diff --git a/docs/process/process_areas/index.rst b/docs/process/process_areas/index.rst
index da4d8691c4..7d2d2eebb2 100644
--- a/docs/process/process_areas/index.rst
+++ b/docs/process/process_areas/index.rst
@@ -24,5 +24,6 @@ Process Areas
documentation_management/index.rst
implementation/index.rst
requirements_engineering/index.rst
+ safety_analysis/index.rst
safety_management/index.rst
verification/index.rst
diff --git a/docs/process/process_areas/safety_analysis/_assets/safety_analysis_workflow.drawio.svg b/docs/process/process_areas/safety_analysis/_assets/safety_analysis_workflow.drawio.svg
new file mode 100644
index 0000000000..cf32a683a0
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/_assets/safety_analysis_workflow.drawio.svg
@@ -0,0 +1,439 @@
+
diff --git a/docs/process/process_areas/safety_analysis/guidance/dfa_checklist_template.rst b/docs/process/process_areas/safety_analysis/guidance/dfa_checklist_template.rst
new file mode 100644
index 0000000000..315c1db198
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/guidance/dfa_checklist_template.rst
@@ -0,0 +1,257 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+.. _dfa checklist:
+
+DFA Checklist
+=============
+
+.. gd_chklst:: DFA Checklist
+ :id: gd_chklst__dfa
+ :status: valid
+ :tags: safety analysis
+
+ **Purpose**
+
+ In order to identify all cascading and common cause failures, which may initiated from your feature or components to the platform, other features, components, etc.,
+ use the following framework of dependent failure initiators to check your completeness of the analysis.
+
+ **Checklist**
+
+ | 2.1 Shared resources
+ | Same software element instance used by the two functions which are therefore affected by the failure or unavailability of that shared resource.
+
+ .. list-table:: Requirement Inspection Checklist
+ :header-rows: 1
+ :widths: 10,30,30,30
+
+ * - ID
+ - Violation cause shared resource used by several components
+ - Avoidance, or detection and mitigation of the fault
+ - Comment
+ * - SR_01_01
+ - Reused standard software modules
+ -
+ -
+ * - SR_01_02
+ - Libraries
+ -
+ -
+ * - SR_01_03
+ - Middleware
+ -
+ -
+ * - SR_01_04
+ - Basic software
+ -
+ -
+ * - SR_01_05
+ - Operating system including scheduler
+ -
+ -
+ * - SR_01_06
+ - Any service stack, e.g. communication stack
+ -
+ -
+ * - SR_01_07
+ - Configuration data
+ -
+ -
+ * - SR_01_08
+ - Calibration data
+ -
+ -
+ * - SR_01_09
+ - Execution time
+ -
+ -
+ * - SR_01_10
+ - Allocated memory
+ -
+ -
+
+ | 2.2 Communication between the two elements:
+ | Receiving function is affected by information that is false, lost, sent multiple times, or in the wrong order etc. from the sender.
+
+ .. list-table:: Requirement Inspection Checklist
+ :header-rows: 1
+ :widths: 10,30,30,30
+
+ * - ID
+ - Violation cause
+ Shared resource used by several components
+ - Avoidance, or detection and mitigation of the fault
+ - Comment
+ * - CO_01_01
+ - Information passed via argument through a function call,
+ or via writing/reading a variable being global to the
+ two software functions (data flow)
+ -
+ -
+ * - CO_01_02
+ - Data or message corruption / repetition (*) / loss (*) /
+ delay (*) / masquerading or incorrect addressing of
+ information (*)
+ -
+ -
+ * - CO_01_03
+ - Insertion (*) / sequence of information (*)
+ -
+ -
+ * - CO_01_04
+ - Corruption of information, inconsistent data (*)
+ -
+ -
+ * - CO_01_05
+ - Asymmetric information sent from a sender to multiple
+ receivers (*)
+ -
+ -
+ * - CO_01_06
+ - Information from a sender received by only a subset of the
+ receivers (*)
+ -
+ -
+ * - CO_01_07
+ - Blocking access to a communication channel (*)
+ -
+ -
+
+ | 2.3 Shared information inputs
+ | Same information consumed by the two functions even in absence of shared resources, i.e. from a functional perspective.
+
+ .. list-table:: Requirement Inspection Checklist
+ :header-rows: 1
+ :widths: 10,30,30,30
+
+ * - ID
+ - Violation cause
+ Shared resource used by several components
+ - Avoidance, or detection and mitigation of the fault
+ - Comment
+ * - SI_01_01
+ - Calibration data
+ -
+ -
+ * - SI_01_02
+ - Configuration data
+ -
+ -
+ * - SI_01_03
+ - Constants, or variables, being global to the two software
+ functions
+ -
+ -
+ * - SI_01_04
+ - Basic software passes data (read from hardware register and
+ converted into logical information) to two applications
+ software functions
+ -
+ -
+ * - SI_01_05
+ - Data / function parameter arguments / messages delivered by
+ software function to more than one other function
+ -
+ -
+
+ | 2.4 Unintended impact
+ | Two functions affecting each other’s elements directly via an implicit, that is unintended, interface.
+
+ .. list-table:: Requirement Inspection Checklist
+ :header-rows: 1
+ :widths: 10,30,30,30
+
+ * - ID
+ - Violation cause
+ Shared resources used by several components
+ - Avoidance, or detection and mitigation of the fault
+ - Comment
+ * - UI_01_01
+ - Memory miss-allocation and leaks
+ -
+ -
+ * - UI_01_02
+ - Read/Write access to memory allocated to another software
+ element (*)
+ -
+ -
+ * - UI_01_03
+ - Stack/Buffer under-/overflow (*)
+ -
+ -
+ * - UI_01_04
+ - Deadlocks (*)
+ -
+ -
+ * - UI_01_05
+ - Livelocks (*)
+ -
+ -
+ * - UI_01_06
+ - Blocking of execution (*)
+ -
+ -
+ * - UI_01_07
+ - Incorrect allocation of execution time (*)
+ -
+ -
+ * - UI_01_08
+ - Incorrect synchronization between software elements (*)
+ -
+ -
+
+ | (*) These issues are taken from the arguments on freedom from interference between software elements.
+ | In that respect, the dependent failure initiators Unintended Impact and Communication represent causes of violation of freedom from interference for software.
+
+ | 2.5 Systematic coupling
+ | Systematic causes from human or tool errors can lead to the simultaneous failure of more than one function.
+
+ .. list-table:: Requirement Inspection Checklist
+ :header-rows: 1
+ :widths: 10,30,30,30
+
+ * - ID
+ - Violation cause
+ Shared resources used by several components
+ - Avoidance, or detection and mitigation of the fault
+ - Comment
+ * - SC_01_01
+ - Manufacturing fault / repair fault (e.g. false flashing,
+ false calibration reference for sensors)
+ -
+ -
+ * - SC_01_02
+ - Non-diverse development approaches including:
+ - same software tools (e.g. IDE, compiler, linker)
+ - same algorithms
+ - same programming and/or modelling language used
+ - same complier/linker used
+ -
+ -
+ * - SC_01_03
+ - Same personal
+ -
+ -
+ * - SC_01_04
+ - Same social-cultural context (even if different personnel)
+ -
+ -
+ * - SC_01_05
+ - Development fault, e.g.
+ - human error
+ - insufficiently qualified personnel
+ - process weaknesses
+ - insufficient methods
+ -
+ -
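Review bot: the violation-cause column header from the 2.1 table ("Shared resource used by several components") is copied unchanged into the 2.2 to 2.5 tables, so the Communication, Shared information inputs, Unintended impact and Systematic coupling tables each carry a header that does not describe their rows; give each table its own header (for 2.2 something like "Violation cause: communication between the two elements") and drop the title "Requirement Inspection Checklist" from all five list-tables, which is a leftover from the requirements checklist this file was derived from. Wording fixes in the same hunk: "which may initiated from your feature" should read "which may be initiated by your feature", "Memory miss-allocation" should read "Memory mis-allocation", SC_01_03 "Same personal" should read "Same personnel", and SC_01_02 lists "same complier/linker used" although "same software tools (e.g. IDE, compiler, linker)" two bullets above already covers it, so the misspelled duplicate can go. The nested bullet lists inside the SC_01_02 and SC_01_05 cells need a blank line between the lead sentence and the sub-items, otherwise docutils folds them into the preceding paragraph or emits an "unexpected unindent" warning.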
diff --git a/docs/process/process_areas/safety_analysis/guidance/dfa_template.rst b/docs/process/process_areas/safety_analysis/guidance/dfa_template.rst
new file mode 100644
index 0000000000..6f31ea9e16
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/guidance/dfa_template.rst
@@ -0,0 +1,32 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+
+DFA Template
+============
+
+.. gd_temp:: DFA Templates
+ :id: gd_temp__dfa
+ :status: valid
+ :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__software_753, std_req__iso26262__software_7411, std_req__iso26262__analysis_741, std_req__iso26262__analysis_742, std_req__iso26262__analysis_743, std_req__iso26262__analysis_745, std_req__iso26262__analysis_746, std_req__iso26262__analysis_747, std_req__iso26262__analysis_748, std_req__iso26262__analysis_749
+
+ | .. feat_saf_dfa::
+ | :id: feat_saf_DFA____
+ | :violation_id:
+ | :violation_cause: "Failure mode similar to :need:`gd_chklst__dfa`"
+ | :violates:
+ | :measure: < NONE|ID from Feature Requirement>
+ | :sufficient:
+ | :argument:
+ | :status:
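Review bot: the `:violation_cause:` placeholder reads "Failure mode similar to :need:`gd_chklst__dfa`", but a DFA entry records a violation cause taken from the checklist, not a failure mode (that wording belongs to the FMEA template); suggest "Violation cause taken from :need:`gd_chklst__dfa`" so the two analyses are not confused. The `:id:` placeholder `feat_saf_DFA____` should state the expected pattern rather than trailing underscores, and `:violation_id:` should say that the value is a checklist ID such as SR_01_05. The directive title "DFA Templates" is plural for a single template.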
diff --git a/docs/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst b/docs/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst
new file mode 100644
index 0000000000..48595f9a84
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst
@@ -0,0 +1,205 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+Fault Models
+============
+
+.. gd_guidl:: Fault Models
+ :id: gd_guidl__fault_models
+ :status: valid
+ :complies: std_wp__iso26262__software_752, std_req__iso26262__analysis_846
+
+ Fault Models for activity diagrams
+
+ .. list-table:: Fault Models for activity diagrams
+ :header-rows: 1
+ :widths: 15,6,30,30,15
+
+ * - Element
+ - ID
+ - Failure Mode
+ - Simplification
+ - Importance
+ * - data storage
+ - DS_01_01
+ - stored data changed
+ (before read operation)
+ -
+ - High
+ * - data storage
+ - DS_01_02
+ - new data not stored (keeps old data)
+ / stuck-at (specific value)
+ -
+ - High
+ * - data flow
+ - DF_01_01
+ - transferred data changed
+ - DS_01_01 if there is one data flow to the data store
+ - Medium
+ * - data flow
+ - DF_01_02
+ - transferred data lost
+ - DS_01_02 if there is one data flow to the data store
+ - Medium
+ * - data flow
+ - DF_01_03
+ - transferred to wrong data store
+ - DS_01_01 unless point in time of change is important
+ - Low
+ * - data flow
+ - DF_01_04
+ - data stored at wrong location in data store
+ - relevant only for arrays/complex types
+ - High
+ * - processing
+ - PS_01_01
+ - process calculates wrong result(s)
+ - DS_01_01 unless process affects multiple data stores
+ - High
+ * - processing
+ - PS_01_02
+ - processing too slow/fast
+ - relevant only if timing is considered, infinite loop->CF01_01
+ - Low
+ * - control flow
+ - CF_01_01
+ - control flow stops
+ -
+ - High
+ * - control flow
+ - CF_01_02
+ - control flow skips process
+ - PS_01_01 and PS_01_02
+ - Medium
+ * - control flow
+ - CF_01_03
+ - control flow proceeds to wrong process
+ - CF_01_02 or limited to specific process
+ - Low
+ * - fork
+ - FK_01_01
+ - some but not all outgoing concurrent processes are triggered
+ -
+ - Medium
+ * - fork
+ - FK_01_02
+ - concurrent processes are triggered despite incoming process has not yet been completed
+ - similar to CF_01_02
+ - Low
+ * - fork
+ - FK_01_03
+ - none of the outgoing concurrent processes is triggered
+ - similar to CF_01_01
+ - Low
+ * - join
+ - JF_01_01
+ - execution proceeds before all joining processes have been completed
+ - similar to CF_01_02
+ - High
+ * - join
+ - JF_01_02
+ - execution does not proceed despite all joining processes have been completed
+ - similar to CF_01_01
+ - Medium
+
+
+ | Fault Model for sequence diagrams
+
+ .. list-table:: Fault Models for sequence diagrams
+ :header-rows: 1
+ :widths: 15,6,30,30,15
+
+ * - Element
+ - ID
+ - Failure Mode
+ - Simplification
+ - Importance
+ * - message
+ - MF_01_01
+ - message is not received
+ - MF_01_05
+ - Low
+ * - message
+ - MF_01_02
+ - message received too late
+ - relevant only if delay is a realistic fault
+ - Medium
+ * - message
+ - MF_01_03
+ - message received too early
+ - usually not a problem
+ - Low
+ * - message
+ - MF_01_04
+ - message not received correctly by all recipients (different messages or messages partly lost)
+ - only relevant if the same message goes to multiple recipients
+ - Low
+ * - message
+ - MF_01_05
+ - message is corrupted
+ -
+ - High
+ * - duration/time constraint
+ - CO_01_01
+ - minimum constraint boundary is violated
+ -
+ - Medium
+ * - duration/time constraint
+ - CO_01_02
+ - maximum constraint boundary is violated
+ -
+ - High
+ * - execution
+ - EX_01_01
+ - Process calculates wrong result(s)
+ - MF_01_05 or MF_01_04
+ - High
+ * - execution
+ - EX_01_02
+ - processing too slow/fast
+ - relevant only if timing is considered
+ - Low
+ * - execution
+ - EX_01_03
+ - processing changes to arbitrary process
+ -
+ - Low
+ * - execution
+ - EX_01_04
+ - processing is not complete (infinite loop)
+ -
+ - Low
+ * - frame (*)
+ - FE_01_01
+ - frame not entered as specified
+ -
+ - Medium
+ * - frame (*)
+ - FE_01_02
+ - frame not exited as specified
+ -
+ - Medium
+ * - frame (*)
+ - FE_01_03
+ - frame entered differently than specified
+ -
+ - Medium
+ * - frame (*)
+ - FE_01_04
+ - frame exited differently than specified
+ -
+ - Medium
+
+ | (*) frame is a reference to another diagram, which describes more detailed aspects. Entry- and Exit points define the order of transitions.
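Review bot: the duration/time constraint IDs CO_01_01 and CO_01_02 in the sequence-diagram table collide with the Communication IDs CO_01_01 to CO_01_07 in the DFA checklist added in this same change; both sets end up in the `violation_id` / `failure_mode` attributes of the analysis needs, so a reader cannot tell from the ID which table it came from. Use a distinct prefix for the constraint rows. Also: in the PS_01_02 simplification "infinite loop->CF01_01" should read "CF_01_01" to match the ID column; FK_01_02 "despite incoming process has not yet been completed" and JF_01_02 "despite all joining processes have been completed" read better as "although the incoming process has not yet completed" and "although all joining processes have completed"; and "Fault Model for sequence diagrams" sits in a `|` line block while the activity-diagram lead line is a plain paragraph, so the two section leads render differently.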
diff --git a/docs/process/process_areas/safety_analysis/guidance/index.rst b/docs/process/process_areas/safety_analysis/guidance/index.rst
new file mode 100644
index 0000000000..8630155667
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/guidance/index.rst
@@ -0,0 +1,26 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+Guidance
+########
+
+.. toctree::
+ :maxdepth: 1
+
+ dfa_checklist_template
+ dfa_template
+ fault_models_guideline
+ safety_analysis_guideline
+ safety_analysis_process_reqs
+ safety_analysis_templates
diff --git a/docs/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst b/docs/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst
new file mode 100644
index 0000000000..a1bc28061c
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst
@@ -0,0 +1,110 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+
+Guidelines
+##########
+
+.. gd_guidl:: Safety Analysis Guideline
+ :id: gd_guidl__safety_analysis
+ :status: valid
+ :complies: std_req__iso26262__analysis_841, std_req__iso26262__analysis_842, std_req__iso26262__analysis_843, std_req__iso26262__analysis_844, std_req__iso26262__analysis_847, std_req__iso26262__analysis_848, std_req__iso26262__analysis_849, std_req__iso26262__analysis_8410, std_wp__iso26262__analysis_851
+
+This document describes the general guidances for Safety Analysis based on the concept which is defined :need:`[[title]]`.
+
+Workflow for Safety Analysis
+============================
+
+Detailed description which steps are need for implementation.
+
+#. To analyse the Feature Architecture a Safety Analysis and a DFA shall be executed.
+#. Perform Safety Analysis on the feature.
+#. Perform DFA on the feature.
+#. To analyse the Architecture a Safety Analysis and a DFA shall be executed.
+#. Perform Safety Analysis on the component.
+#. Perform DFA on the component.
+#. The performance of the Safety Analysis and DFA shall be monitored and verified.
+#. Open issues like from the Safety Analysis and DFA shall be monitored by the Issue Tracking system.
+#. The verification of the Architecture is completed when Safety Analysis and DFA are completed by using the checklist and all open issues are closed.
+
+
+Step-by-Step-approach DFA:
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The analysis is done by using the template <:need:`gd_temp__dfa`> on the feature or component architectural diagrams using a checklist <:need:`gd_chklst__dfa`>.
+
+**Step 1:**
+For each identified violation assign the violation by ID from the DFA checklist and document it as a sphinx-needs directive.
+Document the resulting violation causes and effect and the violated safety requirement.
+Document safety measure/mechanism to avoid or control the violation.
+
+**Step 2:**
+Judge if this is sufficient. If not, request to update the requirements with additional safety measure/mechanism to come to a sufficient outcome.
+The analysis is finished, if for each identified violation a mechanism/measure exists.
+Unless the attribute sufficient is yes, measure and argument attribute can be still empty.
+
+Alternatively the checklist template can be used. It can be filled out and is then the DFA report.
+
+**Example:**
+
+| .. feat_saf_dfa::
+| :id: feat_saf_DFA____
+| :violation_id: "SR_01_05"
+| :violation_cause: "Operating system including scheduler"
+| :violates: FEAT_REQ__persistency_key_val_storage__creation
+| :measure:
+| :sufficient: no
+| :argument:
+| :status: valid
+
+
+Step-by-Step-approach Safety Analysis:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The analysis is done by using the template <:need:`gd_temp__safety_analysis`> on the feature or component architectural diagrams
+(activity and/or sequence diagrams) using a diagram specific applied fault model <:need:`gd_guidl__fault_models`>.
+The analysis considers single faults that can violate a safety requirement.
+
+**Step 1:**
+For each affected design element in scope of each diagram, assign the faults by ID from the fault model applicable and document it as a sphinx-needs directive.
+Document the resulting failure mode and effect and the violated safety requirement.
+Document safety measure/mechanism to avoid or control the failure.
+
+**Step 2:**
+Judge if this is sufficient. If not, request to update the diagram and the requirements with additional safety measure/mechanism to come to a sufficient outcome.
+The analysis is finished, if for each identified faults a mechanism/measure exists.
+Unless the attribute sufficient is yes, measure and argument attribute can be still empty.
+
+**Examples:**
+
+
+| .. feat_saf_fmea:: OpenKVS
+| :id: FEAT_SAF_FMEA__KVS__OpenKVS
+| :failure_node: "MF_01_05"
+| :failure_effect: "message from calling app is corrupted"
+| :violates: FEAT_REQ_persistency_key_val_storage__interface
+| :measure:
+| :sufficient: no
+| :argument:
+| :status: valid
+
+| .. feat_saf_fmea:: GetKeyValue
+| :id: FEAT_SAF_FMEA__KVS__GetKeyValue
+| :failure_node: "MF_01_05"
+| :failure_effect: "message is corrupted due to corrupted call open to OSAL"
+| :violates: FEAT_REQ_persistency_key_val_storage__interface
+| :measure: FEAT_REQ_persistency_key_val_storage__error
+| :sufficient: yes
+| :argument: "Calling app gets error information"
+| :status: valid
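Review bot: `:need:`[[title]]`` in the introductory sentence is an unresolved placeholder and will produce a broken reference in the build; point it at the concept need `doc_concept__safety__analysis` added in this change. In the workflow list, step 4 repeats step 1 almost word for word ("To analyse the Architecture a Safety Analysis and a DFA shall be executed") but is meant as the component counterpart, so it should say "Component Architecture"; "which steps are need" should read "which steps are needed". The FMEA examples use `:failure_node:` whereas the template in `safety_analysis_templates.rst` uses `:failure_mode:`; one of the two is wrong and the examples will not match the directive options. The example IDs are also inconsistent with the template: the DFA example keeps the placeholder `feat_saf_DFA____`, and the requirement links mix `FEAT_REQ__persistency_key_val_storage__creation` (double underscore) with `FEAT_REQ_persistency_key_val_storage__interface` (single underscore).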
diff --git a/docs/process/process_areas/safety_analysis/guidance/safety_analysis_process_reqs.rst b/docs/process/process_areas/safety_analysis/guidance/safety_analysis_process_reqs.rst
new file mode 100644
index 0000000000..0ea8f23f59
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/guidance/safety_analysis_process_reqs.rst
@@ -0,0 +1,222 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+.. _process_safety_analysis:
+
+Process Safety Analysis
+=======================
+
+.. gd_req:: Safety Analysis Structure
+ :id: gd_req__saf__structure
+ :status: valid
+ :tags: structure
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Safety Analysis shall be hierarchically grouped into different levels.
+
+ Following levels are defined:
+
+ * Feature architecture
+ * Component architecture
+
+.. _process_safety_analysis_attributes:
+
+Process Safety Analysis Attributes
+----------------------------------
+
+.. gd_req:: Safety Analysis attribute: UID
+ :id: gd_req__saf__attr_uid
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Each Safety Analysis shall have a unique ID. It shall be in a format which is also human readable and consists of
+
+ * type of Safety Analysis
+ * keyword descirbing the level of analysis
+ * keyword describing the content of the Safety Analysis
+
+ The naming convention is defined here: :ref:`naming_convention_needs`
+
+.. gd_req:: Safety Analysis attribute: title
+ :id: gd_req__saf_attr_title
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ The title of the Safety Analysis shall provide a short summary of the description
+
+.. gd_req:: Safety Analysis attribute: description
+ :id: gd_req__saf_attr_description
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Each Safety Analysis shall have a description. With this another person should be able to recognize the results of the Safety Analysis
+
+.. gd_req:: DFA attribute: violation ID
+ :id: gd_req__saf__attr_vid
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Each DFA shall have a violation ID. The violation ID is used to identify the related fault <:need:`gd_guidl__fault_models`>.
+
+.. gd_req:: DFA attribute: violation cause
+ :id: gd_req__saf__attr_vcause
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Every DFA shall have a short description of the violation cause.
+
+.. gd_req:: FMEA attribute: failure node
+ :id: gd_req__saf__attr_fnode
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Each FMEA shall have a failure node. The failure nod is used to identify the related fault <:need:`gd_guidl__fault_models`>.
+
+.. gd_req:: FMEA attribute: failure effect
+ :id: gd_req__saf__attr_veffect
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Every FMEA shall have a short description of the failure effect.
+
+.. gd_req:: Safety Analysis attribute: measure
+ :id: gd_req__saf_attr_measure
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_844, std_req__iso26262__analysis_746, std_req__iso26262__analysis_747
+
+ Each violation shall have a measure for it.
+
+.. gd_req:: Safety Analysis attribute: sufficient
+ :id: gd_req__saf__attr_sufficient
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_848, std_req__iso26262__analysis_749
+
+ Each measure shall have an statement if it's sufficient.
+
+.. gd_req:: Requirement attribute: argument
+ :id: gd_req__saf__attr_argument
+ :status: valid
+ :tags: attribute, mandatory
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_848, std_req__iso26262__analysis_749
+
+ The argument shall describe why the measure is sufficient or not.
+
+.. _process_safety_analysis_linkage:
+
+Safety Analysis Requirement Linkage
+'''''''''''''''''''''''''''''''''''
+
+.. gd_req:: Safety Analysis Linkage
+ :id: gd_req__saf__linkage
+ :status: valid
+ :tags: attribute, automated
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ Safety Analysis shall be linked to its adjacent level via the attribute mitigates.
+
+ * Feature Safety Analysis <-> feature architecture
+ * Component Safety Analysis <-> component architecture
+
+.. gd_req:: Safety Analysis attribute: measure coverage
+ :id: gd_req__saf__attr_saf_cov
+ :status: valid
+ :tags: attribute, automated
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_848, std_req__iso26262__analysis_749
+
+ It shall be possible to specify the measure coverage.
+
+ * 0 to 100 percent
+
+.. gd_req:: Safety Analysis attribute: link to Aou
+ :id: gd_req__saf__attr_aou
+ :status: valid
+ :tags: attribute, automated
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_845
+
+ It shall be possible to link Aou.
+
+.. gd_req:: Safety Analysis attribute: versioning
+ :id: gd_req__saf__attr_hash
+ :status: valid
+ :tags: attribute, automated
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies:
+
+ It shall be possible to provide a versioning for Safety Analysis. It shall be possible to detect if any of the mandatory attributes differ from the versioning: :need:`gd_req__saf__attr_mandatory`
+
+
+.. _process_safety_analysis_checks:
+
+Process Requirements Checks
+'''''''''''''''''''''''''''
+
+.. gd_req:: Safety Analysis mandatory attributes provided
+ :id: gd_req__saf__attr_mandatory
+ :status: valid
+ :tags: attribute, check
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_848, std_req__iso26262__analysis_749
+
+ It shall be checked if all mandatory attributes for each Safety Analysis is provided by the user. For all Safety Analysis following attributes shall be mandatory:
+
+ .. needtable:: Overview mandatory Safety Analysis attributes
+ :filter: "mandatory" in tags and "attribute" in tags and "safety analysis" in tags and type == "gd_req"
+ :style: table
+ :columns: title
+ :colwidths: 30
+
+.. gd_req:: Safety Analysis linkage level
+ :id: gd_req__saf__linkage_fulfill
+ :status: valid
+ :tags: attribute, check
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_848, std_req__iso26262__analysis_749
+
+ Every feature- and component Safety Analysis shall be linked to at least one parent feature architecture.
+
+
+.. gd_req:: Safety Analysis linkage safety
+ :id: gd_req__saf__linkage_safety
+ :status: valid
+ :tags: attribute, check
+ :satisfies: wf__analyse_featarch, wf__analyse_comparch
+ :complies: std_req__iso26262__analysis_848, std_req__iso26262__analysis_749
+
+ It shall be checked that Safety Analysis (Safety != QM) can only be linked against elements with the same ASIL.
+
+.. needextend:: "process_areas/requirements_engineering" in docname
+ :+tags: safety analysis
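Review bot: the `needextend` at the end adds the "safety analysis" tag to needs whose docname contains "process_areas/requirements_engineering", but this file lives under `process_areas/safety_analysis`, so the tag is never applied here and the needtable in `gd_req__saf__attr_mandatory` (its filter requires "safety analysis" in tags) will render empty; change the docname filter to "process_areas/safety_analysis". Further points in this hunk: `gd_req__saf__attr_vid` says the violation ID identifies the fault in `gd_guidl__fault_models`, but DFA violation IDs come from the DFA checklist `gd_chklst__dfa`; the IDs `gd_req__saf_attr_title`, `gd_req__saf_attr_description` and `gd_req__saf_attr_measure` use a single underscore after `saf` while all other needs use `saf__`; `gd_req__saf__attr_veffect` describes a failure effect, not a violation effect; "Requirement attribute: argument" is a copy-paste title from the requirements process; `gd_req__saf__linkage_fulfill` requires a link to a "parent feature architecture" even for component Safety Analysis, which contradicts the feature/component pairing in `gd_req__saf__linkage`; and "failure node" / "failure nod" in `gd_req__saf__attr_fnode` should be "failure mode" to match the fault model tables. Typos: "descirbing", "an statement".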
diff --git a/docs/process/process_areas/safety_analysis/guidance/safety_analysis_templates.rst b/docs/process/process_areas/safety_analysis/guidance/safety_analysis_templates.rst
new file mode 100644
index 0000000000..39c0499d2c
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/guidance/safety_analysis_templates.rst
@@ -0,0 +1,32 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+
+Safety Analysis Template
+========================
+
+.. gd_temp:: Safety Analysis Templates
+ :id: gd_temp__safety_analysis
+ :status: valid
+ :complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752, std_req__iso26262__software_7410, std_req__iso26262__software_7412, std_req__iso26262__analysis_841, std_req__iso26262__analysis_842, std_req__iso26262__analysis_843, std_req__iso26262__analysis_844, std_req__iso26262__analysis_845, std_req__iso26262__analysis_846, std_req__iso26262__analysis_847, std_req__iso26262__analysis_848, std_req__iso26262__analysis_849, std_req__iso26262__analysis_8410
+
+ | .. feat_saf_fmea::
+ | :id: feat_saf_FMEA____
+ | :failure_mode:
+ | :failure_effect: "Failure mode similar to :need:`gd_guidl__fault_models`"
+ | :violates:
+ | :measure: < NONE|ID from Feature Requirement>
+ | :sufficient:
+ | :argument:
+ | :status:
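Review bot: the placeholder "Failure mode similar to :need:`gd_guidl__fault_models`" is attached to `:failure_effect:`, but the fault model reference belongs in `:failure_mode:`; move it there and give `:failure_effect:` its own placeholder describing the resulting effect. The ID placeholder `feat_saf_FMEA____` does not match the casing of the worked examples in the guideline (`FEAT_SAF_FMEA__KVS__OpenKVS`), so settle on one convention. The directive title "Safety Analysis Templates" is plural for one FMEA template; since the DFA template is a separate need, "FMEA Template" would be clearer.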
diff --git a/docs/process/process_areas/safety_analysis/index.rst b/docs/process/process_areas/safety_analysis/index.rst
new file mode 100644
index 0000000000..9592f12b3f
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/index.rst
@@ -0,0 +1,28 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+.. _safety_analysis:
+
+Safety Analysis
+###############
+
+.. toctree::
+ :maxdepth: 1
+
+ guidance/index
+ safety_analysis_concept
+ safety_analysis_getstrt
+ safety_analysis_roles
+ safety_analysis_workflow
+ safety_analysis_workproducts
diff --git a/docs/process/process_areas/safety_analysis/safety_analysis_concept.rst b/docs/process/process_areas/safety_analysis/safety_analysis_concept.rst
new file mode 100644
index 0000000000..6412a2dd1a
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/safety_analysis_concept.rst
@@ -0,0 +1,92 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+Concept Description
+###################
+
+.. doc_concept:: Safety Analysis Concept
+ :id: doc_concept__safety__analysis
+ :status: valid
+ :tags: safety_analysis
+
+In this section a concept for the safety analyses will be discussed. Inputs for this concept are the requirements of ISO26262 Part-9.
+
+Inputs
+******
+
+#. Stakeholders for the safety analysis?
+#. Who needs which information?
+#. How to analyze existing safety measure/mechanism?
+#. How to add new safety measure/mechanisms?
+
+Stakeholders for the Safety Analysis
+====================================
+
+#. :need:`Committer `
+
+ * Analyse the feature architecture by performing the safety analyses and DFA
+ * Analyse the component architecture by performing the safety analyses and DFA
+ * Monitor/veryfiy the Safety Analysis and DFA
+
+#. :need:`Technical Lead `
+
+ * Support the feature safety analyses and DFA
+ * Support the monitoring and veryfing of the feature safety analyses and DFA
+
+#. :need:`Module Lead `
+
+ * Support the component safety analyses and DFA
+ * Support the monitoring and veryfing of the component safety analyses and DFA
+
+#. :need:`Safety Manager `
+
+ * Approve the safety analysis and DFA
+ * Approve the verification of the safety analysis and DFA
+
+#. :need:`Security Manager `
+
+ * Support the safety analyses and DFA
+ * Support the monitoring and veryfing of the safety analyses and DFA
+
+
+Standard Requirements
+=====================
+
+Also requirements of standards need to be taken into consideration:
+
+* ISO26262
+* ASPICE
+* ISO SAE 21434
+
+How to analyze?
+===============
+
+DFA
+^^^
+
+A DFA :need:`gd_guidl__safety_analysis` shall be used to proof the absence of dependent failures. For the analysis a checklist
+:need:`gd_chklst__dfa` is available.
+
+Safety Analysis
+^^^^^^^^^^^^^^^
+
+For the safety analyses the safety analyses :need:`gd_temp__safety_analysis` shall be used. The safety analysis
+is done on architectural diagrams (activity and/or sequence diagrams). Therefore fault models shall be used
+:need:`gd_guidl__fault_models`.
+
+How to add new safety measure/mechanisms?
+=========================================
+
+Identified faults without a mechanism/measure stay open and were monitored in
+the issue tracking sytem :need:`wp__issue_track_system` until there are closed.
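Review bot: the `:need:` roles in the stakeholder list (`:need:`Committer ``, `:need:`Technical Lead ``, `:need:`Module Lead ``, `:need:`Safety Manager ``, `:need:`Security Manager ``) end in a trailing space with no target id visible, so they will not resolve as written; verify that the explicit target ids are present. Typos: "veryfiy" and "veryfing" (under Committer, Technical Lead, Module Lead and Security Manager) should be "verify" and "verifying"; "shall be used to proof the absence" should be "prove"; "issue tracking sytem ... until there are closed" should be "system ... until they are closed", and "stay open and were monitored" mixes tenses (use "are monitored"). "For the safety analyses the safety analyses :need:`gd_temp__safety_analysis` shall be used" is missing the word "template". The "Inputs" list is a list of questions rather than inputs; either rename the heading or rephrase the items. On substance: the Committer both performs the safety analyses/DFA and monitors/verifies them, while the Safety Manager only approves; if independence of the verification from the analysis is intended here, state which role provides it.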
diff --git a/docs/process/process_areas/safety_analysis/safety_analysis_getstrt.rst b/docs/process/process_areas/safety_analysis/safety_analysis_getstrt.rst
new file mode 100644
index 0000000000..cbfe5331af
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/safety_analysis_getstrt.rst
@@ -0,0 +1,38 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+Getting Started
+###############
+
+.. doc_getstrt:: Getting Started on Safety Analysis
+ :id: doc_getstrt__safety_analysis
+ :status: valid
+ :tags: safety_analysis
+
+This document describes the steps which are needed to perform safety analysis and also how to monitor/verify the results of the safety analysis.
+
+Therefore a guideline for :need:`gd_guidl__safety_analysis` is available.
+The concept of performing safety analysis is described in :need:`doc_concept__safety__analysis`.
+
+General Workflow
+****************
+
+.. figure:: _assets/safety_analysis_workflow.drawio.svg
+ :align: center
+ :width: 80%
+ :name: safety_analysis_workflow_fig
+
+ Safety Analysis Workflow
+
+The details of what needs to be done in each step are described in the :need:`gd_guidl__safety_analysis`.
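Review bot: "Therefore a guideline for ... is available" does not follow from the preceding sentence; drop "Therefore" ("A guideline for ... is available."). The figure is given `:name: safety_analysis_workflow_fig` but nothing in this file references it; either cross-reference it from the text or drop the name. The id referenced here, `doc_concept__safety__analysis`, uses a doubled separator (`safety__analysis`) while this file's own id is `doc_getstrt__safety_analysis`; align the concept id to the single-underscore form before other pages start linking to it.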
diff --git a/docs/process/process_areas/safety_analysis/safety_analysis_roles.rst b/docs/process/process_areas/safety_analysis/safety_analysis_roles.rst
new file mode 100644
index 0000000000..878523d508
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/safety_analysis_roles.rst
@@ -0,0 +1,31 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+Roles
+#####
+
+For requirements engineering no additional roles need to be defined.
+
+Contributing Roles:
+
+ * :need:`Contributor `
+ * :need:`Committer `
+ * :need:`Technical Lead `
+ * :need:`Module Lead `
+ * :need:`Safety Manager `
+ * :need:`Security Manager `
+
+A detailed overview of the responsibility for the steps of the safety analysis process is listed here:
+
+:ref:`workflow_safety_analysis`
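Review bot: "For requirements engineering no additional roles need to be defined." is a copy-paste leftover on the safety analysis roles page; it should read "For safety analysis no additional roles need to be defined." The role links (`:need:`Contributor ``, `:need:`Committer ``, ...) end in a space without a target id, as on the concept page, so verify they resolve. "Contributing Roles:" as a bare line followed by an indented bullet list renders as a block quote in RST; either un-indent the list or make it a heading in the style this patch uses elsewhere. The Contributor appears in this list but not in the stakeholder list on the concept page; state what the Contributor does or keep the two lists consistent.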
diff --git a/docs/process/workflows/safety_analysis.rst b/docs/process/process_areas/safety_analysis/safety_analysis_workflow.rst
similarity index 79%
rename from docs/process/workflows/safety_analysis.rst
rename to docs/process/process_areas/safety_analysis/safety_analysis_workflow.rst
index cbb7b4b85d..b772e67e99 100644
--- a/docs/process/workflows/safety_analysis.rst
+++ b/docs/process/process_areas/safety_analysis/safety_analysis_workflow.rst
@@ -12,16 +12,14 @@
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************
-Safety Analysis
-===============
+.. _workflow_safety_analysis:
-Workflows
----------
+Workflow Safety Analysis
+########################
todo: need to add guidance and standard links
-
.. workflow:: Analyse Feature Architecture
:id: wf__analyse_featarch
:status: draft
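Review bot: the `todo: need to add guidance and standard links` line is kept while the heading around it is promoted to a page title, so it will render as body text on the published page. Either resolve it in this patch (the guidance needs it refers to, such as `gd_guidl__safety_analysis` and `gd_chklst__dfa`, are introduced here) or turn it into a `.. todo::` directive (sphinx.ext.todo) so it is tracked and can be hidden in release builds. Also, the rename moves the file out of `docs/process/workflows/`, but the new title "Workflow Safety Analysis" keeps the old naming; "Safety Analysis Workflow" would match the figure caption on the getting-started page.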
@@ -57,4 +55,19 @@ todo: need to add guidance and standard links
:output: wp__sw_arch_verification, wp__issue_track_system
| The safety analyses and DFA are monitored and verified.
- | The inspection shall be implemented as integral part of the review tool.
+ | The inspection shall be implemented as an integral part of the review tool.
+
+
+
+
+RAS(IC) for Safety Analysis
+***************************
+
+
+.. needtable:: RASIC Overview for Safety Analysis
+ :tags: safety_analysis
+ :filter: "safety_analysis" in tags and type == "workflow"
+ :style: table
+ :sort: status
+ :columns: id as "Activity";responsible as "Responsible";approved_by as "Approver";supported_by as "Supporter"
+ :colwidths: 30,30,30,30
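Review bot: the needtable filter `"safety_analysis" in tags and type == "workflow"` only produces rows if every workflow in this file carries a `safety_analysis` tag, but the workflow header visible above (`wf__analyse_featarch` with `:id:` and `:status:`) shows no `:tags:` line in the context shown; confirm each workflow is tagged, otherwise the RASIC table renders empty. The four consecutive blank lines added before the "RAS(IC)" heading are unnecessary; two is the spacing used in these files. `wf__analyse_featarch` stays `:status: draft` while the work products in the new workproducts file (for example `wp__sw_arch_verification`, listed as an output here) are marked `valid`; sorting the table by status will surface that mismatch, so settle on one status.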
diff --git a/docs/process/process_areas/safety_analysis/safety_analysis_workproducts.rst b/docs/process/process_areas/safety_analysis/safety_analysis_workproducts.rst
new file mode 100644
index 0000000000..a002e4aa27
--- /dev/null
+++ b/docs/process/process_areas/safety_analysis/safety_analysis_workproducts.rst
@@ -0,0 +1,59 @@
+..
+ # *******************************************************************************
+ # Copyright (c) 2025 Contributors to the Eclipse Foundation
+ #
+ # See the NOTICE file(s) distributed with this work for additional
+ # information regarding copyright ownership.
+ #
+ # This program and the accompanying materials are made available under the
+ # terms of the Apache License Version 2.0 which is available at
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ # *******************************************************************************
+
+Workproducts Safety Analysis
+############################
+
+.. workproduct:: Feature Safety Analysis
+ :id: wp__feature_safety_analysis
+ :status: valid
+ :complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752
+
+ Bottom-Up Safety Analysis with e.g. FMEA method, verifies the feature architecture (as part of SW Safety Concept)
+ - Detection and prevention mitigations linked to Software Feature Requirements or Assumptions of Use
+
+.. workproduct:: Feature DFA
+ :id: wp__feature_dfa
+ :status: valid
+ :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__software_753
+
+ Dependent Failure Analysis on platform/feature level
+ - Detection and prevention mitigations linked to Software Feature Requirements or Assumptions of Use
+ Perform analysis on interactions between safety related and non-safety related modules or modules with different ASIL of one feature. Including potential influences from the rest of the SW platform.
+
+.. workproduct:: Component Safety Analysis
+ :id: wp__sw_component_safety_analysis
+ :status: valid
+ :complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752
+
+ Bottom-Up Safety Analysis with e.g. FMEA method, verifies the component architecture (as part of SW Safety Concept)
+ - Detection and prevention mitigations linked to Software Component Requirements or Assumptions of Use
+
+.. workproduct:: Component DFA
+ :id: wp__sw_component_dfa
+ :status: valid
+ :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__software_753
+
+ Dependent Failure Analysis on component/module level
+ - Detection and prevention mitigations linked to Software Component Requirements or Assumptions of Use
+ Perform analysis of safety related and non-safety related sub-elements or sub-elements with different ASIL.
+ Perform analysis on interactions between safety related and non-safety related sub-components or sub-components with different ASIL of one component. Including potential influences from the other components in the component's module.
+
+.. workproduct:: Architecture Verification
+ :id: wp__sw_arch_verification
+ :status: valid
+ :complies: std_wp__iso26262__software_754
+
+ Depends on architecture, FMEA and DFA tooling.
+ May include several methods like inspection, modelling ... Which are selected in SW Development Plan.
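Review bot: every work product moved here is promoted from `:status: draft` (as in the blocks removed from `docs/process/workproducts/index.rst` further down) to `:status: valid`, and the `:tags: safety` option is dropped from all of them; neither change is mentioned in the patch. If the status change is intended it should be a deliberate decision rather than a side effect of the move, and dropping the tag may break any needtable or filter that selects on `"safety" in tags`. The `- Detection and prevention mitigations ...` lines that follow a paragraph without a blank line will not render as a bullet list in RST but as a continuation of the preceding sentence; insert a blank line before them. "May include several methods like inspection, modelling ... Which are selected in SW Development Plan." is a sentence fragment; suggest "May include several methods, such as inspection or modelling, which are selected in the SW Development Plan."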
diff --git a/docs/process/workflows/index.rst b/docs/process/workflows/index.rst
index 3a11e5a8e4..0241050ade 100644
--- a/docs/process/workflows/index.rst
+++ b/docs/process/workflows/index.rst
@@ -23,4 +23,3 @@ Workflows
platform_management
change_management
quality_management
- safety_analysis
diff --git a/docs/process/workproducts/index.rst b/docs/process/workproducts/index.rst
index 8877bd0462..d058f3d5d4 100644
--- a/docs/process/workproducts/index.rst
+++ b/docs/process/workproducts/index.rst
@@ -112,25 +112,6 @@ Product development
Platform development
^^^^^^^^^^^^^^^^^^^^
-.. workproduct:: Feature Safety Analysis
- :id: wp__feature_safety_analysis
- :status: draft
- :tags: safety
- :complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752
-
- Bottom-Up Safety Analysis with e.g. FMEA method, verifies the feature architecture (as part of SW Safety Concept)
- - Detection and prevention mitigations linked to Software Feature Requirements or Assumptions of Use
-
-.. workproduct:: Feature DFA
- :id: wp__feature_dfa
- :status: draft
- :tags: safety
- :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__software_753
-
- Dependent Failure Analysis on platform/feature level
- - Detection and prevention mitigations linked to Software Feature Requirements or Assumptions of Use
- Perform analysis on interactions between safety related and non-safety related modules or modules with different ASIL of one feature. Including potential influences from the rest of the SW platform.
-
.. workproduct:: Platform Build Configuration
:id: wp__platform_sw_build_config
:status: draft
@@ -161,34 +142,6 @@ Platform development
Component development
^^^^^^^^^^^^^^^^^^^^^
-.. workproduct:: Component Safety Analysis
- :id: wp__sw_component_safety_analysis
- :status: draft
- :tags: safety
- :complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752, std_wp__isopas8926__4524
-
- Bottom-Up Safety Analysis with e.g. FMEA method, verifies the component architecture (as part of SW Safety Concept)
- - Detection and prevention mitigations linked to Software Component Requirements or Assumptions of Use
-
-.. workproduct:: Component DFA
- :id: wp__sw_component_dfa
- :status: draft
- :tags: safety
- :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__software_753
-
- Dependent Failure Analysis on component/module level
- - Detection and prevention mitigations linked to Software Component Requirements or Assumptions of Use
- Perform analysis of safety related and non-safety related sub-elements or sub-elements with different ASIL.
- Perform analysis on interactions between safety related and non-safety related sub-components or sub-components with different ASIL of one component. Including potential influences from the other components in the component's module.
-
-.. workproduct:: Architecture Verification
- :id: wp__sw_arch_verification
- :status: draft
- :complies: std_wp__iso26262__software_754
-
- Depends on architecture, FMEA and DFA tooling.
- May include several methods like inspection, modelling ... Which are selected in SW Development Plan.
-
.. workproduct:: Module Build Configuration
:id: wp__module_sw_build_config
:status: draft
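Review bot: the removed Component Safety Analysis block complied with `std_wp__iso26262__analysis_851, std_wp__iso26262__software_752, std_wp__isopas8926__4524`, but the block recreated in `safety_analysis_workproducts.rst` lists only the first two, so the ISO PAS 8926 link `std_wp__isopas8926__4524` is lost in the move. Unless its removal is intentional (in which case say so in the commit message), restore it in the new file so traceability to the standard is kept.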