From ce103d6e759b8ef4d73e3e845b6b04f7824a683a Mon Sep 17 00:00:00 2001 From: PandaeDo Date: Wed, 15 Apr 2026 12:49:54 +0200 Subject: [PATCH 1/2] enlarge fdrs and fix failures in process --- .../features/feature_name/index.rst | 1 + .../feature_safety_analysis_fdr.rst | 188 ++++++++++++++++++ .../safety_mgt/module_safety_analysis_fdr.rst | 119 +++++++++-- .../platform_safety_analysis_fdr.rst | 119 +++++++++-- .../guidance/fault_models_guideline.rst | 2 + .../guidance/safety_analysis_checklist.rst | 1 + .../guidance/safety_analysis_guideline.rst | 2 +- .../safety_analysis_workproducts.rst | 8 +- 8 files changed, 405 insertions(+), 35 deletions(-) create mode 100644 process/folder_templates/features/feature_name/safety_analysis/feature_safety_analysis_fdr.rst diff --git a/process/folder_templates/features/feature_name/index.rst b/process/folder_templates/features/feature_name/index.rst index 44d8a2bc47..048ced8a2f 100644 --- a/process/folder_templates/features/feature_name/index.rst +++ b/process/folder_templates/features/feature_name/index.rst @@ -184,5 +184,6 @@ Footnotes requirements/chklst_req_inspection.rst safety_analysis/fmea.rst safety_analysis/dfa.rst + safety_analysis/feature_safety_analysis_fdr.rst safety_planning/index.rst security_planning/index.rst diff --git a/process/folder_templates/features/feature_name/safety_analysis/feature_safety_analysis_fdr.rst b/process/folder_templates/features/feature_name/safety_analysis/feature_safety_analysis_fdr.rst new file mode 100644 index 0000000000..c31e3675fb --- /dev/null +++ b/process/folder_templates/features/feature_name/safety_analysis/feature_safety_analysis_fdr.rst 
@@ -0,0 +1,188 @@ +.. + # ******************************************************************************* + # Copyright (c) 2025 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Safety Analysis Checklist +========================= + +.. document:: [Your Feature Name] Safety Analysis Checklist + :id: doc__feature_name_safety_analysis_fdr + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__fdr_reports + :tags: template + +.. attention:: + The above directive must be updated according to your Feature. + + - Modify ``Your Feature Name`` to be your Feature Name + - Modify ``id`` to be your Feature Name in lower snake case preceded by ``doc__`` and followed by ``_safety _analysis_fdr`` + - Adjust ``status`` to be ``valid`` + - Adjust ``safety``, ``security`` and ``tags`` according to your needs + + +**Purpose** + +The purpose of this Safety Analysis (DFA and FMEA) checklist template is to collect the topics to be checked during verification of the Safety Analysis. + +**Conduct** + +As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: + +- reviewer: + +**Checklist** + +Please note that the "passed" column must contain "yes" or "no" for each checklist item. Additionally, the remarks column must explain why item passed or did not passed. In case of "no" an issue link to the issue tracking system has to be added in the last column. See also :ref:`review_concept` for further information about reviews in general and inspection in particular. + +.. 
list-table:: General Checklist + :header-rows: 1 + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Are the safety analysis performed according to the defined process and templates? See :ref:`process_requirements_safety_analysis` and also :ref:`FMEA_templates` and :ref:`dfa_templates` + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Is the result of the safety analysis indicate if the safety requirements are complied? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 4 + - Are the mitigations effective and implemented? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 5 + - Are newly identified hazards adressed to be considered in HARA in the safety manual? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 6 + - Are additional safety-related test cases determined by potential results of the safety analyses? + - [YES | NO ] + - :need:`[[title]] ` + - + + +.. list-table:: DFA Checklist + :header-rows: 1 + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Are the potential dependent failures identified by performming a DFA? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are applicable operational situations and operating modes considered? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 4 + - Are the failure initiators :need:`[[title]] ` suitable and applied? 
+ - [YES | NO ] + - :need:`[[title]] ` + - + + * - 5 + - Is a rationale provided for each identified potential dependent failure? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 6 + - Are measures defined to resolute the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] ` + - + + * - 7 + - Can be the required level of independence shown for the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 8 + - Are the templates for DFA used? See :ref:`dfa_templates` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 9 + - Is the DFA performed in a systematic way to identify the potential dependent failures and their effects? Are the failure effect and the mitigation described? + - [YES | NO ] + - :need:`[[title]] ` + - + + +.. list-table:: FMEA Checklist + :header-rows: 1 + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Are the fault models suitable and applied for the FMEA? See :ref:`fault_models` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Is the FMEA performed in a systmatic way to identify the potential failure modes and their effects? Are the failure effect and the mitigation described? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are the templates for FMEA used? See :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] ` + - diff --git a/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst b/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst index 9a6905a9c9..18f08bf852 100644 --- a/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst 
+++ b/process/folder_templates/modules/module_name/docs/safety_mgt/module_safety_analysis_fdr.rst @@ -47,7 +47,8 @@ As described in :need:`wf__p_formal_rv`, the formal document review is performed Please note that the "passed" column must contain "yes" or "no" for each checklist item. Additionally, the remarks column must explain why item passed or did not passed. In case of "no" an issue link to the issue tracking system has to be added in the last column. See also :ref:`review_concept` for further information about reviews in general and inspection in particular. -.. list-table:: Safety Analysis Checklist + +.. list-table:: General Checklist :header-rows: 1 :widths: 10,10,30,30,20 
@@ -58,43 +59,131 @@ Please note that the "passed" column must contain "yes" or "no" for each checkli - Comment * - 1 - - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - Are the safety analysis performed according to the defined process and templates? See :ref:`process_requirements_safety_analysis` and also :ref:`FMEA_templates` and :ref:`dfa_templates` - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 2 - - Are the failure initiators :need:`[[title]] ` / fault models :need:`[[title]] ` applied? + - Is the result of the safety analysis indicate if the safety requirements are complied? - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 3 - - Are measures defined to resolute the identified potential dependent failures? + - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. - [YES | NO ] - - :need:`[[title]] `, :need:`[[title]] ` + - :need:`[[title]] ` - * - 4 - - Is the result of the safety analysis indicate if the safety requirements are complied? + - Are the mitigations effective and implemented? - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 5 - - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. + - Are newly identified hazards adressed to be considered in HARA in the safety manual? - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 6 - - Are the mitigations effective and implemented? + - Are additional safety-related test cases determined by potential results of the safety analyses? 
- [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` + - + + +.. list-table:: DFA Checklist + :header-rows: 1 + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Are the potential dependent failures identified by performming a DFA? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are applicable operational situations and operating modes considered? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 4 + - Are the failure initiators :need:`[[title]] ` suitable and applied? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 5 + - Is a rationale provided for each identified potential dependent failure? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 6 + - Are measures defined to resolute the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] ` - * - 7 - - Are the templates for DFA and/or FMEA used? See :ref:`dfa_templates` / :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` + - Can be the required level of independence shown for the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 8 + - Are the templates for DFA used? See :ref:`dfa_templates` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 9 + - Is the DFA performed in a systematic way to identify the potential dependent failures and their effects? Are the failure effect and the mitigation described? + - [YES | NO ] + - :need:`[[title]] ` + - + + +.. list-table:: FMEA Checklist + :header-rows: 1 + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? 
+ - Reference + - Comment + + * - 1 + - Are the fault models suitable and applied for the FMEA? See :ref:`fault_models` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Is the FMEA performed in a systmatic way to identify the potential failure modes and their effects? Are the failure effect and the mitigation described? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are the templates for FMEA used? See :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` - [YES | NO ] - - :need:`[[title]] `, :need:`[[title]] `, :need:`[[title]] ` + - :need:`[[title]] `, :need:`[[title]] ` - diff --git a/process/folder_templates/platform/docs/safety_mgt/platform_safety_analysis_fdr.rst b/process/folder_templates/platform/docs/safety_mgt/platform_safety_analysis_fdr.rst index 574350b99f..af2725f07d 100644 --- a/process/folder_templates/platform/docs/safety_mgt/platform_safety_analysis_fdr.rst +++ b/process/folder_templates/platform/docs/safety_mgt/platform_safety_analysis_fdr.rst @@ -38,7 +38,8 @@ As described in :need:`wf__p_formal_rv`, the formal document review is performed Please note that it is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additional to add in the remarks why it is passed or not passed. In case of "no" an issue link to the issue tracking system has to be added in the last column. See also :ref:`review_concept` for further information about reviews in general and inspection in particular. -.. list-table:: Safety Analysis Checklist + +.. list-table:: General Checklist :header-rows: 1 :widths: 10,10,30,30,20 
@@ -49,43 +50,131 @@ Please note that it is mandatory to fill in the "passed" column with "yes" or "n - Comment * - 1 - - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - Are the safety analysis performed according to the defined process and templates? See :ref:`process_requirements_safety_analysis` and also :ref:`FMEA_templates` and :ref:`dfa_templates` - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 2 - - Are the failure initiators :need:`[[title]] ` / fault models :need:`[[title]] ` applied? + - Is the result of the safety analysis indicate if the safety requirements are complied? - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 3 - - Are measures defined to resolute the identified potential dependent failures? + - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. - [YES | NO ] - - :need:`[[title]] `, :need:`[[title]] ` + - :need:`[[title]] ` - * - 4 - - Is the result of the safety analysis indicate if the safety requirements are complied? + - Are the mitigations effective and implemented? - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 5 - - Are for all not complied safety requirements mitigations defined to resolute the non-compliance? The mitigations shall have a direct influence on the violation by prevention, detection or mitigation to reduce the risk to an acceptable level. + - Are newly identified hazards adressed to be considered in HARA in the safety manual? - [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` - * - 6 - - Are the mitigations effective and implemented? + - Are additional safety-related test cases determined by potential results of the safety analyses? 
- [YES | NO ] - - :need:`[[title]] ` + - :need:`[[title]] ` + - + + +.. list-table:: DFA Checklist + :header-rows: 1 + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Are the potential dependent failures identified by performming a DFA? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are applicable operational situations and operating modes considered? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 4 + - Are the failure initiators :need:`[[title]] ` suitable and applied? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 5 + - Is a rationale provided for each identified potential dependent failure? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 6 + - Are measures defined to resolute the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] `, :need:`[[title]] ` - * - 7 - - Are the templates for DFA and/or FMEA used? See :ref:`dfa_templates` / :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` + - Can be the required level of independence shown for the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 8 + - Are the templates for DFA used? See :ref:`dfa_templates` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 9 + - Is the DFA performed in a systematic way to identify the potential dependent failures and their effects? Are the failure effect and the mitigation described? + - [YES | NO ] + - :need:`[[title]] ` + - + + +.. list-table:: FMEA Checklist + :header-rows: 1 + :widths: 10,10,30,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? 
+ - Reference + - Comment + + * - 1 + - Are the fault models suitable and applied for the FMEA? See :ref:`fault_models` and also :ref:`process_requirements_safety_analysis` + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 2 + - Is the FMEA performed in a systmatic way to identify the potential failure modes and their effects? Are the failure effect and the mitigation described? + - [YES | NO ] + - :need:`[[title]] ` + - + + * - 3 + - Are the templates for FMEA used? See :ref:`FMEA_templates` and also :ref:`process_requirements_safety_analysis` - [YES | NO ] - - :need:`[[title]] `, :need:`[[title]] `, :need:`[[title]] ` + - :need:`[[title]] `, :need:`[[title]] ` - diff --git a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst index 34f7d9d59c..3ee8edd8e6 100644 --- a/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst +++ b/process/process_areas/safety_analysis/guidance/fault_models_guideline.rst @@ -12,6 +12,8 @@ # SPDX-License-Identifier: Apache-2.0 # ******************************************************************************* +.. _fault_models: + FMEA Fault Models ================= diff --git a/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst b/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst index d7aed9b8f3..13754aafe7 100644 --- a/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst +++ b/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst @@ -26,4 +26,5 @@ Safety Analysis Checklist For the content see here: - :need:`doc__platform_safety_analysis_fdr` (platform) + - :need:`doc__feature_name_safety_analysis_fdr` (feature) - :need:`doc__module_name_safety_analysis_fdr` (module) 
diff --git a/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst b/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst index 60fbe34e51..6b8280d17c 100644 --- a/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst +++ b/process/process_areas/safety_analysis/guidance/safety_analysis_guideline.rst @@ -19,7 +19,7 @@ Safety Analysis Guidelines .. gd_guidl:: Safety Analysis (DFA and FMEA) Guideline :id: gd_guidl__safety_analysis :status: valid - :complies: std_req__iso26262__analysis_841, std_req__iso26262__analysis_842, std_req__iso26262__analysis_843, std_req__iso26262__analysis_844, std_req__iso26262__analysis_847, std_req__iso26262__analysis_848, std_req__iso26262__analysis_849, std_req__iso26262__analysis_8410, std_req__isopas8926__44431, std_req__isopas8926__44432 + :complies: std_req__iso26262__analysis_741, std_req__iso26262__analysis_742, std_req__iso26262__analysis_743, std_req__iso26262__analysis_745, std_req__iso26262__analysis_746, std_req__iso26262__analysis_747, std_req__iso26262__analysis_748, std_req__iso26262__analysis_749, std_req__iso26262__analysis_841, std_req__iso26262__analysis_842, std_req__iso26262__analysis_843, std_req__iso26262__analysis_844, std_req__iso26262__analysis_845, std_req__iso26262__analysis_846, std_req__iso26262__analysis_847, std_req__iso26262__analysis_848, std_req__iso26262__analysis_849, std_req__iso26262__analysis_8410, std_req__isopas8926__44431, std_req__isopas8926__44432 This document describes the general guidances for Safety Analysis (DFA and FMEA) based on the concept which is defined :need:`Safety Analysis Concept`. Use the Platform DFA as an input so that general Safety Mechanisms are only defined once and not in every single Safety Analysis. diff --git a/process/process_areas/safety_analysis/safety_analysis_workproducts.rst b/process/process_areas/safety_analysis/safety_analysis_workproducts.rst index 3217b5f863..860f617e78 100644 
--- a/process/process_areas/safety_analysis/safety_analysis_workproducts.rst +++ b/process/process_areas/safety_analysis/safety_analysis_workproducts.rst @@ -19,7 +19,7 @@ Safety Analysis Work Products :id: wp__platform_dfa :status: valid :tags: doc_lifecycle_model_2 - :complies: std_wp__iso26262__software_751, std_wp__iso26262__software_753, std_wp__isopas8926__4524 + :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__software_753, std_wp__isopas8926__4524 Analyse the dependencies between features that references all platform feature static architecture diagrams, highlighting potential shared use of features. @@ -27,7 +27,7 @@ Safety Analysis Work Products :id: wp__feature_fmea :status: valid :tags: doc_lifecycle_model_2 - :complies: std_wp__iso26262__software_751, std_wp__iso26262__analysis_851, std_wp__isopas8926__4524 + :complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752, std_wp__isopas8926__4524 FMEA verifies the feature architecture (as part of SW Safety Concept) @@ -37,7 +37,7 @@ Safety Analysis Work Products :id: wp__feature_dfa :status: valid :tags: doc_lifecycle_model_2 - :complies: std_wp__iso26262__software_751, std_wp__iso26262__software_753, std_wp__isopas8926__4524 + :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__software_753, std_wp__isopas8926__4524 Dependent Failure Analysis on feature level. @@ -49,7 +49,7 @@ Safety Analysis Work Products :id: wp__sw_component_fmea :status: valid :tags: doc_lifecycle_model_2 - :complies: std_wp__iso26262__analysis_751, std_wp__iso26262__analysis_851, std_wp__isopas8926__4524, std_wp__iso26262__software_752 + :complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752, std_wp__isopas8926__4524, std_wp__iso26262__software_752 FMEA, verifies the component architecture (as part of SW Safety Concept) From 8161cff4fa663eef4d4131d553e7aa5105549974 Mon Sep 17 00:00:00 2001 
From: PandaeDo Date: Mon, 20 Apr 2026 16:33:32 +0200 Subject: [PATCH 2/2] delete link to feature fdr in checklist --- .../safety_analysis/guidance/safety_analysis_checklist.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst b/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst index 13754aafe7..d7aed9b8f3 100644 --- a/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst +++ b/process/process_areas/safety_analysis/guidance/safety_analysis_checklist.rst @@ -26,5 +26,4 @@ Safety Analysis Checklist For the content see here: - :need:`doc__platform_safety_analysis_fdr` (platform) - - :need:`doc__feature_name_safety_analysis_fdr` (feature) - :need:`doc__module_name_safety_analysis_fdr` (module)
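Review bot: In the new file feature_safety_analysis_fdr.rst the ``attention`` box tells the template user to append ``_safety _analysis_fdr`` to the id, with a stray space before ``_analysis``; anyone following it literally produces an id that does not match the ``doc__feature_name_safety_analysis_fdr`` pattern used by the directive above it, so it should read ``_safety_analysis_fdr``. In the same file the paragraph above the tables says the "passed" column must contain yes/no and the "remarks" column must explain the result, but the three tables only have the columns ID, Safety analysis activity, Compliant to ISO 26262?, Reference and Comment; either rename the columns or reword the paragraph so a reviewer knows which cell is meant. The checklist items also carry several spelling and grammar slips that will be copied into every feature's review record: "performming", "adressed", "systmatic", "resolute" (should be "resolve"), "Are the safety analysis performed", "Is the result of the safety analysis indicate", and "Can be the required level of independence shown". Fixing them in the template now avoids fixing them in every instance later.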
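Review bot: The rewritten table block in module_safety_analysis_fdr.rst (hunk @@ -58,43 +59,131 @@) is a verbatim copy of the new feature template, and the platform hunk @@ -49,43 +50,131 @@ is a third identical copy, so roughly 130 lines of checklist text now live in three places and will drift the first time one of them is corrected. Consider keeping the General, DFA and FMEA tables in a single shared .rst that the three FDR templates pull in with ``.. include::``, or at least note in the guideline which copy is authoritative. Within the copied tables, General item 1 already asks whether the analysis was performed according to the defined process and templates (linking both ``FMEA_templates`` and ``dfa_templates``), and DFA item 8 and FMEA item 3 then ask the same template question again; one of the two levels should go. DFA item 4 also embeds a raw ``:need:`[[title]] ``` placeholder inside the question text for the failure initiators, while the parallel FMEA item 1 links the guideline directly with ``:ref:`fault_models```; linking the failure initiator guideline the same way would remove a placeholder the template user has to remember to replace.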
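Review bot: The platform hunk @@ -38,7 +38,8 @@ (and the matching module hunk @@ -47,7 +47,8 @@) renames the table to "General Checklist" and inserts a second blank line, but leaves the unchanged context line directly above it saying it is mandatory to fill in the "passed" column and to add remarks; after this patch neither file has a column with either name, so the instruction and the table it introduces disagree. Update the paragraph in the same hunk, and drop the extra blank line, which the surrounding RST does not use before ``.. list-table::`` directives.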
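Review bot: In safety_analysis_guideline.rst the ``:complies:`` list of ``gd_guidl__safety_analysis`` grows from ten to twenty standard requirements (``analysis_741`` to ``analysis_749`` except ``744``, plus ``analysis_845`` and ``analysis_846``) while the hunk changes nothing in the guideline body below it. Please state in the PR why ``std_req__iso26262__analysis_744`` is the one clause in that range left out (if it is intentionally not applicable, a short rationale belongs next to the attribute), and confirm that the existing guideline text actually covers the newly claimed 7-4 and 8-4 clauses rather than only the link being added; a compliance link without supporting content is what an assessor will pick up first.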
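Review bot: In safety_analysis_workproducts.rst the ``wp__sw_component_fmea`` hunk produces ``:complies: std_wp__iso26262__analysis_851, std_wp__iso26262__software_752, std_wp__isopas8926__4524, std_wp__iso26262__software_752``, listing ``std_wp__iso26262__software_752`` twice; the old line already had it at the end and the replacement inserts it again in second position. Drop the trailing duplicate so the attribute matches the pattern used for ``wp__feature_fmea`` in the hunk above (``analysis_851, software_752, isopas8926__4524``). The DFA work products are changed consistently (``software_751`` replaced by ``analysis_751`` for both ``wp__platform_dfa`` and ``wp__feature_dfa``), which is fine.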
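Review bot: PATCH 2/2 reverts the only line of PATCH 1/2 that made the new feature template reachable from the guidance page, so after the series ``doc__feature_name_safety_analysis_fdr`` is registered in the feature index toctree but safety_analysis_checklist.rst still lists only the platform and module FDRs. The commit message ("delete link to feature fdr in checklist") says what was removed but not why; if the link was dropped because the template document is not part of the build that renders the process guidance, say so in the message and consider a plain-text mention of the feature template instead of the ``:need:`` role, and if the feature FDR is genuinely meant to be listed there, the two commits should be squashed into one that keeps the link.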