Update Persistency safety analysis fdr #2873
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,178 @@ | ||
| .. | ||
| # ******************************************************************************* | ||
| # Copyright (c) 2025 Contributors to the Eclipse Foundation | ||
| # | ||
| # See the NOTICE file(s) distributed with this work for additional | ||
| # information regarding copyright ownership. | ||
| # | ||
| # This program and the accompanying materials are made available under the | ||
| # terms of the Apache License Version 2.0 which is available at | ||
| # https://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| # ******************************************************************************* | ||
|
|
||
|
|
||
| Safety Analysis Checklist | ||
| ========================= | ||
|
|
||
| .. document:: Persistency Safety Analysis Checklist | ||
| :id: doc__persistency_safety_analysis_fdr | ||
| :status: valid | ||
| :safety: ASIL_B | ||
| :security: YES | ||
| :realizes: wp__fdr_reports | ||
| :tags: persistency | ||
|
|
||
| **Purpose** | ||
| The purpose of this Safety Analysis (DFA and FMEA) checklist template is to collect the topics to be checked during verification of the Safety Analysis. | ||
|
|
||
| **Conduct** | ||
|
|
||
| As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: | ||
|
|
||
| - reviewer: Uwe Maucher, Volker Häussler | ||
|
Contributor
Has Uwe safety manager skills? If not we should either remove his name from the formal document or state that he is an additional reviewer in his role as module lead.
Contributor
Should Volker be the reviewer? It looks to me as if he also would be the author.
||
|
|
||
| **Checklist** | ||
|
|
||
| Please note that the "passed" column must contain "yes" or "no" for each checklist item. Additionally, the remarks column must explain why item passed or did not passed. In case of "no" an issue link to the issue tracking system has to be added in the last column. See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. | ||
|
|
||
| .. list-table:: General Checklist | ||
| :header-rows: 1 | ||
| :widths: 10,10,30,30,20 | ||
|
|
||
| * - ID | ||
| - Safety analysis activity | ||
| - Compliant to ISO 26262? | ||
| - Reference | ||
| - Comment | ||
|
|
||
| * - 1 | ||
| - Are the safety analysis performed according to the defined process and templates? See :need:`gd_req__saf_structure` and also :need:`doc__feature_name_fmea` and :need:`doc__feature_name_dfa` | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_841>` | ||
| - Templates for safety analysis are used and the process is followed. | ||
|
Contributor
I would add here a link to the evidence, i.e. to the safety analysis documents that were checked.
||
|
|
||
| * - 2 | ||
| - Is the result of the safety analysis indicate if the safety requirements are complied? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_842>` | ||
| - The safety analysis results indicate compliance with the requirements. | ||
|
Contributor
I would expect some more explanation, for example that the reqs are linked to the architecture views and these to the safety analysis? Or we refer to some process description?
||
|
|
||
| * - 3 | ||
| - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_843>` | ||
| - Yes. All non-compliances have defined mitigations. | ||
|
Contributor
Please elaborate further, like: "for this we checked that every feat_saf_fmea/dfa has a mitigation linked".
||
|
|
||
| * - 4 | ||
| - Are the mitigations effective and implemented? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_844>` | ||
| - The mitigations are effective and have been implemented. | ||
|
Contributor
Add for example "i.e. there are no open mitigation_issue".
||
|
|
||
| * - 5 | ||
| - Are newly identified hazards adressed to be considered in HARA in the safety manual? | ||
| - NO | ||
|
Contributor
I would state here "not applicable".
||
| - :need:`[[title]] <std_req__iso26262__analysis_845>` | ||
| - HARA is out of scope / tailored out for this project. | ||
|
Contributor
Would we better change this question in the process description to something like "make sure all the AoU created as mitigations are covered in the safety manual"? Or remove it altogether, as the process does not cover HARA (system level)?
||
|
|
||
| * - 6 | ||
| - Are additional safety-related test cases determined by potential results of the safety analyses? | ||
| - NO | ||
| - :need:`[[title]] <std_req__iso26262__analysis_847>` | ||
| - There are no additional safety-related test cases determined by potential results of the safety analyses. | ||
|
Contributor
But now we do not have "potential results" but real results, so I would skip the half sentence. The standard expects additional test cases if those are needed. So with an argumentation we could set the "Compliant ..." to "YES" - otherwise the FDR is failed, is this what you wanted? But then I would expect a ticket linked to resolve this.
||
|
|
||
|
|
||
| .. list-table:: DFA Checklist | ||
| :header-rows: 1 | ||
| :widths: 10,10,30,30,20 | ||
|
|
||
| * - ID | ||
| - Safety analysis activity | ||
| - Compliant to ISO 26262? | ||
| - Reference | ||
| - Comment | ||
|
|
||
| * - 1 | ||
| - Are the potential dependent failures identified by performming a DFA? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_741>` | ||
| - The potential dependent failures have been identified by performing the DFA. | ||
|
Contributor
Please enrich by e.g. "The potential dependent failures have been identified by using the templates and documented in the DFA".
||
|
|
||
| * - 2 | ||
| - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_742>` | ||
| - The identified potential dependent failures are plausible and could lead to a violation of FFI. | ||
|
|
||
| * - 3 | ||
| - Are applicable operational situations and operating modes considered? | ||
| - NO | ||
|
Contributor
"not applicable"
||
| - :need:`[[title]] <std_req__iso26262__analysis_743>` | ||
| - Not applicable for the project. | ||
|
|
||
| * - 4 | ||
| - Are the failure initiators :need:`[[title]] <gd_guidl__dfa_failure_initiators>` suitable and applied? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_744>` | ||
| - Failure initiators are suitable and have been applied in the DFA. | ||
|
Contributor
Better "Failure initiators as provided in template are suitable" and "all of these were either argued as not applicable or documented as a potential failure".
||
|
|
||
| * - 5 | ||
| - Is a rationale provided for each identified potential dependent failure? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_745>` | ||
| - A rationale is provided for each identified potential dependent failure. | ||
|
Contributor
Better "A rationale which argues ..." and "is documented in every failure description section".
||
|
|
||
| * - 6 | ||
| - Are measures defined to resolute the identified potential dependent failures? | ||
|
Contributor
In the process description we also call these "mitigation" instead of "measures".
||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_746>`, :need:`[[title]] <std_req__iso26262__analysis_747>` | ||
| - Measures are defined to resolute the identified potential dependent failures. | ||
|
Contributor
Isn't this question the same as the above in general list "3"?
||
|
|
||
| * - 7 | ||
| - Can be the required level of independence shown for the identified potential dependent failures? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_748>` | ||
| - The required level of independence can be shown for the identified potential dependent failures. | ||
|
Contributor
A proper argument is needed here - otherwise we can dump this column and just answer "YES".
||
|
|
||
| * - 8 | ||
|
Contributor
Isn't this question the same as the above in general list "1"?
||
| - Are the templates for DFA used? See :need:`doc__feature_name_dfa` and also :need:`gd_req__saf_structure` | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_748>` | ||
| - The templates for DFA are used. | ||
|
|
||
| * - 9 | ||
| - Is the DFA performed in a systematic way to identify the potential dependent failures and their effects? Are the failure effect and the mitigation described? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_8410>` | ||
| - The DFA is performed in a systematic way to identify the potential dependent failures and their effects. The failure effect and the mitigation are described. | ||
|
Contributor
Better: "All initiators were covered ..."
||
|
|
||
|
|
||
| .. list-table:: FMEA Checklist | ||
| :header-rows: 1 | ||
| :widths: 10,10,30,30,20 | ||
|
|
||
| * - ID | ||
| - Safety analysis activity | ||
| - Compliant to ISO 26262? | ||
| - Reference | ||
| - Comment | ||
|
|
||
| * - 1 | ||
| - Are the fault models suitable and applied for the FMEA? See :need:`gd_guidl__fault_models` and also :need:`gd_req__saf_structure` | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_846>` | ||
| - The fault models are suitable and have been applied for the FMEA. | ||
|
Contributor
Better: "The fault models as in :need:
||
|
|
||
| * - 2 | ||
| - Is the FMEA performed in a systmatic way to identify the potential failure modes and their effects? Are the failure effect and the mitigation described? | ||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_849>` | ||
| - The FMEA is performed in a systematic way to identify the potential failure modes and their effects. The failure effect and the mitigation are described. | ||
|
Contributor
Compare the similar question in the DFA list. We need to define what we consider a "systematic way" (maybe some overlap with the point "2" just above).
||
|
|
||
| * - 3 | ||
| - Are the templates for FMEA used? See :need:`doc__feature_name_fmea` and also :need:`gd_req__saf_structure` | ||
|
Contributor
Isn't this question the same as the above in general list "1"?
||
| - YES | ||
| - :need:`[[title]] <std_req__iso26262__analysis_849>`, :need:`[[title]] <std_req__iso26262__analysis_8410>` | ||
| - The templates for FMEA are used. | ||
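Review bot: the preamble of this file requires an issue link in the last column for every item answered "no", but General items 5 and 6 and DFA item 3 answer NO with only a remark ("HARA is out of scope / tailored out for this project.", "There are no additional safety-related test cases determined by potential results of the safety analyses.", "Not applicable for the project.") and no tracker link; either add the link or record the answer as "not applicable" with a pointer to the tailoring decision, otherwise the FDR reads as failed without a follow-up. The same preamble speaks of a "passed" column and a "remarks" column, while the table headers are "Compliant to ISO 26262?" and "Comment"; align the wording. The evidence references in General 1, DFA 8 and FMEA 3 still point at the template placeholders `doc__feature_name_fmea` and `doc__feature_name_dfa` rather than the persistency DFA and FMEA documents that were actually reviewed, and the Reference column looks copy-pasted in two places: DFA item 8 reuses `std_req__iso26262__analysis_748` from item 7, and FMEA item 3 reuses `std_req__iso26262__analysis_849` from item 2. Most comment cells only restate the question (e.g. "The mitigations are effective and have been implemented.") without naming what was inspected or linking the evidence, which is what the checklist is meant to record. Spelling in the new text: "adressed", "performming", "systmatic", and "resolute" should read "resolve".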
The FDR is a formal review for all safety analysis in one module (feature, component, fmea, dfa). According to the folder template it is stored in persistency (module) repo in persistency/doc/safety_mgt as it belongs to safety management iso chapter.
Agree on the meeting. We might consider if we change the process description https://eclipse-score.github.io/process_description/main/process_areas/safety_analysis/guidance/safety_analysis_checklist.html. We defined FDR for platform, feature and module.