognized easily. + - The "mitigated by" shows clearly that a fault / failure can be mitigated by the linked requirement by prevention, detection or mitigation. It shall be described in the contend. + - + - + * - REQ_01_08 + - Is the overall result of the Safety Analysis described in the report? + - It shall be shown in the report if the Safety Analysis are finished and if all artifacts are "valid" and "sufficient". + - The results of the Safety Analysis are described in the report. The report is available :need:`wp__verification_platform_ver_report`. 
+ - + - diff --git a/docs/safety/fdr_reports_safety_package.rst b/docs/safety/fdr_reports_safety_package.rst new file mode 100644 index 0000000000..fbd55b3db1 --- /dev/null +++ b/docs/safety/fdr_reports_safety_package.rst 
@@ -0,0 +1,73 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Safety Package Formal Review Report +=================================== + +.. document:: Platform Safety Package Formal Review + :id: doc__platform_safety_package_fdr + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__fdr_reports + :tags: draft + + + +**Purpose** + +The purpose of this review checklist is to report status of the formal review for the Platform safety package. + +**Conduct** +As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: + +- reviewer: + +**Checklist** + +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Safety Package Checklist + :header-rows: 1 + + * - Id + - Safety package activity + - Compliant to ISO 26262? + - Comment + + * - 1 + - Is a safety package provided which matches the safety plan (i.e. all planned work products referenced)? + - [YES | NO ] + - + + * - 2 + - Is the argument how functional safety is achieved, provided in the safety package, plausible and sufficient? + - NO + - The argument is intentionally not provided by the project. + + * - 3 + - Are the referenced work products available? + - [YES | NO ] + - + + * - 4 + - Are the referenced work products in released state, including the process safety audit? 
+ - [YES | NO ] + - + + * - 5 + - If safety related deviations from the process or safety concept are documented, are these argued understandably? + - [YES | NO ] + - diff --git a/docs/safety/fdr_reports_safety_platform_safety_plan.rst b/docs/safety/fdr_reports_safety_platform_safety_plan.rst new file mode 100644 index 0000000000..99961b8f46 --- /dev/null +++ b/docs/safety/fdr_reports_safety_platform_safety_plan.rst 
@@ -0,0 +1,102 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Safety Plan Formal Review Report +================================ + +.. document:: S-CORE Platform Safety Plan Formal Review + :id: doc__platform_safety_plan_fdr + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__fdr_reports + :tags: + + +**Purpose** + +The purpose of this safety plan formal review checklist is to report status of the review for the Platform safety plan. + +**Conduct** +As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: + +- reviewer: + +**Checklist** + +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Safety Plan Checklist + :header-rows: 1 + + * - Id + - Safety plan activity + - Compliant to ISO 26262? + - Comment + + * - 1 + - Is the rationale for the safety work products tailoring included? + - [YES | NO ] + - + + * - 2 + - Is impact analysis planned in case of re-use of SW (needed for every release following the first formal release)? + - [YES | NO ] + - + + * - 3 + - Does the safety plan define all needed activities for safety management (incl. formal document review and Safety Audit)? + - [YES | NO ] + - + + * - 4 + - Does the safety plan define all needed activities for System and SW development, integration and verification? 
+ - [YES | NO ] + - + + * - 5 + - Does the safety plan define all needed activities for safety analysis and DFA? + - [YES | NO ] + - + + * - 6 + - Does the safety plan define all needed activities for supporting processes (incl. tool mgt)? + - [YES | NO ] + - + + * - 7 + - Does the safety plan document a responsible for all activities? + - [YES | NO ] + - + + * - 8 + - If OSS software components is used, is it planned to be qualified? + - [YES | NO ] + - + + * - 9 + - Is a safety manager and a project manager appointed for the project? + - [YES | NO ] + - + + * - 10 + - Is safety plan sufficiently linked to the project plan? + - [YES | NO ] + - + + * - 11 + - Is safety plan updated iteratively to show the progress? + - [YES | NO ] + - diff --git a/docs/safety/index.rst b/docs/safety/index.rst new file mode 100644 index 0000000000..4f4afbc0ee --- /dev/null +++ b/docs/safety/index.rst @@ -0,0 +1,29 @@ +.. + # ******************************************************************************* + # Copyright (c) 2024 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +.. + +Safety documentation +==================== + +Safety specific documentation for Platform is listed here + +.. toctree:: + :maxdepth: 1 + + fdr_reports_safety_analyses_DFA + fdr_reports_safety_package + fdr_reports_safety_platform_safety_plan + platform_dfa + platform_safety_manual diff --git a/docs/safety/platform_dfa.rst b/docs/safety/platform_dfa.rst new file mode 100644 index 0000000000..ddcca70195 --- /dev/null +++ b/docs/safety/platform_dfa.rst 
@@ -0,0 +1,47 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Platform DFA (Dependent Failure Analysis) +========================================= + +.. document:: Platform DFA + :id: doc__score_platform_dfa + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__platform_dfa + :tags: + +.. note:: The platform DFA is only performed once at platform level to analyse the dependencies between the features of the platform. + The results shall be used as an input for the safety analysis so that general safety mechanisms are only defined once and not in every single safety analysis. + +.. note:: Use the content of the document to describe e.g. why a fault model is not applicable for the diagram. + + +Dependent Failure Initiators +---------------------------- + +.. code-block:: rst + + .. plat_saf_dfa:: + :violates: <Feature architecture> + :id: plat_saf_DFA__<Feature>__<Element descriptor> + :failure_id: <ID from DFA failure initiators :need:`gd_guidl__dfa_failure_initiators`> + :failure_effect: "description of failure effect of the failure initiator on the element" + :mitigated_by: <ID from Stakeholder Requirement | ID from AoU Feature Requirement> + :mitigation_issue: <ID from Issue Tracker> + :sufficient: <yes|no> + :status: <valid|invalid> +.. note:: Argument is inside the 'content'. Therefore content is mandatory. 
diff --git a/docs/safety/platform_safety_manual.rst b/docs/safety/platform_safety_manual.rst new file mode 100644 index 0000000000..2e9ed93edd --- /dev/null +++ b/docs/safety/platform_safety_manual.rst 
@@ -0,0 +1,91 @@ +.. + # ******************************************************************************* + # Copyright (c) 2025 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Platform Safety Manual +====================== + +.. document:: Platform Safety Manual + :id: doc__platform_safety_manual + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__module_safety_manual + :tags: + + +Introduction/Scope +------------------ +| This Safety Manual applies to the S-CORE Platform + +Assumed Platform Safety Requirements +------------------------------------ +| For the S-CORE Platformhe following safety related stakeholder requirements are assumed to define the top level functionality (purpose) of the S-CORE Platform. I.e. from these all the feature and component requirements implemented are derived. +| **<List here all the stakeholder requirements, with safety level not equal to QM, the module's components requirements are derived from.>** + +Assumptions of Use +------------------ + +Assumptions on the Environment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +| Generally the assumption of the project platform SEooC is that it is integrated in a safe system, i.e. the POSIX OS it runs on is qualified and also the HW related failures are taken into account by the system integrator, if not otherwise stated in the module's safety concept. +| **<List here all the OS calls the project platform expects to be safe.>** + +List of AoUs expected from the environment the platform / module runs on: + +.. 
needtable:: + :style: table + :columns: title;id;status + :colwidths: 25,25,25 + :sort: title + + results = [] + + for need in needs.filter_types(["aou_req"]): + if need and "environment" in need["tags"]: + results.append(need) + +Assumptions on the User +^^^^^^^^^^^^^^^^^^^^^^^ +| As there is no assumption on which specific OS and HW is used, the integration testing of the stakeholder and feature requirements is expected to be performed by the user of the platform SEooC. Tests covering all stakeholder and feature requirements performed on a reference platform (tbd link to reference platform specification), reviewed and passed are included in the platform SEooC safety package. +| Additionally the components of the platform may have additional specific assumptions how they are used. These are part of every module documentation: <link to add>. Assumptions from components to their users can be fulfilled in two ways: +| 1. There are assumption which need to be fulfilled by all SW components, e.g. "every user of an IPC mechanism needs to make sure that he provides correct data (including appropriate ASIL level)" - in this case the AoU is marked as "platform". +| 2. There are assumption which can be fulfilled by a safety mechanism realized by some other project platform component and are therefore not relevant for an user who uses the whole platform. But those are relevant if you chose to use the module SEooC stand-alone - in this case the AoU is marked as "module". An example would be the "JSON read" which requires "The user shall provide a string as input which is not corrupted due to HW or QM SW errors." - which is covered when using together with safe project platform persistency feature. + +List of AoUs on the user of the platform features or the module of this safety manual: + +.. 
needtable:: + :style: table + :columns: title;id;status + :colwidths: 25,25,25 + :sort: title + + results = [] + + for need in needs.filter_types(["aou_req"]): + if need and "environment" not in need["tags"]: + results.append(need) + +Safety concept of the SEooC +--------------------------- +| **<Describe here the safety concept incl. which faults are taken care of, reactions of the implemented functions under anomalous operating conditions ... if this is not already documented sufficiently in the feature documentation "safety impact" section of all the features the module is used in.>** + +Safety Anomalies +---------------- +| Anomalies (bugs in ASIL SW, detected by testing or by users, which could not be fixed) known before release are documented in the platform/module release notes <add link to release note>. + +References +---------- +| **<link to the user manual>** +| **<other links>**
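Review bot: Whitespace-only change in docs/platform_management_plan/index.rst (hunk @@ -50,3 +50,4): the only added line is an empty one after `role_assignment/platform_safety_manager` / `role_assignment/platform_quality_manager`, which changes nothing in the rendered toctree and will be flagged by end-of-file / trailing-whitespace checks. Drop this hunk from the change.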
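Review bot: Hardcoded status in docs/platform_management_plan/safety_management.rst (hunks @@ -377, @@ -429 and @@ -449): every new row fills the status column with the literal `- draft` while the neighbouring column already pulls its status dynamically with `:ndf:`copy('status', need_id='...')``. The literal will silently go stale once the linked documents move out of draft. Use the same mechanism for the document status, e.g. `- :ndf:`copy('status', need_id='doc__platform_verification_report')`` for the verification report row, and likewise for the `doc__platform_safety_plan_fdr`, `doc__platform_safety_package_fdr`, `doc__platform_safety_analysis_fdr`, `doc__platform_dfa` and `doc__platform_safety_manual` rows.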
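Review bot: Toctree entry in docs/release/index.rst carries a file extension (`platform_ver_report.rst`) whereas the new docs/safety/index.rst lists its entries without one; Sphinx accepts both, but keep one convention and drop the `.rst`. The empty `..` comment block placed after the license header serves no purpose, and the description sentence "Release specific documentation for Platform is listed here" is missing its terminating period.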
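Review bot: Document structure in docs/release/platform_ver_report.rst does not render as intended: the bare `****` line after the `.. document::` directive is parsed as a transition, and because every following line is indented, the entire body ("1. Verification Coverage" through "Note2") becomes one block quote with bold text standing in for headings, so none of it shows up in the section TOC. Replace `****` and the bold pseudo-headings with real section headings using the underline style already used for "Platform Verification Report", un-indent the lists, and turn "Note1" / "Note2" into `.. note::` directives as docs/safety/platform_dfa.rst does. Section 4 also repeats "with status passed/failed/not_run" twice in the same sentence; keep one. Finally, `:security: NO` on the verification report while the sibling safety analysis FDR report is marked `:security: YES` looks inconsistent; confirm which value the security manager expects here.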
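Review bot: Column mismatch in the checklist of docs/safety/fdr_reports_safety_analyses_DFA.rst: the header declares "Review ID / Acceptance Criteria / Guidance / Passed / Remarks / Issue link", but each row puts the review question under "Acceptance Criteria" and the acceptance criterion itself (e.g. "The mitigations are sufficient.") under "Passed", leaving no cell for the issue link that the paragraph above declares mandatory for every "no". Add a seventh column (Question before Acceptance Criteria) and fix `:widths:` accordingly (the current `10,30,30,15,8,8` sums to 101). The IDs also jump from REQ_01_04 to REQ_01_06; either restore REQ_01_05 or renumber. Wording fixes: "Is / are the attribute sufficient set correctly?" should read "Is the attribute sufficient set correctly?", "ont the violation" should be "on the violation", and "described in the contend" should be "described in the content". `:security: YES` is set only on this report while the other two FDR reports say NO; if that is intended, the "Conduct" section should name a security reviewer in addition to the "external" safety manager.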
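Review bot: Pre-filled non-compliance in docs/safety/fdr_reports_safety_package.rst: item 2 ships with "Compliant to ISO 26262?" set to `NO` and the comment "The argument is intentionally not provided by the project", yet item 5 of the same checklist asks whether documented deviations are argued understandably. The comment should point to where this deviation is argued (safety plan tailoring or safety package), otherwise the review cannot close. Also `:tags: draft` duplicates `:status: draft` and differs from the other new documents, which leave `:tags:` empty; and the directive title "Platform Safety Package Formal Review" does not match the page heading "Safety Package Formal Review Report".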
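Review bot: Grammar and naming in docs/safety/fdr_reports_safety_platform_safety_plan.rst: item 8 "If OSS software components is used, is it planned to be qualified?" should read "If OSS software components are used, are they planned to be qualified?", and item 7 "document a responsible for all activities" should read "document a responsible person for all activities". The directive title "S-CORE Platform Safety Plan Formal Review" differs from the page heading "Safety Plan Formal Review Report"; align it with the other FDR documents.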
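Review bot: Copyright year in docs/safety/index.rst is 2024 although the file is new in this change and every other new file in the patch says 2026; use the same year. As in docs/release/index.rst, the stray empty `..` block after the license header can go, and "Safety specific documentation for Platform is listed here" needs a period.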
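Review bot: Broken cross-reference in docs/safety/platform_dfa.rst: the document declares `:id: doc__score_platform_dfa`, but docs/platform_management_plan/safety_management.rst (hunk @@ -449) and docs/safety/fdr_reports_safety_analyses_DFA.rst (REQ_01_02) both link `:need:`doc__platform_dfa``, so Sphinx-needs will report an unknown need id. Rename the id to `doc__platform_dfa`, consistent with the other `doc__platform_*` ids in this patch. In the same file the `.. note::` directly after the `.. code-block:: rst` body has no blank line before it; docutils emits "Explicit markup ends without a blank line; unexpected unindent" for that, which fails a `-W` build. Insert a blank line between `:status: <valid|invalid>` and `.. note::`.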
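Review bot: Wrong work product in docs/safety/platform_safety_manual.rst: the document declares `:realizes: wp__module_safety_manual`, but the safety_management.rst table (hunk @@ -449) lists this document as the realization of `wp__platform_safety_manual`; change the attribute to `:realizes: wp__platform_safety_manual`. The text still carries module-template remnants ("the module's components requirements", "the module's safety concept", "module SEooC") that should be reworded for the platform, and "For the S-CORE Platformhe following" is missing a space ("Platform the following"). Both `needtable` filters select every `aou_req` need in the project (`needs.filter_types(["aou_req"])`, split only on the `environment` tag), so the "Assumptions on the User" table will list the AoUs of every module rather than only those relevant to platform users; confirm that is intended or filter on a platform-level tag. The `if need and` guard is redundant, since `need` is never falsy inside that loop.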