Confused by "Confirm" and "Export of foreign IDs" in Tracing-sheet

[pschrtt]

From the docs available, it is not entirely clear to me which data needs to be imported into the ‘Tracing’ sheet.

The README mentions the use of external catalogues to import confirmed assumptions and countermeasures.
Is it intended that third parties be involved to ‘confirm’ whether our assumptions are valid and countermeasures are in place? Or is external just anything outside the scope of QuBa-libre?
If I have already filled in the ‘Mitigation’ and ‘Risk Treatment’ sheets with the measures that the product already implements (that´s what basically happens if you do the evaluation already during developing), I don't really understand why I should do the same assessment again in the ‘Tracing’ sheet.
Is it optional in the end?

I realise that this is a template (the best I've seen so far) and that there are many ways to use it, but I would appreciate it if I could understand the thoughts behind it a little better and perhaps adapt our processes accordingly. Maybe kind of a flowchart would help finding access to the process easier.

[holdebeSICKAG]

Hi @pschrtt,

Thanks for reaching out and thank you very much for the praises. We published the QuBA-libre as we do use it here at SICK AG. We tend to see it more as an app built-into Excel as a template.

Back to your issues.

External catalogues

Indeed the README (within the QuBA-libre) mentions the external catalogues multiple times. Those references to external catalogues do not relate to any confirmation by an external entity for the applicable countermeasures and assumptions.
You may add references to your organizations external catalogue storage (like a requirements engineering tool) so that users of the QuBA-libre in your organization may access further information about any of the countermeasures and assumptions.
This is not necessary per se, but we at SICK maintain a database with further information on any of the countermeasure and assumptions.

Tracing sheet

So the tracing sheet has the following optional use case:

• At a later point in development you want to check if all countermeasure and assumptions from the "Result Summary"-sheet are covered in your development project.
• If not all countermeasure and assumptions are covered the tracing sheet will show you the new resulting remaining risk level against the planned risk level.

This also involves you maintaining an external catalogue storage (see (external catalogues)[#external-catalogues]))

Hope these answers cover your questions well.

Have a nice day and best regards,

Benjamin Holdermann